Against the backdrop of fundamental, wide-reaching change in the digitisation of financial services is the need to ensconce the consumer in regulatory protections so that they are not unduly exposed to the risk that naturally accompanies the emergence and adoption of new technologies.
The Covid-19 pandemic has reinforced new and existing trends across financial services, such as Buy Now Pay Later, retail trading and investment platforms. Regulatory bodies are beginning to react to these new forces with renewed interest.
This is an extract from Finextra's 'The Future of Regulation 2022' report.
The Kalifa Review: Was it all a pipe dream?
Published in February 2021, the highly anticipated Review outlined a comprehensive plan to support and bolster the fintech sector’s presence across the globe.
Co-Chair of the Policy and Regulation chapter of the FinTech Strategic Review, and regulatory partner at Hogan Lovells, Rachel Kent, believes that while the Kalifa Review’s recommendations were ambitious, they certainly do not amount to a pipe dream.
Referring to Ron Kalifa’s reported delight at the Autumn Budget and Spending Review’s £5 million seed funding for the Centre for Finance, Innovation and Technology (CFIT) to tackle barriers to growth and accelerate the UK fintech sector, Kent notes that the CFIT was a key Kalifa Review recommendation to coordinate targeted fintech policies that aim to scale the sector.
Kent adds that the Autumn Budget and Spending Review 2021 also quoted the Kalifa Review when announcing that the government will, in spring 2022, launch the Scale-up, High Potential Individual, and Global Business Mobility visas.
The Review itself proposed to create a new visa stream to enhance access to global talent for fintech scaleups. The Review states: “UK fintech thrives on recruiting and retaining talent from across the globe. Foreign talent represents c.42% of UK fintech employees. In order to remain a global leader in fintech, the UK needs to strengthen its position on immigration or risk a significant shortage in human capital.” The government will also launch a Global Talent Network to proactively find and bring talented people to the UK in key science and technology sectors.
In the policy and regulation area, the FCA will take forward the Kalifa Review’s recommendation for Scalebox, with the body’s CEO Nikhil Rathi confirming that this would be achieved by creating a regulatory "nursery". “The idea here is to provide a period of enhanced oversight as newly authorised firms develop and grow used to their regulatory status.”
Kent observes that the formation of a new Taskforce brought together HM Treasury and the Bank of England to explore a possible UK CBDC, one of the Kalifa Review recommendations. Following a discussion paper on new forms of digital money, a Bank of England consultation is expected in 2022, which the Bank states will inform a decision on whether the authorities are content to move into a "development" phase for a CBDC, albeit that it will span several years and the earliest date for launch of a UK CBDC would be in the second half of the decade.
The FCA has adopted the Kalifa recommendation to allow year-round applications to the Regulatory Sandbox, and has decided to continue with a second phase of the Digital Sandbox. The latest successful cohort for the Digital Sandbox was recently announced
and focused on the regulatory priority area of sustainability – as recommended by the Kalifa Review.
Kent concludes that while it may take some time for certain recommendations from the Kalifa Review to be achieved, we’re seeing strong signs of progress.
Dynamic leadership to nurture innovation
John Salmon, regulatory partner in Hogan Lovells’ financial institutions division, explains that building dynamic leadership that both protects consumers and nurtures fintech innovation was the Kalifa Review’s ambitious vision for policy and regulation.
Salmon explains that protection and innovation are conventionally portrayed as competing objectives: “There can indeed be a tension between the two - in April this year, FCA CEO Nikhil Rathi described them as ‘held in balance’. Yet regulators in the UK have
shown leadership by creating a dynamic formula where innovation and consumer protection complement each other.”
Salmon says that the manner in which the FCA “creatively interpreted” its role as a guardian of innovation is striking.
“Whereas consumer protection is one of the FCA’s three main operational objectives, innovation is not. However, the FCA is thinking very broadly about what consumer protection means and how innovators can support it.”
This is clearly evidenced in the FCA’s first Climate Change Adaptation Report in October, Salmon explains, where the FCA explicitly linked reliable information on green products and services to its consumer protection mandate. Separately, there was also the Green FinTech Challenge pilot in 2019-2020.
“These sandboxes not only nurture FinTech innovation, but channel it towards consumer protection in the widest sense,” Salmon argues. He continues that UK regulators are starting to go even further in providing truly dynamic leadership by coordinating with
each other. “A coherent approach across all regulators can enable a supportive environment nurturing fintech innovation while addressing the full range of consumer protection issues.”
Buy Now Pay Later
In response to Christopher Woolard’s Review into the unregulated Buy Now Pay Later (BNPL) industry in February 2021, HM Treasury announced its intention to regulate the sector, launching a consultation which ran until January 6th 2022.
Three fundamental issues with regard to BNPL were raised in the Woolard Review. These include: (i) a lack of understanding of BNPL by consumers; (ii) lack of affordability assessments (given that consumers can access credit from multiple merchants without
this data being shared); and (iii) as BNPL is currently an unregulated sector, if customers have difficulty paying back this credit there is a difference in the way they would be treated in relation to their financial difficulties.
Providing a detailed analysis of the UK’s BNPL status, Gavin Punia, partner, Bird & Bird, explains that the Woolard Review shows that the Government is focused on taking a proportionate approach with regard to regulation, giving the issue a political dimension.
“The government wants to be seen to regulate the sector but it doesn't want to put the brakes on BNPL as this may limit the way that consumers spend their money, particularly during the pandemic. There are obviously a number of large retailers that would
be impacted by onerous regulation.”
HM Treasury’s consultation proposes regulation around BNPL credit providers, where merchants implementing BNPL solutions or introducing customers to the BNPL provider will remain outside the regulatory perimeter. Punia believes that the government would
achieve this by creating an exemption for the introduction of credit.
“This is interesting because The Woolard Review doesn’t really talk about exempting retailers or merchants, but what the Government is considering is actually expanding this to ensure that retailers don't fall within regulation.”
Such requirements would mean BNPL providers need to become authorised and would be treated like any other authorised FCA firm. “As consumer credit firms, they would be required to carry out affordability assessments on customers, making sure that customers
understand the credit product they are taking on. The requirements around the information that's provided to customers would be prescriptive.”
Arrears management or treatment would also be necessary. Punia explains that there are existing requirements for how consumer credit firms should deal with customers who have fallen into financial difficulty. This would also apply to BNPL providers and may
indirectly impact merchants as some of that customer information may need to be fed through the user journey.
“All in all, it's very positive for merchants in the sense that while this regulation is going to come in, it hasn't brought them directly within the regulatory perimeter.”
Why BNPL has found fertile soil in the UK
The key reason why Buy Now Pay Later has exploded in the UK is tied to what’s known as the “article 60F exemption.”
Punia explains that while the broad position is that the provision of credit to an individual is regulated in the UK, certain exemptions to this exist. In effect, the 60F exemption states that if a provider offers credit in fewer than 12 instalments over less than a year, without charging any interest or fees on that credit, then it falls within the exemption.
“Many of the BNPL providers that entered the UK market have been able to rely on this exemption. It’s this exemption which has led to the rapid development of this space and consequent attention from regulators.”
Punia notes that there is a sense of trepidation by BNPL providers toward any new regulation, largely because the sector would be shifting into the highly regulated financial services sector.
Consumer credit is probably one of the most highly regulated areas of financial services in the UK and has very prescriptive requirements around affordability, the terms that must be provided to customers, the customer journey, the contractual stage and arrears management.
If a provider were to misstep, then under the Consumer Credit Act, it is possible that their agreement could be rendered unenforceable.
“For instance, if a firm went to court trying to enforce a debt against a customer who was failing to pay, should that firm fail to demonstrate it provided the correct agreement and correct formal content then the court would not enforce that debt. This
would be applied to all debts,” warns Punia. He sees legitimate concerns in the unregulated BNPL space regarding customers not fully understanding the fact that they're signing up to credit products with a number of different merchants.
“I think it is the right decision to bring BNPL within the regulated space because it protects consumers, or at least achieves the FCA’s objectives of protecting consumers and even promoting competition because it means that a wider variety of financial
players can get involved. That is, because BNPL isn’t just owned by the acquiring banks either, the fact that issuers are also involved could encourage innovation. There would be a more harmonised way of being able to provide affordability assessments and
information and the customer contracts.”
Will smaller BNPL firms struggle?
These additional obligations will be a financial burden for firms, and Punia notes that players are beginning to move out of the market or consolidate as a result. This is naturally going to be a larger burden to bear for the smaller market players.
Punia adds that we can already see incumbents entering the space, offering their own BNPL solutions. Regulatory attention is only making this more feasible for the highly regulated, traditional incumbents which have ready-made consumer credit products.
He believes that the banks already offering more digital products such as open banking and app-based banking will be well positioned to launch BNPL solutions. “These could be both digital-only banks or electronic money institutions, but it could also be
the incumbent banks who have heavily invested in their digital setup.”
Data Protection
Consumers want control over their data. While the alleviation of pain points and the resilient delivery of services tends to improve consumer trust, in its recent survey ‘The Rise of Open Banking’, Mastercard says consumers are also demanding higher security and want protections in place to thwart fraud.
The survey also found that 75% of respondents actively try to protect private data from companies, with the remainder stating that they have given up trying to protect data from companies. Interestingly, 50% of respondents stated that they believe it is their personal responsibility to safeguard their money, while 50% responded that it is their bank’s job to safeguard their money.
Naturally, in having to balance these consumer expectations alongside their demand for high-touch digital services, financial institutions have their work cut out for them.
Enforcement penalties on the rise
Enforcement decisions can be a useful gauge of how effectively, and to what degree, regulatory bodies are holding to account individuals and firms that fail to comply with data laws.
DLA Piper has found that EU data protection authorities have handed down a total of $1.2 billion in fines for GDPR breaches since January 28, 2021. This is an increase from around $180 million just one year earlier.
Amazon was fined €746 million during 2021, the largest fine for breaching EU GDPR since the regulation took effect, while WhatsApp was hit with a €225 penalty. Both firms are currently appealing the decisions.
Global head of data privacy at Herbert Smith Freehills, Miriam Everett, describes the “interesting dynamic” that currently exists between UK GDPR enforcement and EU GDPR enforcement.
“From the EU perspective, there appears to be a continuing focus on ‘big tech’ enforcement. The last 12 months have seen significant enforcement actions taken against Amazon, Google, WhatsApp and Facebook. There are also continued criticisms in Europe of the Irish Data Commissioner’s perceived lack of enforcement action against similar organisations.”
Everett believes it will be interesting to see what approach the UK’s new Information Commissioner takes to enforcement in 2022 and going forwards now that the UK is potentially forging its own data protection trail.
Also commenting on the new appointment, Lenitha Bishop, head of DPOs at The DPO Centre, says it will be interesting to see how they ensure that the ICO remains a world leading regulator, empowered to protect personal data while ensuring organisations use
personal data responsibly.
“At the same time, the Government’s proposed update to data protection legislation is aiming to revamp the UK’s data protection landscape. Whilst the Government says the ‘consultation is the first step in the process of reforming the UK’s regime for the protection of personal data,’ there is concern that the new governmental proposals could bring a level of uncertainty to data protection and privacy, and as such, will lead to an increased burden on organisations.
“Overall, we anticipate the trend in increased and costly enforcement actions to continue.”
Data transfers apply pressure in a post-Schrems era
Bishop highlights a number of data regulatory pressure points that started to bite for financial services in 2021 and predicts that these will increase during 2022. The first is tied to data transfers and the collection of consent. “The current DCMS consultation
states ‘uncertainty may have caused an overreliance on consent’ and we would agree with that.”
Bishop adds that financial companies now face additional impact assessments following the revised EU Commission standard contractual clause changes introduced after June 21. Elaborating on the subject of consent, Everett says that the challenges around data transfers following the 2020 ECJ decision in the Schrems II case remain at or near the top of the list of concerns for many organisations, including financial institutions.
Without taking into account the UK position, organisations in the EU are grappling with multiple transfer issues that include:
- transfer impact assessments;
- new modular standard contractual clauses;
- repapering of existing standard contractual clauses; and
- continued uncertainty regarding how these various regimes will be interpreted and enforced by regulators.
Adding the UK into the mix increases issues in this “web of complexity.” For instance, these issues include new data transfer guidance tools, UK specific data transfer agreements, and a UK addendum to the new EU standard contractual clauses.
“However, the UK position has not yet been confirmed by Parliament, and there are also data protection reform proposals being consulted on which could result in an entirely different set of data transfer rules being put in place at some point in the future
for the UK. Suffice to say that the position is far from clear, and it looks like it could get worse before it gets better.”
Data protection reform proposals suggest the possibility of a more risk-based approach to data transfers from the UK perspective, adds Everett. For any multi-national financial institutions, this is unlikely to offer much assistance as they will continue
to need to grapple with the EU position in any event.
Bishop also raises the issue of ‘data graveyards’ as a pressing concern for financial organisations. She explains that companies keeping dead or excessive amounts of data without the ability to monitor the applicable storage restrictions may find themselves
in hot water. Bishop expects the number of companies fined for incorrect data retention to increase significantly in the coming years.
Regulatory tightening and financial institutions’ response
Everett observes that if the troubled passage of the proposed ePrivacy Regulation is any kind of yardstick then it seems likely that any changes to data protection regulation would be difficult to get through the legislative process.
The difficulties being seen in relation to enforcement by the Irish Data Commissioner also demonstrate that there is a lack of consensus within the EU regarding the approach to data protection regulation. However, we are seeing many other legislative and
regulatory proposals in Europe which touch on data protection issues and so it may be that we start to see tightening of the regulation with respect to specific sectors or activities.
For example, Everett cites digital platform regulation or regulation of AI, which may also look to regulate data outside of the realms of GDPR.
Bishop adds that the European Commission’s proposal for a Regulation on Artificial Intelligence is the first of its kind and believes that few organisations have realised yet the extent of the regulatory compliance implications for them, including those
in financial services.
“Financial companies will need to comply with rules on data governance, transparency with end users, human oversight and 'privacy by design'. For example, any financial company using AI systems to evaluate creditworthiness and making financial decisions
about a client will face strict mandatory requirements as this will be deemed ‘high risk’ AI. Financial companies will need to ensure that there is still a human element involved in these important financial decisions.”
Looking further afield, China’s new Personal Information Protection Law (PIPL) will remain an area to watch throughout 2022. Everett believes that “time will tell” as to the impact China’s new PIPL may hold; however, she adds that given this is the nation’s first comprehensive piece of legislation on personal information protection, it holds inherent significance.
“For those who are active in the UK and Europe, the extra-territoriality provisions of the PIPL will look somewhat familiar by reference to the GDPR/UK GDPR. However, we don't yet know how the Chinese authorities will approach enforcement on an extra-territorial basis and so, similar to GDPR, there is likely to be a period of uncertainty whilst everyone gets used to the new rules and tries to align them with the ever-increasing patchwork of data protection laws around the world.”