Friday, 10 September 2021

UK Diverging from EU on Strong Customer Authentication?

As someone who's trying to maintain a financial regulatory practice on both sides of the Irish Sea, I'm watching the Brexidiots like a hawk to spot divergence, particularly in areas that used to require maximum harmonisation, like e-money & payment services. So it's awkward that the FCA recently said that it will not include in its own guidance the European Banking Authority's views on features that would or wouldn't meet the test of 'inherence' in relation to strong customer authentication, but won't yet say why.

Strong (or 'two factor') authentication is the security feature that confronts users when they initiate a bank transfer, for example. It should already have been applied in relation to e-commerce payments, but regulators have repeatedly agreed to kick that can down the road to allow online merchants to prepare. The latest UK deadline is 14 March 2022. 

There are actually three potential factors in strong customer authentication, of which only two need to be applied: Inherence (something the user is), Knowledge (something only the user knows) and Possession (something the user possesses).

In an effort to be helpful, the EBA opinion of June 2019 (paras 17-23) went into some detail as to what features satisfy each factor, with Inherence being perhaps the hardest to pin down since it's an area of fast-moving technological development in biometrics etc. 

By refusing to say why it won't incorporate the guidance, the FCA is perhaps hedging its bets as to whether the EBA's view is outdated or will be rolled back. But not to say whether it agrees or disagrees is hardly helpful to those trying to develop and test a solution to go live by 14 March.

 

Monday, 12 July 2021

'Slight Delay' To EU Crowdfunding Regulation

The European Securities and Markets Authority has written to the European Commission urging clarification of some important interpretation issues relating to the EU Crowdfunding Regulation and suggesting a 'slight delay' to the proposed implementation date of 10 November 2021. ESMA says the delay would ensure that all the key technical standards are available to applicants and national authorities. I have summarised the letter for Leman Solicitors.

Let me know if you need assistance with any application for authorisation.

 


Friday, 25 June 2021

Payment and E-money Institution Insolvency Regulations Take Effect On 8 July

As covered in December, the Payment and Electronic Money Institution Insolvency Regulations 2021 were passed on 17 June and take effect on 8 July 2021.

While the Regulations mainly deal with an insolvency scenario, it’s worth noting there is also provision for the Financial Conduct Authority to seek a special administration merely where that is ‘fair’ (see Regulation 9(1)(b) and 9(3)). This might assist in cases where the institution is solvent but otherwise proving difficult.

Please let me know if I can help.

Monday, 24 May 2021

Deadline For SCA On E-commerce Transactions Slips Again

Once upon a time, the second Payment Services Directive mandated the introduction of 'strong customer authentication' (SCA) - also known as 'two factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions from 14 September 2019. But fear that consumers will abandon online transactions, lack of industry preparation and then the pandemic have seen this rather battered can being kicked steadily further down the road. The UK's Financial Conduct Authority has now declared the latest 'deadline' to be 14 March 2022.

This time it might be serious.


Wednesday, 19 May 2021

E-money Institutions To Remind Customers About Safeguarding vs The Financial Services Compensation Scheme

The UK Financial Conduct Authority is still concerned that customers of electronic money institutions (EMIs) do not understand that any funds they hold in their e-money accounts are safeguarded, but not covered by the "Financial Services Compensation Scheme" (basically, the UK depositor protection scheme for banks, building societies and credit unions). Of course, if the bank where the EMI holds its safeguarding account were to fold then the bank account would be covered by the FSCS but that is a different matter. 

The FCA has written to EMIs asking them to write to their customers before 29 June 2021 to "remind them of how their money is protected through safeguarding and that FSCS protection does not apply." Firms may include a link to the FCA's explanation to help customers decide whether that level of protection is appropriate for their circumstances (e.g. EMIs cannot pay interest, so any balance you aren't likely to use in the near future may as well be moved to a bank savings account that does). The communication must be separate from any other messaging or promotional activity, and the method(s) of communication may vary based on the EMI's business model and customer base, including any vulnerable customers. 

EMIs must also review their financial promotions in this regard to ensure customers get enough information on the topic. Where the FCA is named in promotions that refer to matters the FCA does not regulate, it must be made clear that those matters are not regulated by the FCA (a wider issue for the FCA).

The FCA wants its letter brought to the attention of the EMI's board of directors, which is expected to have considered the issues and to have approved the action taken in response. 

The FCA has promised to assess the action taken by a sample of EMIs.

Please let me know if I can help.

 

Monday, 17 May 2021

The FCA's New 'Consumer Duty'

The UK's Financial Conduct Authority is consulting on the introduction of a new "consumer duty" that will apply to regulated firms in relation to their regulated activities by 31 July 2022. This follows the report on a previous consultation in April 2019. The FCA is holding a webinar on the proposals on 10 June 2021; and comments will be open until 31 July 2021. The rules would be consulted on by 31 December 2021. Please let me know if I can help.

Broadly, this would require firms to act in ways that enable retail customers to obtain the outcomes they should be able to expect from the firm's products and services, rather than to hinder customers obtaining those outcomes. This effectively puts firms (and, significantly, the FCA) in the customers' shoes. 

This may require some firms to radically alter their culture and behaviour to focus on consumer outcomes, and on putting customers in a position to act and make decisions in their own interests.

There will be three elements to the new duty:

  • A new consumer principle: "a firm must act in the best interests of retail clients" or "a firm must act to deliver good outcomes for retail clients". 
  • Broad rules that would require firms to take all reasonable steps to avoid foreseeable harm to customers and enable customers to pursue their financial objectives; and to act in good faith.
  • More detailed rules and guidance on firms' conduct relating to four specific outcomes: communications; products and services; customer service; and price and value. 

The FCA is also consulting on the potential benefits of attaching a private right of action to the new duty, and what any unintended consequences of this might be. 

Critics of the FCA's approach to consumer outcomes in the wake of various 'scandals' over the years will be hopeful that this new duty will see the FCA aligned with consumers, rather than tending to protect its own reputation, the 'financial services industry' and the firms it regulates.


Monday, 19 April 2021

Make Cosmetic Changes to Your Consumer Credit Pre-contract Information Notices by 1 June 2021 - or Else!


One of the joys of Brexit is the need for consumer credit providers to make some cosmetic changes to their pre-contract information notices by 1 June 2021, to avoid having to get a court order to enforce the documents. The FCA explains the very minor but important changes here.