
Showing posts with label fintech. Show all posts

Monday, 14 September 2020

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not execute a customer's order if, and for so long as, the bank has reasonable grounds (though not necessarily proof) for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss.

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank).

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

  • an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
  • it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
  • it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
  • similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevent further "Quincecare" related work to resolve whether funds are being misappropriated.

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts; to inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but they should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.


Monday, 15 October 2018

EU Parliament Resolution on Distributed Ledger Technologies


The European Parliament has adopted a non-legislative Resolution on distributed ledger technologies (DLT), including blockchain. 

The resolution highlights potential applications of DLT, such as: 
  • reporting on clinical health trials. 
  • improving supply chains, such as monitoring of origin of goods for consumer protection. 
  • allowing households to produce and exchange alternative energy. 
  • tracking, management and protection of intellectual property rights/licensing. 
  • financial intermediation and reducing transaction costs. 
  • control over personal data management and data sharing. 
  • reducing administrative burdens in the public sector. 
The Resolution calls for the development of a European legal framework to solve any jurisdictional problems in dealing with fraud and crime; raise awareness of DLTs; and bridge the digital divide among various member states. 


Saturday, 6 January 2018

Can You Use P2P Loans to Provide Finance To Others?

The FCA and others have become concerned that some people or firms may be borrowing money on peer-to-peer lending platforms and using that money to provide finance to others without being authorised to do so, rather than borrowing solely to finance their own activities. 

So the Treasury proposes to clarify when a person or business can borrow on a P2P lending platform without needing to be authorised to 'accept deposits' by amending the 'business test' for deposit-taking as explained here.

For the sake of argument, let's just accept that a 'loan' can be a "deposit"; that borrowing on a P2P lending platform can involve "accepting" a deposit; and no potential exemptions apply. The question is whether this is being done "by way of business".

The current test merely says that a borrower will not be 'accepting deposits by way of business' if the borrower doesn't hold himself out as accepting deposits on a day-to-day basis; and any deposits are accepted only on "particular occasions".

This is considered too vague to be helpful in the P2P lending context, so the government proposes to add a specific carve-out for the situation where:
  • the acceptance of deposits is facilitated by an authorised P2P lending platform;
  • the borrower is not a bank or 'credit institution' (as they are already in the business of accepting deposits) or other type of regulated person (who would need to add the permission to accept deposits);
  • the borrower is not carrying on the business of accepting deposits (which is obviously kind of circular, but another provision will say that if the borrower uses the capital or interest on the funds solely to finance other business activity carried on by the borrower (not a third party), this will be evidence that the borrower is not carrying on the business of accepting deposits);
  • the borrower does not hold himself out as accepting deposits on a day to day basis, other than as facilitated by the P2P lending platform.
The key element in the context of borrowing on a P2P lending platform is that the borrower's use of the loan proceeds is to finance that person or firm's own activities, as opposed to being used to provide finance to others.

Of course, this post is for information purposes only and does not constitute legal advice.


Tuesday, 12 September 2017

FCA Weighs In On #InitialCoinOfferings

The Financial Conduct Authority has just published its thoughts on "initial coin offerings" (ICOs), the issue of cryptographic tokens or 'currency'. There is already a wide variety of purposes for ICOs, making them much harder to classify than your typical stock market "initial public offering" (or IPOs) with which some people seem to be equating them.  The FCA has also provided links to guidance from: 
Many additional risks also arise from the nature of the 'coins' or cryptographic currency and whether there is a market for those - quite apart from the purpose for which funds are being raised and/or invested in - as well as the distributed ledger on which they and related transactions are based. We are a long way from the usual stakeholders (like regulators) understanding and engaging with the new technology, let alone standardising any kind of process for doing ICOs as 'efficiently' as IPOs or even traditional technology projects (hopefully more so!).

I have no reason to think ICOs won't necessarily become fairly commonplace in due course, but it's appropriate for the regulators to be treading cautiously at present - although they should be supportive of genuine attempts to innovate in this area and engage positively with issuers while warning investors of the risks.

Here's a helpful ICO 'tracker' from CoinDesk.

 


Wednesday, 22 June 2016

Humans At The Heart of FinTech

My article on this theme has been published by the Society of Computers and Law in connection with the IFCLA conference, where I participated on a panel discussing disruptive technology in financial services. 

It is interesting to see how people's belief in the 'efficient market' and appeals to the authorities for help when things get out of hand are playing out in the context of the Ethereum project and the DAO!