
Wednesday, 14 August 2019

UK Delays Anti-fraud Measures For Banking And Payments

It seems payments legislators wrote checks the industry couldn't cash... The UK's Financial Conduct Authority has announced a delayed ‘migration plan’ for phasing in compliance with the Strong Customer Authentication requirements by March 2020 for internet banking and March 2021 for e-commerce transactions, instead of 14 September 2019. The FCA made a separate announcement for consumers.

Update: The FCA has also written to the CEOs of payment service providers it supervises, commending the plan from the trade body, UK Finance, for meeting the deferred timeline. This will see SCA phased in from February 2020 for merchants who are ready, with support from the card schemes in driving adoption of the 3D Secure protocol (3DS 2.1/2) from March/September 2020.

This follows the guidance issued in June by the European Banking Authority that EU national regulators could agree specific migration plans (although I'm not sure the EBA expected industry-wide delays!).

The FCA says that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. 

It will be interesting to see how much progress is really made in the next 6 to 18 months...


Tuesday, 6 August 2019

FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by the end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:
  • from, or for the benefit of, a user for the execution of a payment transaction; 
  • from a payment service provider for the execution of a payment transaction on behalf of a user; or 
  • in exchange for electronic money that has been issued,
where they continue to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP. A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.


Monday, 5 August 2019

UK FCA Guidance on Regulation of CryptoAssets

The regulation of 'cryptoassets' including cryptocurrencies is under permanent review, with the UK's Financial Conduct Authority perhaps the latest financial regulator to finalise its guidance. Despite the often-repeated statement that financial regulation is 'technology-neutral', the decentralised nature of cryptographic or 'distributed ledger technology' (DLT) is awkward because there is no central issuer, operator or service provider to which regulatory responsibility and accountability can be attached. Add to that the flexibility of DLT and the wide range of use-cases, and you have the recipe for widespread regulatory confusion.

The guidance itself is set out in Appendix 1 to the FCA's paper (pp 29-54), including useful case studies and examples, but I've only discussed the different types of cryptoasset below - including a new category added by the FCA.

The FCA's guidance in this context is also separate from:
The guidance may also change pretty quickly because:
  • the FCA itself will consult on banning the sale of derivatives linked to certain types of unregulated cryptoassets to retail clients;
  • the UK Treasury will consult on whether (further) regulation of (unregulated) cryptoassets is required; and
  • other countries may regulate in a way that makes sense for the UK to match.

What Are Cryptoassets?

Like the regulatory authorities in most developed markets, the FCA initially embraced the idea that cryptoassets can be defined in terms of three types of cryptographically-generated 'tokens': exchange tokens, utility tokens and security tokens.

But the FCA has now added a fourth category of "e-money tokens" (those which meet the definition of "electronic money" discussed below). The intention is to leave exchange tokens and utility tokens outside the regulatory perimeter as "unregulated tokens"; and to differentiate the use of tokens as e-money from security tokens (which carry rights and obligations that are essentially the same as specified investments covered by existing securities regulation).

"Stablecoins" don't constitute a separate category because while they're all structured in a way that seeks to limit changes in their perceived value, those structures vary a lot. Some could meet the definition of e-money (e.g. equating in value to a fiat currency and meeting the other requirements), or a security ('backed' by other securities), while others would not.

So, basically, the FCA considers that only e-money tokens and security tokens will be regulated. But note that firms which are already regulated by the FCA may have regulatory obligations relating to their unregulated activities where they are carried out by the regulated firm in connection with, or held out as being for the purposes of, a regulated activity. In such cases, the FCA's 11 Principles for Business (PRIN) and individual conduct rules under the Senior Managers and Certification Regime (SMCR) will still apply. The FCA also works with other agencies to indirectly mitigate harm from other types of unlawful activity involving cryptoassets.

It's also possible that tokens could shift categories over time, or meet the definitions of two or more types. The FCA says that: 
"...the regulatory treatment depends on the token’s intrinsic structure, the rights attached to the tokens and how they are used in practice. If the token at a point in time reaches the definition of an e-money token or a security token, then it will fall under regulation. We have provided additional case studies on the fluidity of tokens within the Guidance."

Exchange Tokens

These are cryptoassets that are decentralised and primarily used as a means of exchange (e.g. ‘cryptocurrencies’, ‘crypto-coins’ or ‘payment tokens’) that are typically designed to provide limited or no rights for the holder, and there is usually no (single) issuer to enforce rights or make claims against.

The FCA does not want to regulate exchange tokens themselves (without a change in the law), but may already regulate the participants at either end of the exchange, for instance, where the cryptoasset is used by regulated payment service providers to more efficiently facilitate the processing of payment transactions in 'fiat' currency. 

Anti-money laundering regulation may also apply (particularly from 10 January 2020), but the FCA sees this as separate from its financial regulatory perimeter (even though it is also a supervisory authority for AML regulation).

Utility Tokens

These are cryptoassets that provide users with access to a current or prospective product or service and often grant rights similar to pre-payment vouchers. Again, these are unregulated where they just provide this type of utility.

Security Tokens

These are cryptoassets with essentially the same rights as regulated investment instruments (securities) such as shares, debentures or units in a collective investment scheme; and the FCA says it will regulate these the same way they regulate their traditional cousins.

Of course, security tokens are often distributed by means of 'initial coin offerings' and/or 'airdrops' that cross multiple jurisdictions, each of which may treat/regulate them differently. The problem with consistent international regulation is that (certainly outside the 31 countries in the European Economic Area) there are differences in the classification and regulatory treatment of securities that will also affect crypto-securities with the same characteristics. The FCA points to bilateral harmonising efforts and multilateral discussions through the Global Financial Innovation Network (GFIN), the International Organization of Securities Commissions (IOSCO), the European Commission (EC) and the European Supervisory Authorities (ESA) - and one could add central bank co-ordination on the impact of cryptoassets on fiat currencies and currency regulation via the Bank for International Settlements.

E-money Tokens

These are tokens that meet the definition of "electronic money" in the Electronic Money Regulations 2011 (derived from the second EU E-money Directive):
electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions [as defined in PSD2], and which is accepted by a natural or legal person other than the electronic money issuer;
There are also certain specific exclusions, which include instruments used within 'limited networks', but that's worth a whole series of posts in itself.



Friday, 12 July 2019

Explainability Remains The Biggest Challenge To Artificial Intelligence

You might think that understanding and explaining artificial intelligence is becoming a job in itself, but it has actually become part of everyone's job. This struck me particularly hard while reading the recent report from UK Finance (and Microsoft), on the role of artificial intelligence in financial services. It shows that organisations are treating AI as a project or programme in itself, and struggling with where to pin responsibility for it, when actually their use of AI (and existing exposure to it through ad networks etc) means it's already loose in the world. That makes "explainability" - of AI itself and its outcomes - absolutely critical.

What is AI?

The first challenge is understanding what is meant by "AI" in any given context. In this report, the authors generally mean "a set of technologies that enable computers to perceive, learn, reason and assist in decision making to solve problems in ways that mimic human thinking."

We seem to have moved on from the debate about whether AI will ever move far beyond "narrow AI" (better than humans at some tasks like chess, Go or parsing vast quantities of data) to "general AI" (as good as a human mind) to superintelligence (better than humans, to the point where the machines do away with us altogether).

It seems widely accepted that we are (still) developing narrow AI and applying it to more and more data and situations, with the vague expectation (and concern) that one day it might become "general". 

The next major challenge is explaining each technology in the "set of technologies" that encompass AI. Not all are spelt out in the report, but I understand these technologies to include machine learning, neural networks, deep learning networks, natural language processing, speech and acoustic recognition, and image and facial recognition. The report notes they are often used in conjunction (e.g. scanning documents for hints of fraud, robotic process automation ("RPA") and personalising services for individuals or groups of customers). And it's important to understand that one or more technologies will be combined with devices or other machines in the course of biometrics, robotics and the operation and co-ordination of autonomous vehicles, aircraft, vessels and the 'Internet of things' - not ordinarily thought of in terms of financial services, but the data and decision-making in the context of these uses will be relevant for many financial institutions.

Each new report seems to bring a nugget or two of new jargon to understand, and this one alerted me to the use of "Random forests". 

What is a good use-case for AI?

The good news for the human race is that the authors recommend combining artificial and human intelligence rather than allowing the machines to work alone toward our extinction. AI can build on human intelligence by recognising patterns and anomalies in large amounts of data (think fraud detection) and can scale and automate repetitive tasks in a more predictable way to analyse and try to predict risks. The report suggests that AI Nirvana for UK financial institutions is fully automated customer on-boarding, personalised customer experience, retail advice and proactive financial management.

You might have spotted that the last two aspirations will be particularly exciting for fans of financial 'scandals'... and it's worth noting that the report on the health and motor insurance sectors added pricing, underwriting, claims handling, sales and distribution...

UK Finance rightly points out that organisations need to consider the implications of AI beyond the technical (or technological), particularly when used in the core of their businesses. Specifically, there are implications for culture, behaviour and governance from the business, social and economic perspectives. Privacy, safety, reliability, fairness (lack of bias and discrimination) are critical to safeguard, as well as adapting the workforce, communities and society for the impact on employment and skills. Again, AI can't be treated as separate or managed in a silo; and it's a challenge for all stakeholders, including regulators and governments.

Yet, while AI might be pervasive in its impact and effects, that does not mean it is ripe to be deployed in every situation (as is the case with applying process improvement methodologies like Six Sigma). The report provides some insight into identifying where AI is the right solution, as well as high-value use cases, levels of AI maturity and capabilities; and how to scale and measure returns on investment and business impact.

The Thorny Issue of Explainability...

While the UK Finance report is intended as an overview, a major criticism I have is that it only sounds a note of caution on the worrying issue of "explainability" without pointing out that explainability is not possible with technologies that have "hidden" layers of computing, such as artificial neural networks and deep learning. The report merely cautions that: 
"Where firms identify a trade-off between the level of explainability and accuracy, firms will need to consider customer outcomes carefully. Explainability of AI/ML is vital for customer reassurance and increasingly it is required by regulators."
This is the point where the fans of financial scandals start stockpiling popcorn.

The relevant shortcomings and concerns associated with explainability are covered in more detail in my post on the report into the health and motor insurance sectors, including the South Square chambers report. But in summary, these mean that neural and deep learning networks, for example, are currently only really appropriate for automating decision-making where "the level of accuracy only needs to be "tolerable" for commercial parties interested only in the financial consequences... than for... issues touching on fundamental rights." 

Yet the UK Finance warning not only assumes that the use of AI and its outcomes is known by or can be explained to people within the organisation (when that may not be the case), but also assumes that organisations understand what the trade-off between explainability and accuracy means; the implications of that; and therefore whether a given use-case is actually appropriate for the application of AI technologies. A critical issue in that analysis is how to resolve any resulting disputes, whether in the courts or at the Financial Ombudsman, including identifying who is responsible where AI computing has been outsourced and/or there are multiple external sources of data.

None of this is to say, "Stop!" (even if that were possible), but it's important to proceed with caution and for those deploying and relying on AI to be realistic in their expectations of what it can achieve and the risks it presents...

Monday, 24 June 2019

EBA Gives Some Leeway On SCA

There has been increasing concern that the e-commerce world won't be ready for the introduction of "strong customer authentication" (or two-factor authentication) for electronic and remote payments on 14 September 2019. The checks apply to electronic and remote payments, which include payments online, as well via mobile devices, kiosks or other machines. It is feared many aren't aware of the new checks or the potential that checks will lead to failed or abandoned transactions, causing a hit to retailers' and payment service providers' revenues. The European Banking Authority now says local financial regulators may provide limited additional time to payment service providers to introduce compliant processes “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users" on that date. 

Specifically, the PSPs must have agreed a migration plan with their regulator and execute it "in an expedited manner." The regulator should monitor the execution of the plans "to ensure swift compliance..." 

The opinion also contains tables listing the types of features that will (or, in marginal cases, will not) constitute compliant elements for the purpose of SCA (at least two of the three independent elements "inherence", "possession" and "knowledge" - i.e. something the customer is, something the customer possesses, or something the customer knows).

There is also guidance on how to satisfy the additional requirements for "dynamic linking" (to ensure the SCA elements link the transaction to an amount and the specified payee when initiating the transaction) and that the SCA elements be independent of each other.

The EBA issued an earlier opinion and a Q&A on how all this applies, but it remains to be seen how many retailers are aware of the new requirements at all, let alone the potential impact on customer experience and 'conversion' (customers dropping out at the payment step when asked to complete one or more additional authentication steps).

Whether payments are affected depends on whether PSD2 applies - some may be out of scope based on currency or location, while others may be within the scope of PSD2 but excluded. There is then a question whether the transaction is interpreted to be one caught by the SCA requirement. Is it remote or electronic and initiated by the payer (rather than being a 'merchant initiated transaction')? Even transactions that are in scope may not be caught if the issuer (not the merchant or acquirer) of the payment instrument/account applies any of the potential exemptions:
  • Low-value transactions: up to €30 per transaction (and no more than five consecutive transactions, or a cumulative €100, since the last SCA check);
  • Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction only);
  • Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
  • Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
  • Contactless: up to €50 per transaction (and no more than five consecutive transactions, or a cumulative €150, since the last SCA check);
  • Unattended terminals: only for paying transport fares or parking fees;
  • Low-risk of fraud ('transaction risk analysis'): as determined by the issuer, by reference to the fraud rate of the PSP applying the exemption (issuer or acquirer) rather than of an individual merchant or channel, with different reference fraud rates for cards and credit transfers.
The FCA will apply the SCA standards in the UK even if Brexit occurs.
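The dynamic-linking requirement and the counter-based exemptions above are mechanical enough to show in code. The following Python is an added example written for this post, not the EBA's, the FCA's or any card scheme's implementation. It binds an authentication code to the amount and payee with an HMAC (real deployments use the scheme's own mechanism, such as 3-D Secure or an EMV cryptogram, but the property being checked is the same), and it keeps the per-instrument counters behind the remote low-value and contactless exemptions using the thresholds quoted above. The key, challenge, merchant identifiers and amounts are constructed for the demo; the count and cumulative ceilings are enforced together, which is the conservative reading (an issuer may rely on either).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Constructed demo key. In practice the issuer derives this from the payer's
# registered possession element (a key on the enrolled device or card).
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def authentication_code(key: bytes, amount_cents: int, payee: str, challenge: bytes) -> str:
    """Authentication code dynamically linked to amount and payee.

    The code is an HMAC over (amount, payee, issuer challenge). Changing the
    amount or payee after the payer authenticated yields a different code,
    which is the property dynamic linking demands.
    """
    message = f"{amount_cents}|{payee}|".encode() + challenge
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_dynamic_link(key: bytes, amount_cents: int, payee: str,
                        challenge: bytes, code: str) -> bool:
    """Issuer-side check: recompute the code for the transaction as actually
    submitted and compare in constant time."""
    expected = authentication_code(key, amount_cents, payee, challenge)
    return hmac.compare_digest(expected, code)


@dataclass(frozen=True)
class Limits:
    """Per-transaction ceiling and since-last-SCA ceilings, all in cents."""
    per_transaction: int
    max_count: int
    max_cumulative: int


# Thresholds as quoted in the post for remote low-value and contactless payments.
REMOTE_LOW_VALUE = Limits(per_transaction=3000, max_count=5, max_cumulative=10000)
CONTACTLESS = Limits(per_transaction=5000, max_count=5, max_cumulative=15000)


@dataclass
class InstrumentState:
    """Counters the issuer keeps per payment instrument since the last SCA."""
    count_since_sca: int = 0
    cumulative_since_sca: int = 0


def decide(state: InstrumentState, amount_cents: int, limits: Limits,
           merchant_initiated: bool = False) -> str:
    """Return 'out_of_scope', 'exempt' or 'sca' and update the counters.

    Merchant-initiated transactions fall outside the SCA requirement. Both the
    count and the cumulative ceiling are enforced here (conservative: the RTS
    lets an issuer rely on either), and the current amount is included when
    testing the cumulative ceiling.
    """
    if merchant_initiated:
        return "out_of_scope"
    exempt = (
        amount_cents <= limits.per_transaction
        and state.count_since_sca < limits.max_count
        and state.cumulative_since_sca + amount_cents <= limits.max_cumulative
    )
    if exempt:
        state.count_since_sca += 1
        state.cumulative_since_sca += amount_cents
        return "exempt"
    # SCA is applied to this payment; a successful SCA resets the counters.
    state.count_since_sca = 0
    state.cumulative_since_sca = 0
    return "sca"


def run_sequence(amounts_cents: List[int], limits: Limits) -> List[str]:
    """Decide a series of payer-initiated payments on one fresh instrument."""
    state = InstrumentState()
    return [decide(state, amount, limits) for amount in amounts_cents]


if __name__ == "__main__":
    challenge = bytes(16)  # constructed issuer challenge; use a fresh random one per transaction
    genuine = authentication_code(DEMO_KEY, 2500, "GB-MERCHANT-001", challenge)
    print(verify_dynamic_link(DEMO_KEY, 2500, "GB-MERCHANT-001", challenge, genuine))  # True
    print(verify_dynamic_link(DEMO_KEY, 9900, "GB-MERCHANT-001", challenge, genuine))  # False: amount changed
    # Four EUR 25 payments are exempt; the fifth would take the running total
    # past EUR 100, so SCA is applied and the counters restart.
    print(run_sequence([2500, 2500, 2500, 2500, 500, 2500], REMOTE_LOW_VALUE))
```

A tampered amount or payee fails verification even though the payer's code was genuine, which is the whole point of dynamic linking: the merchant cannot reuse an authentication for a different transaction. In the payment sequence, the fifth payment forces SCA because it would push the cumulative total over €100, and the counters start again afterwards; swap in CONTACTLESS to see the €50/€150 limits behave the same way.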

Thursday, 20 June 2019

Buy Now Pay... Earlier

Retailers have always been fond of "buy now pay later" offers, but perceived abuses (or lack of clarity) discovered by the FCA must end by November. 

Typically, a BNPL credit offering involves a 'promotional period' of 3 to 12 months in which no repayments are required and no interest is payable at all if the consumer repays in full during the promotional period. After the end of that period, repayment obligations begin; and interest is charged for the promotional period. Uncertainty arises where the consumer only makes partial repayments during the promotional period. Some creditors ignore partial repayments and still charge interest on the entire amount of credit for the promotional period, at least until the date of the partial repayment(s). This means that consumers who are uncertain whether they'll be able to repay in full during the promotional period also don't know whether to make part repayments. Even only narrowly missing full repayment in the promotional period could mean paying interest on the full amount of credit anyway - or nearly the full amount.

These types of offers could be either on a 'fixed sum' basis for a one-off purchase, or on a running account basis for each product purchased during any given month on a store card, for example, making it tough to understand which partial payments are credited to which purchase.

BNPL offers are not the same as genuine "payment holiday" features, where interest is still being charged during the 'holiday' period when no repayments are due. Nor are they necessarily the same as a 0% APR offer that you see on cars, for example, where no interest at all is payable for a certain period (so long as there is no discrimination against partial repayments before the interest-free period expires). Credit cards effectively have a much shorter interest-free period of up to two months on each purchase (so you need to clear the whole running balance in that time).

The FCA wants BNPL consumers to be free to repay as much as possible during the promotional period, so they incur less interest. Changes to the FCA's consumer credit rules (CONC) will require clear information to be given about BNPL credit offers, so consumers know the consequences of not repaying the full balance by the end of the offer period, with a reminder that the offer period is about to end.

The FCA will also prevent creditors claiming more interest on any amounts repaid during the promotional period than would be payable if they repaid the full amount, so consumers get the benefit of making partial repayments even if they don't clear the full amount of credit in that time. 

Creditors must comply with the disclosure rules by 12 September 2019, and must stop claiming interest on partially repaid amounts by 12 November 2019 for purchases after that date.


Wednesday, 19 June 2019

Extension of FCA Principles And Marketing Rules To Payment Service Providers

From 1 August, the Financial Conduct Authority will begin to enforce its Principles of Business and certain rules on marketing and communications against the payment service providers that it regulates.

The FCA explained its approach in a policy statement earlier this year, but it was likely put off as a summer project, and Brexit will have been a distraction for many. At any rate, chapters 2, 3 and the rules in Annexes A-C are the key parts to read.

Some Key Points

Because many PSPs also provide unregulated services that are allied to their regulated activity (e.g. gateway services and other "technical services" as well as unregulated foreign exchange and e-commerce services), it's important to note that the FCA's high level Principles will also apply to unregulated activities that are "connected" to regulated e-money or payment services. The FCA is refusing to clarify exactly what that means, since the list is long, and this may lead to 'regulatory creep' to the extent PSPs err on the side of caution. 

Equally, a PSP's compliance with the Principles (and even the marketing rules) can be affected by the activities of other group companies - e.g. faulty centralised fraud or risk management systems or other outsourced support services; or misleading ads for an unregulated service that is deemed to be "connected" with the PSP's regulated service.

The FCA is particularly anxious about the misleading promotion of currency transfer services (and 'connected' foreign exchange services, even if unregulated).

The FCA does not care that there is overlap with other advertising and communications requirements - as there is for banks (the 'new' rules on marketing and communications are created by applying the FCA's existing Banking Conduct of Business (BCOB) rules to PSPs). But the FCA does confirm that these rules cannot cut across EU-derived regulations (wither Brexit?).

Next Steps

The extension of the Principles and the marketing rules to PSPs means they will likely need to update various internal policies and procedures, e.g. those dealing with:
  • Governance (reporting lines and responsibilities to control operational risks);
  • Marketing and communications (the policy and procedures for sign off on your ads and communications to ensure they are clear, fair and not misleading) particularly for payment services involving currency transfer services - and any "connected" unregulated activities; and
  • Treating Customers Fairly (with appropriate cross references to other policies). 
That summer project starts now!