Overdue Reform of the UK Consumer Credit Act

The Treasury is consulting on a long overdue overhaul of the Consumer Credit Act 1974 (CCA) which covers the UK’s £200bn non-mortgage consumer credit industry, including personal loans, credit cards, hire purchase and pawn-broking. I'm waiting on publication of a longer note summarising the detail, and will post a link to that here. You have until 17 March 2023 to respond. Let me know if I can help you in understanding the proposals and likely impact. 

Brexit

As previously mentioned, the current consultation was actually proposed in June, just prior to the European Commission proposal for a new Consumer Credit Directive (CCD2).  Extensive changes were made to the CCA in 2010 to implement CCD1, which had considerable input from the UK. 

Supervision of the CCA transferred from the Office of Fair Trading to the Financial Conduct Authority  in 2014 under the Financial Services and Markets Act 2000 (FSMA). This meant adding consumer credit and hire agreements, and related activities, to the FSMA (Regulated Activities) Order 20012 (RAO); and transferring some CCA regulations to the FCA’s rules. The Treasury now wishes to transfer “the majority” of the CCA to FCA rules, which seem likely to align with CCD2. 

Some aspects that are specific to Scotland and Northern Ireland will be addressed later in the review process.

Scope and Impact

The CCA regulates consumer credit and consumer hire, although the latter has less protection. The government has already announced plans to regulate many Buy-Now Pay-Later (BNPL) products that are currently unregulated. 

Broadly, the activities of entering into regulated credit and hire agreements require FCA authorisation and specific permission when carried on by way of business, as do the activities of exercising the rights of a lender (or owner, for hire purposes) and various ‘ancillary services’ such as credit broking, debt collection, debt counselling, debt adjusting, debt administration, operating an electronic system in relation to lending (peer to peer lending), credit information services. 

Advertising credit and hire products is also regulated, even for unauthorised firms. 

The FCA’s new Consumer Duty does not apply to unregulated or exempt individuals or products in the same way as the CCA regime, but that new duty changes the context in which the CCA protections operate; and makes authorised firms liable for certain activities of unauthorised firms in the product 'distribution chain'.

About 6,000 authorised firms have permission to enter into consumer credit or consumer hire agreements; and 36,000 FCA firms have credit permissions (mainly credit broking). 

I will update this post with a link to the more detailed note shortly.

Treasury Tinkers With Payment Account Transparency

When the UK government finally acted to improve transparency in retail banking fees and charges, it sparked a similar effort in Brussels that the UK negotiated to align with its own initiatives. This resulted in the Payment Accounts Directive which the UK implemented via the Payment Accounts Regulations 2015 (PARs). Unfortunately (as the FCA later pointed out) the Treasury 'gold-plated' the implementation, by simply cutting and pasting the Directive. The EU was due to review the Directive in 2019, though that is yet to complete. Meanwhile, the Treasury completed its own review in 2021. Struggling to find any 'Brexit benefits', the Treasury has come up with the wheeze of timing its consultation on how payment account fees are presented to consumers with the political gestures announced by the Chancellor today as some kind of post-Brexit renaissance for Britain's financial services industry, now starved of access to its biggest market. You have until 23 February to have your say on these particular changes [yawns].

Among other things required by the PARs, payment service providers must: 

• provide customers with a fee information document that sets out the fees associated with the payment account in a specific form (FID);
• provide each customer with a statements of fees incurred on the payment account in a given period (SoFs) in a specific form; 
• inform customers of whether it is possible to purchase a payment account separately, where it's offered as part of a package, and provide the consumer with separate information regarding the costs and fees associated with each of the other products in the package.

The Money and Pensions Service (MaPS) is also required to provide consumers with access to a website comparing fees charged by payment service providers (I challenge you to find this!).

The Treasury now wants to know your thoughts on the following questions:

Question 1 Do you consider the requirement for payment service providers to provide consumers with FIDs to have any positive impacts (e.g. supporting transparency and comparability of fee information related to payment accounts)?  

Question 2 Do you consider the requirement for payment service providers to provide consumers with FIDs to have any negative impacts (e.g. admin costs or duplication of information already provided)?  

Question 3 Do you consider the requirement for payment service providers to provide consumers with SoFs to have any positive impacts (e.g. supporting transparency and comparability of fee information)? 

Question 4 Do you consider the requirement for payment service providers to provide consumers with SOFs to have any negative impacts (e.g. administration costs or duplication of information already provided)?  

Question 5 Do you consider the presentational requirements (under Schedules 1 and 2 of the PARs) to be necessary? Could consumers be provided with the same or equivalent information by simpler or alternative means?  

Question 6 Do you consider the requirements for the FCA to maintain a linked services list, and for payment service providers to provide customers with a glossary of related definitions, to have any positive impacts (towards supporting transparency and comparability of fee information)? 

Question 7 Do you consider the requirement for the FCA to maintain a linked services list, and for payment service providers to provide customers with a glossary of related definitions, to have any negative impacts?  

Question 8 Do you consider the requirements for the Money and Pensions Service (MaPS) to provide consumers with access to a website comparing fees charges by payment service providers to have any positive impacts towards supporting transparency and comparability of fee information beyond private sector providers? Or could the same objectives be fulfilled without these specific requirements? 

Question 9 Where relevant, what are the costs to your organisation of adhering to Part 2 and Schedules 1 and 2 of the PARs?  

Question 10 Can you foresee any potential unintended consequences or negative impacts of removing any requirements under Part 2 and Schedules 1 and 2 of the PARs? 

Question 11 Do you have any other views on Part 2 and Schedules 1 and 2 of the PARs that you wish to share?

FCA To Allow Simpler Advice On 'Mainstream' Investments

The UK's Financial Conduct Authority is consulting on a new investment advice regime to allow consumers to access simplified advice on investments that qualify for stocks and shares ISAs from April 2024, and reflecting the fact that the new Consumer Duty will apply. 

The FCA's research revealed that "less wealthy" consumers do not access professional support where they want it to make financial decisions like investing in stocks and shares ISAs. Those who receive advice are those who already hold investment products. Investors are more confident in a personal recommendation and value human interaction in the advice process. If offered a free consultation, only 6% of adults would choose a robo-adviser, whereas 51% would choose to meet face-to-face with an adviser (Mintel, 2021).

The FCA plans to:

• Cut the existing qualification requirements to reflect the lower risk of the narrower scope of advice (the necessary technical and regulatory understanding to advise on mainstream investments and where clients have straightforward needs). 

• Reframe the suitability requirements to reflect the narrower scope and less complexity of the advice relevant to the more limited decision consumers will be making, with new guidance on minimum information expected for the 'fact find' to reduce time and liability consequences for firms not doing a more fulsome inquiry.

• Limit the range of investments advisers can recommend to a set of mainstream investments and excluding any recommendations to invest in high‑risk investments. 

• Allowing consumers to pay for transactional advice in instalments.

You have until 28 February 2023 to respond to the FCA's consultation.

ICO Explains How To Do A Transfer Risk Assessment Under UK GDPR

The UK Information Commissioner's Office (ICO) has updated its guidance on international transfers of personal data from the UK to any country that does not benefit from an adequacy decision that its data protection regime is the same or better than the UK's ('restricted transfer'). If you need assistance, please let me know.

A ‘transfer risk assessment’ (TRAs) determines whether the effective and legally enforceable protection for data subjects and their personal data under the UK data protection regime will be undermined in the proposed receiving country, even if the transferring firm uses one of the ‘transfer tools’ for providing appropriate safeguards under Article 46 of the UK GDPR.

Those transfer tools include are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and ICO-approved Binding Corporate Rules (BCRs).

As explained previously, in backing the second successful challenge to the EU-US Privacy Shield, the ECJ decided that before a firm may rely on an Article 46 transfer tool to make a restricted transfer, it had to carry out a TRA to figure out if it also needs to take some other steps to fill in the gap. If there are gaps that cannot be filled, the transfer must not be made.

It's worth noting that the ICO states in its guidance:

You do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the exceptions [in Article 49].

This is supported by guidance from the European Data Protection Board (made up of all EU member state data protection regulators): 

27. If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with Step 3.

But, again, as explained previously (and in the EDPB's own guidance on Article 49), the way GDPR works is that (unless the country in question benefits from an adequacy finding), you would need to have decided on to rely on a transfer tool under article 46 before you can try to rely on an exception under article 49, so you need a risk assessment either way.  

The ICO's template TRA tool is a Word document that may be opened by clicking the link at the foot of the guidance page. It asks 6 questions (with guidance) to help firms get to an initial assessment. It will likely be quite efficient to use the tool, but it's not mandatory and you could work through the questions yourself:

Question 1: What are the specific circumstances of the restricted transfer? 

Question 2: What is the level of risk to people in the personal information you are transferring? 

Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation? 

Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country? 

Question 5: 

(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? 

(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)? 

Question 6: Do any of the exceptions to the restricted transfer rules [in Article 49 of UK GDPR] apply to the “significant risk data” [which you identified in Questions 4 and 5 as data for which your Article 46 transfer tool does not provide all the appropriate safeguards]. 

If by using the TRA tool, you decide that your Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then you must not make the restricted transfer.

The ICO will soon issue guidance on how to use the International Data Transfer Agreement (IDTA) and the Addendum to the Standard Contractual Clauses.

If you need assistance with any aspect of international personal data transfers, please let me know.