European supervisor sets new deadline for strong customer authentication

Rules for payment service providers requiring strong customer authentication for some electronic payments have, strictly speaking, applied since 14 September 2019. But, earlier in the year, the European Banking Authority suggested that firms could be given extra time to implement SCA. It has now set a long-stop date for completing the move to SCA, but it is a shorter timeframe than that proposed by most of the industry and some regulators, including the UK’s FCA.

SCA migration to be completed by the end of 2020

The EBA has published an opinion calling for payment service providers’ migration to SCA to be completed by 31 December 2020. This is three months shorter than the 18-month extension period which, based on an EBA survey, was requested by most of the industry.

In the UK, following industry discussions, the Financial Conduct Authority had announced it would delay enforcing SCA for e-commerce card transactions until March 2021. The Banque de France had also indicated that more time would be needed for full SCA compliance. It is unclear how the FCA and Banque de France will respond to the latest EBA announcement. Most other national regulators were waiting for the EBA to announce an EU-wide deadline.

Before SCA took effect in September, the EBA had suggested that some payment service providers may be given additional time to prepare for SCA in relation to e-commerce card transactions. That additional time does not cover SCA for accessing online banking (although, separately, the FCA has allowed a six-month grace period for this in the UK).

Why did the EBA not provide a longer extension?

The EBA opinion acknowledges the calls from industry for an 18-month extension but notes that:

  • the request for a longer extension was based, in part, on the time it would take for specific technology (the 3DS V2.2 communication protocol) to be developed which is not, in the EBA’s view, the only way to achieve SCA compliance;
  • that technology would factor in the full range of exemptions available for SCA but, in the EBA’s view, this was not reason enough to delay the general application of the rules; and
  • the relevant technical standards have been public for long enough for the industry, in the EBA’s view, to have implemented the necessary IT changes.

For these reasons, the EBA concluded that providing “supervisory flexibility” until the end of next year should allow enough time for payment service providers, and merchants, to complete the move to SCA.

What is SCA?

Strong customer authentication aims to increase the security of payments and reduce the risk of fraud. It was introduced under PSD2 and involves authenticating electronic payments using at least two out of three of the following:

  • knowledge (something only the user knows, like a password)
  • possession (something only the user has, like a credit card)
  • inherence (something the user is, like a fingerprint).

Milestones laid down for achieving SCA migration

As well as setting a long-stop date for compliance, the EBA opinion sets out a timeline with various objectives for national regulators to meet at specific milestones during the SCA extension period. 

For example, by the end of this year regulators must require payment service providers to:

  • identify the authentication approaches that they currently use,
  • divide them into those that are SCA compliant and those that are not, and
  • provide plans for “expedited migration” of non-compliant approaches.

What happens next?

The EBA recommends that regulators:

  1. Stick to the new deadline;
  2. Require payment service providers to meet the milestones in the timeline;
  3. Emphasise that regulatory forbearance for not complying with the law is subject to the payment service providers respecting the milestones; and
  4. Remind payment service providers that the PSD2 liability regime applies and that therefore payment service providers have a self-interest in complying with SCA as soon as possible.

The FCA has not yet made a statement in response to the EBA opinion and so it remains to be seen whether it will bring forward its March 2021 deadline.

Singapore announces two key fintech regulatory initiatives re digital assets and payments

Crypto Code of Practice strengthens regulatory compliance for the digital asset industry

New Code of Practice and Guide

Facilitated by the Monetary Authority of Singapore (MAS), the Association of Cryptocurrency Enterprises and Start-ups, Singapore (ACCESS) has developed a Code of Practice under its Standardisation of Practice In Crypto Entities (SPICE) initiative, together with an accompanying Guide in partnership with Linklaters and in consultation with the Association of Banks in Singapore. The Code of Practice aims to enable cryptocurrency firms to open bank accounts in Singapore and establish best practices to strengthen regulatory compliance for digital asset companies.

Tackling money laundering and terrorist financing risk

The Code of Practice addresses concerns regarding the use of cryptocurrencies to facilitate money laundering and terrorism-financing activities due to the anonymity associated with the products, and promotes best practices to strengthen regulatory compliance for digital asset companies.

Complementing Singapore’s Payment Services Act 2019, SPICE provides detailed Anti-Money Laundering and Countering the Financing of Terrorism guidelines and practical guidance which crypto-asset and blockchain companies should comply with, including Know-Your-Customer (KYC) best practices, transaction monitoring, customer screening, correspondent services and crypto value transfers, which are relevant to players in the digital asset industry.

Partnership with Linklaters

Linklaters has been appointed as the law firm driving this inaugural industry-changing initiative from a legal and strategic perspective. The leader of our financial regulation practice in Singapore, Peiying Chua, commented:

“This initiative will enhance the conduct of crypto-asset and blockchain companies in Singapore and further cement Singapore’s reputation as a leading jurisdiction in the blockchain and fintech space.”

Mr. Anson Zeall, Chairman at ACCESS, pointed to recent developments in Singapore’s crypto regulatory regime, suggesting that it is becoming more competitive at the international level. He noted that newly-proposed changes to the country’s goods and services tax (GST) in relation to digital payment tokens will help to lower hurdles and reduce expenses and costs for businesses in the emerging sector, commenting:

“We are heartened to witness the industry moving in the right direction with key developments that support the growth momentum.”

Payments Regulatory Evaluation Program goes into pilot

What is the purpose of the PREP?

Linklaters, along with six other local and international firms, has been invited by the MAS to participate in a two-month pilot run of the newly launched Payments Regulatory Evaluation Programme (PREP), jointly developed by the MAS and the Singapore Academy of Law.

With the upcoming commencement of the Payment Services Act, PREP aims to help the payments industry streamline the process to gain access to legal service providers specialising in payment services regulations to meet the new compliance standards.

What does the pilot offer payment firms?

Under the pilot programme, payment firms will have easy access to a list of participating law firms with such specialised lawyers for comprehensive and customised regulatory assessment applicable to their payments business to meet their compliance needs.

The programme will officially launch at the Singapore FinTech Festival in November 2019 and will be open for all law firms in Singapore to join.

Linklaters a key participant

Linklaters’ fintech team has been an active market participant in Singapore, advising established financial institutions and corporates, as well as other participants in the fintech ecosystem, including the government and regulators, industry associations and emerging players on a broad range of legal and regulatory matters.

In taking part in this pilot programme Linklaters will continue its work in supporting and shaping the legal and regulatory framework on the payments industry. With the upcoming Payment Services Act, we look forward to continuing to support our clients in navigating the increasingly complex and fast-changing fintech landscape.

Bank of England sets out its stall for assessing payments innovation

Payment systems have an important, although sometimes overlooked, role in the broader UK financial system. Facebook’s proposal to launch a digital currency for retail payments within its network has prompted regulators to consider their approach to innovation in the payments sector more generally. At a recent meeting of its Financial Policy Committee, the Bank of England suggests how these innovations should be assessed.

Three principles for ensuring payment systems support financial stability

In the record of its latest quarterly meeting, the FPC welcomes the exploration of alternative ways to improve cross-border and domestic payments. However, ensuring new solutions support financial stability is a key concern. And so, the FPC has agreed the following three principles for assessing how regulation should respond to fast-moving developments in the payments sector.

  • Principle 1 – financial stability risk is more important than legal form
    Firstly, according to the FPC, regulation should reflect the financial stability risk, rather than the legal form, of payments activities. In other words, the same level of risk should attract the same level of regulation.

    The FPC’s concern is that use of innovative forms of payment (such as digital assets) could become widespread but not necessarily subject to the same level of regulatory oversight as prevailing payment methods (such as debit cards). The FPC reiterated the point that innovative structures are making it increasingly important to apply regulation based on functions undertaken rather than merely the type of entity involved. See also our blogpost on Protecting the financial system as the market changes.

  • Principle 2 – every link in the payment chain should be resilient
    Secondly, the FPC calls for end-to-end operational and financial resilience across payment chains. Payment chains typically connect payers and payees via multiple payment services firms, payment systems and other financial market infrastructure. Their length and complexity have been increased by new technology and new market participants.

    The FPC is concerned that, when it comes to resilience, these chains are only as strong as their weakest link. For example, it notes that: “The resilience of the proposed Libra system would rely on the stability of not just the core elements of the Libra Association and Libra Reserve but also the associated critical activities conducted by other firms in the Libra ecosystem such as validators, exchanges or wallet providers”.

    Operational resilience is a regulatory priority and the UK regulators, including the Bank of England, are going to propose new rules and guidance for financial institutions shortly. Read our publication on Building the UK financial sector’s operational resilience for more.

  • Principle 3 – data should be made available so that risks can be monitored and addressed
    Finally, according to the FPC, sufficient information about payments activities should be made available. Their concern is that supervisors may be blindsided by risks that could emerge from innovative payment systems. With more data, there is more chance of identifying risks to financial stability and addressing them appropriately.

The potential systemic importance of Libra

In the FPC’s view, Libra has the potential to become a systemically important payment system. This means it would need to meet the highest standards of resilience and be subject to appropriate supervisory oversight.

The FPC stressed that the terms of engagement for innovations such as Libra must be adopted in advance of any launch. This echoes comments previously made by Mark Carney on Libra – see also our blogpost on Paving the road for a diversity of payment options.

What is the Financial Policy Committee?

The Bank of England’s Financial Policy Committee looks out for risks in the financial system. As well as payments, its latest meeting considered Brexit, the UK-China trade war, the liquidity of some investment funds and LIBOR transition.

Next steps

The Treasury is leading a review of the payments landscape which includes looking at its resilience and how regulation can keep pace with innovation. The FPC suggests that its principles could inform any assessment of current payments regulation in that review.

Regulation driving banking transformation – The data economy, Fintech and Bigtech in finance and crypto assets

In the second edition of Deutsche Bank’s report into regulation driving banking transformation, Linklaters partner and Global Co-Head of Fintech, Julian Cunningham Day, contributes to the whitepaper, which recommends that a regulatory environment that supports the safe and robust development of the data economy, the emergence of FinTech and BigTech firms and the growth of the crypto-assets market is essential for banking transformation.

Here is a brief summary of the report’s key themes and conclusions:

Changing business, changing markets

Disruption and innovation today is easier, better, stronger and faster. Technology is not just disrupting the service and products provided by banks, it is changing and challenging the fundamental structures of financial markets themselves.

For crypto-assets to be trusted and used, the report suggests that the regulators, central banks and the industry will all need to address the issue in a coordinated and aligned fashion.

Navigating and embracing such potentially tectonic shifts is never easy – but existing processes and rules are being challenged by changing customer behaviours. Looking the other way in the hope that this is a fleeting trend is a mistake that financial institutions and regulators cannot afford to make.

Data is the new oil, and clients own the rights to the crude

Open banking has changed the landscape of Big Data – banks are no longer the only custodians of clients’ financial data and the owners of that data, the clients themselves, need to be invited to the party so that they can influence its use and commercialisation.

Big Data fuels the so-called “data economy” – a digital ecosystem where data is collected, analysed and exchanged between governments, companies or other parties for the purposes of creating value for businesses and individuals. Big Data is the basis upon which advanced analytics operate, which in turn can drive insights and improved client experience, uplifting the provision of financial services. However, as explored in more detail in the report, data localisation requirements, the restricted scope of open banking sharing requirements and the impact of data privacy requirements create regulatory challenges for this new economy.

BigTech in financial services

As BigTech companies turn their attention to financial services – using deep pools of customer data to craft bespoke solutions – the industry faces a potential game-changer. With deep pockets and an even deeper understanding of the needs of digital native clients, they raise the bar of what is expected from banking services.

The report highlights that BigTechs and incumbent banks are not only competitors but are also mutually reliant on each other for service infrastructure whether this be payment rails or cloud services for instance. This interaction plays a precious role in the financial industry, driving competition, innovation and improved client services – all priority areas for regulators. Yet the very distinct business models employed by BigTech in financial services (which rely on the “data-network-activity-loop”) also trigger regulators’ vigilance around potential gaps, particularly when it comes to competition and data protection rules.

Crypto uptake

Without a marked change in regulatory direction, the report considers that it appears unlikely that we will see a widespread uptake of crypto-assets any time soon. This is a particularly pressing issue for the type of crypto-assets that strive to become an alternative global payment method.

The report concludes that the long term benefits of crypto-assets remain compelling. Yet although some jurisdictions are moving in the right direction (in Europe there has already been major regulatory progress to clarify in which instances a crypto asset should be treated as a financial instrument), the regulatory certainty enjoyed by traditional assets is not a reality for all types of crypto-assets, which makes dealing in them subject to uncertain risks. Additional steps need to be taken not only by the regulators, but by the industry itself.

Germany paves the way for DLT securities

The German government’s new blockchain strategy encourages the development of electronic securities and strikes a positive tone for DLT implementation across several sectors in Germany, including financial services. With this strategy, the government intends to give impetus to further growth and legal certainty for distributed ledger technology.

Germany’s blockchain strategy

Following a consultation in March 2019, the German government has now adopted its national blockchain strategy (only available in German) comprising 44 measures which are intended to promote blockchain technology in Germany.

In its strategy, the German government recognises the potential of the technology and aims to further strengthen Germany’s leading position in this area. It confirms that its aim is to pursue a regulatory policy that incentivises investment, supports innovation and ensures stability and so contributes to inclusive growth that is in line with the government’s sustainability goals.

Nevertheless, the principle of a technology-neutral approach remains the guiding principle. Due to the high speed of technological development, the strategy will be reviewed and developed at regular intervals.

Concrete legislative measures for financial markets

Several concrete legislative measures are included in the strategy paper with respect to fintech and specifically DLT applications in finance. 

Although recognising that pan-European legislative efforts are desirable, the German government is keen to establish national legislation that will serve as an interim solution to provide for more legal certainty until a joint European framework for DLT is agreed.

These measures include:

  • Implementation of electronic securities
    As previously trailed in a March 2019 key issues paper, the new strategy announces the reform of German securities law to allow, at first, electronic bonds (Schuldverschreibungen). The current legal framework in Germany requires a paper-based document (Urkunde) for these securities. The reform would end this requirement, allowing those securities to be issued completely electronically, e.g. on a blockchain.

    Electronic securities will be introduced in stages. Electronic bonds are likely to be introduced by the end of 2019, while the digitisation of equity products and investment fund units at a later stage is also being considered. A public consultation process has started, in which Linklaters has participated.

  • Regulatory framework for ICOs and digital debts
    The government also plans to publish a draft law on the regulation of the public offer of certain crypto tokens. This would introduce concrete regulatory requirements for ICOs in Germany.

    Under the proposals, a public offer of tokens could only be made in Germany if the provider has published an information sheet (likely comparable to a PRIIPs KID) which will require the approval of the Federal Financial Supervisory Authority (BaFin) to enhance investor protection and legal certainty regarding the regulatory requirements for such offers.

  • Legal certainty for trading platforms and crypto depositories
    In the strategy paper, the government emphasises its plans to tackle questions about AML and KYC requirements in the crypto space by implementing the provisions of the fifth Anti Money Laundering Directive which relate to crypto assets. Here, the draft implementing law suggests a licence requirement for certain crypto custody services.

    Overall, the strategy paper displays the German government’s intention to provide a clear legal framework for DLT and additional protection for retail investors in the crypto sphere. 

Continued resistance to stablecoins

Despite the overall positive attitude towards blockchain technology, the government raises concerns about stablecoins (crypto assets whose value is backed by e.g. fiat currencies) and suggests that the current e-money regime should be sufficient to bring them within the scope of regulation.

The government intends to work on a European and international level to ensure that stablecoins will not challenge the sovereignty of government currencies. To emphasise this stance, Germany and France also recently published a joint statement on Libra, the currency envisaged by Facebook. In this statement they:

“reaffirm their willingness to tackle the challenges raised by cryptocurrency and so-called stable coin projects: financial security, investor protection, prevention of money laundering and terrorism financing, data protection and financial and monetary sovereignty.”

Further areas of specific interest

The strategy paper considers a variety of potential applications for DLT and declares a general intent to further analyse and deepen understanding for the use of the technology especially in the energy and logistics sectors, and for smart contracts and digital identities.

  • Energy sector: The blockchain strategy announces a pilot scheme for a blockchain-based smart meter implementation in the energy grid and envisages the establishment of a database for smart contract templates for use in the energy sector.
  • Logistics sector/Smart contracts: The government is encouraging an “Industry 4.0 Law Testbed”, using a test environment that enables companies to develop and extensively test secure digital business processes. The research projects around this project aim, for example, to clarify legal issues relating to the negotiation and execution of contracts between machines using so-called smart contracts based on use cases from the areas of logistics and production.
  • Digital identifiers: The government is piloting blockchain-based digital identities and evaluating other suitable applications such as the blockchain-based procedures for keeping public registers for civil status, registration, passports and ID cards as well as for foreign registration.

Overall, the aim is to foster standardisation, transparency and interconnectivity not only for financial markets but across various industries with the help of further research and specific projects.

Germany is getting serious about DLT implementation 

To sum up, the adoption of a national blockchain strategy by the German government is a positive sign for the development of DLT in a number of industries, especially the finance sector. The plan to enact legislation that integrates DLT-based solutions into the German legal framework shows that the German government recognises the potential of DLT as an innovative technology.

What happens next?

In the short term, we are awaiting the implementation of AMLD5 into German law (read our previous blogpost for more). This will most likely include a new licensable financial service in the form of crypto custody business. However, many details are still being debated. For example, we do not currently expect that the proposal that crypto custody services should be ringfenced from other licensable services will become law.

Going forward, the blockchain strategy underscores that Germany sees itself as a leading market for innovative products that at the same time aims to provide a reliable legal framework. The legal road seems to be paved for DLT to go mainstream.

Committed Settlement: Digital Asset’s DLT-based collateral management tool

Digital Asset has developed a tool to streamline the process of creating and maintaining security interests over assets held or evidenced on a distributed ledger. In a new report, Linklaters teams up with Digital Asset to consider the key legal and regulatory issues relevant to its adoption under English law.

What is Committed Settlement?

Committed Settlement is a mechanism developed by Digital Asset using its smart contract language DAML™. It is designed to enable assets held or evidenced on a distributed ledger to be “locked” and transferred in accordance with the terms of a security arrangement, thereby automating the functions of a control account. 

Digital Asset envisages that this tool has the potential to fundamentally alter the financial industry by, for example:

  • eliminating significant operational burdens involved in creating control accounts;
  • eliminating operationally intensive post-trade reconciliation processes; and
  • streamlining and enhancing reporting functionality.

Key legal and regulatory considerations

There are a number of legal and regulatory considerations that will have a bearing on the efficacy of Committed Settlement in the financial markets – notably the impact of insolvency and related laws. We consider the key issues from an English law perspective in our report. If structured and deployed appropriately in light of these considerations, it should be possible for financial markets to utilise Committed Settlement supported by an English law framework.

Read our full report.

Future of Finance Series, episode 8: a new approach to cyber risk in financial services

The Future of Finance Report describes the cyber risks in financial markets and makes recommendations with respect to enhancing protection against these threats. In its response, the Bank of England focuses on facilitating greater resilience in the sector through the adoption of cloud, AI and other new technologies. More broadly, UK regulators are advocating a new approach to cyber risk based on the assumption that disruptive incidents are likely to occur regardless of firms’ cyber security defences.

This is the eighth instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.

The risk of cyber crime and other cyber incidents

Criminals have followed financial services online. The FoF report notes that online fraud and account hacking have nearly replaced traditional theft of banknotes and gold and that over 90% of attacks in financial services target banks. But cyber crime is not limited to theft of funds. It also includes theft of IP or data and other types of attack which are aimed at disrupting activity.

As well as cyber crime, there are other forms of risk which arise from financial services being provided online and increasingly reliant on technology. Incidents such as data breaches or leakages, system outages, flash crashes and failure of third party providers could all disrupt the normal operation of a financial services business and negatively impact its customers.

Preventing crime and building resilience

Given this potential impact on customers, it is unsurprising that a key outcome sought by the FoF report is that the UK financial system “helps prevent cyber-crime” and is “resilient to cyber-risk”. To achieve this, it recommends that the Bank should conduct cyber resilience exercises to explore vulnerabilities, build a model for data recovery in the event of a cyber incident and support wider access to cyber insurance products.

It also describes how firms can prepare for cyber incidents and develop the ability to bounce back quickly from successful attacks, i.e. how they can build resilience.

“The financial system is a constant target for cyber-criminals. Regulators and the private sector need to maximise their efforts to keep up with this dynamic threat”.

The FoF report considers that the Bank has been a “thought leader on cyber-resilience” and together with the FCA has been building wider operational resilience in the financial sector. This work has focused on how financial businesses can keep serving customers in the event of any disruption to operations, including as a result of cyber incidents.

Looking at cyber risk in a new way

The Bank has previously indicated that in its supervisory approach it does not expect firms to be able to withstand the most extreme forms of disruption as that would be inefficient and make the cost of providing critical business services prohibitive. It also recognises that disruption will happen and it is unrealistic to expect that firms should have a zero tolerance for disruption.

Essentially UK regulators are recommending that firms look at cyber risk in a different way – rather than focusing on boosting cyber security and defences to meet increasing risk (the FoF report points out that financial services firms already spend three times the amount that non-financial organisations do on cyber security), firms should assume that whatever cyber security defences are put in place will either be breached or will fail at some point.

Focusing on business continuity

Regulators suggest that the focus of financial services firms at the point of an operational failure should be on keeping their core operations running by whatever means available – not simply restoring the failed systems but considering employing alternative systems or workarounds. A plan needs to be in place ahead of a potential disruption.

The priority is therefore continuity of service, even at a reduced level, for their customers. For example, continuing the availability of a banking app, perhaps with reduced functionality, during a disruption or prioritising the order in which payments are settled so that time-critical ones (such as house purchases) are processed ahead of others. See our Fintech Insight Building the UK financial sector’s operational resilience for more background on the FCA’s recommendations on how firms can build their broader resilience to operational failures.

Utilising cloud, AI and other new technologies to build cyber resilience

In its response to the FoF recommendations, the Bank includes “facilitating greater resilience and adoption of the cloud and other new technologies” as one of its five priorities. It notes the important role the Bank has in demanding that “changes to core infrastructure are robust and resilient” but also recognises the “potential cyber and operational benefits cloud-based models can bring, particularly for small firms”.

In his speech responding to the FoF report, Mark Carney elaborates on how using cloud technology could “if properly managed”, and “adopted in a safe manner”, “improve the resilience of the overall system”.

To ensure that the benefits of the cloud are realised and the associated risks are well managed, the Bank has announced that the PRA will issue a statement in the autumn setting out its supervisory approach. See our Future of Finance Series episode 2: Embracing cloud technologies – what does this mean for financial services? for more discussion on balancing the benefits of cloud solutions against risk and more details on what is happening next in this space.

Spotlight on cyber incident response and recovery at an international level

The Financial Stability Board – a global financial supervisor – is also working to enhance the cyber resilience of financial institutions with a view to mitigating the implications of cyber incidents on financial stability.

In May this year it published a paper for the G20 on developing a toolkit of effective practices relating to a financial institution’s response to, and recovery from, a cyber incident. It also aims to help regulators and supervisors in supporting financial institutions before, during and after a cyber incident.

The EU is also considering proposals to impose stricter cyber resilience standards on financial services firms and introduce EU-wide cyber resilience testing.

Future of Finance Series

This is the final instalment of our Future of Finance Series in which our team of multi-disciplinary fintech lawyers has focused on eight key themes stemming from the FoF report and their potential impact on the development of the UK fintech landscape.

Visit our Future of Finance page to access all the posts in the series and, to keep up to date with fintech developments, subscribe to our FintechLinks blog.

Future of Finance Series, episode 7: Embracing digital regulation

Regulators need data from the firms they regulate to monitor financial markets. But producing and analysing that data is labour-intensive and costly. According to the Future of Finance Report, investing in regtech to make the best use of this data is “no longer a choice” for the Bank of England.

This is the seventh instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it. All quotes in this post are from these sources.

The benefits of regtech

Finding efficiencies for firms and regulators

Financial services firms are increasingly relying on technology to help them comply with the regulations that apply to them. This technology, known as regtech, may be used for a variety of purposes such as flagging anomalous trading activity or performing more targeted anti-money laundering checks. Using regtech, firms can cut costs while also improving the quality of compliance. The FoF report argues that regulators should use technology to reap similar benefits.

The FoF report calls on the Bank to be a “technology-enabled and cost-effective regulator” which uses “advanced analytics for analysis of macroeconomic trends, financial surveillance and supervision”. The FoF report focuses on a specific use case for which regtech could benefit both firms and regulators: digitalising regulatory reporting.

A case study: digital regulatory reporting

Using data to monitor markets

Regulators collect a variety of data from regulated firms, on their products, customers and financial information, to help them supervise financial markets. But the UK financial system is constantly creating more data than ever before. Regulators are now “barraged” with an “enormous body of unstructured data”, presenting them with a real challenge for how they interrogate that data in a meaningful way to assist their supervisory activities.

The challenge of too much data

Every month, the Bank receives more than 1 billion rows of data from regulated firms. The Bank admits that the “explosion” in the volume of data it receives is more than it can handle using traditional methods.

Two thirds of supervisors’ time is spent manipulating (rather than analysing) data. As the FoF report notes, this is “a long way from real-time monitoring”.

The cost of reporting

Firms must have in place compliance processes to meet their reporting requirements, which can have serious cost implications when they rely on relatively manual solutions. At present, regulatory reporting is estimated to cost UK banks up to £4.5 billion every year.

Compounding the financial burden of reporting, there have been several significant changes to regulation since the global financial crisis. As a result, the current PRA rulebook is longer than War and Peace and compliance has become increasingly complicated. The FoF report uses the increase in regulation to argue for more efficient regulatory processes which would bring down the industry’s compliance costs.

Digitalising regulatory reporting

The FoF report suggests that a solution to this problem could be to digitalise regulatory reporting. This would involve transforming reporting requirements into machine-readable rules. These rules could then map more easily to the data in firms’ systems. See our short animation which introduces the work UK regulators have already done on digital regulatory reporting and highlights some of the important legal questions posed by the project.

Making rules machine-readable

To achieve more efficient processes, the FoF report emphasises the importance of investing in digital regulation and recommends a range of options for the Bank.

A central plank of all the proposals would be to develop a common understanding of what needs to be reported, i.e. a shared reporting taxonomy. Consistent data standards would reduce ambiguity, allow for better data analytics and enable rules to be read by a machine. Having machine-readable rules could ultimately lead to machine-executable requests for data, i.e. automated compliance.

Pooling data into a shared repository

Under the most ambitious proposal, the Bank would be able to pull firms’ data from a shared repository on demand, enabling near real-time data extraction, analysis and intervention. This solution could be implemented via a blockchain network.

The Bank’s response

In its response to the FoF report, the Bank says that the “costs of redesign will not be small” but the vision of the proposals could benefit the industry for many years. The Bank says it will consult with the industry on how regulatory data should be hosted over the next decade. It also plans to make the PRA rulebook machine-readable within the next five years.

Next up in our Future of Finance Series

In the final instalment of our Future of Finance Series we will look at cyber resilience.

Stay tuned by signing up to our FintechLinks blog.

UK firms to get more time to prepare for EU security measures for online payments

Reports have suggested around 30% of UK online shopping transactions could fail if the EU rules for strong customer authentication were enforced from September as planned. The FCA has now decided to allow extra time for the e-commerce industry to roll out the technology needed to apply strong customer authentication. Payment firms and online retailers should align their plans to the new timeframe and monitor how other EU regulators will respond.

Strong customer authentication delayed 

What is strong customer authentication?

Strong customer authentication is intended to increase the security of payments and reduce the risk of fraud. It involves the authentication of electronic payments using multiple factors. At least two out of three of the following elements are needed:

  • knowledge (something only the user knows, like a password)
  • possession (something only the user has, like a credit card)
  • inherence (something the user is, like a fingerprint).

The requirements were introduced by the EU’s revised Payment Services Directive (PSD2) and are due to take effect on 14 September 2019.

What has changed?

The payments industry and e-merchants have been gearing up to the September deadline. However, in June the European body overseeing implementation of the rules acknowledged that not all e-merchants were ready for the new standards and suggested that regulators could introduce a grace period before enforcing the rules, and the UK has now taken up the mantle.

What has the FCA announced?

In a statement, the FCA says that it has agreed with the industry an 18-month delay to strong customer authentication. The strict legal deadline in September cannot be changed but the FCA says that it does not intend to enforce the rules during the extension. This gives card issuers, payments firms and online retailers the new deadline of March 2021 to implement their enhanced security processes.

In a separate update on strong customer authentication, the FCA has indicated that the impact of related changes to online banking will also be delayed from 14 September 2019 by six months.

Why is more time needed?

There had been reports that the September deadline would not be met by all participants in the payments chain. This may in part be down to firms trying to implement nascent technology. For example, applying biometrics to authenticate a customer’s identity requires building more sophisticated technology than other types of authentication, such as a password or possession of a credit card, and this may have slowed implementation efforts.

The FCA says that, while strong customer authentication measures will reduce fraud, it has agreed the “phased plan for their timely introduction” in order to avoid “material disruption to consumers”.

What happens next?

The FCA is one of the first to set an extended timetable. Other EU regulators – such as the Central Bank of Ireland and Bank of Italy – have indicated that they will extend the deadline but so far without publicly fixing new delivery dates.

The European Banking Authority said that it would set a long-stop date by which time all national grace periods must end, although it is not clear yet what that will be. At this stage it is also not clear to what extent EU regulators will harmonise their approach, leading to the potential for a piecemeal implementation of strong customer authentication across the EU, at least until the end of any long-stop deadline.

Future of Finance Series, episode 6: Protecting the financial system as the market changes

According to Huw van Steenis, the Bank of England’s job of protecting the financial system is never done. In his Future of Finance report, he calls on the Bank to anticipate changes to market structures such as those caused by fintech. He also suggests that policymakers should reflect on how effective major policy initiatives like Open Banking really are.

This is the sixth instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.

Looking ahead to market changes

Keeping pace with business models

The traditional banking model is under threat from various sources. The growth of market-based finance is reducing reliance on bank funding. Neo banks are competing for market share. Other fintech firms are providing activities like payment services that used to be the reserve of banks. And the tech giants have already begun leveraging their huge customer bases to provide financial services.

As the FoF report notes, this diversity in the market is welcome. But it can also introduce new risks (or old risks in new forms). For example:

  • If market-based finance dries up, there could be a sudden stop in the flow of finance to the economy
  • Increased competition could put further pressure on banks’ margins which could, for example, hamper their investment in IT infrastructure
  • Dividing up banking activities between different service providers could lead to narrower business models which are more vulnerable in downturns
  • This unbundling of the traditional business model may also result in some financial activities being carried out by firms outside the scope of PRA regulation which would limit the Bank’s oversight of risks.

New risks, new policy choices

The FoF report imagines what the future might look like where low interest rates continue but there is a high degree of disruption to the market. In this scenario, the banking industry could become “more modularised with services provided primarily through market place platforms and outsourced activities”. This risks the banks of today becoming “low-margin back-end utilities”. 

The report suggests that in this scenario the Bank may need to ask for its regulatory perimeter – i.e. the scope of its regulatory remit – to be redrawn to take into account the new shape of the market.

Looking back on policy initiatives

The risks of opening up banking

The UK’s Open Banking reforms have required the nine largest banks to develop a common means for sharing customer data with eligible third parties. The UK was one of the first countries to implement Open Banking although others, like Australia, have followed. The EU Payment Services Directive (PSD2) also requires banks to share customer data although it does not prescribe the method for sharing that data.

While noting the potential benefits of opening up account information, the FoF report refers to some of the drawbacks of Open Banking. These include:

  • Cost: according to UK Finance, the Open Banking project has cost the nine original participants £1.5bn to date
  • Resilience: the report calls on policymakers to monitor the system’s ability to withstand outages
  • Unlevel playing field: under PSD2, data sharing is not reciprocal i.e. banks must share data with third parties but those third parties are not required to share their data with the banks
  • Legal liability: under current rules, banks are expected to compensate customers for unauthorised transactions by third parties and then counter‑sue the payment firm – the report suggests that this process is not scalable.

Learning lessons from regulatory intervention

The FoF report cites research which indicates that the design of Open Banking does not fulfil the most attractive use cases, that only 28% of UK adults were aware of Open Banking six months after it launched and that 80% were concerned about sharing financial data with companies other than their bank. In response, the report proposes a Treasury-led review of lessons learned from the first 18 months of Open Banking.

It also recommends that the Bank establish a dedicated “regulatory evaluation and response” unit to assess the effectiveness of major policies across their life cycles. Separately, the Financial Conduct Authority has recently embarked on public evaluations of its market interventions.

Next up in our Future of Finance Series

In the next instalment of our Future of Finance Series we will look at the digitalisation of supervision and the potential automation of regulatory compliance.

Stay tuned by signing up to our FintechLinks blog.

Future of Finance Series, episode 5: Financing the transition to a carbon-neutral economy

The Bank of England’s Future of Finance report emphasises the role finance will play in supporting the transition to a carbon-neutral economy. Encouraging sustainable finance will require recognition of the financial risks of climate change and the mobilisation of private financial resources. Here, we explore the insights on the task at hand offered by the report and the Bank of England’s response. 

This is the fifth instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.

The transition to a carbon-neutral economy

In 2015, 197 governments formed the Paris Agreement on climate change, committing to keeping global warming well below 2°C and ideally no more than 1.5°C. The FoF report emphasises the huge role finance has to play if this objective is to be achieved. By some estimates, the transition to a low-carbon economy will require investments of more than $90 trillion across the G20 by 2030. The Bank of England (“Bank”) is seeking to encourage an early and orderly transition to a carbon-neutral economy by mobilising the financial sector.

Grappling with the financial risks of climate change

A risk to financial stability

A key point made by the FoF report is that climate change must be understood as a risk to financial stability. It thus falls within the Bank’s remit and is an area where the Bank has already started to take action. 

The FoF report follows the widely used approach of breaking the risks down into two areas:

  • Physical risks, being the risk of damage to assets from climate and weather-related events, which can cause financial losses, increase insurance claims and impact borrower creditworthiness, for example.
  • Transition risks, being the risks posed from the adjustment to a lower-carbon economy – for example, reserves of fossil fuels will become less valuable if they cannot be exploited for policy reasons or due to reduced demand and, if that risk has not been priced in, this could lead to substantial losses.

Improving awareness

The FoF report notes that financial markets currently lack understanding of climate change related risks, and this is reflected in the typical relative rates of return on “green” and “brown” assets. Climate change risks do not generally form part of overall financial risk management, and the “tragedy of the horizon” means that long-term impacts are not factored into shorter term decision making.

Stress testing

As part of its moves to safeguard financial stability, the Bank stated in its response to the FoF report that it will conduct climate stress testing for financial institutions in 2021 to help “mainstream” climate risk management. The Bank will publish a discussion paper in autumn of 2019 to facilitate scenario design. 

The role and growth of green finance

The report identifies that “green finance” is an important element of financing the transition to a low-carbon economy. It highlights that the demand for green bonds has already accelerated in recent years and that “in some specific cases” green bonds have provided lower borrowing costs than their non-green equivalents. A similar movement is beginning to take off in the loan market, with the rise of green loans and sustainability linked lending. To meet global needs, these trends will need to continue. The report highlights that this presents an opportunity for the UK’s financial sector. That opportunity has also been recognised in the UK Government’s recently published Green Finance Strategy.

Ensuring consistent standards and preventing “green washing”

Importance of adequate disclosures

The FoF report emphasises that a key part of improving awareness of climate risks, as well as mobilising private resources to invest in the transition to a low-carbon economy, is for adequate disclosures to be available. These will provide the information needed to inform investment decisions and risk management.

The Bank itself has been a keen advocate of the Task Force on Climate-related Financial Disclosures (“TCFD”) and its voluntary disclosure regime. Both the FoF Report and the Bank’s response highlight the “virtuous circle” of supply of, and demand for, TCFD disclosures leading to greater adoption and improved disclosures. The Bank in its response to the FoF report commits to continuing to encourage TCFD disclosures, and “expect by 2022 that all listed companies and large asset owners will be disclosing this information”. This is in line with the Government’s expectation in its Green Finance Strategy. 

Comparability and enforceability

A key obstacle for green investing is the plethora of different and often non-comparable methods for determining which investments are green. The FoF Report emphasises that loosely constructed and unenforceable standards and definitions can lead to “greenwashing” of “brown” investments, which in turn undermines confidence in green investing. 

The FoF Report notes that having harmonised, clear and granular standards for classifying “green” and “brown” activities would assist investors. Industry standards do exist, but are often “high-level, fragmented and voluntary”. Whilst the Bank cannot really put such a framework in place by itself, it is worth noting that the EU is legislating in this area. As part of the EU Sustainable Finance Package, a “Taxonomy” Regulation has been proposed to provide a granular, compulsory and enforceable classification system to determine which investments are sustainable. However, the Regulation is still under negotiation at an EU level as, understandably, creating such a comprehensive and granular framework is both technically difficult and politically contentious.

Next up in our Future of Finance Series and other Sustainable Finance Resources

In the next instalment of our Future of Finance Series we will look at protecting the financial system in response to market changes driven by Fintech and Open Banking. Stay tuned by signing up to our FintechLinks blog.

We recently hosted a webinar on the broader universe of incoming sustainable finance obligations for banks and sell side firms where we discussed some of the Bank’s recent measures. We also discussed how banks and sell side firms may be impacted by client demands. The recording is available here for knowledge portal subscribers.

Please contact the Key Contacts listed or your usual Linklaters contact if you have any questions about sustainable finance.

UK FCA spells out when cryptoassets fall within the scope of regulation

Regulators around the world have grappled with how cryptoassets fit within their rules. The Financial Conduct Authority has now set out its final stance on the different types of cryptoasset and how they are regulated in the UK. Notably, “stablecoins” are not seen as a separate category and so may be regulated or unregulated depending on their structural features.

Drawing the line – final perimeter guidance

In January 2019, the FCA proposed draft guidance which was intended to clarify its view on which types of cryptoasset fall inside and outside the UK regulatory perimeter.

The regulatory perimeter is the line between financial services activities which are regulated and those which are not. Ultimately it is for Parliament and the courts to draw the line, but FCA perimeter guidance can help firms understand whether they need to seek FCA authorisation.

The FCA has now issued a policy statement which finalises its guidance as it relates to cryptoassets.

Reframing cryptoassets – changes to the FCA’s taxonomy

Previously, and in line with the October 2018 Cryptoasset Taskforce report, the FCA divided the cryptoasset market into security tokens, exchange tokens and utility tokens.

The FCA has reframed these categories as:

  • Security tokens (regulated): largely unchanged from the draft guidance, this covers tokens which qualify as investments like shares, bonds or units in a fund
  • E-money tokens (regulated): cryptoassets that meet the definition of e-money (see our previous blog) are regulated
  • Unregulated tokens: any cryptoasset that is not a security token or an e-money token is unregulated e.g. exchange tokens (aka cryptocurrencies) like Bitcoin and Litecoin or utility tokens which allow access to a service or network.

In other words, buying and selling unregulated tokens does not require FCA authorisation. However, dealing in derivatives which use cryptoassets is a regulated activity (even if the underlying cryptoassets are unregulated). And new rules may from January 2020 impose AML checks on other cryptoasset activities.

The FCA also notes that it is possible for tokens which facilitate payment services (such as money remittance) to be regulated. This depends on whether regulated payments are being provided rather than the type of cryptoasset being used.

How stablecoins fit into the regulatory framework

The FCA has updated its guidance to clarify its position on stablecoins. The term “stablecoins” generally refers to cryptoassets that have a mechanism for stabilising their value, often by being backed by fiat currency or assets. In a speech in July the FCA described Libra – the proposed digital currency intended to facilitate retail payments within the Facebook ecosystem – as a stablecoin. 

The FCA has decided not to treat stablecoins as a separate category of cryptoasset. Instead the FCA will fit them into its existing framework on a case by case basis. In other words, depending on how it is structured, a stablecoin could be any of a security token, e-money token or unregulated.

International perspective

Feedback to its draft guidance encouraged the FCA to find a harmonised international approach to cryptoassets. The treatment of cryptoassets currently depends on the approach of the local law and regulators. For example, the US SEC takes a relatively broad view on what qualifies as a security token and France has set up a way for utility tokens to receive a regulatory seal of approval.

In response, the FCA notes the difficulties with taking a global approach because of the inherent structural differences between jurisdictions’ securities markets and legal frameworks, but it proposes to encourage consistency in regulation, for example via the Global Financial Innovation Network.

What happens next?

The FCA hopes that its guidance will inform other supervisory work on cryptoassets, including its engagement with cryptoasset firms. It also indicates that it is monitoring cryptocustody and settlement which are not covered by the perimeter guidance.

According to the FCA, the Treasury will consult on whether further regulation is required in the cryptoasset market. Changing the regulatory perimeter would need new legislation.

Finally, as the supervisor for the new AML regime for cryptoassets, the FCA will consult on its proposed approach later this year.

US SEC approves regulated token offering for the first time

On Wednesday, July 10 the SEC approved New York-based blockchain startup Blockstack to launch a $28 million token public offering. Blockstack announced it would commence the sale of its Stacks tokens on Thursday July 11. As the first offering of digital tokens to be approved by the SEC under Regulation A+, Blockstack’s offering is a potentially groundbreaking moment for the cryptocurrency markets. 

The offering 

Blockstack sponsors an open-source peer-to-peer network for decentralized applications. According to Blockstack, a total of up to 295 million “Stacks” tokens will be offered under the approved Regulation A+ offering.

First, up to 215 million Stacks will be offered at a discounted purchase price of US $0.12 to current holders of non-binding Blockstack vouchers. 

Second, at least 40 million Stacks will be sold for $0.30 to the general public. Furthermore, Blockstack has stated that it will allocate up to 40 million Stacks to developers that created the top-ranked applications within the Blockstack ecosystem. Per Regulation A+, the aggregate amount of capital raised in the offering will not exceed $50 million. 

Blockstack will be offering Stacks through its website, where potential investors can review an electronic version of the offering circular and execute a subscription agreement. Once an investor buys Stacks, they will be able to use them on Blockstack’s network. 

Regulation A+ 

What is notable about this offering is that Blockstack chose to offer its tokens in a different way than its previous token sale. In 2017, Blockstack raised approximately $47 million through a token offering which relied on Regulation D. Like Regulation A+, Regulation D is an alternative to a traditional public offering, where a company can offer and sell securities without having to register with the SEC. 

Although raising capital through an offering in reliance on Regulation D has fewer requirements than a public offering, Regulation D has certain limiting conditions such as dollar limits, issuer and investor suitability requirements, restrictions on resales and more.

In contrast, Blockstack is now relying on Regulation A+, which was adopted in 2012 as part of the “Jumpstart Our Business Startups” Act (the JOBS Act). Regulation A+ allows an offering to be open to the general public and the securities being sold are not deemed to be restricted securities. However, Regulation A+ imposes its own limits – notably that the offering is limited to US $50 million being raised in a 12-month period. 

Practical Considerations for Other Token Offerings

While the SEC’s approval of this offering is significant, there remain practical considerations for others wishing to follow the same path. The biggest of these is that the approval process is lengthy and costly. In fact, according to WSJ, Blockstack spent about ten months and $2 million on the approval process. This means that newly formed startup businesses are unlikely to be able to raise capital under Regulation A+ without first obtaining funding through more traditional routes such as friends and family and venture capital. In this case, Blockstack had already raised $5 million from venture capital before it launched its first token offering in 2017.

Regulation A+ offerings have also been less popular due to disappointing performance and fraud concerns. The WSJ recently reported that both Nasdaq Inc. and the New York Stock Exchange are moving to raise listing requirements for Regulation A+ companies. Consequently, the cost of a Reg A+ offering may continue to rise.

What’s happening next?

Overall, it is too early to tell how the Blockstack offering will impact the market. On the one hand, initial coin offerings (ICOs) have been on the decline and blockchain companies may be encouraged to use Regulation A+ as a means of raising capital because the enhanced disclosure and regulatory scrutiny requirements provide comfort to potential investors.

On the other hand, conducting a Regulation A+ offering is both time-consuming and expensive – which could offset the desirability of Regulation A+ to a startup without deep pockets and time to spend. Therefore, it remains to be seen whether the Blockstack offering is the first of many Regulation A+ offerings conducted by blockchain companies, or simply an interesting footnote in the cryptocurrency markets.

Future of Finance Series, episode 4: What the growth and liberalisation of emerging markets means for the UK’s financial sector

Emerging market economies, like China and India, are likely to look increasingly to global capital markets to meet their financing needs, the Future of Finance report predicts. This shift poses both opportunities and risks for the UK’s financial sector, as we discuss in this week’s instalment of the Future of Finance series. 

This is the fourth instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.

The growth and liberalisation of emerging market economies

Large EMEs are still relatively closed to global markets

There is no denying the historic and projected growth of China and India. The FoF report points to data showing that by 2030 these could be the world’s largest and third largest economies, respectively. But, to date, these markets have remained relatively closed to foreign investment. And, even as they have begun to open up, their policies have tended to favour foreign direct investment over portfolio investment or foreign debt. Other EMEs have taken a similar approach. 

This has had an insulating effect

As a result, these economies have remained somewhat insulated from the international capital markets. And, as a corollary, UK financial institutions have been under-exposed to the growth and opportunities in EMEs.

That is likely to change

The report predicts that this is likely to change over the next decade and that increasingly EMEs will look to foreign markets to meet their financing needs. The new Shanghai-London Stock Connect scheme is an example of that.

Opportunities all round

Opportunities for EMEs

There are obvious benefits for EMEs in tapping the global markets. As the report states: “This would support EME growth by making it easier to finance domestic investment needs, which are likely to be substantial”.

Opportunities for the UK

But, equally, there are opportunities for the UK as a global financial centre.

UK investors provide significant funding to international capital markets (US$3.4 trillion as at the end of 2017, according to the report). Directing this into faster growing markets could result in strong growth for the UK.

The UK’s record on innovation also places it well to meet evolving market needs. For example, the report highlights that cross-border debt into EMEs is still predominately USD-denominated, which leaves emerging markets vulnerable to the appreciation of the US dollar. As EMEs continue to open up, we could see an increasing demand for local currency denominated bonds. Such instruments benefit the issuing country but at the same time shift FX risks to investors. The UK’s expertise in financial innovation could be helpful in meeting these evolving needs – as well as in responding to the growing demand for other innovative products such as green finance and cyber-risk insurance.

Potential risks for global financial stability

The amplification of macroeconomic shocks

The liberalisation of emerging markets does, however, raise new financial stability risks. Whereas foreign direct investment is a relatively stable, long-term form of inbound capital flow, portfolio flows can be rapidly reversed by investors in deteriorating conditions. In the event of a macroeconomic shock to the market, instant capital flight may have an amplifying effect and could potentially lead to a currency crisis. The report notes that these effects may “spill-back” to an exposed UK.

The UK’s role in mitigating the risks

The report recommends that EMEs take a prudent approach in managing capital account liberalisation by, for example, adopting sound macroeconomic and prudential policies and deepening domestic financial markets.

But it also places responsibility on the UK: “The UK as host to a major international financial centre should be at the forefront of efforts to spot new risks, develop standards and promote close supervisory and regulatory co-operation”. For the private sector, the report’s recommendations focus particularly on post-trade standards and note that the swap and collateral markets would be a good place to start.

Among other things, the Bank of England has said:

  • it will continue to work with various international fora to identify and respond to vulnerabilities and enhance global standards;
  • it is scaling up its efforts to provide training and technical assistance to central banks in emerging markets; and
  • it will convene a “Post-Trade Technology Market Practitioner Panel” to explore how market participants can leverage technological improvements to deliver a more efficient and resilient post-trade ecosystem.

Next up in our Future of Finance Series

In the next instalment of our Future of Finance Series we will focus on green finance and its role in financing the transition to a low carbon economy. Stay tuned by signing up to our FintechLinks blog.

New Digital Bank Licences in Singapore

The Monetary Authority of Singapore (MAS) has announced that it will issue up to 5 new digital bank licences comprising 2 digital full bank licences (permitted to deal with retail clients) and 3 digital wholesale bank licences (permitted to deal with SMEs and non-retail clients). MAS is working on implementation details and expects to invite applications in August 2019.

The 5 new licences will be available to digital players who demonstrate an innovative and sustainable business model even if they have yet to establish a track record in banking – a strong move welcoming non-bank players to become digital banks in Singapore. This marks an addition to MAS’ existing regime which for more than two decades already allowed local banking groups to set up standalone digital banks under MAS’ internet-only bank framework.

In this client alert, we provide an overview of the new licensing framework, as well as commentary on similar developments in Hong Kong.

Future of Finance Series, episode 3: How the Bank of England envisages portable data and an SME finance platform creating “Open Finance”

One of the nine core themes of the Future of Finance report is “Supporting the data economy through standards and protocols”. A key recommendation for how to achieve this is for the Bank to “support better credit files for SMEs”. We examine the Bank’s response, in particular its eye-catching proposal for a national SME financing platform, and consider some of the regulatory and legal issues.

This is the third instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report, the Bank’s response to it and Mark Carney’s supporting Mansion House speech. All quotes in this post are from these sources.

“New Finance” involves “Open Finance” for SMEs

The key thrust of the FoF report is the need for a “new finance” and a “new Bank” to enable a “new economy”. This vision of “new finance” in a digital economy is of a financial system which is “more efficient, fair and accessible”.

The FoF report develops a theme around the role of “data standards and protocols” in enabling innovation, opening-up markets to boost the efficiency and effectiveness of finance in this new economy and addressing existing challenges such as the £22 billion SME financing gap.

As pointed out by Mark Carney in his speech, this funding gap has arisen because SMEs face a number of barriers in raising finance, including borrowing against intangible assets, a lack of historic data for credit scoring and the burdensome nature of Anti-Money Laundering and Know Your Customer Checks. In the world of Big Data the solution to reducing these barriers lies in better leveraging of customer data.

What is “Open Finance”? 

In its response to the FoF’s recommendation to “support better credit files for SMEs”, the Bank develops the theme of data standards and protocols within the concept of “Open Finance”. This essentially envisages the extension of the existing policy of data sharing through open banking – the pro-competition focused requirement for banks to share certain customer data – to much wider data sets.

In examining how Open Finance might be delivered the Bank focuses on two key aspects:

  1. creating richer customer data sets (capturing data held at utilities companies, search, rating and social media data, and data from public sources, such as the Passport Office, DVLA, HMRC and Companies House) which can be easily shared with a broader array of potential finance providers through portable credit files, Legal Entity Identifiers and API technology; and
  2. ensuring greater access to finance for small businesses and individuals through a dedicated finance platform for SME financing.

What is the open platform? 

A priority area for action

The Bank’s most eye-catching commitment, and one of its 5 priority areas for action, is its proposal to support the development of an “open platform” to deliver better access to finance. It aims to do this by bringing together global identity standards and a safe, secure and permissioned method of sharing information; this open platform could harness novel data sources and advanced analytics to provide SMEs with more choice and better access to productive finance.

Role of the Bank

Given its role at the heart of the UK payments system the Bank sees itself as the facilitator of change – using its “levers” to promote data standards and improved digital identification. Whilst Mark Carney suggests that “It’s not for the Bank of England to build this platform but we can help lay some of the groundwork” and the Bank suggests it is a job for “Government and business”, it’s not clear who the likeliest candidates will be to construct the “Open Platform” or whether the initiative will be led by industry or government. In terms of data sharing it is also not clear exactly how the significant challenge of “linking public sources” of data could be achieved in practice.

Examples of finance platforms in action

The FoF report points to China as an example of how data and technology can be leveraged by platforms to provide access to finance and also cites specific examples of finance platforms in action, including:

  • Ant Financial using an array of data sourced from related social media and marketplace platforms to offer credit to those that have been previously underserved by finance.
  • Amazon extending trade credit to businesses selling on its marketplace. 
  • PayPal extending credit to online customers at the point of sale.

Regulatory and legal issues

The Bank notes that the policy of open banking “is already beginning to change how the UK financial system uses data” and “has demonstrated the potential for sharing data securely around the financial system in a standardised way through an API”. However, the original policy of open banking was championed by the Competition and Markets Authority and mandated by regulation, so it seems reasonable to question whether the open platform will require something similar to be successful. It is perhaps instructive that the examples provided in the FoF report relate to platforms created by single private actors rather than on a broader industry basis.

Irrespective of how the open platform is put together, drawing on our experience of working with finance platforms, we suggest that there will be a range of legal issues to navigate, from the commercial arrangements and ownership structure, to considerations around data-sharing, data-security, competition, regulatory licensing and apportioning liability.  

Next up in our Future of Finance Series

In the next instalment of our Future of Finance Series we will look at what the growth and liberalisation of emerging markets may mean for the UK.
Stay tuned by signing up to our FintechLinks blog.

US SEC and FINRA Statement on Broker-Dealer Custody of Digital Asset Securities

A recent joint statement by the SEC and FINRA highlights three main areas for broker-dealers to consider—the customer protection rule, books and records requirements, and insolvency protections—but stops short of providing concrete guidance, instead noting “the Staffs will continue their constructive engagement with market participants . . . so that they may better respond to developments in the market.”

The current landscape of digital asset security regulation

The joint statement serves as a stark reminder to US-regulated broker-dealers that: 

  1. certain digital assets are susceptible to characterization as securities (see our April 2019 insight);
  2. “[w]hether a security is paper or digital, the same fundamental elements of the broker-dealer financial responsibility rules apply” to custody services for securities; and
  3. these regulators are still coming to terms with exactly how those rules apply to so-called digital asset securities. 

We look at the three main areas for broker-dealers to consider in light of the joint statement.

1. The Customer Protection Rule

Safeguarding customers’ assets

Rule 15c3-3 under the Exchange Act of 1934 (the customer protection rule) generally requires a broker-dealer to safeguard customer assets in a way that increases the likelihood that, in the event of the broker-dealer’s failure, customers can still access their securities and cash. 

Among other requirements, broker-dealers must physically hold customers’ fully paid and excess margin securities (as such terms are defined in the rule) or maintain them free of lien at a good control location (e.g., the Depository Trust Company).

Joint statement guidance?

While acknowledging that “[t]here are many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities”, the joint statement offers no concrete guidance for addressing these differences.

Instead, the joint statement merely highlights some of the risks attendant to custody of digital asset securities. For example, if a broker-dealer holds a “private key” for securities reflected on a distributed ledger, that broker-dealer may not be able to demonstrate the required control under the rule because it may not be able to rule out the possibility that another party has a copy of the private key and could thereby transfer the digital asset security without the broker-dealer’s knowledge or consent.

In what is an oft-repeated sentiment, the joint statement provides that:

 “[t]he specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Consumer Protection Rule remain under discussion, and the Staffs stand ready to continue to engage with entities pursuing this line of business.”

2. The challenge of Books and Records requirements for digital asset securities

Maintaining auditable records

Broker-dealers generally must make and keep current ledgers of all assets and liabilities and must maintain a securities record containing a list of each customer security carried by the broker-dealer.

The nature of digital asset securities, particularly the use of distributed ledgers, could make it difficult for broker-dealers to adequately evidence the existence of digital asset securities in their books, records and financial statements.

Joint statement guidance?

The joint statement baldly states that broker-dealers “should consider how the nature of the technology may impact their ability to comply with the broker-dealer recordkeeping and reporting rules.” Easier said than done.

3. Securities Investor Protection Act of 1970

First priority claims in insolvency

SIPA gives securities customers first priority claim to securities and cash held by an insolvent broker-dealer.  SIPA protections apply to “securities” as defined in the SIPA statute in a way that is narrower than that of the federal securities laws.

Notably, the SIPA definition does not include the concept of an “investment contract”, so it remains possible that certain digital assets will be securities for purposes of (a) SIPA but not the federal securities laws and rules thereunder (like the customer protection rule), (b) the federal securities laws but not SIPA, or (c) both SIPA and the federal securities laws. In case (b)—i.e., where a digital asset is not a security under SIPA—a customer would not have a first priority claim against the estate of an insolvent broker-dealer for that asset; instead, a customer would only have a general unsecured creditor claim.

Joint statement guidance?

The joint statement notes in a grand understatement that such an outcome is “likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities.”

What’s happening next?

It’s possible that the joint statement is a prelude to more comprehensive and constructive guidance.  It’s also possible that the joint statement is intended to release political pressure on the SEC and FINRA by publicly demonstrating that they are on the case.  Indeed, it is even possible that this verbal equivalent of a shrug emoji is an attempt to signal to Congress that the current statutory framework is lacking or that legislative direction is desired.

At a minimum, the many questions raised with few, if any, answers might have the practical effect of scaring off potential broker-dealer entrants to the field of custodying digital assets.  If such a vacuum is created, it remains to be seen whether other non-broker-dealers, such as trust company holders of New York BitLicenses, will fill it.

European supervisor identifies bigtech as a threat to the payments market

Fintech has led to new products and services, new entrants, and new regulation in the EU payments market. The European Banking Authority, which is responsible for monitoring financial innovation in the sector, has surveyed the impact of fintech on payment and e-money firms. We summarise seven key findings from their report.

The EBA has published a report on the fintech trends shaping the business models of payment institutions and e-money institutions. It follows a similar paper which focused on fintech’s impact on the banking sector.

The latest report summarises the EBA’s view on key market trends and threats. The research included a survey of 65 market participants. Notably, none of the firms surveyed were UK institutions.

We have summarised below seven findings from the EBA report.

  • We are fintech: Unsurprisingly, many payment and e-money institutions see themselves as fintech firms. The most popular technologies that have been adopted are cloud computing and digital/mobile wallets, followed by big data analytics and biometrics. The interest in biometrics such as fingerprint and voice recognition may be a result of new incoming security standards.
  • The bigtech threat: Many bigtech firms offer payments services to facilitate their core business (e.g. e-commerce or advertising) but the EBA notes that there is considerable diversity in how they conduct payment services. Nearly all the institutions surveyed expect bigtech firms to participate more actively in the EU payments and e-money sector. Some payment institutions suggested they would be open to partnering with bigtech firms or exploring M&A opportunities.
  • Growth in the B2B sector: The EBA found that providing payment services to businesses has seen significant growth as corporates and SMEs have turned to payment and e-money institutions as an alternative to banks for some services. This is consistent with the findings from last year’s report on the banking sector. 
  • Payment rails relatively untouched: Technological innovation has largely focused on improving customer experience rather than changing the underlying payments infrastructure. In Europe, at least, the EBA found that bigtech firms currently rely on existing payment rails.
  • A broadening of services: Firms are investing significantly in the development of APIs and digital and mobile wallets. A third of firms surveyed expect to add new services to their business models but only a few firms plan to seek a banking licence. 13% of payment and e-money institutions offer services related to cryptoassets, such as processing payments and/or opening payment accounts for crypto firms and exchanges.
  • Outsourcing is on the up: More than 80% of institutions outsource activities to third parties and many have seen an increased dependency on external providers in the last couple of years. These third parties are likely to include bigtech firms as well as smaller fintech providers. The potential for over-reliance on these service providers is an area of ongoing concern for regulators.
  • Resilience warning: The EBA warns that institutions are increasingly vulnerable to cyberattacks and that a targeted attack on a significant participant in the payment chain could pose a material risk to the economy. Firms are encouraged to focus on building strong operational resilience. Data sharing and the interaction between PSD2 and GDPR are also highlighted as challenges that may need to be addressed.

Future of Finance Series, episode 2: Embracing cloud technologies – what does this mean for financial services?

One of the nine core themes of the Bank of England’s Future of Finance report is “Enabling innovation through modern financial infrastructure”. A key recommendation for how to achieve this is for the Bank of England to “embrace cloud technologies, which have matured to the point they can meet the high expectations of regulators and financial services”. Cloud technology has become increasingly important to the digital economy, and the use of cloud by financial firms will only increase.  Given the potential risks, the Bank of England has a key role in ensuring that firms use it in a safe and sustainable way. 

This is the second instalment in our Future of Finance Series, which looks at Huw van Steenis’ Future of Finance Report and the Bank’s response to it.

Cloud is becoming mainstream, even in financial services

Cloud as an enabler

Cloud computing is no longer a “new” technology. It is increasingly used in the financial services sector as a means for firms to enable innovation, improve services and secure competitive advantage. The FoF report acknowledges, however, that adoption of the public cloud has been slower amongst financial institutions than in other sectors as a result of the costs of migration, management concerns over the use of new technologies and cautious regulators. 

That said, research suggests up to a quarter of the activities of the largest global banks may already be on the public cloud or software hosted on the cloud. The FoF report identifies that banks are using cloud for customer relationship management, HR and accounting (but not, generally, for core banking services). Looking forward, McKinsey & Company suggest up to 40%–90% of banks’ workloads globally could be hosted on public cloud or software as a service in a decade.

Impact of Fintechs

The FoF report identifies that “the next generation of financial firms will likely widely use public cloud technology”; this is already being seen in the market with new entrants like Monzo and Starling making extensive use of AWS. These new market entrants are focused on providing an excellent customer experience and have embraced cloud technology to deliver this.  They are disrupting the market and forcing established firms to change more rapidly in order to compete.

There are many benefits in using cloud

Agility, innovation and data analytics

The Bank of England’s (“the Bank”) response to the FoF report notes that since new entrants will be unencumbered by the problems faced by longer-standing firms with antiquated, patchwork IT systems they will be able to be far more agile in responding to changing consumer demands.

Using cloud also provides firms with access to the best analytical tools. Banks are sitting on mountains of data and being able to analyse this properly requires the processing power which can be offered by cloud solutions. These analytics tools should help banks in monetising the data they already have and in better using that data to service their customers.

Access to expertise

Cloud providers are experts in their chosen fields. Facilitating the use of cloud solutions therefore opens banks up to a range of products and expertise which even the most well-resourced in house IT teams would not be able to offer. These additional products can, in turn, enhance user experience and drive competition in the market.

Security and resilience

Security of cloud solutions has previously been viewed by financial services regulators as a significant risk. However, as we have been discussing with financial firms for a number of years, cloud providers can potentially offer a greater level of security than banks can themselves provide. Cloud providers trade on their security reputation; a significant outage or data breach could prove catastrophic to their viability as a business.

Given the frequency with which the financial system is coming under cyber-attack, security is only becoming more important. The FoF report acknowledges that “even the best-resourced financial firms invest less in cyber-defences than cloud providers” and that, particularly for smaller firms, a move to cloud could improve their cyber security and resilience.

This could also offer a better solution for firms with patchwork legacy systems which are either coming to the end of their supportable life or contain a number of vulnerabilities in the joins between those systems.


The reduced costs which can be achieved as a result of the economies of scale offered by cloud are a well-known benefit. Research by McKinsey & Company suggests that cloud has the potential to reduce IT infrastructure costs by between 30% and 50%. These savings could free up cash for firms to spend on enhancing their consumer offering.

But there are also risks to address…

Operational disruption 

The Bank notes that operational resilience of firms is “critically important” and becoming as important as financial resilience. The FoF report indicates that, as part of this, resilience and effective management of technology infrastructure is paramount.

Firms looking to use cloud will therefore need robust processes in place to ensure that failure of, or disruption to, their provider will not impact on the bank’s ability to continue its core services, for example by ensuring that there are multiple backups and a robust disaster recovery process for getting back online quickly. It will be fundamental that banks fully understand what would happen in the event of a failure or disruption and that, should an issue arise, it is handled effectively.

Recent high profile disruptions have shown that any such failings can have far reaching consequences for a bank with the regulators, its customers and its market reputation.  

Concentration risk

Currently the cloud services market is dominated by a handful of large providers and, as noted in the FoF report, AWS and Microsoft account for almost half of all revenue in this area.  This raises concerns about concentration risk and the impact which the failure of a single provider could have on the financial services landscape. One provider holding significant amounts of data for a number of banks may also make them a more tantalising target for hackers.

On the other hand, the FoF report also acknowledges that reducing the concentration risk poses additional questions about how best to ensure oversight of a large number of individual providers.

Loss of control

It is clear from both the FoF report and the Bank’s response that one of the key concerns from regulators has been, and still is, the loss of control associated with cloud computing. While IT was all provided on-premises, it did not matter that the technology might have been provided by IBM or Microsoft as the regulators could still walk in to the firm’s premises and have a look at what was going on.

With cloud, regulators do not have that same level of control and nor do the banks themselves. Regulators are therefore going to have to get themselves comfortable with being one step removed for any real shift to the cloud to be supported.

…and regulatory barriers preventing wider adoption 

The FoF report highlights that, according to a new Finastra survey, 43% of UK firms said complex regulatory requirements were the key barrier to adopting cloud collaboration.

There are numerous regulatory considerations associated with cloud, including those relating to data protection, information security and bank secrecy. From a financial services perspective, in our experience it is often the audit and security requirements, such as those found in the February 2019 EBA Outsourcing Guidelines, which cause the most friction between firms and cloud providers. Certainly, we see Fintechs frustrated by being unable to meet banks’ stringent requirements relating to audit and security as they are unable to provide each bank with the access to premises (data centres in particular) which banks demand or to provide differing levels of IT security to comply with each bank’s own policies.

Balancing benefits against risks

As the benefits of cloud are further understood, including in relation to security, it may be that the benefits to both providers and users of financial services are starting to carry more weight than the risks and are tipping the balance in favour of the use of public cloud. However, the FoF report highlights that policies will need to respond to this emerging reality if the UK wishes to remain a leading venue for international finance and ensure that UK financial firms are competitive and are on a level playing field to new business models. 

Further, the Bank will need to build expertise and play a leading role, in collaboration with other authorities, shaping use of public cloud in the financial sector.

What’s happening next?

New regulatory guidance

The Bank has committed to publishing a supervisory statement in 2019 which will describe “the PRA’s modernised policy framework on outsourcing arrangements, including a focus on cloud technology and setting out conditions that can help give firms assurance on its use”. 

It will be interesting to see whether this incorporates a move towards removing the audit and security barriers mentioned above by, for example, including a specific proposal for use of pooled audits of cloud providers and standardised security certification, both of which are referred to in the EBA Outsourcing Guidelines. 

If standardised certification is so onerous that only the biggest cloud players will be able to achieve certification, this could have an unintended consequence of decreasing competition and increasing concentration risk.

Global conversation

Both the FoF report and the Bank’s response recognise the importance of taking an international approach to the regulation of cloud use in financial services. The FoF report recommends collaborating with international regulators for a longer-term approach to cloud oversight.   Financial services firms rarely, if ever, operate in a single jurisdiction and public cloud, by its nature, pays no attention to borders. 

The Bank has therefore committed to lead the conversation around cloud globally. Consistent regulation of cloud across jurisdictions should help smooth the adoption of cloud within global banks with competing national regulations to contend with.

A cloud storm?

Removal of existing regulatory barriers to adoption of public cloud will certainly result in greater use of public cloud in financial services, opening up opportunities for both firms and Fintechs, but it does not necessarily follow that there will be a sudden rush in traditional banks moving their entire operations to the cloud. Such projects involve significant IT transformation and therefore significant time and cost, especially where interfaces with old and often bespoke IT systems are involved. 

The requirements of the GDPR also need to be considered when moving personal data to the cloud or when making those new uses of personal data which are opened up by the ability to harness the processing capabilities of cloud computing.

“Changing the boundaries of financial services regulation”

While the FoF report recommends that the Bank embraces cloud technologies, it also emphasises the need for the Bank to be vigilant to the emerging vulnerabilities.  It sends a warning shot to the larger cloud providers that if the removal of barriers to cloud adoption results in significant concentration of core banking functions with one or more provider, then the Bank may view those providers as “systemically important” and look to “include aspects of cloud service providers’ operations in the Bank’s direct oversight”.

Financial services regulation of tech companies is clearly something which is currently on the Bank’s and other regulators’ minds. For example, both Mark Carney and Mu Changchun of the People’s Bank of China have commented on the requirements for regulatory oversight of Facebook’s foray into the payments space with its cryptocurrency, Libra.

Next up in our Future of Finance Series

In the next instalment of our Future of Finance Series we will look at the Bank’s messages relating to the theme of “supporting the data economy through standards and protocols”. Stay tuned by signing up to our FintechLinks blog.

UK regulator proposes ban on crypto-derivatives for retail consumers

Derivative contracts can allow individuals to benefit from changes in the value of cryptoassets like Bitcoin without having to buy them directly. The UK Financial Conduct Authority now plans to block these crypto-derivatives from being sold to retail consumers. Firms offering crypto-derivatives as retail products will likely have to stop doing so next year.

What has the FCA proposed?

In a consultation paper, the FCA has suggested banning the sale, marketing and distribution to retail consumers of crypto-derivatives. These are derivatives and exchange traded notes that reference unregulated transferable cryptoassets. The ban would apply to firms acting in, or from, the UK.

Why has the FCA done this?

In the UK Cryptoasset Taskforce report last year, the FCA promised that it would consult on prohibiting the sale of certain cryptoasset derivatives to retail consumers.

In its latest paper, the FCA explains that crypto-derivatives are “ill-suited” to retail investors who cannot reliably assess the value and risks of derivatives or ETNs that reference cryptoassets.

In the FCA’s view, consumers need protection because cryptoassets have “no reliable basis for valuation”, their value is extremely volatile, and retail consumers lack adequate understanding of the investment. Other risks highlighted in the FCA paper are financial crime, market abuse, and opaque costs and charges.

What types of cryptoasset are caught?

The FCA has previously talked about three types of cryptoasset: security tokens, exchange tokens and utility tokens. The retail ban is targeted at derivatives referencing exchange tokens.

These tokens – like Bitcoin and Litecoin – are not issued or backed by any central authority and are used as a means of exchange or for investment purposes. Generally, buying and selling this type of cryptoasset is not a regulated activity in the UK.

However, as the FCA has said for some time, creating products deriving from cryptoassets is likely to be a regulated activity. The FCA has seen a small derivatives market develop as the UK cryptoasset market has grown.

Some new definitions

In the draft rules, instead of referring to exchange tokens, the FCA has used the term “unregulated transferable cryptoassets”.

For something to be caught by this definition, it must:

  • be a digital representation of value or contractual rights, 
  • be cryptographically secured,
  • use distributed ledger technology,
  • be tradeable on cryptoasset platforms, and
  • not be e-money or another regulated investment like a security.

“Cryptoasset derivatives” are then defined to include derivatives where the underlying includes an unregulated transferable cryptoasset or an index relating to such a cryptoasset. Derivatives referencing, for example, security tokens would not be caught by the ban (but they would be regulated as securities).

What is a derivative?

Derivatives are contracts which derive their value from something else. They include:

  • futures (where you agree to buy/sell an asset at a set price at a point in the future), 
  • options (where you have the right to buy/sell an asset at a set price at a point in the future), and
  • contracts for difference (where you agree to exchange the difference in price of an underlying between set dates).

According to the FCA, CFDs are the most common type of crypto-derivative seen on the market today. The FCA has already restricted the sale of CFDs to retail consumers, including setting a 2:1 leverage limit on contracts that reference cryptocurrencies. This limit would no longer be needed if the ban takes effect.

What is an exchange traded note?

ETNs are financial products that are structured to provide returns in line with the performance of a specific asset or index. The FCA has only identified a limited number of ETNs available today that track cryptoassets.

What happens next?

The FCA seeks feedback on its proposals until 3 October 2019 and then expects to publish its final rules in early 2020.

The FCA says there will be an “appropriate implementation period” to help firms transition away from providing crypto-derivatives to retail clients. Existing contracts would be allowed to run off so that firms are not expected to close clients’ positions immediately.

Later this summer the FCA will also finalise its broader guidance on how cryptoassets are regulated.