Saturday, 12 December 2020

New Insolvency Regime for UK E-money and Payment Institutions

A new insolvency regime is being introduced for UK e-money/payment institutions. Some recent administration cases have taken years to resolve. Of six cases, only one has so far returned funds to customers! Comments on the draft regulations are requested to pemisar@hmtreasury.gov.uk by 14 January, and on related rules (to be published by 17 December) by 28 January. I expect that the regulations/rules will be introduced fairly quickly thereafter – possibly a few weeks, depending on the feedback received. These are based on a similar scheme for investment banks, so it should be ‘tried and tested’.

The 'special administration regime' will have the following features:

  • the special administrator must return customer funds as soon as reasonably practicable and engage with payment systems and authorities in a timely fashion
  • a deadline for claims to be submitted to speed up the distribution process
  • a mechanism to transfer customer funds to a solvent institution
  • post-administration reconciliation to top-up or drawdown safeguarded funds
  • provisions for continuity of supply of services, to minimise disruption
  • rules for treatment of shortfalls in safeguarding accounts
  • rules for allocation of costs.


Tuesday, 8 December 2020

March Deadline For Buy Now Pay Later Offerings

Source: Financial Times

'Buy now pay later' providers and merchants have until 2 March 2021 to meet new guidance on how to comply with advertising standards. The guidance is summarised below. Please let me know if you need assistance.

Unregulated BNPL offerings allow consumers to defer full payment for a short period or allow payment by instalments, without interest.

To comply with the Advertising Standards Authority's CAP and BCAP Codes, all marketing communications for BNPL (including text on online checkout pages) must not be misleading. 

The ASA requirements apply even though the offering is not regulated by the Financial Conduct Authority, so it must be clear that BNPL services are still a form of credit and that using them could result in late payment fees and referral to debt collection agencies, and could have a negative impact on the customer's credit score.

Marketing should not imply that BNPL is suitable for all customers or is risk-free credit.

Any claims that using BNPL will not impact a person's credit score or have no consequences for missing payments must be substantiated - particularly as debts may be sold to debt collection agencies. 

It is permissible, however, to explain that a "soft" credit check may not affect the customer's credit score, where that is in fact the case.

BNPL is not "free" if any fees are payable in any circumstances. 

Claims cannot be qualified in a way that contradicts the claim being made.

Ads for financial products must state the nature of the contract, any limitation, expense, penalty or charge and the terms of withdrawal. 

If the ad is brief, consumers should be directed to a page with all the relevant information (NB: this conflicts with FCA requirements that regulated consumer credit advertisements must be 'standalone compliant' - i.e. show all the required information, e.g. using a screenshot).

Where BNPL is offered during checkout: 

  • it should be explicitly clear to customers (not disguised as a means of entering card details as if paying by card immediately);
  • other available payment methods should be obvious.
  • all relevant information must be set out on the page (not via a link).

This post is for information purposes only and is not legal advice and should not be relied upon as such.  Please let me know if you do need advice.  


Sunday, 29 November 2020

Card Acquirers Circling the Wagons?

Following its initial findings that merchants with up to £50m in card transactions are over-paying for acquiring services, the Payment Systems Regulator (PSR) has taken the unusual step of setting up a "confidentiality ring" to allow potentially affected parties to access the survey results.

The confidential material comprises:

  • Raw data file containing the responses of 1,037 small and medium sized merchants to questions in the merchant questionnaire;
  • Raw data file key needed to interpret the variable names and values from the raw data file; and
  • Data tables file providing weighted tabulations of the responses.

The confidential material can only be used: 

"in order to prepare submissions and make representations to the PSR in connection with the Market Review and, accordingly, to facilitate the exercise by the PSR of its statutory functions... and (if relevant) to prepare and conduct an appeal against any decision of the PSR in connection with the Market Review, including an appeal in which such parties are, or are intending to apply to be, an intervener."

The deadline for stakeholders to submit responses to the PSR’s consultation on the Interim Report is currently 5pm on 8 December 2020, but this will be extended to allow for access to the Confidentiality Ring, depending on when it opens and how long it lasts. A further announcement on that will be made in due course. Meanwhile, requests to join the Confidentiality Ring must be submitted to the Market Review team at cards@psr.org.uk by no later than 5pm on 4 December 2020... 


Monday, 16 November 2020

Regulator: Card Acquiring Too Costly for UK Merchants With Sales of Less Than £50m

The UK's Payment Systems Regulator (PSR) has found that services which enable retailers to accept credit/debit card payments ('card acquiring') cost too much for those with less than £50 million in annual card payments. It says those merchants should shop around or negotiate a better price with their current provider. In the meantime, the PSR is also considering certain regulatory changes below. Feedback should be emailed to cards@psr.org.uk by Tuesday 8 December 2020. Please let me know if I can assist you in either understanding and re-negotiating your acquiring terms and/or providing feedback to the PSR. 

Content of the report

The report provides a useful guide to the acquiring industry (Chapter 3), how the various providers compete (Chapter 4), the analysis of pricing and quality outcomes (Chapter 5), as well as merchants’ ability and willingness to search and switch provider (Chapter 6). The problems and proposed solutions are discussed in Chapter 7.

What are the proposed changes?

The main changes being considered are:

1. whether all merchant service contracts for card-acquiring should have an end date, rather than simply being terminable on a certain amount of notice. This would apply to both acquirer and payment facilitator contracts with small and medium-sized merchants and large merchants with annual card turnover of up to £50 million. This might force merchants to re-tender for their acquiring business, but there is nothing stopping them doing that within the bounds of an existing contract. There is no substitute for a business having the internal discipline to revisit pricing on a regular basis.

2. where merchants with physical tills have a separate contract for their point of sale card terminals/devices ("POS terminals") the end dates for these contracts may not be aligned with the termination provisions of the acquiring service contract, so the PSR is considering:

  • Limiting the length of POS terminal contracts to, say, 18 months.
  • Banning the automatic renewal of POS terminal contracts for successive fixed terms.
  • Declaring contracts for card-acquiring services and POS terminals as being 'linked', where they are sold together as a package by acquirers or Independent Sales Organisations (ISOs). This would enable the merchant to terminate both contracts at the same time without additional charge where, for example, the acquirer wishes to change the fees or other terms of the acquiring contract in ways that are not acceptable, or breaches the contract. But this would not apply where payment facilitators sell POS terminals to merchants separately. In those cases, it would be up to the merchant to negotiate the term and termination rights in the POS terminal contract to coincide with those provisions in the acquiring contract (to cover the situations where either the POS terminals or payment facilitator won't work with a new acquirer).

3. ISOs and acquirers could be required to facilitate price comparison by merchants, e.g. by providing pricing information in an easily comparable format (building on obligations on acquirers in the Interchange Fee Regulation and the Payment Services Regulations 2017 to provide fee information to merchants).

Has the regulator got this wrong?
 
Probably not. The PSR has done plenty of homework here and the report seems thorough to me (over 20 years in payments, including spells working inside both a very large merchant and a very large acquirer). Its market research included consulting on the methodologies for: analysing whether the limits on interchange fees had been passed through; surveying merchants; and analysing acquirer profitability. The PSR also engaged with other regulators and all the various types of industry participants: acquirers, banks, ISOs, gateway providers, independent software vendors, online marketplaces, operators of card payment systems, payments consultancies, payment facilitators and trade associations.
 
In fact, as with most such initiatives in the financial services industry, this exercise is probably long overdue.
 
Please let me know if I can assist in your negotiations or feedback. 

Saturday, 14 November 2020

Will It Be Practicable To Transfer Personal Data From the EEA to the UK After 2020?

From 1 January 2021, any EEA-based organisation wishing to transfer personal data from the EEA to the UK (or any other non-EEA country) will need to be able to show that the processing will have the same protection as under EU data protection law (GDPR). Many firms might consider that exercise impracticable from a cost and administration standpoint, particularly in light of certain new recommendations on which the EU authorities are now consulting. These are briefly explained below. The UK's Information Commissioner is "reviewing" the proposals, but of course has no influence. This will affect "thousands" of firms and could prove severely disruptive for cross-border services ranging from payroll and benefits, to e-commerce marketplaces to social media services. If you need assistance, either in the UK or in Ireland/EEA please let me know.

Options for transferring personal data from the EEA to the UK

An EEA-based business can only transfer personal data to a non-EEA country if one of three situations applies:

  1. the European Commission has ruled that country's personal data protection laws to be ‘adequate’;
  2. there are appropriate safeguards or 'transfer tools' in place to protect the rights of data subjects (including 'Standard Contractual Clauses'); or
  3. certain 'derogations' or exemptions apply to allow the processing as of right.  

For many reasons it is best to assume there will not be an EU adequacy decision relating to the UK’s data protection regime by 1 January 2021, as that process is long and complex, and there are some features of the UK regime which do present problems, including: 

  • the UK’s use of mass surveillance techniques;
  • intelligence sharing with other countries such as the US;
  • the questionable validity of the UK immigration control exemption;
  • the lack of a ‘fundamental right’ to data protection under UK law; 
  • UK adequacy findings for other countries’ personal data regimes that the EU does not deem adequate; and 
  • the potential for future divergence from EU data protection standards if the UK GDPR is further modified post Brexit. 

As a result of the decision of the European Court of Justice in a case against Facebook (‘Schrems II’), a data exporter relying on Standard Contractual Clauses (or other contractual 'transfer tools') must first verify that the law of the third country ensures a level of protection for personal data that is equivalent to the EU's General Data Protection Regulation. If that level is considered sub-standard, the data exporter may be able to use certain measures to plug the gaps, but this process would need to be carefully documented and is the subject of the main recommendations from the EDPB. 

The extent to which you can usefully rely on the derogations, either before considering the other appropriate safeguards or 'transfer tools', or if those other options are not available, is also somewhat doubtful, as I will explain.

Assessing whether personal data transfers outside the EEA are appropriate

To help data exporters evaluate whether the use of transfer tools will be appropriate, the forum of all the EEA data protection authorities (the European Data Protection Board or EDPB) is now consulting on recommendations for: 

The EDPB's first set of recommendations contains the steps outlined below. The European Essential Guarantees enable data exporters to determine if the rights for public authorities to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data. Basically:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

The steps involved in assessing the appropriateness of transfer tools must be documented. These involve:

  • mapping the proposed transfers;
  • choosing the basis for transfer (adequacy decision, 'transfer tool' or derogation);
  • unless an adequacy decision has been made by the EU, working with the data importer to assess whether the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer (legislation, especially where ambiguous or not publicly available; and/or certain reputable third party findings such as those in Annex 3), and not relying on subjective factors such as the perceived likelihood of public authorities’ access to your data in a manner not in line with EU standards;
  • considering whether any supplementary tools might avoid any problems with the third country's laws (various use-cases and suggested tools are explained in the Annex 2 to the recommendations);
  • taking any formal steps to implement the relevant tool;
  • re-evaluating the assessment periodically or on certain triggers, such as changes in the law (which you should also oblige the data importer to keep you informed about).

Data exporters must thoroughly record their assessment process in the context of the transfer, the third country law and the transfer tool on which they propose to rely. But it may not be possible to implement sufficient supplementary measures in every case, meaning the transfer must not proceed. As the Commission points out, there are "no quick fixes, nor a one-size-fits-all solution for all transfers."

The problem with relying on 'derogations'

The EDPB's first set of recommendations states (at para 27) that "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with..." assessing whether the proposed transfer tool is effective. However, that order of approach is not consistent with Article 49, which provides that:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

...

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

In addition, the EDPB's own guidance on article 49 itself points out (on pages 3-4) that: 

“Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached…Hence, data exporters should first endeavor [explore?] possibilities to frame the transfer with one of the mechanisms included in Articles 45 [adequacy] and 46 [transfer tools] GDPR, and only in their absence use the derogations provided in Article 49 (1)” [but even then the use of the derogations would imply the need for an assessment of the third country’s personal data protection regime by virtue of article 44].

Accordingly, there seems to be no alternative to running through the steps to assess whether the relevant 'transfer tools' will work (with or without supplementary measures) in the context of the transfer and the third country's law. Yet many firms will likely find that process impracticable from a cost and administration standpoint.


Thursday, 12 November 2020

FCA Irons Out Brexit Wrinkle For UK Open Banking

'Open banking' enables you to use certain 'account information' and 'payment initiation' service providers (TPPs) to extract your payment data or initiate payments from your payment accounts with banks and other payment service providers (ASPSPs). There are 2 million users in the UK. Open Banking was driven by UK competition law enforcement against banks who were hogging access to payment account data; and by changes to the EU Payment Services Directive as a result of similar concerns across Europe. A key feature of the Open Banking regime is that TPPs' systems must authenticate themselves using a certificate that complies with an EU identity regime (eIDAS), from which Britain excluded UK-based TPPs by leaving the EU. The FCA has now come up with the quick fix described below to try to support the continuity of Open Banking after 31 December... 

In July, the European Banking Authority confirmed that eIDAS certificates issued to UK-based TPPs by EU trust providers will be revoked on 31 December, even though UK law would recognise them as valid under its new UK eIDAS Regulation. 

The FCA does not have the ability to delay the revocation of eIDAS certificates; there is no scope within eIDAS to issue UK-only certificates; and there are not yet any UK trust providers qualified to issue eIDAS certificates under the new UK eIDAS Regulation. 

That means TPPs in the UK will no longer be able to access their customers’ payment account data held with their account servicing payment service providers (ASPSPs) after 31 December without a further change to UK eIDAS requirements, so the FCA has amended them to allow for the use of an alternative form of authentication certificate.

As a result of the recent changes, UK ASPSPs must now accept at least one other electronic form of identification issued by an independent third party, in addition to continuing to accept eIDAS certificates. 

The additional form of identification must:

  • be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity;
  • include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration number (Firm Reference Number (FRN));
  • be revoked as soon as the TPP is no longer authorised to conduct TPP activities. 

An ASPSP must: 

  • verify the authorisation status of the TPP in a way that would not create any obstacles to TPP access;
  • satisfy itself of the suitability of the independent third party issuing the certificate;
  • specify publicly which means of identification it accepts to ensure TPPs are aware (e.g. on the Open Banking Implementation Entity (OBIE) transparency calendar or on their website).

To ensure continuity of service and enable TPPs to use the existing 90-day reauthentication cycle, the FCA will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the amended requirements until 30 June 2021, so long as:

  • TPPs have also presented a compliant certificate, as described under the amended requirement, to that non-qualifying API programme;
  • that API programme verifies the certificate; and 
  • continues checking, on behalf of the ASPSP, the status of the TPP’s compliant certificate. 

So, a legacy OBIE certificate may be used during that period, provided that the TPP has presented a valid certificate to the OBIE. 

The FCA has removed the need for the certificate to include the address of the TPP and issuer; the need for revoking the certificate if identity information is unverifiable; and the need for a certificate to be amended (as, technically, a certificate can only be revoked). 

ASPSPs must: 

  • assess the need for any changes to their systems and processes and implement any necessary changes by 31 December, and tell TPPs which alternative certificate they will accept as early as possible. 
  • continue accepting valid eIDAS certificates. This includes for UK firms until their certificates are revoked, even after 31 December where applicable; as well as for EEA-based firms that benefit from the UK's Temporary Permission Regime to continue providing their services in the UK after Brexit.

TPPs whose eIDAS certificate is likely to be revoked must have an alternative certificate(s) as soon as possible ahead of 31 December.


Monday, 14 September 2020

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not execute a customer’s order if, and for so long as, the bank has reasonable grounds (though not necessarily proof), for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss. 

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank).

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

  • an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
  • it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
  • it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
  • similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevent further "Quincecare" related work to resolve whether funds are being misappropriated. 

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but it should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.


Wednesday, 9 September 2020

New Risk Factor On Unlawful Government Action For UK Public Offerings?

Given that yesterday's announcement by the UK government's Secretary of State for Northern Ireland was sufficiently doom-laden to trigger the resignation of the British government's most senior civil service lawyer, I wonder if it also warrants the inclusion of an additional "risk factor" in prospectuses for some UK public offerings of bonds and shares? A potential short form version is set out below (for the sake of discussion only and is not intended as advice or to be relied upon in any way). There is also, of course, a wider point about the adverse impact on the acceptability of English law as a choice of law for international contracts involving trade in goods and services...

Unlawful Government Action 

In addition to the possibility of changes in the law or regulation of the United Kingdom which may have a material adverse effect on the [Transaction Documents, the Parties and/or the Transaction], the United Kingdom government has indicated in Parliament that it intends to introduce legislation and otherwise act in breach of the provisions of its treaty with the European Union in relation to the United Kingdom's withdrawal from the European Union and related arrangements for trade in goods and services (and therefore the provisions of the European Union (Withdrawal Agreement) Act 2020 which approved that treaty). This indication, and any such violations of international and/or national law, may have a material adverse effect on the [Transaction Documents, the Parties, the Transaction] and/or some or all investors' willingness to purchase the [Notes][Shares]; and may result in material uncertainties as to their true legal position which may not be practicable to resolve or which may require the [Parties] and/or investors to await the result of relevant legal proceedings or incur significant expenditure on legal fees, costs and expenses with their respective advisers to resolve such uncertainty themselves, including via legal proceedings which may not be successful.


Monday, 7 September 2020

Transferring Prepaid Card Programmes Is Non-Trivial

Ominous news that the UK e-money subsidiary of scandal-ridden Wirecard AG is "intending to wind-down its FCA-regulated business" and that "the business will continue to trade while alternative arrangements are being made with its card providers." 

Having advised on the creation and transition of various prepaid card programmes and customers, I'm aware this is highly technical from an e-money and payments regulation standpoint, and will involve intensive 'customer due diligence' under the anti-money laundering regime, as well as a careful approach to the processing of personal data. 

The FCA claims to be "working closely with Wirecard throughout this process to ensure that its customers are treated fairly," so programme managers and any e-money issuer(s) taking them and their programmes on will need to tread carefully.

Needless to say, I'm here to help the transferring programme managers or their new e-money service providers either in the UK or in relation to any EEA programmes via Ireland.

 

Thursday, 3 September 2020

EU Regulation of Cross-border Crowdfunding Services

The EU Parliament is about to adopt a crowdfunding regulation that will enable 'European crowdfunding service providers' (ECSPs) to help businesses raise funding directly from investors across the EU more easily than they can today. The regulation calls for the related funds flows to be handled under payment services regulation, and adds operational and prudential requirements related to lending and investment in securities. I have covered the regulation in more detail for Leman Solicitors in Ireland, as the EU regulation will be of little use to UK-based platforms owing to Brexit and the end of passporting, even where the regulation applies.

Since helping start Zopa, the first peer-to-peer lending platform, in 2005 I've acted for many peer-to-peer lending platforms and some crowd-investment platforms in the UK, as well as advising in relation to e-money and payment services since 1999. If you have plans in this area, please get in touch.

 

Wednesday, 5 August 2020

Brexit-proofing... eIDAS Certificates

The European Banking Authority has just reminded firms to get ready for the end of cross-border activity between the EU and UK. Among other things, for Open Banking this means:
“account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 [the eIDAS Regulation] will be revoked.”
However, as explained by the UK's Information Commissioner, a version of the eIDAS Regulation will take effect in UK law after 1 January 2020 (by virtue of the snappily titled Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019/89). 

This means UK law will continue to recognise EU registered qualified trust service providers, with the intention that UK-based organisations can continue to use EU-based trust services as well as UK-based trust providers. The approved trust providers that appear in the eIDAS trusted list for the UK immediately before the end of the transition period will remain on the list for the new UK scheme after transition ends. But the certificates issued under the UK scheme - or by EU service providers to UK-based firms - will not be recognised in the EU (or EEA).

Of course, it's a practical/commercial issue as to whether EU-based trust service providers will continue issuing certificates to UK firms after the Brexit transition ends…


Monday, 20 July 2020

New Basis/Rules For UK Participation In SEPA From 1 January 2021

The European Payments Council has issued a press release on the impact of Brexit on Single Euro Payments Area (SEPA), regardless of whether the UK leaves with or without a deal. I have summarised some key data changes below. Firms with queries should email their local national SEPA adherence body. The EPC has previously outlined the implications of a no-deal Brexit on SEPA transactions.

The UK will remain a participant in SEPA but the rules that apply to transactions to and from the UK and countries in the European Economic Area (EEA) from 1 January 2021 will be the rules that apply to transactions between EEA countries and non-EEA countries.

So the required content of SEPA instructions to be executed or settled on or after 1 January 2021 involving a UK-based firm that participates in the SEPA scheme will be:
  • for SEPA Credit Transfers (SCT) and SEPA Instant Credit Transfer (SCT Inst): instructions from the originator should include the full address details of the originator and the Bank Identifier Code (BIC) of the beneficiary bank, when the originator bank explicitly requests this data element from the originator; and
  • for SEPA Direct Debit (SDD) Core and SDD Business to Business (B2B): collection files from the creditor should include the full address details of the debtor and the BIC of the debtor bank, when the creditor bank explicitly requests this data element from the creditor.
Failure to include these additional transaction details may lead to rejected transactions or other issues from the scheme participant receiving the payment message (beneficiary/debtor bank or their respective interbank clearing and settlement partners). 

UK-based SEPA members should therefore identify their customers that have cross-border SEPA transactions involving both a UK and an EEA payment account, and inform them of the need to provide the extra transaction data from 1 January 2021 (as either execution or settlement date). 


Thursday, 16 July 2020

FCA E-money and Payments Safeguarding Update - Clarity On Financial Services Compensation Scheme

The Financial Conduct Authority recently issued temporary updated guidance on the safeguarding obligations of e-money and payments institutions. There were several points that I raised during the consultation on the temporary guidance, but I acknowledge there might not have been adequate time or resources to address them. Indeed, they might be dealt with in the wider consultation due in 2020/21 on changes to the FCA's general guidance on e-money and payments regulation in the Approach Document. In the meantime, I have long been particularly interested in whether e-money and payments firms should be expected to explain the extent to which the Financial Services Compensation Scheme (FSCS) might protect deposits held by those firms with any bank that became insolvent. This is not a fanciful issue, as the insolvency of Wirecard AG has demonstrated. Wirecard's bank subsidiary is under 'emergency management' of the German financial regulator, while the FCA has allowed the e-money subsidiary to reopen after an unfortunate snap-freeze. I should point out that this post is for information purposes only, does not constitute legal advice and should not be relied upon to make any decision. Please contact me if you need assistance on any of the issues covered.

The FSCS covers eligible deposits held at banks, and not the services offered by or the electronic payment accounts of e-money or payment institutions. So the FCA is right to say that e-money and payments firms should not suggest to their customers that the FSCS applies to their activities or the accounts in their systems.  

However, there needs to be clarity on the extent to which there could be pass-through FSCS cover for the end-customers of e-money or payment institutions where money is held in an institution's ‘safeguarding' bank account at a bank which itself becomes insolvent (as opposed to the e-money or payment institution becoming insolvent), under the provisions of the Depositor Protection rules in the Prudential Regulation Authority Rulebook.

For convenience the relevant provisions are:
  • Paragraph 1.26 of the updated FCA guidance states (as does the Approach Document): 
Payment and e-money firms should also avoid suggesting to customers that the relevant funds they hold for them are protected by the Financial Services Compensation Scheme. 
"relevant funds" are either funds that have been received in exchange for issued e-money or sums received from, or for the benefit of, a payment service user for the execution of a payment transaction or sums received from a payment service provider for the execution of a payment transaction on behalf of a payment service user; and they must be held in a certain type of bank account ('safeguarding account') or be appropriately insured.
  • DP 6.2(5) contains the obligation on the FSCS to pay compensation where the bank account holder is not absolutely entitled to the eligible deposit, and another person (A) is absolutely entitled (see DP 6.10 below);
  • DP 6.3 mentions trustees (other than bare trustees) and entitlements of beneficiaries, without being specific as to whether these might be statutory or non-statutory trust arrangements; and
  • DP 6.10 provides: 
“For the purposes of this Part, the cases in which A is absolutely entitled to the eligible deposit include where:
(a) A is a beneficiary under a bare trust;
(b) the account holder is a nominee company which is holding money in the account for A;
(c) A is a client in respect of money which the account holder is treating as client money of A in accordance with FCA rules, the SRA Accounts Rules 2011 or an equivalent regime; or
(d) the FSCS is otherwise satisfied that A is absolutely entitled to the eligible deposit taking into account any information that the FSCS considers relevant.”
Therefore, it seems to me that, in the event of the insolvency of the bank where an e-money or payment institution's safeguarding account is held:
  • the end-customer of the e-money/payments institution should have recourse against the bank under Depositor Protection rules for money in the safeguarding account (to which he or she is beneficially entitled via a claim on the relevant funds under the E-money/Payments Regulations) up to the £85,000 limit (extended in some cases for temporary high balances). This would be consistent with the position in relation to funds held in bank accounts covered by the FCA's client money rules (CASS), as well as other arrangements under the Solicitors Regulation Authority rules relating to solicitors' client accounts, for example. The PRA made clear this applied to peer-to-peer lending platforms, before those platforms became regulated by the FCA and were generally operating as bare trustees.
  • In addition, while they could not be entitled to be compensated twice, under trust principles, end-customers should also be entitled to receive a proportion of any FSCS pay-out that the e-money or payment institution might receive as a customer of the bank in its own right in relation to the safeguarding account, according to the proportion that those end-customers’ funds bear to the total amount held in the safeguarding account. 
I would be interested to know the views of any other practitioners in this area.

Again, this post is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article. Please contact me if you need assistance on any of the issues covered.


Tuesday, 14 July 2020

EU Platform to Business Regulation

The European Union regulations for the supply of online platform services to businesses took effect on 12 July 2020 and are known as the "Platform to Business" or "P2B" Regulation. The intention is to provide rules creating a fair, transparent and predictable business environment for smaller traders on online intermediation (sales) platforms and search engines that enable those business users to reach consumers. The European Commission has published a Q&A on how the P2B Regulation applies, which is definitely worth reading. Most of the obligations for platforms that are caught relate to what must be in their terms and conditions, which will be void if they do not comply. The only truly awkward or unusual provision, however, is the obligation to name two or more mediators to whom they are willing to refer disputes that can't be resolved by means of the internal complaint-handling system. Please contact me if you have any queries about the P2B Regulation.

The P2B Regulation applies if you are an online intermediation service or search engine and within the geographic scope, i.e. the target business users or corporate website users:
  • have their place of establishment or residence in the EEA; AND 
  • offer goods or services through the online intermediation service or search engine to consumers located in the EEA.
This will cover UK (and other non-EEA) intermediation/search platforms even after Brexit if they satisfy these two criteria.

Your services qualify as “online intermediation services” if they meet all of the following requirements:
  • they constitute information society services (provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services);
  • they allow ‘business users’ to offer goods or services to 'consumers’;
  • with a view to facilitating the initiating of 'direct transactions' between the business users and the consumers, regardless of where the direct transactions are ultimately concluded; 
  • they are provided to ‘business users’ on the basis of contractual relationships between the provider of the services and the business users.
The most common examples are e-commerce marketplaces, where businesses are active, such as short-term accommodation rental websites where hosts include professionals (e.g. hotels), app stores and social media for business. Small platform operators (fewer than 50 staff and ≤ €10 million turnover) are covered, but are exempt from the requirements to have an internal complaint-handling mechanism or to specify mediators in their terms and conditions.

Examples of intermediation platforms not covered would include:
  • peer-to-peer online intermediation services without the presence of business users;
  • pure business-to-business online intermediation services which are not offered to consumers;
  • online advertising tools and online advertising exchanges which are not provided with the aim of facilitating the initiation of direct transactions and which do not involve a contractual relationship with consumers;
  • search engine optimisation software services;
  • services which revolve around advertising-blocking software;
  • online payment services, since they do not themselves meet the applicable requirements but are rather inherently auxiliary to the transaction for the supply of goods and services to the consumers concerned.
While this post does not constitute legal advice to be relied on in any way and the position may vary on the specific facts, my initial view would be that a peer-to-peer lending platform would not be included, because businesses are not offering goods or services to consumers, but lending money. In addition, on many platforms the lenders/investors are not acting in a business capacity, some platforms may only be consumer-to-consumer, while on others the borrowers are typically corporations.

Search engine providers are also caught if all the elements of the definition of that term are present:
  • a digital service, 
  • that allows users to input queries, 
  • to perform searches of, in principle, all websites, or all websites in a particular language, 
  • on the basis of a query on any subject, 
  • in the form of a keyword, voice request, phrase or other input, and 
  • returns results in any format in which information related to the requested content can be found.
Search engines do not necessarily have a contractual relationship with their corporate website users.

Please contact me if you have any queries about the P2B Regulation.


Friday, 26 June 2020

Wirecard UK's Customers Should Get Their Money Back...

The sudden closure of Wirecard Card Solutions, the UK e-money institution, highlights confusion over whether customers' prepaid funds are protected. Here's a quick explanation. The Financial Conduct Authority has also published an explanation. If you have any queries about how these rules operate, please let me know.
The Financial Services Compensation Scheme (FSCS) covers bank deposits but not the 'electronic money' or other payment services offered by e-money institutions or payment institutions. The Financial Conduct Authority’s guidance in its “Approach” to regulating such payment service providers states:
In providing customers with details of their service, PSPs and e-money issuers must avoid giving customers misleading impressions or marketing in a misleading way, e.g.:
- misleading as to the extent of the protection given by safeguarding
- suggesting funds are protected by the Financial Services Compensation Scheme, or displaying the FSCS logo
However, the actual funds that correspond to the electronic balance in an e-money institution's prepaid account, or the funds that a payment institution is handling in the course of executing payment transactions, must be 'safeguarded' in certain types of bank accounts ('safeguarding accounts') or be insured.

If the funds are held in the safeguarding account in accordance with the relevant regulations, then they form a 'pool' of money that is separate from the e-money or payment institution's own funds, and can be passed back to the customers who are entitled to them rather than be used to pay the institution's other creditors. This can take some time, however. The safeguarding process can also break down, for instance, where the institution mixes its own funds in those accounts, or moves 'relevant funds' to non-safeguarded accounts.

E-money and payment institutions are also required to ensure that their registered agents also safeguard relevant funds. Registered agents could include firms that issue prepaid debit/payment cards or otherwise operate prepaid card or e-money programmes on behalf of the e-money institution.

There remains the question of what happens in the event of a failure by the bank where the safeguarding account is held (as opposed to the failure of the e-money or payment institution that safeguarded its customers' funds there, as in the Wirecard case). In that event, there should be pass-through FSCS cover for the end-customers of payment institutions and e-money institutions because:
  • there must still be recourse to assets to which the end-customer is beneficially entitled (their claim on the pooled safeguarding account), so as the underlying beneficiary the end-customer should have a claim for up to the £85,000 limit (extended in some cases for temporary high balances) against the FSCS (under Depositor Protection 6.3 in the Prudential Regulation Authority Rulebook). This is the position in relation to funds held in bank accounts covered by the FCA's client money rules (CASS), as well as other non-financial trust fund arrangements such as those for law firms under the rules of the Solicitors Regulation Authority. The PRA made clear this applied to peer-to-peer lending platforms, albeit this was before the platforms became regulated, when they were generally operating trusts, so it would be surprising if this were different for payment services providers who are not banks.
  • In addition, while they could not be entitled to be compensated twice, the principles of trust law should mean that customers would also be entitled to receive a proportion of any FSCS pay-out that the payment service provider receives as a customer of the bank in its own right in relation to the safeguarding account held in its name, according to the proportion that those customers’ funds bear in relation to the total amount held in the safeguarding account.
If you have any queries about how these rules operate, please let me know.