UK Delays Anti-fraud Measures For Banking And Payments

It seems payments legislators wrote checks the industry couldn't cash... The UK's Financial Conduct Authority has announced a delayed ‘migration plan’ for phasing in compliance with the Strong Customer Authentication requirements by March 2020 for internet banking and March 2021 for e-commerce transactions, instead of 14 September 2019. The FCA made a separate announcement for consumers.

Update: The FCA has also written to the CEOs of payment service providers it supervises, commending the plan from the trade body, UK Finance for meeting the deferred timeline. This will see SCA phased-in from Feb 2020 for merchants who are ready, with support from the card schemes in driving the adoption of the 3D Secure protocol (3DS 2.1/2) from March/September 2020.

This follows the guidance issued in June by the European Banking Authority that EU national regulators could agree specific migration plans (although I'm not sure the EBA expected industry-wide delays!).

The FCA says that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. 

It will be interesting to see how much progress is really made in the next 6 to 18 months...

FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether  PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:

• from, or for the benefit of, a user for the execution of a payment transaction; 
• from a payment service provider for the execution of a payment transaction on behalf of a user; or 
• in exchange for electronic money that has been issued,

where they continues to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP.  A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.

UK FCA Guidance on Regulation of CryptoAssets

The regulation of 'cryptoassets' including cryptocurrencies is under permanent review, with the UK's Financial Conduct Authority perhaps the latest financial regulator to finalise its guidance. Despite the often-repeated statement that financial regulation is 'technology-neutral', the decentralised nature of cryptographic or 'distributed ledger technology' (DLT) is awkward because there is no central issuer, operator or service provider to which regulatory responsibility and accountability can be attached. Add to that the flexibility of DLT and the wide range of use-cases, and you have the recipe for widespread regulatory confusion.

The guidance itself is set out in Appendix 1 to the FCA's paper (pp 29-54), including useful case studies and examples, but I've only discussed the different types of cryptoasset below - including a new category added by the FCA.

The FCA's guidance in this context is also separate from:

• anti-money laundering: the fifth money laundering directive (5MLD) will be gold-plated implemented in the UK by January 2020, which will impose anti-money laundering requirements on certain cryptoasset firms, amongst other types of businesses.
• the use of Distributed ledger technology (DLT) for regulated activities such as custody, and settlement.

The guidance may also change pretty quickly because:

• the FCA itself will consult on banning the sale of derivatives linked to certain types of unregulated cryptoassets to retail clients; and
• the UK Treasury will consults on whether (further) regulation of (unregulated) cryptoassets is required; and
• other countries may regulate in a way that it makes sense for the UK to match.

What Are Cryptoassets?

Like the regulatory authorities in most developed markets, the FCA initially embraced the idea that cryptoassets can be defined in terms of three types of cryptographically-generated 'tokens': exchange tokens, utility tokens and security tokens. 

But the FCA has now added a fourth category of "e-money tokens" (those which meet the definition of "electronic money" discussed below). The intention is to leave exchange tokens and utility tokens outside the regulatory perimeter as "unregulated tokens"; and to differentiate the use of tokens as e-money from security tokens (which carry rights and obligations that are essentially the same as specified investments covered by existing securities regulation).

"Stablecoins" don't constitute a separate category because while they're all structured in a way that seeks to limit changes in their perceived value, those structures vary a lot. Some could meet the definition of e-money (e.g. equating in value to a fiat currency and meeting the other requirements), or a security ('backed' by other securities), while others would not.

So, basically, the FCA considers that only e-money tokens and securities tokens will be regulated.  But note that firms which are already regulated by the FCA may have regulatory obligations relating to their unregulated activities where they are carried out by the regulated firm in connection with, or held out as being for the purposes of, a regulated activity. In such cases, the FCA's 11 Principles for Business (PRIN) and individual conduct rules under the Senior Managers and Certification Regime (SMCR) will still apply. The FCA also works with other agencies to indirectly mitigate harm from other types of unlawful activity involving cryptoassets.

It's also possible that tokens could shift categories over time, or meet the definitions of two or more types. The FCA says that: 

"...the regulatory treatment depends on the token’s intrinsic structure, the rights attached to the tokens and how they are used in practice. If the token at a point in time reaches the definition of an e-money token or a security token, then it will fall under regulation. We have provided additional case studies on the fluidity of tokens within the Guidance."

Exchange Tokens

These are cryptoassets that are decentralised and primarily used as a means of exchange (e.g. ‘cryptocurrencies’, ‘crypto-coins’ or ‘payment tokens’) that are typically designed to provide limited or no rights for the holder, and there is usually no (single) issuer to enforce rights or make claims against.

The FCA does not want to regulate exchange tokens themselves (without a change in the law), but may already regulate the participants at either end of the exchange, for instance, where the cryptoasset is used by regulated payment service providers to more efficiently facilitate the processing of payment transactions in 'fiat' currency. 

Anti-money laundering regulation may also apply (particularly from 10 January 2020), but the FCA sees this as a separate to its financial regulatory perimeter (even though it is also a supervisory authority for AML regulation).

Utility Tokens

These are cryptoassets that provide users with access to a current or prospective product or service and often grant rights similar to pre-payment vouchers. Again, these are unregulated where they just provide this type of utility.

Security Tokens

These are cryptoassets with essentially the same rights as regulated investment instruments (securities) such as shares, debentures or units in a collective investment scheme; and the FCA says it will regulate these the same way they regulate their traditional cousins.

Of course, the security tokens are often distributed by means of 'initial coin offerings' and/or 'airdrops' that cross multiple jurisdictions, each of which may treat/regulate them differently. The problem with consistent international regulation is that (certainly outside the 31 countries in the European Economic Area) there are differences in the classification and regulatory treatment of securities that will also affect crypto-securities with the same characteristics. The FCA points to bilateral harmonising efforts and multilateral discussions through the Global Financial Innovation Network (GFIN), the International Organization of Securities Commissions (IOSCO), the European Commission (EC) and the European Supervisory Authorities (ESA) - and one could add central bank co-ordination on the impact of cryptoassets on fiat currencies and currency regulation via the Bank of International Settlements.

E-money Tokens

These are tokens that meet the definition of "electronic money" in the Electronic Money Regulations 2011 (derived from the second EU E-money Directive):

electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions [as defined in PSD2], and which is accepted by a natural or legal person other than the electronic money issuer;

There are also certain specific exclusions, which include instruments used within 'limited networks'  but that's worth a whole series of posts in itself.

Whether this meets the concern of the Financial Markets Law Committee that there's a gap in AML regulation for virtual currencies that share the characteristics of money remains to be seen.