Search This Blog

Monday, 12 July 2021

'Slight Delay' To EU Crowdfunding Regulation

The European Securities and Markets Authority has written to the European Commission urging clarificiation of some important interpretation issues relating to the EU Crowdfunding Regulation and suggesting a 'slight delay' to the proposed implementation date of 10 November 2021. ESMA says the delay would ensure that all the key technical standards are available to applicants and national authorities. I have summarised the letter for Leman Solicitors.  

Let me know if you need assistance with any application for authorisation.


Friday, 25 June 2021

Payment and E-money Institution Insolvency Regulations Take Effect On 8 July

As covered in December, the Payment and Electronic Money Institution Insolvency Regulations 2021 were passed on 17 June and take effect on 8 July 2021.

While the Regulations mainly deal with an insolvency scenario, it’s worth noting there is also provision for the Financial Conduct Authority to seek a special administration merely where that is ‘fair’ (see Regulation 9(1)(b) and 9(3)). This might assist in cases where the institution is solvent but otherwise proving difficult.

Please let me know if I can help.

Monday, 24 May 2021

Deadline For SCA On E-commerce Transactions Slips Again

Once upon a time, the second Payment Services Directive required mandated the introduction of 'strong customer authentication' (SCA) - also known as 'two factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions from 14 September 2019. But fear that consumers will abandon online transactions, lack of industry preparation and then the pandemic have seen this rather battered can being kicked steadily further down the road. The UK's Financial Conduct Authority has now declared the latest 'deadline' to be 14 March 2022.

This time it might be serious.

Wednesday, 19 May 2021

E-money Institutions To Remind Customers About Safeguarding vs The Financial Services Compensation Scheme

The UK Financial Conduct Authority is still concerned that customers of electronic money institutions (EMIs) do not understand that any funds they hold in their e-money accounts are safeguarded, but not covered by the "Financial Services Compensation Scheme" (basically, the UK depositor protection scheme for banks, building societies and credit unions). Of course, if the bank where the EMI holds its safeguarding account were to fold then the bank account would be covered by the FSCS but that is a different matter. 

The FCA has written to EMIs asking them to write to their customers before 29 June 2021 to "remind them of how their money is protected through safeguarding and that FSCS protection does not apply." Firms may include a link to the FCA's explanation to help customers decide whether that level of protection is appropriate for their circumstances (e.g. EMIs cannot pay interest, so any balance you aren't likely to use in the near future may as well be moved to a bank savings account that does). The communication must be separate from any other messaging or promotional activity, and the method(s) of communication may vary based on the EMI's business model and customer base, including any vulnerable customers. 

EMIs must also review their financial promotions in this regard to ensure customers get enough information on the topic. Where the FCA is named in promotions that refer to matters the FCA does not regulate, it must be made clear that those matters are not regulated by the FCA (a wider issue for the FCA).

The FCA wants its letter brought to the attention of the EMI's board of directors, which is expected to have considered the issues and to have approved the action taken in response. 

The FCA has promised to assess the action taken by a sample of EMIs.

Please let me know if I can help.


Monday, 17 May 2021

The FCA's New 'Consumer Duty'

The UK's Financial Conduct Authority is consulting on the introduction of a new "consumer duty" that will apply to regulated firms in relation to their regulated activities by 31 July 2022. This follows the report on a previous consultation in April 2019. The FCA is holding a webinar on the proposals on 10 June 2021; and comments will be open until 31 July 2021. The rules would be consulted on by 31 December 2021. Please let me know if I can help.

Broadly, this would require firms to act in ways that enable retail customers to obtain the outcomes they should be able to expect from the firm's products and services, rather than to hinder customers obtaining those outcomes. This effectively puts firms (and, significantly, the FCA) in the customers' shoes. 

This may require some firms to radically alter their culture and behaviour to focus on consumer outcomes, and putting customers in a position to act and make decisions in their own interests. 

There will be three elements to the new duty:

  • A new consumer principle: "a firm must act in the best interests of retail clients" or "a firm must act to deliver good outcomes for retail clients". 
  • Broad rules that would require firms to take all reasonable steps to avoid foreseeable harm to customers and enable customers to pursue their financial objectives; to act in good faith. 
  • More detailed rules and guidance on firms' conduct relating to four specific outcomes: communications; products and services; customer service; and price and value. 

The FCA is also consulting on the potential benefits of attaching a private right of action to the new duty, and what any unintended consequences of this might be. 

Critics of the FCA's approach to consumer outcomes in the wake of various 'scandals' over the years will be hopeful that this new duty will see the FCA aligned with consumers, rather than tending to protect its own reputation, the 'financial services industry' and the firms its regulates.

Monday, 19 April 2021

Make Cosmetic Changes to Your Consumer Credit Pre-contract Information Notices by 1 June 2021 - or Else!

One of the joys of Brexit is the need for consumer credit providers to make some cosmetic changes to their pre-contract information notices by 1 June 2021, to avoid having to get a court order to enforce the documents. The FCA explains the very minor but important changes here.

Sunday, 7 February 2021

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses to the questions relating to contactless payments should be answered by 24 February 2021, and on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

  • create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
  • limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
  • add a requirement where a TPP continues to accesses account information where the customer does not actively request, the TPP will need to reconfirm the customer’s explicit consent every 90 days and disconnect access/stop collecting data if a customer fails to re‑confirm their consent.
  • require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modifed customer interfaces for personal and SME ‘current accounts’ ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs.
  • require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than 6 months in advance and that the requirement for a fallback interface should only take effect six months after launch.
  • allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  • amend the threshold at which SCA must be applied to a single payment from £45 to £100-£120 and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

  • SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, so long as the final payment is reasonably within the amount the customer agreed to when authorising the payment and not higher by more than 20% and the customer has agreed to the possibility before authorising the original amount. 
  • the payee’s PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the
    payer has acted fraudulently) the payer’s PSP would refund the customer and be entitled to reimbursement by the payee’s PSP.
  • for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they ‘relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body.
    and any combination of these) but not other individual properties, such as spending patterns.
  • the fraud rate calculation used to anyalyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017).
  • the corporate exemption is applicable to cards or payment instruments that are ‘only
    available to payers who are not consumers’, i.e. only available to corporate customers.
  • the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session), so a customer could authenticate the payment only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated).
  • merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card‑based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee',
    where a payer has given a mandate to the payee/merchant for a transaction, or series of
    transactions, made using a card or other payment instrument then the payments
    initiated pursuant to this mandate are outside of the scope of SCA  That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate.
  • in order to monitor the contactless exemption thresholds, firms use a counter that is either host‑based, on a device (which won't count offline transactions); or chip‑based, on the physical card, (which will count both online and offline transactions), but in either case firms should consider the risk of unauthorised or non‑compliant contactless transactions being made and monitor the effects of the option in practice.
  • clarify that ASPSPs must share with payment information service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment). 
  • reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA‑RT). 

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

  • make the temporary Covid19 guidance on safeguarding permanent and to extend guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  • include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  • reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  • reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
  • clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
  • update certain reporting requirements;
  • reflect changes following EU withdrawal and the end of the transition period, and the application of our rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period. 

If you need assistance on any of these issues, please let me know.