FINTECH 2024
UNITED KINGDOM
George Morris, Oli Ward, Sophie Sheldon, Olly Jones, Gordon Ritchie
FINTECH LANDSCAPE AND INITIATIVES
General innovation climate
- What is the general state of fintech innovation in your jurisdiction?
The United Kingdom has been at the forefront of innovation in technology and finance for many years. Despite the disruption caused by the UK’s departure from the European Union and the effects of the covid-19 pandemic, this remains the case today. As the worlds of technology and finance become increasingly linked, London, in particular, has the unique advantage of being the national center of government and finance and having many world-class universities nearby. Fintech businesses also benefit from the UK’s time zone, language and legal system. Unlike the European Union and the United States, the United Kingdom has a small number of regulators, with central government setting the overall framework and able to take decisive action that allows legislators and regulators to react to the fast-moving technology sector.
The United Kingdom still dominates the European market in terms of fintech investment and was second only to the United States in terms of level of capital raised in 2022.
According to data from the UK’s fintech trade association, Innovate Finance, while the global fintech market experienced a 30 percent contraction in 2022, the United Kingdom has demonstrated its resilience as a top destination for fintech. In 2022, fintech companies in the United Kingdom attracted US$12.5 billion in investment capital, confirming the country’s leading position in European fintech rankings, recording greater venture capital investment than the combined total of the subsequent 13 European markets.
Perhaps mindful of the potential effect of Brexit, the government has been keen to promote the United Kingdom as a fintech-friendly jurisdiction. As part of this policy objective, in July 2020, the UK Chancellor asked Ron Kalifa OBE to conduct an independent review to identify priority areas to support the UK’s fintech sector. The resulting report, the Kalifa Review, was published in February 2021 and provided a five-point plan to allow the United Kingdom to extend its competitive advantage over other fintech hubs by creating a framework for innovation and supporting UK fintech firms to scale up. Recommendations included:
- amendments to UK listing rules to make the United Kingdom a more attractive location for initial public offerings;
- improvements to tech visas to attract global talent and boost the fintech workforce;
- creation of a regulatory fintech scalebox to provide additional support to growth-stage fintechs; and
- establishment of a center for finance, innovation, and technology, to strengthen national coordination across the fintech ecosystem to boost growth.
We are starting to see progress on the recommendations, particularly around policy and regulation initiatives, with the government’s focus on fintech further endorsed in April 2023 by the Economic Secretary to the Treasury, Andrew Griffith MP. In his speech to the Innovate Finance Global Summit during UK Fintech Week, Griffith reaffirmed the government’s desire to make the United Kingdom a pro-innovation jurisdiction. He reiterated the crucial role that fintech plays in the economy and, as evidence of this, he mentioned recent government initiatives.
Griffith mentioned the new HM Treasury consultation on the UK regulatory approach to crypto assets and stablecoins published in February 2023, highlighting how the UK government ‘pro-actively support the use of DLT and tokenization’. Griffith also discussed the upcoming Financial Market Infrastructure Sandbox, ‘which will help industry adopt and scale digital solutions that could radically change the way markets operate’.
He also highlighted the government’s efforts in introducing an agile regulatory framework for payments and e-money, reflected in the submission to the Payment Services Call for Evidence, with the aim of fostering an internationally competitive payment sector.
The UK government’s efforts to support the fintech industry are also evidenced by the launch in February 2023 of the new Centre for Finance, Innovation, and Technology (CFIT). This initiative is backed by £5.5 million of HM Treasury and City of London Corporation funding and aims to bring together industry players – entrepreneurs, policymakers, investors and academics – into coalitions to address some of the trickiest challenges facing the sector. Griffith announced that this year the CFIT’s first coalition will focus on open finance.
More broadly, the UK government has announced a significant package of 30 regulatory and tax reforms (the Edinburgh Reforms). The proposed reforms represent a commitment from the government to build on the UK’s position following Brexit and, of particular interest, include proposals on modernizing the regulatory frameworks concerning the remit of regulators, fund management, payments and payment accounts, e-money, and the provision of regulated credit.
Government and regulatory support
- Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?
In addition to the overall policy support articulated by the government, the UK’s regulatory bodies have established numerous initiatives and services to support fintech companies over the years.
In particular, the Financial Conduct Authority (FCA) started Project Innovate in 2014 to encourage innovation and promote competition. The support offered by Project Innovate has evolved over time, which is outlined in the FCA Innovation Hub. Currently, the FCA provides the following services:
- the Regulatory Sandbox, which allows businesses to test innovative propositions in the market with real consumers. Historically, the FCA allowed firms to participate in a series of cohorts that were open for applications in specific windows, but since 2021 the Sandbox has been open for applications at any time. This approach was also encouraged in the Kalifa Review of UK Fintech, thanks to which firms can now access the FCA testing services ‘at any point throughout the year, at the right point in their development lifecycle, at a time that works best for them’;
- the Innovation Pathways, which helps innovative firms to understand and navigate the UK’s regulatory regime. Support via Innovation Pathways is available to both new and established businesses and includes the provision of a dedicated FCA case manager to provide guidance on whether new business models require authorization and how to apply for authorization or a variation of existing permissions. Innovation Pathways combines the support historically provided by the FCA through its Direct Support program and the Advice Unit, which provided feedback to firms developing automated advice and guidance models;
- the Digital Sandbox, which provides fintech companies with access to online tools and high-quality synthetic data to test and develop their propositions at the proof-of-concept stage. First piloted in 2020, the Digital Sandbox has shown that collaboration and access to data can stimulate beneficial innovation in the market. Following two successful pilots, the FCA confirmed that the FCA Digital Sandbox will become permanent during summer 2023;
- the Tech Challenges, designed to allow the FCA to play a more active part in driving innovation in an area where the FCA sees clear benefits to UK consumers and markets. To date, the FCA has run two Green FinTech Challenges to support firms developing innovative solutions to assist in the UK’s transition to a net-zero economy;
- the TechSprints, also known as ‘hackathons’, which are events allowing the FCA to gather participants from across the financial services industry and beyond to develop technology-based ideas and discuss specific industry challenges. The two upcoming TechSprints in Q3 2023 are the Consumer Duty TechSprint, which will cover how open banking data can be leveraged and integrated into solutions to support the delivery of the New Consumer Duty, and the Global Financial Innovation Network (GFIN) Greenwashing TechSprint, which will aim to develop a solution to help regulators address the risks of greenwashing in financial services across the globe. Previous TechSprints have covered diverse topics from model-driven machine executable regulatory reporting to women’s economic empowerment; and
- industry events, such as roundtables and workshops, to help develop thinking on priority fintech areas and the ways in which practical and productive collaboration can take place at scale. One example is the Showcase Days, at which regtech firms demonstrate their technology solutions to internal market experts within the FCA.
The FCA is also the founder member and chair of the GFIN. Formed in 2019, the GFIN is an international group of 70 financial regulators and related organizations that are committed to supporting financial innovation in the interest of consumers on an international basis. The GFIN was formed to provide a framework for cooperation between financial services regulators on innovation-related topics, sharing different experiences and approaches.
The Bank of England (BoE) is responsible for supervising financial firms such as banks, building societies, credit unions, major investment firms and insurers, as well as financial market infrastructure providers, and for acting as settlement agent for payments systems and setting monetary policy in the United Kingdom. The BoE is also active in exploring how developments in fintech might both impact and support its mission to maintain monetary and financial stability. Among other initiatives, the BoE worked with the FCA to establish the Artificial Intelligence Public-Private Forum in 2020 to create further dialogue on artificial intelligence innovation between the public and private sectors. The BoE has also announced that it intends to work with the FCA to launch the new Financial Markets Infrastructure Sandbox in 2023 to support firms wishing to use new technology such as distributed ledger technology to provide infrastructure services to the financial markets. Separately, the BoE works directly with fintech businesses on proof-of-concept trials of technology that could be used by the BoE itself.
FINANCIAL REGULATION
Regulatory bodies
- Which bodies regulate the provision of fintech products and services?
The Financial Conduct Authority (FCA) is the financial services regulator for most regulated activities and services that a fintech would provide. The Prudential Regulation Authority (PRA) covers the prudential regulation of banks and insurers in the United Kingdom with the FCA regulating conduct matters (making banks and insurers dual-regulated entities). The FCA and the Payment Services Regulator (PSR) – which has a focus on competition and innovation – are the main regulators of payment systems and the financial institutions that participate in them.
Other relevant regulators that fintechs will need to be aware of are HM Revenue and Customs (HMRC) (the relevant regulator for money service businesses) and the Information Commissioner’s Office (ICO).
Regulated activities
- Which activities trigger a licensing requirement in your jurisdiction?
There are a large number of activities (specified activities) that, when carried on in the United Kingdom by way of business in respect of specified kinds of investments, trigger licensing requirements in the United Kingdom. These are set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). While it is not practical to list them all, the most common include:
- accepting deposits: this is mainly carried out by banks and building societies. An institution will accept a deposit where it lends the money it receives to others or uses it to finance its business;
- dealing in investments (as principal or agent): buying, selling, subscribing for or underwriting particular types of investments. In respect of dealing as principal, the specified investments are ‘securities’ and ‘contractually based investments’. In respect of dealing as agent, the specified kinds of investments are ‘securities’ and ‘relevant investments’;
- arranging deals in investments (this is split into two activities and specified investments in respect of arranging include securities and relevant investments):
- advising on investments: advising a person in their capacity as an investor on the merits of buying, selling, subscribing for or underwriting a security or relevant investment or exercising any right conferred by that investment to buy, sell, subscribe for or underwrite such an investment;
- managing investments: managing assets belonging to another person, in circumstances involving the exercise of discretion, where the assets include any investment that is a security or contractually based investment;
- establishing, operating or winding up a collective investment scheme (CIS);
- certain lending activities: entering into a regulated mortgage contract or a regulated (consumer) credit agreement (or consumer hire agreement) as lender, together with various ancillary activities such as credit broking and debt collection;
- certain insurance activities: effecting a contract of insurance as principal and carrying out a contract of insurance as principal; and
- e-money: issuing e-money (as a bank).
Payment services and e-money activity have separate regulatory regimes under the Payment Services Regulations 2017 and Electronic Money Regulations 2011 respectively, both of which are derived from EU legislation.
The government has proposed introducing a new regulated activity relating to the custody, or arranging the custody, of a stablecoin as part of its approach to establishing a bespoke regulatory framework for this type of digital asset. If the firm provides or arranges custody for stablecoins and is recognized as ‘systemic’ then under the current proposals, the firm will be dual regulated by the FCA and the Bank of England (BoE). As part of the government’s consultation process, it is proposing to apply and adapt existing frameworks for traditional finance custodians under for cryptoasset custody activities, making ‘suitable modifications to accommodate unique cryptoasset features’, or putting in place new provisions where appropriate.
Consumer duty
The consumer duty is a key regulatory requirement, driven and regulated by the FCA and currently being implemented by firms, which will ‘set higher expectations of firms driving a cultural reset that leads to enhanced confidence in financial markets and future gains from innovation’. The duty deals with information asymmetries and consumer cognitive and behavioral biases. It is applicable across multiple regulated activities and should be considered in a wide range of circumstances where firms have exposure to retail clients.
The consumer duty requires firms to review all UK products, services and communications aimed at retail customers across four outcomes (products and services, price and value, customer understanding, customer support). Firms need to design appropriate data-gathering and management information as the FCA expects a firm’s board (or similar body) to consider whether it is acting to deliver good customer outcomes. The FCA has been clear that it is now a data-led regulator, and it is likely to look at this management information carefully as part of its assessment of whether firms have implemented the consumer duty in the way the FCA intended.
Firms that provide in-scope products or services are expected to have begun implementing the consumer duty ahead of the July 2023 implementation deadline (for products or services that are open to sale or renewal). The FCA has said that it will continue to support firms’ embedding activities in the run-up to, and beyond, the July 2023 implementation deadline for new and existing products and services.
Consumer lending
- Is consumer lending regulated in your jurisdiction?
The general position is that lending by way of business to consumers is regulated in the United Kingdom. The FCA is responsible for authorizing and regulating consumer credit firms.
There are two categories of regulated lending: regulated credit agreements and mortgages.
Any person (A) who enters into an agreement with an individual (or a ‘relevant recipient of credit’, which includes a partnership consisting of two or three persons not all of whom are bodies corporate and an unincorporated body of persons that does not consist entirely of bodies corporate and is not a partnership) (B) under which A provides B with credit of any amount must be authorized by the FCA – unless an appropriate exemption applies.
Two of the most common exemptions are:
- where the amount of credit exceeds £25,000 and the credit agreement is entered into wholly or predominantly for business purposes; and
- where the borrower certifies that they are high-net-worth and the credit is more than £60,260.
Other complex exemptions are available that relate to, among other things, the total charge for the credit, the number of repayments to be made under the agreement and the nature of the lender.
If an exemption applies, the lender does not need to comply with the detailed legislative requirements that apply to regulated credit agreements contained in the Consumer Credit Act 1974 (CCA) (and secondary legislation made under it) and the FCA’s Consumer Credit Sourcebook (CONC). Broadly, the CCA sets out the requirements lenders need to comply with in relation to the provision of information, documents and statements and the detailed requirements as to the form and content of the credit agreement itself.
HM Treasury (HMT) has proposed to regulate buy-now, pay-later (BNPL) credit under the RAO. The government’s ambition is to lay legislation during 2023. The government is proposing legislative changes to article 60F(2) of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, which, currently, broadly exempts any borrower-lender-supplier agreement for fixed-sum credit where:
- the number of repayments is not more than 12;
- the repayments must be made over no more than 12 months; and
- no interest or fees are charged for the credit.
The government is narrowing this exemption considerably by removing from its scope:
- where the lender and the supplier are not the same person (that is, where the credit is provided by a person that is not the provider of the goods or services being financed); and
- where the lender purchases products from the supplier and resells them to the consumer on finance. Agreements in these circumstances will become regulated, as they will no longer be able to rely on the exemption, and are therefore likely to require the lender to be regulated, unless an exemption applies.
In respect of any regulated credit agreement, if an exemption does not apply, the CONC chapter in the FCA Handbook sets out detailed rules that regulated consumer credit firms must comply with and covers areas such as the conduct of business, financial promotions, pre-contractual disclosure of information, responsible lending, post-contractual requirements, arrears, default and recovery, cancellation of credit agreements and agreements that are secured on land.
In addition to the CONC, authorized consumer credit firms must also comply with other applicable chapters of the FCA Handbook. Failing to comply with the requirements of the CCA may result in those agreements being unenforceable against borrowers and the FCA imposing financial penalties on the firm in question.
As part of the Edinburgh Reforms, the government has proposed a substantial modernization of the regulated credit framework. This process is expected to take several years. Two of the key principles of the reforms will be proportionality and simplification, as well as some degree of harmonization with other regulatory developments, such as the FCA’s consumer duty. Some specific points under consultation include:
- changing or possibly abolishing the £25,000 minimum under the business lending exemption;
- reviewing and modernizing information requirements in relation to regulated credit; and
- looking at how reform can encourage financial inclusion and remove barriers.
Where possible, the relevant regulatory rules will be moved into the FCA Handbook (from statute) and there may need to be some extension of FCA powers. The idea is that this will allow the rules to be flexible and to adapt rapidly to an evolving market.
Entering into a regulated mortgage contract is a regulated activity. Such contracts are loans where:
- the contract is one under which a person (lender) provides credit to an individual or trustee (borrower);
- the contract provides for the obligation of the borrower to repay to be secured by a mortgage on land in the United Kingdom; and
- at least 40 percent of that land is, or is intended to be, used.
Secondary market loan trading
- Are there restrictions on trading loans in the secondary market in your jurisdiction?
Provided that the loan itself is being traded, and not the loan instrument (e.g., an instrument creating or acknowledging indebtedness), there are no restrictions on trading loans in the secondary market.
Collective investment schemes
- Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.
Establishing, operating or winding up a CIS is a regulated activity in the United Kingdom for which firms must be authorized by the FCA.
The definition of a CIS is set out in section 235 of the Financial Services and Markets Act 2000 (FSMA). Broadly, a CIS is any arrangement with respect to property of any description, the purpose or effect of which is to enable the persons taking part in the arrangements to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income. The persons participating in the arrangements must not have day-to-day control over the management of the property. The arrangements must also have either or both of the following characteristics:
- the contributions of the participants and the profits or income out of which payments are to be made to them are pooled; or
- the property is managed as a whole by, or on behalf of, the operator of the scheme.
Whether a fintech company falls within the scope of this regime will depend on the nature of its business. For example, fintech companies that manage assets on a pooled basis on behalf of investors should consider carefully whether they may be operating a CIS. On the other hand, fintech companies that only provide advice or payment services may be less likely to operate a CIS. Certain cryptoassets or platforms that offer cryptoasset staking, in particular, may be exposed to the risk of being categorized as a CIS, but this analysis is fact-dependent. Fintech companies are advised to seek legal advice on this subject and to have regard to their other regulatory obligations.
The management of two forms of regulated collective investment schemes, undertakings for the collective investment in transferable securities and alternative investment funds, is also a regulated activity. Peer-to-peer (P2P) or marketplace lenders or crowdfunding platforms are regulated separately under their own regimes.
Alternative investment funds
- Are managers of alternative investment funds regulated?
Managers of alternative investment funds are regulated in the United Kingdom under the EU Alternative Investment Fund Managers Directive, which has been implemented in the United Kingdom by the Alternative Investment Fund Managers Regulations 2013 and rules and guidance contained in the FCA Handbook. In a key divergence with the European Union, the United Kingdom has not implemented similar legislation to the EU’s Cross-Border Distribution of Funds regime regarding the marketing of funds. Instead, certain elements are covered by the UK’s financial promotion regime.
The FCA published a discussion paper this year on ‘Updating and improving the UK regime for asset management’, which raised questions for industry on opportunities to improve regulation of the asset management sector and introducing ‘a more modern and tailored regime, better meeting the needs of UK markets and consumers’. As is usual for discussion papers, the discussion paper does not contain any firm proposals. A feedback statement on the FCA’s findings is expected later in 2023.
Peer-to-peer and marketplace lending
- Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.
P2P lending is a term that generally refers to loan-based crowdfunding. In the United Kingdom, the FCA regulates loan-based crowdfunding platforms.
Under article 36H of the RAO, operating an electronic system that enables the operator (A) to facilitate persons (B and C) becoming the lender and borrower under an article 36H agreement is a regulated activity (and a firm will require FCA authorization) where the following conditions are met:
- the system operated by A is capable of determining which agreements should be made available to each of B and C;
- A (or someone acting on its behalf) undertakes to receive payments due under the article 36H agreement from C and make payments to B that are due under the agreement; and
- A (or someone acting on its behalf) takes steps to procure the payment of a debt under the article 36H agreement or exercises or enforces rights under the article 36H agreement on behalf of B.
An article 36H agreement is an agreement by which one person provides another with credit in relation to which:
- A does not provide the credit, assume the rights of a person who provided credit or receive credit; and
- either the lender is an individual or the borrower is an individual and the credit is less than £25,000, or the agreement is not entered into by the borrower wholly or predominantly for the purposes of a business carried on, or intended to be carried on, by the borrower.
In addition to falling within the definition of an article 36H agreement, a loan may also constitute a regulated credit agreement, unless an exemption applies, and so a lender, through a platform authorized under article 36H, may also be required to have permission to enter into a regulated credit agreement as lender. Two of the most common exemptions are:
- where the amount of credit exceeds £25,000 and the credit agreement is entered into wholly or predominantly for business purposes; and
- where the borrower certifies that they are ‘high-net-worth’ and the credit is more than £60,260.
Other complex exemptions are available that relate to, among other things, the total charge for the credit, the number of repayments to be made under the agreement and the nature of the lender.
The rules governing P2P lending are found in the Conduct of Business Sourcebook and Senior Management Arrangements, Systems and Controls, and include:
- enhanced requirements for platform governance arrangements including in relation to credit risk assessment, risk management and fair valuation practices;
- strengthening rules on wind-down planning in the event of platform failure;
- setting out the minimum information that a platform should provide to investors; and
- introducing a requirement to monitor the investors that can use a platform, including that platforms assess investors’ knowledge and experience of platform lending where no advice has been given to them. Firms are required to ensure that retail clients:
  - are certified or self-certified as ‘sophisticated investors’ or ‘high-net-worth investors’;
  - confirm before a promotion is made that they will receive regulated investment advice or investment management services from an authorized person; or
  - do not invest more than 10 percent of their net investible assets in P2P agreements in the 12 months following certification.
P2P lending has recently been categorized as a ‘restricted mass market investment’ and so regulatory requirements have been placed on financial promotions in relation to such investments. Broadly these include a prescribed form of risk warning and requiring that the promotion does not include any form of incentive to invest.
Crowdfunding
- Describe any specific regulation of crowdfunding in your jurisdiction.
In the United Kingdom, reward-based crowdfunding (where people give money in return for a reward, service or product) and donation-based crowdfunding (where people give money to enterprises or organizations they wish to support) are not currently regulated in their own right.
Equity-based crowdfunding is where investors invest in shares in, typically, new businesses. Equity-based crowdfunding is not specifically regulated in the United Kingdom (in the same way as loan-based crowdfunding).
However, a firm operating an equity-based crowdfunding service must ensure that it is not carrying on any other regulated activity without permission. Examples of regulated activities that equity-based crowdfunding platforms may carry on (depending on the nature and structure of their business) include:
- establishing, operating or winding up a CIS;
- arranging deals in investments; and
- managing investments.
Additionally, equity-based crowdfunding platforms must not market to retail clients unless an appropriate exemption applies.
In the FCA’s policy statement on P2P lending, investment-based crowdfunding platforms were also covered. Recent work has focused on restrictions on the types of clients these platforms can market to and how this is managed.
Invoice trading
- Describe any specific regulation of invoice trading in your jurisdiction.
Currently, there are no regulations relating specifically to invoice trading.
However, depending on how the business is structured, a firm that operates an invoice-trading platform may be carrying on regulated activities for which it must have permission, including:
- establishing, operating or winding up a CIS; and
- managing an alternative investment fund.
Payment services
- Are payment services regulated in your jurisdiction?
Payment services are regulated under the Payment Services Regulations 2017 (the Payment Services Regulations), which implement the EU second Payment Services Directive (PSD2) in the United Kingdom. Following, and relating to, Brexit, the FCA published an updated version of its Approach Document setting out guidance for payment and e-money firms to reflect certain required amendments. Payment services include:
- services enabling cash to be placed on a payment account and all the operations required for operating a payment account;
- services enabling cash withdrawals from a payment account and all the operations required for operating a payment account;
- the execution of the following types of payment transaction:
  - direct debits, including one-off direct debits;
  - payment transactions executed through a payment card or a similar device; and
  - credit transfers, including standing orders;
- the execution of the following types of payment transaction where the funds are covered by a credit line for the payment service user:
  - direct debits, including one-off direct debits;
  - payment transactions executed through a payment card or a similar device; and
  - credit transfers, including standing orders;
- issuing payment instruments or acquiring payment transactions;
- money remittance;
- payment initiation services (initiating a payment order at the request of a payment service user with respect to an account held with another payment service provider); and
- account information services (online services that are intended to provide consolidated information on one or more payment accounts held by the payment service user with another one (or more) payment service provider).
The Payment Services Regulations broaden the scope of transactions governed by their provisions, narrow the scope of certain exclusions, amend the conduct of business requirements and introduce security requirements.
To provide payment services in the United Kingdom, a firm must fall within the definition of a ‘payment service provider’ (PSP). Payment service providers include authorized payment institutions, small payment institutions, credit institutions, e-money institutions, the post office, the BoE and government departments and local authorities.
A firm that provides payment services in or from the United Kingdom as a regular occupation or business activity (and is not exempt, or a bank) must apply for authorization or registration as a payment institution.
E-money institutions are regulated under the Electronic Money Regulations 2011 (SI 2011/99). They must be authorized or registered to issue e-money and undertake certain payment services. The FCA’s Approach Document provides useful guidance for e-money institutions alongside explanations of most requirements in the FCA Handbook.
The government has proposed significant reforms to the payments framework as part of its consultation on the Payment Services Regulations under the Edinburgh Reforms. Key proposals include:
- the delegation of further payments regulation to the FCA;
- ‘rationalizing’ the distinction between payment institutions and e-money institutions; and
- reviewing the regulatory regime for payment initiation service providers and account information service providers, and clarifying ambiguities in the Payment and E-Money Institution Special Administration Regime.
The PSR is also proceeding with plans to require the mandatory reimbursement of victims of authorized push payment fraud where payment is made over the Faster Payments Service. This will be subject to very limited exceptions and will apply to all PSPs (including indirect access providers). Firms will, generally, need to refund the consumer within 48 hours of the fraud being reported, and responsibility for the costs will be extended from sending firms to both sending and receiving PSPs, with an assumed but negotiable 50:50 split. The PSR is proposing some practical limits and will allow PSPs to:
- set a minimum threshold for reimbursement (of no more than £100);
- withhold an ‘excess’ (of no more than £35); and
- set a time limit for claims (of not less than 13 months).
The Financial Services and Markets Bill currently making its way through Parliament will allow the PSR to establish this system and it is expected that it should be fully implemented by the end of 2023.
The European Commission has launched several initiatives assessing the status of PSD2, including proposing changes to the regulatory oversight of certain delegated models, a simplification of the payments regime, and a central database to record sanctions across EU member states.
In respect of the card-acquiring market, the PSR has published a policy statement setting out its final decision on remedies for the card-acquiring market that covered:
- greater transparency to improve comparison; and
- greater engagement.
Open banking
- Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?
Open banking has been operational since 2018 and has been driven by the United Kingdom’s competition authority (the Competition and Markets Authority (CMA)) and the Open Banking Implementation Entity operating under the CMA’s Retail Banking Market Investigation Order 2017, together with the implementation of PSD2.
Following its investigation into the retail and small and medium-sized enterprise (SME) banking sectors between 2013 and 2016, the CMA ordered a number of remedies to help promote greater competition in the retail and SME banking markets.
One of the core remedies ordered by the CMA requires the nine largest retail banks in Great Britain and Northern Ireland to develop and implement an open banking standard application programming interface (API) to give third parties access to information about their services, prices and service quality, in order to improve competition and efficiency and to stimulate innovation. The open APIs also allow retail and SME customers to share their own transaction data with trusted intermediaries, which can then offer advice tailored to the individual customer.
These measures are intended to make it easier for customers to identify the best products for their needs. Additionally, the Payment Services Regulations require banks to allow third-party payment service providers to initiate payments from their customers’ accounts.
The UK open banking ecosystem is currently undergoing a process of expansion. While significant progress has been made in relation to open banking since its introduction, regulators have identified that more needs to be done to deliver the full benefits of open banking within retail banking markets, and beyond, and to maintain its international leadership. The Joint Regulatory Oversight Committee (JROC) has published its recommendations for the next phase of open banking in the United Kingdom. The recommendations also cover plans for the ‘future entity’ charged with overseeing open banking and the underpinning principles of a future ‘long-term regulatory framework’, which the recommendations confirm the government is intending to legislate for. The JROC intends to monitor progress and will provide a first progress report (as well as the communication of its ‘refined views’ on the design of the future entity) in the fourth quarter of 2023. Full implementation is expected to take at least two years.
Robo-advice
- Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.
There are no specific regulations to cover robo-advisers. The rules applying to investment advisers or arrangers and discretionary investment managers are technology-neutral and cover face-to-face as well as online or automated services. Therefore, a license would generally be required, and robo-advisers would be subject to the usual conduct of business requirements, for example, suitability assessments, disclosure of costs and charges, and marketing (which must be fair, clear and not misleading). The FCA provides some specific guidance for firms developing an automated advice or guidance proposition through a dedicated FCA Advice Unit. The FCA also evaluated the status of automated advice within the UK market in 2020, but with limited substantive action taken.
Insurance products
- Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?
Effecting or carrying out a contract of insurance, arranging contracts of insurance, or dealing in insurance as an agent are regulated activities and fintech companies that wish to do this must be regulated. Key regulation includes the retained EU law version of Regulation (EU) No. 1286/2014 on key information documents for packaged retail and insurance-based investment products, which has been applied since the end of the Brexit transition period. Companies that wish to market insurance products must either be regulated, have their marketing material approved by a regulated firm or fall within an applicable exclusion. For example, exemptions may be available for communications to high-net-worth individuals, companies, sophisticated individuals and other investment professionals.
Credit references
- Are there any restrictions on providing credit references or credit information services in your jurisdiction?
Providing credit information services and providing credit references are regulated activities for which firms must be regulated. A firm provides credit information services where it takes any of the following steps (or gives advice in relation to them) on behalf of an individual or relevant recipient of credit:
- ascertaining whether a credit information agency holds information relevant to the financial standing of an individual or relevant recipient of credit;
- ascertaining the contents of such information;
- securing the correction of, the omission of anything from, or the making of any other kind of modification of, such information; and
- securing that a credit information agency that holds such information:
  - stops holding the information; or
  - does not provide it to any other person.
Providing credit references involves providing people with information relevant to the financial standing of individuals or relevant recipients of credit where the person has collected the information for that purpose.
In addition, the Small and Medium-Sized Business (Credit Information) Regulations 2015 (the SMB Regulations) require:
- designated banks to share specified credit information about SMEs with designated credit reference agencies (with the permission of the relevant SME); and
- designated credit reference agencies to provide this information to finance providers at the request of the SME and to the BoE.
While the provision of this information is not a regulated activity under the FSMA, the FCA does monitor and enforce compliance with the SMB Regulations.
HMT has proposed to regulate BNPL credit and, potentially, certain forms of short-term interest-free credit under the RAO. The government’s ambition is to lay legislation during 2023. As part of HMT’s incoming changes to BNPL, it has proposed ensuring that BNPL providers carry out the relevant affordability checks in relation to users and that there is ‘clear, consistent and timely credit reporting’ across the credit reference agencies in relation to this. It is understood that the FCA will consult on detailed rules for the sector covering affordability checks, licensing of operators, and fair marketing.
CROSS-BORDER REGULATION
Passporting
- Can regulated activities be passported into your jurisdiction?
Prior to Brexit, an EEA firm that had been authorized under one of the EU single market directives was able to provide cross-border services into the United Kingdom. For these purposes, the relevant single-market directives include the:
- Capital Requirements Directive;
- Solvency II Directive;
- second Markets in Financial Instruments Directive;
- Insurance Distribution Directive;
- Mortgage Credit Directive;
- fourth Undertakings for Collective Investment in Transferable Securities Directive;
- Alternative Investment Fund Managers Directive;
- second Payment Services Directive; and
- Electronic Money Directive.
The right to passport into the United Kingdom from EEA jurisdictions ceased to exist after 31 January 2020.
Requirement for a local presence
- Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?
No. With the removal of passport rights post-Brexit, any firm wishing to obtain a license in the United Kingdom will need to establish a presence within the jurisdiction.
SALES AND MARKETING
Restrictions
- What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?
The United Kingdom has a comprehensive set of rules relating to financial promotions. These are set out in Chapter 4 of the Financial Conduct Authority’s (FCA) Conduct of Business Sourcebook (COBS).
The definition of a financial promotion is very wide and includes an invitation or inducement to engage in investment activity that is communicated in the course of business. Marketing materials for financial services are likely to fall within this definition.
The basic concept is that financial promotions must be fair, clear and not misleading. FCA guidance suggests that:
- for a product or service that places a client’s capital at risk, it makes this clear;
- where product yield figures are quoted, this must give a balanced impression of both the short- and long-term prospects for the investment;
- where the firm promotes an investment or service with a complex charging structure or the firm will receive more than one element of remuneration, it must include the information necessary to ensure that it is fair, clear and not misleading and contains sufficient information taking into account the needs of the recipients;
- the FCA, Prudential Regulation Authority (PRA) or both (as applicable) are named as the firm’s regulator and any matters not regulated by either the FCA, PRA or both are made clear; and
- where it offers ‘packaged products’ or ‘stakeholder products’ not produced by the firm, it gives a fair, clear and not misleading impression of the producer of the product or the manager of the underlying investments.
However, an exemption may be available to keep marketing materials outside the scope of the financial promotion rules. For example, exemptions may be available for communications to high-net-worth individuals, companies, sophisticated individuals and other investment professionals. Even authorized firms are prohibited from the promotion of unregulated collective investment schemes, except in specific circumstances set out in the Financial Services and Markets Act 2000 (Promotion of Collective Investment Schemes) (Exemptions) Order 2001 (SI 2001/1060).
Only authorized persons may make financial promotions and it is a criminal offence for an unauthorized person to communicate a financial promotion. Any agreements entered into with customers as a result of an unlawful financial promotion are unenforceable. HM Treasury and the FCA have both consulted on the process for the approval of financial promotions, including introducing a ‘regulatory gateway’ whereby all new and existing authorized firms will be prohibited from approving the financial promotions of unauthorized persons without having applied to the FCA to have this prohibition removed either entirely (allowing them to approve all types of financial promotions), or partially (allowing them to approve certain types of financial promotions).
The FCA has also recently rationalized the classification of high-risk investments (under the terms restricted mass market investments and non-mass market investments), introducing a package of measures to slow consumer journeys into high-risk investments. The measures introduced include requirements on:
- strengthening risk warnings;
- banning inducements to invest;
- introducing positive frictions;
- improving client categorization; and
- stronger appropriateness tests.
Lending
In relation to lending, there is also a comprehensive set of rules and the position is similar, but not identical, to that set out in COBS.
In respect of credit agreements, the FCA’s Consumer Credit Sourcebook 3.3 applies and provides that a financial promotion must be clear, fair and not misleading. In addition, firms must ensure that financial promotions:
- are clearly identifiable as such;
- are accurate;
- are balanced (without emphasizing potential benefits without giving a fair and prominent indication of any relevant risks);
- are sufficient for, and presented in a way that is likely to be understood by, the average member of the group to which they are directed, or by which they are likely to be received;
- are presented in a way that does not disguise, omit, diminish or obscure important information, statements or warnings;
- present any comparisons or contrasts in a fair, balanced and meaningful way;
- use plain and intelligible language;
- are easily legible and audible (if given orally);
- specify the name of the person making the communication (or whom they are communicating on behalf of, if applicable); and
- do not state or imply that credit is available regardless of the customer’s financial circumstances or status.
Various other detailed requirements apply depending on the type of credit (e.g., peer-to-peer, secured, unsecured or high-cost short-term credit) and the type of agreement (e.g., whether it is secured on land), which govern things such as:
- the requirement to include particular risk warnings and how those warnings must be worded;
- when and how annual percentage rates and representative examples must be included and displayed; and
- expressions that cannot be included in financial promotions.
In relation to mortgages, chapter 3A of the Mortgages and Home Finance: COBS applies. In addition to being clear, fair and not misleading, financial promotions must:
- be accurate;
- be balanced (without emphasizing any potential benefits without also giving a fair and prominent indication of any relevant risks);
- be sufficient for, and presented in a way that is likely to be understood by, the average member of the group to whom it is directed, or by whom it is likely to be received;
- make it clear, where applicable, that the credit is secured on the customer’s home;
- be presented in a way that does not disguise, omit, diminish or obscure important items, statements or warnings; and
- where they contain a comparison or contrast, be designed in such a way that the comparison or contrast is presented in a fair and balanced way and ensures that it is meaningful.
As with credit agreements, other provisions apply depending on the particular type of mortgage, covering, among other things:
- the inclusion and presentation of annual percentage rates and other credit-related information;
- points of contact; and
- when and how financial promotions can be made.
CRYPTOASSETS AND TOKENS
Distributed ledger technology
- Are there rules or regulations governing the use of distributed ledger technology or blockchains?
Regulators in the United Kingdom generally seek to adopt a technology-neutral stance, regulating the outputs of technology systems and the functions or services those systems provide (rather than how they operate). There are no specific rules or regulations concerning the use of distributed ledger technology or blockchain per se.
However, some rules and regulations applicable in the United Kingdom indirectly prevent distributed ledger technology and blockchain from being used in the provision of a particular function or service. For example, the UK General Data Protection Regulation (UK GDPR) generally requires personally identifiable information to be capable of erasure when it is no longer needed, which causes difficulties for firms seeking to use distributed ledger technology to govern the use of that type of data, given the technology’s generally ‘immutable’ (namely, unchangeable) nature. Another example is the UK Central Securities Depository Regulation, which requires transferable securities admitted to regulated trading venues to be represented in book-entry form. This creates a regulatory hurdle for firms seeking to issue or trade transferable securities in digital form (namely, security tokens) on such venues.
Some of the rules and regulations that indirectly prevent the use of distributed ledger technology and blockchains in a financial markets context will be revisited as part of the UK’s forthcoming Financial Markets Infrastructure Sandbox (FMI Sandbox). The FMI Sandbox will allow participating firms to test distributed ledger technology and blockchains in a manner they would not otherwise be permitted, through the granting of temporary exemptions to certain UK rules and regulations (subject to authorization and ongoing supervision). Legislative powers to establish the FMI Sandbox will be granted to UK regulators through the revisions being made to the Financial Services and Markets Act 2000. A consultation paper containing proposals on the scope of the FMI Sandbox is expected over the summer of 2023. The FMI Sandbox is expected to commence later in 2023.
Cryptoassets
- Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?
In the United Kingdom, there are specific rules relating to the operation of certain types of crypto-businesses, requiring the following businesses to be registered with the Financial Conduct Authority (FCA):
- those that provide a facility to enable the exchange of one cryptoasset for another or the exchange of fiat currency for cryptoassets (or vice versa), or any business that makes arrangements with a view to any such exchange;
- those that provide custodial cryptoasset wallet services;
- any business that issues new cryptoassets (e.g., a business conducting an initial coin offering); and
- businesses that operate cryptoasset automated teller machines.
Prior to operating any such business, the business must first register with the FCA. The registration process is complex and requires the applicant to satisfy a number of different information requirements. Once a complete application has been submitted, the FCA has three months to consider the application and accept or reject it as it sees fit.
There have proven to be significant challenges in the registration of cryptoasset firms to date. Other regulatory processes regarding cryptoassets continue in other areas.
The FCA’s guidelines include a taxonomy covering ‘exchange tokens’ (decentralized assets such as bitcoin), ‘security tokens’ (blockchain-traded products that have similar characteristics to traditional regulated securities), and ‘utility tokens’ (blockchain-traded products or other items that do not have similar characteristics to traditional regulated securities).
Therefore, in broad terms, the current approach in the United Kingdom to the regulation of cryptoassets varies by type of token:
- unregulated tokens (classic exchange tokens such as bitcoin and utility tokens) are unregulated, although to offer services concerning them, a business may need to be registered with the FCA;
- e-money tokens (cryptoassets that have the characteristics of e-money) are regulated as if they were e-money, and businesses dealing in them need to be properly authorized by the FCA as appropriate under the Electronic Money Regulations and the Payment Services Regulations, as well as likely needing to be registered with the FCA (depending on what activity is being undertaken in relation to those e-money tokens); and
- security tokens (cryptoassets that have the characteristics of regulated financial products) are regulated in the same way as the type of security that the cryptoasset shares characteristics with, and any businesses dealing in them need to be properly authorized by the FCA as appropriate, including being registered with the FCA alongside any wider securities permissions.
E-money institutions that do not issue e-money tokens, but which provide payment services in connection with a cryptoasset (whether or not the cryptoasset is regulated), may need to be authorized under the Payment Services Regulations for these payment services.
Proposed regulatory regime
In February 2023, HM Treasury (HMT) published a consultation on the Future Financial Services Regulatory Regime for Cryptoassets. While this is a consultation and seeks feedback regarding how cryptoassets will be regulated, the consultation shows the direction of travel that HMT intends to take.
The key element of the consultation is a proposal to bring cryptoassets within scope of existing legislation, rather than create bespoke regulation specific to cryptoassets and activities in relation to them. The consultation proposes to expand the list of ‘specified investments’ in Part III of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 to include cryptoassets.
HMT confirms that it does not intend to expand the definition of ‘financial instrument’ in Part 1 of Schedule 2 to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) to include presently unregulated cryptoassets. Therefore, while the proposals will mainly mean that existing regulated activities will now apply in relation to cryptoassets in addition to previously specified investments, there are also proposals for some new RAO activities, specific to cryptoassets.
Stablecoins
In relation to stablecoins, HMT is consulting on bringing certain stablecoins within the scope of the UK regulatory perimeter. Specifically, it seeks to regulate ‘payment crypto-assets’.
This is intended to cover all fiat currency-backed stablecoins, but exclude those that stabilize their value by referencing other assets (e.g., commodities). This will lead to new regulated activities, including the issuing of stablecoins, providing custody for stablecoins, and providing payment services in relation to stablecoins. The FCA will be the regulator for these activities, and firms will need to be authorized. HMT has also proposed an amended financial market infrastructure special administration regime to address the risks posed by the possible failure of systemic digital settlement assets (which would include stablecoin) firms. Further details are awaited.
Financial promotions
HMT has announced that the promotion of cryptoassets to UK consumers is to be regulated and will broadly fall within the FCA’s existing financial promotions regime under the Financial Services and Markets Act 2000 (FSMA). The change will come into force on 8 October 2023. The amendments include a broad definition of cryptoassets that captures a significant range of currently unregulated tokens – it would not capture NFTs. It will cover financial promotions from overseas firms marketing in the United Kingdom, as well as firms that are based in the United Kingdom (even if not authorized by the FCA). For communications originating outside the United Kingdom, the restriction applies to the extent that the communication is capable of having an effect in the United Kingdom.
Promotions to governments and central banks and investment professionals (a specifically defined class of investor) would, however, be exempt. Common retail exemptions on the other hand would not apply, including promotions to high-net-worth individuals or self-certified sophisticated investors.
Together the new rules will mean significant restrictions on the promotion of cryptoassets – financial promotions in relation to these assets will, among other requirements, need to be fair, clear, and not misleading, and include a prescribed risk warning. Only firms registered under the Money Laundering Regulations, or authorized firms will be able to carry out their own promotions in relation to cryptoassets, and only authorized firms will be able to approve unregistered or unauthorized firms’ promotions.
Cryptoasset regulation in the United Kingdom continues to be a developing area and the final requirements of the HMT and FCA proposals may change following further consultation.
Token issuance
- Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?
Any firm that issues a digital token in the United Kingdom needs to be registered with the FCA. The registration process is complex and requires the applicant to satisfy a number of different information requirements. Once a complete application has been submitted, the FCA has three months to consider the application and accept or reject it as it sees fit.
Beyond the registration requirement noted earlier, there are no rules or regulations specifically governing the issuance of digital tokens. If the token meets the definition of regulated cryptoassets or any other regulated product (even if in tokenized form), Financial Services and Markets Authority and FCA regulations will apply around authorization and compliance to the same extent that they would apply to traditional assets.
Regulation around cryptoassets in the United Kingdom is undergoing some change at the time of writing, including bringing cryptoassets within scope of the UK’s regulatory and financial promotion regime. This will include promotions in relation to the issuance of tokens.
ARTIFICIAL INTELLIGENCE
Artificial intelligence
- Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?
There are not yet any significant rules or regulations that specifically govern the use of artificial intelligence (AI) in the United Kingdom, including in respect of robo-advice. Instead, the rules and regulations that apply to a firm’s use of AI depend on the specific nature of the activities for which it is used and, more broadly, any regimes to which a firm is subject at an organizational level.
Fintech firms should consider the status of the activities they are carrying on involving AI under the general licensing regime in the Financial Services and Markets Act 2000 (FSMA). The general prohibition in section 19 of the FSMA prohibits carrying on a regulated activity by way of business in the United Kingdom without authorization or unless an exemption or exclusion applies. Firms carrying on regulated activities will generally require authorization by one of the UK’s financial services regulators, the most significant of which for fintech firms being the Financial Conduct Authority (FCA), the PRA and the Bank of England (BoE) authorized firms using AI to carry on regulated activities and (or) that use AI in other parts of their businesses will need to consider the relevant regulatory regimes to which they are subject. Under these regulatory regimes, the general rules, guidance, and principles will be relevant to such firms’ use of AI as well as specific requirements relevant to particular applications or elements of AI.
At the most general level, firms must have regard to high-level requirements such as the FCA’s Principles for Businesses or the Prudential Regulation Authority’s (PRA) Fundamental Rules when using AI. For example, the FCA requires firms to communicate with clients in a way that is clear, fair and not misleading and to have adequate risk management systems. Requirements under issue-specific regimes may also apply, for example, governance-related requirements under the Senior Managers and Certification Regime (SMCR) or consumer-protection-related rules for retail clients under the new consumer duty. The SMCR and the consumer duty have been specifically identified by the relevant regulators as the key tools they will use for regulating the use of AI by authorized firms. However, firms should also have regard to other issue-specific regimes especially relevant to AI such as those covering operational resilience, outsourcing, model risk management, and data management. In addition, particular activities may be subject to specific requirements, for example, investment advice provided by robo-advisers, would be subject to conduct of business requirements (e.g, suitability assessments and best execution), and systems involved in high-frequency trading decisions would be subject to detailed rules on algorithmic trading.
Although these are existing requirements, their application to the use of AI by businesses requires careful consideration in light of the unique characteristics of AI. The purpose of the BoE-PRA-FCA Discussion Paper 5/22 on AI and machine learning published at the end of 2022 (the Discussion Paper) was to seek views on how existing regulation and legislation may be applied to AI to inform potential future policy proposals. The results of the Discussion Paper are expected at the end of this year but, in the meantime, there are some sources of informal guidance on how existing requirements should apply to AI. The Final Report of the PRA and FCA AI Public-Private Forum provides examples of best practices on how firms can seek to comply with existing rules on governance, data, and model risk management when using AI. There are also notably two papers published by the FCA on AI in 2019 – ‘Explaining why the computer says no‘ and ‘Artificial Intelligence in the boardroom‘– that emphasize that financial institutions (including their board members) should be able to explain AI-based decisions, particularly in sensitive contexts (e.g, in consumer loan applications).
Beyond the financial services regulatory framework, firms using AI will need to consider a number of cross-sectoral rules and regulations that may apply to their activities. The most significant set of cross-sectoral rules and requirements are set out in the UK’s data protection regime. Where activities involve processing of personal data, the Data Protection Act 2018 along with the UK GDPR apply minimum standards for data privacy and security. Particularly relevant to firms using AI and robo-advice, the UK GDPR sets out requirements on ‘automated’ decision-making involving personal data. Article 22 of the UK GDPR provides that a data subject has the right not to be subject to a decision based solely on automated processing except in certain circumstances (e.g., with the data subject’s explicit consent). Where those circumstances apply, the data controller must provide ‘meaningful information about the logic involved’. Firms using personal data in AI (e.g., in assessing loan applications) must, therefore, be able to explain how the AI system operates in that context. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has released extensive guidance on compliance with data protection law when using AI (including the explainability provisions noted above, e.g., in its Guidance on AI and Data Protection and AI and Data Protection Risk Toolkit). The ICO has also issued guidance specifically on explaining decisions made with AI in conjunction with the Alan Turing Institute.
Other key cross-sectoral rules and regulations that may apply to firms using AI include those set out in the Equality Act 2010 (the Equality Act) and the Competition Act 1998 (the Competition Act). Discriminatory decisions made involving AI systems could be a breach of the Equality Act. For example, certain AI-derived price-discrimination strategies could breach the requirements if they result in poor outcomes for groups with protected characteristics under the Equality Act. The Equality and Human Rights Commission is the body with primary responsibility for upholding equality and human rights laws in the United Kingdom. Supervisory authorities, though, including the PRA and the FCA, are subject to a public sector equality duty under the Equality Act, which requires them to have regard to the need to eliminate discrimination and other conduct prohibited under the Equality Act, so breaches may also be subject to action from these bodies. The use of AI could also involve breaches of the Competition Act where it results in, for example, anti-competitive behavior, discriminatory or unfair practices, or cases of abuse of dominance. The Competition and Markets Authority (CMA) is responsible for enforcing the Competition Act but, as with the Equality Act, supervisory authorities, such as the PRA and the FCA, have certain functions under the Competition Act and may use these functions in relation to applications of AI in financial services. In 2019, the CMA published its views on how algorithms, including in the context of AI, can reduce competition and harm consumers and, in May 2023, in line with the UK government’s White Paper, it launched a review of competition and consumer protection considerations in the development and use of AI foundation models.
In addition to the aforementioned regulatory considerations, businesses using AI should also be aware of the National Security and Investment Act 2021 (the NSI Act), which came into force on 4 January 2022. The NSI Act gives the government powers to scrutinize and intervene in business transactions in sensitive areas, including AI, to protect national security. Transactions, including acquisitions, minority investments, and intra-group transactions, involving businesses active in AI may trigger a mandatory requirement to notify the government. In the context of a transaction, such businesses (and any investors) may need to consider whether the transaction triggers a mandatory notification requirement as well as ensuring that any potential implications are reflected in deal timelines and documents to manage the risks of delay and (or) government intervention.
AI, its use by businesses, and its potential impact on societies is an issue attracting increased regulatory and government attention. Unsurprisingly, then, the law and regulation governing the use of AI in the United Kingdom is set to change. In March 2023, the UK government published its White Paper setting out and launching a consultation on its proposals for a regulatory framework for AI. Unlike the approach taken in the European Union, the UK government proposes a flexible and iterative approach beginning with five non-statutory cross-sectoral principles to be interpreted and applied by existing UK regulators through the issuance of guidance on the application of existing laws and regulations to the use of AI. However, in light of the rapid developments and availability of generative AI tools, the UK government is reportedly already considering tightening the position set out in the White Paper to directly regulate the use of AI and create a standalone AI regulator.
In the European Union, the draft AI regulation (AI Act), once implemented, will impose obligations on developers and users of AI systems, particularly those systems classified as ‘high risk’ under the AI Act. While the AI Act does not specifically target AI use in the financial services sector, fintech businesses could still find themselves subject to potentially onerous obligations under the AI Act, for example, if they use AI in the context of human resources or employment.
CHANGE OF CONTROL
Notification and consent
- Describe any rules relating to notification or consent requirements if a regulated business changes control.
Part 12 of the Financial Services and Markets Act 2000 sets out a strict system concerning changes of control of regulated firms, and failure to adhere to the appropriate statutory requirements can be a criminal offence, depending on the nature of the breach.
Controllers or potential controllers of Financial Conduct Authority (FCA)-authorized firms are required to make notifications to and obtain approval from the FCA when a change of control occurs. The notification must be made before a change of control takes place. A person who fails to obtain the appropriate FCA approval will be guilty of a criminal offence.
The notification process takes place under three parallel processes:
- each new controller submitting the appropriate controller notification form to seek the FCA’s pre-approval;
- each exiting controller notifying the FCA of the change of control; and
- the FCA-regulated firm notifying the FCA of these changes.
In practice, a joint notification is usually made, coordinated by the FCA-regulated firm with the new controllers and exiting controllers. Any potential controller must provide detailed information, including in respect of its:
- group structure;
- senior management;
- commercial activities;
- any criminal or civil proceedings against the company; and
- details of the acquisition.
The FCA has a statutory assessment period of 60 working days to determine change-of-control applications. This can be interrupted for a period of 30 days. In practice, determinations are often delayed due to a lack of case officers. The FCA provides an estimate of the current delay on its webpage: at the time of writing this is at least 90 days. The FCA still recommends that all relevant information and documents are provided with the initial submission and reminds firms that it is a criminal offence to proceed with a transaction before it has decided on the notification (or before the statutory assessment period has expired). There is no application fee.
HM Treasury has stated that it, the PRA and the FCA are considering revising change of control applications and it has been suggested that such changes could be focused on:
- the information provided by applicants to enable regulators to fully assess the risks of the proposal in a timely manner; or
- the currently limited statutory grounds on which the FCA or the PRA can object to an application for a change of control.
FINANCIAL CRIME
Anti-bribery and anti-money laundering procedures
- Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?
Generally, fintech companies are only required to have anti-money laundering (AML) procedures if the company is authorized by the Financial Conduct Authority (FCA) or carries out business that is subject to the Money Laundering Regulations 2017 (MLRs). The United Kingdom implemented the EU Fifth Money Laundering Directive (5MLD) on 10 January 2020, by way of updates to the MLRs effected by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (the 2019 Regulations). Under 5MLD, and the 2019 Regulations (in line with 5MLD), the types of entities required to have money laundering procedures have been widened to include cryptoasset exchange providers and custodian wallet providers. The 2019 Regulations also capture peer-to-peer exchange providers, cryptoasset automated teller machines and the issuing of new cryptoassets (e.g., an initial coin offering or initial exchange offering).
Entities subject to UK money laundering regulations are required to, among other things:
- identify and assess the firm’s exposure to money laundering risk by, for example, undertaking a risk assessment;
- perform customer due diligence to an adequate standard depending on the risk profile of the customer;
- keep appropriate records;
- monitor compliance with the AML regulations, including internal communication of policies and procedures; and
- report suspicious transactions.
The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 came into force in 2022 and introduce a number of changes to the 2017 MLRs. Changes that will be particularly relevant to fintech companies are:
- excluding account information service providers from the scope of the 2017 MLRs;
- adding proliferation financing to the list of financial crime risk covered by the 2017 MLRs, meaning that firms subject to the 2017 MLRs will be required to take steps to mitigate the risk of proliferation financing;
- introducing a change in control regime for cryptoasset exchange and custodian wallet providers registered with the FCA under the 2017 MLRs, meaning that prospective acquirers of FCA-registered crypto firms will need to obtain the FCA’s approval to the transaction; and
- extending the ‘travel rule’ for cryptoasset transfers.
As part of its review of fintech challenger banks, the FCA has noted some concerns over the financial crime controls of these companies, prompted by the view that criminals may be attracted to the fast onboarding processes that challenger banks advertise and by the risk that the information gathered through these fast processes is insufficient to identify higher-risk customers. The FCA noted that it expects financial crime control resources, processes and technology to be commensurate with a bank’s expansion so that they remain fit for purpose.
With respect to anti-bribery policies and procedures, all companies (including fintech companies) that are incorporated in or carry on business, or a part of their business, in the United Kingdom, are subject to the Bribery Act 2010 (the Bribery Act). While the Bribery Act does not require the implementation of policies or procedures to combat bribery, it creates a de facto requirement to do so. This is because a company charged with ‘failing to prevent bribery’ may rely on the statutory defense that the company had adequate policies and procedures in place designed to prevent bribery. It is not just large companies that need to be concerned with this law. The successful prosecution of Skansen Interiors Ltd (a company with fewer than 30 employees) for failing to prevent bribery in 2018 indicates that UK prosecutors will target smaller companies for such an offence.
From 1 September 2023, the ‘travel rule’, which requires financial institutions to share identifying information about the originator and beneficiary of a transaction, will apply to transfers of cryptoassets in the United Kingdom, bringing the United Kingdom in line with Financial Action Task Force Recommendation 16 regarding information sharing requirements for transferring cryptoassets. Cryptoasset exchange providers and custodian wallet providers registered with the FCA will be subject to the rule when they provide services to the originator or beneficiary of a transfer of cryptoassets. Different cryptoasset transfers will attract different requirements as to the information that the originator’s cryptoasset service provider must share alongside the transfer. Cross-border cryptoasset transfers with a value exceeding €1,000 will require additional information and transactions with self-hosted wallets may also attract additional requirements depending upon the firm’s assessment of the risk.
Guidance
- Is there regulatory or industry anti-financial crime guidance for fintech companies?
There is no anti-financial crime guidance issued by the FCA specifically for fintech firms. However, firms that are authorized by the FCA should comply with its ‘Financial Crime Guide: A firm’s guide to countering financial crime risks’, and may find the FCA’s feedback on good and poor quality applications for registration under the 2017 MLRs helpful. In addition, the Joint Money Laundering Steering Group (JMLSG) issues detailed AML guidance for the financial sector, which includes a chapter of guidance specific to the cryptoasset sector (see Chapter 22 of Part 2 of the JMLSG Guidance).
It is important for fintech firms to understand the concerns and policy drivers that financial institutions have with respect to their fintech clients. In June 2018, the FCA sent a ‘Dear CEO’ letter to financial institutions, advising them to take ‘reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes that are enabled by cryptoassets’. This will have a consequential effect on fintech companies, as financial institutions are likely to apply the FCA’s guidance when conducting due diligence on and monitoring their relationships with crypto-businesses as a result of this letter. While not addressed to fintech companies, they may also find this guidance helpful in mitigating financial crime risks in their own relationships with individuals and entities whose wealth, funds or revenue derives from crypto-related activities. More recently, the FCA sent a ‘Dear CEO’ letter to firms regulated under the Payment Services Regulation 2017 and Electronic Money Regulations 2011, identifying three ‘outcomes’ that the FCA wants those firms to achieve, with financial system integrity through anti-money laundering and sanctions measures being one such outcome. The FCA’s letter identifies common financial crime issues that the FCA has observed at firms and the action that it expects firms to take to address those issues.
DATA PROTECTION AND CYBERSECURITY
Data protection
- What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
On 25 May 2018, the GDPR came into force with direct effect across the entire European Union. In the United Kingdom, the Data Protection Act 2018 came into force at the same time as the GDPR and supplemented the GDPR as it applied in the United Kingdom. Following Brexit, the GDPR took effect in the United Kingdom as the ‘UK GDPR’, which is the retained EU law version of the GDPR as amended by various data protection EU exit regulations. The Data Protection Act 2018 now supplements the UK GDPR. The government has published Keeling Schedules showing the changes (in redline form) to the EU GDPR and the Data Protection Act 2018 made by the data protection EU exit regulations. These schedules are not law but are a useful guide to how the UK GDPR and the Data Protection Act 2018 now look.
Going forward, for any entity in the United Kingdom, one or both of the UK GDPR or the EU GDPR (together, the GDPR) may apply, depending on what activities that entity carries out, and it will need to be established whether any entity is subject to one or both regimes. Currently, the UK GDPR and the EU GDPR obligations continue to be very similar or the same, but this should be kept under constant review.
The GDPR governs the storage, viewing, use of, manipulation and other processing by businesses of data that relates to a living individual. In summary, the GDPR requires that businesses may only process personal data where that processing is done in a lawful, fair and transparent manner, as further described in the GDPR.
The GDPR requires that any processing of personal data must be done pursuant to one of the available lawful bases for processing. One of the most commonly used lawful bases for processing is to obtain the consent of the data subject to that processing – in relying on this lawful basis, the business must ensure that the consent is freely given, specific, informed and unambiguous, and capable of being withdrawn as easily as it is given. This places a significant burden on businesses to ensure that their customers are fully informed as to what their personal data is being used for. Other lawful bases for processing data include where that processing is necessary for the business to perform a contract it has with the data subject, where the business has a ‘legitimate interest’ in processing the personal data (which is not overridden by the ‘fundamental rights and freedoms’ of the data subject) or where required to comply with an obligation the business has at law (not a contractual obligation).
The GDPR does not apply to personal data that has been truly anonymized – as anonymized data cannot, by definition, be personal data. However, to ensure that GDPR does not apply to a certain data set, that data set must be truly anonymized. The GDPR itself gives limited guidance on anonymization in Recital 26, requiring data controllers to consider a number of factors in deciding if personal data has been truly anonymized, including the costs and time required to de-anonymize, the technology available at the time to attempt de-anonymization and further developments in technology.
Businesses that infringe the GDPR may be subject to administrative fines of an amount up to €20 million under the EU GDPR (£17.5 million under the UK GDPR) or 4 percent of global turnover, whichever is higher. If an entity is subject to both the UK GDPR and the EU GDPR, it is possible for the entity to be fined under both regimes for the same breach.
The oversight of UK businesses’ compliance with the UK GDPR and related legislation, and enforcement of them, is carried out by the UK regulator, the Information Commissioner’s Office. If a UK business has operations in the European Union that mean it is subject to the EU GDPR, it may need to appoint a representative in the EU member state in which those operations are most significant, and the oversight of UK businesses’ compliance with the EU GDPR and related legislation, and enforcement of them, generally will be led by the relevant regulator in that EU member state.
There are restrictions under both the EU GDPR and the UK GDPR on transfers of personal data to non-EU or UK countries that are not deemed to offer a standard of protection by the European Commission or the UK government (as applicable). Unless a derogation under article 49 of the GDPR is available, a suitable data transfer mechanism will be needed to legitimize such transfers. The most common method of legitimizing these transfers is the entry into ‘standard contractual clauses’, as approved by the European Commission or UK government (as applicable). Following the Schrems II judgment, businesses are now also required to carry out a ‘transfer impact assessment’, which requires businesses to review whether any supplementary measures are needed to ensure that transfers relying on the standard contractual clauses (or ‘binding corporate rules’) provide adequate data protection for the personal data in practice.
In June 2022, the government published its long-awaited plans to reform the UK Data Protection Act 2018, following the Queen’s Speech in May 2022, in which it announced that it saw the bill as an opportunity to create a more ‘pro-growth and pro-innovation data regime while maintaining the UK’s world-leading data protection standards’. Since then there have been a number of announcements seeking to reform the existing UK data protection regime following Brexit, including the Data Protection and Digital Information (No. 2) Bill, which was introduced into Parliament in March 2023. While the Bill is at the time of writing undergoing Parliamentary scrutiny, the overarching pro-innovation and growth principles of the Bill have been well received.
There are no rules or regulations in the United Kingdom relating to personal data that are specifically aimed at fintech companies.
Cybersecurity
- What cybersecurity regulations or standards apply to fintech businesses?
There are no rules or regulations in the United Kingdom that provide cybersecurity requirements for fintech businesses specifically. More generally, the UK GDPR imposes requirements on businesses in the United Kingdom to ensure a high standard of security over personal data that they process, including the general obligation to have in place reasonable technical and organizational measures to ensure the security of that data, compliance with which requires measures relating to cybersecurity to be put in place.
Further, for FCA-regulated businesses, the FCA has significant powers of oversight and enforcement in respect of those businesses’ internal systems and controls relating to the protection of confidential client information. The FCA actively manages and oversees these requirements and, in recent years, has imposed significant fines on entities that have failed to meet these requirements.
OUTSOURCING AND CLOUD COMPUTING
Outsourcing
- Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?
The position on regulation of outsourcing by financial services companies in the United Kingdom is a complex picture, encompassing a number of different requirements that apply in different ways, depending on the type of financial services business in question.
The most important of these requirements are the European Banking Authority (EBA) guidelines. On 25 February 2019, the EBA published revised (final) guidelines on outsourcing arrangements (the Guidelines) for credit institutions and certain investment firms as well as payment and e-money institutions. The Guidelines amend and finalize previously published draft guidelines in light of extensive consultation responses from the industry and industry bodies. Therefore, the Guidelines are consistent with, and build upon, the previous Senior Management Arrangements, Systems and Controls Chapter 8 (SYSC 8) requirements within the Financial Conduct Authority (FCA) Handbook (which now operate mostly as guidance rather than as requirements); however, they apply to a broader set of businesses than SYSC 8 – most noteworthy is the inclusion of payment and e-money institutions, which are not subject to SYSC 8.
In broad terms, the Guidelines provide more granular detail around requirements that relevant businesses must comply with when carrying out outsourcing (including in relation to internal processes and procedures), compared to the SYSC 8 requirements.
The Guidelines took effect on 30 September 2019 and have been adopted in the United Kingdom. All new outsourcing contracts entered into after this date should be compliant with the Guidelines, and relevant institutions are expected to review and update any internal processes and procedures to meet the Guidelines’ requirements. Companies that did not finalize remediations of existing contracts by 31 March 2022 are obliged to inform the FCA, as the FCA confirmed that the original hard deadline set by the EBA of 31 December 2021 no longer applied in the United Kingdom. The Guidelines support the harmonization of existing regulation and guidance applicable to different types of financial services firms.
The Prudential Regulation Authority (PRA) and the FCA have also published supervisory statements (Statements) that build on the Guidelines and set out the PRA and the FCA’s expectations as to how UK firms will implement outsourcing regulation and manage outsourcing risks, as well as certain other material or high-risk third-party arrangements that are outside the scope of the Guidelines. The Statements make up part of the PRA and the FCA’s wider focus on operational resilience and aim to ensure firms have robust structures and processes in place to manage third-party risk.
Firms that are regulated by the PRA were expected to comply with the expectations in the PRA Statements by 31 March 2022, mirroring the deadline set by the FCA. These expectations are broadly in line with the Guidelines but expand the scope to certain third-party arrangements.
In April 2021, the Bank of England (BoE) published three consultation papers on the requirements that must be met for outsourcing and third-party arrangements for Financial Market Infrastructure (FMI) entities, which appear to extend the expectations under the PRA Statement to FMI entities. The BoE issued a policy statement in February 2023 providing feedback in response to the three consultation papers, publishing final Supervisory Statements for outsourcing and third-party risk management for different forms of FMIs, and a Code of Practice for Recognised Payment Operators and Specific Service Providers. FMIs will be expected to comply with expectations in their respective Supervisory Statement or Code of Practice by 9 February 2024, and any outsourcing agreements entered into on or after 8 February 2023 will be expected to meet the Supervisory Statement before then.
Operational resilience
Operational resilience is a third pillar of financial regulation concerning banks and other financial services firms, defined by the PRA as ‘the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions’.
In the United Kingdom, last year, the UK financial regulators issued new policy and supervisory statements on operational resilience, which came into force in March of this year impacting investment firms, banks, insurers, and branches of non-UK firms operating in the United Kingdom, including the PRA’s supervisory statement SS1/21 ‘Operational Resilience: Impact tolerances for important business services’, which requires firms to prepare for ‘severe but plausible risks’ in connection with important business services. Since then, further consultation papers have been issued indicating the extension of the scope of regulation to a broader range of market participants (such as payment service providers and financial market infrastructure providers) and there is currently discussion in the United Kingdom on the extension of regulatory oversight to critical third-party technology suppliers. The approach the UK regulators have taken is to focus on the resilience of the important products or services offered by the firm to the market.
The rules proposed under the consultation papers apply to all third-party service provision arrangements, which is wider than just outsourcings. Among other things, the FCA identified concentration risks (e.g., dependency on a particular service provider within the financial services sector) and global service providers with inconsistent resilience requirements across various countries as key areas of risk from an operational resilience perspective.
Traditionally regulated financial entities will be subject to both the PRA and the FCA operational resilience requirements, whereas a select few firms (including UK investment exchanges) will only be subject to the FCA requirements. On the premise that the occasional operational disruption is unavoidable, both regulators expect firms to govern their operations accordingly by taking the following steps during the three-year transitional period starting on 31 March 2022:
- Firms must identify their important business services and establish impact tolerances for each service, determined by the maximum period of time a service can be disrupted before it impacts the stability of the firm, customer, or the financial sector as a whole. The firm must implement strategies, processes and systems accordingly.
- Map the resources that are fundamental to supporting important business services and test their capabilities to perform within the relevant impact tolerance throughout a range of plausible disruption scenarios.
- Use the testing data or information garnered from a disruption to perform a ‘lessons learned’ exercise to identify weaknesses and where to prioritize
- Firms will then be required to prepare and keep up to date a written self-assessment of their compliance with the operational resilience requirements, and maintain internal and external communications including clear and timely communications to relevant stakeholders in the event of a disruption.
- Ensure the regular engagement of boards and senior management in setting effective standards for the management of operational resilience, and further ensure those firm members have the required expertise and training to discharge their respective resilience responsibilities.
By 31 March 2025, the PRA and the FCA expect firms to approach operational resilience as a dynamic governance activity and have established a clear, comprehensive strategy against operational risk aligned with their respective regulation framework.
Cloud computing
- Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?
There are no specific legal requirements in the United Kingdom regarding the use of cloud computing in the financial services industry. However, there does exist a body of guidance on the subject and a number of legal requirements that apply to indirectly regulate the use of cloud computing in financial services.
The primary legal requirements relevant to this question relate to the EBA Guidelines and other outsourcing requirements, which apply to financial services businesses when outsourcing material functions. In many different contexts, the use of cloud services will be of sufficiently significant importance to the business’s operations to bring this requirement into scope and require the business to meet those outsourcing requirements in undertaking outsourcing. In particular, the European Securities and Markets Authority (ESMA) published guidelines on outsourcing to cloud service providers on 10 May 2021 (the ESMA Guidelines). The ESMA Guidelines are intended to ensure that firms and competent authorities identify, address, and monitor their cloud outsourcing arrangement risks. As with the EBA Guidelines, the ESMA Guidelines provide more granular detail around requirements that relevant businesses must comply with when carrying out outsourcing, with a particular focus on information security requirements in their internal policies, including the protection of confidential, personal, or otherwise sensitive data. The guidelines took effect from 31 July 2021 and apply to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date, and firms should review and amend existing cloud outsourcing arrangements by 31 December 2022.
INTELLECTUAL PROPERTY RIGHTS
IP protection for software
- Which intellectual property rights are available to protect software, and how do you obtain those rights?
Computer programs (and preparatory design materials for computer programs) are protected by copyright as literary works. Copyright arises automatically as soon as the computer program is recorded. No registration is required.
Databases underlying software programs may also be protected by copyright and, in certain circumstances, by database right. Database right is a standalone right that protects databases that have involved a substantial investment in obtaining, verifying or presenting their contents (see section 14(1) of the Copyright and Rights in Databases Regulations 1997). Both database copyright and database rights arise automatically without any need for registration.
If the software code has been kept confidential, it may also be protected as confidential information. No registration is required.
Programs for computers, and schemes, rules or methods of doing business ‘as such’, are expressly excluded from patentability under the Patents Act 1977 (PA 1977). These exclusions ultimately flow from the European Patent Convention. Notwithstanding these exclusions, it is possible to obtain patents for computer programs and business methods if it can be shown that the underlying invention makes a ‘technical contribution’ over and above that provided by the computer program or business method itself, such as an improvement in the working of the computer. Accordingly, a well-drafted patent may be able to bring a computer-based, software or business method invention within this requirement, but this may be difficult to do and will not always be possible. Registration formalities must be followed to obtain protection.
IP developed by employees and contractors
- Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?
Copyright and database rights created by an employee in the course of their employment are automatically owned by the employer unless otherwise agreed (see section 11(2) of the Copyright, Designs and Patents Act 1988). Inventions made by an employee in the course of their normal duties (or, in the case of employees who owe a special obligation to further the interests of their employer’s business, in the course of any duties) are automatically owned by the employer (section 39 of PA 1977).
However, copyright and inventions created by contractors or consultants in the course of their duties are owned by the contractor or consultant unless otherwise agreed upon in writing.
Database rights are owned by the person who takes the initiative and assumes the risk of investing in obtaining, verifying and presenting the data in question. Depending on the circumstances, this is likely to be the business that has retained the contractor or consultant.
Joint ownership
- Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?
Restrictions on a joint owner’s ability to use, license, charge or assign its right in intellectual property will depend on the intellectual property right in question. For example, the restrictions on a joint owner of a patent are different from those on a joint owner of copyright.
A joint copyright owner cannot copy, license or grant security over a jointly owned copyright without the consent of the other joint owners (see sections 16(2) and 173(2) of the Copyright, Designs and Patents Act 1988). Each joint owner may assign their own interest, but consent is required for an assignment of the whole right. A joint copyright owner is also able to grant security over their interest.
In the case of UK patents and patent applications, a joint owner is entitled to work the invention concerned for his or her own benefit and does not need the consent of the other joint owners to do so (section 36(2) of PA 1977). However, the consent of the other joint owners is required to grant a license under the patent or patent application and to assign or mortgage a share in the patent or patent application (section 36(3) of PA 1977).
The situation is similar for UK-registered trademarks. Each joint owner is entitled to use the registered trademark for their own benefit without the consent of the other joint owners (section 23(3) of the Trade Marks Act 1994 (TMA 1994)), but the consent of the other joint owners is required to grant a license of the trademark and to assign or charge a share in the trademark (section 23(4) of TMA 1994).
Given the variations in the rights and restrictions of joint owners, and given that the rights of joint owners also differ on a country-by-country basis, it is highly advisable in any situation where parties work together on a project to agree at the outset how the results are to be owned by the parties and their individual rights to exploit the results. In general, joint ownership of intellectual property should be avoided if possible because of the complexities described earlier.
Trade secrets
- How are trade secrets protected? Are trade secrets kept confidential during court proceedings?
Protection of trade secrets in the United Kingdom is regulated by the Trade Secrets (Enforcement, etc) Regulations 2018 (the Trade Secrets Regulations), which implemented the EU Trade Secrets Directive in the United Kingdom and came into force on 9 June 2018. Trade secrets are also protected by the law on breach of confidence, which provides broadly the same level of protection as is required under the Trade Secrets Directive. The Trade Secrets Regulations define what qualifies as a protectable trade secret, providing protection for information that:
- is secret, in the sense that it is not generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question;
- has commercial value because it is secret; and
- has been subject to reasonable steps (under the circumstances) by the holder of the information to keep it secret.
The Trade Secrets Regulations also implemented aspects of the EU Trade Secrets Directive that differed from, or added to, the existing law applying to the protection of confidential information. This includes specifying the limitation period for bringing a trade secrets claim and the rules regarding awarding damages and interim and corrective measures.
Confidential information (which may include non-public information that is not captured by the definition of ‘trade secret’) can be protected against misuse, provided the information in question has the necessary quality of confidence and is subject to an express or implied duty of confidence. In the case of both trade secrets and confidential information, no registration is necessary (or possible). Trade secrets and confidential information can be kept confidential during civil proceedings with the permission of the court.
Branding
- What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?
Brands can be protected as registered trademarks in the United Kingdom. Following Brexit, it is no longer possible to protect a brand in the United Kingdom via an EU trademark. A brand can also be protected under the common law tort of passing off if it has acquired sufficient goodwill.
Certain branding, such as logos and stylized marks, can also be protected by design rights and may also be protected by copyright as artistic works.
The UK database can be searched to identify registered or applied-for trademark rights with effect in the United Kingdom. It is highly advisable for fintech businesses to conduct trademark searches to check whether earlier registrations exist that are identical or similar to their proposed brand names. It may also be advisable to conduct searches of the internet for any unregistered trademark rights that may prevent the use of the proposed mark.
Remedies for infringement of IP
- What remedies are available to individuals or companies whose intellectual property rights have been infringed?
Remedies include:
- preliminary and final injunctions;
- damages or an account of profits;
- delivery up or destruction of infringing products;
- publication orders; and
- costs.
COMPETITION
Sector-specific issues
- Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?
Competition authorities in the United Kingdom (and elsewhere) face a range of potentially complex competition law issues in relation to fintech offerings. These include:
- the risk of anti-competitive collusive behavior between undertakings through partnerships or industry initiatives (including environmental, social and corporate governance initiatives);
- the risks around the exchange of competitively sensitive information;
- the risks of a fintech firm or platform obtaining a dominant position in the market and any behavior that could potentially exclude or exploit other market players;
- the development and participation in technical standards;
- exclusivity arrangements between parties to a fintech offering;
- the limits of any specified tying or bundling of products or services to the fintech solution; and
- issues around the anti-competitive use of algorithms and machine learning.
The Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) and the Payment Systems Regulator (all of which are concurrent competition law enforcement authorities in the United Kingdom) generally consider fintech to represent a pro-competitive force, leading to change in markets and encouraging innovation. For example, the FCA is an active participant in the Global Financial Innovation Network.
However, the CMA has been undertaking a number of initiatives to formulate its approach to the regulation of competition in the UK digital markets – including fintech – with a view to focusing on the protection of the consumer.
Since undertaking an investigation into the retail banking market and the implementation of the Open banking remedies (intended to improve the quality of the information provided to customers), the CMA has also taken advice from external experts, advocating a more involved approach to competition regulation. More specifically, the CMA was advised to perform more sophisticated analyses of digital mergers, consider the role of big data in creating barriers to entry, and take account of network effects to create more effective rules for large digital platforms (see the Furman and Lear reports for further information).
As a result, the CMA issued its initial Digital Markets Strategy in June 2019, which recognized the profound changes taking place across the economy, and society more widely, as a result of the growth of digital markets. It set out the CMA’s priorities for its digital work to address these changes and ensure consumers continue to get good outcomes in those markets through competition and innovation. The Digital Markets Strategy was refreshed in February 2021 in light of the market changes that had taken place – not least, the government’s decision to establish a Digital Markets Unit (DMU) within the CMA. The DMU was subsequently established within the CMA on 7 April 2021 to focus on operationalizing and preparing for the new regulatory regime to be legislated. The intervening period had also seen the CMA – among other things:
- create a Digital Markets Taskforce: a dedicated unit with the role of monitoring developments in digital markets and advising the government on how best to approach them;
- work with Ofcom and the Information Commissioner’s Office to establish the Digital Regulation Co-operation Forum (DRCF) to support cooperation and coordination on online regulatory matters, and enable coherent, informed and responsive regulation of the UK digital economy (the FCA joined as a full member in April 2021). The DRCF has since published its ‘2023/24 workplan’, which set out the organization’s key areas of focus for 2023–2024. These are to promote competition and data protection, increase online safety and support effective governance of algorithmic systems;
- revise its Merger Assessment Guidelines to ensure that the way in which digital technologies have affected how goods and services are delivered to customers, and how businesses compete with each other, is properly reflected in assessing whether a merger could harm consumers. In particular, the new guidelines seek to address the competition challenges arising from two-sided markets, the potential for digital input foreclosure, and potential or dynamic theories of competitive harm; and
- increase its data and behavioral science capabilities through the work of its DaTA unit, including launching an analyzing algorithms program.
On 9 March 2022, the government published its Plan for Digital Regulation, which aimed to drive agile regulation, offering clarity and confidence to consumers and businesses. Regulation was to be underpinned by three principles:
- actively promoting innovation;
- achieving forward-looking and coherent outcomes; and
- exploiting opportunities and addressing challenges in the international arena.
Following this consultation process, in April 2023, the Digital Markets, Competition and Consumers (DMCC) Bill was published in draft form. The DMCC Bill is a piece of UK legislation that aims to promote free and fair competition among businesses, both online and offline, while also protecting consumers from unfair practices. The Bill is likely to come into effect in the second half of 2024. There are three primary areas of focus for the legislation (which applies to the fintech sector just as any other), namely:
- consumer protection: empowers the CMA to take enforcement action against businesses that use unfair practices to deceive consumers, such as fake reviews, subscription traps and pressure selling;
- digital markets: the Bill establishes a new regime overseen by the DMU within the CMA, which is designed to hold digital firms accountable for their actions and prevent firms with ‘strategic market status’ (considered in the current draft legislation to be ‘substantial and entrenched market power and a position of strategic significance in respect of the digital activity’) from using their size and power to limit digital innovation or market access; and
- competition: the DMCC Bill aims to promote competition in the economy more broadly. It gives the CMA stronger investigative and enforcement powers, which allow it to conduct faster and more flexible competition investigations, and identify and stop unlawful anti-competitive conduct more quickly.
The CMA has also continued in its increasingly interventionist stance in UK merger cases. This more interventionist approach has been present in all sectors to some extent, but it has been particularly noticeable in relation to fintech deals as it is seen to play an important role in the UK’s post-Brexit standing as a global financial center. Over the past few years, a number of in-depth investigations have been related to transactions involving fintech players (e.g., FNZ’s acquisition of GBST, PayPal’s acquisition of iZettle, and the merger of Crowdcube and Seedrs). Innovation and potential (future) competition theories of harm are very much at the forefront of the CMA’s merger analyses.
TAX
Incentives
- Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?
The United Kingdom has introduced a wide range of tax incentives that are available to fintech companies and investors in such companies. The key incentives are set out below, although there are a number of conditions to be met to qualify for each scheme:
- seed enterprise investment scheme (SEIS): 50 percent income tax relief and exemption from capital gains tax for investors in high-risk start-up trading companies;
- enterprise investment scheme (EIS): 30 percent income tax relief and exemption from capital gains tax for investors in small high-risk trading companies;
- venture capital trust (VCT) scheme: 30 percent income tax relief and exemption from capital gains tax for investors in venture capital trusts, which subscribe for equity in, or lend money to, small unquoted companies;
- business asset disposal relief (formerly entrepreneurs’ relief): a reduced 10 percent capital gains tax rate for entrepreneurs selling business assets (only available to directors and employees of businesses);
- investors’ relief: a reduced 10 percent capital gains tax rate that allows other types of shareholders to benefit from the same relief as is provided under business asset disposal relief when they sell their shares. Unlike business asset disposal relief, this reduced rate is only available to investors who have not been officers or employees in the company whose shares are being sold;
- research and development tax credits: tax relief for expenditure on research and development;
- patent box regime: a reduced 10 percent corporation tax rate for profits from the development and exploitation of patents and certain other intellectual property rights;
- innovative finance individual savings account (ISA) eligibility: peer-to-peer (P2P) loans are eligible for inclusion in tax-free ISAs;
- tax relief for P2P bad debt: an income tax relief for irrecoverable P2P loans, or P2P bad debt; and
- P2P interest withholding tax exemption: P2P loan interest payments are exempt from UK withholding tax.
A company may raise up to £250,000 (increased from £150,000 from April 2023) under the SEIS and up to a total of £5 million (£10 million for knowledge-intensive companies) over 12 months from ‘relevant investments’, which includes investments under the SEIS and EIS and investments by VCTs (subject to a lifetime limit of £12 million or £20 million). While financial activities are an excluded activity for the SEIS, EIS and VCT scheme, as long as a fintech company is only providing a platform through which financial activities are carried out, such a fintech company should still qualify for those schemes assuming it meets the other conditions.
For expenditure incurred on or after 1 April 2023, the R&D Expenditure Credit rate increased from 13 percent to 20 percent, the small and medium-sized enterprise (SME) additional deduction rate reduced from 130 percent to 86 percent, and the SME payable credit rate (for non-R&D intensive companies) decreased from 14.5 percent to 10 percent.
The government also published details of a new R&D scheme for qualifying ‘R&D intensive’ SMEs from 1 April 2023. Eligible R&D-intensive SMEs are able to claim an additional higher R&D payable credit rate of 14.5 percent instead of the 10 percent credit rate for non-R&D intensive companies. An ‘R&D intensive’ company is a ‘loss-making SME with an R&D intensity of at least 40%’ (meaning that such company incurs at least 40 percent of its expenditure on R&D). Legislation will be included in the Finance Act 2023.
Increased tax burden
- Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?
The headline rate of UK corporation tax increased from 19 percent to 25 percent from April 2023.
The government continues its review of the UK funds regime that could result in wide-ranging changes to the tax and regulatory frameworks for investment funds in the United Kingdom. In addition, Budget 2020 announced a review of how financial services are treated for value added tax (VAT) purposes and the European Commission has also launched a similar review. Fintech companies are advised to keep an eye on what emerges from these reviews, given the potential impact on their tax position.
The digital services tax (DST) was introduced on 1 April 2020 following a government consultation. This 2 percent tax applies to the revenues of search engines, social media services and online marketplaces, which derive value from UK users. The DST applies where a group’s worldwide revenue from digital activities is more than £500 million and more than £25 million of the revenue is derived from the United Kingdom. As such, the tax is expected to impact a small number of large multinationals. Financial services providers are excluded from the online marketplaces definition, meaning fintech companies should generally fall outside the scope of this tax. However, where there are unified platforms with social media, marketplace and search engine elements and the threshold conditions are met, then fintech companies could fall in scope for revenue from the social media and search engine income streams. It is expected that the UK DST will be replaced in the longer term by the introduction of multinational rules based on Organization for Economic Co-operation and Development (OECD) Pillar One.
The government recently consulted on merging the two existing R&D expenditure incentive schemes. The government has indicated it will publish draft legislation on a possible merged scheme for technical consultation in summer 2023 with potential implementation from April 2024.
Changes are being made to the UK’s transfer pricing documentation requirements, which will align them with the OECD Transfer Pricing Guidelines. This measure will primarily affect businesses operating in the United Kingdom, which are part of a large multinational enterprise group that has global revenues of €750 million or more and will have effect for accounting periods commencing on or after 1 April 2023 for corporation tax purposes.
A multinational top-up tax and domestic top-up tax will be introduced for groups with annual global revenues exceeding €750 million where they are conducting business activities in the United Kingdom. These top-up taxes form the first stage of the UK’s implementation of the OECD’s Pillar Two rules. The objective of Pillar Two is to implement a global minimum level of taxation for corporate entities at an effective rate of 15 percent. The multinational top-up tax will target UK parent companies within a multinational enterprise group. The top-up tax will be triggered where:
- a UK parent company has an interest in entities overseas in a non-UK jurisdiction; and
- the UK parent company’s group has profits arising in such non-UK jurisdiction that are taxed below 15 percent.
The domestic top-up tax will target UK companies. The domestic top-up tax will be triggered where the company or group’s profits in the United Kingdom are taxed below 15 percent. In essence, the UK government considers that if UK companies are to be subject to a top-up tax, the UK Exchequer should benefit from it. The measures will have effect for accounting periods beginning on or after 31 December 2023.
IMMIGRATION
Sector-specific schemes
- What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?
All non-UK nationals, save for Irish nationals, need permission to work in the United Kingdom.
The Skilled Worker visa is most relevant. A candidate needs an offer from a licensed sponsor and the role must meet minimum skill and salary criteria. A lower salary may be paid where the worker is aged under 26, has a relevant PhD or STEM PhD or the role is a specified shortage occupation. IT business analysts, architects and system designers, programmers and software development professionals, web design and development professionals and cyber security specialists are currently shortage occupations but finance roles are not.
Licensed sponsors with linked overseas entities may use the Global Business Mobility (GBM) route, including the Senior and Specialist Worker category. The minimum skill and salary levels for the UK role are higher than for a Skilled Worker and the worker must have at least 12 months’ service with the linked overseas employer unless they are a high earner.
The GBM Secondment Worker route is for those being seconded to the United Kingdom as part of a high-value contract or investment by their overseas employer. However, there are stringent financial thresholds that will limit the use of this route.
The GBM UK Expansion Worker route is the route for those looking to set up a company in the United Kingdom. It can only be used by businesses who are not yet trading in the United Kingdom and requires the worker to be sponsored by a branch or wholly owned subsidiary of an established overseas business. The same minimum skill and salary criteria and overseas employment criteria apply as for the GBM Senior and Specialist Worker route.
Founders of an innovative scalable company in the United Kingdom may be eligible for the new Innovator Founder visa (formerly the Innovator visa but incorporating elements of the now closed Start-Up visa). Business plans must be endorsed by a UK-authorized body but there is no requirement for initial capital to invest in the business and visa holders can undertake additional skilled work.
A Global Talent visa (Digital Technology) is an option where an individual has technical or business skills in the digital technology sector and is endorsed as a leader in their field. Such endorsement is currently by Tech Nation.
The High Potential Individual visa is for recent graduates from institutions named on the UK Visas and Immigration Global Universities List. Crucially, no sponsorship is required, applicants do not need to have a job offer and can work in any capacity. This route is therefore particularly useful for employers who do not yet have a sponsor license. For other graduates, there is the Graduate visa. Students, sponsored by a UK institution, who have completed a UK degree or other eligible course may apply. The employer does not need to sponsor the individual and they can work in any role for up to two years following which they can switch into a Skilled Worker visa.
UPDATE AND TRENDS IN FINTECH IN UNITED KINGDOM
Current developments
- Are there any other current developments or emerging trends to note?
The authorities in the United Kingdom continue to develop their approach to the regulation of fintech businesses.
Over the next 12 months, the UK legislative and regulatory authorities are expected to focus considerable attention on the regulation of cryptoassets, enforcing the consumer duty, gaining a better understanding of banking as a service or embedded finance models and increasing protection from authorized push payment fraud.
In February 2023, the Financial Conduct Authority (FCA) and the Bank of England (BoE) published their latest regulatory grid to help financial firms prepare for upcoming regulatory work planned by the UK’s legislative and regulatory bodies, including the government, the FCA, the BoE, the Competition and Markets Authority and the Payment Systems Regulator. Upcoming regulatory developments relevant to the fintech sector include:
- the coming into force, at the end of July 2023, of the new consumer duty, which will apply to all regulated firms who either face retail clients or customers directly or manufacture products for such customers (including digital banks, robo-advisers and insurers as well as payments, e-money and crypto firms);
- consultations on rules for the stablecoin regime, the future regulatory regime for cryptoassets, and oversight of critical third parties;
- further consultation by the BoE on the potential introduction of a UK central bank digital currency;
- the expansion of a new financial markets infrastructure sandbox to support firms wishing to use new technology such as distributed ledger technology to provide infrastructure services to the financial markets;
- a consultation and draft legislation on the regulation of buy-now, pay-later. The new legislation is expected to be introduced in 2023;
- a response to the consultation on the opportunities and risks arising from open finance and the FCA’s role in ensuring that it develops in the best interests of consumers;
- publication of further measures to help prevent authorized push payment scams and the reimbursement regime for such scams, focusing on the implementation of systems to provide confirmation of payee services starting for some firms from the third quarter of 2023;
- a call for evidence on the Payment Services Regulations Review;
- publication of a consultation paper on incident and outsourcing reporting arrangements; and
- a consultation on new access to cash legislation expected in the summer of 2023.
* The authors wish to thank Minesh Tanna, Angus Brown, Ben Foster, Viktorija Kasper, Gary Barnett, David Trapp and Jo Crookshank for their assistance in the preparation of this chapter.
* The information in this chapter was accurate as of June 2023.