Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to  non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not executing a customer’s order if, and for so long as, the bank has reasonable grounds (though not necessarily proof), for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss. 

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank). 

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

• an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
• it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
• it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
• similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevents further "Quincecare" related work to resolve whether funds are being misappropriated. 

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but it should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.

New Risk Factor On Unlawful Government Action For UK Public Offerings?

Given that yesterday's announcement by the UK government's Secretary of State for Northern Ireland was sufficiently doom-laden to trigger the resignation of the British government's most senior civil service lawyer, I wonder if it also warrants the inclusion of an additional "risk factor" in prospectuses for some UK public offerings of bonds and shares? A potential short form version is set out below (for the sake of discussion only and is not intended as advice or to be relied upon in any way). There is also, of course, a wider point about the adverse impact on the acceptability of English law as a choice of law for international contracts involving trade in goods and services...

Unlawful Government Action 

In addition to the possibility of changes in the law or regulation of the United Kingdom which may have a material adverse effect on the [Transaction Documents, the Parties and/or the Transaction], the United Kingdom government has indicated in Parliament that it intends to introduce legislation and otherwise act in breach the provisions of its treaty with the European Union in relation to the United Kingdom's withdrawal from the European Union and related arrangements for trade in goods and services (and therefore the provisions of the European Union (Withdrawal Agreement) Act 2020 which approved that treaty). This indication, and any such violations of international and/or national law, may have a material adverse effect on the [Transaction Documents, the Parties, the Transaction] and/or some or all investors' willingness to purchase the [Notes][Shares]; and may result in material uncertainties as to their true legal position which may not be practicable to resolve or which may require the [Parties] and/or investors to await the result of relevant legal proceedings or incur significant expenditure on legal fees, costs and expenses with their respective advisers to resolve such uncertainty themselves, including via legal proceedings which may not be successful.

Transferring Prepaid Card Programmes Is Non-Trivial

Ominous news that the UK e-money subsidiary of scandal-ridden Wirecard AG is "intending to wind-down its FCA-regulated business" and that "the business will continue to trade while alternative arrangements are being made with its card providers." 

Having advised on the creation and transition of various prepaid card programmes and customers, I'm aware this is highly technical from an e-money and payments regulation standpoint, and will involve intensive 'customer due diligence' under the anti-money laundering regime, as well as a careful approach to the processing of personal data. 

The FCA claims to be "working closely with Wirecard throughout this process to ensure that its customers are treated fairly," so programme managers any e-money issuer(s) taking them and their programmes on will need to tread carefully.

Needless to say, I'm here to help the transferring programme managers or their new e-money service providers either in the UK or in relation to any EEA programmes via Ireland.

 

EU Regulation of Cross-border Crowdfunding Services

The EU Parliament is about to adopt a crowdfunding regulation that will enable 'European crowdfunding service providers' (ECSPs) to help businesses raise funding directly from investors across the EU more easily than they can today. The regulation calls for the related funds flows to be handled under payment services regulation, and adds operational and prudential requirements related to lending and investment in securities. I have covered the regulation in more detail for Leman Solicitors in Ireland, as the EU regulation will be of little use to UK-based platforms owing to Brexit and the end of passporting, even where the regulation applies.

Since helping start Zopa, the first peer-to-peer lending platform, in 2005 I've acted for many peer-to-peer lending platforms and some crowd-investment platforms in the UK, as well as advising in relation to e-money and payment services since 1999. If you have plans in this area, please get in touch.