The Financial Technology Law Review: United Kingdom
Overview
The UK is one of the world's leading centres for fintech, 'a permanent, technological revolution that is changing the way we do finance',2 and the market has continued to grow year on year. It benefits from the UK's financial services regulatory regime, which is well established, and the supervision of that regime by the Financial Conduct Authority (FCA), which maintains a reputation as one of the gold-standard regulatory bodies worldwide.
There are no dedicated fintech tax incentives in the UK, but there are various features of the UK tax regime that make it attractive for fintech businesses. There are incentives for companies; for example, research and development (R&D) incentives for both capital and revenue expenditure and the 'patent box' regime.3 Additionally, there are incentives for investors and management, including seed enterprise investment schemes, enterprise investment schemes, venture capital trust relief, entrepreneurs' relief, investors' relief and tax-advantaged share option arrangements.
The UK, like many other jurisdictions, is still addressing some of the transfer pricing and taxable presence problems arising out of fintech businesses. These depend on the value that is placed on a decentralised system, and new types of questions are likely to need to be answered as to what is required for a taxable presence in a country. The starting point for UK tax is to check whether there is a permanent establishment, and typically this will involve a physical presence. However, there are also anti-avoidance provisions designed to prevent an avoided permanent establishment or profit fragmentation, and in some cases the arrangements around a fintech business will need to be reviewed to see if there is a risk of triggering these provisions. In some cases, it will be harder to judge how these might apply to a global supply chain compared with a more traditional business.
The UK left the European Union on 31 January 2020 (commonly referred to as Brexit). In December 2020, the UK and the EU agreed the UK–EU Trade and Cooperation Agreement (TCA). However, as far as financial services are concerned, this offers little more than would have been the case had the UK defaulted to World Trade Organization rules. Alongside the TCA, the UK and the EU published a Joint Declaration on Financial Services Regulatory Cooperation in which the parties committed to work towards a structured regulatory cooperation on financial services. However, although technical negotiations to create a memorandum of understanding concluded in March 2021, nothing has been formally agreed. Inevitably, therefore, the relationship between the UK and the EU as regards the financial services sector will continue to be a live issue over the coming years.
The absence of any harmonised trade deal as regards financial services certainly poses challenges to fintech business models but it also presents opportunities as the UK adjusts its financial regulatory regime to make itself more attractive to fintech entrepreneurs and enterprise capital while at the same maintaining its world-leading reputation as a centre for financial services. With this in mind, the government commissioned the 'Kalifa Review of UK Fintech',4 which has set out a range of proposals with the aim of sparking a post-Brexit 'digital big bang' (see Section VIII for a discussion of its implementation in 2021).
Regulation
i Licensing and marketing
Licensing
The FCA is technology neutral in its considerations on whether a firm is caught by the regulations and, therefore, the source and details of the rules that apply to fintech businesses operating in the UK will depend on the activities being carried on by each business. As a starting point, businesses will have to consider the general prohibition set out in Section 19 of the Financial Services and Markets Act 2000, which provides that it is a crime for any person to carry on regulated activities by way of business in the UK unless that person is authorised or exempt.5
The list of regulated activities caught by the general prohibition is set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) and includes, pertinently, accepting deposits,6 issuing electronic money, effecting and carrying out contracts of insurance,7 advising on or arranging deals in investments,8 dealing in investments as agent or principal, providing credit information services and operating an electronic system in relation to lending.9 These are known as 'specified activities', and to be regulated activities must relate to certain specified investments also set out in the RAO. Specified investments include electronic money, contracts of insurance, shares, units in collective investment schemes, rights under a pension scheme and credit agreements.10 It does not matter whether services are offered digitally or in person; an entity carrying on the activities specified in the RAO by way of business in the United Kingdom11 will be carrying on a regulated activity for which it must be authorised or exempt.
Where the activities of a business relate to the provision of payment services, the regime implemented in the Payment Services Regulations 2017 (PSRs) will apply to the authorisation, registration and conduct of business obligations of those businesses. These aspects are discussed in more detail in Section IV.
Authorisation and registration applications for carrying on regulated activities under the Financial Services and Markets Act 2000 or specified activities under the PSRs must be made to the FCA and, in some cases, to the Prudential Regulation Authority (PRA).12 Once authorised or registered, either or both of the regulators will continue to regulate the activities of the firm. All firms are regulated by the FCA as regards their conduct of business, but larger trading institutions will also be supervised by the PRA, which focuses on financial concerns that have an ability to negatively impact the broader market and economy.
The authorisation process is a lengthy and time-consuming one, and the scope of permissions that firms are required to obtain are not always clear. With that in mind, the FCA launched its regulatory sandbox in June 2016. The sandbox is open to authorised firms, unauthorised firms that require authorisation and technology businesses, and seeks to provide those firms with, among other things, a reduced time-to-market at (potentially) lower cost, including by offering a restricted authorisation path, which allows those firms to operate in a limited manner under the close supervision of the FCA.13 The 2020 regulatory sandbox called out, for the first time, areas where it would like to see innovation, seeking propositions that make finance work for everyone and to support the UK in its move to a greener economy. There are also proposals to enhance the regulatory sandbox, making the digital sandbox pilot permanent, introducing measures to support partnering between incumbents and fintech and regtech firms.
Despite the more informal route that may be open to firms accepted into the sandbox, no special fintech licence or permission regime applies to fintech firms looking to operate in the UK.
Marketing
Subject to certain notable exceptions, firms may generally market themselves freely in the UK as long as any advertisements or marketing materials are accurate, legal, decent, truthful, honest and socially responsible.14
Firms may not, however, in the course of business communicate an invitation or inducement to engage in investment activity (a financial promotion) unless the firm is authorised or the content of the communication is approved by an authorised person.15 Breaches of the restriction on financial promotions carry criminal consequences.
The terms 'invitation' and 'inducement' are typically given their natural meaning and, as such, communications that include a promotional element (rather than those that seek merely to inform or educate about the mechanics or risks of investment) will be caught by the financial promotion restriction.
A number of exemptions may cause a financial promotion to fall outside of the restriction and, therefore, may freely be made by unauthorised firms within the boundaries of the applicable exemption. Alternatively, unauthorised firms may enter into arrangements under which an authorised entity reviews and approves each promotion at the time it is made. This is a structure often implemented in crowdfunding; for example, where a business seeking equity investment through the crowdfunding platform is required to get the platform (which will be authorised) to sign off on the promotion before it is listed on the site.
Authorised firms that make financial promotions in compliance with the financial promotion restriction will also need to bear in mind the additional conduct rules for financial promotions set out in Chapter 4 of the Conduct of Business Sourcebook of the FCA Handbook.
It is anticipated that later in 2022, certain cryptoassets (including cryptocurrencies) will come within the scope of the financial promotions regime, as discussed in Section V.
ii Cross-border issues
As identified in Section II.i, for a regulated activity to be carried on there must be some link between the activity and the UK. As such, where there is a cross-border element to the services or activities, it will be necessary, from a regulatory perspective, to consider where the activity is actually carried on. This will inform the analysis of whether the firm carrying on that activity requires authorisation in the UK under the process described above. Where a business does not carry on any regulated activities in the UK, it will be able to provide those services in the UK, either on a cross-border basis or from a branch office set up in the UK.
Prior to Brexit, for firms based in Europe but intending to provide regulated activities in the UK, a complex web of EU passporting regimes applied, depending on the activities carried on by the fintech business.16 As an automatic consequence of the UK's departure from the single market, passporting rights to (and from) the UK have ended. However, the UK has made wide-ranging equivalence declarations in respect of EU members, allowing EU firms access to UK markets to the extent permitted by their home legislation while the UK and the EU continue to negotiate on a wider process of adoption, suspension and withdrawal of equivalence decisions between the two jurisdictions. Since the signing of the TCA, the EU has so far granted the UK very limited equivalence for financial services. Conversely, the UK has granted equivalence to European Economic Area (EEA) Member States in a majority of areas identified for equivalence process. Against this backdrop, while the trend in the UK over the past decade had been towards ever-increasing regulation, in June 2021 the government's Taskforce on Innovation, Growth and Regulatory Reform recommended that the UK focus on a more common law, principles-based approach to future financial services regulation to make the financial services sector more agile and adaptive to change.
Digital identity and onboarding
There is no official national digital identity in the UK at present. However, one of the recommendations in the 'Kalifa Review of UK Fintech' was that the UK government should establish a digital ID trust framework for both corporates and individuals, ideally based on a federated model so that data is not concentrated in one place. The Department for Digital, Culture, Media and Sport is progressing an ambitious agenda on data policy and digital identities in conjunction with the joint UK Finance and Innovate Finance Task Force. Access to data for verification purposes should be controlled and consented to by the individual and should be limited to what is truly necessary for the data recipient to have the level of assurance that they need to transact.
In the meantime, a number of fintech firms are employing ever more sophisticated digital onboarding services. The neo-banks in particular have become very good at onboarding clients with little more than photographs of passports and a short video. Meanwhile, the market for firms that claim to be able to use cryptographic hashing to create a digital identity for an individual is growing rapidly in the UK. If successful, these services will enable individuals to verify their identity to third parties using only a very small amount of data. This can be in the form of their personal hash, which is a cryptographically generated code combining all elements of that individual's identifying personal data, with a checksum item forming part of the personal hash calculation, such as the individual's year of birth. In this case, the year of birth acts as a way of validating the personal hash and, therefore, the identity of the individual in question.
Digital markets, payment services and funding
i Digital markets and funding
The UK has a very strong market in crowdfunding, peer-to-peer (P2P) lending and payment services, all of which sit alongside the UK's world-leading financial services marketplace.
The crowdfunding market in the UK is particularly mature and sophisticated – in July 2018, the FCA launched a consultation17 into the market to identify whether the existing regulatory framework was still relevant and robust enough to ensure that good standards of business are practised by the platforms, particularly where retail investors are involved. As a result of the consultation, the FCA published a new package of rules and guidance to further improve standards, which came into force in December 2019.18
Certain crowdfunding activities require authorisation by the FCA and others do not. All crowdfunding platforms are subject to the FCA's general high-level standards, including the Principles for Businesses and specific Conduct of Business rules; for example, in relation to financial promotions. However, there are differences in the detailed regulatory frameworks that apply to investment-based and loan-based (or P2P) crowdfunding platforms.
Investment-based crowdfunding has evolved from more traditional ways of seeking equity-based investments, and the FCA regulates it as such. Therefore, an investment-based platform will usually ask for authorisation from the FCA to carry on activities such as arranging deals in investments (Article 25 of the RAO), dealing in investments as an agent (Article 21 of the RAO) and advising on investments (Article 53). Platforms that provide a nominee structure must also apply for a safeguarding and administration of assets permission (Article 40).
Operating a P2P platform was not adequately captured under the existing list of regulated activities, so, in 2014, the FCA introduced the new activity of operating an electronic system in relation to lending (Article 36H of the RAO), which captures most of what P2P platforms will be carrying on in practice. However, care should be taken if other regulated activities are built into the business model, such as credit broking, debt administration and debt collecting, each of which require separate permission from the FCA.
The creation of secondary markets on platforms is not prohibited but is becoming increasingly unusual with the more established platforms because of the additional regulatory burden of doing so (not least because of the potential financial promotion issues). It is more common for platforms to create venture capital-like fund structures that give investors the ability to exit the fund without having to find other users to buy their units.
ii Payment services
The UK is also a world leader in payment services. Firms will often seek authorisation from the FCA even where they do not intend to serve customers in the UK to benefit from the halo effect of being a UK-regulated firm when considering international expansion.
Payment service activities regulated under the PSRs in the UK include services relating to the operation of payment accounts (e.g., cash deposits and withdrawals from current accounts and savings accounts), execution of payment transactions (whether covered by a credit line or otherwise), card issuing and money remittance. The second Payment Services Directive (PSD II), as implemented by the PSRs, also creates authorisation and registration regimes for payment initiation service providers (PISPs) and account information service providers (AISPs), two activities newly defined in 2017 that capture those businesses looking to utilise Open Banking standards to provide consumers with information about their finances, or that facilitate payments directly from users' bank accounts without the need to use a payment card.
Firms offering payment services are required to identify at the outset whether they will apply for registration or authorisation under the PSRs. Small payment institutions (SPIs),19 small electronic money institutions (EMIs)20 and firms that will only offer account information services can apply to be registered as such, or as a registered account information service provider (RAISP), and a lighter touch registration and conduct regime will apply to those firms. Firms that do not qualify as an SPI, small EMI or RAISP but that intend to carry on payment services in the UK must apply for authorisation and follow more onerous conduct of business requirements. These alternative routes are particularly popular where available.
PSD II and the PSRs also facilitated new Open Banking standards,21 requiring banks and building societies to give third parties access to customers' accounts and data where the user consents to it. At the moment, only the UK's nine largest banks and building societies must make customer data available through Open Banking, but a number of smaller banks and building societies have also opted in to the regime. Relevant third parties that benefit from the Open Banking regime include PISPs and AISPs, which are able to use customer account data to provide these new breeds of services.
Take-up was initially slow, but in 2019 Open Banking surpassed 1 million users for the first time. With a greater number of consumers and small businesses authorising their bank accounts to be connected with authorised third parties, responsibility for protection of their data rests with a wider ecosystem of providers. This raises challenges around security, the onward supply of data and the combination of data with other datasets. The trust framework that sits at the heart of Open Banking and that is administered by the Open Banking Implementation Entity has been so successful that the FCA is keen to develop 'Open Finance' as an extension of Open Banking. Open Finance would open up a wider range of financial products and services to third-party data sharing; for example, pensions and insurance. In its feedback statement in March 2021, the FCA set out its vision for Open Finance as one in which consumers and businesses can grant access to their data to trusted third-party providers and in return gain access to a wider range of financial services. The FCA believes that Open Finance is an important initiative that will spur greater innovation and lead to a broader range of services and improved financial health of consumers and business in the UK.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
Blockchain technology continues to capture the imagination in the UK, and the number of businesses adopting the technology for their own purposes is indicative of longer-term trends. To date, key financial industries utilising the technology include the UK insurance and crowdfunding sectors, with asset management following slightly behind.
Of course, blockchain's original use in cryptoassets continues to be relevant, though that market is under a period of significant flux at the time of writing. This is, in part, due to the global development of rules and regulations that has created a period of instability and regulatory uncertainty. The FCA has carried out work on cryptoassets, both as part of a broader UK Cryptoasset Taskforce and independently. The output of that work is the publication of Policy Statement 19/22, which is intended to help market participants to understand whether the cryptoassets they use are within the regulatory perimeter. In general, cryptocurrencies are not separately regulated by the FCA provided that they are not part of other regulated products or services. Instead, cryptoassets will fall within one of two categories – regulated tokens and unregulated tokens. The latter category does not require regulation and we have not considered those tokens further for these purposes. Regulated tokens can be further broken down into two categories – security tokens and e-money tokens.
Security tokens are tokens that provide rights and obligations akin to specified investments as set out in the RAO, including those that are financial instruments under the EU's second Markets in Financial Instruments Directive.22 Consequently, whether a cryptoasset will be treated as a security token will depend on its characteristics, such as (1) any contractual rights and obligations the token holder has by virtue of holding or owning that cryptoasset, (2) any contractual entitlement to profit-share, or (3) whether the token is transferable and tradable on exchanges.
Separately, the new category of e-money tokens is based on the definition of e-money under the Electronic Money Regulations 2011 (EMR); that is, electronically stored monetary value as represented by a claim on the issuer that is (1) issued on receipt of funds for the purpose of making payment transactions, (2) accepted by a person other than the electronic money issuer, and (3) not excluded by Regulation 3 of the EMR.
Although it is clear that potential anonymity (or, more precisely, pseudonymity) afforded to individuals by cryptoassets means that they may have a role in money laundering and terrorist financing, the applicability of the existing money laundering regulations in the UK is not straightforward. To address that issue, the FCA has taken over supervision of anti-money laundering for cryptoasset businesses under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), effective from 10 January 2020. The MLRs have been amended to bring cryptoasset exchange providers (including providers of automated teller machines, peer-to-peer providers and issuers of new cryptoassets) and custodian wallet providers within the scope of the Regulations. Businesses carrying on those activities will need to register with the FCA.
The UK has been reluctant to legislate for the tax treatment of cryptocurrency and crypto-token offerings, and HMRC, the UK tax authority, has focused instead on fitting this within existing tax provisions. However, it was recognised that, in the light of the Final Report from the Cryptoasset Taskforce in October 2018, some clarification was needed, as HMRC's 2014 guidance focused mainly on certain types of cryptocurrency and was very limited in scope. HMRC therefore produced revised guidance, covering the tax treatment of cryptoassets for individuals where these are used as a form of employee reward (in December 2018) and the tax treatment of cryptoassets for companies and businesses (in December 2019), which it has continued to update. In summary, HMRC treats cryptoassets in the same way as traditional assets for tax purposes.
Cryptoassets may currently be marketed to UK residents from other jurisdictions, but the UK financial promotion regime will apply and market participants will need to ensure that any financial promotion of products and services, whether regulated or unregulated, is carried on in a way that is clear, fair and not misleading. The government has adopted a staged and proportionate approach to the marketing and promotion of cryptoassets. In July 2020, it published a consultation on a proposal to bring certain cryptoassets within the scope of the Financial Service and Markets Act 2000 (Financial Promotion) Order 2005 (FPO). As a result of the consultation, in January 2022 the government confirmed its intention to bring the promotion of certain cryptoassets into the scope of the regulation. Cryptoassets such as security tokens are already treated as falling within the regulation. However, as a result of the anticipated amendments to the FPO, there will be a new definition of 'qualifying cryptoasset' as any cryptographically secured digital representation of value or contractual rights that is fungible and transferable. The new definition is intended to cover the promotion of cryptocurrencies but not 'utility tokens' that are tied to certain platforms as an exchange for goods or services. As a result, many currently unregulated cryptoasset firms will need to either become regulated or rely on authorised firms to approve their promotions, as discussed in Section II.
It is also worth noting that in April 2021, the Law Commission initiated a consultation on digital assets, in particular to seek views on the extent to which cryptoassets amount to a form of personal property. The consultation is looking at issues around ownership, transferability, security over digital assets and conversion of digital assets. Under English law, there are only two classes of property: 'things in possession' and 'things in action'. Cryptoassets are not tangible and cannot be things in possession; however, as a kind of intangible property, they may be things in action. The consultation is seeking feedback on whether there should be a third kind of property type for cryptoassets.
Other new business models
The UK is awash with new business models. 2021 saw a proliferation in payment initiation service platforms,23 often using white labelled technology solutions that are able to offer online retailers multiple means of taking payment. Open Banking continues to see a rise in the number of AISPs24 becoming operational. Other popular business models include robo-advisers (including fully automated investment processes), e-wallets, crowdfunding, information aggregators and trust-based platform arrangements. Third-party financial comparison sites are commonplace, with insurance the largest category in both the consumer and business sectors. These sites are subject to the usual credit broking and insurance-related regulation (among others), and the same data protection and competition rules as any other business. We have also seen changing consumer dynamics prioritising leasing assets over ownership, with financial comparison sites adding leasing comparison solutions.
Self-executing, or 'smart' contracts are permitted under English law, and the usual legal framework for contracts applies to them. This was stated in principle by the UK Jurisdiction Taskforce in 2019 and has since been confirmed by the Law Commission's advice to government in November 2021. There are a few legal questions that are still unanswered, especially around liability and agency; however, although some types of smart legal contract may give rise to novel legal issues and factual scenarios, existing legal principles can accommodate them.
Finally, the aggregation and analysis of big data is also on the rise, increasing the size and value of datasets. To facilitate data sharing, we are seeing a proliferation of trust-based arrangements with clear accountabilities and risk allocation for all participants, careful governance and security governing access, including third-party supply chain players. Also relevant here are the comments on data trusts in Section VII.ii.
Intellectual property and data protection
i Intellectual property
There are no intellectual property protections that are peculiar to fintech. However, in common with all evolving technologies, some fintech technologies do test the limits of the existing legal framework, this having not been written with these new technologies in mind. The most notable challenges come from blockchain technologies and technologies delivering artificial intelligence (AI) and machine learning applications.
The most important intellectual property rights for AI are confidentiality, copyright and patent rights. The laws of confidence pose no unusual issues for AI. However, from a wider financial services policy perspective, it would be preferable for innovators to disclose AI innovations rather than opt to keep these as trade secrets,25 so other protections come to the fore.
Copyright raises some issues in respect of ownership of the output of AI, but otherwise copyright protection of source code remains as applicable to AI software systems as it does for more traditional software systems.
It is in the realms of patent that the interesting issues around protection arise. In the UK, and under the European Patent Convention, to be granted a patent, the invention must be new, inventive and capable of industrial application and not specifically excluded from protection as a patent. Mathematical methods are excluded, as are computer programs, which are, of course, at the heart of AI development. This is not to say AI and machine learning algorithms cannot form part of a computer-implemented invention where they can be shown to have a 'technical effect'; they are just not patentable in and of themselves. Where they form part of platforms and applications that solve specific technical problems, then the success of a patent application improves significantly.
An interesting development in the realms of patent inventorship came in the form of the UK's Court of Appeal judgment in September 2021, which confirmed that as the law stands,26 AI cannot be a deviser of an invention, given that an 'inventor' must be an person.27 The consequence of this is that investment in AI may be deterred where the derivative inventions are difficult to directly attribute as an invention of a human. In January 2022, the UK government concluded a consultation on AI and intellectual property rights, with views sought on potential proposals to expand the definition of 'inventor' to include AI, or to create a new form of protection entirely, to appropriately reward those who have invested in AI.28 The outcome of this consultation is awaited. It is thought that pro-AI reforms are to be expected, given that the UK's National AI Strategy published in September 2021 sought to make the UK a 'global AI superpower'.29
In summary, a combination of copyright and patent protection should provide a good basis for protecting investment in AI and machine learning in the UK.
AI is, of course, inextricably linked with the data it consumes and the financial services industry generates vast amounts of data. The data itself comes with a set of intellectual property protections – mostly confidentiality, sometimes copyright and, potentially, the sui generis database right.30 For example, look-up tables (databases accessed by software routines) are potentially protected by copyright in the structure of the database and by the sui generis database right protecting the extraction and reutilisation of the data contained in the database (provided the owner can show substantial investment in obtaining the data).
The database right is a powerful right, and while the protection ostensibly lasts for 15 years, each time substantial investment is expended in obtaining, verifying or presenting the contents of the database, a new database is likely deemed created and thus a rolling protection obtained.31 There has been some debate as to whether aggregations of data – for example, sensor or machine-generated data – can fulfil the 'substantial investment in obtaining' requirement of the database right. The debate continues as to where the threshold of effort lies.
Irrespective of whether or not the contents of a database are protected by confidentiality or database rights, both can provide limitless protection. Because big data is becoming such an integral part of any business dealings, there is a potential for markets to face potentially monopolistic effects due to vast datasets being controlled by relatively few market players. There has been intensifying regulatory oversight in this regard, with the UK's Competition and Markets Authority establishing a new Digital Markets Unit (DMU) in April 2021, aimed at tackling anticompetitive practices in the digital sphere, including on big data.32 It is anticipated that Parliament will further legislate on specific powers to be provided to the DMU to promote and uphold competitive markets.
Turning to blockchain technologies, similar issues are encountered: patent protection for spreadsheets is not available, and there will need to be some actual technical effect, similar to software-enabled inventions. Copyright is the most common form of protection for blockchain, both proprietary and open-source. The basic building blocks of many blockchain technologies are open-source software codes, but those building on top of the originating technologies may want to protect their inventions through more commercial protections, such as more restrictive copyright and patent licensing.
The UK's departure from the EU had some implications for intellectual property protection in the UK and it is worth commenting on how the main types of protection relevant to fintech are affected. The European Patent Convention is not directly linked to the European Union, so European patents have not been affected by Brexit. By contrast, European Union trademarks that cover the UK are linked to membership of the European Union and since January 2021 have ceased to provide protection in the UK. Instead, the UK's Intellectual Property Office has created a comparable UK registered trademark for every registered EU trademark, with the same legal status as a UK registered trademark so no trademark rights will be lost. A similar approach has been implemented for international trademarks designating the EU.
As for the sui generis database right, since leaving the EU, the reciprocal recognition for new database rights between the EU and the UK has ceased. However, the UK and the EU agreed to continue the reciprocal recognition where those rights had already been awarded (i.e., UK databases created before 1 January 2021 continue to be protected in the EU and vice versa).33
ii Data protection
The provisions in the General Data Protection Regulation (GDPR) relating to the processing of personal data (now renamed the EU GDPR) have been merged with the UK version of the GDPR (the Data Protection Act 2018) to become the UK GDPR. The UK is one of the most connected countries in the world, and, post Brexit, the maintenance of dataflows between the UK and the EU remains an obvious priority. On 28 June 2021, the European Commission adopted an 'adequacy' decision for the UK meaning most of the data protection rules affecting fintechs prior to Brexit will stay the same. However, this is subject to ongoing review and, in any event, renewal on a four-year basis. If the UK government decides to vary the provisions of the UK version of the GDPR to support the UK's National Data Strategy, it may potentially risk the continuance of the adequacy decision.
If, at the end of the four-year period, the EU decides not to renew the adequacy decision, the UK will become a third country as far as EU dataflows are concerned, and companies will have to put in place more cumbersome compliance mechanisms to govern these, such as binding corporate rules, EU standard contractual clauses (SCCs) or other approved arrangements. The recent Schrems II decision34 will also apply to transfers from the EU to the UK and vice versa. This decision requires that entities make an assessment as to whether those SCCs provide protection that is 'essentially equivalent' to the protections in the UK data protection regime, and if necessary, put in place additional measures.35
On 2 February 2022, the UK Information Commissioner's Office laid before Parliament a new international data transfer agreement (IDTA) and addendum to the European SCCs, with the aim of supporting organisations transferring data outside the UK to countries not covered by adequacy decisions in light of and in compliance with the Schrems II decision. The addendum is to be used where there are transfers of personal data subject to both the EU GDPR and the UK GDPR while the IDTA is intended for transfers subject to the UK GDPR only. If there are no objections by Parliament, the IDTA and addendum will come into force on 21 March 2022 with the Commissioner's Office expected to issue guidance on their use. The entry into force of the IDTA and addendum will substantially simplify data sharing for multinational fintechs subject to both the EU GDPR and the UK GDPR. In the same way as for intellectual property, financial services technologies also test the existing legal framework around data protection, despite the GDPR being of relatively recent provenance.
The Information Commissioner's technology priorities for 2022 include engaging with government on reforms to the UK GDPR, which is highly pertinent to technologies within the financial services sector that handle huge amounts of personal and pseudonymised data.
AI and big data analytics again pose difficulties for data protection law, including: (1) running large numbers of algorithms against vast datasets to find correlations; (2) the opacity of the processing; (3) the tendency to collect 'all the data'; (4) the repurposing of data and the use of new types of data; not to mention (5) the hurdles of distinguishing between data controllers and data processors and obtaining access to sufficient training data. Clearly, all these activities have implications for data protection.36
The Commissioner's Office is reaching out to partners as part of its Technology Strategy to better understand these technologies, and has established a regulatory sandbox, drawing on the successful sandbox process that the FCA has developed. From a fintech perspective, one of the themes of interest in the Commissioner's Office's 2022 sandbox is data sharing, looking at innovations relating to finance and, in particular, distributed ledger technologies such as digital currencies and smart contracts. The purpose of the sandbox is expected to enable organisations to develop innovative digital products and services, while engaging with the regulator, which will provide advice on mitigating risks and data protection by design.37
New blockchain technology also poses data protection challenges. There has been significant debate as to whether or not the hashed information contained on the blockchain could be considered personal information and, if it is, how the GDPR can be reconciled with the benefits of the blockchain being an immutable source of the truth without the need for trusted intermediaries. This question has yet to be resolved.
In addition to the GDPR, PSD II includes a number of specific rules concerning the processing of personal data. For example, PSD II provides for 'explicit consent' raising the question of whether this constrained the use of the various other bases for processing set out in the GDPR. The European Data Protection Board has clarified that it did not. 'Explicit consent' referred to in PSD II is a contractual consent that is an additional requirement of a contractual nature. Payment services are always provided on a contractual basis between payment service user and payment service. There still needed to be a requisite basis for processing the data under the GDPR; for example, processing necessary for the performance of a contract to which the data subject is party.
Where the financial sector is undergoing huge digital transformation in readiness for the 'smart' world, data is itself a building block of modern living and is an extremely valuable economic asset provided its flow can be properly controlled and harnessed.38 To this end, data trusts are a recent development, enabling sensitive commercial data (whether commercially confidential or personal or both) to be shared between multiple parties. In addition to the IDTA and addendum and the sandbox initiatives, the UK's Open Data Institute is pioneering standards for data stewardship, validation and sharing, to build trustworthy data ecosystems, maximising the societal and economic value of sharing data, while limiting and mitigating potential harms.
Year in review
The UK is no longer a member of the EU. A trade deal was finally completed in December 2020, but at the time of writing negotiations continue as regards the flow of financial services from the UK into the EEA. However, a future regime for data flows between the UK and the EEA has been established, with an adequacy decision for the UK.
The success of Open Banking has led to an initiative for Open Finance, which is being championed by the FCA. The FCA believes that opening up financial data will drive significant innovation in the sector.
The interest in data trusts, originally conceived as a means of solving problems posed by creating training data for AI and machine learning, has increased considerably with many new use cases and initiatives focusing on how best to facilitate data sharing. To create datasets of sufficient size to deliver meaningful insights, society needs to share data as never before, through multiparty data sharing at industry level, cross industry and with public bodies and data trusts providing the governance and structure to facilitate sharing. Financial services are well placed to be early adopters of these structures. Indeed, Pay.UK, the operator of the UK's national retail payments systems, are already innovators in this field, using data trust-style models to run analytics to combat payment fraud.
Outlook and conclusions
Focus in the coming months will be on whether the EU grants a more comprehensive equivalence package for the UK or, indeed, whether the UK gives up on comprehensive equivalence and moves towards a more common law, principles-based approach to financial regulation, at least in certain areas.
The implementation of the recommendations in the 'Kalifa Review of UK Fintech' is in hand and being implemented at pace. From a policy and regulatory perspective, the review recommends the creation of a digital finance package creating a new regulatory framework for emerging technology and helping create an enhanced environment for fintech. Following the review, the Bank of England kicked off work on options for a central bank digital currency and has consulted on stablecoins. The report also recommended the creation of a 'scalebox' that supports firms focusing on scaling innovative technology, and the FCA expects to pilot this shortly.
The review proposed the establishment of a digital economy task force bringing together multiple UK government departments and regulators that have important fintech competencies and functions. This has been backed by the government with money set aside to support a new Centre for Finance, Innovation and Technology to support the UK's national fintech hubs. Fintech is also expected to form an integral part of UK global trade policy from now on.
From a capital investment perspective, private funding has been crucial to the success of the UK as a fintech hub. The 'Kalifa Review of UK Fintech' has recommended an expansion in the existing R&D tax credits and other investment incentives to encourage fintechs to continue building their companies rather than selling them. Another key proposal of the review is to improve the listing environment for those firms looking to launch initial public offerings through free float reduction, dual class shares and relaxation of pre-emption rights with a view to setting up a UK tech index in the future.
Footnotes
1 Sarah Kenshall is a partner at BPE Solicitors LLP. The author thanks Gareth Malna for his work on the third edition.
2 Ron Kalifa, OBE, in the 'Kalifa Review of UK Fintech', 26 February 2021, an independent report on the UK fintech sector.
3 The 'patent box' is simply a calculation, though the way in which the patent is owned and used within a group structure can make the calculation and attribution of relevant amounts easier administratively. It allows the company to benefit from a low tax rate of 10 per cent for profits within the 'box'. The benefit of the regime is no longer available for acquired patents; however, it does cover cases where part of the relevant work was subcontracted. For fintech companies, patents that qualify have become more common. Nevertheless, it is critical to note that because the regime only applies to profits related to patents registered with the UK Intellectual Property Office or the European Patent Office or certain European Economic Area states, the benefit of the more flexible regime for software patents in certain jurisdictions (for example, the US and Singapore) is not available. There is no equivalent regime for other forms of intellectual property such as copyright and trademarks.
4 See footnote 2.
5 See Sections 19 and 20 of the Financial Services and Markets Act 2000 (FSMA).
6 Relevant for neo-banks acting with full deposit-taking permissions such as Starling and Monzo, which were both granted permission in 2018.
7 Relevant for those platforms offering peer-to-peer insurance.
8 Relevant to digital wealth platforms such as Nutmeg and MoneyFarm.
9 Directly applicable to loan-based crowdfunding platforms such as FundingCircle.
10 See Part III of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001.
11 The question of whether an activity is being carried on 'in the United Kingdom' has to be answered in the context of each activity. Entities that arrange deals in investments are said to be carrying on that activity from the place of their establishment, whereas the activity of advising is said to be carried on where the advice is received.
12 The Prudential Regulation Authority supervises around 1,500 banks, building societies, credit unions, insurers and major investment firms.
13 The Financial Conduct Authority (FCA) can also offer, through the sandbox: (1) the ability to test products and services in a controlled environment; (2) support in identifying appropriate consumer protection safeguards to build into new products and services; (3) better access to finance; and (4) individual guidance, informal steers, waivers and no enforcement action letters. For further details on the sandbox, see www.fca.org.uk/firms/regulatory-sandbox.
14 That is, they must not encourage illegal, unsafe or antisocial behaviour.
15 Section 21, FSMA.
16 Passporting is the exercise of the right available to a firm authorised in one EU Member State to carry on certain activities covered by certain EU single market directives in another Member State on the basis of its home state's authorisation.
17 CP18/20.
18 FCA policy statement PS19/14. The majority of the new rules came into force on 9 December 2019.
19 Firms operating below an average monthly turnover in payment transactions of €3 million.
20 Firms in which total business activities will not exceed an average of €5 million of outstanding e-money immediately before registration.
21 Open Banking is one of a series of regulatory remedies mandated by the UK Competition and Markets Authority requiring nine UK banks to implement a common standard application programming interface to allow third parties to access customer bank accounts (with customers' explicit consent).
22 MiFID II. The UK's MiFID II EU Exit Regulations ensure that the regime established by the EU's MiFID II functions effectively after Brexit.
23 Payment initiation service providers are regulated by the Payment Services Regulations 2017.
24 Account information service providers are regulated under Open Banking.
25 European Patent Office, Patenting Artificial Intelligence, 30 May 2018.
26 Patents Act 1977, Section 13.
27 Stephen Thaler v. Comptroller General of Patents Trade Marks and Designs [2021] EWCA Civ 1374.
28 www.gov.uk/government/consultations/artificial-intelligence-and-ip-copyright-and-patents/artificial-intelligence-and-intellectual-property-copyright-and-patents#patents.
30 EU Directive 96/9/EC on the legal protection of databases (the Database Directive) implemented in the UK by the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032) (the Database Regulations).
31 The organisation that originates the contents of the database does not get the benefit of the protection as they do not need to expend time finding, checking and verifying the contents (as they originated the contents). Clearly, the key is investment in collection rather than creation of the content.
34 Court of Justice of the European Union, C-311/18, Schrems II.
35 UK Information Commissioner's Office – standard contractual clauses after the transition period ends.
36 Information Commissioner's Office, Big Data, artificial intelligence, machine learning and data protection report 2017.
37 Information Commissioner's Office, Technology Strategy 2018–2021.
38 Kenshall S, 'The Information Flow', Global Banking & Finance Review.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.