Thursday, 7 December 2017

Are UK Retailers Ready for The Ban On Payment Charges To Customers?

As mentioned previously, UK retailers won't be able to charge their customers a fee for using most forms of payment from 13 January 2018, and must refund any charges that violate the ban or limit. Certain surcharges within the scope of the regulations will remain permissible, but must not exceed the actual costs incurred in accepting the relevant payment method.

Customers will have teeth. Any contractual term requiring payment of a problem fee will be unenforceable to the extent of the excess charged, and will be treated as requiring the excess to be repaid. These rights can be enforced in the courts or alternative dispute resolution schemes. Customers might also initiate chargebacks for the excess amounts via their card issuer (or make a claim against the issuer under section 75 of the Consumer Credit Act).

Local Trading Standards authorities will have to consider complaints they receive from payers concerning prohibited charges, and must then decide whether to apply for an injunction or any other appropriate relief or remedy against the relevant payee or to accept undertakings to avoid court action. They must also notify the Competition and Markets Authority of any undertakings or the outcome of proceedings taken, which will be publicised for their reputational impact.

In addition, the authorities may seek enforcement orders under the Enterprise Act 2002. Where there is collective harm, the court can restrain continued or repeated conduct. 

I should add that the above restrictions apply to any "payee", not just retailers, as well as to bank transfers and direct debits in euros. They also cover business “payers”, not just consumers. However, excluded from the ban are charges for using commercial payment instruments - issued to businesses, public sector entities or the self-employed and limited to use for business expenses where the payments are charged directly to their account. But charges for using those must only cover the cost to the retailer of using that specific payment instrument.

The restrictions have been introduced in The Consumer Rights (Payment Surcharges) Regulations 2012 by the Payment Services Regulations 2017.

Update on 15.12.17: The government has now published its revised guidance on the Regulations, taking into account the ban introduced from 13 January 2018, as well as how to calculate appropriate surcharges where they are expressly permitted.

Wednesday, 22 November 2017

FCA Launches PSD2 Navigator

The Financial Conduct Authority has always led its EU counterparts in explaining its approach to regulating payment services, and continues to do so in spite of Brexit. 

The FCA had already published its "Approach" document for the new Payment Services Regulations 2017 (incorporating its approach to supervising the Electronic Money Regulations 2011) and has now launched a higher level web page to help navigate the impact and benefits of the new regulations.

This will be of most help to firms offering the new "account information services" and "payment initiation services", as well as retailers operating loyalty programmes that transact over €1 million in any 12 month period starting from 13 January 2018 and various other exclusions.

It is important to consider at the outset, however, whether your firm is offering payment services as a regular occupation or business.

Monday, 9 October 2017

Red Alert: Retailers With Loyalty Programmes

Three years after being announced in the UK and I suspect many retailers are yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also warns, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

Wednesday, 27 September 2017

FCA to Regulate All Employees Of Financial Firms

The Financial Conduct Authority is consulting on the extension of its "Senior Managers and Certification Regime" (SM&CR) to all firms that are regulated by the FCA under the Financial Services and Markets Act 2000 (which excludes e-money/payment institutions, for example, unless they have dual authorisations).

This will replace the "Approved Persons" regime and extend some requirements to all employees.

Consultation ends on 3 November, and the extension is likely to take effect from early in 2018. 

This means you should study the proposals and begin to plan how to comply, particularly as HR staff/advisers will also need to be involved.

Wednesday, 20 September 2017

Consultation: Contract Guidance for Data Controllers/Processors Under #GDPR

The Information Commissioner has published draft guidance for data controllers and processors on their contracts and liabilities under the General Data Protection Regulation, for comment by 10 October 2017. GDPR takes effect in the UK from 25 May 2018, but a lot of preparation is required, including reviewing and updating contracts for personal data processing.

The guidance is intended to explain what data controllers must include in contracts; and what responsibilities and liabilities data processors have under the GDPR.

As a sign of the complexity and uncertainty in this area, the ICO adds that its guidance "will need to continue to evolve to take account of any guidelines issued in future by relevant European authorities... as well as our developing experience of applying the law in practice"...

Tuesday, 19 September 2017

FCA Publishes Final Approach and Rules Implementing #PSD2

The FCA has today published its final policy statement on how it will supervise the Payment Services Regulations 2017 (implementing the second Payment Services Directive, or PSD2).

I haven't digested it fully yet, but following earlier consultations, the FCA explains that it has amended its approach in various respects, particularly, its perimeter guidance on the new account information services and payment initiation services, complaints handling and reporting and conduct of business requirements. There is a table summarising the updates on page 6 of the policy statement.

I may post on any significant changes separately.

Further updates will be required when certain regulatory/implementing technical standards (RTS/ITS) and EBA Guidelines are finalised in late 2017 and early 2018, including EBA Guidelines on operational and security risk, and fraud reporting.

In the meantime, various draft application forms for authorisation and reporting have been published, with the final versions to be available for applications from 13 October 2017.  As explained in my earlier post, the FCA recommends waiting until then, even if you are making an application under the current regulations - otherwise it will need to be updated or re-assessed.

Tuesday, 12 September 2017

FCA Weighs In On #InitialCoinOfferings

The Financial Conduct Authority has just published its thoughts on "initial coin offerings" (ICOs), the issue of cryptographic tokens or 'currency'. There is already a wide variety of purposes for ICOs, making them much harder to classify than your typical stock market "initial public offering" (or IPOs) with which some people seem to be equating them.  The FCA has also provided links to guidance from: 
Many additional risks also arise from the nature of the 'coins' or cryptographic currency and whether there is a market for those - quite apart from the purpose for which funds are being raised and/or invested in - as well as the distributed ledger in which they and related transactions are based. We are a long way from the usual stakeholders (like regulators) understanding and engaging with the new technology, let alone standardising any kind of process for doing ICOs as 'efficiently' as IPOs or even traditional technology projects (hopefully more so!).

I have no reason to think ICOs won't necessarily become fairly commonplace in due course, but it's appropriate for the regulators to be treading cautiously at present - although they should be supportive of genuine attempts to innovate in this area and engage positively with issuers while warning investors of the risks.

Here's a helpful ICO 'tracker' from CoinDesk.


Monday, 11 September 2017

Top Tip: Make Any UK Applications Under #PSD2 From 13 October 2017

The FCA has published several web pages explaining the new authorisation/registration process under the Payment Services Regulations 2017 ("PSRs 2017") and similar process in the existing Electronic Money Regulations 2011 ("EMRs") that are updated by the new PSRs 2017. Basically, firms are "strongly encouraged" by the FCA to make their applications on or after 13 October 2017.

For payment institutions:
"You will be able to submit applications under PSD2 from 13 October 2017, giving you the opportunity to become registered or authorised under the PSRs 2017 from 13 January 2018.
Rather than applying under the PSRs 2009, you are therefore strongly encouraged to make your application under the PSRs 2017, on or after 13 October 2017.
If you decide to apply under the PSRs 2009 and we have not determined your application by 13 January 2018, we will treat your application as being made under the PSRs 2017. This means you will be required to provide more information to us, as required under the new regime [which would likely slow the process down]. If we have determined your application under the PSRs 2009 by 13 January 2018, you will need to submit an application to re-register or become re-authorised under PSD2 and the PSRs 2017, and pay an additional application fee.
Businesses applying for re-authorisation under PSD2 will need to submit a complete application by 13 April 2018 in order to continue operating on or after 13 July 2018.
Businesses applying for re-registration will need to submit a complete application by 13 October 2018 in order to continue operating on or after 13 January 2019."

For e-money institutions:
"You will be able to submit applications under PSD2 and the amended EMRs, from 13 October 2017, giving you the opportunity to be registered or authorised under the new regime from 13 January 2018.
Rather than applying under the current EMRs, you are therefore strongly encouraged to make your application under PSD2 and the amended EMRs, on or after 13 October 2017.
If you decide to apply under the current EMRs and we have not determined your application by 13 January 2018, we will treat your application as being made under the amended EMRs. This means you will be required to provide more information to us, as required under the new regime [which would likely slow the process down]. If we have determined your application under the current EMRs by 13 January 2018, you will need to submit an application to re-register or become re-authorised under PSD2 and the amended EMRs, and pay an additional application fee.
Businesses applying for re-authorisation or re-registration under PSD2 will need to provide all the information we need with an application by 13 April 2018 in order to continue operating on or after 13 July 2018."

Thursday, 27 July 2017

Of Card Payments, Consumer Protection, SMEs and Merchant Aggregators

Consumer advocates have raised the issue of some uncertainty about which credit card transactions benefit from the statutory right to pursue the card issuer if a merchant makes a misrepresentation or breaches the contract for sale of an item (see the April article from MoneySavingExpert). Many do not realise that the uncertainty arises from arrangements that enable small businesses to accept card payments, overlooking important benefits to SMEs and consumers alike. If SMEs (which represent 99% of UK businesses) cannot accept card payments, consumers may find it less convenient to deal with them, threatening their livelihoods and over half the UK's new jobs, while also reducing consumer choice and competition for large retailers. The statutory right is also subject to exceptions that mean the transaction might not be covered anyway. Yet cardholders still have 'chargeback' rights under their card terms, which are more generous and involve less hassle than making a statutory claim.  So, my own view is that the benefit of enabling small traders to offer their customers the convenience of paying by card outweighs the potential lack of a statutory claim against the card issuer, because the cardholder has the greater comfort of being able to initiate a chargeback anyway. 

Statutory Rights

Consumer credit transactions that involve the borrower (e.g. a credit cardholder), the creditor (e.g. a credit card issuer) and a supplier (merchant) under the same agreement benefit from a provision of the Consumer Credit Act (CCA) that makes the creditor liable for any misrepresentation or breach of contract relating to the sale of the item (section 75). Various exclusions apply. For instance, it only covers items over £100 up to £30,000 and it does not cover or must be more than Another provision covers transactions where the credit agreement did not directly involve the supplier but was specifically linked to the sale of a specific item (section 75A). Again, however, there are exceptions and it only applies to transactions for an amount exceeding £30,000 up to £60,260, so it is unlikely to be relevant to card transactions.

Chargeback Rights

Under rules governing the operation of the card schemes, such as MasterCard, card transactions can be reversed or 'charged back' in various cases including cardholder dispute within 180 days of the transaction. This right is wider than the statutory right under section 75 of the CCA because it applies to debit card transactions as well as credit card transactions, and the reasons for initiating a chargeback go well beyond the scope of the statutory right (see the list of reasons on page 54).

Merchant Aggregators

Card schemes operate by enabling issuers to issue payment cards that can be presented to participating merchants, who send the transaction data to an 'acquirer' who then obtains payment from the relevant card issuers via an 'interchange' process run by the card scheme operator. 

Typically, the merchant must have a direct contract with an acquirer, but that is expensive to set up and administer in the case of small merchants. 

So to give cardholders the convenience of being able to pay small merchants, the card schemes allow approved intermediaries (MasterCard calls them "Payment Facilitators", for example) to represent  small businesses more efficiently and cost effectively under a single contract with the acquirer, enabling those 'submerchants' to accept card payments where their annual transaction volume is less than $1m or local currency equivalent (increased from $100,000 a few years ago). WorldPay, the UK's largest card acquirer, explains its aggregator program here, for example; and MasterCard has a global list of approved Payment Facilitators by region.

In addition, department stores and e-commerce marketplaces may be treated by the card schemes as the merchant, where the obligation to pay the price of an item offered by a third party seller is satisfied by paying the store or marketplace operator rather than the seller directly. Where problems arise in that context, even though section 75 claims would not be possible, the cardholder typically has the right to either use the marketplace's own dispute resolution and compensation process or, in any event, to initiate a chargeback (large third party sellers will also have their own returns and complaints resolution and compensation process). Such 'master merchant' relationships are also important channels for small businesses to gain access to larger markets, again improving convenience, consumer choice and competition.

The point in all these cases is to weigh the benefits to consumers of convenience, increased choice and competition - as well as the benefits to SMEs who are able to access a wider market, grow and create more new jobs - against the loss of the relatively narrow rights under section 75 compared to chargeback rights and other remedies.

Wednesday, 19 July 2017

Final UK Regulations Implementing #PSD2

The UK government has today announced its final approach to implementing the new Payment Services Directive (PSD2), along with the final version of the Payment Services Regulations 2017. A final assessment of the impact of the new regulations is yet to be published. The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on - by September, and to accept applications for authorisation/registration from October 2017 to meet the implementation deadline of 13 January 2018.

It turns out that the responses to the consultation in February have only persuaded the government to change a few aspects of its approach to implementation (explained below). But it seems from the summaries that many responses didn't account for the fact that the government's hands have been tied since 2015, when the UK agreed the final version of PSD2 at EU level. As it's a maximum harmonisation directive, member states can only depart from PSD2 where it specifically allows them to. The ship has sailed (albeit with some awkward passengers on board, as explained in my own response). For the most part, implementation is now a question of how the FCA interprets the language in its application to the real world, which it consulted on in April. This does not suggest any lack of 'sovereignty', just a failure to influence EU negotiations (assuming those affected took the opportunity to engage at that time).

Ban on surcharging

One area of departure from the government's initial plan is to prohibit retailers from charging customers any additional amount for using any type of payment method/instrument.

The original idea was only to ban surcharging for the use of cards covered by the Interchange Fee Regulation (as required under PSD2), as well as cross border bank transfers and direct debits in euros (under the Single Euro Payments Area regulations); and limit the surcharges for other payment methods to the direct cost borne by the retailer for making them available.

But the government has opted instead for a blanket ban on businesses surcharging consumers for using any type of payment method, on the basis that it: 
"will create a level playing field between payment instruments and create a much clearer picture for consumers in which they know the full price of the product/service they are purchasing upfront and [can be] confident that there will be no additional charges when they come to pay [with] any payment instrument they choose to use. A blanket ban will also be much easier to enforce than the current position in which merchants are able to pass on costs (but the consumer has no easy way of assessing what these are)."
Meanwhile, the government says it will "assess the scale" of claims that interchange fees for card payments have been rising again.

PSD2 introduces a new “account information service” which basically involves providing information from one or more payment accounts held by the user with one or more other payment service providers.

Initially, the list of services the government said it believed might constitute account information services included some services much broader in nature:
"• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments...
[and] might include accountancy or legal services, for example" (para 6.30).
This provoked concern that the government's interpretation was too broad and overlooked the requirement that an account information service would need to be conducted by way of business in its own right, rather than merely as an ancillary part of a wider service. Examples of services that the government says that respondents were concerned about include: 
"banks’ corporate functions; price comparison websites; accountants; financial advisors; legal firms; and Credit Reference Agencies (CRAs). Many of these services are currently provided via a contractual relationship between service providers, users, and ASPSPs, often referred to as Third Party Mandates (TPMs)."
The government now confirms, however, that:
"many uses of these mandates are likely to be outside of the scope of the PSDII. Examples could include power of attorney, where the services are unlikely to be undertaken ‘in the course of business’."

In addition, the FCA has already suggested this narrower view, based on the 'business test' in its own consultation on how it proposes to supervise PSD2.

Next steps

The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on for the various types of authorisation/registration - by September, and to accept applications for authorisation/registration from October 2017.

Monday, 3 July 2017

P2P Lending Goes Global: FinTech Credit v OldTech Credit

Twelve years after the launch of Zopa and the peer-to-peer finance sector finally gets its first report from the Bank of International Settlements (BIS), the central bank of central banks. The report is surprisingly positive, given financial regulators' preference for the status quo. Basically, they believe that change increases risk and increased risk is bad, so innovation is both risky and bad. Similarly, they're fond of shoe-horning innovative services into existing regulatory frameworks without seeing that the innovation may itself be exposing and/or solving flaws in that system. At any rate, the banking situation must be pretty dire for the industry's global beacon to produce a positive report on alternatives... But in the interests of time I want to ignore the positives and answer a few criticisms:

Is P2P lending "procyclical"?


In fairness, the BIS report only suggests that P2P finance represents the "potential for ...more procyclical credit provision in the economy", but I still disagree that this is a feature of the model.

Bank lending itself is procyclical, which is to say that banks lend lots of money when the economy is booming, yet try to protect their balance sheets when times are tough and we need credit the most. In fact, this was such an alarming feature of the recent/current financial crisis that BIS itself introduced capital rules that it thought would force banks to become less procyclical. Recently, moreover, the BIS's own Basel Committee reported that these rules are proving ineffective. They think there is too much bank credit available and/or the quality of creditworthiness is in decline.

If that's the case, then we really are in trouble, since UK banks have been lending progressively less to real businesses, and we aren't exactly in the grip of an economic boom...

Compare this to the rise of P2P lending. We started Zopa in 2005 when the 'spread' between high bank savings rates and cheap credit was actually very narrow (heavily subsidised by PPI revenues) - yet proved that lending directly between humans without a bank in the middle produced a better deal for both lenders and borrowers. This is why P2P lending has become ever more popular since 2008, while banks have sat on the sidelines waiting for the good times to roll. Lenders get higher interest on their money, diversify risk by lending to lots of people and businesses who are starved of bank loans - apparently leaving the banks with leaner opportunities...

But I believe the banks have simply chosen to chase higher yielding loans and other assets because their cost base does not allow them to make money serving the better risk customers.

Indeed, the BIS report acknowledges that banks have "left room" for platforms that enable people to lend directly to each other "by withdrawing from some market segments" after the financial crisis (which, I'd like to emphasise, still hasn't ended). The report notes that P2P lending equated to 14% of gross bank lending flows to UK small businesses by 2015... only 5 years after the launch of the first P2P business lending platform.

So, P2P finance is actually counter-cyclical by its very nature.

The real issue, perhaps, is what happens when banks start being able to offer better interest rates and cheaper loans. Yet Zopa's early experience shows the new platforms will still be able to compete successfully (especially because those PPI cross-subsidies are no longer available: refunds and compensation have now reached £26.9bn, according to the FCA!).

Is it likely there will be a 'run' on P2P lending?

No. Far from seeing a potential 'run' on P2P lending platforms by lenders trying to get their money out, many platforms are seeing excess lender demand due to continuing low yields on bank deposits (not to mention high fees on investment products). Zopa, for example, has been closed to new lenders for some months, even while seeing record borrower demand, yet still plans to offer P2P lending within Innovative Finance ISAs. Everyone is chasing yield, not just the banks. But, again, the early experience shows that the rates will still be more attractive if and when banks are able to offer higher rates to savers, because they need fatter margins than P2P platform operators.

Meanwhile, the P2P model has expanded from consumer and small business loans into car finance and commercial property loans. But so far the regulators have protected banks against head-to-head competition for other forms of finance, such as retail sales finance or mortgages, through lack of reform to arcane procedures dictated by consumer credit and mortgage regulation and refusing to allow longer term finance to be supported with short term loans - which banks are allowed to do all the time.

So, rather than a run on P2P lending, we're more likely to see successful P2P lending operators adding a bank to their group, at the same time as expanding their existing P2P offerings. In other words, a twin-track attack on Old Tech banks and banking models.

Will P2P lending help solve problems with banks' legacy systems?


There's no doubt that this BIS report and the regulatory obsession with 'FinTech' generally, springs partly from regulators' fervent wish that OldTech banks will simply take advantage of the latest trend to rejuvenate their systems for the longer term.

But there are many reasons why established retail banks won't do that - and will continue to passively resist regulatory edicts to do so. That's why the UK government had to impose the open banking initiative (not to mention sharing business credit information and declined loan applications); why the Bank of England has opened up the Real Time Gross Settlement system; and why PSD2 regulates a new class of  third party 'account information' and 'payment initiation' service providers.

Why won't the banks renew their legacy systems to save themselves? For starters, they don't actually have legacy "systems" so much as separate bits of very old kit connected manually by employees holding hands with electrical cord between their teeth using their own spreadsheets. So the shiny new government-mandated open banking interfaces will likely be connected to computers that aren't really part of any type of integrated "system" that, say, a Google engineer might recognise.

Aside from that insurmountable IT challenge, bank management teams are simply not incentivised or empowered to think about the long term, and all their key decisions are made (after a very long time) in committee to avoid personal blame.

So it's more likely that the aspects of 'banking' which are within the scope of P2P lending will gradually drift away from banks altogether, while activities outside that competitive scope will need to be reinvented by others, including new banks, from the ground up.

Will traditional banks launch their own P2P lending platforms?

Probably not.

Some have bought shares in such platforms and others have actually lent their own funds on P2P lending platforms. But that's a long way from allowing their depositors to lend directly to their borrowers.

That's because bankers make their money by keeping savers and borrowers separate from each other and treating deposits as their own funds.

It's high time regulators admitted this to themselves and got on with the job of supporting more transparent, fairer mechanisms for allocating people's spare cash to other people who need it.

Is P2P lending an "originate-to-distribute" model?


Here, again, P2P lending is a reaction away from this type of model and is transparent enough to reveal attempts to introduce it. BIS says that "originate-to-distribute" refers to the fact that neither the primary lender nor the operator of the platform retains any ownership or interest in the loan that is agreed. But this does not fully describe the model or its potential hazards.

The "originate-to-distribute" model may have that basic feature but the point is that it's driven by a market for secondary instruments (bonds and other derivatives) that are based on underlying loan contracts, where demand in that secondary market has outpaced the supply of loans. In that case, loans may start to be originated solely to support the secondary market. This transpired in the context of the sub-prime mortgage crisis, where investment banks arranged bond issues in a way that effectively concealed the poor quality of underlying loans. From their own problems with undertaking due diligence, they knew that the underlying loan data was hard to find and in many cases unreliable (hence the related 'fraudclosure' issue of investors foreclosing on mortgages they could not prove they owned). That's why the banks involved have since been paid billions in fines and compensation towards the repayment of bailouts (at least in the US).

But, as the name suggests, P2P lending - at least in the UK - involves a direct loan between each lender and borrower on the same platform, where the data concerning the loans is available to the participants, including lenders who may receive assignments of loans already made on the same platform. The visibility of the loan performance data and reputational impact for the platform operator if all goes wrong limits the temptation to conceal the original credit quality or performance of the loan.

So, BIS's assertion that P2P lending represents the same model or suffers from the same potential for moral hazard is not right.

It is possible for a lender to ask a P2P platform to provide it with access to some less creditworthy borrowers to achieve a higher overall yield, perhaps even with a view to selling the resulting loans to other lenders or even securitising them; but even if you deem that to be 'originate-to-distribute', the 'moral hazard' is not there because the data is readily available for all to understand the lesser quality or performance of the loan.

The BIS report cites the Lending Club 'scandal' in 2016. But, ironically, Lending Club is not based on a genuine P2P lending model at all, because the SEC refused to allow direct 'peer-to-peer' loans without full security registration requirements (just ask Prosper!). So the regulators forced the US platforms to operate the same securitisation model that the banks pioneered in the sub-prime crisis... We abandoned attempts to launch the direct P2P model in the US because this model is nothing new - as well as being cumbersome, convoluted and expensive. But even there the relevant 'scandal' was 'only' that when selecting a portfolio of loans to issue bonds to the relevant investor, Prosper selected some loans that did not meet the investor's specified criteria. Not great where the data is available, but the point was that the problem was spotted quite quickly because the relevant data was readily available, so the loans could be re-purchased by the issuer.  

The report also cites the problems at Trustbuddy, in Sweden, but the problems there were again detected early by new management looking at the collections data, who promptly alerted the authorities; and Ezubao, in China, which was a ponzi scheme operated between July 2014 and December 2015 that was detected quite quickly - certainly faster than Madoff's activities in the supposedly heavily regulated US investment markets.

It is worth acknowledging, however, that there is always scope for something to go wrong. This is why the UK P2P lending industry pushed for specific regulation of P2P lending from 2011; and highlights why regulators should stop their hand-wringing about innovation and get on with the job of adapting to change.

Monday, 22 May 2017

EBA Insists On Access To Cloud Providers' Premises And Machines

Yes, it's 2017 and the European Banking Authority really does want financial regulators and their auditors to be able to visit the datacentres of regulated firms' cloud service providers, "including the full range of devices, systems, networks and data used for providing the services outsourced".  Responses on these 'recommendations' are due by 18 August 2017.

No one, including the EBA, really knows why regulators would need to do this, or what they would do on arrival - beyond exchanging pleasantries with the datacentre management and staff (who may not be co-located) and perhaps accepting the kind offer of tea or coffee from a robot or good old-fashioned dispensing machine.

The EBA simply presumes that other firms whose data is kept in the same datacentre (however fleetingly) will be happy for the financial regulators and their auditors to be allowed to wander among the cages amidst the pretty lights, exercising their "unrestricted rights of inspection and auditing".  And there's no mention of whether the EBA is happy for all firms' information security policies to be subject to the unauthorised access to their and their clients' sensitive data by audit teams from random financial (or other?) regulators, even where a firm and its clients are not the subject of the audit. 

Far better that the EBA recommendations focus on these thorny, practical issues instead of blithely insisting that firms negotiate broad, unfettered rights of access to datacentres on their regulators' behalf. 

Or maybe this is just a passive aggressive way of trying to prevent firms from using cloud services?

Thursday, 18 May 2017

Fake News, Screen-scraping and the European Banking Federation #PSD2

The old row between new financial service providers and the European Banking Federation has blown up again. At issue is whether the providers of new regulated "account information" services that rely on access to your payment account data should be able to copy it from your online account ('screen-scraping') or only get it through a different type of interface (API) directly provided and controlled by the bank.

Rather typically, the EBF has produced a video that purports to explain 'screen-scraping' (which could be done in a single slide) but actually misleads by suggesting that the motives of the new service providers who want to do it are unlawful. 

Of course, the method of accessing the account information really has nothing to do with the motives of this new type of regulated service provider.

Instead, the EBF's tactics merely reflect the major banks' age-old resistance to anyone else using "their" payment data to provide you with services that are more useful than the very limited data and features available in your bank account. In fact, that resistance led retailers to launch 'loyalty' programmes and behavioural targeting of advertising as far less efficient ways of figuring out what you like to spend your money on.

But the data in your payment account is your data, and you should be able to combine it with your other data - or have trusted third parties do that for you - if you wish. 

That's why - refreshingly - the authorities insisted that PSD2 should specifically regulate the new 'account information service providers'; and, crucially, requires banks to make your payment account available to them, precisely so that you can - if you wish to - rely on their services to make sense of your financial affairs or know how much money you have available while shopping etc., without having to log-in to your bank account(s). 

PSD2 also obliges your payment account information service provider to comply with security and data protection requirements when accessing and handling your payment data, regardless of how they get access to that information. 

So, the latest dust-up is really just an (old) technological argument about whether a service provider should use your log-in credentials to copy the information from the screen that you see, or only access the data through an interface provided (possibly badly) by the bank. It has nothing to do with the possible motives of the service provider in using the data - and they have to behave lawfully anyway.

The fact that the EBF has resorted to fake news and moral panic tells me that any real 'arguments' against screen-scraping are very weak indeed...

Tuesday, 16 May 2017

New Money Laundering Guidance

The complexity of the anti-money laundering regime has meant that practical guidance on how to comply has been particularly necessary. The best guidance has come from the Joint Money Laundering Steering Group of various organisations (JMLSG) in three parts. 

New EU directives on money laundering have led to consultation on how these should be implemented in new draft UK regulations that are due to take effect from 26 June 2017.

And the JMLSG has used the draft regulations as the basis for consultations on updating Part I of its guidance (the mark-up is in 4 separate documents, Chapter 5 of which shows changes to the guidance on electronic identity verification), and more recently on Parts II and III. The consultation versions show the proposed changes to the current guidance, and are an invaluable tool for understanding how a firm's existing approach should change once the new regulations take effect.

Saturday, 22 April 2017

Durable Medium, According To The FCA

The Financial Conduct Authority has published new guidance (in the form of a web page), on what forms of media will enable firms to satisfy their obligations to provide information or make it available in a 'durable medium' as an alternative to paper... 

Friday, 21 April 2017

#PSD2: The FCA Clarifies The "Business Test"

In deciding whether or not a firm's activities are caught by the new Payment Services Directive (PSD2) as implemented in the UK by new Payment Services Regulations, one needs to first consider whether the activities are conducted by way of business. This is a question of fact and degree that can be difficult to answer. In the consultation on its approach to supervising the new regulations, the Financial Conduct Authority has helpfully done a lot more than it has in other areas to clarify when it considers that a payment activity will constitute 'a regular occupation or business' in itself, as opposed to being merely part of another type of business.

FCA's current guidance on the Payment Services Regulations 2009 states (at PERG 15.2, Q.9):
“…Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations merely through operating their client accounts in connection with their main professional activities.”
The FCA has revised Question 9 as part of its proposed draft changes to the Perimeter Guidance to read as follows:
"Q9. If we provide payment services to our clients, will we always require authorisation or registration under the regulations?
Not necessarily; you will only be providing payment services, for the purpose of the regulations, when you carry on one or more of the activities in PERG 15 Annex 2:
  • as a regular occupation or business activity; and
  • these are not excluded or exempt activities.
Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations (see definition of "payment services" in regulation 2(1)). In our view this means that the services must be provided as a regular occupation or business activity in their own right and not merely as ancillary to another business activity. Accordingly, we would not generally expect the following to be providing payment services as a regular occupation or business activity:
  • solicitors or broker dealers, merely through operating their client accounts in connection with their main professional activities;
  • letting agents, handling tenants’ deposits or rent payments in connection with the letting of a property by them;
  • debt management companies, receiving funds from and making repayments for a customer as part of a debt management plan being administered for that customer; and
  • operators of loan or investment based crowd funding platforms transferring funds between participants as part of that activity.
The fact that a service is provided as part of a package with other services does not, however, necessarily make it ancillary to those services – the question is whether that service is, on the facts, itself carried on as a regular occupation or business activity."
Similarly, in Question 38, the FCA proposes to state:
"Q38. We are an investment firm providing investment services to our clients - are payment transactions relating to these services caught by the regulations?
Generally, no. Where payment transactions only arise in connection with your main activity of providing investment services, in our view it is unlikely that you will be providing payment services by way of business. In those limited cases where you are, the PSRs 2017 do not apply to securities assets servicing, including dividends, income or other distributions and redemption or sale (see PERG 15 Annex 3, paragraph (i))."
In relation to e-commerce marketplaces, the FCA proposes to add the following question to its Perimeter Guidance:
"Q33A. We are an e-commerce platform that collects payments from buyers of goods and services and then remits the funds to the merchants who sell goods and services through us – do the regulations apply to us?
The platform should consider whether they fall within the exclusion at PERG 15 Annex 3, paragraph (b). The PSRs 2017 do not apply to payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Recital 11 of PSD2 makes clear that some e-commerce platforms are intended to be within the scope of regulation. An example of where a platform will be acting for both the payer and the payee would be where the platform allows a payer to transfer funds into an account that it controls or manages, but this does not constitute settlement of the payer’s debt to the payee, and then the platform transfers corresponding amounts to the payee, pursuant to an agreement with the payee.
The platform should also consider whether they are offering payment services as a regular occupation or business activity (see Q9). Depending on your business model, the payment service may be ancillary to another business activity, or may be a business activity in its own right. Where the payment service is carried on as a regular occupation or business activity, and none of the exclusions apply, the platform will need to be authorised or registered."
The FCA also proposes to add Question 34A relating to "online fundraising platforms":
"Q34A. We are an online fundraising platform which collects donations in the form of electronic payments and transmits funds electronically to the causes and charities that have an agreement with us - do any of the exclusions apply to us?
Persons collecting cash on behalf of a charity and then transferring the cash to the charity electronically do not fall within the exclusion in PERG 15 Annex 3, paragraph (d), unless they themselves are carrying this out non-professionally and as part of a not-for-profit or charitable activity. For example, a group of volunteers that organises regular fundraising events to collect money for charities would fall within this exclusion. On the other hand, an online fundraising platform that derives an income stream from charging charities a percentage of the money raised for them is unlikely to fall within this exclusion.
Nor will an online fundraising platform accepting donations and then transmitting them to the intended recipient be able to take advantage of the exclusion in paragraph (b), as they are not a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Online fundraising platforms should also consider the guidance in Q33A."
There may be some confusion over whether a platform is an "online fundraising platform" covered by Questions 33A and 34A, as opposed to a 'donation/reward based crowdfunding platform' which I would suggest should be treated consistently with loan/investment based crowdfunding platforms under Question 9 above.

Thursday, 20 April 2017

Consultations On Supervision Of New Payment Services Regs Under #PSD2

The FCA is consulting on its approach to supervising the new regulations that will implement PSD2. It's a huge job, and delays to the release of the draft regulations have left little time to prepare for the regulations to take effect from 13 January 2018. Responses to the FCA consultation are due by 8 June 2017, and can be provided online.

The consultation is explained in the first 60 pages of the main policy document, and the detailed changes to the FCA Handbook are in the Annexes (another 217 pages worth!), including important updates to the 'perimeter guidance' on activities that are in scope, out of scope or excluded (Annex K from page 223 of the PDF version).

The FCA has also helpfully published a mark-up showing changes to its Approach Document that explains how it regulates the current PSD. The regulations are still in draft, so the FCA's guidance may also change if the regulations do; and there are certain 'regulatory technical standards' being developed that could also produce changes over time.

I will likely publish my general observations on the FCA's proposed changes in the coming weeks, where possible. 

In the meantime, my general response to the Treasury consultation on the draft Payment Services Regulations is here; and I've also previously posted on the following general issues under PSD2:

Wednesday, 19 April 2017

Financial Authorities Need A Fresh Approach To Innovation

The application of the latest technology and business models to finance ("FinTech") is sparking a debate about the role of regulators and their approach to innovation. Senior officials advocate no change, citing various experiments and distinct innovation teams or projects of their own. But the financial system will fail to keep pace with the demands of the broader economy unless a culture of encouraging innovation is embedded throughout our regulators.

Financial innovation is hog-tied to the past. Regulators are conditioned to view innovation through the lens of current services and rules, rather than to consider it afresh. New services are sidelined into policy silos, where they are 'shoe-horned' into existing rules. Regulators seem reluctant to concede that new services reveal shortcomings in existing models and/or that they should drive a change in regulatory approach.

For example, Mark Carney, Governor of the Bank of England, has said that the Bank of England takes "consistent approaches to activities that give rise to the same risks, regardless of whether those are undertaken by "old regulated" or "new FinTech" firms."  This is because, he claims, "following a raft of post-crisis reforms, the Bank’s regulatory frameworks are now fit for purpose."  

Whose purpose?

Do banks adequately serve their customers?

Do they operate within the law? 

The UK's banks are a constant source of scandal, and frequently incur vast fines and compensation bills for misconduct.  New problems emerge constantly, and on a giant scale. Their role in Russian money laundering is perhaps the latest example. Many of the post-crisis reforms are also yet to take effect in the UK. The critical "ring-fencing" of retail and investment or 'casino' banking, for example, has been watered-down and won't take effect until 2019 - more than a decade after the financial crisis began - while Donald Trump is busy unwinding such reforms in the US. Whether such national initiatives will even be effective in a global system is still unclear.

Despite its name, "FinTech" represents not only the application of technology but also (usually) a customer-oriented commitment to either improve existing financial services or create alternatives that are aligned with customers' requirements. Yet the Bank of England approaches such innovation in the banking sector by asking:
  • Which FinTech activities constitute traditional banking activities by another name and should be regulated as such? Systemic risks associated with credit intermediation including maturity transformation, leverage and liquidity mismatch should be regulated consistently regardless of the delivery mechanism.
  • How could developments change the safety and soundness of existing regulated firms?  
  • How could developments change potential macroeconomic and macrofinancial dynamics including disruptions to systemically important markets? 
  • What could be the implications for the level of cyber and operational risks faced by regulated firms and the financial system as a whole?
This is not just a UK phenomenon. When it comes to assessing the application of technology to the financial system Sabine Lautenschlager, Vice-Chair of the Supervisory Board of the European Central Bank, also advocates "same business, same risks, same rules." 

Sabine says that "customers want to extend their digital life to banking; they want banking services anytime and anywhere." Yet she points to three "potential futures" for 'banking', none of which acknowledges the benefits of innovation. The only 'benign' scenario she considers is the one where banks "team up with" new entrants (or "fintechs"). A second scenario involves fragmentation into regulated and unregulated activity - nothing new, as the unregulated 'shadow banking' sector was already at the vast, pre-crisis levels in 2015. A third is that "fintechs" might be "swallowed up by big tech companies" making the banking market "more concentrated, less competitive and less diversified" (as if banking isn't already!). But the big tech companies already have regulated financial subsidiaries (mainly offering retail payment services under EU carve-outs from the banking monopoly), and their presence in the market automatically makes it less concentrated, more competitive and more diversified.

The ECB's overall concern seems to be that banking will become less profitable, causing existing players to cut spending on risk management. But a preoccupation with the impact of innovation on legacy players dooms the sector to over-reliance on legacy firms and inefficient models that effectively require super-normal profits to operate. Mark Carney also points out that concerns about banks cutting corners to keep up with more nimble competitors should not constrain innovation, but are instead a matter for the central bank "to ensure prudential standards and resolution regimes for the affected banks are sufficiently robust to these risks."

The ECB has some strange views on what constitutes risk. It is said to be inherently risky, for example, that P2P lending platforms are "securitising the loans they originate from their platforms". That may be how such programmes work in the US, but over there a regulated lender makes a regulated loan and sells it to a listed entity that issues bonds under an SEC-registered prospectus. So any problems are happening right under the noses of the relevant authorities. In the UK, the lenders are free to securitise their portfolios - and several have - but that is not the role of the platform operator. Again, however, this involves regulated activity, both at P2P platform level and through the offer and listing of the relevant bonds. The regulators are already implicated.

"Robo-advice" is also said to create the risk of investors 'herding' into the same positions at the same time, yet this already happens among regulated fund managers (and banks).  

Risks associated with 'cloud' services and outsourcing of data storage are also cited by the ECB, but these are not new risks at all, or even exclusive to financial services.  

Indeed, what regulators seem to miss is that many of the technological advances that are finally being applied to financial services under the "FinTech" banner have been applied to other sectors for over a decade.

This is not to say that new models are necessarily 'good' or effective. It can also take some time for risks to emerge. The 'lessons' of the past and the resulting regulatory 'tools' and solutions must not be forgotten, and the old models need to be managed alongside the new. But those old models and the rules they require should not be the only lens through which all innovation is analysed. New services must also be viewed afresh.

Wednesday, 15 February 2017

#PSD2: Are Merchant Checkouts "Payment Instruments"?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring whether online merchants' checkout process/pages could be "payment instruments", so that merchants who host their own process might be engaging in the regulated activity of "issuing payment instruments" (and possibly even offering a "payment initiation service"). There is now precious little time for retailers to consider the issue,  decide whether their activities are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or its agent, restructure the checkout process or the entity/ies that operates it, or become authorised or the agent of an authorised firm.

Everyone is familiar with the e-commerce 'checkout' page or process, with its list of ways to pay for the items selected or in the 'shopping basket'. Sometimes these are hosted by a regulated payment service provider, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself (in which case the merchant has to comply with certain security requirements in relation to card transaction data, for example). 

Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.

The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.

First, a few (of the many) relevant definitions:
“issuing of payment instruments” means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
“payment instrument” means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;
“co-badged”, in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand;
Note that the references to 'payment service' and 'payment service provider' are redundant or circular - essentially, they mean anyone who is, or should be, authorised to provide a regulated payment service. The reference to 'co-badging' is important as certain information could have to be provided under the Merchant Interchange Fee Regulations.

I think the primary questions are as follows, but the answers would vary considerably according to the payment method and other facts and circumstances:
  • is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant?
  • if so, is the checkout process/page "used by the payment service user" (again, see here)?
  • if so, is the payment service user using the checkout process/page "in order to initiate a payment order"... as explained previously...or 'payment transactions'?
  • finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions": so, when does that processing begin and end; what steps/participants are involved; what is the nature of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider?); is the merchant acting as principal, agent or payee?
Hopefully, the Treasury and FCA will explain their interpretation soon!

#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:
‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:
"and includes such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]
This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):
  • dashboard services that show aggregated information across a number of payment accounts; 
  • price comparison and product identification services;
  • income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
  • expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:
  • does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.
  • the service has to be "online", but what if some of it is not?
  • little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?
  • the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');
  • it seems impossible for the relevant data to be provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;
  • what is meant by 'after processing':
  1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;
  2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
  3. what about accounting/tax software providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?
Sorry, more questions than answers at this stage!

Update on 21 April 2017:

The FCA has indicated in Question 25A of its proposed draft changes to the Perimeter Guidance that:
"Account information service providers include businesses that provide users with an electronic “dashboard” where they can view information from various payment accounts in a single place, businesses that use account data to provide users with personalised comparison services, and businesses that, on a user’s instruction, provide information from the user’s various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies." [my emphasis added]