
Monday, 14 September 2020

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not execute a customer’s order if, and for so long as, the bank has reasonable grounds (though not necessarily proof), for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss. 

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank).

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

  • an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
  • it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
  • it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
  • similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevent further "Quincecare" related work to resolve whether funds are being misappropriated. 

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but they should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.


Monday, 7 September 2020

Transferring Prepaid Card Programmes Is Non-Trivial

Ominous news that the UK e-money subsidiary of scandal-ridden Wirecard AG is "intending to wind-down its FCA-regulated business" and that "the business will continue to trade while alternative arrangements are being made with its card providers." 

Having advised on the creation and transition of various prepaid card programmes and customers, I'm aware this is highly technical from an e-money and payments regulation standpoint, and will involve intensive 'customer due diligence' under the anti-money laundering regime, as well as a careful approach to the processing of personal data. 

The FCA claims to be "working closely with Wirecard throughout this process to ensure that its customers are treated fairly," so programme managers and any e-money issuer(s) taking them and their programmes on will need to tread carefully.

Needless to say, I'm here to help the transferring programme managers or their new e-money service providers either in the UK or in relation to any EEA programmes via Ireland.

 

Friday, 27 December 2019

Anonymity In Central Bank Digital Currency Systems

The European Central Bank has been wrestling with the issue of how to allow a certain degree of privacy in electronic payments using digital cash issued by central banks ("central bank digital currency" or "CBDC"), while complying with anti-money laundering and counter-terrorist financing (AML) requirements. 

Eurozone central banks believe they have now established a proof of concept for anonymity in CBDCs based on a simplified payment system using distributed ledger technology (DLT). This proof of concept allows users some degree of privacy for lower-value transactions, while still ensuring that higher-value transactions are subject to mandatory AML checks. Each user's identity and transaction history cannot be seen by the central bank or by intermediaries other than the one chosen by the user. Automated enforcement of limits triggers additional checks by an AML authority. 

While the ECB believes that the proof of concept will be instrumental in assessing how CBDCs could work in practice, it says the prospect of central bank initiatives should not discourage or crowd out market-led solutions...

Tuesday, 23 April 2019

Brexit Britain To Gold-Plate 5th EU Money Laundering Directive

Anyone who still dreams that Brexit spells the end of the UK's ménage à trois with bureaucracy and regulation must read the Treasury's plans to implement the fifth EU directive on anti-money laundering.

The UK has always created an EU rod for its own back not only by adding its own weight to the regulatory burden, but also by effectively insisting on literal interpretation of EU law that was only intended to be construed according to its purpose.

This results in directives having a broader impact than they would otherwise have done (known as 'regulatory creep'), saddling British businesses - and ultimately British consumers - with costs they could otherwise avoid.

That is not to say that the UK's approach is always wrong - or is necessarily wrong on this occasion - but the 'blame' for this approach should land in Westminster not Brussels.

In this case, the government proposes to amend The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs") in the ways I've summarised below. Responses to the consultation paper are due by 10 June 2019 and new regulations must take effect in the UK by 10 January 2020.

Tax advisors
  • The definition of “tax advisor” in the MLRs is to include firms and sole practitioners who by way of business provide, directly or by way of arrangement with other persons, material aid, assistance or advice about the tax affairs of other persons.
Letting agents
  • There are numerous options for applying the MLRs to letting agents.
Cryptoassets
  • The MLRs will apply to service providers engaged in exchange services between cryptoassets and fiat currencies, and wallet providers in a way that includes exchange tokens, security tokens and utility tokens and so would also capture crypto-to-crypto exchange service providers; peer-to-peer exchange of both fiat-to-crypto and crypto-to-crypto between prospective “buyers” and “sellers”; cryptoasset ATMs; issuance of new cryptoassets (including ICOs); and the publication of open-source software (which includes, but is not limited to, non-custodian wallet software and other types of cryptoasset related software).
High Value Dealers
  • High value dealers are to include art intermediaries for transactions exceeding €10,000, including art galleries, auction houses and free ports/zones (currently none in the UK) regardless of whether they are paid for in cash (raising many questions in the consultation).
E-money
  • Exemptions for low value e-money instruments will be narrower, as all of the following conditions must be met: the maximum amount that can be stored electronically is €150; it either can't be reloadable or must have a maximum limit on monthly payments of €150 which can only be used in that Member State; used exclusively to purchase goods and services; can't be funded with anonymous e-money; and any single cash redemption or remote payment cannot exceed €50. In addition, EEA acquirers can only accept payments made with anonymous prepaid cards issued in non-EEA countries that impose equivalent AML requirements; and Member States may prohibit payments carried out using anonymous prepaid cards.
E-identification services
  • The new requirement for electronic identification processes is for them to be “regulated, recognised, approved or accepted at national level by the national competent authority” which raises questions about which forms in the UK are implicitly within scope.
Companies and officers
  • Firms will be required to determine and verify the law to which a body corporate is subject, its constitution and the full names of the board of directors and the senior persons responsible for the operations of the body corporate.
Where beneficial owner cannot be identified
  • If a firm has exhausted all possible means of identifying the beneficial owner of a body corporate and hasn’t succeeded, the firm must keep written records of its actions, but such firms will now need to take further measures to verify the identity of the senior person in that body corporate and keep written records of those actions.
Understanding the customer's business/structure
  • Firms will be required to understand the nature of their customer’s business and its ownership and control structure (rather than just being required to take "reasonable measures" to do so).
Filing SARs when due diligence fails
  • Firms must cease transacting and file a suspicious activity report (SAR) when they cannot apply their due diligence or additional or enhanced measures.
Proof trust/company register was searched
  • Firms must also collect proof of registration or an excerpt of the register from the company or the trust that is subject to beneficial ownership registration requirements before a new business relationship is established.
Apply due diligence when beneficial ownership must be reviewed
  • Firms must apply due diligence when they have any legal duty in a calendar year to contact the customer for reviewing their relevant beneficial ownership information.
Enhanced due diligence where high risk countries involved
  • Firms must apply a newly defined set of enhanced due diligence measures, and monitoring, to business relationships and transactions involving high-risk third countries.
Lists of PEP functions to be taken into account
  • The responsibility to apply enhanced due diligence on Politically Exposed Persons (PEPs) will be able to be discharged by applying the FCA’s July 2017 guidance on how firms should take into account a list of functions in determining whether an individual is a PEP for the purposes of the MLRs.
Information on beneficial owners to be publicly available
  • The government must ensure that information on the beneficial ownership of corporate and other legal entities is accessible by members of the general public and “mechanisms” must be in place to ensure that the information held on the central register is adequate, accurate, and current; while the UK must also take appropriate actions to resolve any reported discrepancies in a timely manner and, if appropriate, include a specific mention in the central register in the meantime.
Trusts to be registered
  • Trustees or agents of all UK and some non-EU resident express trusts must register those trusts with the Trust Registration Service, whether or not the trust has incurred a UK tax; and the government must share data from the register with a range of persons under certain circumstances.
Bank account registries
  • The UK must establish a centralised registry or online retrieval mechanism which allows identification of natural and legal persons who hold or control bank accounts; payment accounts; or safe-deposit boxes held by credit institutions within the UK - including names and account/identification numbers.
Pooled client accounts of unregulated operators
  • The government wants further evidence on the administration of checks relating to the use of pooled client accounts (PCAs) under the MLRs, especially those held by non-regulated businesses and any evidence of abuse; and the practical barriers industry faces in implementing the current framework and how it could be 'enhanced'.
AML risk assessments for new products, practices and channels
  • Firms will need to undertake AML risk assessments prior to the launch or use of new products, new business practices and delivery mechanisms.
Provision of Information by branches and subsidiaries
  • Firms must have policies relating to the provision of customer, account and transaction information from their branches and subsidiaries.

The UK will not require that "whenever a customer makes their first payment involving a designated high-risk third country, that payment is carried out through an account in the customer’s name with a credit institution subject to the Directive’s customer due diligence standards."




Tuesday, 16 May 2017

New Money Laundering Guidance

The complexity of the anti-money laundering regime has meant that practical guidance on how to comply has been particularly necessary. The best guidance has come from the Joint Money Laundering Steering Group of various organisations (JMLSG) in three parts. 

New EU directives on money laundering have led to consultation on how these should be implemented in new draft UK regulations that are due to take effect from 26 June 2017. 

And the JMLSG has used the draft regulations as the basis for consultations on updating Part I of its guidance (the mark-up is in 4 separate documents, Chapter 5 of which shows changes to the guidance on electronic identity verification), and more recently on Parts II and III. The consultation versions show the proposed changes to the current guidance, and are an invaluable tool for understanding how a firm's existing approach should change once the new regulations take effect.




Friday, 11 November 2016

Money Laundering Includes... Tax Evasion and Virtual Currencies?

Hot on the heels of the UK's consultation to introduce the 4th Money Laundering Directive comes the imminent EU approval of MLD5.

A key element involves the creation of a central register of beneficial ownership of legal entities and related ownership arrangements, plus ongoing monitoring of those arrangements, with the intention that: 
"The enhanced public scrutiny will contribute to preventing the misuse of legal entities and legal arrangements for ...predicate offences such as tax evasion."
Other key provisions may be seen as closely related to this ambition: 
  • creating a central register of all citizens' bank/payment accounts;
  • enabling authorities to go hunting for evidence of suspicious activity even in the absence of a 'suspicious activity report';
  • imposing customer due diligence and transaction monitoring obligations on 'virtual currency' exchanges and wallet providers; and
  • reducing the limit of anonymity for prepaid cards/instruments.
Needless to say, the members of the European Banking Federation are very uncomfortable with the idea of equating tax evasion with money laundering. The nub of EU banks' concern seems to be that their tax evading customers will simply move their accounts to banks based outside the EEA, the implication being that they'd quite like to retain the business! To be fair, it is a little odd that the list of countries with deficient anti-money laundering regimes doesn't include tax havens typically associated with tax evasion.

But there are reasonable objections on the basis that centralising such sensitive and valuable personal data would be a 'snoopers/fraudsters charter'; and creating a central record of every citizen's bank account and financial arrangements seems mightily disproportionate to the benefit of collecting evidence on the comparatively small proportion of the population that would be involved in significant organised crime or tax evasion. It's surprising that the European Economic and Social Committee ("EESC") did not object on these grounds - either the 'social' aspect of the committee's remit is subordinate to the 'economic' interest, or they consider that the whole of society should happily sacrifice privacy and security to ensure everyone pays their fair share of tax. That's certainly the Scandinavian practice. At any rate, the European Central Bank says that member states' central banks shouldn't have to operate the central registers unless they can bill the government for doing so - highlighting the more important point, that governments are better at wasting the taxes they do manage to collect than collecting taxes in the first place.

The FinTech crowd will no doubt be concerned about stealth regulation of distributed ledger technology or blockchains, via the virtual currency requirements. A "virtual currency" is quite broadly defined as:
"...a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by a natural or legal person as a means of payment and can be transferred, stored or traded electronically."
Even if exchanges and wallet providers are prepared to tolerate AML regulation as the price for entering the 'mainstream', trying to regulate 'virtual currencies' (or any aspect of digital ledger technology or blockchains) at this early stage is very problematic. The above definition is broad but still does not cover every characteristic of a currency (which the Isle of Man has tried to capture). Indeed, the ECB has bluntly responded that so-called 'virtual currencies' are not currencies or money, pointing out they can also be used for other purposes and the holders don't need to use exchanges or wallet providers. The courts are also struggling with the concept that such 'currencies' are 'ownable' or 'property', as Lavy and Khoo have also explained.

Little wonder that the EESC recommends creating some kind of "European tool for monitoring, coordinating and anticipating technological change." But quite how Europe intends to 'anticipate' let alone 'coordinate' blockchain development is anyone's guess!

In any event, retailers should breathe a sigh of relief. Gift cards and other 'closed loop' instruments generally would not fit the MLD5 definition of a virtual currency, since they typically cannot be transferred or traded electronically. And there is a specific exclusion consistent with the 'limited network' exemption from the definition of electronic money (and therefore 'funds') for instruments that can be used to acquire goods or services only in the premises of the issuer, or within a limited network of service providers under direct commercial agreement with a professional issuer, or that can be used only to acquire a very limited range of goods or services. But note that the limited network exemption will be significantly narrower from January 2018, especially for programs transacting more than EUR1m a year.

At least someone wins!


Tuesday, 18 October 2016

Boring But Important: UK's Anti-Money Laundering Consultation

The Treasury is consulting on how to implement the fourth Money Laundering Directive into UK law by 26 June 2017, with responses due on 10 November 2016. Draft guidance from the European Banking Authority is also open for consultation. In parallel, a new EU Funds Transfer Regulation will take direct effect, updating the rules on information on payers and payees accompanying the transfer of funds in any currency.

The consultation is important, given that money laundering is also a key enabler of serious and organised crime, estimated by the Home Office to cost us £24 billion a year. Terrorists also tend to use the proceeds of crime as a means to obtain funding, but might also try to obtain finance from (unwitting) legitimate sources.

The current Money Laundering Regulations 2007 cover 150,000 UK businesses, with more likely to be covered due to a lowering of the threshold for eligible transactions in cash (or a series of transactions that appear to be linked) by persons trading goods, from EUR15,000 down to EUR10,000 (probably about £1000 in 2017 money!); and an extension to include receiving as well as making payments in cash.

With the exception of money remittance, the government is able to exempt from the regulations some persons engaging in certain financial activities on an occasional or very limited basis where there is little risk of money laundering or terrorist financing:
  • the financial activity is limited in absolute terms (the proposal is that the total annual turnover from the activity should not exceed £100,000);
  • the financial activity is limited on a transaction basis (the proposed maximum threshold per customer and per single transaction, whether the transaction is carried out in a single operation or in several operations which appear to be linked, is £1,000);
  • the financial activity is not the main activity of such persons (the proposal is that the activity should not exceed 5% of the total turnover of the natural or legal person concerned);
  • the financial activity is ancillary and directly related to the main activity of such persons;
  • the main activity of such persons is not an activity referred to in Article 2(1)(3)(a) to (d) or 2(1)(3)(f) of the directive; and
  • the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public.

The directive requires firms to verify the identity of a customer and any beneficial owner(s) before establishing a business relationship or carrying out a transaction, subject to certain thresholds. But the timing of the verification can be altered: (i) where there is little ML/TF risk and it is necessary so as not to interrupt the normal conduct of business, then verification can be carried out during the establishment of a business relationship - although it shall still be completed as soon as practicable after initial contact; and (ii) an account may be opened with certain institutions provided there are adequate safeguards in place to ensure transactions are not carried out by the customer or on its behalf until the necessary CDD measures are completed.

The directive also requires obliged entities to apply customer due diligence measures to existing customers at appropriate times, using a risk-based approach, as well as to new customers. In particular, such measures should be applied when the circumstances of a customer change, but it is not clear which circumstances are relevant ("e.g. name, address, vocation, marital status etc.") and how a firm would know they had changed. There is a non-exhaustive list of factors in Annex 1 of the MLD that must be taken into account when assessing the risk of money laundering and terrorist financing, raising some uncertainty as to what might constitute an exhaustive list in any given circumstances.

Certain thresholds for implementing customer due diligence apply, but the fact they are expressed in Euros highlights the significant problems posed by the volatility of the pound following the Brexit vote.

Simplified due diligence remains an option, but the list of products currently specified in Regulation 13 is to be replaced by a non-exhaustive list of factors in Annex II of the directive and further guidelines due from the EBA by June 2017 - heralding more uncertainty. In addition, pooled client accounts are no longer mentioned specifically in this context, meaning that the existing explicit option for an institution hosting another firm's client money account (or 'segregated' account or 'safeguarded' account) to apply simplified due diligence in connection with the beneficial owners of the funds in that account will no longer apply.

Enhanced due diligence measures must be implemented in certain circumstances, a non-exhaustive list of which appears in Annex III, with further details in the EBA consultation documents that the Treasury expects everyone to review separately... In fact, there are numerous instances where the various European financial authorities are to draw up regulatory technical standards, so watching that space is very important, as it could act as a brake on innovation.

There has been some increase in the scope of entities that can be relied upon to have conducted customer due diligence, and the Treasury is inviting further suggestions here, particularly to help reduce the regulatory burden. Here it would be very helpful if governments could actually work together to achieve, or at least support, formally 'reliable' ways of verifying the identity of each other's citizens, as envisaged by the eIDAS regulation (there is a single reference to electronic signatures as a means of reducing certain risks, in Annex III).

The new directive is more prescriptive on the internal controls that firms are required to implement, which must vary according to the nature and size of the business concerned. The Treasury is open to suggestions on the thresholds etc., particularly related to a compliance officer and independent audit functions.

There are separate chapters in the consultation specific to gambling, e-money, estate agents, correspondent banking; dealing with politically exposed persons (PEPs); and meeting the requirement for a central register of beneficial owners of corporate and other legal entities incorporated in each member state; as well as reporting, supervision and sanctions for breaches of the regulations.

Worth a read to know what's coming down the 'pike.

Monday, 19 September 2016

Boring But Important: Changes To Money Laundering Regulation

The UK government is consulting on important changes required to implement the fourth EU directive on anti-money laundering (which is still subject to change in the meantime) and changes to wire transfer regulation. Responses are due by 10 November.

This is not the only consultation paper issued recently, so it will be a week or so before I add further summary detail below!