Monday, 5 December 2022

FCA To Allow Simpler Advice On 'Mainstream' Investments

The UK's Financial Conduct Authority (FCA) is consulting on a new investment advice regime that would allow consumers to access simplified advice on investments qualifying for stocks and shares ISAs from April 2024, and that reflects the fact that the new Consumer Duty will apply.

The FCA's research revealed that "less wealthy" consumers do not access professional support where they want it to make financial decisions like investing in stocks and shares ISAs. Those who receive advice are those who already hold investment products. Investors are more confident in a personal recommendation and value human interaction in the advice process. If offered a free consultation, only 6% of adults would choose a robo-adviser, whereas 51% would choose to meet face-to-face with an adviser (Mintel, 2021).

The FCA plans to:

  • Cut the existing qualification requirements to reflect the lower risk of the narrower scope of advice (i.e. the technical and regulatory understanding necessary to advise on mainstream investments for clients with straightforward needs).
  • Reframe the suitability requirements to reflect the narrower scope and lower complexity of the advice, given the more limited decision consumers will be making, with new guidance on the minimum information expected for the 'fact find' to reduce the time and liability consequences for firms that do not conduct a fuller inquiry.
  • Limit the range of investments advisers can recommend to a set of mainstream investments, excluding any recommendation to invest in high‑risk investments.
  • Allow consumers to pay for transactional advice in instalments.

You have until 28 February 2023 to respond to the FCA's consultation.

Thursday, 1 December 2022

ICO Explains How To Do A Transfer Risk Assessment Under UK GDPR

The UK Information Commissioner's Office (ICO) has updated its guidance on international transfers of personal data from the UK to any country that does not benefit from an adequacy decision that its data protection regime is the same or better than the UK's ('restricted transfer'). If you need assistance, please let me know.

A ‘transfer risk assessment’ (TRA) determines whether the effective and legally enforceable protection for data subjects and their personal data under the UK data protection regime will be undermined in the proposed receiving country, even if the transferring firm uses one of the ‘transfer tools’ for providing appropriate safeguards under Article 46 of the UK GDPR.

Those transfer tools are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and ICO-approved Binding Corporate Rules (BCRs).

As explained previously, in backing the second successful challenge to the EU-US Privacy Shield, the ECJ decided that before a firm may rely on an Article 46 transfer tool to make a restricted transfer, it had to carry out a TRA to figure out if it also needs to take some other steps to fill in the gap. If there are gaps that cannot be filled, the transfer must not be made.

It's worth noting that the ICO states in its guidance:

You do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the exceptions [in Article 49].

This is supported by guidance from the European Data Protection Board (made up of all EU member state data protection regulators): 

27. If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with Step 3.

But, again, as explained previously (and in the EDPB's own guidance on Article 49), the way GDPR works is that, unless the country in question benefits from an adequacy finding, you would need to have decided to rely on a transfer tool under Article 46 before you can try to rely on an exception under Article 49, so you need a risk assessment either way.

The ICO's template TRA tool is a Word document that may be opened by clicking the link at the foot of the guidance page. It asks 6 questions (with guidance) to help firms get to an initial assessment. It will likely be quite efficient to use the tool, but it's not mandatory and you could work through the questions yourself:

Question 1: What are the specific circumstances of the restricted transfer? 

Question 2: What is the level of risk to people in the personal information you are transferring? 

Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation? 

Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country? 

Question 5: 

(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? 

(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)? 

Question 6: Do any of the exceptions to the restricted transfer rules [in Article 49 of UK GDPR] apply to the “significant risk data” [which you identified in Questions 4 and 5 as data for which your Article 46 transfer tool does not provide all the appropriate safeguards]?

If by using the TRA tool, you decide that your Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then you must not make the restricted transfer.

The ICO will soon issue guidance on how to use the International Data Transfer Agreement (IDTA) and the Addendum to the Standard Contractual Clauses.

If you need assistance with any aspect of international personal data transfers, please let me know.

Tuesday, 29 November 2022

Steiner Case No Safe Haven For Card Issuers, Acquirers, Processors or Merchants

I have a real problem with the facts and ultimate outcome for the cardholder in the recent case of Steiner v National Westminster Bank plc [2022] EWHC 2519 (KB) decided in October. I make no criticism of the lawyers or judge involved, but those in the payment card business should not see it as setting up any kind of safe haven. 

In essence, the court absolved a credit card issuer from liability for the price of a timeshare deal under section 75 of the Consumer Credit Act because the supplier of the timeshare ('CLC') was found not to be a party to the credit card 'arrangements'. Instead, those arrangements were found only to involve a separate company ('FNTC') that was not part of the same corporate group as CLC and was acting as a trustee and not as agent for CLC. 

Unfortunately, it seems the Mastercard rules were not fully explored, as the judge held:

13. Equally, there was no evidence before me as to the rules of the Mastercard network, but it was not suggested that they prohibited a merchant who was a member of the scheme from receiving payment under the scheme as trustee or agent for another.

However, the Mastercard rules effectively require that acquirers, merchants and sub-merchants (and the intermediate 'Payment Facilitator') must be party to the overall scheme arrangements, and it would be a breach of those rules if that were not the case (see Chapters 5 and 7). 

In addition, it appears that as a separate company and a trustee, FNTC was not lawfully able to handle funds due to CLC under the Payment Services Regulations 2017. There is no evidence that FNTC was a payment institution (or small payment institution) or the agent of one; and as a separate company and trustee it could not benefit from any of the exclusions from the need for authorisation/registration as a payment institution, the most common in such scenarios being the exclusion for a commercial agent or a group company collecting or making payments on behalf of other companies in the same group. 

In this specific case, there may have been good reasons why the Mastercard rules were not explored and/or the card acquirer, FNTC and CLC were not joined as defendants and subject to a barrage of claims and remedies to recover the funds (assuming that the card issuer could not have known of the apparent breach of scheme rules and FNTC's apparently unlawful conduct). There may have been shortcomings in the evidence or other issues involved in mounting the potential legal claims and remedies - not the least of which would be the necessary financial resources.

But I do not see this case as a reliable basis for anyone to start setting up trustees as payment processors in an attempt to avoid liability under supply contracts, card scheme rules, Payment Services Regulations and/or section 75 of the Consumer Credit Act!

Monday, 28 November 2022

Legal Adventures in the Fediverse

Joining the fediverse has jolted my legal brain into gear over some esoteric questions (listed below). These largely turn on the fact that, unlike in Web 2.0 offerings such as Blogger or Twitter, there is no central service provider hosting/operating the service on its own servers. In the fediverse, separate sites (or 'instances') can interoperate because they are running the same standardised, open software (e.g. Mastodon), which itself relies on the same standardised, open protocol (ActivityPub, in the case of Mastodon):
Mastodon websites are operated by different people or organizations completely independently. Mastodon does not implement any monetization strategies in the software. 
Some server operators choose to offer paid accounts, some server operators are companies who can utilize their existing infrastructure, some server operators rely on crowdfunding from their users via Patreon and similar services, and some server operators are just paying out-of-pocket for a personal server for themselves and maybe some friends. So if you want to support the server hosting your account, check if it offers a way to donate. 
Mastodon development is likewise crowdfunded via Patreon and via OpenCollective. No venture capital is involved.
Perhaps this is no different to independent website owners building their own websites using a standardised website template provider (e.g. Wix), but the interoperability does seem a significant additional factor to consider. That's like email, which again could be provided by a centralised email service provider (e.g. Microsoft's hotmail) or your employer. Equally, the fact that each site or 'instance' could be self-hosted is similar to websites and email, yet most users choose their site to be hosted with the operator of a server or instance that hosts many sites (e.g. or Some instances are open to anyone, while others are targeted at, say, residents of Glasgow. 

I think this just involves a sense-check against the regulatory regime of where the relevant fediverse instance and any users that it actively solicits are based. Here's a flavour of some of the issues:
  • How does a user proceed if the developer of the relevant communication software somehow fails to ensure the software runs as promised in the documentation?
  • Who is responsible for the integrity of the protocol on which the software is based?
  • Do fediverse instances based in the EU with UK resident users but no offices, branches or other establishments in the UK need to appoint a UK representative under UK GDPR (and vice versa!)?
  • Is each 'instance' in the fediverse ready for the EU's Digital Services Act (exemptions for micro/small enterprises will help)?
  • If each 'instance' in the fediverse can be an Intermediary service, online platform or e-commerce platform under the Digital Services Act (see prior post), then they could grow to be 'gatekeepers' under the EU Digital Markets Act.
  • How are fediverse instances treated for the purposes of 'reverse solicitation' analysis - i.e. whether you are treated as doing business in another jurisdiction where users are based, as opposed to where the instance is based?
If you need assistance with any of these issues, please let me know.

Sunday, 27 November 2022

Welcome to The Fediverse

Now that both Facebook and Twitter have confirmed my hypothesis that Web 2.0 'Facilitators' (who solve your problems) could eventually be shunned as merely Institutions (who solve their own problems at your expense), I've finally embraced the fediverse - a network of independently hosted servers running open standard communication protocols. In my case, Mastodon, running on ActivityPub.

Web 2.0 vs The Fediverse is a little like King Arthur stumbling across an anarcho-syndicalist commune.

And, hey, no advertising!

My research on where to base myself began with an excellent SCL Tea & Tech session with Neil Brown and Simon Forrester, followed by a review of the Mastodon documentation, then a trip to the Join Mastodon page to find a hosted server that seemed like the right home, would have me and seems serious about maintenance and moderation... a process that really makes you think about what matters to you!

Setting up was just as easy as setting up in any of the Web 2.0 social network services.

Trickier is finding whom to follow, and deciding how to curate your new online 'instance' - again an opportunity to think quite hard about what matters to you and how you want to communicate. I'm planning not to follow many people or post much until I've figured that out. Maybe I'll set up several different accounts, following different themes, just as I have separate blogs, email addresses, communication apps and Web 2.0 social media presences, some of which may need to fall away...

Monday, 21 November 2022

Help The UK Govt Understand Decentralised Autonomous Organisations (DAOs)

The Law Commission is calling for evidence to help shape its current understanding of the issues raised by Decentralised Autonomous Organisations ("DAOs"). The UK government has asked the Commission to accurately capture the composition of DAOs, their role in the cryptoasset ecosystem, participants and relationships. The Commission will identify options for law reform that might be required to make DAOs viable, possibly including “classes” of DAOs, but not to make recommendations yet. Responses may be submitted online between 16 November 2022 and 25 January 2023.

Broadly, a DAO is an organisation that relies on distributed ledger or blockchain technology, as well as smart contracts or other software/systems. It basically operates in a similar fashion to a partnership, club, co-operative or unincorporated association but online, so members could be anywhere. This can be helpful where the local community is too sparse or lacks resources to achieve a certain goal, but unincorporated associations and partnerships don't have independent legal status and carry unlimited liability for their members. Some DAOs include a recognised legal entity to interact with the 'real world' but others may operate solely via 'code' and/or smart contracts to automate some or all of their activity. This has created problems where the code did not operate the way users understood.

The Commission is looking for information from those with general knowledge of DAOs, as well as first-hand experience of specific DAOs, and to understand where opinions vary on any aspect or issue (with "sanitised or anonymised submissions where it is inappropriate to provide details about a particular DAO").

Personally, I've been approached several times to advise on certain challenges associated with DAOs, particularly governance, appropriate jurisdictions, potential authorisation and means of enforcement.

It's worth contributing to help ensure all the challenges are identified and one day addressed - at least in the law of England & Wales, but other common law jurisdictions may also benefit from the Commission's work.

If you would like help in making any submission (including on your behalf), please let me know.


Wednesday, 2 November 2022

Latest on EU Crypto Regulation

As I recently posted in more detail on Ogier Leman's 'Insights' page, the Council of the EU has published a further draft of the proposed Regulation on markets in cryptoassets (MiCA). It seems likely that MiCA will be published officially in 2023, with a wide range of transitional arrangements and dependencies on regulatory technical standards being developed by various EU regulatory agencies. Being a regulation, it will apply without needing to be implemented at national level. MiCA's impact will be significant, given the 'libertarian' origins of distributed ledger technology and cryptocurrencies and the goals of many purists, but likely welcomed by those seeking to harness the benefits of the technology to replace legacy systems. 

If you have queries about the regulatory implications of cryptoassets or related activities, please let me know.