In late June, the European Banking Authority (EBA) published an opinion allowing national regulators to work with payment service providers and other stakeholders and give them additional time for implementing strong customer authentication (SCA) measures required by the second Payment Services Directive (PSD2), which in theory must be in place by 14 September. The aim of SCA is to make electronic payments more secure by applying two of three security checks on customers, relating to knowledge (e.g. a password), possession (e.g. a code sent by text) and inherence (e.g. a fingerprint scan). SCA is also required in scenarios involving third-party providers, such as account information service providers. By way of explanation, the EBA acknowledged that there was concern in the market about preparedness and ability to meet the deadline.
The FCA published a statement in response a few days later, recognising the challenge of the September deadline and saying it would work with industry to develop a plan for implementation.
The FCA has now agreed such a plan with UK Finance. In a Dear CEO letter issued on 20 August, it announced that it will not take enforcement action against firms that do not meet the SCA requirements in relation to card-not-present transactions from 14 September, provided these can demonstrate that they have taken necessary steps to comply with UK Finance's 'managed roll-out', which calls for SCA delivery by 14 March 2021. After that date, failure to comply will be subject to enforcement action. In the meantime, the FCA suggests firms speak to UK Finance and cautions that they should not act outside the agreed plan "in ways that cause unnecessary problems". It also warns that firms will need to mitigate the negative impact of SCA on vulnerable customers, particularly those without mobile phones.
UK Finance addresses this by proposing that biometric and 'accessible' solutions be rolled out concurrently. While the published plan is just an outline for now, UK Finance has set up a programme management office (PMO), partly governed by the FCA, to act as a steering group for the project. In practice, firms will need to look to this as much as to the FCA to keep up with developments.
On 5 August, the FCA published the findings of its 'stocktake report' on how well the senior managers and certification regime (SMCR) has worked to date in the banking sector since it was introduced in March 2016. They are not expected to trigger any policy changes.
The FCA's conclusions were generally positive: the sector was found to have made a "concerted effort to implement the regime", with most firms said to have taken actions to move away from basic rules-based compliance.
However, work remains to be done on the Conduct Rules. The FCA found that many firms were unable to explain what a conduct breach looked like for their business and had not clearly mapped the Conduct Rules to their values. As a result, the FCA has said it will increase its supervisory focus on this part of the regime.
The FCA published its final guidance on the regulation of cryptoassets on 31 July 2019. While it does not propose new rules at this stage – though this has been done separately for derivatives (see below) – PS19/22 explains when tokens are likely to be caught by existing rules, as specified investments under the Financial Services and Markets Act 2000 (Regulated Activities) Order (RAO), e-money under the Electronic Money Regulations 2011 (EMR) or within scope for the Payment Services Regulation 2017, and when they are likely to be unregulated.
The guidance, set out at Appendix 1, does not differ significantly from the draft version consulted on in January (CP19/3), although it adds detail on tokens known as stablecoins. Accordingly, it divides regulated cryptoassets into (1) 'security tokens' that amount to RAO specified investments (other than e-money), which may provide for ownership rights, repayment of a specified sum of money or entitlement to future profits, and (2) 'e-money tokens', which amount to e-money under the EMR. This leaves other tokens unregulated, including genuine utility tokens redeemable for a particular product or service and most traditional cryptocurrencies such as Bitcoin, designed primarily as a means of exchange.
While this is good news for some participants, following its warning in 2018 that cryptoasset derivatives are generally specified investments (under both the RAO and MiFID II), the FCA also opened a consultation in July on an outright ban on the sale and marketing to retail clients of derivatives and exchange-traded notes that reference certain unregulated, transferable cryptoassets (CP19/22). The FCA's rationale is that retail consumers cannot reliably assess the value and risks of these products due to the lack of inherent value in underlying assets, the history of market abuse and scams in the market, high volatility and sheer lack of understanding. The consultation closes on 3 October, with final rules expected in early 2020.
Also chastening is the FCA's warning against the marketing of securities as utility tokens in initial coin offerings (ICOs) to avoid regulation, and that the features of some ICOs can bring them into the scope of crowdfunding or even collective investment schemes.
Finally, tougher regulation could in time come from other sources. In late September the House of Commons Treasury Committee called the FCA's consumer warnings on cryptoassets to date a 'feeble corrective' to misleading advertising and recommended that the RAO be extended to cover at least ICO issuance and running crypto-exchanges. In October 2018 a Cryptoassets Taskforce including the FCA, the Bank of England and HM Treasury reported that distributed ledger technology had potential benefits, but that risks needed to be addressed, and the Treasury is expected to report in the remainder of 2019 on potential changes to the FCA's remit to catch more activities and tokens, as well as on broadening the scope of anti-money laundering regulation in line with the EU's Fifth Money Laundering Directive ((EU) 2018/843) to tackle the use of cryptoassets for illegal activity.
Meanwhile, the UK Jurisdiction Taskforce, part of the LawTech Delivery Panel which includes members of government and the judiciary, is preparing a detailed statement on the status of cryptoassets and smart contracts under English private law. This is still very much an evolving area.
HM Treasury published a short guidance note summarising what both EEA firms currently passporting into the UK and domestic firms with customers in the EEA should expect in the event of a no-deal Brexit. In particular, it reminded UK firms that there may be data protection consequences even if they do not have customers in the EEA.
On 26 July, the FCA issued a policy statement (PS19/20) setting out its final rules on the extension of SMCR to FCA solo-regulated firms, including claims management companies. PS19/20 also includes final rules for claims management companies and for a new directory of individuals working in financial services, which banks and insurers can now start submitting data to on Connect and which will be available to all other firms from 9 December, when the SMCR extension also comes into force.
The final rules on SMCR reflect the few changes consulted on in January and in particular confirm that head of legal will not be a senior manager and amend the scope of the client dealing function.
Pay UK held a seminar on 2 September 2019 for fintechs interested in developing Confirmation of Payee propositions with corporate application such as bulk payment. Implementation is already underway for other applications. A form of the product, which allows account holders to confirm the identity of payees before sending money, is already available to account servicing payment service providers (ASPSPs) with an Open Banking registration.
A decision of the European Central Bank on the procedure and conditions for regulators' exercise of oversight powers over systemically important payment systems was published in the Official Journal and enters into force on 5 September.
EU Regulation 2019/1156 on the cross-border distribution of investment funds was published in the Official Journal. Together with Directive (EU) 2019/1160 amending the UCITS and AIFMD regimes, it aims to make cross-border distribution simpler, quicker and cheaper, and to increase choice for investors while safeguarding a high level of protection.
On 25 July, the Banking Standards Board published its Consumer Framework (the Framework), proposing an outline of what good banking should look like to retail consumers. The Framework includes five consumer principles with an outcome statement for each principle. The principles are: access; clarity and transparency; safety and security; responsiveness; and fairness.
The Association of British Insurers (ABI) issued an updated guide on how to treat people with criminal convictions fairly and in compliance with the law. According to the guide, insurers should:
The FCA published an impact assessment about rule changes that came into force last October governing the analysis of client options in the context of pension transfer advice. It concluded that costs were likely to rise slightly for providers through higher fees for specialist software, but that this was outweighed by the benefit of clearer options for consumers.
The FCA published a package of proposals designed to improve the quality of pension transfer advice, and help consumers get better value from their pensions. The package includes: (i) a proposed ban (CP19/25) on contingent charging for pension transfer advice; (ii) an update on the FCA's recent work on competition in the non-workplace pensions market (FS19/5); and (iii) final rules (PS19/21) following the Retirement Outcomes Review.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2019. Specific advice should be sought for specific cases.