Monday, 14 September 2020

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not execute a customer’s order if, and for so long as, the bank has reasonable grounds (though not necessarily proof) for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss.

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank).

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

  • an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
  • it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
  • it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
  • similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevent further "Quincecare" related work to resolve whether funds are being misappropriated.

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but they should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.


Wednesday, 9 September 2020

New Risk Factor On Unlawful Government Action For UK Public Offerings?

Given that yesterday's announcement by the UK government's Secretary of State for Northern Ireland was sufficiently doom-laden to trigger the resignation of the British government's most senior civil service lawyer, I wonder if it also warrants the inclusion of an additional "risk factor" in prospectuses for some UK public offerings of bonds and shares? A potential short form version is set out below (for the sake of discussion only and is not intended as advice or to be relied upon in any way). There is also, of course, a wider point about the adverse impact on the acceptability of English law as a choice of law for international contracts involving trade in goods and services...

Unlawful Government Action 

In addition to the possibility of changes in the law or regulation of the United Kingdom which may have a material adverse effect on the [Transaction Documents, the Parties and/or the Transaction], the United Kingdom government has indicated in Parliament that it intends to introduce legislation and otherwise act in breach of the provisions of its treaty with the European Union in relation to the United Kingdom's withdrawal from the European Union and related arrangements for trade in goods and services (and therefore the provisions of the European Union (Withdrawal Agreement) Act 2020 which approved that treaty). This indication, and any such violations of international and/or national law, may have a material adverse effect on the [Transaction Documents, the Parties, the Transaction] and/or some or all investors' willingness to purchase the [Notes][Shares]; and may result in material uncertainties as to their true legal position which may not be practicable to resolve or which may require the [Parties] and/or investors to await the result of relevant legal proceedings or incur significant expenditure on legal fees, costs and expenses with their respective advisers to resolve such uncertainty themselves, including via legal proceedings which may not be successful.


Monday, 7 September 2020

Transferring Prepaid Card Programmes Is Non-Trivial

Ominous news that the UK e-money subsidiary of scandal-ridden Wirecard AG is "intending to wind-down its FCA-regulated business" and that "the business will continue to trade while alternative arrangements are being made with its card providers." 

Having advised on the creation and transition of various prepaid card programmes and customers, I'm aware this is highly technical from an e-money and payments regulation standpoint, and will involve intensive 'customer due diligence' under the anti-money laundering regime, as well as a careful approach to the processing of personal data. 

The FCA claims to be "working closely with Wirecard throughout this process to ensure that its customers are treated fairly," so programme managers and any e-money issuer(s) taking them and their programmes on will need to tread carefully.

Needless to say, I'm here to help the transferring programme managers or their new e-money service providers either in the UK or in relation to any EEA programmes via Ireland.

 

Thursday, 3 September 2020

EU Regulation of Cross-border Crowdfunding Services

The EU Parliament is about to adopt a crowdfunding regulation that will enable 'European crowdfunding service providers' (ECSPs) to help businesses raise funding directly from investors across the EU more easily than they can today. The regulation calls for the related funds flows to be handled under payment services regulation, and adds operational and prudential requirements related to lending and investment in securities. I have covered the regulation in more detail for Leman Solicitors in Ireland, as the EU regulation will be of little use to UK-based platforms owing to Brexit and the end of passporting, even where the regulation applies.

Since helping start Zopa, the first peer-to-peer lending platform, in 2005 I've acted for many peer-to-peer lending platforms and some crowd-investment platforms in the UK, as well as advising in relation to e-money and payment services since 1999. If you have plans in this area, please get in touch.

 

Wednesday, 5 August 2020

Brexit-proofing... eIDAS Certificates

The European Banking Authority has just reminded firms to get ready for the end of cross-border activity between the EU and UK. Among other things, for Open Banking this means:
“account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 [the eIDAS Regulation] will be revoked.”
However, as explained by the UK's Information Commissioner, a version of the eIDAS Regulation will take effect in UK law after 1 January 2020 (by virtue of the snappily titled Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019/89). 

This means UK law will continue to recognise EU registered qualified trust service providers, with the intention that UK-based organisations can continue to use EU-based trust services as well as UK-based trust providers. The approved trust providers that appear in the eIDAS trusted list for the UK immediately before the end of the transition period will remain on the list for the new UK scheme after transition ends. But the certificates issued under the UK scheme - or by EU service providers to UK-based firms - will not be recognised in the EU (or EEA).

Of course, it's a practical/commercial issue as to whether EU-based trust service providers will continue issuing certificates to UK firms after Brexit transition ends…


Monday, 20 July 2020

New Basis/Rules For UK Participation In SEPA From 1 January 2021

The European Payments Council has issued a press release on the impact of Brexit on Single Euro Payments Area (SEPA), regardless of whether the UK leaves with or without a deal. I have summarised some key data changes below. Firms with queries should email their local national SEPA adherence body. The EPC has previously outlined the implications of a no-deal Brexit on SEPA transactions.

The UK will remain a participant in SEPA but the rules that apply to transactions to and from the UK and countries in the European Economic Area (EEA) from 1 January 2021 will be the rules that apply to transactions between EEA countries and non-EEA countries.

So the required content of SEPA instructions to be executed or settled on or after 1 January 2021 involving a UK-based firm that participates in the SEPA scheme will be:
  • for SEPA Credit Transfers (SCT) and SEPA Instant Credit Transfer (SCT Inst): instructions from the originator should include the full address details of the originator and the Bank Identifier Code (BIC) of the beneficiary bank, when the originator bank explicitly requests this data element from the originator; and
  • for SEPA Direct Debit (SDD) Core and SDD Business to Business (B2B): collection files from the creditor should include the full address details of the debtor and the BIC of the debtor bank, when the creditor bank explicitly requests this data element from the creditor.
Failure to include these additional transaction details may lead to rejected transactions or other issues from the scheme participant receiving the payment message (beneficiary/debtor bank or their respective interbank clearing and settlement partners). 

UK-based SEPA members should therefore identify their customers that have cross-border SEPA transactions involving both a UK and an EEA payment account, and inform them of the need to provide the extra transaction data from 1 January 2021 (as either execution or settlement date). 


Thursday, 16 July 2020

FCA E-money and Payments Safeguarding Update - Clarity On Financial Services Compensation Scheme

The Financial Conduct Authority recently issued temporary updated guidance on the safeguarding obligations of e-money and payments institutions. There were several points that I raised during the consultation on the temporary guidance, but I acknowledge there might not have been adequate time or resources to address them. Indeed, they might be dealt with in the wider consultation due in 2020/21 on changes to the FCA's general guidance on e-money and payments regulation in the Approach Document. In the meantime, I have long been particularly interested in whether e-money and payments firms should be expected to explain the extent to which the Financial Services Compensation Scheme (FSCS) might protect deposits held by those firms with any bank that became insolvent. This is not a fanciful issue, as the insolvency of Wirecard AG has demonstrated. Wirecard's bank subsidiary is under 'emergency management' of the German financial regulator, while the FCA has allowed the e-money subsidiary to reopen after an unfortunate snap-freeze. I should point out that this post is for information purposes only, does not constitute legal advice and should not be relied upon to make any decision. Please contact me if you need assistance on any of the issues covered.

The FSCS covers eligible deposits held at banks, and not the services offered by or the electronic payment accounts of e-money or payment institutions. So the FCA is right to say that e-money and payments firms should not suggest to their customers that the FSCS applies to their activities or the accounts in their systems.  

However, there needs to be clarity on the extent to which there could be pass-through FSCS cover for the end-customers of e-money or payment institutions where money is held in an institution's 'safeguarding' bank account at a bank which itself becomes insolvent (as opposed to the e-money or payment institution becoming insolvent), under the provisions of the Depositor Protection rules in the Prudential Regulation Authority Rulebook.

For convenience the relevant provisions are:
  • Paragraph 1.26 of the updated FCA guidance states (as does the Approach Document): 
Payment and e-money firms should also avoid suggesting to customers that the relevant funds they hold for them are protected by the Financial Services Compensation Scheme. 
"relevant funds" are either funds that have been received in exchange for issued e-money or sums received from, or for the benefit of, a payment service user for the execution of a payment transaction or sums received from a payment service provider for the execution of a payment transaction on behalf of a payment service user; and they must be held in a certain type of bank account ('safeguarding account') or be appropriately insured.
  • DP 6.2(5) contains the obligation on the FSCS to pay compensation where the bank account holder is not absolutely entitled to the eligible deposit, and another person (A) is absolutely entitled (see DP 6.10 below);
  • DP 6.3 mentions trustee (other than bare trustees) and entitlements of beneficiaries, without being specific as to whether these might be statutory or non-statutory trust arrangements; and
  • DP 6.10 provides: 
“For the purposes of this Part, the cases in which A is absolutely entitled to the eligible deposit include where:
(a) A is a beneficiary under a bare trust;
(b) the account holder is a nominee company which is holding money in the account for A;
(c) A is a client in respect of money which the account holder is treating as client money of A in accordance with FCA rules, the SRA Accounts Rules 2011 or an equivalent regime; or
(d) the FSCS is otherwise satisfied that A is absolutely entitled to the eligible deposit taking into account any information that the FSCS considers relevant.”
Therefore, it seems to me that, in the event of the insolvency of the bank where an e-money or payment institution's safeguarding account is held:
  • the end-customer of the e-money/payments institution should have recourse against the bank under Depositor Protection rules for money in the safeguarding account (to which he or she is beneficially entitled via a claim on the relevant funds under the E-money/Payments Regulations) up to the £85,000 limit (extended in some cases for temporary high balances). This would be consistent with the position in relation to funds held in bank accounts covered by the FCA's client money rules (CASS), as well as other arrangements under the Solicitors Regulation Authority rules relating to solicitors' client accounts, for example. The PRA made clear this applied to peer-to-peer lending platforms, before those platforms became regulated by the FCA and were generally operating as bare trustees.
  • In addition, while they could not be entitled to be compensated twice, under trust principles, end-customers should also be entitled to receive a proportion of any FSCS pay-out that the e-money or payment institution might receive as a customer of the bank in its own right in relation to the safeguarding account, according to the proportion that those end-customers’ funds bear to the total amount held in the safeguarding account. 
I would be interested to know the views of any other practitioners in this area.

Again, this post is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article. Please contact me if you need assistance on any of the issues covered.