Monday, 18 February 2019

Time To Get Excited About... The SM&CR!

The FCA has produced a webpage to explain the extension of the "Senior Managers and Certification Regime" (SM&CR) from banks etc. to all FCA-regulated firms from 9 December 2019. 

The SM&CR replaces the "Approved Persons Regime" because it's a bit embarrassing that no senior managers went to jail for their part in the financial crisis and the FCA needed to show that was just because they needed new powers - it lacked 'teeth'.

There's even a video 'explaining it' in full corporate jargon for those who want to sound really important when talking about SM&CR but not actually say anything meaningful about it. 

You can work out the type of firm yours is and how SM&CR will affect you using a marvellous "firm checker" decision tree; or a snappy 76-page guide.

The FCA believes the impact this regime will have is "profound"...


Sunday, 27 January 2019

FCA Proposes Guidance On CryptoAssets

The FCA is consulting on new guidance as to when cryptoassets would be regulated, along with a new webpage on the topic.

The guidance considers when cryptoassets might be specified investments (or out of scope), payment services and/or e-money services - giving context and examples.

Consultation ends on 5 April 2019. 

The Treasury is soon to consult on legislation to extend the FCA's jurisdiction to cover certain cryptoassets; and the FCA aims to publish a policy statement in September, based on its current consultation.


Friday, 4 January 2019

#PSD2: An Account Information Service Is Not Really A Payment Service

There are good reasons why an "account information service" (AIS) became a regulated "payment service" under the not-so-new Payment Services Directive (PSD2). Chief among them was retail banks' decades-long refusal to allow retailers and other unregulated service providers access to the data in their antiquated systems at all, let alone seamlessly via 21st century "application programming interfaces" (APIs) that are now commonplace. Resolving those concerns sparked formal registration and other complex regulatory and technical requirements on service providers wishing to enable the sharing of payment data (AISPs), including a lot of unfortunately necessary detail in the Directive about customer authentication and information security. Yet years after PSD2 was set in stone, confusion still reigns over exactly what an AIS actually is or is not, both as defined in local payments regulation implementing PSD2 and how such services work commercially - especially because an AIS rarely stands alone...

The FCA is doing its best to clarify the regulatory scope of an AIS, including confusion about who might be the AISP, when a firm would require formal registration as an agent and how to benefit from the exclusion for 'technical service providers' (see Q25A of its Perimeter Guidance on payment services). But those issues are merely the tip of the iceberg.

The major problem is that an AIS is primarily a data service (and one which involves personal data at that). This means an AIS attracts the need for several sets of regulatory consents and specific information to be included in customer contracts, as well as the typical series of contractual licences to receive and use the data itself. 

The challenge to getting all this right is that it's rare for payments regulatory specialists to know very much about data licences, or for lawyers who specialise in data licensing to know anything about PSD2. It still feels strange to me to have spent a career on both sides of that divide - veering from financial information service licensing at Reuters, to e-commerce specialist at DLA, to payments specialist at Earthport, to P2P lending at Zopa (which involved licensing of user-generated content and market data) and back to payments at Amazon and WorldPay. And even though I've also continued to advise private clients on all types of services since 2005, there's still very much a sense of 'switching hats' when working through the various issues. 

So what are they?

Regulatory requirements for an AIS

From a regulatory standpoint the multiple sets of rights needed to supply an AIS include:  
  • explicit consent from the customer for the supply of the AIS itself (under payments regulation) - note that that 'customer' does not include a third party with whom the customer wants to share the data; and
  • under data protection regulation, explicit consent (or some other legitimate basis) for the collection, processing, sharing etc of the data itself, to the extent required to deliver it to a third party - as well as for the processing etc of that data by the third party (which may be tackled via the third party's own privacy policy and data consents).
In addition, payment services regulation specifies certain information that must be included in either an ongoing or single use service contract with the customer.

Meeting these requirements is complicated by the fact that the customer is also likely to be using the AISP's platform to receive and share data from other types of personal account that are not regulated. So the payment-specific regulatory requirements have to be met within a context where unregulated data services are also being provided.

Commercial requirements

From a commercial standpoint, there are numerous copyright licensing issues to consider regardless of whether the data being shared comes from a payment account or some type of unregulated account. Indeed, the data being contributed and shared could come from the customer herself (user-generated information or 'UGC'). Even the information coming from the user's accounts with third parties is effectively user-generated, particularly in terms of whether the service provider takes responsibility for its accuracy and so on.

These licensing issues must also be considered in terms of what licences are required 'upstream' from the customer, the service provider and any sources of data, as well as downstream licences - and usage restrictions - from the standpoint of the service provider, the customer and third parties receiving the data. These licences are likely to be reflected in an array of different contracts, including customer terms and commercial agreements. Appropriate disclaimers, exclusions and limits on liability must also be considered.

This is where the sanity of specifically regulating payment account information services becomes questionable, as some of the typical commercial requirements may conflict with the liability and information requirements relating to an AIS, in which case it would need to be 'carved-out'.

Conclusion

These are not the only issues related to the supply of account information services or other data services, but they do illustrate the complex challenges arising from the fact that AISPs had to be subjected to regulation for banks to cooperate with them, and yet an AIS involves the supply of data in a way that other regulated payment activity does not, often in combination with other data services.


Thursday, 27 December 2018

Is Your Financial Services Provider Ready For A #NoDeal Brexit?

With a 'No Deal' Brexit now central to Tory government strategy, it's critical to ensure the right financial contingency plans are in place for a 'cliff edge' exit with no transition period from 29 March 2019. Unfortunately, however, the European Banking Authority says it is seeing "little evidence of financial institutions communicating effectively to their customers on how they may be affected by the UK withdrawal" and those institutions' Brexit arrangements. So customers have to question their providers about those arrangements. Here's a quick guide to steps those institutions might take, depending on whether they are based in the UK or elsewhere in the EEA... if you do not receive credible, satisfactory commitments to service continuity from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.

EEA-based firms supplying services into the UK

These firms will have a short window ahead of Brexit day in which to seek temporary regulated status:
  • temporary permission to continue operating in the UK for a limited period after Brexit if they currently passport into the UK under the Financial Services and Markets Act 2000 (FSMA) or the e-money or payment services regimes;
  • temporary recognition if they are third country central counterparties; or
  • temporary registration if they are EU-registered trade repositories. 
If EEA-based firms carry out operations in the UK after Brexit in reliance on EU legislation without entering into these temporary regimes, they may be carrying on regulated activities in the UK without appropriate permissions, which would be a criminal activity and/or mean they cannot meet their contractual obligations.

EEA firms that do not gain full authorisation through the temporary regimes can only continue to carry out new business to the extent necessary to 'run-off' pre-existing contractual obligations in the UK for five years (15 years for firms performing obligations under insurance contracts). They cannot undertake new business or agree new contracts with UK customers. A "supervised run-off" arrangement applies to those firms with a UK branch, firms who enter a temporary regime but exit it without UK authorisation and firms that hold top-up permissions before Brexit. A "contractual run-off" regime will apply to firms without a UK branch that do not enter a temporary regime or do not hold a top-up permission; and will apply for the purposes of winding down UK regulated activities in an orderly manner. Firms with a UK establishment will retain their existing membership of the Financial Services Compensation Scheme.

A run-off regime for payments firms and e-money firms that do not enter the temporary regime or leave it without full UK authorisation will apply for five years, either on a supervised or contractual basis (though the FCA can require supervised run-off for firms to demonstrate they are safeguarding client funds). 

A run-off regime will apply for non-UK Central Counterparties that are eligible for, but do not enter, the temporary recognition regime, for a period of one year starting on exit day. If a non-UK CCP entered the temporary recognition regime but exits it without the necessary permanent recognition, the Bank of England will determine a non-extendable period for recognition up to a year. 

There will also be a run-off regime for trade repositories that are removed from the temporary registration regime without the necessary permissions to continue to provide services to UK firms, for a non-extendable period of one year, unless the FCA sets a shorter period. 

UK firms dealing with EEA residents

The FCA has suggested that UK financial services providers consider the following questions ahead of Brexit. If the answer is 'Yes' to any of them, then the service provider should understand the legal basis for that scenario and whether another basis is necessary after Brexit - including additional regulatory permissions or a new subsidiary with the right authorisation or agency and necessary permissions in a remaining EEA member state:
  • Do you currently provide any regulated products or services to customers resident in the EEA? For example, you might provide financial advice to EEA based customers. Or you might have insurance contracts either with EEA based customers or which cover risks located in the EEA which require regulatory permission in that country in order to be serviced. 
  • Do you have customers or counterparties based in the EEA, including UK expatriates now based in an EEA country? 
  • Are you marketing financial products in the EEA? This includes products marketed on a website aimed at consumers in the EEA. 
  • Do you have agents in the EEA or interact with any intermediary service providers in the EEA? For example, you may use an insurance intermediary to distribute products into the EEA. 
  • Does your firm transfer personal data between the UK and the EEA or vice versa?
  • Does your firm have membership of any market infrastructure (trading venues, clearing house, settlement facility) based in the EEA? 
  • Are you part of a wider corporate group based in the EEA, or does your firm receive any funding from an entity in the EEA? 
  • Do you outsource or delegate to an EEA firm or does an EEA firm outsource or delegate to you? 
  • Are you party to legal contracts which refer to EU law?
There will now be insufficient time for any provider to get a new authorisation in another EEA member state, and even setting up an agency relationship would be very tough to do within the next few months.

Firms should be informing clients about issues such as:
  • the implications of Brexit on the specific services they provide and the implications for the relationship between the client and the firm;
  • the actions taken by the firm to prevent or detect problems, including how they will deal with client inquiries, changes in competent authorities or protection under national compensation schemes;
  • the implications of any corporate restructuring, including changes to contractual terms or contract transfers;
  • other impact on contractual and/or statutory rights, including the right to terminate existing contracts and cancel new contracts, and any rights of recourse and how to pursue them. 
If you do not receive credible, satisfactory assurances of service continuity post-Brexit from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.


Thursday, 20 December 2018

FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:
store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.
The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:
"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."
For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):
(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—
(i) allow the holder to acquire goods or services only in the issuer's premises;
(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;
(iii) may be used only to acquire a very limited range of goods or services; or
(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that, while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), the "holder" is often a different person who later uses the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).

While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is therefore not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer are a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and the programme needs to be registered.


Monday, 19 November 2018

Brexit Spells End To Cross-Border Interchange Fee Caps

UK consumers will lose another layer of protection after Brexit when dealing with EEA-based suppliers, as the government will no longer cap interchange fees where either the merchant's acquirer or the payment card issuer is based outside the UK. This follows the erosion of other consumer protection measures for UK consumers buying from suppliers in the remaining EEA countries.

The proposed changes to the UK Interchange Fee Regulations for Brexit purposes would take effect on 30 March or end December 2020 (depending on whether there is a Withdrawal Agreement and related transition period). Among other things, the proposed Regulations:
  • Limit the scope of the Regs from the EEA to the UK to transactions that take place only within the UK (both the acquirer and the card issuer are located in the UK), so cross-border card payments between the UK and the EEA will no longer be within scope of either the UK or EU interchange fee regs (i.e. payments made within the UK will continue to have caps on interchange fees, while payments where either the acquirer or the card issuer is based outside the UK (including in the EEA) will no longer be subject to the caps); and
  • Allow for regulations setting lower caps on UK debit and credit card transactions, and a maximum cap for UK debit card transactions.


Monday, 12 November 2018

Use It Or Lose It: The UK Temporary Permission (Passport) Regime


Notifications to the FCA must be made by submitting the Temporary Permission Notification Form containing the necessary information via the FCA's "Connect" system between 7 January and 28 March 2019.

Firms that have not submitted a notification during that period will not be able to use the TPR.

The FCA told Parliament in 2016 that there are 8,008 EEA firms holding 23,532 passports covering their UK financial services offerings.