This country-specific Q&A provides an overview of the legal framework and key issues surrounding fintech law in the United Kingdom.
This Q&A is part of the global guide to Fintech.
For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/fintech-2nd-edition
What are the sources of payments law in your jurisdiction?
The most significant piece of law governing payments in the UK is the Payment Services Regulations 2017 (referred to in this chapter as the “PSRs”). These are the UK implementation of the Second Payment Services Directive (commonly known as PSD2), which is a piece of European Union legislation that came into force on 13 January 2018, having been finalised in late 2015. PSD2 was created by the European Commission as a result of learnings from and in response to market developments since the introduction of the first Payment Services Directive in 2007, which was itself introduced in order to open up the payments market and govern various payment-related activities that had previously been unregulated. These included money remittance (i.e. sending money from one place to another), operating a payment account, the execution of payment transactions and the issuing or acquiring of payment instruments. Under PSD2 and the PSRs, this scope was increased to include third party providers (“TPPs”), the so-called “open banking” account information service providers (or “AISPs” – who are enabled to pull digitised transaction data out of a payment account that is operated by another payment service provider), and payment initiation service providers (or “PISPs” – who are enabled to initiate a push payment such as a bank transfer, from an account operated by another payment service provider). Further detail is given on open banking in answer to questions 4 and 5 below.
PSD2 and the PSRs are supplemented by a range of Guidelines and Regulatory Technical Standards that are produced by the European Banking Authority pursuant to its mandate in Article 98 of PSD2. The most well-known of these is the Regulatory Technical Standard for strong customer authentication and common and secure open standards of communication (commonly known as the “SCA RTS”, official title the Commission Delegated Regulation (EU) 2018/389), which governs the methods by which payment service providers will have to carry out authentication in relation to payment transactions and online access to account information as well as the communication between the TPPs and other payment service providers. Broadly speaking this mandates two-factor authentication, under which authentication must be carried out using any two of three factors of something you know (such as a password), something you possess (such as a mobile phone or a credit card) or something you are (such as a biometric marker like a thumbprint). There are exemptions from the need to carry out strong customer authentication – for instance for certain low value transactions, contactless card payment transactions or recurring transactions – but these are tightly controlled. The SCA RTS was due to come into full effect in September 2019, but in response to calls from the payments and retail industries, who largely did not have strong customer authentication technologies and processes fully implemented, the FCA agreed (with some conditions) to delay enforcement of the SCA until March 14 2021.
The other main piece of payments-related legislation in the UK is the Electronic Money Regulations 2011. These govern the particular payment service of issuing and distributing “e-money”, which is an electronic representation of cash. The typical example of e-money is a prepaid card, but these days e-money structures underlie anything from gift cards to mobile banks.
Lastly, whilst it is not strictly speaking legislation, the document “Payment Services and Electronic Money – Our Approach”, published by the Financial Conduct Authority, is an excellent guide on how the FCA views the application of the various pieces of legislation.
Can payment services be provided by non-banks, and if so on what conditions?
Under the Payment Services Regulations, non-banks can become authorised to provide payment services. There are a number of ways that they can do this.
The first is to become an authorised payment institution. In order to do so they must go through the authorisation process with the FCA, for which purpose they must meet a number of requirements including the holding of capital, safeguarding funds, record keeping, accounting and audit, conditions around material outsourcings, and provision of information to customers of the payment services.
The second is to become authorised as a small payment institution. The compliance burden is significantly less than for an authorised payment institution, but there are restrictions: for example, a small payment institution cannot have an average monthly transaction volume over the previous year (or projected volume) of more than €3 million.
In addition, the FCA provides for a simplified application process for entities providing account information services only. The application is shorter and the compliance burden is lower, reflecting the fact that AISPs transact in data only and do not move or hold funds.
The FCA decides when an application is complete, and has up to 3 months from receipt of the completed application to make a decision on whether or not the application is successful.
What are the most popular payment methods and payment instruments in your jurisdiction?
The most popular payment method by far is the debit card, which overtook cash as the most frequently used payment method in the UK in the last quarter of 2017. Around 98 per cent of the population holds a debit card, using these to make 15.1 billion payments in 2018. This represents an increase of 14 per cent over 2017. The use of debit cards is forecast to continue to increase to 50% by 2024.
The use of credit cards also increased in 2017, by 4 per cent over 2017, to account for 3.2 billion payments. Around 65 per cent of adults in the UK hold a credit card. As with debit cards, the use of credit cards is forecast to continue to increase.
In terms of payment method, the number of contactless payments in the UK has increased significantly, rising a staggering 31 per cent during 2018 to hit 7.4 billion payments. These payments are made by the 124 million contactless-enabled cards in circulation by the end of 2018, with 84 per cent of debit cards and 64 per cent of credit cards capable of making contactless payments.
In contrast to credit and debit cards, the use of cash as a payment method has continued to decline. While 61 per cent of payments made in 2007 were made in cash, only 28 per cent of payments made in 2018 were. This decline is forecast to continue, although predictions do not indicate that cash will become extinct as a means of payment.
In terms of payment methods used for credit transfers, direct debit, standing orders, Bacs Direct Credit and CHAPS are all used. Of these, the use of direct debit is widespread, with 90 per cent of UK consumers using direct debit to pay some or all bills. This amounts to 4.4 billion payments for a value of £1.327 billion in 2018. The payment method most frequently used by businesses and government remained Bacs Direct Credit. CHAPS is used principally by financial institutions for (large) corporate treasury payments. The result is that a mere 0.1 per cent of the total volume of UK payments made via CHAPS accounts for 91 per cent of the total value of all payments made: 48.5 million payments for a value of £84 trillion. Online banking and mobile banking transfers, which are largely underpinned by the Faster Payments Service, have also enjoyed significant increases in popularity, with 72% of UK adults using online banking and 48% using mobile banking in 2018.
Last and least, the use of cheques to make payments continued to decline, with only 342 million cheques used in 2018 in contrast to 1,581 million in 2007. With the increase in the use of card and other newer methods of payment, this decline is forecast to continue.
Looking forward, the use of newer payment methods such as PayPal, Google Pay, Samsung Pay and Apple Pay is projected to increase in the coming years, as is the use of payment initiation services to make credit transfers at an online (or potentially in-person) checkout. In 2018 the newer payment methods named above together accounted for a greater volume of payments than either standing orders or cheques. (Source: UK Payment Markets Summary 2019, available at www.ukfinance.org.uk/sites/default/files/uploads/pdf/UK-Finance-UK-Payment-Markets-Report-2019-SUMMARY.pdf)
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
In the UK, open banking is facilitated by the PSRs, implementing PSD2 (see answer to question 1 above for more detail), and the work done by the Open Banking Implementation Entity (the “OBIE”) and other private entities and financial institutions seeking to implement its effect. The PSRs provide that an account servicing payment service provider – that is, the payment service provider maintaining a payer’s payment account – must allow access to AISPs and PISPs (together referred to as “third party providers” or “TPPs”).
AISPs – account information service providers
AISPs are given access to a payment service user’s account and transaction data, under certain conditions. This requirement applies to all account servicing payment service providers who make payment accounts accessible online, and can therefore include not only traditional banks but also e-money institutions and credit card providers. PISPs are given similar access, but practically speaking access will be limited to those payment accounts from which a credit transfer payment can be initiated.
The PSRs impose requirements on both the account servicing payment service provider and the AISP. The PSRs require that the account servicing payment provider:
- Must communicate securely with the AISP in accordance with the EBA RTS on SCA;
- Treat any request for data access from an AISP exactly as it would a data access request from the payment account owner; and
- Not require the AISP to enter into a contract with it.
The PSRs require that AISPs:
- Act only with the explicit consent of the payment service user (account owner);
- Ensure the confidentiality of the payment service user’s personalised security credential;
- Communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA;
- Restrict its access to designated payment accounts and transactions only;
- Not request “sensitive payment data”; and
- Not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested.
In this, the PSRs implement the requirements set out in PSD2; however, the PSRs definition of account information services is slightly narrower than that set out in PSD2. While PSD2 takes a broad view of account information service as the provision of consolidated information on one or more payment accounts, the PSRs narrow this by including in the definition the provision that account information thus obtained be provided “only to the payment service user” or “the payment service user and to another person in accordance with the payment service user’s instructions”. In other words, any AISP registered with the FCA in the UK will need to be able to provide the account information back to the payment service user and not simply route the information to a third party.
PISPs – payment initiation service providers
Similarly, account servicing payment service providers must execute payments initiated by PISPs. The PSRs impose requirements on both the account servicing payment service provider and the PISP. The PSRs require that the account servicing payment provider:
- Must communicate securely with the PISP in accordance with the EBA RTS on SCA;
- Make available to the PISP all information about the initiation of the payment transaction as well as all information the account servicing payment service provider has regarding the execution of the payment transaction;
- Treat any payment order exactly as it would a payment order requested directly by the payment account owner; and
- Not require the PISP to enter into a contract with it.
The PSRs require that PISPs:
- Do not hold the payer’s funds at any time;
- Ensure the confidentiality of the payment service user’s personalised security credential;
- Do not provide any information about the payer to anyone other than the payee, and then only with the payer’s explicit consent;
- Identify itself to the account servicing payment service provider upon initiating a payment order and communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA (see answer to question 1 above);
- Not store “sensitive payment data”;
- Not request information from the payer except as necessary for the payment initiation;
- Not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested; and
- Not modify any feature of the initiated transaction.
OBIE – the Open Banking Implementation Entity
The EU-based PSD2 and PSRs were preceded by and are now in force concurrently with the UK-specific OBIE provisions. The OBIE was initially set up by the UK’s Competition and Markets Authority (“CMA”) in 2016 to deliver Open Banking to the UK, in response to a CMA report on UK retail banking that found that established banks do not need to compete hard enough for customers, and that new entrants to the market encountered difficulty in obtaining access. The OBIE required nine major retail banks (known as the CMA 9) to develop application programming interface (“API”) standards to facilitate the payment service users’ access to their current account data. Standard implementation requirements for firms using these API standards have been published by the OBIE, with a view to aligning the firms’ APIs with the requirements and goals for establishing TPP access to accounts set out in PSD2. Additional information on the OBIE, including its Customer Experience Guidelines and Technical Specifications, is available from the OBIE.
The OBIE conducted a three-month managed roll-out in the first quarter of 2018 to test account access by third parties, following which account holders were able to obtain access to and share their account data with third parties. The OBIE is continuing to work with the CMA 9 to improve the existing APIs, and to introduce additional functionality to boost the uptake of open banking services.
As regards the more widely applicable PSD2 and PSR requirements around open banking, when the RTS on SCA comes into force, all account servicing payment service providers must provide access to TPPs, whether through dedicated interfaces (such as APIs) or by direct access to the customer account. Prior to the date when this comes into force, account servicing payment service providers must nonetheless provide access to TPPs pursuant to the PSRs, even where access cannot be provided through dedicated interfaces. This means that “screen-scraping” (i.e. a TPP using a customer’s own login details to obtain access to the relevant account) is permitted until the SCA fully comes into force, unless the account servicing payment service provider gives the option to the TPP of obtaining access through dedicated interfaces such as an API.
As regards the nature of the dedicated interface, the PSRs and PSD2 are neutral on the means of access; however, the FCA encourages the use of standardized APIs, such as those already developed by the OBIE, though many others are already developed and in use.
Implementation in practice
In practice, AISPs are already offering payment service users innovative products and services based on their account and transaction data, expanding quickly on the government’s initial, relatively narrow, vision for account information services, which saw AISPs providing dashboard services providing an aggregated view of accounts and income and expenditure analysis. In the event, UK-registered AISPs have gone further and are providing payment service users with services ranging from loyalty cashback services run entirely through the AISP to analysis of small and medium business cashflow needs to speedier and more effective credit analysis. In contrast to AISPs, PISPs have been slower off the mark, with the first UK-specific bank-to-bank payment through a PISP taking place only in June 2018.
The development of the OBIE APIs by the CMA 9 banks continues apace, with new functionality and scope being added in various releases. The Open Banking Standards are currently on Version 3.1.3, and apply to many of the products covered by PSD2 such as credit cards, e-wallets, prepaid accounts, currency accounts and other accounts that can be used to make payments, such as loans, mortgages and savings accounts, as defined in PSD2.
As for timing, the UK has effectively had a two-track implementation process as regards open banking. This has been driven by, in one case, the OBIE and the CMA Order, and in the other by PSD2. Details about implementation timelines are made available by the OBIE.
Within PSD2 is the timeline for implementation of the RTS on SCA, which was due to come into force on 14 September 2019. However, on 13 August 2019 the FCA confirmed, in response to calls from industry, that it had reached an agreement with the EBA that it would undergo an 18-month implementation plan, under which the FCA would not enforce the provisions of the RTS on SCA against businesses until 14 March 2021, “where there is evidence that they have taken the necessary steps to comply with the plan”. As such, businesses (including card issuers) have an additional 18-month window to implement the processes and systems necessary to comply fully with the SCA requirements.
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
The main piece of legislation around data is the General Data Protection Regulation (GDPR), which has been incorporated into UK law as the Data Protection Act 2018 (DPA). As in other jurisdictions within the European Union, the GDPR is an evolution of the previous legislation around data protection and in many ways codifies and puts on a mandatory footing what was already best practice in relation to the treatment of personal data. The scope of data covered by the GDPR is broader than under the previous legislation, in ways that are likely to be relevant for a number of fintech business models. For instance, GDPR explicitly includes biometric data within the scope of the “personal data” it governs, which is likely to be of relevance to those providing identity verification or authentication services. It also includes location data, which may well be relevant to fintech providers that are operating mobile-based services.
Among the many other obligations emanating from GDPR around the treatment of personal data, some of the most important for early-stage fintechs to consider are the obligations in Article 25 around data protection by design and by default. These entail the building of systems and processes in a way that integrates data protection principles as a matter of technical architecture and process management. One aspect of this is ensuring that personal data is stored in such a way that it is only seen by people who really need to see it, using techniques such as data minimisation and pseudonymisation, meaning that having one single repository of all customer data is unlikely to be acceptable. Existing large organisations, both within and outside the financial services arena, have had to put a large amount of effort into complying with these requirements; new fintechs have an opportunity to get this right from the outset.
Another key focus of GDPR is transparency and accountability. This means that organisations handling personal data have to be very explicit and clear with their customers and their employees about the personal data they are collecting and how they are using it, and have to keep clear records of the same. There are also obligations to include in contracts with data processors (for instance subcontractors for IT services) specific obligations that are designed to draw out the detail around the treatment of personal data in the contractual arrangement, in a way that will help to ensure compliance with data protection principles. Organisations which carry out certain types of processing activities are also obliged to appoint a data protection officer who is responsible for monitoring the organisation’s compliance with data protection principles.
As the GDPR is EU-focused legislation, any entity transferring personal data outside the EU will need to apply additional protections to that data. This can take the form of, for example, mutual contractual obligations between the transferring and receiving parties. Cloud providers, third-party hosting platforms and data centres are just some examples of where personal data is commonly transferred and stored outside the EU.
The GDPR also places restrictions and obligations on entities using personal data for the purpose of profiling data subjects or making solely automated decisions about them. Profiling and automated decision making can only be carried out in certain circumstances, and data subjects have additional rights in relation to this type of processing, such as the right to object and the right to have any such decision manually reviewed. Technology involving big data, artificial intelligence and machine learning frequently involves profiling and/or automated decision making.
One other area of GDPR which is potentially a great advantage in fintech is the new set of obligations which empower individuals whose data you are holding (“data subjects”) to transfer the personal data you hold about them electronically to another service provider. These “data portability rights” can be very useful for a data-driven fintech company, as they may enable it to some extent to get hold of data collected in the context of other services that might otherwise not be obtainable – in many ways this is a broad data access right that is similar in principle to open banking (see answer to question 4 above). Fintechs planning to transfer or store personal data outside the European Economic Area should be aware of the strict requirements in doing so.
The data protection and privacy regulator in the UK, responsible for enforcing GDPR and the DPA, is the Information Commissioner’s Office (“ICO” – not to be confused with “initial coin offerings”). As with all European privacy regulators, the ICO is empowered to conduct investigations into the application of GDPR, and impose fines or restrictions on processing. The fines for the most serious breaches can be up to EUR 20m or 4% of worldwide turnover; however, most fines are likely to be significantly less than this.
It is worth noting that the above areas of data regulation apply to individuals’ personal data, and while this will cover many of the types of data relevant to fintech, it does not cover everything. For instance, while the laws around open banking refer across to GDPR, the payment account data that they govern will in many cases fall outside the personal data regime, as is the case with much of the payments and finance data of small businesses. There are also other areas of financial services where non-personal data is regulated by different regimes, such as the EU Benchmarks Regulation, but these are more niche in their application.
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
Against the backdrop of a tightening regulatory landscape in recent years (driven largely by the global financial crisis), UK regulators and policy makers have undertaken a variety of initiatives and projects to understand the implications of technology in financial services. As well as investing in projects through Innovate UK and research councils, the government has carried out a number of calls for information and launched its Digital Strategy – setting out the government’s ambition to make the UK attractive to digital businesses and to help them grow.
At the regulator level, the FCA has established the Innovation Hub and the Regulatory Sandbox to support innovation in the interests of consumers. Through the Regulatory Sandbox (now on its fifth cohort since the end of 2015), a wide range of firms are able to test innovative business models, delivery mechanisms, products and services in the real market, with real consumers in a controlled environment. Firms also have direct access to the FCA’s dedicated teams, providing a level of advice and support around the regulatory regime and onward authorisation if this is required. Similarly, the Bank of England has established a Fintech Hub to consider the policy implications of fintech. To date this has focused on testing proofs of concept to understand how new technologies are being adopted and why, as a means of informing the Bank’s approach to financial stability and supervising the market.
The government has a Fintech Sector Strategy, which brings together HM Treasury, the FCA and the Bank of England, with a view to developing an approach to emerging technology and innovation while maintaining the UK’s international reputation as a safe and transparent place to do business in financial services. It is taking an active role, alongside institutions such as Innovate Finance, in promoting the attractiveness of the UK as a destination for growing a fintech business; and is promoting growth amongst the start-up community through initiatives such as the establishment of the Tech Nation Fintech Delivery Panel and various related programmes.
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
The most obvious risk is Brexit. This is for three main reasons.
The first and most frequently cited is the potential loss of the passporting regime, under which firms that are authorised to carry out a regulated activity in one Member State of the EU are permitted to carry out that activity in other Member States on the basis of a registration in that Member State, rather than having to go through a full authorisation process, and without having to have an establishment in that jurisdiction. However, this will of course affect only those fintechs that operate in multiple jurisdictions, and which are carrying out regulated activities - so its effect may be limited in practice.
The second and more real risk is around immigration and access to talent. Fintech businesses need a wide range of skills that are sometimes quoted as not being available from within the UK in large enough numbers to support the UK’s thriving fintech ecosystem, particularly around experienced software engineers. As such, the immigration controls on talent of this type are likely to be key to the success of the UK fintech ecosystem as we leave the EU, and many are watching this particular issue with keen interest.
The third is the potential for regulatory divergence. In many respects, divergence from the rest of European law could of course be a disadvantage, but as with passporting this is likely to affect mainly those aspects of financial services that inherently operate on a cross-border basis, such as international payments. However, for non-international fintechs, there is every possibility that the divergence could be beneficial, allowing UK legislators to create laws that track innovations in financial services more quickly than has been possible at a European level, and perhaps providing templates for other legislators in the process.
However, as set out in answer to question 10 below, there are a great many reasons why the fintech ecosystem should continue to thrive in the UK, and none of the above is likely in our view to damage this materially in practice.
What tax incentives exist in your jurisdiction to encourage fintech investment?
Whilst not specific to fintech, there are a number of generous tax incentives in the UK aimed at promoting investment in small companies by “business angels”.
The first is the Seed Enterprise Investment Scheme (SEIS), which was introduced in April 2012 to help small, start-up stage companies raise funds through individual investors by providing very generous tax relief to investors who take risks on such ventures. If an investor invests up to £100,000 per year in SEIS investments, for a stake in a company of less than 30%, income tax relief of 50% of the amount invested is given with the potential to split the relief between the tax year of the investment and the previous tax year. There is also no capital gains tax on the disposal of shares if the shares were held for at least three years. Loss relief is available; however, the relief is reduced by the income tax relief claimed on the investment.
The second is the Enterprise Investment Scheme (EIS), which was launched in 1994 to encourage individual investments in small unquoted trading companies in the UK. For this to apply, individual investors can invest up to a maximum of £1,000,000 per year, for a stake of less than 30%, and income tax relief of 30% of the amount invested is given. Again, there is no capital gains tax on the disposal of shares if the shares were held for at least three years; loss relief is available, but the relief is reduced by the income tax relief claimed on the investment and can be set against the investor’s capital gains or his income in the year of disposal.
The third is Entrepreneur’s Relief. This applies a 10% rate of capital gains tax to gains accruing on the disposal of ordinary shares in an unlisted trading company held by individuals, that were newly issued to the claimant and acquired for new consideration on or after 17 March 2016, and have been held for a period of at least three years starting from 6 April 2016.
One further tax incentive that is likely to be relevant to fintechs is R&D tax relief. This provides enterprises with a significant tax saving in respect of qualifying expenditure incurred by the enterprise on research and development projects which seek to achieve an advance in overall knowledge or capability in a field of science or technology, through the resolution of scientific or technological uncertainty. For a company with fewer than 500 employees that either has an annual turnover up to €100 million or a balance sheet of up to €86 million, the tax relief on allowable R&D costs is 230% – that is, for each £100 of qualifying costs, the company or organisation could have the income on which corporation tax is paid reduced by an additional £130 on top of the £100 spent. A loss-making company of this type could surrender its loss to HM Revenue & Customs for repayment as cash credit: for example, if a loss-making company carries on R&D and incurs a surrenderable loss of £100,000 in an accounting period, it could surrender the loss and receive £14,500 back from HMRC in cash. As such, a fintech that is carrying out significant amounts of research and development could benefit greatly from this relief.
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
Most fintech investment is still at Series A and lower, simply because much of the development is coming out of new start-ups. However, the multiples around fintech are high, such that a Series A can be £5-10 million, or in some cases more.
We’re seeing investment in particular in the following areas: anything which can streamline the client on-boarding process (facial recognition, biometrics etc); mobile banking; wealth management; regtech software; capital markets analysis software; and open banking products.
There has also been a large amount of retail investment in initial coin offerings (referred to as “ICOs”), though this has slowed significantly over the last six months – see question 15 below for further detail.
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
The UK has established itself as one of the leading jurisdictions in the world for fintech. It has a long history as a centre of financial services and as such has a deep network of institutions, knowledge and talent around all aspects of finance. It also has a long history of technological innovation and the creative arts, meaning that there is ample talent and networks available for people to share ideas and create new businesses; it is for this reason that the start-up scene in the UK – primarily but by no means exclusively in London – is one of the most vibrant in the world. As such it was extremely well placed from the outset to be a desirable destination for fintechs to grow – it already had the talent pools for the “fin” and the “tech” firmly in place. Countless accelerators and incubators are testament to this, and have acted as a focal point for some of the most prominent success stories.
However, there are a few additional factors that are often overlooked.
The first is political imperative. Uncertainty over Brexit has arguably spurred politicians and regulators on to introduce initiatives that will help the UK to remain at the forefront of fintech – the creation of the Open Banking Implementation Entity and the Open Up Challenge by the Competition and Markets Authority is just one example of this; the Tech Nation Fintech programme is another. Concerns over the effects of Brexit are likely to remain for some time, especially around immigration and passporting, but for any business operating in the fintech arena there are still significant advantages to setting up in the UK and taking advantage of that wave of political impetus.
The second is regulation. The UK has in the FCA a regulator that has shown itself to be both pragmatic and open to debate and engagement, which has helped numerous fintechs to bring their innovations to market far more quickly than would otherwise be the case – see question 6 for more detail on some of the measures that have been taken in this regard including the Regulatory Sandbox.
The third, more unlikely candidate, is taxation. The tax incentives and reliefs available to investors, outlined in our answer to question 8 above, provide a platform where investors are encouraged to put capital into growing businesses by reducing the risks to the investor should the business fail, which has undoubtedly contributed to the ability of nascent businesses to attract crucial early investment.
The last is engagement by major institutions, including the incumbent banks. The major UK banks have largely already gone through a process of learning to engage with small companies in ways that they have not been accustomed to doing in the past, and many have not only started to deploy fintech-like business models themselves (e.g. digital-only banks), but have also started their own fintech accelerator programmes which are aimed at fostering innovation with a view to long term partnership arrangements. Furthermore, five of the major banks and a group of major fintechs, led by Tech Nation’s Fintech Delivery Panel, recently clubbed together to produce at the end of 2019 a guide for fintechs on the best way to engage with banks and how to avoid common pitfalls. This was to our knowledge the first time in any jurisdiction that major financial institutions had gone out of their way to guide fintechs on the best ways to collaborate with them, and signals significant further development of the fintech industry in years to come.
These factors and more – in spite of and arguably because of Brexit – make the UK an excellent place to build a fintech business.
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quota systems/immigration caps in place in your jurisdiction and how are they determined?
The UK immigration system has specific categories for the tech sector, including the Tier 1 (Exceptional Talent) category which is designed to attract those who are at the very top of their field.
Companies in the UK can apply for a Tier 2 sponsor licence which permits them to bring non-EEA nationals to the UK to work in skilled roles. There is a cap on the number of skilled migrants who can come to the UK under Tier 2 (General) and it is set at 20,700 per annum.
In Spring 2019, the Government introduced the start-up and innovator categories. The schemes are designed to allow UK businesses and accelerators to sponsor entrepreneurs and innovators.
However, there has been widespread criticism that the new schemes do not go far enough to attract seasoned entrepreneurs and innovators (in part due to the requirement to be accepted on incubator/accelerator programmes of the endorsing bodies) with only four applications being granted in Q2 2019.
It is therefore critical that the future immigration system is designed taking into account the skills shortages facing industries like fintech and learning lessons from the past.
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
The UK is dealing with the challenges of exiting the EU, sector shortages and controlling migration. It is not unique in having to control migration; however, it is doing so in challenging times, particularly in a climate where 42% of employees in the tech sector are from outside the UK and 28% are from within the EEA.
The UK does have some measures in place to try to address sector shortages: it has a shortage occupation list of professions for which there are not enough resident workers to fill vacancies in the UK.
The Migration Advisory Committee (MAC) is an advisory non-departmental body which advises the Government on migration issues. The MAC regularly reviews the list and calls for evidence of which occupations should be included or removed.
Jobs which fall on the shortage occupation list are exempt from the requirement to test the resident labour market and companies which hold a Tier 2 sponsor licence can apply to sponsor non-EEA migrants without having to first conduct a resident labour market test.
Tech Nation is a Government initiative which provides a network of growth programmes, events, skills and data resources to reach all corners and clusters of the UK.
The Tier 1 (Exceptional Talent) programme (mentioned above) is supported by Tech Nation as it is one of the designated competent bodies which reviews and assesses applications for endorsement under the Digital Tech sub-category. In addition, the Government increased the cap on the number of visas granted in this category (including those endorsed by other bodies such as the Arts Council England, The Royal Academy of Engineering etc) from 1,000 to 2,000 per annum.
Now more than ever, regulators in the UK need to continue to lobby the Government and push for the UK sector to remain at the forefront of the global fintech industry and achieve its goals of making the UK the best place to imagine, start and grow a digital business.
What protections can a fintech use in your jurisdiction to protect its intellectual property?
Fintech companies rely on innovations, usually implemented through software. These assets are almost exclusively protected by intellectual property (IP). Therefore, IP underpins the value of almost all fintech companies. The UK offers a range of IP rights to protect fintech innovations. Some commonly used IP rights of particular relevance to fintech companies are as follows:
The law of copyright protects the results and expressions of creative ability and extends from art and literary works to more technical works, including computer code. It arises automatically; the UK does not have a copyright registration system, unlike some other jurisdictions, so there is no need to register to benefit from copyright. It endures for the life of the author plus 70 years.
For a fintech company, common copyright protected assets include source code and object code, databases (in terms of their selection and arrangement), pictures, content, sounds/videos, GUIs and designs/drawings/plans. In order to qualify for copyright protection, the work must be original, and a minimum amount of intellectual creation / labour must have gone into creating the work. Copyright will be owned by the original author unless the author is an employee in which case the employer will own the copyright (providing the work was created by the employee while performing their duties). Where contractors are used, it is important to ensure that assignments of copyright (and other IP rights) are included in their contracts.
Copyright gives the owner the exclusive right to exploit the work in a variety of ways (e.g. copying, adapting, rental/lending, issuing copies to the public and communicating the work to the public); and to prevent others doing those acts in relation to the whole or a substantial part of a copyright work (which can be assessed qualitatively or quantitatively). However, in relation to software, copyright does not protect functionality itself. While a company can prevent a third party from copying its source code, copyright law does not prevent a party writing its own code to carry out the same functionality. Further, lawful users of software can (i) observe/study/test it to understand underlying principles and (ii) providing certain conditions are met, decompile software in order to achieve interoperability.
Databases can be protected either under the law of copyright, or under the EU sui generis database right. A database is “a collection of independent works, data or other materials which are arranged in a systematic or methodical way and are individually accessible by electronic or other means”.
The database right prevents a third party from extracting or reutilising all, or a substantial part, of a database. To qualify, the author must show a substantial effort in the obtaining, verifying or presenting of the contents of the database. Note that this is separate to creating the data itself. While the database right usually lasts for 15 years from creating, or making the database available to the public, a new right arises where there is a substantial change in the contents. Therefore, fintech companies often find their electronic databases have protection on an ongoing basis as those databases continue to grow.
As a separate right to the sui generis database right, database copyright requires that there is some intellectual creation in the selection or arrangement of the contents of a database; for this reason, it can be harder to show. If database copyright subsists, it gives the same rights and endures for the same duration as other forms of copyright.
Designs can be relevant to fintech companies as they can be used to protect user interfaces. Larger tech companies often obtain registered designs of commonly used user and web interfaces which they associate with their brand / technology. This may be useful if a fintech company has a unique app interface. Designs can be registered cheaply, and with a minimal examination process, and can be a useful tool to ward off competitors who might be minded to copy the “look and feel” of an application. Designs can be registered at the UK and (currently) EU level.
Despite commonly held views, Europe and the UK allow the patenting of software innovations where there is something of technical effect to protect.
Patents protect the functionality of the innovation itself, regardless of the code implementing the invention. This stops a third party from copying the functionality of software. Having patent protection allows the fintech company to exercise a monopoly over the innovation, permitting only that company to commercialise or license the innovation to third parties.
To obtain a patent, certain criteria must be met. In short, a patent must be novel and involve an inventive step (new and inventive over any invention which has been previously disclosed). An application should be completed as soon as possible and before commercial exploitation or publication / marketing of the product. In the UK and Europe specifically, to patent an invention implemented in software it must also make a “technical contribution” of some kind, for example software which speeds up trading or allows customers to connect to services in a new way.
Patents last for 20 years and are often seen as valuable by investors. The UK also offers a tax saving on profits generated through patent-protected innovations through its patent box tax system.
Trade Secrets / Confidential Information
Patenting requires disclosing how the invention works; some companies prefer to rely on keeping their innovation confidential.
UK common law provides a law of confidence. In addition, the UK is subject to the EU Trade Secrets Directive and this was implemented into UK law by the Trade Secrets (Enforcement, etc.) Regulations 2018. To qualify as a trade secret, the information must not be generally known by the public or persons specialising in the fintech company’s area, it must have commercial value, and reasonable steps must be taken in order to keep the information secret. A trade secret owner can take legal action where there has been unauthorised use of the information to the owner’s detriment.
Fintech companies should look to bolster their legal position by entering into NDAs before disclosing any confidential information regarding their product, giving them an additional contractual protection.
Although not specific to fintech companies, the UK has an exhaustive trade mark registration system for the protection of word marks and logos. It is also (currently, until Brexit) part of the EU trade mark system.
The UK offers a world-renowned justice system with a high calibre independent judiciary. As well as the High Court, the UK has a specialist IP court for lower value claims, called the IPEC. This is particularly useful for fintech companies looking to protect their assets at a lower cost, due to its faster outcomes, more limited process, and caps on recovery of legal costs (the usual rule in UK litigation is that the loser pays a proportion of the winner’s costs).
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
Cryptocurrencies as such are not regulated in the UK at this point in time. The UK regulatory framework defines regulated activities broadly as specified activities that are carried on in the UK by way of business which relate to specified investments. The principal provisions regarding the regulated activities regime are contained in the following:
- The Financial Services and Markets Act 2000 (‘FSMA’), which is the key statute governing financial regulation in the UK and contains in section 19 the general prohibition on unauthorised persons carrying on regulated activity in the UK unless they are an exempt person (by virtue of being an appointed representative of another authorised firm) or an exclusion is available.
- The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (‘RAO’), which contains definitions of the regulated activities and exclusions.
Under FSMA it is an offence for a (legal or natural) person to carry on regulated activities in the UK unless it is authorised or an exemption applies. Violation carries criminal penalties and any agreements made in violation may be void.
The extent to which this framework applies to cryptocurrencies depends on whether these fall within the definition of a specified investment. This is generally determined on a case-by-case basis and depends heavily on the defining characteristics of the cryptocurrency and the nature of the proposed activity. Where the specified activity involves both cryptocurrency and a specified investment – as is often the case – this will bring the activity within the regulated sphere.
Examples of activities that would otherwise be regulated but are not when cryptocurrencies are used include payments and e-money activity. Cryptocurrencies will generally fall outside the scope of the Payment Services Regulations 2017 (implementing the second Payment Services Directive 2015/2366 (EU)) and the Electronic Money Regulations 2011 (the “EMRs”). This is because cryptocurrencies are not at this point considered by the Bank of England as “money” and therefore not cash. Similarly, most cryptocurrencies would not fall within the EMRs because e-money is defined as being issued on receipt of “funds” and as representing a claim on the issuer, which would exclude many cryptocurrencies.
Examples of activities where cryptocurrencies do fall within scope of the regulated activity include cryptocurrency derivatives. These may be caught by the Markets in Financial Instruments Directive II (MiFID II), even though cryptocurrencies are not considered to be currencies or commodities within scope of MiFID II. This is because cryptocurrency derivatives can be financial instruments within the meaning of MiFID II. The FCA have said that it is likely that dealing in, arranging transactions in, advising on or providing other services that amount to regulated activities, as these relate to derivatives with a cryptocurrency as the underlying instrument, will require authorisation by the FCA.
Whether or not cryptocurrencies are regulated by the principal financial regulations in the UK, they do fall within scope of the Fifth Anti-Money Laundering Directive ((EU) 2015/849) (“AMLD5”), which came into effect on 9 July 2018 and must be transposed by EU member states by 10 January 2020. Among other provisions, AMLD5 contains specific provisions aimed at bringing cryptocurrency exchange platforms and wallet providers within scope of regulation.
While cryptocurrencies are not currently regulated, the government and the regulators are monitoring their development and actively consulting on the appropriate response. In March 2018, the Chancellor of the Exchequer launched a Cryptoassets Taskforce (the “Taskforce”), consisting of HM Treasury, the FCA and the Bank of England. The Taskforce issued its final report in October 2018 (the “Report”). The Report considered the benefits of cryptoassets, such as their use as a means of exchange, use in investment or to support capital raising. The Report also considered the risks, including the risk of financial crime, risks to consumers who may lack sufficient understanding of cryptoassets, risks to market integrity and the potential implications for financial stability. Following on from the Report, the FCA and HM Treasury set out their plans for further consultations and guidance on various areas.
The FCA issued guidance on the regulatory status of cryptocurrencies in July 2019 (PS 19/22), broadly setting out a four-category classification system: exchange tokens and utility tokens outside the regulatory perimeter, and security tokens and e-money tokens within it. The guidance includes indicative lists of permissions needed for the issuance of security tokens and e-money tokens, along with the provision of exchanges, wallets, and payment services. These predominantly attach to the activities and the underlying contractual rights or services being offered, rather than the cryptocurrency or cryptotoken itself.
In July 2019 the FCA also issued a proposal on the sale, marketing and distribution of derivatives and ETNs that reference certain unregulated cryptoassets to retail clients by firms in, or from, the UK (CP 19/22). A policy statement is expected in Q1 2020 in respect of this proposal.
Following the Report, HM Treasury consulted on the potential gold-plating of the transposition of AMLD5, expanding the remit of AMLD5 to include crypto-to-crypto services, peer-to-peer services, crypto ATMs, ICO issuances, and open source software publishing. The output of this consultation had not been published as of October 2019.
The Report also set out that HM Treasury intends to consult on potential changes to the regulatory perimeter in respect of cryptoassets that have features comparable to specified investments; however, this has not been released as of October 2019.
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
Initial coin offerings – i.e. a fundraising method akin to crowdfunding under which retail investors pre-purchase crypto-assets on platforms that typically have not been built yet, at a reduced price – reached their peak in the autumn and winter of 2017, on a wave of enthusiasm that was likely fuelled by the huge rise in the value of ‘cryptocurrencies’ leading up to that period. There were a huge number of ICOs carried out in many different jurisdictions that raised vast amounts, not infrequently on the back of vague or even entirely unfounded promises of technical development. Amongst those were a number of genuinely good offerings, but a relatively small proportion of those ICOs have launched products to date.
The vast majority of ICOs are not financially regulated offerings, since most cryptotokens do not quite fall within any of the “specified investment” definitions that would trigger compliance with the existing regulatory mechanisms. This broad framework, and classification of tokens into exchange tokens and utility tokens outside the regulatory perimeter, and security tokens and e-money tokens within it, was confirmed in FCA guidance in July 2019 (PS 19/22). In advance of this, in September 2017 the FCA issued a warning to consumers about the risks of ICOs, describing them as “very high-risk, speculative investments”, pointing out that most are not regulated and have no form of investor protection, and often inadequate documentation. Whilst some ICOs offer tokens which do constitute “transferable securities”, as per the July 2019 FCA guidance in PS 19/22, and therefore trigger compliance with the prospectus regime as with normal share offerings, the majority do not.
Two main points emerge from this, for fintechs considering engaging in an ICO.
Firstly, the structure of the tokens and their proposed usage will need to be looked at with great care, as small changes could mean that the tokens and therefore the ICO fall into the regulated sphere. In accordance with the latest guidance, true “utility tokens” will sit outside the regulated sphere, compared to “security tokens” that sit within it, but the distinctions between them can be subtle.
Secondly, although there is no specific regulatory regime in relation to ICOs, other legal principles will still apply, particularly in relation to consumer rights, misrepresentation and fraud. As such, those offering ICOs need to be clear that what they are offering to consumers is genuine and evidenced – even if heavily caveated – so that they do not fall foul of these protections. At the time of writing, a ban on the offering of derivatives and ETNs in relation to cryptoassets to retail customers is under consultation (CP 19/22).
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
There are many live operating blockchain projects within England and Wales. Blockchain technologies have been used in respect of equity issuance (Globacap), creating structured products (ResonanceX), central depository services (SETL), customer compliance (Heliocor), AML (Elliptic), and more.
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
There are a number of fintech suppliers who are using artificial intelligence actively in enhancing existing financial processes. One such is Eigen Technologies, which is using natural language processing to pull specific data fields out of large amounts of legacy documents in order to help financial institutions to get digital control of the data that they hold in other formats, in a fraction of the time that it would take humans to carry out the same task. There are other examples of regtechs that are using machine learning to extract and package up regulatory information, such as Cube Global.
Other companies are using AI to spot behavioural patterns and anomalies in those patterns – one of AI’s strong suits. These include:
- payments authentication solution Cybertonica;
- email security firm Tessian; and
- Nasdaq Buy-Side Compliance (formerly Sybenetix), which is used by asset managers and hedge funds to spot anomalies and suspicious activity in traders’ trading patterns.
Others use machine-learning to spot patterns in order to make predictions. These include:
- cashflow prediction engines Fluidly and Fractal Labs; and
- insurance pricing and risk engine Cytora.
There is limited regulation in this area at the moment, the main regulation being those parts of GDPR that touch upon the sorts of data processing that are often involved in machine-learning. These will include, in particular, obligations in relation to profiling and automated decision making (see the answer to question 5 above). A House of Lords Select Committee has been established for the purpose of considering the economic, ethical and social implications of advances in AI, and this has focused to some extent on the concepts of ethical uses of broad data sets, accountability, and the mandated sharing of data (similar to open banking) in order to prevent “data monopolies”. It remains to be seen to what extent this thinking will translate into legislation. However, our view is that if any future regulation is technically realistic and flexible, whilst encouraging transparency and accountability, it will be of benefit to consumer trust in its use in the long term, which will in turn lead to widespread adoption.
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
As it has in other jurisdictions, insurtech has developed more slowly in the UK than other aspects of the fintech industry. A combination of complex products, relatively heavy regulation and legacy systems have made it difficult for insurtech solutions to make headway, as have barriers to start-ups resulting from prudential capital requirements. Having said that, investment and growth have surged in recent years, as the industry has responded to technological advancement, customer expectations and market conditions.
Insurtech is bringing changes to a number of areas, including disintermediation in insurance for SMEs and product development. To the extent that SMEs are increasingly moving toward cloud applications, opening up new avenues for direct connections to insurers, the demand for brokers may decrease.
Insurtech is also changing the nature of the product offering, with new products including:
- parametric insurance, which pays out a defined amount upon an agreed trigger being hit;
- automated underwriting for single invoice insurance (against bad debt);
- predict-and-pay services, which shift the focus from making indemnity payments as claims arise to predicting and preventing claims from arising in the first place; and
- narrowly tailored products and pricing, which use a combination of static data, contextual information and real-time data to develop products and pricing.
Are there any areas of fintech that are particularly strong in your jurisdiction?
It would be difficult to point to any area of fintech that is particularly strong within the UK, given the strong presence of fintech businesses across the board. Fintechs are active within the business- and consumer-credit space, payments (including account information services and the services built on this), e-money (including e-money as a means to authorisation by challenger banks), robo-advice and insurtech. The UK’s financial regulatory system is effective in enabling products and service offerings across a wide range of regulated services, facilitating innovation across the financial sector.
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
The beginnings of fintech in the UK were largely hyped as being about disruption, and at the time this was largely true: challenger banks and international money transfer businesses dominated the headlines. However, the market has now matured into three main sections.
First are the genuine disruptors: those who take something that the incumbent banks already do, and do it faster, cheaper or in some way better – and steal market share by doing so. These include international money remittance providers and challenger banks.
Second are probably the largest group overall, the suppliers: these are the companies supplying services to other financial institutions in order to help those institutions do something that they do already, but do it better. There are obviously a great many options here, but by way of example only this could include data gathering and analytics (e.g. Eigen Technologies), onboarding / ID verification technology (e.g. Onfido, Yoti), or regtechs like Axiom HQ, Tessian and Cube Global that help institutions to maintain compliance with their regulatory obligations.
Third are arguably the most significant group in terms of the overall effect on the financial system, the niche-fillers. These are the companies that are doing something that no one else was doing before. This covers a broad range of services, from funding platforms that service loans that the incumbent banks would not normally take on (e.g. iwoca), to companies that produce digital receipts for store purchases (e.g. Flux) to companies that choose to offer traditional banking services in a way that makes them more accessible to people who normally find it difficult to get a bank account (e.g. Monese).
In relation to the first category, collaboration is naturally less likely. However, the second and to a large extent the third categories lend themselves to collaboration. An incumbent financial institution can benefit from new innovations of suppliers without having to create them itself, and can partner with niche-fillers to participate in markets that were previously closed to them. It is in this context that we have seen the most activity and change over the past few years, as incumbents become more skilled at adapting their contracting and procurement processes to the start-up world. In our experience there is still some way to go with many of the banks, but it is now far easier for a start-up to partner with a UK bank than it was even three years ago.
A significant recent step in the field of collaboration is the release by the British Standards Institute of a guide on “Supporting fintechs in engaging with financial institutions”. This document was created by five of the UK’s biggest banks and a number of leading fintechs, led by Tech Nation and the Fintech Delivery Panel (see answer to question 10 above), to act as a guide for fintechs who may be unfamiliar with the procurement processes and concerns of financial institutions on how best to approach the various issues that typically come up in a “partnering process”. It is an excellent guide that any fintech should read; it is, to our knowledge, the first of its kind in the world where a number of major banks have come together to try to facilitate better collaboration with fintechs.
There is an argument that similar guidance is needed for institutions to further improve their processes and strategy in order to partner with fintechs effectively, as unnecessarily burdensome documentation, policies and sign-off processes often stand in the way of effective partnering – efforts are being made by some institutions in this direction but there are significant further improvements that could be made. The institutions that get the partnering process right stand to gain significant competitive advantage over their peers in the acquisition of new functionality for their customers.
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
A number of incumbent financial institutions (including both banks and insurance companies) are actively involved in running fintech programmes and accelerators. Barclays has for some years run an accelerator in partnership with Techstars, with a number of notable success stories, and today most of the major retail banks run an innovation or accelerator programme of some kind, often teaming up with tech consultancies. In addition, many of the banks and insurance companies now have their own specific innovation function which is tasked with finding and partnering with fintechs that will be useful for their business.
Are there any strong examples of disruption through fintech in your jurisdiction?
The UK boasts many examples of fintechs disrupting the traditional financial, payments and insurance systems. The UK has seen more challenger bank activity than other regions, hosting Atom Bank, Tandem Bank, Monzo (the first online-only challenger bank with a full banking licence), Monese, Pockit, Starling, Tide and Revolut, among others. A number of these have already obtained a full banking licence whilst others have followed the path of first obtaining an e-money licence.
The implementation of the second Payment Services Directive ((EU) 2015/2366) paved the way for a host of providers of account information services (“AISPs”) and, to a lesser extent, payment initiation services providers (“PISPs”). Notably, UK AISPs have taken the initial regulatory description of provision of account and transaction data from multiple accounts to a consumer and elaborated on this, developing innovative uses for this data to bring new fintech products to market, whether by improving on existing processes or creating new offerings. For example, AISPs are currently using account and transaction data to speed up the process of evaluating SME and consumer credit eligibility, thus streamlining the process of obtaining loans. Providers of accounting services use access to account data to provide faster and more accurate accounting services to their users. Other uses of AIS include innovative applications such as automated loyalty point and cashback provision. This space has also seen the growth of intermediary providers of account data, such as TrueLayer and OpenWrks, who are registered as AISPs and provide AIS as a service to third parties in the fintech space who then use the data to provide services to end-users.
Other areas in which UK fintechs lead run the gamut from robo-advising and app-based investing (Nutmeg and Wealthify), through peer-to-peer money remittance (Transferwise), business-to-business lending (Funding Circle), SME small- and micro-loans (Iwoca), identity verification (Onfido, Yoti), peer-to-peer lending (Zopa) and invoice factoring (Market Invoice), to open banking (Fractal Labs, Fluidly).