Are Influencers Regulated?

We've come along way from sponsorship and advertising deals for sports stars, actors and other celebrities. Now products are marketed by some people whose celebrity and vast wealth comes only from marketing products through posting their own personal 'lifestyle' content in the social media.  Of course, 'traditional' celebrities are also in on the act, and can command even greater sums for their own highly personalised, lifestyle-type endorsements. Yet such personal content is rarely filtered through any type of compliance process, unlike traditional advertising. And the temptation to make a fortune at the touch of a screen often overrides any sense of responsibility on the part of the influencer. As a result, the role of 'influencer' has become one of the most highly regulated in society... and that regulation will only intensify. Please get in touch if you need advice.

It's no surprise that politicians are at pains to see this evolution as wildly positive:

Europeans are spending more time online, meaning that influencers who create content for social media have a greater impact than ever before on the way we perceive and understand the world. In order to ensure that this impact is positive, the EU must provide support to influencers, enabling them to build their media literacy and increase their awareness and appreciation of the rules that govern their actions online. 

- Benjamin Dalle, Flemish Minister for Brussels, Youth, Media and Poverty Reduction

In typical civil law fashion, the EU is calling for positive regulation that will effectively permit the practice of being an influencer and govern how it can be done lawfully.

In common law countries, it's also a case of the law catching up, but the authorities in charge of the marketing rules are less enthusiastic, responding with advertising bans, for example, and now a Financial Conduct Authority prosecution relating to activities between 2018 and 2021 (perhaps more to do with its ban on certain marketing high risk financial derivatives to retail customers). 

The regulators responsible for retail sales (CMA), broadcasting (Ofcom) and advertising (ASA) began jointly targeting 'hidden advertising' in 2020, while the FCA's latest social media guidance is also partly aimed at influencers and other affiliate marketers. 

Yet even the guidelines can be tough to follow, and influencers may well cross the line into other regulated activity, such as the need to register with the FCA for anti-money laundering purposes if you make arrangements with a view to crypto trading, for example.

Please get in touch if you need advice.

Low Take-Up Of UK Temporary Permissions Regime By EEA Firms With UK Passports?

According to the FCA's figures in August 2016, the end of financial services passporting between the EEA and the UK was going to leave 5,476 UK finance firms potentially needing a new passporting 'hub' in one of the remaining 27 EU countries and 8,008 EEA firms potentially needing a UK base to cover their UK offerings. So, how many have acted?

There has definitely been a scramble by UK firms to set up in the EU27, although the figures are spread across multiple registers, and regulators do not disclose the numbers of applications that are still in progress. The Central Bank of Ireland claimed "well over 100" in September 2019, for example, with similar numbers thrown out by others. 

Not all firms might use their passports, of course. It's quite straightforward to take advantage of the passporting regime - a simple notification to your home state regulator, which then notifies the various host state regulators. And there's no obligation to actually use a passport. Many firms will have ticked the box for all EEA countries to avoid inadvertently committing an offence wherever their customers happened to reside. And the picture is perhaps distorted by non-EEA corporations who were using the UK as their passport hub, so their new Irish subsidiary would not count as an application by a UK parent.

There has been less pressure on EEA firms who operate under passports in the UK because the FCA offered a Temporary Permissions Regime (TPR) that allows them to continue trading for 3 years as if they were passporting. The registration deadline has been extended each time Brexit has been delayed, so the current deadline is 30 January 2020. However, it's likely that most, if not all, EEA firms that were intending to use the TPR option will have already registered, although some newly authorised firms could still squeeze in (e.g. new FinTech firms).

At any rate, the Financial Conduct Authority has responded to a Freedom of Information Act request with the news that 1,441 EEA-based firms had applied for the TPR by October 2019. Of those, 228 are based in Ireland, 170 in France, 165 in Cyprus and 149 in Germany. 

If this is to be considered a high take-up of the TPR option, then it would appear that only about 18% of EEA passports into the UK were actually being used. That's perhaps not unreasonable, given the tick-box approach to passporting to avoid inadvertently committing an offence in the UK in the event that they ended up with UK customers.

In any event, these 1,441 firms now have until 30 January 2023 to decide whether to set up offices in the UK and get authorised locally, to the extent they continue to serve the UK market.

Use It Or Lose It: The UK Temporary Permission (Passport) Regime

The UK's Financial Conduct Authority has told firms based elsewhere in the European Economic Area who rely on a 'passport' to offer their financial services in the UK to notify the FCA if they intend to use the UK "temporary permissions regime" (TPR). The Prudential Regulatory Authority has issued a similar direction to the banks and other firms it regulates.

Notifications to the FCA must be made by submitting the Temporary Permission Notification Form containing the necessary information via the FCA's "Connect" system between 7 January and 28 March 2019.

Firms that have not submitted a notification during that period will not be able to use the TPR.

The FCA told Parliament in 2016 that there are 8,008 EEA firms holding 23,532 passports covering their UK financial services offerings. 

EU Warns Firms To Act On Loss Of Financial Services Passports

The European Union has today warned financial services firms that rely on EU passports to make alternative arrangements ahead of Brexit. Separate warnings were made to ratings agencies, investment firms, insurers and reinsurers,  banks and payment services firms, auditors, providers of post-trade services (settlement and clearing), and asset management. Warnings were also issued to participants in other pan-EU licensing schemes.

This is nothing new, as explained previously, and many firms have already activated their plans to move EEA-facing operations into one of the 27 remaining EU member states.

The warning is timely, however, in case any firms are distracted by UK government "assurances" concerning potential free trade arrangements following previous EU warnings in December, which the UK government has conceded the EU is legally entitled to issue. 

Such deals do not usually deal very extensively with services, and 'most favoured nations' obligations in existing EU trade deals with third countries mean that it is very unlikely that the EU will wish to - or realistically be able to - set any kind of precedent in a deal with the UK.

The UK government's insistence on the leaving the single market and the customs union effectively rules out the UK remaining a member of the EEA (like Norway). That means the only alternative to Brexit is remaining a member of the EU.

Post-Brexit Outlook For Passported Financial Services

Well it's been a dismal six months watching the politicians shadow-box among themselves over what Brexit really means. There's no shared vision of the big picture, let alone any grip on the detail. What is clear, however, is that size matters in trade negotiations. So the larger trading partners like the EU will dictate their own terms in any deals. And while the application of logic seems to be prohibited in this 'post-truth' era, I intend to proceed on the basis that the UK will not even be a member of the EEA (or the Customs Union) - and that it certainly won't get a better trade deal with the EU than it has today. That means the only real job left for UK politicians is to figure out who gets pork-barrelled compensated by the UK taxpayer for being worse off for having to treat the EEA as a separate market (where they can't pass those costs onto their UK/EEA customers more).

While the car makers got in first, ejecting from the EU/EEA poses a very significant challenge, in particular, for the 5,476 of the UK firms relying on 336,421 'outbound' passports to avoid being authorised in every EEA member state. This works out at 61 passports per firm, which is somewhat strange given there are 31 EEA countries, but passports are counted for each separate directive that requires them (only one if a firm has several under the same directive). Brexit is also a challenge for the 8,008 EEA firms that hold 23,532 passports (about 3 each) to cover their UK offerings.

In essence, a total of 13,484 firms need to apply for 359,953 additional regulatory permissions over the next two years if they want to continue to make sure they can cover their existing markets.

Such applications don't come cheaply or quickly, and involve significant ongoing management and administration costs following authorisation. And because most of the work will be required abroad, the lion's share of the related fees and expenses will be charged outside the UK, worsening the UK's trade deficit even further. The UK can also kiss goodbye to the tax revenues on the earnings of each foreign firm, as well as the incomes of its management and staff...

But that's all water under the bridge (or out the English Channel, if you will).

During the next two years, any financial services firm based in the UK/EEA that relies on a passport for cross-border activities or ambitions involving the UK will need to pursue the following options, either organically or by acquisition: 

• Retain/obtain authorization for an entity established in the UK, if it wishes to serve the UK market;

• Obtain/retain authorization for an EEA-based entity to take advantage of the EEA passport regime for the remaining EEA countries;

• Seek to rely on any passporting arrangements that the UK may agree with non-EEA countries (these could only be formally agreed post-Brexit, but might be planned in the meantime);

• Obtain/retain authorisations in any non-EEA countries it wishes to target - as is the case today, but the cost/benefit of targeting some of these countries may now have changed, given the extra cost of authorisation to serve EEA markets, and perhaps jockeying among countries wishing to take advantage of the situation.

So where would you base your EEA-passport firm?

The relevant analysis, if not the outcome, will vary significantly depending on the type of financial services and markets involved. Most of the relevant passports relate to general insurance intermediation and trade in various securities/markets, but payment and e-money services represent the third most popular category with perhaps greater retail significance - here 350 UK firms rely on outbound passports and 142 EEA firms passport into the UK.  According to a report commissioned by the Emerging Payments Association, the 350 UK firms have six countries to choose from as a potential base for their EEA passport entity, based on criteria including the ease of making an application, supportive regulatory approach/attitude, ease of setting up and doing business, jurisdictional reputation and sovereign/political risk:

• Cyprus 
• Denmark 
• Ireland 
• Luxembourg 
• Malta 
• Sweden

While not wishing to disparage any of those fine jurisdictions, you will see from the commentary in the EPA report why the UK is walking away from a (literally) golden opportunity to continue its role as the preferred EEA passporting hub for financial firms (many of which are managed or staffed by people who moved to the UK for that reason).  Yet, while that commentary is very helpful and a useful lens through which to view options, I know from personal experience that it does not always reflect reality on the ground or capture all the criteria that are relevant to the decision for each firm - and the authors don't pretend that it does.

We are only at the beginning of a very long and expensive journey...

Revenge Of The Trilogues

They sound like something from a sci-fi horror movie, but the Trilogues are actually already among us. In an excellent article, Vicky Marissen, MD of PACT European Affairs, has explained how these "three-way discussions" have moved further and further away from their rightful place in the latter part of the ordinary European legislative procedure and are now being used informally as a legislative shortcut - something the new EU agreement seems likely to make even worse.

Relying more on trilogues means that about 90% of EU legislation is adopted on first reading without any genuine legislative debate; and secondary legislation is being used to kick more sensitive cans down the Rue du Luxembourg. Indeed, trilogues are now happening within just a few days of each other without publishing the changes agreed, so it's impracticable for those outside the trilogues to follow or attempt to engage in what is really a closed debate. This was a frequent problem in the course of agreeing the new Payment Services Directive, for example.

The recent EU institutional agreement on better regulation won't fix this, as the Commission is able to use its participation in trilogues to (wrongfully) assume the role of legislator - note that its proposal for better regulation didn't even mention the word "trilogue" and merely stated that "The three institutions will ensure an appropriate degree of transparency of the legislative process, including of trilateral negotiations between the three institutions." If anything, that agreement promises more informal trilogues:

"Where appropriate, the three institutions may agree to coordinate efforts to accelerate the legislative adoption process, both during each institution's internal preparatory steps and during the inter-institutional negotiations."

Not only does this increasingly closed shop raise the risk of poor, ill-considered drafting that creates costs for the broader community, but the mere perception of an opaque process also widens the gap between EU legislators and EU citizens - a gap that is already wider than the one between national legislators and their citizens.

The EU's legislative process needs to be more transparent than national processes, not less, if the EU is to be respected or seen as a Good Thing.

I'm amazed the Brexit fans aren't sounding the alarm over this...

Oh, wait, no I'm not. The Brexit 'debate' is pure politics, not connected to anything real.

#RedTape Redline - Mark-up Your Laws!

During any respectable contract negotiation, the party 'holding the pen' produces a mark-up or "redline" of each draft of the contract showing the changes it has accepted so far from the previous version. In fact, it's considered offensive and sneaky not to show those changes. It's as if you're hiding something and don't want to make it easy for the other side to understand the deal they're being asked to sign up to. 

Not so for the people drafting our laws and regulations. No. While they have their own internal mark-up of how a piece of legislation is being amended from time to time, they keep it to themselves and only use it for the purpose of writing up an amending 'statutory instrument' that shows only the change and where it is supposed to be plugged into the original. Nuts, unless of course you're still writing with a goose feather, or you're the one proposing the changes and you want to slow your opponents down by making them reverse-engineer what the changes looks like in context. Or you're one of the legal publishers everyone is forced to pay in order to get an up-to-date version showing all the changes once they are passed, since not even the government's own legal publishing unit has the resources to keep up-to-date with how all our laws have changed.

I am not the first to complain about this, as I pointed out in 2009 in the context of the Free Legal Web initiative, which you can now see is defunct. Dragged under the waves by the combined weight of institutional inertia, investor scepticism and despair... but I'll leave it to Nick Holmes to tell that story.

And yet, in true Terminator fashion, this won't die. Yesterday, we were treated to a presentation on the new OpenLaws initiative to "make legislation, case law and legal literature more accessible" (please,  take the survey).

It's thought that OpenLaws might benefit from including European law. Certainly it brings European cash, which is smart. But if there's one institution committed to less transparency than the UK Parliament, it's the European Union. You'll see that I've previously considered launching a quest to find the source of European law, but abandoned the idea immediately. Anyone who's tried to keep track of the European Commission amendments to draft directives and regulations as they ooze their way through the European "ordinary legislative procedure" quagmire will understand the true value of the lobbyist. I can't imagine sunlight ever falling on that process.

But I may be wrong. And it could well be that the OpenLaws' social media tools concentrate enough rage against the EU machine that transparency will be introduced. In the meantime, we'll have access to case law, articles, commentary and unofficial redlines of legislative amendments, even if we can't shake the uneasy feeling that only a few officials fully understand what our Parliaments are churning out.

 

Word Count

Doing the rounds on email last week:

• Pythagoras' theorem - 24 words.

• Lord's Prayer - 66 words. 

• Archimedes' Principle - 67 words. 

• 10 Commandments - 179 words. 

• Gettysburg address - 286 words. 

• US Declaration of Independence - 1,300 words. 

• US Constitution with all 27 Amendments - 7,818 words. 

• EU regulations on the sale of cabbage - 26,911 words 

Image from DesignAndBuild.

An Integrated EU Market For Payments?

A Dog's Breakfast

We have until 11 April to weigh in on the European Commission's dream for "an integrated European market for card, internet and mobile payments."

Tedious as the EC's role and processes are, we mustn't forego these opportunities to feed into the EU's 'social dialogue'. If we don't participate we'll get legislation that's more reflective of canine culinary expertise rather than how various markets actually work (like the Payment Services Directive).

Some key issues in the current green paper are:

• whether we need more sunlight on how much we pay in interchange fees;

• whether it's overkill to make a retailer show on your receipt how much it costs to use your chosen payment method;

• whether non-financial service providers should be able to directly access clearing and settlement systems;

• whether you should be allowed to permit any service provider you like to show you your bank balance, rather than only your bank; and

• whether competition is being inhibited by the process of 'standardisation' and demands for "full interoperability".

My own personal view is that the short answer to all of the above is, "Yes."

The challenge to regulating payments is that service providers and regulators alike tend to view "paying" and "banking" as consumer activities in their own right. Whereas consumers don't actually "pay" - and retailers don't even "accept payment" - as distinct activities. The man from Visa who thinks the brand on my payment card is the most important brand in the context of me buying a gift for a friend on my way to a party is institutionally deluded. Actually paying for the gift is a barely considered sub-process in the course of getting to the party, and I might pay in cash.

Not only must we remember that payment occurs in the context of wider consumer activities, but we must also acknowledge that payment details are a subset of all the personal and transaction data used in retail services that are subject to broader market forces and other regulation. In particular, the impact of the EC's proposal for more comprehensive regulation of personal data processing cannot be underestimated. There seems little point in dealing with access to bank balance information in the context of payments regulation when the wider data protection regime would enable the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

But let's glance away from the data protection elephant for a moment.

On the question of interchange, it's clear from Annex 2 of the green paper that the EC doesn't understand the lack of a direct contractual/settlement relationship between issuers and acquirers in four-party card schemes like Visa/MasterCard, even where a banking group has both an issuing business and an acquring business. Each acquirer and issuer contracts directly with the card scheme, and the card scheme settles independently with each of them. Besides, the issuing arm's cardholders won't always be making payments to the aquiring arm's merchant customers. Not only does this add an important nuance to the interchange debate, but it also has far wider implications for payment services regulation than there's time to cover here.

As consumers, of course we want retailers to keep a lid on their interchange costs (like any other overhead). That would enable them to improve their services, increase product selection or maybe reduce their prices. But unless the retailer has its own specific surcharge, I don't need the receipt to tell me the cost of using my chosen payment method, any more than I'd need to know what it cost to get the item from the warehouse to the shop. The underlying cost might be fascinating to EC officials and payments geeks, but the all-in price of the item should be enough for me to compare the efficiency of retailers' operational processes. Whether those retailers are competing properly in their own markets is a separate issue to the cost of payments in any event.  

I can also see that the cost of payments might be reduced by enabling sophisticated businesses to directly accessing clearing and settlements systems, rather than relying on financial institutions whose systems are geared to servicing the broader market. And such businesses shouldn't need to become regulated financial institutions or to join cosy industry bodies for that privilege. However, I should point out that developing an internal acquiring and settlement capability is very likely to prove an unwelcome distraction for non-financial corporate groups.

Similarly, as a consumer, I should be able to appoint a single service provider to enable access to my various bank, card and other payment accounts, without being in breach of the obligation to keep my account access details confidential. It's not beyond the wit of man to work out which provider is liable for any security breaches that might occur in that data sharing process.

Finally, we need to be really careful about requiring "standardisation" and "full interoperability" rather than merely enabling the market to develop this naturally, free of anti-competitive activity. Entrepreneurs don't have the time or resources to sit around in policy and standards meetings. Nor do they wish to telegraph to incumbents their disruptive plans. Yet there is also little meaningful distinction between "technologicial interoperability" and "commercial interoperability" in a digital world where business models are automated or 'hard coded'. I'm struggling to understand the EC's intention here. On the one hand the EC wants to see competition (which generally means less consolidation and more fragmentation - plenty of new players and competing, disruptive solutions), and on the other hand it wants to "avoid fragmentation of the market". So these aims seem incompatible. 

Interoperability and standards may be important to enable efficient, straight-through processing between participants at either end of an overall business process or system. But the more tightly that process is bound together - or the narrower the group of entities involved in the development of standards/interoperation - the harder it is for new entrants to compete by disintermediating or improving any one element of that process. This is a key reason we have been trying to avoid any preoccupation with mandating standards in relation to data release formats in the context of the 'midata' initiative, for example (formerly 'mydata'). This avoids creating an extra hurdle to the release of the data, while opening up a market for the supply of data transformation applications that collect such data in multiple formats and display or transfer it in another format. 

Paradoxically, the EC's own concerns on this front are reflected in the green paper questions as to whether card scheme management should be separated from control over card payment processing (Q's 9 and 10), as well as the competition challenge to standards-setting by the European Payments Council:

"Joaquín Almunia Commission, Vice President in charge of Competition Policy, said: "Use of the internet is increasing rapidly making the need for secure and efficient online payment solutions in the whole Single Euro Payments Area all the more pressing. I therefore welcome the work of the European Payments Council to develop standards in this area. In principle, standards promote inter-operability and competition, but we need to ensure that the standardisation process does not unnecessarily restrict opportunities for non-participants."

I rest my case.

An EU Contract Law? Too Tough To Digest

A hat-tip to Mayer Brown for the heads-up on the latest in the saga of a proposed European Contract Law. We have until 1 July to send feedback on 189 individual articles included in a 'feasibility study'. The Commission will then consider that feedback, together with the results of an earlier consultation.

As I have posted previously in another place, I'm not terribly supportive of a new European Contract Law. It doesn't fix any real problem, and it won't catalyse a single, cross-border market - notwithstanding the rationale advanced by the European Commission. The example used is:

"An Irish consumer buys an MP3 player online from a French retailer. In this case, Irish contract law would apply if the French retailer has designed his website for Irish consumers."

This is a strange scenario, littered with odd assumptions. Besides, there are notable instances of successful cross-border retailing in the EU that rely on the law of a single Member State as the law of the contract. And choice of law is the least of the barriers to setting up such an operation, as the European Commission itself discovered in the context of the reform of laws related to consumer rights and consumer credit. In particular, a May 2007 study by Civic Consulting revealed that:

“the main [non-regulatory] barriers hindering selling of consumer credit products in other EU Member States are different language and culture; consumers’ preference for national lenders; credit risk for lenders – no access to creditworthiness information; problems related to tax, employment practices etc.; difficulties to penetrate local market; different consumer demand in different Member States; lack of consumer confidence in a brand; differing stages of development of consumer credit; and lack of adequate marketing strategies.”

Furthermore, the law should follow, not lead commerce (though I realise that is a common law, rather than a civil law view). Otherwise, it acts as a hurdle to innovation and market development, and only those who are 'good at regulation' (incumbent players) will cope.

A pan-European contract law also conflicts with the principle already enshrined in various financial and other regulatory frameworks that, in general, the law in a corporation's home Member State should govern that corporation's cross-border EU activities. In fact, given the preponderance of any EU-based cross-border retailer's trade is with the citizens of its home state (with the exception of retailers based in Luxembourg) this proposal would seem to envisage retailers either imposing European Contract Law on their local customers, or creating separate set of terms for cross-border customers. I don't see how either is helpful, other than to generate work for the likes of... well, me.

But I'm not in the business of creating more hurdles for cross-border trade. So, while I will of course personally attempt to digest yet another European dog's breakfast, I propose to focus my drafting energies on an exclusion clause that will mean my clients and their customers won't have to.

Apply within ;-)

Do Other EU Countries' Data Protection Laws Apply To You?

A hat-tip to Claire Walker and Shona Kerr for their SCL article on the above question: "Location, Location … Guidance on Applicable Law in International Data Processing Scenarios" (cheap annual subscription applies).

The "guidance" referred to is the Opinion of the EU's Article 29 Data Protection Working Party of national data protection regulators. And, naturally, the answer to the above question is that "it depends".

In essence, the factors for businesses to consider are whether you are the data controller or processor, and whether you have an "establishment" in a given EU Member State and/or are sufficiently involved in processing personal data through "equipment" or some means of processing located in that country. There are helpful detailed examples in the Opinion, but ultimately it's a question of fact and degree that will benefit from discussion with the operational or IT staff who know what's actually going on. Guidance is also given on supervision and enforcement.

This sort of analysis is not exclusive to the law on personal data protection - many local laws and regulations may apply to your cross-border activities in another country, even if you don't operate a physical point of sale there (direct and indirect taxes being critical examples). But it's a useful illustration of the type of issues facing anyone operating on a cross-border basis.