Trends In Digital Regulation

There are so many initiatives designed to control the digital world that I'm struggling to keep track. 

There's also plenty of overlap and commonality in the issues and regulatory solutions, as well as the digital environments and problems the solutions seek to address. 

So I put together a few slides for ready comparison. 

Interesting to see what leaps out...

Trends in Digital Regulation from Simon Deane-Johns

Brexit Britain To Gold-Plate 5th EU Money Laundering Directive

Anyone who still dreams that Brexit spells the end of the UK's ménage à trois with bureaucracy and regulation must read the Treasury's plans to implement the fifth EU directive on anti-money laundering.

The UK has always created an EU rod for its own back not only by adding its own weight to the regulatory burden, but also by effectively insisting on literal interpretation of EU law that was only intended to be construed according to its purpose.

This results in directives having a broader impact than they would otherwise have done (known as 'regulatory creep'), saddling British businesses - and ultimately British consumers - with costs they could otherwise avoid.

That is not to say that the UK's approach is always wrong - or is necessarily wrong on this occasion - but the 'blame' for this approach should land in Westminster not Brussels.

In this case, the government proposes to amend the The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs") in the ways I've summarised below. Responses to the consultation paper are due by 10 June 2019 and new regulations must take effect in the UK by 10 January 2020.

Tax advisors

• The definition of “tax advisor” in the MLRs to include firms and sole practitioners who by way of business provide, directly or by way of arrangement with other persons, material aid, assistance or advice about the tax affairs of other person.

 Letting agents

• There are numerous options for applying the MLRs to letting agents.

 Cryptoassets

• The MLRs will apply to service providers engaged in exchange services between cryptoassets and fiat currencies, and wallet providers in a way that includes exchange tokens, security tokens and utility tokens and so would also capture crypto-to-crypto exchange service providers; peer-to-peer exchange of both fiat-to-crypto and crypto-to-crypto between prospective “buyers” and “sellers”); cryptoasset ATMs; issuance of new cryptoassets (including ICOs); and the publication of open-source software (which includes, but is not limited to, non-custodian wallet software and other types of cryptoasset related software).

 High Value Dealers

• High value dealers are to include art intermediaries for transactions exceeding €10,000, including art galleries, auction houses and free ports/zones (currently none in the UK) regardless of whether they are paid for in cash (raising many questions in the consultation).

 E-money

• Exemptions for low value e-money instruments will be narrower, as all of the following conditions must be met: the maximum amount that can be stored electronically is €150; it either can't be reloadable or must have a maximum limit on monthly payments of €150 which can only be used in that Member State; used exclusively to purchase goods and services; can't be funded with anonymous e-money; and any single cash redemption or remote payment cannot exceed €50. In addition, EEA acquirers can only accept payments made with anonymous prepaid cards issued in non-EEA countries that impose equivalent AML requirements; and Members States may prohibit payments carried out using anonymous prepaid cards.

E-identification services

• The new requirement for electronic identification processes is for them to be “regulated, recognised, approved or accepted at national level by the national competent authority” which raises questions about which forms in the UK are implicitly within scope.

Companies and officers

• Firms will be required to determine and verify the law to which a body corporate is subject, its constitution and the full names of the board of directors and the senior persons responsible for the operations of the body corporate.

Where beneficial owner cannot be identified

• If a firm has exhausted all possible means of identifying the beneficial owner of a body corporate and hasn’t succeeded, the firm must keep written records of its actions, but such firms will now need to take further measures to verify the identity of the senior person in that body corporate and keep written records of those actions.

Understanding the customer's business/structure

• Firms will be required to understand the nature of their customer’s business and its ownership and control structure (rather than just being required to take "reasonable measures" to do so).

Filing SARs when due diligence fails

• Firms must cease transacting and file a suspicious activity report (SAR) when they cannot apply their due diligence or additional or enhanced measures.

Proof trust/company register was searched

• Firms must also collect proof of registration or an excerpt of the register from the company or the trust that is subject to beneficial ownership registration requirements before a new business relationship is established.

Apply due diligence when beneficial ownership must be reviewed

• Firms must apply due diligence when they have any legal duty in a calendar year to contact the customer for reviewing their relevant beneficial ownership information.

Enhanced due diligence where high risk countries involved

• Firms must apply a newly defined set of enhanced due diligence measures, and monitoring, to business relationships and transactions involving high-risk third countries.

Lists of PEP functions to be taken into account

• The responsibility to apply enhanced due diligence on Politically Exposed Persons (PEPs) will be able to be be discharged by applying the FCA’s July 2017 guidance on how firms should take into account a list of functions in determining whether an individual is a PEP for the purposes of the MLRs.

Information on beneficial owners to be publicly available

• The government must ensure that information on the beneficial ownership of corporate and other legal entities is accessible by members of the general public and “mechanisms” must be in place to ensure that the information held on the central register is adequate, accurate, and current; while the UK must also take appropriate actions to resolve any reported discrepancies in a timely manner and, if appropriate, include a specific mention in the central register in the meantime.

Trusts to be registered

• Trustees or agents of all UK and some non-EU resident express trusts must register those trusts with the Trust Registration Service, whether or not the trust has incurred a UK tax; and the government must share data from the register with a range of persons under certain circumstances.

Bank account registries

• The UK must establish a centralised registry or online retrieval mechanism which allows identification of natural and legal persons who hold or control bank accounts; payment accounts; or safe-deposit boxes held by credit institutions within the UK - including names and account/identification numbers.

Pooled client accounts of unregulated operators

• The government wants further evidence on the administration of checks relating to the use of pooled client accounts (PCAs) under the MLRs, especially those held by non-regulated businesses and any evidence of abuse; and the practical barriers industry face in implementing the current framework and it could be 'enhanced'.

AML risk assessments for new products, practices and channels

• Firms will need to undertake AML risk assessments prior to the launch or use of new products, new business practices and delivery mechanisms.

Provision of Information by branches and subsidiaries

• Firms must have policies relating to the provision of customer, account and transaction information from their branches and subsidiaries.

The UK will not require that "whenever a customer makes their first payment involving a designated high-risk third country, that payment is carried out through an account in the customer’s name with a credit institution subject to the Directive’s customer due diligence standards."

The EU Boosts Consumer Protection For The Digital Age

Next week, the European Parliament will significantly boost consumer protection in the EU by approving changes to 4 directives on consumer rights. Member states will have 2 years from publication in the Official Journal to implement the changes. The Enforcement and Modernisation Directive amends:

• The Unfair Commercial Practices Directive (implemented in the UK by the Consumer Protection from Unfair Trading Regulations 2008);
• The Consumer Rights Directive (implemented in the UK by the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013);
• The Unfair Contract Terms Directive (implemented in the UK by the Consumer Rights Act 2015);
• The Price Indications Directive (implemented in the UK by the Price Marking Order 2004). 

Online traders and marketplaces. 

There are new information obligations for online traders and marketplaces. These include pre-contract disclosure obligations for online marketplaces; and failure to include the information in an invitation to purchase is both a misleading omission and a blacklisted commercial practice (in some cases for all traders and in some cases just for online marketplaces). 

Traders must provide the criteria used to rank search results (a misleading omission for all traders offering search facilities, and required pre-contract information for online marketplaces). Failure to clearly indicate that search results have been paid for is a blacklisted commercial practice. 

The trader must state whether it verifies reviews (and, if so, how). Submitting fake reviews is a blacklisted commercial practice. 

The status of the seller must be disclosed (a misleading omission and pre-contract information requirement for online marketplaces). 

Whether the consumer will benefit from consumer protection law and how contractual obligations are divided between the seller and the online platform are pre-contract information requirements for online marketplaces. 

All traders must state whether there is any personalisation of the price on the basis of automated decision-making.

Dual Quality Products

The practice of selling dual quality products can be deemed misleading, i.e. where the product is marketed in one member state as being identical to the goods marketed in other member states, while the composition or characteristics are significantly different (unless justified by legitimate and objective factors). Dual quality has been identified as an issue in fish fingers, instant soup, coffee, soft drinks, detergents, cosmetics and baby products.

 

Ticket bots

There is a ban on the use of ticket bots to bulk buy tickets for resale (a practice already dealt with in UK legislation).

Digital services and good with digital elements

To align the Consumer Rights Directive with the draft Digital Content Directive there are new definitions of “digital services” and “goods with digital elements”. These are caught even where they are provided only in exchange for personal information; and there are provisions dealing with the use of personal data and user generated/contributed content after cancellation.

Communicating with traders

 

Traders must provide pre-contract information about online means of communication including use of chat bots or other technology (but reference to fax numbers is deleted) and the technology must enable the consumer to store any written correspondence, including the date and time, on a durable medium. But where the trader is contracting via means with limited time or space to communicate (e.g. text) the trader need not provide the model withdrawal form.

Reference prices for discounts

Any reference price used to indicate a discount must have been in use for at least a month (subject to  exceptions/derogations.

Complaints/redress

The European Commission must use the single digital gateway to inform consumers of their rights and enable them to submit cases to the Commission’s Online Dispute Resolution Platform. Consumers will also have new rights to seek redress directly from traders

Penalties for breach

Member states must impose penalties for breaches of the national consumer protection law implementing the amendments, including the ability to fine businesses up to 4 % of the trader’s annual turnover in the member state or member states concerned, or, if turnover information is not available, up to at least €2 million. 

Where national law may differ 

The Unfair Commercial Practices Directive and the Consumer Rights Directive are 'maximum harmonisation' directives, meaning member states cannot depart from them except in ways that are expressly permitted ('derogations').  New permitted derogations (provided they are proportionate, non-discriminatory and justified by consumer protection) relate to:

• Online marketplaces: member states can impose further information obligations on these; 

• Contracts concluded as a result of unsolicited home visits or excursions organised by a trader: a longer cancellation period for contracts agreed in these situations, from 14 to 30 days; and/or removing exceptions to the right to cancel where the services begin early with the consumer’s consent, the price depends on fluctuations in the financial market, the goods are made to the consumer’s specification or clearly personalised or the goods are sealed for health or hygiene reasons have been unsealed;

• Solicited visits for home repairs:  the consumer's right to cancel can be removed for contracts involving repairs carried out on a solicited home visit where certain conditions are met.

E-commerce Marketplaces, Commercial Agents and PSD2

E-commerce marketplaces are now common in most sectors, enabling suppliers and consumers of all types of goods and services to find each other, contract directly, pay or be paid, arrange delivery and download their transaction data. But action being taken by some payment service providers (PSPs) suggests that many marketplace operators who offer this service in the European Economic Area may not have realised that the payment step needs to be structured in a way that avoids the need for the operator to be authorised by an EEA financial regulator as a payment institution or e-money institution under the Payment Services Directive or E-money Directive (depending on whether the supplier or customer is able to hold a balance in their 'account').

Some financial regulators, like the UK's Financial Conduct Authority, take the view that offering a payment service or e-money service has to be the operator's regular occupation or business in itself to fall within the scope of the PSD or EMD in the first place (the "business test"), although the payment step would need to be a small, ancillary part of the service offered and this is open to interpretation. But less pragmatic or experienced regulators around the EEA might apply the Directives simply because the operator is running a business of any kind. 

This means operators should err on the side of structuring their activities to avoid holding balances and to take advantage of an exclusion under the Payment Services Directive (e.g. for commercial agents authorised to negotiate or conclude contracts on behalf of either the payer or payee); or involve a PSP to handle the receipt and distribution of funds (or become the registered agent of a PSP). 

Other exclusions under the PSD or EMD may also be helpful. But even relying on an exclusion can be somewhat tricky because the interpretation of exclusions can vary from regulator to regulator across the EEA; and there is no 'passport' for one regulator's interpretation as there is for regulated PSPs who can offer their service across the EEA from under authorisation in their home member state. 

That means an operator should seek legal advice on how to structure its activities appropriately under the law of its home EEA member state; and if that involves relying on the local regulator's interpretation of the business test or an exclusion, the operator should check that analysis works under the law of each member state where the operator has a presence or significant numbers of participants (whether suppliers or their customers).  Acting on formal legal advice should also make it less likely that a regulator will take action for acts or omissions consistent with that advice, although it will not necessarily stop a regulator requiring a different structure going forward.

Preparing for the FCA's Senior Managers & Certification Regime (SM&CR)

The FCA has published its finalised guidance on statements of responsibilities (SoRs) and responsibilities maps for FCA firms under the senior managers and certification regime (SM&CR), which will be extended to all FCA authorised firms on 9 December 2019.

Under the extension of SM&CR, all senior managers of FCA-regulated firms are required to have an SoR setting out their responsibilities and certain firms must have a responsibilities map showing how their firm is managed and governed.

The guidance explains the purpose of the SoRs and responsibilities maps, questions for firms to ask themselves, and examples of good and poor practices. 

Firms will also likely need some additional clauses in their employment/directors’ services contracts for senior managers. 

Time To Get Excited About... The SM&CR!

The FCA has produced a webpage to explain the extension of the "Senior Managers and Certification Regime" (SM&CR) from banks etc. to all FCA-regulated firms from 9 December 2019. 

The SM&CR replaces the "Approved Persons Regime" because it's a bit embarrassing that no senior managers went to jail for their part in the financial crisis and the FCA needed to show that was just because they needed new powers  it lacked 'teeth'.

There's even a video 'explaining it' in full corporate jargon for those who want to sound really important when talking about SM&CR but not actually say anything meaningful about it. 

You can work out the type of firm yours is and how SM&CR will affect you using a marvellous "firm checker" decision tree; or a snappy 76 page guide. 

The FCA believes the impact this regime will have is "profound"...

FCA Proposes Guidance On CryptoAssets

The FCA is consulting on new guidance as to when cryptoassets would be regulated, along with a new webpage on the topic. 

The guidance considers when cryptoassets might be specified investments (or out of scope), payment services and/or e-money services - giving context and examples.

Consultation ends on 5 April 2019. 

The Treasury is soon to consult on legislation to extend the FCA's jurisdiction to cover certain cryptoassets; and the FCA aims to publish a policy statement in September, based on its current consultation.