Thursday 27 December 2018

Is Your Financial Services Provider Ready For A #NoDeal Brexit?

With a 'No Deal' Brexit now central to Tory government strategy, it's critical to ensure the right financial contingency plans are in place for a 'cliff edge' exit with no transition period from 29 March 2019. Unfortunately, however, the European Banking Authority says it is seeing "little evidence of financial institutions communicating effectively to their customers on how they may be affected by the UK withdrawal" and those institutions' Brexit arrangements. So customers have to question their providers about those arrangements. Here's a quick guide to steps those institutions might take, depending on whether they are based in the UK or elsewhere in the EEA... if you do not receive credible, satisfactory commitments to service continuity from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.

EEA-based firms supplying services into the UK

These firms will have a short window ahead of Brexit day in which to seek temporary regulated status:
  • temporary permission to continue operating in the UK for a limited period after Brexit if they currently passport into the UK under the Financial Services and Markets Act 2000 (FSMA) or the e-money or payment services regimes;
  • temporary recognition if they are third country central counterparties; or
  • temporary registration if they are EU-registered trade repositories. 
If EEA-based firms carry out operations in the UK after Brexit in reliance on EU legislation without entering into these temporary regimes, they may be carrying on regulated activities in the UK without appropriate permissions, which would be a criminal activity and/or mean they cannot meet their contractual obligations.

EEA firms that do not gain full authorisation through the temporary regimes can only continue to carry out new business to the extent necessary to 'run-off' pre-existing contractual obligations in the UK for five years (15 years for firms performing obligations under insurance contracts). They cannot undertake new business or agree new contracts with UK customers. A "supervised run-off" arrangement applies to those firms with a UK branch, firms who enter a temporary regime but exit it without UK authorisation and firms that hold top-up permissions before Brexit. A "contractual run-off" regime will apply to firms without a UK branch that do not enter a temporary regime or do not hold a top-up permission; and will apply for the purposes of winding down UK regulated activities in an orderly manner. Firms with a UK establishment will retain their existing membership of the Financial Services Compensation Scheme.

A run-off regime for payments firms and e-money firms that do not enter the temporary regime or leave it without full UK authorisation will apply for five years, either on a supervised or contractual basis (though the FCA can require supervised run-off for firms to demonstrate they are safeguarding client funds). 

A run-off regime will apply for non-UK Central Counterparties that are eligible for, but do not enter, the temporary recognition regime, for a period of one year starting on exit day. If a non-UK CCP entered the temporary recognition regime but exits it without the necessary permanent recognition, the Bank of England will determine a non-extendable period for recognition up to a year. 

There will also be a run-off regime for trade repositories that are removed from the temporary registration regime without the necessary permissions to continue to provide services to UK firms, for a non-extendable period of one year, unless the FCA sets a shorter period. 

UK firms dealing with EEA residents

The FCA has suggested that UK financial services providers consider the following questions ahead of Brexit. If the answer is 'Yes' to any of them, then the service provider should understand the legal basis for that scenario and whether another basis is necessary after Brexit - including additional regulatory permissions or a new subsidiary with the right authorisation or agency and necessary permissions in a remaining EEA member state:
  • Do you currently provide any regulated products or services to customers resident in the EEA? For example, you might provide financial advice to EEA based customers. Or you might have insurance contracts either with EEA based customers or which cover risks located in the EEA which require regulatory permission in that country in order to be serviced. 
  • Do you have customers or counterparties based in the EEA, including UK expatriates now based in an EEA country? 
  • Are you marketing financial products in the EEA? This includes products marketed on a website aimed at consumers in the EEA. 
  • Do you have agents in the EEA or interact with any intermediary service providers in the EEA? For example, you may use an insurance intermediary to distribute products into the EEA. 
  • Does your firm transfer personal data between the UK and the EEA or vice versa?
  • Does your firm have membership of any market infrastructure (trading venues, clearing house, settlement facility) based in the EEA? 
  • Are you part of a wider corporate group based in the EEA, or does your firm receive any funding from an entity in the EEA? 
  • Do you outsource or delegate to an EEA firm or does an EEA firm outsource or delegate to you? 
  • Are you party to legal contracts which refer to EU law?
There will now be insufficient time for any provider to get a new authorisation in another EEA member state, and even setting up an agency relationship would be very tough to do within the next few months.

Firms should be informing clients about issues such as:
  • the implications of Brexit on the specific services they provide and the implications for the relationship between the client and the firm;
  • the actions taken by the firm to prevent or detect problems, including how they will deal with client inquiries, changes in competent authorities or protection under national compensation schemes;
  • the implications of any corporate restructuring, including changes to contractual terms or contract transfers;
  • other impact on contractual and/or statutory rights, including the right to terminate existing contracts and cancel new contracts, and any rights of recourse and how to pursue them. 
If you do not receive credible, satisfactory assurances of service continuity post-Brexit from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.


Thursday 20 December 2018

FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:
store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.
The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:
"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."
For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):
(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—
(i) allow the holder to acquire goods or services only in the issuer's premises;
(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;
(iii) may be used only to acquire a very limited range of goods or services; or
(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that, while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), the "holder" is often a different person who is later using the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).
While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is therefore not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer are a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.


Monday 19 November 2018

Brexit Spells End To Cross-Border Interchange Fee Caps

UK consumers will lose another layer of protection after Brexit when dealing with EEA-based suppliers, as the government will no longer cap interchange fees where either the merchant's acquirer or the payment card issuer is based outside the UK.  This follows the erosion of other consumer protection measures for UK consumers buying from suppliers in the remaining EEA countries.

The proposed changes to the UK Interchange Fee Regulations for Brexit purposes would take effect on 30 March or end December 2020 (depending on whether there is a Withdrawal Agreement and related transition period). Among other things, the proposed Regulations:
  • Limit the scope of the Regs from the EEA to the UK, so that they apply only to transactions that take place within the UK (where both the acquirer and the card issuer are located in the UK). Cross-border card payments between the UK and the EEA will therefore no longer be within scope of either the UK or EU interchange fee regs: payments made within the UK will continue to have caps on interchange fees, while payments where either the acquirer or the card issuer is based outside the UK (including in the EEA) will no longer be subject to the caps; and
  • Allow for regulations setting lower caps on UK debit and credit card transactions, and a maximum cap for UK debit card transactions.


Monday 12 November 2018

Use It Or Lose It: The UK Temporary Permission (Passport) Regime


Notifications to the FCA must be made by submitting the Temporary Permission Notification Form containing the necessary information via the FCA's "Connect" system between 7 January and 28 March 2019.

Firms that have not submitted a notification during that period will not be able to use the TPR.

The FCA told Parliament in 2016 that there are 8,008 EEA firms holding 23,532 passports covering their UK financial services offerings. 

Monday 15 October 2018

EU Parliament Resolution on Distributed Ledger Technologies


The European Parliament has adopted a non-legislative Resolution on distributed ledger technologies (DLT), including blockchain. 

The resolution highlights potential applications of DLT, such as: 
  • reporting on clinical health trials. 
  • improving supply chains, such as monitoring of origin of goods for consumer protection. 
  • allowing households to produce and exchange alternative energy. 
  • tracking, management and protection of intellectual property rights/licensing. 
  • financial intermediation and reducing transaction costs. 
  • control over personal data management and data sharing. 
  • reducing administrative burdens in the public sector. 
The Resolution calls for the development of a European legal framework to solve any jurisdictional problems in dealing with fraud and crime; raise awareness of DLTs; and bridge the digital divide among various member states. 


Monday 1 October 2018

Too Late To Get Authorised In The EU27? Become An Agent!

Getting authorised to offer most types of financial services is a lengthy process at the best of times. But there's now zero chance of getting a new application approved by an EU27 regulator in time for a "hard Brexit" on 29 March 2019. While there's a short deadline for some types of application (e.g. 3 months for payment institutions), these relate to complete applications. Regulators usually ask a few basic questions as the basis for declaring the application 'incomplete' so they can take at least 12 months to consider the application. 

So, as the likelihood of a 'hard Brexit' increases, firms are suddenly interested in alternative ways to establish a new presence to trade in and from the EU27...

Start-ups have always faced this type of problem, and very often get themselves appointed as some form of agent or representative of a firm with an existing authorisation while they apply for their own.

It's tempting to think that a merger or acquisition is an option, but regulatory approval is required for changes in control of regulated firms and the corporate process itself adds fresh complications, risk and time. And even where M&A activity is on the cards, an interim agency arrangement provides the perfect opportunity for the parties to get to know each other and the market opportunity while the corporate aspects are negotiated - without the added pressure of a looming Brexit.

Firms with existing authorisations for many types of regulated activities are entitled to appoint and register other firms as their agents to carry out regulated activities on their behalf (some of which are known as "tied agents" or (in the UK, for example) "appointed representatives"). 

There are some activities that cannot be done through an agent, and even where that is possible, the agent can only do what the principal is authorised to do. So it's important to consider the nature of the authorisation and permissions required, and how quickly the principal might be able to vary or add to its permissions to accommodate the agent. 

It's also possible for a firm that is authorised in one EEA member state to appoint an agent that is based in another EEA state, using any applicable "passport" rights, and for the agent to provide its services under the principal's passports. This would involve a three month passport notification process, as well as the agency registration.  Indeed, it would be possible to actually contract with customers under the law of a third EEA state, e.g. using Irish law as the basis for contracts that are currently written under English law.

The authorised firm (principal) must register each agent with its regulator and provide certain information about the agent, including a description of the governance arrangements that will enable the firm to effectively supervise the agent's activities.  This is an important 'hygiene' factor in any event, however, since the principal is responsible - and accountable to the regulator - for the agent's activities.  

The nature of agency also means that customers have their ultimate contractual relationship with the principal, and can avail themselves of the principal's complaints procedure if dissatisfied with the agent's conduct. But it's usual for the agent to trade under its own name and brand, using a 'white label' approach where the principal's details are disclosed in the service terms and website/email footer and/or on a 'powered by' basis for marketing purposes.

Of course, there are the downsides of fees payable to the principal to cover the additional administration and use of the authorisation (a potentially significant revenue opportunity for a small principal with a larger agent), the exchange of confidential information between the parties, the need to consider whether the firms are in direct competition (actually quite rare), the need to carefully manage the relationship and the regulatory risks and so on. But such concerns are generally manageable in the short term - and worthwhile in light of the upsides - and most of the work required is useful in the context of the agent getting its own authorisation in the medium term...

And, hey, any port in a storm!


Monday 24 September 2018

Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. They defined "electronic money" as being stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the same entity.

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer.  The reference to the PSD thus automatically picked up and relied on the limited network exemption. 

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent of an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:
"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.


Thursday 20 September 2018

"No-Brainer": UK Firms Switching From English to Irish Law And Courts For Their New EEA Hubs

Sadly, we are at "the point of no return" for Brexit preparations by UK businesses who supply goods or services into the remaining EU27 countries - or to non-EU markets under EU trade arrangements. Many will have already been making public announcements to reassure their regulators, customers and suppliers that they've planned how to keep their operations running smoothly in the event of a "No Deal Brexit" on 29 March 2019.  But now they have to execute those business continuity plans.

While the politicians seem to think they still have 6 weeks to negotiate a UK withdrawal agreement, few businesses would have that luxury. Working back from 29 March, they have to consider contractual notice periods (some mandated by law), as well as software development and operational process changes that will need to be fully tested and running in good time before that day.

Of course, the timetable is just the tip of the preparation iceberg. Below the waterline other preparations may have been happening for some time, such as establishing a new entity in an EU27 country and getting it authorised or licensed; opening local bank accounts; leasing office premises; transferring or employing management and staff; relocating or purchasing computers and other equipment, stock or assets, and related software and data licenses; and re-contracting some of the more critical affected customers and suppliers through their new entity.

These preparations raise numerous tax, legal and accounting issues in their own right - including the fact that the UK government is still unclear on much of the official rules, processes and procedures. But the choice of law under which each new entity contracts with customers and suppliers, and which courts will govern disputes, are among the most critical to making life as easy as possible in the transition.

Both EEA-based parties will probably want the contractual terms to remain broadly the same as any current English law contract, even if certain aspects might need to be re-negotiated. Billing and payment details, currency and pricing would likely need to change, for example; as will the legal basis for sharing EEA-residents' personal data with UK operations. There won't be an EU "adequacy decision" on the UK's data protection standards before April 2019 - and no timetable can even be agreed for reaching one unless and until the UK has actually left the EU. The General Data Protection Regulations as enacted where the new entity is established will apply to the new entity's collection, use and storage of personal data, even though the customer-facing privacy policy may remain broadly the same and the customers will still have consistent rights to complain about misuse under their own national data protection laws. In turn, the parties will no longer want the contract to be governed by English law and courts, to avoid the need to worry EEA customers and suppliers about the extent to which English law inevitably diverges from the law in EEA member states.

In these circumstances, choosing the application of Irish law instead of English law to govern at least the commercial aspects of a contract becomes a "no-brainer", because at this stage it's substantively very similar to the law of England & Wales, and far more so than the law of any other EU country. Ireland is the only other purely common law jurisdiction in the EU today, and will be alone after Brexit. The few technical differences include, for example, the absence of the right for any non-party to enforce a benefit under the agreement, which the UK allowed through statute in 1999, or different monetary thresholds for the jurisdiction of familiar types of courts. But such differences can be either simply flagged and understood or explicitly accommodated if necessary (to cite the relevant example, most parties try to limit or exclude 'third party rights' anyway, but the rights can also be explicitly specified). So, while the customer is well advised to run a final check of the contract with independent local Irish counsel, it will not face the comparatively awkward and expensive exercise in understanding the numerous substantive differences between English common law and the codified civil law system of other EU member states.

Of course, it remains possible to agree that the commercial elements of the contract and provision for its enforcement are governed by Irish law and courts, even though the regulated activities of one or other party to the contract (and any regulatory complaints) may be governed by the law of another EU member state. But it has been quite common until now for, say, a financial institution established and regulated in another member state to contract with its customers in the English language under English law (or Irish law, for that matter). So customers should have no problem with a switch from English to Irish law on that basis. 

Note that the process for transferring contracts can be a bit tricky, however. For instance, some UK businesses may seek to merely "assign" their English law contracts to a new entity (possibly under a provision that appears to allow this even without the other party's consent). But under English law it is not possible for a party to assign its obligations under a contract - just its own rights or benefits (e.g. the right to receive payments).  So the transfer of existing contracts to a new entity (and the other changes mentioned) would generally need to be done by way of "novation", which necessarily involves the consent of the other party.  The process of amending agreements may also be constrained by law, such as under national regulations implementing the second Payment Services Directive. These provide for a two month notice period for changes, and a right of termination where it is agreed the changes can be proposed unilaterally and the payment service provider takes that route. It's awkward enough for the ongoing relationship that the process might provoke a renegotiation (or that consent to novation might not be forthcoming at all), without actually being seen to trigger a positive right for the customer to terminate within a finite notice period (think Article 50)!

Of course, this all relates to the new EEA-based entity.  The group head office, and perhaps the UK entity, will still have the job of tracking the extent to which English law (and therefore the basis of the offering to UK customers) diverges from Irish law, EU rules and the offering to EEA customers. 

But you'll just have to blame the Brexiteers for that!


Wednesday 19 September 2018

Will Your UK-issued Card Still Work In The EEA After Brexit?

Some confusion has arisen around this question today. The answer is that it should not be an issue, based on how card acquiring really works.

The EU has been clear since 2016 that, regardless of which type of Brexit occurs, UK-based financial institutions will no longer benefit from the ability to 'passport' their services into the rest of the European Economic Area (Norway, Liechtenstein and Iceland also participate in the financial services passporting arrangements). This position was emphasised in the relevant EU 'preparedness notice' in February 2018.

In the payments space about 350 UK firms rely on outbound passports around the rest of the EEA, while 142 EEA-based firms passport into the UK, as the FCA explained to a Parliamentary select committee in August 2016.


So, in the payments space, the 350 UK-based banks, e-money institutions and payment institutions who currently rely on passports have been setting up additional new entities based in one of the remaining EU27 countries, from which they will service their customers who are resident in the EEA (as have I, on a professional basis, as UK professional qualifications will also cease to be recognised for providing services in the EEA). 

So, when Brexit occurs, the current residents of other EEA countries will be offered payment cards and accounts from an EEA-based entity, rather than a UK one.

That is not to say that a UK resident travelling in the EEA will not be able to make a payment using the payment cards issued to them in the UK under the typical international card schemes (which actually don't base their definition of Europe on EEA and non-EEA distinctions, anyway).

So, EEA-based merchants/retailers will still be able to take payment via their EEA-based payment provider (known as a 'card acquirer' or 'merchant acquirer'); and the UK customer will pay their UK card issuer as usual. The card scheme operator will still net-off amounts owed between EEA and non-EEA based issuers and acquirers and they will settle the difference with the schemes. It's just that the UK issuer in this example will then be among the non-EEA group.







Monday 17 September 2018

Brexit And Cross-Border Personal Data Transfers: Agree A New Basis Now!

With 6 months to go, the UK government has warned UK firms to assume that their trading partners in the European Economic Area will be unable to send them any personal data from 29 March 2019, unless they enter into the formal written agreements generally required for sending data to non-EEA countries or rely on some other basis for transfer listed below.

It's likely that EEA trading partners may be waiting on UK firms to do the necessary work, so the government recommends that UK firms should be proactive in making contact on this issue. 

However, any agreements would need to be under the law of an EEA member state (so I would likely advise on this area via my consultancy with Leman in Ireland, rather than via Keystone Law in the UK).
 
The UK proposes to allow the free flow of personal data from the UK to the EU27, but does not mention Norway, Liechtenstein or Iceland in relation to that proposal.

The EU can make an "adequacy decision" which allows the free flow of personal data to a non-EU country where that country's level of personal data protection is essentially equivalent to that of the EU. But the process for reaching such a decision - and even agreeing a timetable for that process - could not begin until after Brexit.

Aside from having the explicit consent of the individuals concerned (or perhaps relying on one of the processing rights under the General Data Protection Regulation), alternative ways for EEA firms to make personal data transfers to UK firms are as follows:
  1. A legally binding and enforceable instrument between public authorities or bodies;
  2. Binding corporate rules;
  3. Standard model data protection clauses adopted by the Commission;
  4. Standard data protection clauses adopted by an EEA supervisory authority and approved by the Commission;
  5. A code of conduct approved by an EEA supervisory authority, together with binding and enforceable commitments of the receiver outside the EEA;
  6. Certification under an approved EEA certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
  7. Contractual clauses authorised by an EEA supervisory authority;
  8. Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by an EEA supervisory authority.


Monday 20 August 2018

FCA Applies More Handbook Rules To E-money and Payment Services

With the prospect of a disorderly Brexit looming large, the FCA is consulting on proposals to extend its Principles for Business and customer communication rules to e-money and payment services, whether they are provided by banks, e-money/payment institutions or registered account information service providers. There are also new rules and guidance for currency exchange transfer services. The consultation closes on 1 November 2018, with a view to publishing the final rules by the end of January 2019, to apply from 1 April.  Some rules will not apply to incoming EEA firms, and it remains to be seen whether the European Commission or other EU member states will view the extension of these rules as infringing the 'maximum harmonisation' approach to the regulation of payment services and/or regulatory divergence by the UK post-Brexit. But with the end of financial services passporting, anyway, perhaps the FCA no longer cares - and most firms seem to have started setting up their EEA passport hubs in other EU member states in any event.

Generally, the supply of e-money services is governed by the Electronic Money Regulations 2011 ("EMRs"), which implement the second E-money Directive; and both e-money and payment services are governed by the Payment Services Regulations 2017 ("PSRs"), which implement the second Payment Services Directive.

While the FCA is the regulator appointed to supervise these regulations, most of its rules in the Handbook do not apply, as the E-Money and Payment Services Directives require 'maximum harmonisation' - consistent implementation in all member states to ensure a level playing field across the European Economic Area. However, the PSRs introduced some scope for the FCA to extend its rules to these services, essentially where they are not within the scope of the directives or inconsistent with the regulations or the principle of 'maximum harmonisation'.

While the PSRs prescribe certain information to be given to e-money and payment service customers, they do not create overriding obligations, or the possibility of regulatory redress, concerning the 'fair treatment' of customers, for example, or that firms' communications must be clear, fair and not misleading.  Some payment service providers have fallen foul of the UK's Advertising Standards codes, however.

Accordingly, the FCA considers there is scope to apply its Principles for Businesses and associated guidance, which create general management obligations for payment services firms, including the requirement to 'treat customers fairly'; as well as the rules and guidance in BCOBS 2, which set out the FCA's expectations of firms when communicating about, or promoting, their services to customers. The specific application of these rules to e-money and payment services is explained in Chapter 3 of the consultation paper.

In addition, the proposed new rules and guidance concerning currency exchange transfer services are designed to enable the FCA to sanction misleading communications to consumers about the exchange rates they can achieve, the cost of those services and comparisons of alternative providers’ fees. These proposals are explained in Chapter 4 of the FCA's paper.

It remains to be seen whether the European Commission will view the FCA's proposals as cutting across the principle of maximum harmonisation, and its specific efforts to improve the transparency and fairness around payment services, including currency exchange services.

But with the prospect of a disorderly Brexit looming large, and the end of financial services passporting, perhaps the FCA no longer cares...  Most firms seem to have started setting up their EEA passport hubs in other EU member states in any event.


Monday 30 July 2018

UK To Give EEA Firms 3 Years Temporary Permission Post-Brexit

The UK proposes to grant temporary permissions to EEA firms currently operating in the UK under EU financial services 'passports' to continue their UK activities, for three years after Brexit day. 

HM Treasury states that the regime will ensure that: 
  • EEA firms can continue to carry out business as before, writing new contracts and servicing existing contracts entered into before exit day for the temporary period after exit day;
  • EEA firms have appropriate time to prepare for and submit applications for UK authorisation and complete any necessary restructuring; and
  • The PRA and the FCA can manage the expected applications for UK authorisation from EEA firms in a smooth and orderly manner.

The FCA has published its own webpage on how it will implement the temporary permission regime (TPR).

Firms wishing to use the TPR must notify the FCA online between early January 2019 and a date (not yet specified) prior to exit day. Such firms will be allocated a period within which they must submit their application for UK authorisation. The FCA expects the first window to be October to December 2019 and the last to be January to March 2021. The FCA intends to consult in autumn 2018 on the rules that will apply to firms and funds in the TPR, and to publish a policy statement and final rules early in 2019.


FCA Update On Cloud and Other IT Outsourcing


This is to reflect the implementation of the General Data Protection Regulation, and the European Banking Authority's December 2017 recommendations (so does not apply to a bank, building society, designated investment firm or IFPRU investment firm covered by those recommendations).