Contributed By Fox Williams LLP
Brexit uncertainty dominated thinking in the FinTech market in the UK in 2018 and will continue to have a major impact in 2019. The main issue has been the loss of passporting rights of UK-regulated firms across the EU, meaning that (almost certainly) UK-regulated FinTechs that want to carry on regulated business in the rest of Europe will also need to establish a European-based entity to enable them to do so. Brexit is also likely to make it harder for FinTech and other firms to recruit and retain non-UK national employees.
The proposed regulation of digital assets in 2019 is another interesting development in the UK’s FinTech scene. The last quarter of 2018 saw the framework being laid for regulation of digital assets through the publication of the Treasury Select Committee report on digital currencies, followed by the publication of the final report of the Crypto Assets Task Force (consisting of HM Treasury, the FCA and the Bank of England). In early 2019 the FCA published the first of a series of consultations relating to the regulation of digital assets. 2019 will likely be the year in which regulators, law-makers and legal reform groups obtain the feedback from stakeholders required to prepare coherent and complementary legislation and regulation for digital assets.
2018 saw phenomenal growth of challenger banks and 'neo-banks' such as Monzo and Revolut – FinTechs that provide hassle-free consumer banking products, with the main draws being mobile-based current accounts that allow customers to hold, exchange and transfer money without fees and categorisation of spending. It is thought that these FinTechs, which originally appealed to younger digital natives, will go mainstream over the next twelve months and expand their market share not only in the UK, but also further afield.
It is a criminal offence to carry on regulated financial services activities in the UK without being (i) authorised by the Prudential Regulation Authority (PRA) or FCA, or (ii) exempt from the obligation to be authorised. The regulated activities include deposit-taking, entering into or selling contracts of insurance, lending to consumers, operating a peer-to-peer lending platform, advising on the sale or purchase of shares, debentures and other kinds of securities, and arranging or helping to bring about the sale or purchase of any of these products. Most of these activities are governed by the Financial Services and Markets Act 2000, the Financial Services and Markets Act (Regulated Activities Order) 2001, the PRA’s Rulebook and the FCA’s Handbook of Rules and Guidance.
However, (i) the issue and redemption of electronic money are governed by the Electronic Money Regulations 2011; (ii) money remittance, services enabling cash to be placed on or withdrawn from payment accounts, the execution of direct debits and standing orders, the issue of payment instruments and acquiring payment transactions are governed by the Payment Services Regulations 2017; and (iii) most regulated FinTech and other financial services businesses must also comply with the Money Laundering Regulations 2017.
In the UK, FinTech firms are obliged to comply with the same laws and regulations as other financial services-providers and the law does not usually distinguish between FinTech and non-FinTech companies. Most of the relevant law applies uniformly across the whole of the UK, although there are some instances where the law in England and Wales is different to the law in Scotland or Northern Ireland.
The FCA has established a sandbox.
It is a criminal offence to carry on regulated financial services activities in the United Kingdom without being authorised by the PRA or FCA, or exempt from the obligation to be authorised. It can be expensive and time-consuming to prepare and submit an application for authorisation, and the time and cost would be wasted if a new firm’s innovation does not work in a live environment as expected. The FCA’s sandbox allows firms to obtain a restricted authorisation, which is just enough to enable them to test their ideas, before making an application for a full authorisation if it makes commercial sense to do so, when their test results are available.
To qualify for a place in the sandbox, a firm must be able to show that:
The typical sandbox testing period is six months. Firms are required to prepare and submit a sandbox testing report within four weeks of the end of the test period. The FCA will provide feedback on the test report, but it will not certify a business model, or sign off a product or services. It will, however, usually work with cohort participants to identify appropriate next steps.
The UK has two primary financial services regulators: the PRA, which authorises banks and insurers, and regulates them with the FCA; and the FCA, which authorises and regulates almost every other financial services business established or operating in the UK.
The regulators supervise regulated firms in different ways depending on, for example, the size and nature of the business, whether it holds or controls client money, and whether it operates in the retail or wholesale markets. Regulated firms are required to self-report material rule breaches and submit regular financial and other reports. The largest, highest-risk firms are subject to 'close and continuous' supervision. Large firms usually receive an annual supervisory visit, when their directors, officers and key staff are interviewed; and systems, records and other checks are carried out. Small, lower-risk firms might only receive a supervisory visit once every three or four years, but they still receive regular requests for information from the FCA, in particular.
Prior regulatory approval is usually required before a legal or natural person acquires control of a PRA or FCA-authorised firm.
The FCA is broadly responsible for regulating standards of conduct in retail and wholesale markets, supervising trading infrastructures that support those markets and the prudential supervision of firms that are not PRA-regulated. It also has a single strategic objective to ensure that the markets for financial services function well. Three operational objectives support this: securing an appropriate degree of protection for consumers, protecting and enhancing the integrity of the UK financial system, and promoting effective competition in the financial services markets. The FCA is funded by the firms it regulates. It is ultimately accountable to the UK Parliament.
The PRA is responsible for the prudential regulation and supervision of banks, insurers and designated investment firms. Its objective is to promote the safety and soundness of these firms.
The FCA categorises the firms it supervises and pays more attention to the larger firms and those that pose the greatest risk to its objectives. These firms will usually have dedicated supervisors and will receive regular requests for information and regular supervisory visits. The FCA also uses Thematic Reviews to identify emerging risks in particular parts of the market. For FinTechs, it also uses the Innovation Hub, Advice Unit and sandbox for similar purposes.
The FCA has a wide range of enforcement powers, which can be criminal, civil or regulatory in nature. These include narrowing, restricting or withdrawing a firm’s authorisation, prohibiting individuals from carrying on regulated activities, issuing fines against firms or individuals who breach the FCA’s rules, and bringing criminal prosecutions for offences such as insider dealing or carrying on regulated activities without being authorised to do so.
The PRA and FCA work closely with other regulators and law enforcement agencies such as the police, the National Crime Agency, the Competition and Markets Authority and Trading Standards to find and take action against those who break the law.
Authorised firms looking to outsource functions must have regard to outsourcing provisions found throughout the FCA Handbook and PRA Rulebook. In addition, if the outsourcing constitutes a material outsourcing (defined in the FCA Handbook as “outsourcing services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm's continuing satisfaction of the threshold conditions or compliance with the [Principles for Business]”), the outsourcing firm must tell the FCA that it is proposing to enter into a material outsourcing arrangement, before doing so.
If an outsourced activity is a regulated activity, the vendor will need to be authorised by the PRA or FCA (as the case may be).
Whether or not an outsourced activity is regulated, the service-provider must agree to give (i) the FCA access to its business premises and (ii) the regulated firm’s auditors access to the service-provider’s relevant books and accounts, if asked. The service-provider must also make its relevant employees available to answer questions from the FCA and the regulated firm’s auditors, if required.
A firm must also take reasonable steps to ensure that a vendor to a material outsourcing contract deals in an open and co-operative way with the PRA or FCA (as the case may be).
FinTechs are most likely to outsource their know-your-customer (KYC) and anti-money laundering (AML) functions, and these functions will almost certainly constitute a material outsourcing. It is therefore important that FinTechs are aware of their KYC/AML obligations and ensure that the required provisions are reflected in their outsourcing contracts.
The UK has a 'financial promotions' regime, which applies every time a financial promotion is communicated, whether that is done using social media or in another way.
A financial promotion is an “invitation or inducement to engage in investment activity”, where the invitation, inducement or communication includes a promotional element. It is unlawful to communicate a financial promotion, unless (i) the person communicating it is PRA or FCA authorised and satisfied that the communication complies with the FCA’s financial promotions rules, (ii) the communication has been approved by a PRA or FCA authorised person, or (iii) the communication will only be made to those who fall into at least one of the exempt categories of recipient (for example, investment professionals and high net worth individuals) and it includes the relevant prescribed language.
Financial promotions can be communicated by social media, but not all communications by social media in relation to investments constitute financial promotions.
At a minimum, all communications by an authorised firm (including through social media) must be clear, fair and not misleading. For financial promotions, such communications will be subject to additional requirements and these will depend on the nature of the product or service being communicated.
Every communication, including through social media, must comply with relevant requirements on a standalone basis, rather than by reference to other social media posts.
It is possible for industry participants to offer unregulated products and services with regulated products and services. An example of this may be a finance-provider offering regulated consumer credit loans to consumers and unregulated business loans to companies. Quite often, the documentation and workflows are similar for both products, providing a greater level of transparency for the unregulated products. Such products may even be offered through the same legal entity, but the FCA makes it clear that the customer should be under no illusion as to whether a product is regulated or unregulated.
Robo-advisers are a subset of wealth managers. They typically target a part of the market that is underserved by legacy players, primarily because they can serve the chosen market more cost effectively than the incumbents. Some robo-advisers have targeted the mass affluent, whilst others have targeted millennials. However, the business model between incumbents and FinTechs has not really changed – the wealth manager still manages customers’ wealth, even if the customer interface used by FinTechs is more innovative.
Robo-advisers and incumbents are treated in the same way from a regulatory perspective.
Some robo-advisers are partnering with incumbents to offer their services to the incumbent’s customers on a white-labelled basis. Other robo-advisers only make their platforms available to the incumbents, in a pure B2B play. Some incumbents have tried to build their own platforms but this is not always a recipe for success.
There are significant differences in the regulation of loans to individuals and to businesses (whether small or otherwise). Loans to corporate entities are usually unregulated. However, recent scandals have increased the chance that small business loans will be regulated in the medium term.
Regulation of loans to individuals is governed by the Consumer Credit Act 1974 and the many regulations made under it. This area of law is complex and often dictated by form, rather than substance. Even a small departure from the law’s prescribed wording can render a consumer credit contract unenforceable, or stop a lender charging interest during a period of non-compliance.
For regulated consumer credit loans, underwriting processes are dictated by the FCA’s Consumer Credit Sourcebook (known as CONC), which sets out the assessments a regulated lender must make of a customer’s creditworthiness.
Many FinTechs use a number of data points in their underwriting processes not used by the incumbent players, such as social network data and information pulled from bank accounts (whether through screen scraping or open banking). This often gives the FinTechs an advantage in being able to underwrite loans to segments of society underserved by the incumbents.
Where businesses use online/cloud-based accounting software, some FinTechs may, through agreement with the accounting software-provider, require access to a customer’s account to monitor certain transactions, such as receivables or payments. This allows a FinTech, such as a credit provider, unparalleled real-time access to a company’s books, which it can then use to assess creditworthiness and monitor compliance with the terms of a credit agreement.
Online lenders obtain their funding from a variety of sources, such as facilitating peer-to-peer lending, raising capital on their own balance sheet (whether through a wholesale funding line or issuing bonds), taking deposits (if they have the requisite banking licence) and securitisations.
Facilitating peer-to-peer lending is a regulated activity for which authorisation from the FCA is required. It is a fairly onerous regulatory regime requiring maintenance of regulatory capital and close monitoring of client monies. Legally, each lender on a peer-to-peer lending platform has to be matched to a borrower (whether automatically by the platform or by selection by the lender), resulting in a bilateral loan contract between each lender and borrower. Multiple lenders can each provide a bilateral loan contract to a single borrower within the confines of a single loan agreement (much like syndicated lending in the syndicated loans market). The peer-to-peer lending platform must then facilitate the disbursement of funds to the borrower, and the return of interest and capital payments to the lenders, taking enforcement action on behalf of the lenders should the need arise.
More often than not, online lenders obtain wholesale funding from institutions, funds and family offices. These may take the form of revolving credit facilities or more structured facilities, usually with some form of borrowing covenants.
The cheapest funding for an online lender is by lending out monies it has taken in by way of deposit. However, only a licensed deposit-taking institution (ie, a bank) can take deposits. Whilst the cost of capital is low, there are many other costs to running a bank, such as high regulatory capital requirements and general compliance costs.
For online lenders specialising in consumer credit, securitisation is a well-trodden path to securing cheap credit lines.
In addition to English law requirements under the FSMA, securitisation is now governed by the EU’s Securitisation Regulation, which came into effect on 1 January 2019. The scope of securitisation that may be caught by the regulation can be quite wide and includes loan structures with tranches of subordinated debt (if it meets all of the limbs of the definition of securitisation under the regulation) and there is no requirement for an issuance of transferable securities. However, the key element of securitisation caught within the regulation is that “the credit risk associated with an exposure or a pool of exposures is tranched” (and meets the criteria in the definition). An arrangement that does not meet this definition and criteria will not fall within the securitisation regulation.
See 4.3 Sources of Funds for Loans.
Payment networks like Visa and Mastercard, together with banks and other financial institutions, have built payment infrastructure or 'rails' required for processing payment transactions and moving money from payer to payee. Payment processors that handle transactions from various channels (such as credit or debit cards, or merchant acquiring banks) may create or implement new payment rails.
Payment processors may use existing payment rails for processing payment transactions, or create or implement new ones. The most interesting example in development is the use of blockchains and distributed ledger technology (DLT) as a form of payment rail, currently being developed by Ripple Labs, and IBM through its Blockchain World Wire project (running on the Stellar blockchain).
The theoretical benefits of a blockchain/DLT payment rail capitalise on its decentralised nature, leading to faster, cheaper cross-border settlements logged to an immutable ledger shared by all participants (as opposed to the transaction being recorded on a closed ledger for each participant in the transaction) without the need for a clearing house as intermediary. As blockchain/DLT technology evolves, the capacity for this technology to process settlements (not just authorisations, as is the case with Visa and Mastercard) could match the capacity of existing and mature payment infrastructure.
However, development and deployment of new payment infrastructure is expensive and such infrastructure will likely not generally be compatible with existing technologies and systems. With blockchain/DLT still relatively nascent, wholesale replacement of existing payment infrastructure will not happen immediately. As the technology improves, however, payment processors may start to migrate some existing services to blockchain/DLT payment rails on a small or localised scale, or offer new or alternative products using this technology as an initial testbed, with a view to scaling once the model is proven and any issues addressed.
Regulation of payment service-providers is technology neutral, meaning that a payment processor looking to deploy a new technology to build a payment rail will need to ensure that their use of such technology is compliant with their general regulatory obligations as a payment processor.
Crypto-currency exchanges generally list and enable the trading of utility tokens (defined by the Crypto Assets Task Force as tokens that can be redeemed for access to a specific product or service that is typically provided using a DLT platform), exchange tokens (tokens that use a DLT platform and are not issued or backed by a central bank or other central body; they do not provide the types of rights or access provided by security or utility tokens, but are used as a means of exchange or for investment) and/or security tokens (defined as tokens that amount to a ‘specified investment’ as set out in the FSMA (Regulated Activities) Order (RAO)). These may provide rights such as ownership, repayment of a specific sum of money, or entitlement to a share in future profits. They may also be transferable securities or financial instruments under the EU’s Markets in Financial Instruments Directive II (MiFID II).
Utility tokens and exchange tokens are generally not considered to be specified investments and therefore fall outside the regulatory perimeter of the FCA, as will the crypto-currency exchanges that list such tokens only (as at the time of publication).
Security tokens are considered to be specified investments and therefore a crypto-currency exchange that lists them for trading will be undertaking one or more regulated activities. Such exchanges will therefore need the appropriate FCA authorisation.
However, all crypto-currency exchanges, regardless of whether they list security tokens or not, will need to comply with the requirements of the Money Laundering Directives.
Crypto-currency exchanges that launch their own tokens may also need to consider whether such a token constitutes electronic money, and whether they are therefore operating as an electronic money issuer and need appropriate permissions from the FCA. Exchanges that operate fiat on-ramps and off-ramps (by which fiat money can be transferred to the exchange and deposited in a user’s account to purchase blockchain assets listed on the exchange, and blockchain assets sold for cash and transferred back to a user’s bank account) may also need to consider whether they are operating as a payment services-provider and need appropriate permissions.
Subject to the types of services, other asset classes and level of discretion or control an exchange operator is looking to exert, the exchange may also need to be authorised as an organised trading facility or multilateral trading facility.
Investment firms are increasingly using computer algorithms to set parameters (such as timing, price, quantity and post-trade processing) for trading in financial instruments with little or no human intervention (algorithmic trading). Some algorithmic trading is 'high frequency' (HFT) in that it is characterised by the presence of low latency infrastructure, minimal to no human intervention and a high message intraday rate. These technological developments have a number of potential advantages: increased liquidity, lower transaction costs, increased volumes, improved pricing efficiency and execution of orders, narrower spreads and reduced short-term volatility.
However, there is also the potential for these developments to cause rapid, significant market distortion and increase the speed of shock transmission across different markets. For example, there are concerns over increased volatility and the ability of algorithmic and high-frequency traders to withdraw liquidity at any time, the potential for high-order cancellation rates and increased systemic risk. These risks have driven the need for more regulation in this area.
In Europe, the second Markets in Financial Instruments Directive (which applied from 3 January 2018) regulates and supervises algorithmic and high-frequency trading, imposing comprehensive requirements on traders and trading venues.
MiFID II contains obligations, systems and controls for traders that use algorithmic and high-frequency trading strategies, to mitigate the risks arising from algorithmic trading, including HFT. In particular, traders using algorithmic and high-frequency trading strategies usually need to be authorised and to store accurate, time-sequenced records of all orders, and all trading algorithms used, for at least five years.
In order to prevent algorithms that contribute to, or cause, disorderly trading conditions from being used in the markets, firms are also required to test their algorithms; and trading venues are required to provide an environment for this testing. To be able to distinguish between the algorithms of different investment firms, trading venues will also require firms to flag the orders generated by algorithmic trading in certain ways. Investment firms that allow direct electronic access to trading venues will also need to follow certain requirements.
MiFID II also determines the capacity and arrangements that trading venues need to have in place to manage the risks of algorithmic trading and HFT. These systems and controls must be appropriate to the nature, scale and complexity of the trading venue. In particular: trading venues must have the capacity to be able to deal with peak order and message volumes caused by HFT and must be able to ensure orderly trading under severe market stress. They must have effective business continuity arrangements, be resilient and have the ability to slow down or stop the flow of orders in certain circumstances.
Trading venues should manage any disorderly trading conditions that are created by algorithmic trading; for example, by limiting the ratio of unexecuted orders to transactions that may be entered into the trading system by a member or participant. Trading venues should have systems and controls to reject orders that exceed predetermined volume and price thresholds, or those that are clearly erroneous and should have the ability to set out the maximum order-to-trade ratio allowed on their venue. Trading venues must regulate minimum tick sizes and comply with requirements on clock synchronisation. Trading venues must calibrate their powers in a way that takes into account the liquidity of different asset classes, as well as the nature of the market model and different types of users.
These rules will only apply to multilateral trading venues. The trading venue rules on algorithmic and high-frequency trading will therefore not apply to platforms that facilitate bilateral trading; eg, single-dealer platforms, where trading always takes place against a single investment firm that houses the risk of such bilateral transactions.
MiFID II also contains requirements that apply to all investment firms that are pursuing a market-making strategy (via algorithmic or high-frequency trading) on a trading facility. A firm is pursuing a market-making strategy when, as a member or participant of one or more trading venues, its strategy, when dealing as principal, involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices on one or more trading venues in relation to one or more financial instruments, with the result of providing liquidity on a regular and frequent basis to the overall market. Market-makers must carry on their market-making activity continuously during a specified proportion of the trading venue’s trading day, except under exceptional circumstances. Market-makers must also enter into a written agreement with the trading venue that specifies their market-making obligations and have in place effective systems and controls to ensure that they fulfil their obligations under this agreement.
In addition to increasing transparency, MiFID II seeks to enhance the protection of investors in financial instruments. To that end, MiFID II requires that, when executing orders, investment firms take all sufficient steps to obtain the best possible result for their clients, taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. Where there is a specific instruction from the client, the investment firm shall execute the order following the specific instruction.
Investment firms must consider the client’s characteristics and categorisation as retail or professional; the characteristics of the client order; the characteristics of financial instruments that are the subject of that order; and the characteristics of the execution venues to which that order can be directed. This will present a unique challenge for investment firms that engage in algorithmic or high-frequency trading as each of these characteristics will need to be considered (i) before the use of an algorithm or (ii) by the algorithm itself, which would need to be programmed considering the relevant characteristics.
In addition, the best-execution rules also require that investment firms engaging in algorithmic or high-frequency trading must ensure that they take into account and publish information on the quality of execution obtained.
Investment firms that engage in algorithmic or high-frequency trading must also have best execution policies that contain clear and appropriate information to allow clients to understand the algorithmic or high-frequency trading execution process and will also be limited in the types of commissions, benefits and remuneration that they may receive (those which are permitted must be disclosed to clients).
There are a number of financial research platforms providing various services to investors and investment professionals. The UK regulatory authorisation required is likely to vary from platform to platform as it depends on the exact service being offered and the type of customers that have access to the platform.
Whether a financial research platform requires authorisation depends, in part, on the investments covered by the platform. If it covers regulated investments, the platform will need to be authorised. In contrast, if it only covers non-financial investments (eg, roads, bridges and airports), authorisation might not be required.
If the platform only provides factual information, without making any comments or value judgments, the need for authorisation might also be avoided. This might be the case, for example, if the platform:
However, the provision of mere factual information may become regulated advice if the circumstances in which it is provided give it the force of a recommendation; eg, information that is objectively likely to influence the reader’s decision whether to invest in a regulated investment. Any significant element of evaluation, value judgement or persuasion is likely to mean that regulated advice is being given. A financial research platform may still be providing regulated advice even if the reader is not bound to follow it and/or may receive further advice from someone else. Information may still constitute 'advice' even without an actual or implied categoric statement that the recipient should buy/sell/invest/or not.
In addition to the activity of advising on investments, financial research platforms sometimes engage in the regulated activities of arranging (bringing about) deals in investments, or making arrangements with a view to transactions in investments; eg, arrangements of an ongoing nature whose purpose is to facilitate the entering into of transactions by other parties. This activity has a potentially broad scope and will apply, for example, where a platform enables investors to deal with or through a particular firm and/or facilitates the entering into of transactions directly by two parties.
Financial research platforms may be arranging, or making arrangements with a view to, transactions in regulated investments, even where, in the end, no regulated investment is actually made and/or where the platform only provides part of the facilities for arranging a transaction.
Many financial research platforms only post material prepared or reviewed by employees. Such platforms can (for example, through employee training and oversight from legal and compliance) regulate the material available on the platform to ensure that legal and regulatory requirements are met. For example, material can be reviewed to ensure that it does not constitute inside information.
Increasingly, FinTechs are offering interactive research platforms where users can access or share research material that has not been prepared or reviewed by the platform itself. These platforms must consider how material available on the platform is curated to avoid market abuse (such as the spread of inside information) or other types of illegal behaviour. Platforms that fail to do this risk regulatory investigation and censure.
Financial research platforms should consider how to identify and manage behaviour that is illegal or suspicious. Financial research platforms should also consider how to identify and manage behaviour that is socially unacceptable or offensive (and therefore causes reputational damage to the platform), or otherwise discourages potential customers from using the platform (eg, false information or an abundance of information that customers are unlikely to consider useful). Regulatory focus on this is likely to intensify as interactive research platforms increase in number and profitability.
Legacy players across finance, insurance and law have invested significant resources in exploring blockchain use cases. These range from the creation of new products and efficiencies in existing products and processes to the streamlining of internal and back-end functions.
Post-2017, the inevitable hype accompanying a technological innovation has subsided and more pragmatic thinking prevails. Blockchain is not the solution for everything and it is not a solution for a problem a business does not have. Furthermore, the rapidly evolving development of blockchain technology, combined with the lack of backwards compatibility with existing systems, often acts as a deterrent for wholesale investment in the development of a new product or system that relies on a technology that may be obsolete within a matter of months.
Development of DLT for in-house applications is common, although many of these use IBM’s Hyperledger rather than developing a proprietary protocol from scratch. Blockchains/DLTs are also being developed by consortia, such as R3 (comprising over 200 technology and industry partners, including banks).
In September 2017, AXA launched Fizzy. When a user buys a flight delay insurance policy, according to AXA, the purchase is recorded in the Ethereum blockchain by way of smart contract, making the transaction and the subsequent insurance contract tamper-proof. The smart contract obtains data from global air traffic databases, so that as soon as a delay of more than two hours is observed, compensation is triggered and paid automatically.
In July 2017, Daimler announced that it had issued a EUR100 million bond on a private version of the Ethereum blockchain.
In early 2019, HSBC announced that it had used its HSBC FX Everywhere DLT platform to execute 150,000 foreign exchange transactions worth USD250 billion.
The UK government is still considering how best to regulate blockchain assets in a way that protects consumers, offers certainty for participants and encourages innovation to position the UK as a global hub for digital assets.
In September 2018, the Treasury Select Committee published its report on digital currencies, which identified the then-current risks and recommended that the existing regulatory framework be extended to blockchain assets and associated activities, rather than introducing a new regulatory regime. Given that most types of security token (other than governance tokens, see below) fall neatly within the existing regulatory regime, this seems sensible. The report also recommended that further consideration be given as to what activity relating to digital assets should be regulated, but at a minimum this should include initial token issuance and the provision of digital asset exchange services.
In October 2018, the Crypto Assets Task Force – consisting of HM Treasury, the Bank of England and the FCA – issued its final report, which is separate to the Treasury Select Committee report. This report is notable for its initial taxonomy of blockchain assets, which formed the basis for the FCA’s January 2019 perimeter guidance consultation (see below) and HMRC’s December 2018 policy paper on taxation of exchange tokens.
The taskforce concluded that “DLT has the potential to deliver significant benefits in both financial services and other sectors, and all three authorities will continue to support its development. HM Treasury, the FCA and the Bank of England will take action to mitigate the risks that crypto-assets pose to consumers and market integrity; to prevent the use of crypto-assets for illicit activity; to guard against threats to financial stability that could emerge in the future; and to encourage responsible development of legitimate DLT and crypto-asset-related activity in the UK.”
In January 2019, the FCA published consultation paper CP19/3: Guidance on Crypto-assets, which included draft FCA guidance on crypto-assets. It also set out upcoming work, including consulting on a potential prohibition of the sale to retail consumers of derivatives referencing certain types of crypto-assets (for example, exchange tokens) and publishing findings on consumer research on the use of crypto-assets.
Separately, the Law Commission commenced a scoping study in late 2018 on smart contracts and any changes required to English law.
The current taxonomy of blockchain assets influencing the development of law, regulation and tax policy in this area is derived from the Crypto Assets Task Force report of October 2018, which at paragraph 2.11 sets out three categories of tokens:
There is a differentiation between security tokens and tokenised securities. Security tokens are programmed with properties that, in and of themselves, give the token value. Tokenised securities are tokens that act as units for recording the transfer of ‘real-world’ securities and are representational of value rather than the token itself having that value.
At publication, issuers of utility tokens do not fall within the regulatory perimeter in the UK. There is a risk, however, that such issuers mis-categorise their token as a utility token when, on closer analysis, it is in fact a security token. Such issuers will be in breach of regulations applying to offering securities, particularly to retail investors. In this firm's experience, those issuers looking to run an initial or subsequent offering of a security token seek the correct legal advice and regulatory authorisations from the outset.
The Treasury Select Committee, in its digital currencies report published on 19 September 2018, recommended that coin offerings be brought within the FCA regulatory perimeter. This may include the offering of utility tokens.
The primary market is usually manifested through initial and subsequent coin offerings. The secondary market operates primarily through centralised digital asset exchanges, OTC operations and more indirect introduction platforms, such as LocalBitcoins.
The Treasury Select Committee, in its digital currencies report published on 19 September 2018, recommended that coin offerings and digital asset exchange services be brought within the FCA regulatory perimeter.
As at the time of publication, exchanges that do not list security tokens for trading are not conducting authorised activities and therefore do not require authorisation for their main trading activity. It is common for each business that applies to an exchange to list a token to provide a legal opinion from counsel in their home jurisdiction opining that the token does not constitute a security.
Exchanges that do list security tokens, as well as OTC operations and introduction platforms that do, or may, include security tokens, ought to be authorised, as they are arranging transactions in specified investments, in the same way as any other platform offering securities for trading.
The amended Fourth Money Laundering Directive will require digital asset exchanges, regardless of the type of tokens listed for trading, to be subject to the anti-money laundering regime. In most cases, however, many digital asset exchanges already require anti-money laundering checks to be carried out on customers before they can transact at or above de minimis levels.
Fund vehicles that invest in blockchain assets are subject to the same laws and regulations as any other investment vehicle.
‘Virtual currencies’ are those blockchain assets intended to be used as a representation of money, the most classic example of which is Bitcoin. They are not typically classed as a regulated investment.
Blockchain/DLT technology is simply a protocol for facilitating and verifying transactions, in the same way that the internet primarily runs on the hypertext transfer protocol (HTTP).
The issue is therefore one of complying with privacy regulations when using blockchain/DLT technology, rather than requiring the technology itself to be inherently compliant with privacy regulation.
Each use case and application of blockchain/DLT will need to be assessed separately for any potential issues that may arise under the EU's General Data Protection Regulation.
Questions arise as to identifiable controllers and processors, particularly for public permissionless chains and in cases of decentralised applications (applications that run on and are processed by all nodes in a blockchain/DLT network, without any subsequent central control or intervention).
Discussion and debate on the relationship between blockchain/DLT and privacy regulation has not yet resulted in a consensus approach and there are not yet any definitive legal rulings on any aspect of this issue.
The EU's second Payment Services Directive (PSD2) sparked an intense debate about increasing market access and competition, and increasing security in the payments market. On the one hand, PSD2 opened up the payments market to FinTechs, whilst on the other it sought to enhance security standards for online payments and data.
In particular, PSD2 paved the way for 'open banking', whereby regulated banks and payment service-providers must permit customers to share their financial data with authorised third-party providers, including existing and challenger banks, payment service-providers and other FinTechs. These third-party providers offer customer information services (like budgeting or savings apps) or payment initiation services (like Sofort). In this sense, PSD2 enhances competition and promotes consumer choice by facilitating market access for these innovative new products.
However, one of the major drivers of PSD2 was data privacy and data security. PSD2 contains a number of provisions aimed at enhancing security. For example, payment service providers are required to apply “strong” customer authentication, maintain procedures to detect and manage security incidents, and to report operational and security risks and incidents.
A key open banking consideration has been information security and how third-party providers will access the data in customer accounts. Traditionally, customers have given third-party providers access to their online bank accounts by disclosing their log-in details and allowing third parties to pull information directly from their account. However, the regulatory technical standards published under PSD2 mandate the creation of an application programming interface (API) as the basis for third-party access to online payment accounts.
Although API technology is already widely used, the payments industry has been working to develop secure APIs with common standards, using secure common infrastructure. This should mean that third parties do not need to integrate with different technology on a firm-by-firm basis. Development of APIs will mean that customers will not have to provide their log-in details to share their financial information with third parties. Customers will be able to revoke their consent to third-party access easily without having to change their log-in details and will be protected in the event of unauthorised access to their account. Account-providers will be able to ensure that only authorised third parties have access to customer accounts via the API and that those third parties only obtain access to the limited information that they require to be able to provide their service.
Although the regulatory landscape changed drastically with the implementation of PSD2 in January 2018, change to the composition and nature of the payments market has been more gradual. It is likely that all of the possibilities for new products and services that PSD2 and open banking facilitate are not yet clear. FinTechs, Big Techs (like Apple, Facebook and Amazon) and other challengers are still adapting and developing new products and services to offer in this new regulatory landscape.