
Showing posts with label cloud. Show all posts

Monday, 30 July 2018

FCA Update On Cloud and Other IT Outsourcing


This is to reflect the implementation of the General Data Protection Regulation, and the European Banking Authority's December 2017 recommendations (so does not apply to a bank, building society, designated investment firm or IFPRU investment firm covered by those recommendations).


Wednesday, 15 February 2017

#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:
‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:
"and includes such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]
This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):
  • dashboard services that show aggregated information across a number of payment accounts; 
  • price comparison and product identification services;
  • income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
  • expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:
  • does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.
  • the service has to be "online", but what if some of it is not?
  • little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?
  • the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');
  • it seems impossible for the relevant data to be provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;
  • what is meant by 'after processing':
  1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;
  2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
  3. what about accounting/tax software providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?
Sorry, more questions than answers at this stage!

Update on 21 April 2017:

The FCA has indicated in Question 25A of its proposed draft changes to the Perimeter Guidance that:
"Account information service providers include businesses that provide users with an electronic “dashboard” where they can view information from various payment accounts in a single place, businesses that use account data to provide users with personalised comparison services, and businesses that, on a user’s instruction, provide information from the user’s various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies." [my emphasis added]

Monday, 11 July 2016

#FinTech Service Providers Must Proactively Support FCA Compliance

The FCA has finalised its new guidance to authorised firms on outsourcing to the 'cloud' and other third party IT services, which is mandatory for some firms but (strongly) advisory for others. Unfortunately, exactly what amounts to 'outsourcing' remains grey and short of examples, as do important issues such as the meaning of 'cloud' (largely a marketing term anyway), whether access to data centres is necessary and so on. Not only does that leave FCA staff and finance firms in doubt, but it leaves service providers exposed to the need for financial firms to suddenly switch providers where the FCA considers that guidelines should have been followed but have not been.

The FCA guidance says that outsourcing is "where a third party delivers services on behalf of a regulated firm". That suggests the service in question must effectively be part of the firm's service to its customers, like answering customer calls on the firm's behalf in a call centre, as opposed to, say, the supply of commercial IT hosting services for web sites, apps or back-office software etc., which the firm is not in the business of providing to customers. 

A table in the guidelines sets out an extensive process and related paper trail designed to show that a firm has outsourced a function appropriately.

So lack of clarity on the boundary between outsourcing and normal service provision means that some IT providers may not realise that a financial firm has incorrectly classified the use of its services; and/or the service provider may not be willing or able to help the regulated firm jump through the many hoops laid out in the FCA's guidance. 

As a result, service providers risk losing customers who are finance firms that have failed to grind through the FCA's requirements and have to re-run their outsourcing process.

For all practical purposes, this places the burden on IT service providers to clarify the nature of their offering and make sure they are ready to help their finance customers either explain why there is no outsourcing or demonstrate compliance with the FCA's outsourcing guidelines.

Some might observe that this represents regulatory 'scope creep', since it effectively subjects outsourcing providers to FCA regulatory requirements even where they are not required to be authorised (and may even be based outside the UK). Whether this is ever challenged as being ultra vires - beyond the FCA's powers - remains to be seen, but it is certainly a cost of doing business with UK financial firms.


Friday, 31 January 2014

Privacy Law Meets The P2P Economy


The legal war against Big Data platforms has intensified recently, with Google on the sharp end of fines and court proceedings, and an Israeli legislative proposal that would require search engines to pay royalties on search results to the State for distribution amongst selected publishers.

But courts, regulators and the legislature are very slow trains in this fast-moving context. I worry that they are distracting us from the urgent and more productive quest for a pragmatic, humanistic solution to the root cause of the privacy problem: lack of control of our own data.

I've recently pointed to some key commercial and technological developments which can deliver that control, in a series of posts responding to Google's rather spooky 'computers vs people' meme. In essence, I've suggested that we can 'win the war' against computers for economic control of our data by transacting on peer-to-peer marketplaces, and by linking those marketplaces and our respective 'personal clouds' to form a wider 'personal data ecosystem' using the tools described in the recent Privacy by Design report.

That ecosystem will be increasingly complex, tightly coupled, dynamic and, above all, collaborative. So, as lawyers, we should be advising our respective clients to work together very closely to build a trust framework which ensures that users are readily able to understand and control how their data is being used, and that the operational and technological rules and processes are consistent with the legal rules governing the ecosystem and all its participants.

This is not 'niche' or happy clappy stuff. Designing the new economy can't be left to a lone 'data protection expert' or a pro bono team and some corporate social responsibility bods from UK plc who are merely trying 'to put something back'. It's got to be business as usual for lawyers and their clients across the board.

Interested in your thoughts.