Monday, 22 May 2017

EBA Insists On Access To Cloud Providers' Premises And Machines

Yes, it's 2017 and the European Banking Authority really does want financial regulators and their auditors to be able to visit the datacentres of regulated firms' cloud service providers, "including the full range of devices, systems, networks and data used for providing the services outsourced".  Responses on these 'recommendations' are due by 18 August 2017.

No one, including the EBA, really knows why regulators would need to do this, or what they would do on arrival - beyond exchanging pleasantries with the datacentre management and staff (who may not be co-located) and perhaps accepting the kind offer of tea or coffee from a robot or good old-fashioned dispensing machine.

The EBA simply presumes that other firms whose data is kept in the same datacentre (however fleetingly) will be happy for the financial regulators and their auditors to be allowed to wander among the cages amidst the pretty lights, exercising their "unrestricted rights of inspection and auditing".  And there's no mention of whether the EBA expects every co-located firm's information security policy to tolerate access to its own and its clients' sensitive data by audit teams from random financial (or other?) regulators, even where that firm and its clients are not the subject of the audit.

Far better that the EBA recommendations focus on these thorny, practical issues instead of blithely insisting that firms negotiate broad, unfettered rights of access to datacentres on their regulators' behalf.

Or maybe this is just a passive aggressive way of trying to prevent firms from using cloud services?


Thursday, 18 May 2017

Fake News, Screen-scraping and the European Banking Federation #PSD2

The old row between new financial service providers and the European Banking Federation has blown up again. At issue is whether the providers of new regulated "account information" services that rely on access to your payment account data should be able to copy it from your online account ('screen-scraping') or only get it through a different type of interface (API) directly provided and controlled by the bank.

Rather typically, the EBF has produced a video that purports to explain 'screen-scraping' (which could be done in a single slide) but actually misleads by suggesting that the motives of the new service providers who want to do it are unlawful. 

Of course, the method of accessing the account information really has nothing to do with the motives of this new type of regulated service provider.

Instead, the EBF's tactics merely reflect the major banks' age-old resistance to anyone else using "their" payment data to provide you with services that are more useful than the very limited data and features available in your bank account. In fact, that resistance led retailers to launch 'loyalty' programmes and behavioural targeting of advertising as far less efficient ways of figuring out what you like to spend your money on.

But the data in your payment account is your data, and you should be able to combine it with your other data - or have trusted third parties do that for you - if you wish. 

That's why - refreshingly - the authorities insisted that PSD2 should specifically regulate the new 'account information service providers' and, crucially, require banks to make your payment account data available to them, precisely so that you can - if you wish to - rely on their services to make sense of your financial affairs or know how much money you have available while shopping etc., without having to log in to your bank account(s).

PSD2 also obliges your payment account information service provider to comply with security and data protection requirements when accessing and handling your payment data, regardless of how they get access to that information. 

So, the latest dust-up is really just an (old) technological argument about whether a service provider should use your log-in credentials to copy the information from the screen that you see (which means the provider holds credentials that would let it do anything you can do in your account), or only access the data through an interface provided (possibly badly) by the bank. It has nothing to do with the possible motives of the service provider in using the data - and they have to behave lawfully anyway.

The fact that the EBF has resorted to fake news and moral panic tells me that any real 'arguments' against screen-scraping are very weak indeed...


Tuesday, 16 May 2017

New Money Laundering Guidance

The complexity of the anti-money laundering regime has meant that practical guidance on how to comply has been particularly necessary. The best guidance has come from the Joint Money Laundering Steering Group (JMLSG), a grouping of various industry bodies, whose guidance is in three parts.

New EU directives on money laundering have led to consultation on how these should be implemented in new draft UK regulations that are due to take effect from 26 June 2017.

And the JMLSG has used the draft regulations as the basis for consultations on updating Part I of its guidance (the mark-up is in 4 separate documents, Chapter 5 of which shows changes to the guidance on electronic identity verification), and more recently on Parts II and III. The consultation versions show the proposed changes to the current guidance, and are an invaluable tool for understanding how a firm's existing approach should change once the new regulations take effect.




Saturday, 22 April 2017

Durable Medium, According To The FCA

The Financial Conduct Authority has published new guidance (in the form of a web page) on what forms of media will enable firms to satisfy their obligations to provide information, or make it available, in a 'durable medium' as an alternative to paper...




Friday, 21 April 2017

#PSD2: The FCA Clarifies The "Business Test"

In deciding whether or not a firm's activities are caught by the new Payment Services Directive (PSD2) as implemented in the UK by new Payment Services Regulations, one needs to first consider whether the activities are conducted by way of business. This is a question of fact and degree that can be difficult to answer. In the consultation on its approach to supervising the new regulations, the Financial Conduct Authority has helpfully done a lot more than it has in other areas to clarify when it considers that a payment activity will constitute 'a regular occupation or business' in itself, as opposed to being merely part of another type of business.

FCA's current guidance on the Payment Services Regulations 2009 states (at PERG 15.2, Q.9):
“…Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations merely through operating their client accounts in connection with their main professional activities.”
The FCA has revised Question 9 as part of its proposed draft changes to the Perimeter Guidance to read as follows:
"Q9. If we provide payment services to our clients, will we always require authorisation or registration under the regulations?
Not necessarily; you will only be providing payment services, for the purpose of the regulations, when you carry on one or more of the activities in PERG 15 Annex 2:
  • as a regular occupation or business activity; and
  • these are not excluded or exempt activities.
Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations (see definition of "payment services" in regulation 2(1)). In our view this means that the services must be provided as a regular occupation or business activity in their own right and not merely as ancillary to another business activity. Accordingly, we would not generally expect the following to be providing payment services as a regular occupation or business activity:
  • solicitors or broker dealers, merely through operating their client accounts in connection with their main professional activities;
  • letting agents, handling tenants’ deposits or rent payments in connection with the letting of a property by them;
  • debt management companies, receiving funds from and making repayments for a customer as part of a debt management plan being administered for that customer; and
  • operators of loan or investment based crowd funding platforms transferring funds between participants as part of that activity.
The fact that a service is provided as part of a package with other services does not, however, necessarily make it ancillary to those services – the question is whether that service is, on the facts, itself carried on as a regular occupation or business activity."
Similarly, in Question 38, the FCA proposes to state:
"Q38. We are an investment firm providing investment services to our clients - are payment transactions relating to these services caught by the regulations?
Generally, no. Where payment transactions only arise in connection with your main activity of providing investment services, in our view it is unlikely that you will be providing payment services by way of business. In those limited cases where you are, the PSRs 2017 do not apply to securities assets servicing, including dividends, income or other distributions and redemption or sale (see PERG 15 Annex 3, paragraph (i))."
In relation to e-commerce marketplaces, the FCA proposes to add the following question to its Perimeter Guidance:
"Q33A. We are an e-commerce platform that collects payments from buyers of goods and services and then remits the funds to the merchants who sell goods and services through us – do the regulations apply to us?
The platform should consider whether they fall within the exclusion at PERG 15 Annex 3, paragraph (b). The PSRs 2017 do not apply to payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Recital 11 of PSD2 makes clear that some e-commerce platforms are intended to be within the scope of regulation. An example of where a platform will be acting for both the payer and the payee would be where the platform allows a payer to transfer funds into an account that it controls or manages, but this does not constitute settlement of the payer’s debt to the payee, and then the platform transfers corresponding amounts to the payee, pursuant to an agreement with the payee.
The platform should also consider whether they are offering payment services as a regular occupation or business activity (see Q9). Depending on your business model, the payment service may be ancillary to another business activity, or may be a business activity in its own right. Where the payment service is carried on as a regular occupation or business activity, and none of the exclusions apply, the platform will need to be authorised or registered."
The FCA also proposes to add Question 34A relating to "online fundraising platforms":
"Q34A. We are an online fundraising platform which collects donations in the form of electronic payments and transmits funds electronically to the causes and charities that have an agreement with us - do any of the exclusions apply to us?
Persons collecting cash on behalf of a charity and then transferring the cash to the charity electronically do not fall within the exclusion in PERG 15 Annex 3, paragraph (d), unless they themselves are carrying this out non-professionally and as part of a not-for-profit or charitable activity. For example, a group of volunteers that organises regular fundraising events to collect money for charities would fall within this exclusion. On the other hand, an online fundraising platform that derives an income stream from charging charities a percentage of the money raised for them is unlikely to fall within this exclusion.
Nor will an online fundraising platform accepting donations and then transmitting them to the intended recipient be able to take advantage of the exclusion in paragraph (b), as they are not a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Online fundraising platforms should also consider the guidance in Q33A."
There may be some confusion over whether a platform is an "online fundraising platform" covered by Questions 33A and 34A, as opposed to a 'donation/reward based crowdfunding platform', which I would suggest should be treated consistently with loan/investment based crowdfunding platforms under Question 9 above.


Thursday, 20 April 2017

Consultations On Supervision Of New Payment Services Regs Under #PSD2

The FCA is consulting on its approach to supervising the new regulations that will implement PSD2. It's a huge job, and delays to the release of the draft regulations have left little time to prepare for the regulations to take effect from 13 January 2018. Responses to the FCA consultation are due by 8 June 2017, and can be provided online.

The consultation is explained in the first 60 pages of the main policy document, and the detailed changes to the FCA Handbook are in the Annexes (another 217 pages' worth!), including important updates to the 'perimeter guidance' on activities that are in scope, out of scope or excluded (Annex K from page 223 of the PDF version).

The FCA has also helpfully published a mark-up showing changes to its Approach Document that explains how it regulates the current PSD. The regulations are still in draft, so the FCA's guidance may also change if the regulations do; and there are certain 'regulatory technical standards' being developed that could also produce changes over time.

I will likely publish my general observations on the FCA's proposed changes in the coming weeks, where possible.

In the meantime, my general response to the Treasury consultation on the draft Payment Services Regulations is here; and I've also previously posted on the following general issues under PSD2:

Wednesday, 19 April 2017

Financial Authorities Need A Fresh Approach To Innovation

The application of the latest technology and business models to finance ("FinTech") is sparking a debate about the role of regulators and their approach to innovation. Senior officials advocate no change, citing various experiments and distinct innovation teams or projects of their own. But the financial system will fail to keep pace with the demands of the broader economy unless a culture of encouraging innovation is embedded throughout our regulators.

Financial innovation is hog-tied to the past. Regulators are conditioned to view innovation through the lens of current services and rules, rather than to consider it afresh. New services are sidelined into policy silos, where they are 'shoe-horned' into existing rules. Regulators seem reluctant to concede that new services reveal shortcomings in existing models, or that they should drive a change in regulatory approach.

For example, Mark Carney, Governor of the Bank of England, has said that the Bank of England takes "consistent approaches to activities that give rise to the same risks, regardless of whether those are undertaken by "old regulated" or "new FinTech" firms."  This is because, he claims, "following a raft of post-crisis reforms, the Bank’s regulatory frameworks are now fit for purpose."  

Whose purpose?

Do banks adequately serve their customers?

Do they operate within the law? 

The UK's banks are a constant source of scandal, and frequently incur vast fines and compensation bills for misconduct.  New problems emerge constantly, and on a giant scale. Their role in Russian money laundering is perhaps the latest example. Many of the post-crisis reforms are also yet to take effect in the UK. The critical "ring-fencing" of retail and investment or 'casino' banking, for example, has been watered-down and won't take effect until 2019 - more than a decade after the financial crisis began - while Donald Trump is busy unwinding such reforms in the US. Whether such national initiatives will even be effective in a global system is still unclear.

Despite its name, "FinTech" represents not only the application of technology but also (usually) a customer-oriented commitment to either improve existing financial services or create alternatives that are aligned with customers' requirements. Yet the Bank of England approaches such innovation in the banking sector by asking:
  • Which FinTech activities constitute traditional banking activities by another name and should be regulated as such? Systemic risks associated with credit intermediation including maturity transformation, leverage and liquidity mismatch should be regulated consistently regardless of the delivery mechanism.
  • How could developments change the safety and soundness of existing regulated firms?  
  • How could developments change potential macroeconomic and macrofinancial dynamics including disruptions to systemically important markets? 
  • What could be the implications for the level of cyber and operational risks faced by regulated firms and the financial system as a whole?
This is not just a UK phenomenon. When it comes to assessing the application of technology to the financial system Sabine Lautenschlager, Vice-Chair of the Supervisory Board of the European Central Bank, also advocates "same business, same risks, same rules." 

Sabine says that "customers want to extend their digital life to banking; they want banking services anytime and anywhere." Yet she points to three "potential futures" for 'banking', none of which acknowledges the benefits of innovation. The only 'benign' scenario she considers is the one where banks "team up with" new entrants (or "fintechs"). A second scenario involves fragmentation into regulated and unregulated activity - nothing new, as the unregulated 'shadow banking' sector was already back at its vast, pre-crisis levels in 2015. A third is that "fintechs" might be "swallowed up by big tech companies", making the banking market "more concentrated, less competitive and less diversified" (as if banking isn't already!). But the big tech companies already have regulated financial subsidiaries (mainly offering retail payment services under EU carve-outs from the banking monopoly), and their presence in the market automatically makes it less concentrated, more competitive and more diversified.

The ECB's overall concern seems to be that banking will become less profitable, causing existing players to cut spending on risk management.  But a preoccupation with the impact of innovation on legacy players dooms the sector to over-reliance on legacy firms and inefficient models that effectively require super-normal profits to operate. Mark Carney also points out that concerns about banks cutting corners to keep up with more nimble competitors should not constrain innovation, but are instead a matter for the central bank "to ensure prudential standards and resolution regimes for the affected banks are sufficiently robust to these risks."

The ECB has some strange views on what constitutes risk.  It is said to be inherently risky, for example, that P2P lending platforms are "securitising the loans they originate from their platforms". That may be how such programmes work in the US, but over there a regulated lender makes a regulated loan and sells it to a listed entity that issues bonds under an SEC-registered prospectus. So any problems are happening right under the noses of the relevant authorities. In the UK, the lenders are free to securitise their portfolios - and several have - but that is not the role of the platform operator. Again, however, this involves regulated activity, both at P2P platform level and through the offer and listing of the relevant bonds.  The regulators are already implicated.

"Robo-advice" is also said to create the risk of investors 'herding' into the same positions at the same time, yet this already happens among regulated fund managers (and banks).  

Risks associated with 'cloud' services and outsourcing of data storage are also cited by the ECB, but these are not new risks at all, or even exclusive to financial services.  

Indeed, what regulators seem to miss is that many of the technological advances that are finally being applied to financial services under the "FinTech" banner have been applied to other sectors for over a decade.

This is not to say that new models are necessarily 'good' or effective. It can also take some time for risks to emerge.  The 'lessons' of the past and the resulting regulatory 'tools' and solutions must not be forgotten, and the old models need to be managed alongside the new. But those old models and the rules they require should not be the only lens through which all innovation is analysed. New services must also be viewed afresh.