Strong customer authentication (SCA) measures required by the second Payment Services Directive (PSD2) must in theory be in place by 14 September. SCA is generally required when a payer accesses a payment account online, initiates an electronic payment transaction or carries out an action through a remote channel with a risk of fraud.
Last month we reported that the FCA had agreed a plan with UK Finance for e-commerce transactions, and that it will not take enforcement action against firms that do not meet the requirements until 14 March 2021 provided they comply with the plan.
On a new webpage, the FCA has provided equivalent guidance for online banking.
Account servicing payment service providers (ASPSPs) must still provide third party providers (TPPs) with account data and payment functionality by 14 September, through application programming interfaces (APIs) or modified customer interfaces (MCIs).
However, where it has been providing access through APIs and not all payment accounts were accessible by 14 June 2019, an ASPSP should maintain existing screen-scraping channels and not apply SCA until 14 March 2020. When it provides access through an MCI, it can choose not to apply SCA until that date. The FCA also wants ASPSPs to use this time to adjust MCIs so they can support 90-day access without customers having to re-authenticate.
The adjustment period for online banking is thus shorter than for e-commerce transactions, and the scenarios for which the deadline is extended are circumscribed. During this period, ASPSPs should tell TPPs how they can access accounts, take appropriate steps to manage fraud risk and preferably allow TPPs that lack electronic identification and signature (eIDAS) certificates to use Open Banking ones.
Meanwhile, TPPs should move to API access (where available) as soon as possible and be open about their identities.
On 5 September 2019, the FCA published a speech given by Charles Randell, the Chair of the FCA, on the fight against investment fraud. In the speech Mr Randell acknowledged that investment fraud is one of "the most damaging" aspects of financial crime, which, he asserts, "has reached epidemic proportions" with a growing number of investors scammed out of their savings.
Mr Randell raised some questions about how the current system for combatting investment fraud could be improved. First, Mr Randell considered the role of policy makers and whether more could be done to embed thinking about the risk of investment fraud into the savings and investment policies that are made. He particularly highlighted that lessons could be learned from the way the pension freedoms policy was easily exploited by scammers, even though transferring out of a defined benefit scheme is “unlikely to be in the interests of the majority of pension scheme members.”
Second, Mr Randell considered the way financial services are promoted and queried whether more could be done to reduce the risk of confusion about which activities are regulated and protected and which activities are not. Mr Randell advised that “the financial promotions regime is ripe for re-examination” and the issue or approval of financial promotions should be made a regulated activity.
Finally, Mr Randell considered the role played by “corporate enablers” who allow consumers’ personal data to be misused or who promote advertisements for scams and therefore “profit” from the scam. As a minimum, Mr Randell expects these companies to take down suspected fraudulent content immediately when requested to do so by the authorities; and to use their extraordinary resources to work with law enforcement and regulators to develop algorithms and machine learning tools to identify potentially fraudulent content.
Mr Randell’s speech follows the collapse of London Capital & Finance (LCF), which promoted unregulated mini-bonds. In his speech, Mr Randell revealed that a large proportion of clients’ payments to the firm were spent on Google advertising to attract more customers.
It is possible that, had the suggestions made by Mr Randell been in place, particularly those around financial promotions and the role played by corporate enablers, the firm would not have operated without regulatory intervention for as long as it did.
In September the FCA delivered an update on its Brexit planning and preparation, in which we learned that it continues to plan for all potential outcomes, including no deal.
The main developments in the FCA's preparedness for Brexit include its work with the Treasury and the Bank of England to make EU financial services legislation effective in UK law from exit day, and the Temporary Transitional Power (TTP). The TTP gives the FCA the ability to delay or phase changes to regulatory requirements made under the EU (Withdrawal) Act 2018. The FCA, however, has said that it does not intend to exercise the TTP if to do so would be inconsistent with its statutory objectives.
While the FCA recognises UK firms have stepped up their preparations, it has also decided to step up its communication with firms to ensure they are aware of what they need to do for a no-deal Brexit. This will include running a series of digital adverts signposting to the FCA Brexit webpages, alongside the dedicated telephone line which it has set up to help with queries from firms.
With less than a month to go, it is understandable why the FCA is urging all firms to consider the implications of a no-deal Brexit and what that means for their contingency plans. Firms should use the time now to resolve any identified gaps in their plans and finalise their preparations as far as possible.
Following the publication of the European Banking Authority (EBA) Opinion on AML/CTF risks in prudential supervision (EBA-OP-2019-08), the PRA wrote to the CEOs of PRA-regulated firms subject to the CRR affirming that the PRA supports the EBA Opinion and "will continue to consider money laundering and terrorist financing (ML/TF) concerns" in its prudential assessments of firms. The PRA will also continue to consider the extent to which ML/TF concerns may have an impact on its prudential objectives and act on those concerns.
In the letter, the PRA sets out its expectations of firms and reminds firms that:
According to the Lloyd's Market Association's (LMA) Chief Risk Officers (CROs) Committee (the Committee), the top ranked risks for the Lloyd's market and its participants were "the bread and butter of risk management" and considered to be the greatest threats currently faced by the market.
Respondents to the LMA and PwC survey, which was published on 18 September, were asked to rank 25 risks on a scale from 5 (high risk) to 1 (low risk). The top 5 risks, which include pricing, target operation model (TOM) modernisation, change management and distribution management, were identified as fundamental rather than specific in nature.
The survey forms the culmination of market workshops, a detailed questionnaire and face to face interviews with risk, compliance and operations representatives across the Lloyd's market, and was conducted to:
Sustainability of delegated underwriting authorities
85% of respondents felt delegated underwriting authorities (DUAs) were potentially unsustainable in their current format.
Risks written through delegated authorities were said to account for approximately half of total gross premium written at Lloyd's, and this proportion is thought likely to increase.
The cost attached to operating delegated business was identified as the key risk in the sustainability of this business. The Committee commented that "improvements in data quality have potentially significant links with Insurtech that may help to support and answer" some of the challenges faced by delegated business. If this is the case, it would be worthwhile for the market to consider how it could best engage with, and attract talent within, Insurtech and the wider market more generally, if the sector is to remain competitive.
Pay UK published a call for information following a request from UK Finance for a new Faster Payments System (FPS) Rule that would see participants pay a volume-based fee to fund the reimbursement of 'no blame' customers under the Contingent Reimbursement Model Code for authorised push payment (APP) scams (the Code), i.e. customers who have been scammed when neither they nor any bank is to blame. Pay UK sought views on consumer benefits, competitive effects, the proportionality and practicality of the proposal and the use of the FPS Rules to support a voluntary initiative. Responses will be collected on 1 October and Pay UK expects to publish a decision on the request by the end of November.
The Payment Services Regulator (PSR) published a response paper following feedback it received about data in the payments industry. In the paper, the PSR highlighted a number of issues industry needs to manage. It also suggested it would work with Pay UK to explore opening up payments data for the development of new products. However, the PSR said it would do this cautiously in light of data protection concerns and might begin with synthetic rather than real information.
The FCA has updated its information web pages for FCA solo-regulated firms implementing the Senior Managers and Certification Regime (SMCR).
For Enhanced Firms, the FCA has provided additional information in relation to Form K (Conversion Notification), the form that firms must submit notifying the regulator of which currently approved individuals should be converted to a mapped senior management function (SMF). Firms must submit Form K by 23.59 on 24 November 2019 and it is now available on Connect, under the ‘Approved persons’ tab.
In addition, the FCA has provided new information setting out how SMCR will apply to sole traders, confirming that sole traders will be limited scope firms and the SMFs that will apply are SMF29 (the Limited Scope Function) and SMF16 (the Compliance Oversight function). The SMCR and conduct rules will not apply to a sole trader as an individual and therefore they do not apply to sole traders without employees. Sole traders with employees may have a governance structure, i.e. with a formal governing body such as a Board, in which case the same SMFs apply as for firms in the Core SMCR category. Employees will be subject to the certification regime and the conduct rules.
The FCA also highlights that the SMF3 (Executive Director Function) extends beyond members of the governing body and includes "a person in accordance with whose directions or instructions (not being advice given in a professional capacity) the directors of that body are accustomed to act."
The updated webpages are:
The FCA has published a new webpage on its Directory of financial services workers. The Directory aims to:
The Directory will include the details of:
Banks, building societies, credit unions and insurance companies must submit their data between 9 September 2019 and 9 March 2020. All other firms must submit their data between 9 December 2019 and 9 December 2020.
On 3 September 2019, the Banking Standards Board (BSB) published its final Statement of Good Practice on regulatory references under SMCR.
The final guidance follows the BSB’s consultation on the draft guidance, published in January 2019.
The BSB's guidance is based on a set of three high-level principles of proportionality, fairness and consistency. The purpose of these principles is to help firms navigate a range of significant considerations when reviewing regulatory references, including their legal and regulatory obligations and more ethical principles such as transparency of process, and consideration of the importance of a regulatory reference to an individual’s career and livelihood.
The guidance focuses on “regulatory references in relation to candidates for certification functions in the banking sector”; however, parts of it may also be relevant to candidates for SMFs, notified non-executive director functions and other individuals subject to SMCR.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2019. Specific advice should be sought for specific cases.