FCA Discussion Paper On New Crypto Rules

Hard on the heels of the Treasury's proposed regulatory framework for cryptoasset activities in the UK, the Financial Conduct Authority published its own discussion paper on how it will supervise these activities within that framework. The FCA requested feedback by 13 June 2025. I will gradually add my thoughts on the discussion paper below, for information purposes. If you require legal advice on the plans and their impact, please let me know. 

The FCA's proposals are far reaching (including extra-territorial) and complex. Some areas are new, while others aspects attempt to include cryptoassets/activity into existing rulebooks. There are also some proposed restrictions on the type of customers that firms can deal with. 

The actual rules and guidance won't be available until mid-2025, when the FCA will publish a Consultation Paper on issuing a qualifying stablecoin, safeguarding qualifying cryptoassets and specified investment cryptoassets, along with the prudential framework (capital requirements) for qualifying stablecoins and safeguarding. There will be a further consultation on the wider 'conduct' standards, such as the Consumer Duty even later in 2025.

Operating a Qualifying Cryptoasset Trading Platform

This proposed new regulated activity is incredibly broad: 

[the operation of] ‘a system which brings together or facilitates the bringing together of multiple third-party buying and selling interests in qualifying cryptoassets in a way that results in a contract for the exchange of qualifying cryptoassets for any of: (a) money (including electronic money); or (b) other qualifying cryptoassets.

Any entity operating a trading platform for cryptoassets in the UK, or providing services to UK clients, will generally need to be authorised in the UK, except a firm operating an offshore trading platform for cryptoassets that is only serving professional investors in the UK.

One approach to authorisation for offshore firms would be to require both a 'branch' or local establishment for operating the platform and interfacing with overseas customers; and a UK subsidiary for client-facing functions (including for retail customers). Where an offshore firm is also regulated in its home jurisdiction, the FCA might be prepared to leave certain issues (e.g. capital requirements and systems/controls for trading operations) to the home regulator.

When dealing with retail customers, the FCA proposes that CATPs should:

• Disclose and clarify their own and their clients’ respective responsibilities. 
• Ensure that customers comply with the platform rules and relevant regulations (for example, not engaging in market manipulation). 
• Monitor trading activity to identify infringements of rules. 
• Set controls and limits for each type of customer profile. 
• Be able to revoke access or participation rights, or to suspend a customer.

Algorithmic trading and automated trading software: the FCA points out these are "highly prevalent in cryptoasset markets, with popular bot providers reporting up to 1 million users", including retail investors, requiring limited, if any, human intervention. "Trading platforms also provide dedicated access capabilities for algorithmic trading or [high frequency trading] HFT." Whether or not these will need to be authorised or registered somehow, CATPs will have to ensure fair and non-discriminatory access to trading, ensure orderly markets and eliminate or manage/disclose conflicts of interests between providers of algorithmic or automated trading software and the CATP operator.

Market-makers: the FCA is aware of anti-competitive and collusive practices between crypto trading platforms and market makers, artificially inflating trading volumes, giving unfair advantages for affiliated market makers, and market manipulation. Therefore, CATPs may need to identify those operating market making strategies on the trading platform; have appropriate contracts in place; and disclose potential relationships. Contracts would govern the market making scheme and including obligations for market makers posting simultaneous two-way quotes for a specific liquidity pool.

Trading & execution: Crypto trading service providers have different matching and execution protocols. Some exchanges combine discretionary and non-discretionary systems, and some trade in principal capacity on and off platform with their clients in ways that aren't clear who the counterparty is. The FCA will require CATPs to operate on a non-discretionary basis, treating all orders identically, according to a consistent set of rules, rather than using their judgement as to whether, when and how much of any orders to match. Where investors participate directly, CATPs might not be required to "take all sufficient steps to obtain the best possible order execution results for clients" (best execution requirements), so it would be up to investors to consider where best to trade on the basis of prices, fees and costs. Investors using an intermediary may benefit form investor protection rules and the intermediary's obligation to act in the investor’s best interest, including seeking best execution, though commission or other compensation would be charged.

Matched Principal Trading: this is a form of trading where a person acts as a broker or central counterparty between the buyer and seller, making sure that the price and quantity is agreed on both sides before the trade is executed. The broker charges a fee rather than making a turn on the difference/spread between the buy and sell prices. The risks are that the CATP as broker trades against the clients on platform and/or takes on market risk (of counterparty default). which could create resiliency risks; conflicts of interest undermine the fair and non-discretionary operation of markets; and there may be other abusive or anti-competitive practices, such as wash trading and market manipulation. As a result, the FCA is not happy that "Exchanges often execute clients’ transactions back-to-back, by standing between the 2 trading counterparties" and want to explore some alternatives in light of the IOSCO Recommendations: neither the CATP operator nor any of its affiliates should never be allowed to trade in principal capacity on the CATP's own platform; and the CATP should not be allowed to do so even off platform, for trading activity not related to their CATP’s operation.

Issuing: the FCA may require legal or functional separation between the firm operating a CATP and the issuer of the cryptoassets admitted to trading on the CATP. Legal separation in particular could avoid credit and market risks exposures, capital risks, conflicts of interests and anti-competitive practices by the CATP against other issuers.

Market & Counterparty Credit Risks: the FCA wants CATPs to be "risk-neutral trading systems", without counterparty or credit risk to clients or products. CATPs could not act as a clearing house or directly manage or internalise risk exposures between counterparties on their platform; or provide credit lines or make credit arrangements with their clients.

Settlement: is the ‘irrevocable and unconditional transfer of an asset […], or the discharge of an obligation […] in accordance with the terms of the underlying contract’. The challenge with regulating settlement in cryptoasset markets is that CATPs don't control the underlying distributed ledger or 'blockchain' protocols (which the UK does not intend to regulate). CATPs often take on settlement responsibilities internally, creating risks for the CATP or its clients if a counterparty defaults in its own obligations. Generally, the FCA expects CATPs to have "satisfactory arrangements" for securing the timely and effective transfer of control over the cryptoassets traded on their platform, whether internally or by facilitating or arranging this through other service providers (including custodians).

Transparency & Reporting: the FCA has found that "cryptoasset market data is often unreliable and inconsistent", which undermines efficient pricing, creates unlevel playing fields, and creates "incentives in favour of minor, or illiquid, trading desks that do not offer the same level of transparency". In other words, this is how the pro's fleece the retail sheep. Therefore, the FCA wants to rely on CATPs to clean up and publish pre- and post-trade market data (presumably so a cryptoasset market data sector will grow up, just as other markets for financial data have evolved), including order and transaction data (while also retaining client identity information internally for 5 years).

Cryptoasset Intermediaries

These intermediary functions involve dealing as principal or agent; or arranging such deals in qualifying cryptoassets. Many CATPs undertake these functions as well as being an 'exchange'. Only 28% of users bought crypto through a distinct intermediary, paying higher charges and taking on a long list of risks (that also apply where the CATP is also acting as an intermediary, with additional conflicts of interest and opportunities for abuse). Chapter 3 of the Discussion Paper has more detail on the proposals to address these issues on a 'same risk, same regulatory outcome' basis as in traditional markets: 

• Facilitate UK investors’ access to global crypto markets through authorised entities. 
• Make sure UK markets remain internationally competitive, fair, orderly, transparent and liquid. 
• Fair and transparent conditions for trades executed for, or on behalf of, a client; executed in a way that serves the best interest of clients. 
• Intermediaries ensure that the price a customer pays for a product is transparent and reasonable compared to the overall benefits the customer gets from the product. 
• Firms compete to provide best execution. 
• Consumers protected from unfair or abusive practices. 
• Intermediaries manage conflicts of interest effectively. 
• Support growth of the UK intermediary market with clear and proportionate regulation.

Of APP Fraud, Safeguarding And "Asset Pools"

The awesome scale of 'authorised push payment' fraud is causing sleepless nights throughout the banking and payments industry, and much uncertainty as to where liability sits. There is a seemingly endless array of scenarios in which APP fraud can occur. Examples include impersonation, investment, romance, purchase, invoice and mandate, CEO fraud and advance fees. It's conceivable that liability could vary according to whether or not the payer is a consumer (or to be treated as one), as well as the type of institutions and payment services involved. I've set out below a quick summary of the current state of play for information purposes only, including various cases before the courts. Let me know if you need legal advice on any aspect, including possibly lobbying the new government to grasp some of the nettles via some form of regulatory action, to spare everyone a lot of time and expense...

Regulatory developments

I covered the Payment Systems Regulator's proposals in this area last June, and these have been brought in with effect from 7 October 2024. 

The CRM Code only covered 60% of APP fraud within its voluntary scope, so mandatory reimbursement requirements were always on the cards. 

The new reimbursement requirement applies to consumers, micro-enterprises and small charities which are all treated as ‘consumers’ under the Payment Services Regulations 2017 (PSRs), as with the CRM Code. In other words, it only covers payments made using Faster Payments where the victim is deceived into allowing or authorising a payment from their account with a PSP to another account outside the victim's control at another PSP.  

Firms must reimburse all in-scope customers who fall victim to APP fraud (with some exceptions), sharing the cost of reimbursing victims 50:50 between sending and receiving PSP, with extra protections for vulnerable customers. 

As the operator of Faster Payments, Pay.UK is responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules and will operate a reimbursement claim management system (RCMS) that all members (direct participants) in Faster Payments must use from 1 May 2025, with various reporting standards mandated by the Payment Systems Regulator, with some limited to the larger participants. Affected PSPs must also explain this to their customers, including in service terms and conditions, so let's know if I can help there in particular.

As mentioned in March, the previous government proposed an amendment to Regulation 86 of the Payment Services Regulations to extend the time limit on processing a payment order where it has been authorised by the payer but their PSP reasonably suspects APP fraud.

Liability aside from the regulatory solution

Breach of Duties

As clarified by the Supreme Court in Philipp v Barclays: 

• banks have a duty to execute a valid (clear, lawful) payment order promptly. 
• a bank cannot execute a payment outside its mandate, so cannot debit the relevant amount from the customer's account in that case, and if it were to do so, then the customer has a debt claim against the bank.
• banks also have a duty of care to customers to interpret, ascertain and act in accordance with their customers' instructions, which only arises where the validity or content of the customer's instruction is unclear or leaves the bank with a choice about how to carry out the instruction. The duty won't apply in the case of a valid payment order that is clear and leaves no room for interpretation or choice about what is required to execute it (i.e. the bank must simply execute, according to the first duty above). 
• Where the general duty of care arises, and the payment instruction was given by an agent of the customer, and a bank has reasonable grounds to believe that the payment instruction given by the agent is an attempt to defraud the customer, the Quincecare duty requires the bank to refrain from executing the payment pending its inquiries to verify that the instruction has actually been authorised by the principal/customer. A similar duty applies where the bank is on notice that the customer lacks mental capacity to handle their finances or bank accounts.
• the bank may also have a duty to take reasonable steps to recover funds that its customer claims to have paid away by mistake or as a result of fraud.

These findings are generally consistent with the Payment Services Regulations 2017 (PSRs), although (as the Supreme Court also explained), the PSRs did not provide for reimbursement of authorised payments, so did not assist victims of APP fraud, partly because they deem such payments to be correctly executed. However, the PSRs do oblige payment service providers to "make reasonable efforts to recover the funds involved", for which PSPs can charge any contractually agreed fee; and Regulation 90 has been amended to enable liability to be imposed “where the payment order is executed subsequent to fraud or dishonesty” under the Payment Systems Regulator's arrangements explained above - but this does not provide a direct right of action for customers.

It's has since been accepted (e.g. in Larsson v Revolut) that the above duties which apply to banks in a payment scenario, also applies to other types of regulated PSPs (e-money institutions and payment institutions). 

In Larsson, the claim was against the receiving PSP with which the payer also happened to have an account, although that wasn't the account from which payment was taken. However, the court held there were no duties owed by the PSP of the payee ('receiving PSP') to the payer, but did preserve the (slim) possibility of arguing 'dishonest assistance in a breach of trust' such that a constructive trust may have arisen over the proceeds of the payment transaction. 

CPP v NatWest further considered the concept of a 'retrieval duty'. That claim was held to be time-barred in the case of the PSP of the payer; but not in the case of the PSP of the payee, which might owe the duty where: 

• it assumed a responsibility to protect the payer from the fraud; 
• it has done something which prevents another from protecting the payer from that danger; 
• it has a special level of control over that source of danger; or 
• its status creates an obligation to protect the payer from that danger. 

I could see claimants arguing that the presence of voluntary and mandatory APP fraud schemes lend weight to some of these factors, while PSPs arguing that those schemes should be disregarded as they only operate strictly within their own scope.

Unjust enrichment

Terna v Revolut involves a claim by the payer that the receiving PSP was 'unjustly enriched' when the payer instructed its own bank/PSP to pay funds to a third party account in the mistaken belief that it was paying a genuine invoice from an energy supplier. The payment went via a correspondent (intermediary) bank via a series of SWIFT inter-bank messages; and the funds disappeared from the third party account within hours of being credited by the payee's PSP (an e-money institution). 

For this type of claim to succeed, the payee's PSP must have benefited at the claimant's expense in a way that was 'unjust' and without any defence. 

When the payee's PSP received funds in its account with a correspondent bank, it issued e-money to the payee, so claimed that it had not benefited. Some first instance decisions are consistent with that, but established banking law holds that this is not a valid argument; and the court was not convinced that the position may be different with an e-money institution that must issue e-money on receipt of funds and safeguard the funds (which a bank does not have to do) because one safeguarding option involved investing the cash (not to mention insurance as another option). Instead, the court held, these facts might operate as a defence, but that could only be decided on a full trial.

On whether the PSP was unjustly enriched 'at the claimant's expense' the court held that SWIFT and CHAPS payments should be treated the same way; and these were potential instances of 'indirect benefit' rather than 'direct benefit'. Here, the court considered that an 'indirect benefit' is to be treated the same as a direct benefit, where there is agency or a 'set of co-ordinated transactions' and that both applied (contrary to an earlier High Court case of Tecnimont). The likely questions at trial, therefore, are whether the enrichment was 'unjust' and/or a defence applied. 

Fortunately, permission to appeal has been granted, so there's an opportunity to settle the difference of opinion between High Court judges. It's probably too much to ask, but in that event it would be helpful if the Court of Appeal were to add some guidance as to how it would treat claims of unjust enrichment in situations where other forms of payment services (and systems) are implicated. For example,  'money remittance' is defined in the PSRs to mean: 

"the transmission of money (or any representation of monetary value), without any payment accounts being created in the name of the payer or the payee, where— 

(a) funds are received from a payer for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee; or 

(b) funds are received on behalf of, and made available to, the payee.

Liability where funds are frozen or accounts suspended for regulatory reasons

Kopp v HSBC is another interim judgment, which involves a situation where the payer's bank suspended the payer's account following an anti-money laundering review that the payer argued had been carried out, preventing the payer making certain payments for which it then incurred liability to the payees under an indemnity, including ongoing interest. On an interim summary judgment application, the court held there was a triable issue as to whether the bank's liability clause ('buried' in the service terms) might fail to satisfy the reasonableness requirement under the Unfair Contract Terms Act (which also protect small businesses). That meant the court also refrained from deciding whether the clause in question excluded these heads of liability on the basis that they were not “direct loss of profit” or “other direct losses” or were expressly excluded as being “indirect or consequential loss (including lost business, data, profits or losses resulting from third party claims) even if it was foreseeable”.

Failure to safeguard customer funds

The extension of bank duties and potential APP fraud liability to all types of regulated PSPs (accepted in Larsson) sadly raises the prospect of the insolvency or a voluntary winding up of smaller e-money or payment institutions. 

This is relatively rare, since PSPs are required to have a certain amount of minimum capital (both by regulation and, where applicable, card scheme rules) and to manage their working capital to remain a going concern, unless and until they are fully 'wound-down'. 

However, sudden, unexpected losses could conceivably arise, particularly where there is poor record-keeping or other problems, such as dissipation of assets or perhaps a sudden, significant 'spike' in APP fraud for which it is at least probable that the PSP might be liable (a matter for directors to consider in the exercise of their duties). 

One consequence of APP fraud in this context would likely be that funds which ought to have been, or should have remained, safeguarded were not. The question would then arise whether the affected customer has a priority claim in the "asset pool" of the failed PSP. 

I recently explained the position in more detail in the context of the administration of UAB Payrnet in Lithuania. In the UK, an “insolvency event” (including a ‘voluntary winding up’) of the PSP triggers the creation of an “asset pool” of ‘relevant funds’ to be distributed by an administrator according to a specific hierarchy. The claims of e-money holders are to be paid in priority to all other creditors, with no rights of set-off or security applicable until the e-money holders have been paid. If funds should have been safeguarded according to the regulations but were not, national laws come into play within the overall intention behind the E-money Directive to achieve ‘maximum harmonisation’ of the e-money regime. 

In the case of Ipagoo a failed UK e-money institution, the UK Court of Appeal decided that the EMD did not require the UK to impose a statutory trust over the “asset pool” under UK e-money regulations (EMRs), so they don't impose or create a trust. Instead, the court held that the EMD requires all funds received by EMIs from e-money holders to be safeguarded, not merely those that had actually been safeguarded appropriately. Therefore, the “asset pool” must include both relevant funds that have been safeguarded in a compliant way as well as a sum equal to relevant funds that ought to have been, but had not been, safeguarded in accordance with EMRs, along with the “costs of distributing the asset pool” (including the costs of ‘reconstituting’ the asset pool in circumstances where relevant funds have not been safeguarded, as administrative costs associated with the asset pool itself).

Therefore, it might be claimed (possibly via a retrieval duty or unjust enrichment argument) that funds wrongly paid out should have remained safeguarded, though there is perhaps a question whether the payer qualifies as an 'e-money holder' or other 'user' for whom the institution holds relevant funds within the asset pool.

Conclusion

While the various court proceedings are proving somewhat helpful in revealing and resolving some of the uncertainty relating to where liability for APP fraud might sit, this is clearly a very slow and costly process. It would have been preferable for the Treasury, FCA and Payment Systems Regulator to have worked together more proactively to address the issue. With the change in government already heralding more attention being given to detailed issues, it is to be hoped that these are included.

Let me know if you need legal advice on any aspect, including possibly lobbying the new government to grasp some of the nettles via some form of regulatory action, to spare everyone a lot of time and expense...

New Insolvency Rules for UK E-money and Payment Institutions

The Payment and Electronic Money Institution Insolvency (England and Wales) Rules 2021 (SI 2021/1178) will come into force on 12 November 2021 (there is an explanatory memorandum). The new rules provide detailed operating provisions to support the special administration process for payment institutions and electronic money institutions governed by The Payment and Electronic Money Institution Insolvency Regulations 2021 (SI 2021/716) which came into effect on 8 July 2021 (there is also an explanatory memo relating to those regs).

Amongst other provisions, the new rules: 

• Require insolvency practitioners to provide a reasonable notice period before a claims bar date comes into effect. 
• Clarify the full hierarchy of expenses. 
• Require notice of a bar date to be given to all persons whom the administrator believes to have a right to assert a security interest or other entitlement over the relevant funds. 
• Require the special administrator to engage closely with payment systems operators during the special administration. 

The Government consultation response explains the evolution of this legislation.

E-money Institutions To Remind Customers About Safeguarding vs The Financial Services Compensation Scheme

The UK Financial Conduct Authority is still concerned that customers of electronic money institutions (EMIs) do not understand that any funds they hold in their e-money accounts are safeguarded, but not covered by the "Financial Services Compensation Scheme" (basically, the UK depositor protection scheme for banks, building societies and credit unions). Of course, if the bank where the EMI holds its safeguarding account were to fold then the bank account would be covered by the FSCS but that is a different matter. 

The FCA has written to EMIs asking them to write to their customers before 29 June 2021 to "remind them of how their money is protected through safeguarding and that FSCS protection does not apply." Firms may include a link to the FCA's explanation to help customers decide whether that level of protection is appropriate for their circumstances (e.g. EMIs cannot pay interest, so any balance you aren't likely to use in the near future may as well be moved to a bank savings account that does). The communication must be separate from any other messaging or promotional activity, and the method(s) of communication may vary based on the EMI's business model and customer base, including any vulnerable customers. 

EMIs must also review their financial promotions in this regard to ensure customers get enough information on the topic. Where the FCA is named in promotions that refer to matters the FCA does not regulate, it must be made clear that those matters are not regulated by the FCA (a wider issue for the FCA).

The FCA wants its letter brought to the attention of the EMI's board of directors, which is expected to have considered the issues and to have approved the action taken in response. 

The FCA has promised to assess the action taken by a sample of EMIs.

Please let me know if I can help.

 

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses to the questions relating to contactless payments should be answered by 24 February 2021, and on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

• create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
• limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
• add a requirement where a TPP continues to accesses account information where the customer does not actively request, the TPP will need to reconfirm the customer’s explicit consent every 90 days and disconnect access/stop collecting data if a customer fails to re‑confirm their consent.
  
• require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modifed customer interfaces for personal and SME ‘current accounts’ ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs.
• require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than 6 months in advance and that the requirement for a fallback interface should only take effect six months after launch.
• allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  
• amend the threshold at which SCA must be applied to a single payment from £45 to £100-£120 and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

• SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, so long as the final payment is reasonably within the amount the customer agreed to when authorising the payment and not higher by more than 20% and the customer has agreed to the possibility before authorising the original amount. 
• the payee’s PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the
  payer has acted fraudulently) the payer’s PSP would refund the customer and be entitled to reimbursement by the payee’s PSP.
• for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they ‘relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body.
  and any combination of these) but not other individual properties, such as spending patterns.
• the fraud rate calculation used to anyalyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017).
• the corporate exemption is applicable to cards or payment instruments that are ‘only
  available to payers who are not consumers’, i.e. only available to corporate customers.
• the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session), so a customer could authenticate the payment only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated).
• merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card‑based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee',
  where a payer has given a mandate to the payee/merchant for a transaction, or series of
  transactions, made using a card or other payment instrument then the payments
  initiated pursuant to this mandate are outside of the scope of SCA  That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate.
• in order to monitor the contactless exemption thresholds, firms use a counter that is either host‑based, on a device (which won't count offline transactions); or chip‑based, on the physical card, (which will count both online and offline transactions), but in either case firms should consider the risk of unauthorised or non‑compliant contactless transactions being made and monitor the effects of the option in practice.
  
• clarify that ASPSPs must share with payment information service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment). 
• reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA‑RT). 
  

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

• make the temporary Covid19 guidance on safeguarding permanent and to extend guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  
• include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  
• reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  
• reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
• clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
• update certain reporting requirements;
• reflect changes following EU withdrawal and the end of the transition period, and the application of our rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period. 

If you need assistance on any of these issues, please let me know.

New Insolvency Regime for UK E-money and Payment Institutions

A new insolvency regime is being introduced for UK e-money/payment institutions. Some recent administration cases have taken years to resolve. Of six cases, only one has so far returned funds to customers! Comments on the draft regulations are requested to pemisar@hmtreasury.gov.uk by 14 January, and on related rules (to be published by 17 December) by 28 January. I expect that the regulations/rules will be introduced fairly quickly thereafter – possible a few weeks, depending on the feedback received. These are based on a similar scheme for investment banks, so it should be ‘tried and tested’.  

The 'special administration regime' will have the following features:

• the special administrator must return customer funds as soon as reasonably practicable and engage with payment systems and authorities in a timely fashion
  
• a deadline for claims to be submitted to speed up the distribution process
• a mechanism to transfer customer funds to a solvent institution
• post-administration reconciliation to top-up or drawdown safeguarded funds
• provisions for continuity of supply of services, to minimise disruption
• rules for treatment of shortfalls in safeguarding accounts
• rules for allocation of costs.

Wirecard UK's Customers Should Get Their Money Back...

The sudden closure of Wirecard Card Solutions, the UK e-money institution, highlights confusion over whether customer's prepaid funds are protected. Here's a quick explanation. The Financial Conduct Authority also has published an explanation. If you have any queries about how these rules operate, please let me know.

The Financial Services Compensation Scheme (FSCS) covers bank deposits but not the 'electronic money' or other payment services offered by e-money institutions or payment institutions.  The Financial Conduct Authority’s guidance in its “Approach” to regulating such payment service providers states:

In providing customers with details of their service, PSPs and e-money issuers must avoid giving customers misleading impressions or marketing in a misleading way, e.g.:

- misleading as to the extent of the protection given by safeguarding

- suggesting funds are protected by the Financial Services Compensation Scheme, or displaying the FSCS logo

However, the actual funds that correspond to the electronic balance in an e-money institution's prepaid account, or the funds that a payment institution is handling in the course of executing payment transactions, must be 'safeguarded' in certain types of bank accounts ('safeguarding accounts') or be insured.

If the funds are held in the safeguarding account in accordance with the relevant regulations, then they form a 'pool' of money that is separate from the e-money or payment institutions own funds, and can be passed back to the customers who are entitled to them rather than be used to pay the institution's other creditors. This can take some time, however. The safeguarding process can also breakdown, for instance, where the institution mixes its own funds in those accounts, or moves 'relevant funds' to non-safeguarded accounts.

E-money and payment institutions are also required to ensure that their registered agents also safeguard relevant funds. Registered agents could include firms that issue prepaid debit/payment cards or otherwise operate prepaid card or e-money programmes on behalf of the e-money institution.

There remains the question of what happens in the event of a failure by the bank where the safeguarding account is held (as opposed to the failure of the e-money or payment institution that safeguarded its customers funds there, as in the Wirecard case).  In that event, there should be pass-through FSCS cover for the end-customers of payment institutions and e-money institutions because:

• there must still be recourse to assets to which the end-customer is beneficially entitled (their claim on the pooled safeguarding account), so as the underlying beneficiary the end-customer should have a claim for up to the £85,000 limit (extended in some cases for temporary high balances) against the FSCS (under Depositor Protection 6.3 in the Prudential Regulatory Authority Rulebook). This is the position in relation to funds held in bank accounts covered by the FCA's client money rules (CASS), as well as other non-financial trust fund arrangements such as those for law firms under the rules of the Solicitors Regulatory Authority.  The PRA made clear this applied to peer-to-peer lendingplatforms, albeit this was before the platforms became regulated, when they were generally operating trusts, so it would be surprising if this were different for payment services providers who are not banks.

• In addition, while they could not be entitled to be compensated twice, the principles of trust law should mean that customers would also be entitled to receive a proportion of any FSCS pay-out that the payment service provider receives as a customer of the bank in its own right in relation to the safeguarding account held in its name, according to the proportion that those customers’ funds bear in relation to the total amount held in the safeguarding account.

If you have any queries about how these rules operate, please let me know.

FCA To Issue Extra Guidance To E-money and Payments Firms On Safeguarding Customer Funds

The Financial Conduct Authority has issued a consultation on its proposed further guidance to firms issuing electronic money and other payment services on how they should avoid their customers' funds being taken by creditors if the firm goes under. Comments are required by 5 June 2020, and the final guidance will be sent to firms' chief executives by the end of June. 

The FCA asks four specific questions:

• ‘Do you agree that we should provide additional guidance on safeguarding, managing prudential risk, and wind-down plans? If not, please explain why.’

• ‘Do you agree with our proposed guidance on safeguarding? If not, please explain why.’

• ‘Do you agree with our proposed guidance on managing prudential risk? If not, please explain why.’

• ‘Do you agree with our proposed guidance on wind-down plans? If not, please explain why.’

Please let me know if you would like help understanding or responding to the guidance.

FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether  PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:

• from, or for the benefit of, a user for the execution of a payment transaction; 
• from a payment service provider for the execution of a payment transaction on behalf of a user; or 
• in exchange for electronic money that has been issued,

where they continues to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP.  A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.