New Insolvency Rules for UK E-money and Payment Institutions

The Payment and Electronic Money Institution Insolvency (England and Wales) Rules 2021 (SI 2021/1178) will come into force on 12 November 2021 (there is an explanatory memorandum). The new rules provide detailed operating provisions to support the special administration process for payment institutions andelectronic money institutions governed by The Payment and Electronic Money Institution Insolvency Regulations 2021 (SI 2021/716) which came into effect on 8 July 2021 (there is also an explanatory memo relating to those regs).

Amongst other provisions, the new rules: 

• Require insolvency practitioners to provide a reasonable notice period before a claims bar date comes into effect. 
• Clarify the full hierarchy of expenses. 
• Require notice of a bar date to be given to all persons whom the administrator believes to have a right to assert a security interest or other entitlement over the relevant funds. 
• Require the special administrator to engage closely with payment systems operators during the special administration. 

The Government consultation response explains the evolution of this legislation.

Trouble At The FCA's Perimeter

The UK's Financial Conduct Authority is often charged with an apparent failure to act amidst a 'scandal' of some description. Its usual defence is that the activity in question lay outside the scope or 'perimeter' of what the FCA is empowered to supervise. The FCA also publishes a "Perimeter Report" pointing out issues that it sees outside the perimeter that it considers it should be given powers to address. Needless to say, that's a lot like having your cake and eating it, but so it goes. Anyhow, aside from the usual suspect of dodgy financial advice through appointed representatives, two areas leapt out at me among those identified in the latest Perimeter Report:

Financial promotions/marketing: The FCA believes that the exemptions for unauthorised persons to market investments to 'high net worth' and 'sophisticated' investors under the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (SI 2005/1529) (FPO) are no longer fit for purpose, so there need to be significant changes - including the nature of the thresholds for consumers to qualify and self-certify that they qualify as either high net worth or sophisticated. 

Cryptoassets: The FCA is seeing the evolution of 'complex business models' presented as ways for customers to generate returns from cryptoasset holdings, which its believes may need further regulatory or legislative action to address. I'd say that's the understatement of the century, given the recent shriek of alarm from the Bank of England about the threat to financial stability from cryptoassets. I'd say investors are more likely to understand that 'unbacked' cryptoassets (e.g. bitcoin) are very high risk investments, but vulnerable to being misled to believe that a cryptoasset is somehow "backed" by other assets (i.e. 'stablecoins') or somehow include rights to other assets or income.

The problems identified here are likely to have arisen from investigations or complaints where the FCA would particularly like to have acted but didn't immediately have all the powers it would have liked. Therefore, it also seems likely that these areas will be the subject of future enforcement if those powers are forthcoming...

UK Diverging from EU on Strong Customer Authentication?

As someone who's trying to maintain a financial regulatory practice on both sides of the Irish Sea, I'm watching the Brexidiots like a hawk to spot divergence, particularly in areas that used to require maximum harmonisation, like e-money & payment services. So it's awkward that the FCA recently said that it will not include in its own guidance the European Banking Authority's views on features that would or wouldn't meet the test of  'inherence' in relation to strong customer authentication, but won't yet say why.

Strong (or 'two factor') authentication is the security feature that confronts users when they initiate a bank transfer, for example. It should already have been applied in relation to e-commerce payments, but regulators have repeatedly agreed to kick that can down the road to allow online merchants to prepare. The latest UK deadline is 14 March 2022. 

There are actually three potential factors to strong customer authentication, but only two need to be applied from Inherence (something the user is), Knowledge (something only the user knows) and Possession (something the user possesses).

In an effort to be helpful, the EBA opinion of June 2019 (paras 17-23) went into some detail as to what features satisfy each factor, with Inherence being perhaps the hardest to pin down since it's an area of fast-moving technological development in biometrics etc. 

By refusing to say why it won't incorporate the guidance, the FCA is perhaps hedging its bets as to whether the EBA's view is outdated or will be rolled back. But not to say whether it agrees or disagrees is hardly helpful to those trying to develop and test a solution to go live by 14 March.

 

'Slight Delay' To EU Crowdfunding Regulation

The European Securities and Markets Authority has written to the European Commission urging clarificiation of some important interpretation issues relating to the EU Crowdfunding Regulation and suggesting a 'slight delay' to the proposed implementation date of 10 November 2021. ESMA says the delay would ensure that all the key technical standards are available to applicants and national authorities. I have summarised the letter for Leman Solicitors.  

Let me know if you need assistance with any application for authorisation.

 

Payment and E-money Institution Insolvency Regulations Take Effect On 8 July

As covered in December, the Payment and Electronic Money Institution Insolvency Regulations 2021 were passed on 17 June and take effect on 8 July 2021.

While the Regulations mainly deal with an insolvency scenario, it’s worth noting there is also provision for the Financial Conduct Authority to seek a special administration merely where that is ‘fair’ (see Regulation 9(1)(b) and 9(3)). This might assist in cases where the institution is solvent but otherwise proving difficult.

Please let me know if I can help.

Deadline For SCA On E-commerce Transactions Slips Again

Once upon a time, the second Payment Services Directive required mandated the introduction of 'strong customer authentication' (SCA) - also known as 'two factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions from 14 September 2019. But fear that consumers will abandon online transactions, lack of industry preparation and then the pandemic have seen this rather battered can being kicked steadily further down the road. The UK's Financial Conduct Authority has now declared the latest 'deadline' to be 14 March 2022.

This time it might be serious.

E-money Institutions To Remind Customers About Safeguarding vs The Financial Services Compensation Scheme

The UK Financial Conduct Authority is still concerned that customers of electronic money institutions (EMIs) do not understand that any funds they hold in their e-money accounts are safeguarded, but not covered by the "Financial Services Compensation Scheme" (basically, the UK depositor protection scheme for banks, building societies and credit unions). Of course, if the bank where the EMI holds its safeguarding account were to fold then the bank account would be covered by the FSCS but that is a different matter. 

The FCA has written to EMIs asking them to write to their customers before 29 June 2021 to "remind them of how their money is protected through safeguarding and that FSCS protection does not apply." Firms may include a link to the FCA's explanation to help customers decide whether that level of protection is appropriate for their circumstances (e.g. EMIs cannot pay interest, so any balance you aren't likely to use in the near future may as well be moved to a bank savings account that does). The communication must be separate from any other messaging or promotional activity, and the method(s) of communication may vary based on the EMI's business model and customer base, including any vulnerable customers. 

EMIs must also review their financial promotions in this regard to ensure customers get enough information on the topic. Where the FCA is named in promotions that refer to matters the FCA does not regulate, it must be made clear that those matters are not regulated by the FCA (a wider issue for the FCA).

The FCA wants its letter brought to the attention of the EMI's board of directors, which is expected to have considered the issues and to have approved the action taken in response. 

The FCA has promised to assess the action taken by a sample of EMIs.

Please let me know if I can help.

 

The FCA's New 'Consumer Duty'

The UK's Financial Conduct Authority is consulting on the introduction of a new "consumer duty" that will apply to regulated firms in relation to their regulated activities by 31 July 2022. This follows the report on a previous consultation in April 2019. The FCA is holding a webinar on the proposals on 10 June 2021; and comments will be open until 31 July 2021. The rules would be consulted on by 31 December 2021. Please let me know if I can help.

Broadly, this would require firms to act in ways that enable retail customers to obtain the outcomes they should be able to expect from the firm's products and services, rather than to hinder customers obtaining those outcomes. This effectively puts firms (and, significantly, the FCA) in the customers' shoes. 

This may require some firms to radically alter their culture and behaviour to focus on consumer outcomes, and putting customers in a position to act and make decisions in their own interests. 

There will be three elements to the new duty:

• A new consumer principle: "a firm must act in the best interests of retail clients" or "a firm must act to deliver good outcomes for retail clients". 
• Broad rules that would require firms to take all reasonable steps to avoid foreseeable harm to customers and enable customers to pursue their financial objectives; to act in good faith. 
• More detailed rules and guidance on firms' conduct relating to four specific outcomes: communications; products and services; customer service; and price and value. 

The FCA is also consulting on the potential benefits of attaching a private right of action to the new duty, and what any unintended consequences of this might be. 

Critics of the FCA's approach to consumer outcomes in the wake of various 'scandals' over the years will be hopeful that this new duty will see the FCA aligned with consumers, rather than tending to protect its own reputation, the 'financial services industry' and the firms its regulates.

Make Cosmetic Changes to Your Consumer Credit Pre-contract Information Notices by 1 June 2021 - or Else!

One of the joys of Brexit is the need for consumer credit providers to make some cosmetic changes to their pre-contract information notices by 1 June 2021, to avoid having to get a court order to enforce the documents. The FCA explains the very minor but important changes here.

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses to the questions relating to contactless payments should be answered by 24 February 2021, and on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

• create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
• limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
• add a requirement where a TPP continues to accesses account information where the customer does not actively request, the TPP will need to reconfirm the customer’s explicit consent every 90 days and disconnect access/stop collecting data if a customer fails to re‑confirm their consent.
  
• require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modifed customer interfaces for personal and SME ‘current accounts’ ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs.
• require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than 6 months in advance and that the requirement for a fallback interface should only take effect six months after launch.
• allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  
• amend the threshold at which SCA must be applied to a single payment from £45 to £100-£120 and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

• SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, so long as the final payment is reasonably within the amount the customer agreed to when authorising the payment and not higher by more than 20% and the customer has agreed to the possibility before authorising the original amount. 
• the payee’s PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the
  payer has acted fraudulently) the payer’s PSP would refund the customer and be entitled to reimbursement by the payee’s PSP.
• for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they ‘relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body.
  and any combination of these) but not other individual properties, such as spending patterns.
• the fraud rate calculation used to anyalyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017).
• the corporate exemption is applicable to cards or payment instruments that are ‘only
  available to payers who are not consumers’, i.e. only available to corporate customers.
• the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session), so a customer could authenticate the payment only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated).
• merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card‑based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee',
  where a payer has given a mandate to the payee/merchant for a transaction, or series of
  transactions, made using a card or other payment instrument then the payments
  initiated pursuant to this mandate are outside of the scope of SCA  That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate.
• in order to monitor the contactless exemption thresholds, firms use a counter that is either host‑based, on a device (which won't count offline transactions); or chip‑based, on the physical card, (which will count both online and offline transactions), but in either case firms should consider the risk of unauthorised or non‑compliant contactless transactions being made and monitor the effects of the option in practice.
  
• clarify that ASPSPs must share with payment information service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment). 
• reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA‑RT). 
  

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

• make the temporary Covid19 guidance on safeguarding permanent and to extend guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  
• include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  
• reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  
• reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
• clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
• update certain reporting requirements;
• reflect changes following EU withdrawal and the end of the transition period, and the application of our rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period. 

If you need assistance on any of these issues, please let me know.

Proposed Extension of UK Cryptoasset Regulation

The UK Treasury is consulting until 21 March 2021 on its approach to extending financial regulation to 'cryptoassets'. This is intended to build on the FCA's previous guidance on the UK's regulatory approach to cryptoassets, which divides them into regulated 'e-money' and 'security' tokens and unregulated 'utility' and 'exchange' tokens. Any token could fall into multiple categories, with 'stablecoins' being a prime example that will likely be regulated in their own right. Certain types of service provider will become subject to the full weight of FCA authorisation and regulation. A 'technology neutral' approach means that any asset which replicates the features of a regulated cryptoasset will also be regulated as one ('same risk, same regulatory outcome'). The goal is to protect the 'regulated financial system' not consumers or investors, so speculation in unstable 'exchange' tokens, such as Bitcoin, will remain unregulated (but subject to anti-money laundering checks and, potentially, rules on financial promotions). A key challenge for some existing cryptoassets is that some authorisation requirements would need to have been addressed at launch but were not. Due to the digital, decentralised and cross-border nature of cryptoassets, the government is considering whether firms actively marketing regulated tokens to UK consumers should be required to have a UK establishment and be authorised in the UK.

Extending the concept of 'cryptoasset'

The Treasury takes a broader view of cryptoassets than authorities have done to date, defining them to be 

"a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and which may (though does not necessarily) utilise cryptography, distributed ledger technology or similar technology."

The term ‘token’ is used interchangeably with ‘cryptoasset’. This means that the government's proposals go beyond the proposed extension of financial promotions regulation and the scope of the UK’s anti-money laundering regulations (implementing the EU's 5th Money Laundering Directive).

It is proposed that stablecoins - or 'stable tokens', as the Treasury refers to them - should receive a distinct regulatory status but this will affect assets designed to similar effect that are not based on distributed ledger technology.

FCA research published in June 2020 estimated that 4% of the UK population use or invest in cryptoasset, of whom:

• 47% of UK cryptoasset consumers said they bought cryptocurrencies ‘as a gamble that could make or lose money’; 
• stablecoins are the most likely to be used as a means of payment; 
• 27% of stablecoin owners have used those tokens to purchase goods and services.
  
• 89% understood that cryptoassets are not subject to regulatory protections. 

The government is therefore considering an approach in which the use of currently unregulated tokens and associated activities primarily used for speculative investment purposes, such as Bitcoin, could initially remain outside the perimeter for conduct and prudential purposes, while subject to more stringent regulation in relation to consumer communications via the financial promotions regime (if adopted) and anti-money laundering regulation. 

Utility tokens (used to access a system or service, for example) would also remain outside the authorisation perimeter. 

The issuance and use of stablecoins concerns the government more than rampant speculation in cryptoassets by consumers, partly in light of 10 recommendations from the Financial Stability Board of the Bank of England in December 2019. 

In other words, the more likely that a cryptoasset could be reliably used for retail or wholesale transactions, the more likely it will be subject to a UK authorisation regime. 

Yet investors should be left unprotected in relation to tokens that are not suitable for retail or wholesale transactions. These include ‘algorithmic stablecoins’ that seek to maintain a stable value through the use of algorithms to control supply, without any backing by a reference asset, as they are judged to pose similar risks to unbacked exchange tokens and in their ability to maintain stability of value. You're free to lose your shirt, just so long as it does not affect the 'system'.

Likely scope of authorisation

Key regulated participants are likely to include: 

• issuers or systems operators, responsible for managing the rules of a system, the infrastructure, burning and mining/minting coins (among others);
• cryptoassets exchanges, enabling the exchange of tokens for fiat money or other tokens;
• wallet providers, who provide custody of tokens and/or manage private keys and are often the main customer contact point, along with exchanges. 

Regulation would apply to such firms where they undertake the following functions or activities:

• issuing, creating or destroying asset-linked tokens 
• issuing, creating or destroying single fiat-linked tokens 
• value stabilisation and reserve management 
• validation of transactions 
• facilitating access access of participants to the network or underlying infrastructure 
• transmission/settlement of funds 
• custody and administration of a stable token for a third party, including the storage of private keys 
• executing transactions in stable tokens 
• exchanging tokens for fiat money and vice versa 

The following high-level requirements would be necessary for authorised firms:

• meeting certain gating criteria and threshold conditions prior to operating;
• capital, liquidity, accounting and audit requirements;
  
• maintenance and management of a reserve of assets underlying the token’s value and ensuring the quality and safekeeping on those assets;
  
• orderly failure and insolvency requirements;
  
• safeguarding requirements, principally on wallets and exchanges to ensure those entities are appropriately protecting users' tokens and the privacy and security of keys to those tokens;
  
• systems, controls, risk management and governance;
  
• notification and reporting;
  
• record keeping;
  
• conduct requirements toward customers;
  
• financial crime requirements;
• outsourcing requirements;
  
• operational resilience, service reliability and continuity requirements; and
  
• security requirements (including cyber and cloud).
  

Systemic Stablecoins

The government is considering requirements in relation to the reserves held for stable tokens (and related innovations), particularly where they operate at systemic scale (intended for widespread use in retail or wholesale transactions). Issuers would need to hold reserve assets in central bank accounts, commercial bank deposits or high-quality liquid assets.

Arrangements similar to existing 'payments systems' may need to be regulated by the Payment Systems Regulator as system operators, infrastructure providers or payment service providers in relation to that system. 

A systemic stable token arrangement could be assessed for Bank of England regulation in the same way that current payment systems and service providers are when potential disruption could lead to financial stability risks. Criteria include consideration of their ability to disrupt the UK financial system and businesses based on current or likely volume and value of transactions, nature of transactions and links to other systems, as well as substitutability and use by the Bank of England in its role as monetary authority. 

This would mean that a stable token with significant potential to be systemic at launch would need to be captured from launch by such regulation. Appropriate triggers would include likely user base, likely transaction volumes and likely avenues for acquisition of customers. 

Issuers or system operators that reach systemic status, as well as critical service providers, would be subject to regulation by the Bank of England and would be required to produce an annual compliance self-assessment.