New Insolvency Rules for UK E-money and Payment Institutions

The Payment and Electronic Money Institution Insolvency (England and Wales) Rules 2021 (SI 2021/1178) will come into force on 12 November 2021 (there is an explanatory memorandum). The new rules provide detailed operating provisions to support the special administration process for payment institutions and electronic money institutions governed by The Payment and Electronic Money Institution Insolvency Regulations 2021 (SI 2021/716) which came into effect on 8 July 2021 (there is also an explanatory memo relating to those regs).

Amongst other provisions, the new rules: 

• Require insolvency practitioners to provide a reasonable notice period before a claims bar date comes into effect. 
• Clarify the full hierarchy of expenses. 
• Require notice of a bar date to be given to all persons whom the administrator believes to have a right to assert a security interest or other entitlement over the relevant funds. 
• Require the special administrator to engage closely with payment systems operators during the special administration. 

The Government consultation response explains the evolution of this legislation.

Payment and E-money Institution Insolvency Regulations Take Effect On 8 July

As covered in December, the Payment and Electronic Money Institution Insolvency Regulations 2021 were passed on 17 June and take effect on 8 July 2021.

While the Regulations mainly deal with an insolvency scenario, it’s worth noting there is also provision for the Financial Conduct Authority to seek a special administration merely where that is ‘fair’ (see Regulation 9(1)(b) and 9(3)). This might assist in cases where the institution is solvent but otherwise proving difficult.

Please let me know if I can help.

New Insolvency Regime for UK E-money and Payment Institutions

A new insolvency regime is being introduced for UK e-money/payment institutions. Some recent administration cases have taken years to resolve. Of six cases, only one has so far returned funds to customers! Comments on the draft regulations are requested to pemisar@hmtreasury.gov.uk by 14 January, and on related rules (to be published by 17 December) by 28 January. I expect that the regulations/rules will be introduced fairly quickly thereafter – possible a few weeks, depending on the feedback received. These are based on a similar scheme for investment banks, so it should be ‘tried and tested’.  

The 'special administration regime' will have the following features:

• the special administrator must return customer funds as soon as reasonably practicable and engage with payment systems and authorities in a timely fashion
  
• a deadline for claims to be submitted to speed up the distribution process
• a mechanism to transfer customer funds to a solvent institution
• post-administration reconciliation to top-up or drawdown safeguarded funds
• provisions for continuity of supply of services, to minimise disruption
• rules for treatment of shortfalls in safeguarding accounts
• rules for allocation of costs.

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to  non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not executing a customer’s order if, and for so long as, the bank has reasonable grounds (though not necessarily proof), for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd, [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss. 

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank). 

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

• an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
• it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
• it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
• similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevents further "Quincecare" related work to resolve whether funds are being misappropriated. 

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but it should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.

Wirecard UK's Customers Should Get Their Money Back...

The sudden closure of Wirecard Card Solutions, the UK e-money institution, highlights confusion over whether customer's prepaid funds are protected. Here's a quick explanation. The Financial Conduct Authority also has published an explanation. If you have any queries about how these rules operate, please let me know.

The Financial Services Compensation Scheme (FSCS) covers bank deposits but not the 'electronic money' or other payment services offered by e-money institutions or payment institutions.  The Financial Conduct Authority’s guidance in its “Approach” to regulating such payment service providers states:

In providing customers with details of their service, PSPs and e-money issuers must avoid giving customers misleading impressions or marketing in a misleading way, e.g.:

- misleading as to the extent of the protection given by safeguarding

- suggesting funds are protected by the Financial Services Compensation Scheme, or displaying the FSCS logo

However, the actual funds that correspond to the electronic balance in an e-money institution's prepaid account, or the funds that a payment institution is handling in the course of executing payment transactions, must be 'safeguarded' in certain types of bank accounts ('safeguarding accounts') or be insured.

If the funds are held in the safeguarding account in accordance with the relevant regulations, then they form a 'pool' of money that is separate from the e-money or payment institutions own funds, and can be passed back to the customers who are entitled to them rather than be used to pay the institution's other creditors. This can take some time, however. The safeguarding process can also breakdown, for instance, where the institution mixes its own funds in those accounts, or moves 'relevant funds' to non-safeguarded accounts.

E-money and payment institutions are also required to ensure that their registered agents also safeguard relevant funds. Registered agents could include firms that issue prepaid debit/payment cards or otherwise operate prepaid card or e-money programmes on behalf of the e-money institution.

There remains the question of what happens in the event of a failure by the bank where the safeguarding account is held (as opposed to the failure of the e-money or payment institution that safeguarded its customers funds there, as in the Wirecard case).  In that event, there should be pass-through FSCS cover for the end-customers of payment institutions and e-money institutions because:

• there must still be recourse to assets to which the end-customer is beneficially entitled (their claim on the pooled safeguarding account), so as the underlying beneficiary the end-customer should have a claim for up to the £85,000 limit (extended in some cases for temporary high balances) against the FSCS (under Depositor Protection 6.3 in the Prudential Regulatory Authority Rulebook). This is the position in relation to funds held in bank accounts covered by the FCA's client money rules (CASS), as well as other non-financial trust fund arrangements such as those for law firms under the rules of the Solicitors Regulatory Authority.  The PRA made clear this applied to peer-to-peer lendingplatforms, albeit this was before the platforms became regulated, when they were generally operating trusts, so it would be surprising if this were different for payment services providers who are not banks.

• In addition, while they could not be entitled to be compensated twice, the principles of trust law should mean that customers would also be entitled to receive a proportion of any FSCS pay-out that the payment service provider receives as a customer of the bank in its own right in relation to the safeguarding account held in its name, according to the proportion that those customers’ funds bear in relation to the total amount held in the safeguarding account.

If you have any queries about how these rules operate, please let me know.