Search This Blog

Showing posts with label distributor. Show all posts
Showing posts with label distributor. Show all posts

Saturday, 20 July 2024

If DAOs Are Really Autonomous, They Could Be Regulated As AI Systems Under the EU's AI Act...

Two recent publications - that of the EU's Artificial Intelligence Act and the UK Law Commission's 'scoping paper' on whether and to what extent Decentralised Autonomous Organisations should be granted legal status - got me thinking about this, because both AI systems and DAOs will tend to be global or 'borderless' in nature. It seems to me that the EU may have granted certain DAOs a form of legal status already - as AI systems - while focusing responsibility and liability on only some of the roles involved... If so, we can add this to other examples of sector-specific regulation in areas where DAOs might be established to operate, which could also have significant implications for the DAO and its participants. Please let me know if you require legal advice in these areas.

Defining AI systems and DAOs

‘AI system’ means [with limited exceptions] a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments;

The Law Commission uses the terms "DAO" very broadly to describe:

a new type of online organisation using rules set out in computer code. A DAO will generally bring together a community of (human) participants with a shared goal – whether profit-making, social or charitable. The term DAO does not necessarily connote any particular type of organisational structure and therefore cannot on its own imply any particular legal treatment.
As to what is meant by "autonomous" the Law Commission found that:

In the context of a DAO, “autonomous” has no single authoritative meaning. Some suggest that “autonomous” refers to the fact that the DAO has (a degree) of automaticity; that is, it relies in part on software code which is capable of running automatically according to pre-specified functions. Others suggest that “autonomous” is a broader, descriptive term used to encapsulate the idea that DAOs are capable of operating in a censorship-resistant manner without undue external interference or internal (or centralised) control. In this paper we allow for both meanings.

To merge the two concepts: a DAO's governance or decision-making could be automated 'with varying levels of autonomy' using codified 'smart contracts' that operate automatically in certain circumstances, to infer from the inputs received how to generate recommendations or decisions that influence the DAO or some other virtual or physical environment. 

Whom would this affect?

The AI Act applies to any person who supplies an AI system (or GPAI model) on the EU (read EEA) market (wherever they may be located) and anyone located outside the EU who provides or deploys an AI system outside the EU, if the output of the AI system is to be used in the EU. 

The AI Act encompasses a range of roles or actors who might - or should - have responsibility/liability in connection with the risks posed by an AI system, each of whom qualifies as an "operator":

‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;

‘deployer’ means a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity; 

‘authorised representative’ means a natural or legal person located or established in the [EEA] who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation; 

'importer’ means a natural or legal person located or established in the [EEA] that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country; 

‘distributor’ means a natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the [EEA] market; 

When we think about who might be involved or 'participate' in a DAOs, the Law Commission has grouped them as follows (though the roles may not be mutually exclusive):

  1. Software developers 
  2. Token holders of the tokens that enable governance or other types of participation 
  3. Investors/shareholders (where DAOs use recognised legal entities such as limited companies). 
  4. Operators/contributors in connection with the DAO's tokens (miners/validators), software, management etc. 
  5. Customers/clients, where the DAO offers an external service.
However, it is clear that these roles don't readily 'map' to the AI Act's concepts of responsibility for managing risks associated with the establishment, deployment and ongoing operation of DAOs.

This is not unusual when it comes to sector-specific regulation, which tends to focus on certain activities that some legal person or other must be conducting in the course of developing/establishing, deploying, operating and winding-down/up (although perhaps a lot of this type of regulation tends to be more limited in its territorial application).

Conclusion

Of course it's important to think of DAOs in terms of being an 'organisation' of some kind with legal implications for the participants depending on the actual type (Chapters 3 to 5 of the Law Commission's paper). 

However, it's also critical to consider the potential impact of sector-specific regulation that governs the activities of developing/establishing, deploying, operating and winding-down/up certain types of services or products. This type of regulation tends to be more limited in its territorial application, so requires a country-by-country (or even state-by-state analysis in countries like the US or India or regional trade arrangements, like the EU). Significant examples of this type of regulation that may have very grave implications for the liability and responsibilities of DAO participants include anti-money laundering requirements, financial regulation and tax (Chapter 6 of the Law Commission's paper), and we can add the AI Act as a more recent example. 

Please let me know if you require legal advice in these areas.


Tuesday, 6 August 2019

FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether  PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:
  • from, or for the benefit of, a user for the execution of a payment transaction; 
  • from a payment service provider for the execution of a payment transaction on behalf of a user; or 
  • in exchange for electronic money that has been issued,
where they continues to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP.  A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.


Monday, 27 May 2019

Let's Not Confuse E-money Agents and Distributors

The European Banking Authority has issued an opinion that goes some way to clarifying when e-money institutions create an "establishment" when dealing through "agents" and "distributors", though it does not go far enough to be terribly useful (to be covered in another post...). In reaching that opinion, however, it has managed to create confusion over the distinction between agents and distributors. This is unfortunate, given the very significant difference in legal responsibility for the EMI and the time it takes to set up such arrangements - sometimes on a large scale, where chains of small retail outlets or multiple independent online retailers offer prepaid cards, top-up vouchers etc for the issuer.

The EBA accepts that e-money institutions (EMIs) can operate through either:
  • 'agents' who provide regulated payment services on the EMI's behalf and must be registered by the EMI with the regulator; or
  • 'distributors' who do not provide regulated payment services on the EMI's behalf, so the EMI merely has to notify the regulator that the distributor is being used rather than register it.
But the EBA then states that: 
"...if a distributor receives funds from an end-customer in exchange for e-money, the funds are considered to have been received by the issuer itself, considering that the distributor is acting on behalf of the issuer. The safeguarding obligation of the issuer starts as soon as the distributor receives the funds from the customers, and remains with the issuer/EMI (not with the distributor), so that the customer does not bear any consequence of the funds not being transferred from the distributor to the issuer, including in the event of the distributor's insolvency."
I also notice this has also been picked up by the FCA in its guidance on safeguarding in the Approach document, for example:
"10.28 An institution may receive and hold funds through an agent or (in the case of EMIs and small EMIs) a distributor. The institution must safeguard the funds as soon as funds are received by the agent or distributor and continue to safeguard until those funds are paid out to the payee, the payee’s PSP or another PSP in the payment chain that is not acting on behalf of the institution. The obligation to safeguard in such circumstances remains with the institution (not with the agent or distributor). Institutions are responsible, to the same extent as if they had expressly permitted it, for anything done or not done by their agents or distributors (as per regulation 36 in the EMRs and regulation 36 in the PSRs 2017)...
10.34 Where relevant funds are held on an institution’s behalf by agents or distributors, the institution remains responsible for ensuring that the agent or distributor segregates the funds. "
Elsewhere, the FCA states that
5.6...In our view, a person who simply loads or redeems e-money on behalf of an EMI would, in principle, be considered to be a distributor.

However, the FCA states:
8.338 It is important to recognise that if an agent of an e-money issuer receives funds, the funds are considered to have been received by the issuer itself. It is not, therefore, acceptable for an e-money issuer to delay in enabling the customer to begin spending the e-money because the issuer is waiting to receive funds from its agent or distributor.
These passages might be read as supporting the notion that a distributor is entitled to hold funds on behalf of an EMI, albeit in a segregated bank account, and the EMI is entitled to rely on the distributor to transfer those funds to the EMI's account. 

But in my view, if a distributor were to act in that way it would be operating a payment service (e.g. money remittance) and would therefore need to be either authorised in its own right or registered as an agent of the EMI. In other words, there would be no distinction between an agent and a distributor.

In fact, the role of distributor was created in order to avoid the need for agency registration in a particular scenario (e.g. small retailers whom the EMI would find it difficult to be responsible for registering and supervising); or for the distributor to concern itself with regulatory risk and responsibilities. 

The EMI's obligation to register an agent (and, more importantly, liability for the agent's activities on the EMI's behalf) is avoided by requiring the distributor to keep a 'float' of a minimum amount of funds in an account which the distributor agrees the EMI will draw upon whenever the distributor's system reports to the EMI's system that a customer in one of the distributor's outlets has bought a prepaid card or otherwise loaded funds onto a card or wallet issued by the EMI. 

In that scenario, neither the customer nor the EMI is taking any risk at all that the distributor might fail to transfer funds paid by the customer. The EMI has instant access to the float of funds previously paid by the distributor, and safeguards those funds if the e-money issued to the customer is not spent within the next business day.  Meanwhile, the distributor retains any money paid by the customer as effectively reimbursement for the amount that the EMI has deducted from the distributor's float.