Friday, 27 December 2019

UK Firms: Why Not Simply Process EEA Residents' Personal Data In the EEA?

It's time for UK businesses to get creative in dealing with Brexit and all its uncertainties. As I've explained here, the processing of personal data relating to EEA residents is a particular problem. The UK is 13th on the list of countries that will be waiting for the European Commission to declare the UK personal data regime to be 'adequate' to transfer that data as of right (as happens now).

So, rather than bring personal data into the UK from the EEA, you could - as many already have - simply incorporate an entity within the EEA to hold the data and determine the means and purposes of processing there. That EEA entity could do the processing itself within the EEA or outsource that to an EEA-based processor with the right experience and expertise. Ireland, for example, is the top AI hub in the EU and it can be a simple matter to transfer existing English law contracts to a new entity there, particularly as Irish law is so similar.  

Only the aggregated results would need to come in to the UK.


Open Finance: The FCA's Call For Input

The FCA has called for suggestions by 17 March 2020 as to how it can support more open access to customers’ financial data. A few thoughts here, with an article to follow in the coming weeks...

The major stumbling blocks, as ever, are genuine customer problems/demand and supplier appetite, which tend to be focused quite narrowly; and who gets access to the data and for what purpose. 

One suspects that the Nirvana of a single consumer 'dashboard for everything' remains a long way off. We’ve seen broad-based initiatives before, like the UK government’s ‘midata’ programme from 2011. Key challenges remain customer identity and authentication on a broad scale, as opposed to channels more closely aligned with specific customer activities. In July 2019 the Government Digital Service and the Department for Digital, Culture, Media & Sport were still calling for evidence of how the Government can support improvements in identity verification and the development (and secure use) of digital identities generally. 

Yet there have been genuine advances around more defined customer activities. The FCA itself cites the second payment services directive and related standards designed to open up the payments market, for instance. These were partly a response to strong demand for new, unregulated services that were already providing access to current account data and enabling the remote initiation of bank transfers. Those competing to provide these services were encountering a distinct lack of co-operation from the current account providers (mainly banks). Specific regulation was forthcoming and has duly helped account information and payment initiation services proliferate and scale. But regulation did not itself catalyse either the demand or the services themselves. 

At any rate, it will be interesting to see whether the FCA receives evidence of other existing but nascent 'open finance' type services whose growth is genuinely stymied by issues that can be resolved by regulation. Whether such use-cases are sufficiently distributed across the range of day-to-day activities in which customers are engaged to constitute generally 'open finance' will be interesting to discover but of secondary importance. 

Of course, the elephant in the room is who will have access to all the data and for what purpose. In this respect, it would be particularly interesting to know when the FCA and PRA will begin to actually audit the use of artificial intelligence by financial services providers, rather than merely survey the industry on a self-disclosure basis. If they're true to form, we'll see a few major train wrecks first...

Are You Caught In The Wider Net Of The New Money Laundering Regs?

As a late Christmas present, the UK government issued the long-awaited amendments to the money laundering regulations ("MLRs") that must take effect by 10 January 2020. The changes impose customer due diligence and transaction monitoring obligations on letting agents; art market participants; cryptoasset (e.g. virtual currency) exchange providers; and custodian wallet providers. The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. I've summarised some of the key aspects below, but there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Whether your activities fit the various definitions may not be easy to decipher. Crypto-currency exchange and wallet providers have been in discussion with the authorities for many years, and the impact there is reasonably clear. The definition of "letting agent" and the impact on the property market, however, deserves a blog of its own.  The impact on the art market is also difficult to address...

Art Market Participants

Recent allegations reveal that a complex web of people and international locations is often involved in art fraud. Not only does this type of fraud itself produce dirty money, but high prices, inconsistent record-keeping, subjective valuations, questionable authenticity and anonymity also create a fertile environment for laundering cash generated by other crimes. Digital technology and encrypted communications have made it increasingly hard to detect and prove fraud and money laundering after the fact. Prosecution of art fraud across national borders has been difficult.

Prior to MLD5, "high value dealers" fell within the scope of the AML regime, and these were defined as:
"a firm or sole trader who by way of business trades in goods (including an auctioneer dealing in goods), when the trader makes or receives, in respect of any transaction, a payment or payments in cash of at least 10,000 euros in total, whether the transaction is executed in a single operation or in several operations which appear to be linked."
The MLRs have now been amended to also apply to an “art market participant”, meaning a firm or sole practitioner who either: 
(i) by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to 10,000 euros or more; or 
(ii) is the operator of a freeport when it, or any other firm or sole practitioner, by way of business stores works of art in the freeport and the value of the works of art so stored for a person, or a series of linked persons, amounts to 10,000 euros or more;
A “work of art” means anything which appears in a long list in section 21 of the Value Added Tax Act 1994.

A “freeport” means a warehouse or storage facility within an area designated by the Treasury as a special area for customs purposes pursuant to section 100A(1) of the Customs and Excise Management Act 1979 (designation of free zones).

What Does Compliance Involve?

Those caught by the MLRs must at least apply certain "customer due diligence measures", including verifying the identity of the customer (subject to certain thresholds or triggers) and the ultimate beneficial owners of the money and assets involved:
  • before establishing a business relationship; 
  • if they suspect money laundering or terrorist financing; 
  • if they carry out a funds transfer of more than 1,000 euros; or
  • if they doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification. 

Additional requirements apply in some cases. For instance, art market participants must also apply customer due diligence measures consistent with how that role is defined:
  • in relation to any trade in a work of art when the firm or sole practitioner carries out, or acts in respect of, any such transaction, or series of linked transactions, whose value amounts to 10,000 euros or more; 
  • in relation to the storage of a work of art when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

You must also understand the nature of your customer’s business and its ownership and control structure. If you can’t complete that due diligence, or enhanced due diligence where it is appropriate to make further checks, then you must cease dealing with the customer and file a suspicious activity report (SAR) with the National Crime Agency (NCA).

You will also need to monitor transactions with your customers for suspicious activity, which must also be reported to the NCA.

The Proceeds of Crime Act makes all forms of money laundering a criminal offence, and creates other offences such as failing to report a suspicion of money laundering and “tipping off” a suspected money launderer, which applies to staff and your nominated money laundering reporting officer (MLRO).

The Fraud Act 2006 also sets out offences committed by false representation, failing to disclose information and abuse of position.

The Data Protection Act 2018 and the EU General Data Protection Regulation require you to take appropriate security measures against the loss, destruction or damage of personal data. You also remain responsible when you pass data to a third-party for processing or to countries that do not have adequate data protection regimes.

The MLRs require a risk-based approach to compliance. It’s not enough that you comply, because you must be able to demonstrate that you comply, if challenged. That means written policies and procedures; good records of obligations performed, training, compliance monitoring; and taking steps to remedy gaps or failings identified. Your written AML policy should show that you and your staff are aware of the requirements and how you go about meeting them. You should also have a set of detailed, written AML procedures that show exactly how you and your staff will satisfy the commitments in your AML policy.

Again, while I've summarised some of the key aspects of AML compliance here, there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Anonymity In Central Bank Digital Currency Systems

The European Central Bank has been wrestling with the issue of how to allow a certain degree of privacy in electronic payments using digital cash issued by central banks ("central bank digital currency" or "CBDC"), while complying with anti-money laundering and counter-terrorist financing (AML) requirements. 

Eurozone central banks believe they have now established a proof of concept for anonymity in CBDCs based on a simplified payment system using distributed ledger technology (DLT). This proof of concept allows users some degree of privacy for lower-value transactions, while still ensuring that higher-value transactions are subject to mandatory AML checks. Each user's identity and transaction history cannot be seen by the central bank or intermediaries other than the one chosen by the user. Automated enforcement of limits triggers additional checks by an AML authority. 

While the ECB believes that the proof of concept will be instrumental in assessing how CBDCs could work in practice, it says the prospect of central bank initiatives should not discourage or crowd out market-led solutions...

Tuesday, 3 December 2019

Recent Adventures In Artificial Intelligence

My most recent Dublin trip was timed to take in the SCL event on bias in artificial intelligence, the second in a series following the SCL's Overview of AI in September.

This time Dr Suzanne Little of the School of Computing at Dublin City University explained the types of challenges that introduce bias.

Three further events are planned for Dublin in 2020, drilling into how we should assess the performance of AI, whether transparency is possible without explainability and the thorny issues relating to liability when AIs are wrong.

Assessing Performance 

While giving us some insights into bias, Suzanne Little also explained that 'confidence' in AI is quite different to 'accuracy'. The measurement of accuracy/error and confidence intervals is explained here, for example.

Transparency

The UK's Alan Turing Institute and the Information Commissioner are consulting on best practice for how to explain decisions made with AI, with a view to ensuring a legal person remains responsible and accountable for what an AI decides.  This is aimed at senior management, as well as compliance teams.

This issue is particularly important given that we often don't know that we are exposed to decisions made by artificial intelligence.

Liability

How to determine who should be liable when artificial intelligence goes wrong is also the subject of a recent report published by the European Commission.  


Friday, 11 October 2019

What Does Gov.uk Say You Need To Do Now To Prepare for Brexit?

Wow, I just plugged the data about my own professional service business into the UK Government's "Get Ready for Brexit Check" and set out below is what I got... 

As you read it, remember that free trade deals do not cover the export/import of services to anywhere near the extent that the UK trades in services under the principle of free movement of services as an EU member state. So, any form of Brexit effectively means "No Deal" for services.

All I can say is that I'm very relieved that I did my Brexit-proofing last year!

...

Based on your answers, we know:
  • You own or operate a business or organisation
  • You work in professional, legal and business services
  • Your business sells goods or services in the UK
  • Your business provides services in the EU
  • You do not employ EU citizens
  • You exchange personal data with EU organisations
  • You process personal data from the EU
  • You use websites or services hosted in the EU
  • You provide digital services to the EU
  • You use or rely on intellectual property protection
  • You use or rely on IP copyright protection
  • You do not receive EU or UK government funding
  • You do not sell products or services to the public sector
  • You are a British national
  • You live in the UK
  • You are employed in the UK
  • You plan to travel to Ireland

Your business or organisation

Check if you need to change your conformity assessment or conformity marking to sell your CE marked goods in the UK or EU
In most cases you can continue using the CE marking in the EU and UK (although in some cases you may need to transfer your certificate of conformity to an EU conformity assessment body) - but if your good requires UKCA marking and you have not used it, then it will not be valid for sale in the UK.
Do it as soon as possible

Get legal advice if your business is merging with an EU company
If you do not follow the rules, you may be investigated by the Competition and Markets Authority (CMA) and the European Commission.
Do it as soon as possible

Check if you need to appoint a representative in the EU, and label your goods with your EU importer's details
If you do not meet the requirements, you may not be able to export goods to the EU.
Do it as soon as possible

Check if your employees need a visa or work permit and meet any requirements for their profession to work in the country they’re going to
You or your employees may not be able to enter or work in some countries.
Do it as soon as possible

Check if you need to change how you do accounting and reporting
You may breach reporting requirements in EEA countries if you do not make any changes you need to.
Do it as soon as possible

Check how to label food if you're selling it in the UK or EU
You may not be able to sell goods in the EU if they're labelled incorrectly.
Do it as soon as possible

Check if you need to pay a tariff on goods you import from the EU
Your goods will be held at customs if you do not pay the correct tariff.
It takes more than 4 weeks

Sign up to search for contracts to sell goods or services to the UK public sector
You won't receive notifications of new UK public sector contract opportunities.
Do it as soon as possible

Check if you need to change your contracts to broadcast licenced content outside the UK
You may not be able to broadcast outside the UK if you do not get extra copyright permissions.
Do it as soon as possible

Check if you need permission to sell someone's intellectual property in the EEA, if you've already sold it in the UK
You may not be able to export your intellectual property protected products from the UK to the EEA without the right permission.
Do it as soon as possible

Do it as soon as possible

Exchange your UK Driver Certificate of Professional Competence (CPC) for an EU Driver CPC
You will not be able to drive a lorry, bus or coach for an EU operator if you do not have an EU Driver CPC.
Read the guidance: Driving in the EU after Brexit
Do it as soon as possible

Check how to get approval to sell vehicles and vehicle parts in the UK and the EU
You will not be able to sell vehicles or vehicle parts in the UK and the EU if they are not approved correctly.
It takes more than 4 weeks

Check what steps you need to take in order to import goods from the EU
If you do not get your business ready, you may not be able to import goods into the UK from EU countries.
Do it as soon as possible

Disclose your designs before 31 October if you want unregistered protection in the UK and EU
If you do not do this before 31 October, you’ll only have protection where you first showed your design, either the UK or the EU.
Do it as soon as possible

Check what you need to do if you're a lawyer with an EU or EEA qualification to still work or provide legal services in the UK
You may not be able to continue working or providing legal services in the UK if you do not prepare.
Do it as soon as possible

Check what you need to do if you own a UK legal services business
You may not be able to continue providing legal services in the same way if you do not get your business ready.
Do it as soon as possible

Check what you need to do if you're a lawyer with a UK qualification to still work or provide legal services in the EU
You may not be able to continue working or providing legal services in the EU if you do not prepare.
Do it as soon as possible

Check which carbon pricing policies you need to comply with before and after exit day
You may not comply correctly with emissions reporting and carbon pricing regulations, which could lead to a fine.
Up to one week

Check if your employees need to make social security contributions in the UK as well as in the EU, EEA or Switzerland
Your employees may not be entitled to healthcare or benefits in the country they work in.
Do it as soon as possible

You may not need to do all these actions ahead of the 31 October deadline. The action you may need to take may change subject to negotiations and your own circumstances.

Wednesday, 9 October 2019

Any Form Of Brexit Means #NoDeal For Export Of British Services

An excellent event at the Institute of Directors today on the impact of Brexit on Britain's trade in services - congratulations to all the speakers. This is vital to understand and address in some detail, because services amount to 80% of the UK economy, 80% of UK jobs, a third of UK exports of which 40% go to other EU countries based on the principle of free movement of services. Yet most services are not covered by free trade deals with third countries. So even if Britain were to leave the EU and eventually negotiate trade deals, that wouldn't help UK exporters of services. There will always be "No Deal" for most services, so the UK's "No Deal" warnings are permanent for services. This is why Liz Truss is suddenly making "liberalising trade in digital and services" one of three priorities at the WTO. She's too late, and it will never happen for the reasons given below, so it's time to get cracking on mitigation...

While the problem for services post-Brexit isn't news to me, I'm still absolutely stunned to see so little information about it in the media. Partly it's the age-old assumption that 'business' means 'big business' while nearly all UK businesses are small - 99% of UK businesses (5.7m) employ fewer than 250 people. Only 8,000 UK businesses employ more than 250 people.  

5.4m UK businesses are 'micro-enterprises' who are either sole traders or employ up to 9 people.

'Businesses' are people - many of them sole traders selling their time and expertise across the EU. Even online, business is personal.

I've posted on the impact of Brexit on services many times, here and on Pragmatist and for several law firms. I've tended to focus on the Brexit impact on financial services because that's my main area of expertise - and they are the largest of the UK's services exports, relying on valuable EU passporting rights which they will lose. As a result, 7000 jobs have moved so far, with more to follow if Brexit proceeds, and the costs of splitting capital/liquidity to support separate EU subsidiaries will cost customers €60bn a year by 2030.

But I've also mentioned the need for a new basis for transferring personal data from the EU27 to the UK, and I've even shared my own personal Brexit-proofing journey in adding Irish qualifications and consulting to an Irish law firm, for the same reason that it makes sense to switch EU contracts from English law to Irish law.

So I was thrilled to learn of today's event and I was not disappointed. I'm sharing my notes (anonymised) and I understand the video will be available via the IoD site. Worth watching! 

What laws govern the export of services?

Every country regulates what services can be offered to its residents to some degree. Regulations get tougher the more money residents might lose, or the greater the gap in knowledge between the service provider and the customer - that's why financial services are so heavily regulated.

Permitting foreign service providers to sell their goods or services in your country is a matter of trust and control, or political will and legislation ("trust is good but control is better").

Trade law on goods developed first, and rules on services followed - in particular:
  1. EU membership entitles firms to free movement of services based on mutual recognition of professional/trade qualifications and legislation that ensures individual member states don't drop their standards or supervision. That freedom falls away on Brexit day (subject to any agreed transition).
  2. Some services remain unregulated today (e.g. management consultants) and some are given mutual recognition status only at trade body level rather than by governments (e.g. architects). That shouldn't change on Brexit.
  3. Some regulation is based on outcomes, rather than dictating how qualifications are actually obtained or what subjects have to be studied to gain 'equivalence' or 'mutual recognition' (e.g. lawyers). This could diverge on Brexit, and 'equivalence' findings and mutual recognition will not automatically apply, can take a long time to be granted and are subject to withdrawal on little notice without appeal.
  4. Financial services passporting represents the most advanced form of free movement in services, since authorisation in one EU member state allows certain services to be provided in all member states. That will not be possible after Brexit (subject to any transition).
  5. In stark contrast to financial services passporting, the 'equivalence' regime that is available to third countries (and post-Brexit UK) is only available for certain types of financial infrastructure (e.g. exchanges) and some investment services, and can be withdrawn without appeal on 30 days notice (e.g. Swiss stock exchange) - so equivalence is not reliable.
  6. Other services that can be supplied to EU countries after Brexit will be based on a patchwork of national access rights, which vary in terms of scope and conditions.
  7. Outside the scope of EU trade rules (and where only minimum standards are set), the member states (like any other country in the world) can set tougher standards where they see greater potential adverse impact. The UK will be treated like any other non-EU country for that purpose. The UK government has tried to helpfully list where different EU countries have different rules for different services (will that stay up to date?). 
  8. There is a WTO rule (article 7 of GATS) aimed at preventing one member country from discriminating against another member ('most favoured nations' or 'MFN').  Free trade agreements also contain MFN clauses that require one party to offer the other any similar benefit that has been offered to another country. The EU seems to ignore the WTO requirement (which the Swiss have complained about to no effect so far), but does allow MFN clauses in its free trade deals with very limited scope (won't cover mutual recognition or equivalence decisions, for example, just legislation and 'national treatment'). Critically, the EU insists on its own regulatory autonomy. Only the  European Commission (and ultimately the European Court of Justice) can decide whether a service etc meets EU rules. 
Immigration and visa restrictions go hand-in-hand with constraints on services, since people often have to be physically present to provide services.  So free movement of labour is also critical to the free movement of services. That freedom entitles Brits to live, work and retire freely in 30 countries, but is lost on Brexit. Related entitlements to healthcare and so on will also fall away...

What are the practical impacts of Brexit?

Well, if you're among the 5.4m 'micro-enterprises' and export goods or services to the EU, the VAT rules will be a big problem. You currently benefit from hard-fought exceptions under the VAT Mini One Stop Shop (MOSS), but those will disappear on Brexit day (what if part way through contracts?). The HMRC warning states:
"Businesses that want to continue to use the MOSS system will need to register for the VAT MOSS non-Union scheme in an EU member state. This can only be done after the date the UK leaves the EU. The non-Union MOSS scheme requires businesses to register by the 10th day of the month following a sale. Alternatively, a business can register in each EU member state where sales are made."
EU consumers are already ceasing to buy from UK suppliers, and EU suppliers are geo-blocking UK customers and suppliers from applying to their sites. So forget bidding for service contracts from the UK, and many EU business people have stopped traveling to do business in the UK.

Work permits will be needed after Brexit, but can’t be applied for before then. These may be needed for speaking at conferences (unless asked a question first), giving training sessions, working on projects and so on.

Booze cruise etc to the EU for cheaper, duty free consumer goods may impact small retailers and their service providers.

If you're a director of a company, you have a duty to promote the success of the company, as well as a duty to exercise reasonable care, skill and diligence. You need to be able to demonstrate that in the context of Brexit - which is a known unknown. That would likely include: board discussions, a sub-committee, minutes, briefing papers, presentations, risk registers, scenario planning, supply chain analysis to identify suppliers at risk who may need to be replaced/helped (using the wrong type of pallet, say, or their trucks may be allowed into the UK by UK authorities, but will struggle to get back into the EU); and resolutions taking action to address threats and opportunities.

What can you do if your services are impacted? It depends on threats and opportunities identified, but some examples:
  • Set up a new subsidiary in an EU27 member state;
  • Rewrite contracts with new governing law and other pertinent changes;
  • Establish a new basis for transferring personal data from EU customers/suppliers to the UK;
  • Consider the tax impact of moving business activity to an EU27 country (or, for instance, whether withholding tax exemptions still work for entities owned by UK companies)

Time to get cracking!

Tuesday, 8 October 2019

Hype Will Harm Artificial Intelligence

After exploring AI deployment in some depth and chairing the SCL's overview of AI in Dublin in September, I've been particularly conscious of the hype vs reality. Nobody should deny that narrow artificial intelligence is here to stay - for good and bad. We just have to be realistic about its capabilities and shortcomings - and how to detect their consequences - so that AI is developed and deployed responsibly.

In a recent report on 'smart cities', for example, the Oliver Wyman Forum found that no city on Earth is ready for the disruptive effects of artificial intelligence.

Talk of 'killer robots' and beating humans at board games is also all the rage, but Barry O'Sullivan assured us in Dublin that robots take ages to 'train' for any one sequence, can't cope with door handles and their batteries soon run down. It took $50m in electricity to train a computer to beat a human at Go. 

AI can be used for good, but it can also be 'weaponised' against a population, and 'hacked' by altering the appearance of things or people's appearance in quite subtle ways - without actually interfering with the AI itself. 

In the 'real world' of AI, the genuine concerns are inaccuracy, lack of explainability and the inability to remove bias. And there remain vast challenges associated with the reliability of evidence and how to resolve disputes arising from their use. 

That means we have to challenge the use of AI where the consequences of false positives or negatives are fatal or otherwise unacceptable, such as denying fundamental rights or compensation for loss, for example. 


Being realistic about AI and its shortcomings also has implications for how it is regulated. Rather than risk an effective ban on AI by regulating it according to the hype, regulation should instead focus on certifying AI's development and transparency in ways that enable us to understand its shortcomings to aid in our decision about where it can be developed and deployed appropriately.

Wednesday, 14 August 2019

UK Delays Anti-fraud Measures For Banking And Payments

It seems payments legislators wrote checks the industry couldn't cash... The UK's Financial Conduct Authority has announced a delayed ‘migration plan’ for phasing in compliance with the Strong Customer Authentication requirements by March 2020 for internet banking and March 2021 for e-commerce transactions, instead of 14 September 2019. The FCA made a separate announcement for consumers.

Update: The FCA has also written to the CEOs of payment service providers it supervises, commending the plan from the trade body, UK Finance, for meeting the deferred timeline. This will see SCA phased-in from Feb 2020 for merchants who are ready, with support from the card schemes in driving the adoption of the 3D Secure protocol (3DS 2.1/2) from March/September 2020.

This follows the guidance issued in June by the European Banking Authority that EU national regulators could agree specific migration plans (although I'm not sure the EBA expected industry-wide delays!).

The FCA says that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. 

It will be interesting to see how much progress is really made in the next 6 to 18 months...


Tuesday, 6 August 2019

FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether  PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:
  • from, or for the benefit of, a user for the execution of a payment transaction; 
  • from a payment service provider for the execution of a payment transaction on behalf of a user; or 
  • in exchange for electronic money that has been issued,
where they continue to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP.  A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.


Monday, 5 August 2019

UK FCA Guidance on Regulation of CryptoAssets

The regulation of 'cryptoassets' including cryptocurrencies is under permanent review, with the UK's Financial Conduct Authority perhaps the latest financial regulator to finalise its guidance. Despite the often-repeated statement that financial regulation is 'technology-neutral', the decentralised nature of cryptographic or 'distributed ledger technology' (DLT) is awkward because there is no central issuer, operator or service provider to which regulatory responsibility and accountability can be attached. Add to that the flexibility of DLT and the wide range of use-cases, and you have the recipe for widespread regulatory confusion.

The guidance itself is set out in Appendix 1 to the FCA's paper (pp 29-54), including useful case studies and examples, but I've only discussed the different types of cryptoasset below - including a new category added by the FCA.

The FCA's guidance in this context is also separate from:
The guidance may also change pretty quickly because:
  • the FCA itself will consult on banning the sale of derivatives linked to certain types of unregulated cryptoassets to retail clients;
  • the UK Treasury will consult on whether (further) regulation of (unregulated) cryptoassets is required; and
  • other countries may regulate in a way that it makes sense for the UK to match.

What Are Cryptoassets?

Like the regulatory authorities in most developed markets, the FCA initially embraced the idea that cryptoassets can be defined in terms of three types of cryptographically-generated 'tokens': exchange tokens, utility tokens and security tokens.

But the FCA has now added a fourth category of "e-money tokens" (those which meet the definition of "electronic money" discussed below). The intention is to leave exchange tokens and utility tokens outside the regulatory perimeter as "unregulated tokens"; and to differentiate the use of tokens as e-money from security tokens (which carry rights and obligations that are essentially the same as specified investments covered by existing securities regulation).

"Stablecoins" don't constitute a separate category because while they're all structured in a way that seeks to limit changes in their perceived value, those structures vary a lot. Some could meet the definition of e-money (e.g. equating in value to a fiat currency and meeting the other requirements), or a security ('backed' by other securities), while others would not.

So, basically, the FCA considers that only e-money tokens and security tokens will be regulated. But note that firms which are already regulated by the FCA may have regulatory obligations relating to their unregulated activities where they are carried out by the regulated firm in connection with, or held out as being for the purposes of, a regulated activity. In such cases, the FCA's 11 Principles for Business (PRIN) and individual conduct rules under the Senior Managers and Certification Regime (SMCR) will still apply. The FCA also works with other agencies to indirectly mitigate harm from other types of unlawful activity involving cryptoassets.

It's also possible that tokens could shift categories over time, or meet the definitions of two or more types. The FCA says that: 
"...the regulatory treatment depends on the token’s intrinsic structure, the rights attached to the tokens and how they are used in practice. If the token at a point in time reaches the definition of an e-money token or a security token, then it will fall under regulation. We have provided additional case studies on the fluidity of tokens within the Guidance."

Exchange Tokens

These are cryptoassets that are decentralised and primarily used as a means of exchange (e.g. ‘cryptocurrencies’, ‘crypto-coins’ or ‘payment tokens’) that are typically designed to provide limited or no rights for the holder, and there is usually no (single) issuer to enforce rights or make claims against.

The FCA does not want to regulate exchange tokens themselves (without a change in the law), but may already regulate the participants at either end of the exchange, for instance, where the cryptoasset is used by regulated payment service providers to more efficiently facilitate the processing of payment transactions in 'fiat' currency. 

Anti-money laundering regulation may also apply (particularly from 10 January 2020), but the FCA sees this as separate from its financial regulatory perimeter (even though it is also a supervisory authority for AML regulation).

Utility Tokens

These are cryptoassets that provide users with access to a current or prospective product or service and often grant rights similar to pre-payment vouchers. Again, these are unregulated where they just provide this type of utility.

Security Tokens

These are cryptoassets with essentially the same rights as regulated investment instruments (securities) such as shares, debentures or units in a collective investment scheme; and the FCA says it will regulate these the same way it regulates their traditional cousins.

Of course, the security tokens are often distributed by means of 'initial coin offerings' and/or 'airdrops' that cross multiple jurisdictions, each of which may treat/regulate them differently. The problem with consistent international regulation is that (certainly outside the 31 countries in the European Economic Area) there are differences in the classification and regulatory treatment of securities that will also affect crypto-securities with the same characteristics. The FCA points to bilateral harmonising efforts and multilateral discussions through the Global Financial Innovation Network (GFIN), the International Organization of Securities Commissions (IOSCO), the European Commission (EC) and the European Supervisory Authorities (ESA) - and one could add central bank co-ordination on the impact of cryptoassets on fiat currencies and currency regulation via the Bank for International Settlements.

E-money Tokens

These are tokens that meet the definition of "electronic money" in the Electronic Money Regulations 2011 (derived from the second EU E-money Directive):
"electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions [as defined in PSD2], and which is accepted by a natural or legal person other than the electronic money issuer;"
There are also certain specific exclusions, which include instruments used within 'limited networks', but that's worth a whole series of posts in itself.



Friday, 12 July 2019

Explainability Remains The Biggest Challenge To Artificial Intelligence

You might think that understanding and explaining artificial intelligence is becoming a job in itself, but it has actually become part of everyone's job. This struck me particularly hard while reading the recent report from UK Finance (and Microsoft), on the role of artificial intelligence in financial services. It shows that organisations are treating AI as a project or programme in itself, and struggling with where to pin responsibility for it, when actually their use of AI (and existing exposure to it through ad networks etc) means it's already loose in the world. That makes "explainability" - of AI itself and its outcomes - absolutely critical.

What is AI?

One first challenge is understanding what is meant by "AI" in any given context. In this report, the authors generally mean "a set of technologies that enable computers to perceive, learn, reason and assist in decision making to solve problems in ways that mimic human thinking."

We seem to have moved on from the debate about whether AI will ever move far beyond "narrow AI" (better than humans at some tasks like chess, Go or parsing vast quantities of data) to "general AI" (as good as a human mind) to superintelligence (better than humans, to the point where the machines do away with us altogether).

It seems widely accepted that we are (still) developing narrow AI and applying it to more and more data and situations, with the vague expectation (and concern) that one day it might become "general". 

The next major challenge is explaining each technology in the "set of technologies" that encompass AI. Not all are spelt out in the report, but I understand these technologies to include machine learning, neural networks, deep learning networks, natural language processing, speech recognition, image and facial recognition, speech and acoustic recognition. The report notes they are often used in conjunction  (e.g. scanning documents for hints of fraud, robotic process automation ("RPA") and personalising services for individuals or groups of customers). And it's important to understand that one or more technologies will be combined with devices or other machines in the course of biometrics, robotics and the operation and co-ordination of autonomous vehicles, aircraft, vessels and the 'Internet of things' - not ordinarily thought of in terms of financial services, but the data and decision-making in the context of these uses will be relevant for many financial institutions.

Each new report seems to bring a nugget or two of new jargon to understand, and this one alerted me to the use of "Random forests". 

What is a good use-case for AI?

The good news for the human race is that the authors recommend combining artificial and human intelligence rather than allowing the machines to work alone toward our extinction. AI can build on human intelligence by recognising patterns and anomalies in large amounts of data (think fraud detection) and can scale and automate repetitive tasks in a more predictable way to analyse and try to predict risks. The report suggests that AI Nirvana for UK financial institutions is fully automated customer on-boarding, personalised customer experience, retail advice and proactive financial management.

You might have spotted that the last two aspirations will be particularly exciting for fans of financial 'scandals'... and it's worth noting that the report on the health and motor insurance sectors added pricing, underwriting, claims handling, sales and distribution...

UK Finance rightly points out that organisations need to consider the implications of AI beyond the technical (or technological), particularly when used in the core of their businesses. Specifically, there are implications for culture, behaviour and governance from the business, social and economic perspectives. Privacy, safety, reliability, fairness (lack of bias and discrimination) are critical to safeguard, as well as adapting the workforce, communities and society for the impact on employment and skills. Again, AI can't be treated as separate or managed in a silo; and it's a challenge for all stakeholders, including regulators and governments.

Yet, while AI might be pervasive in its impact and effects, that does not mean it is ripe to be deployed in every situation (as is the case with applying process improvement methodologies like Six Sigma). The report provides some insight into identifying where AI is the right solution, as well as high-value use cases, levels of AI maturity and capabilities; and how to scale and measure returns on investment and business impact.

The Thorny Issue of Explainability...

While the UK Finance report is intended as an overview, a major criticism I have is that it only sounds a note of caution on the worrying issue of "explainability" without pointing out that explainability is not possible with technologies that have "hidden" layers of computing, such as artificial neural networks and deep learning. The report merely cautions that: 
"Where firms identify a trade-off between the level of explainability and accuracy, firms will need to consider customer outcomes carefully. Explainability of AI/ML is vital for customer reassurance and increasingly it is required by regulators." 
This is the point where the fans of financial scandals start stockpiling popcorn.

The relevant shortcomings and concerns associated with explainability are covered in more detail in my post on the report into the health and motor insurance sectors, including the South Square chambers report. But in summary, these mean that neural and deep learning networks, for example, are currently only really appropriate for automating decision-making where "the level of accuracy only needs to be "tolerable" for commercial parties interested only in the financial consequences... than for... issues touching on fundamental rights." 

Yet the UK Finance warning not only assumes that the use of AI and its outcomes is known by or can be explained to people within the organisation (when that may not be the case), but also assumes that organisations understand what the trade-off between explainability and accuracy means; the implications of that; and therefore whether a given use-case is actually appropriate for the application of AI technologies. A critical issue in that analysis is how to resolve any resulting disputes, whether in the courts or at the Financial Ombudsman, including identifying who is responsible where AI computing has been outsourced and/or there are multiple external sources of data.

None of this is to say, "Stop!" (even if that were possible), but it's important to proceed with caution and for those deploying and relying on AI to be realistic in their expectations of what it can achieve and the risks it presents...