Financial Regulations In The United Kingdom

Country Overview

Strict and lengthy lockdowns due to the COVID-19 pandemic contributed to the UK’s worst economic performance on record, with a 2020 GDP contraction of 9.9%.¹ The Brexit transition and cyberattacks further compounded the rocky landscape. Meanwhile, the pandemic rapidly accelerated digital transformation, with contactless payments making up 88.6% of UK payments in 2020² and consumers flocking to e-commerce. 

Although Prime Minister Boris Johnson’s recovery package does not prioritize digitalization as the EU’s does, it is a sweeping plan that emphasizes economic growth—including support for job training and university education—which will dovetail well with digitalization efforts. Despite uncertainties with regard to open banking, digital identity and the payments industry, the UK’s attractive fintech landscape and regulations in the works will help to usher in digitalization while fostering innovation and financial inclusion.

Digital identity could prove an important cornerstone in the UK’s digital transformation, although it has had a shaky start. In February, the DCMS released a draft of a digital identity trust framework, which will expand upon the government-to-citizen aspects of the Gov.uk Verify system. This is expected to broaden secure digital identities in all industries, aid in AML and anti-fraud measures, attract more fintech entities and onboard previously unbanked individuals. According to a Financial Conduct Authority survey, 1.2 million UK adults are unbanked.³ Without a workable digital identity system, digitalization could further exacerbate unequal access to financial services.

Digitalization will be instrumental in strengthening the UK’s rapidly growing fintech ecosystem. As it stands, the UK fintech sector makes up 10% of the UK’s global market share and draws the most venture capital investment in all of Europe.⁴ Faced with increasing competition, COVID-19 and Brexit-driven uncertainty, the 2021 Kalifa Review of Fintech warns that the industry could lose its competitive edge without reforms and adaptation. 

Financial Regulatory Bodies

Central Bank: The Bank of England (BoE) is the central bank for the United Kingdom. The bank maintains financial stability for the country, oversees monetary policy and issues currency.

Other Financial Bodies: The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. The agency protects consumers and promotes fair competition in the financial services market.

Her Majesty’s Treasury (HM Treasury) is the national government’s economic and finance ministry. The HM Treasury’s primary objective is to develop public economic policy and promote economic growth. 

The Department for Digital, Culture, Media & Sport (DCMS) is responsible for the digital economy as well as key aspects of media including the internet, in addition to culture and sport. 

Standards, Laws and Regulations

HM Treasury Call for Evidence and Consultation on National AML/CTF Framework, 22 July 2021

HM Treasury published a consultation on amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. The amendments seek to “introduce an ongoing requirement to report discrepancies in beneficial ownership information,” expand access to information sharing gateways and implement FATF’s “travel rule” with regard to cryptoassets. The consultation was introduced alongside a call for evidence seeking feedback on the effectiveness of the national AML/CTF regime. Both the consultation and call for evidence were closed on 14 October 2021. Secondary legislation is expected to be introduced in spring 2022. 

Financial Conduct Authority Extends Deadlines for Implementation of SCA Requirements, 20 May and 16 April 2021

On 20 May 2021, The Financial Conduct Authority (FCA) issued a statement extending the deadline for the implementation of strong customer authentication (SCA) requirements in e-commerce transactions to 14 March 2022. The six-month extension aims to “ensure minimal disruption to merchants and consumers, and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline.” 

This follows another FCA deadline extension with regard to SCA implementation. On 16 April 2021, the FCA delayed the requirement for card issuers to implement second factor authentication for the purposes of SCA, following data protection concerns over behavioral biometrics. Card issuers have signaled that behavioral biometrics as currently employed could conflict with the GDPR’s requirement that individuals provide “explicit consent” for the management of their data. UK Finance is seeking advice from the Information Commissioner’s Office on whether a “substantial public interest argument” could negate the need for explicit consent from users.

Although the data protection issue relates only to behavioral biometrics, the FCA postponed the deadline for all forms of second factor authentication. This has not dampened the FCA’s enthusiasm for behavioral biometrics, saying that it “encourage[s] all issuers to use this additional time to explore the use of behavioral biometrics over knowledge factors where possible”. The deadline was 14 September 2021.

As in the EU, the UK’s rollout of SCA requirements has been fraught with uncertainty regarding implementation and enforcement, alongside an oft-shifting timeline. Customers have expressed concerns regarding the requirement to conduct SCA every 90 days, while merchants worry about the effects SCA will have on B2B payments.

Financial Conduct Authority Sends Letter to E-Money Firms Regarding Concerns, 18 May 2021

The Financial Conduct Authority (FCA) sent a letter to UK e-money firms entreating them to clarify to their customers that their accounts are not safeguarded per traditional banking protections. The FCA fears that e-money firms have been misleading in promoting their services, highlighting advantages while minimizing risks. This violates an FCA requirement (BCOBS 2.3.1AR) that communications to e-money customers must include a “fair and prominent indication of any risks.” A primary concern of the FCA is that e-money accounts are not protected by the Financial Services Compensation Scheme (FSCS), which protects consumers in the event that a financial firm fails. The warning points to the FCA’s increasing concerns about payment and e-money services, especially given the COVID-19 pandemic and the summer 2020 bust of Germany payments service Wirecard. A 2018 FCA report found that e-money firms had some weaknesses in their AML/CFT frameworks, a concern that has since been reiterated by an HM treasury risk assessment of ML/TF, which found that payment and e-money services were at a medium risk of money laundering.

Publication of Regulatory Initiatives Grid, 07 May 2021

The Financial Services Regulatory Initiatives Forum—composed of the Financial Conduct Authority, Bank of England and other regulators—published the third edition of the Regulatory Initiatives Grid, which outlines plans and initiatives in the works. The authorities outline timeframes for the delivery of several projects related to the payments sector:

• Publication of consultation paper on Confirmation of Payee (CoP), between June and August 2021
• Publication of follow-up paper on the Call for Views on authorized push payment (APP) scam prevention, between July and September 2021
• Publication of follow-up paper mitigating risks associated with launch of New Payments Architecture (NPA), between July and September 2021
• Publication of statement on review of Consumer Protection in Faster Payments, between September and October 2021
• Publication of policy statement following a consultation on updates to the Payment Services and Electronic Money - Our Approach document, Q3 2021
• Publication of Final Strategy on Payment Systems Regulator’s desired outcomes over the next five years, between October and December 2021

Competition and Markets Authority Publishes Paper on Digital Regulation Cooperation Forum, 04 May 2021

The Competition and Markets Authority (CMA) published a policy paper on Digital Regulation Cooperation Forum: Embedding coherence and cooperation in the fabric of digital regulators, which addresses barriers to digital cooperation and outlines possible future remedies. The Digital Regulation Cooperation Forum (DRCF), established in July 2020, is a partnership between the Information Commissioner’s Office (ICO), the CMA, the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA) to promote coordination amongst the regulators. The paper recommends three major ideas for the government to consider: “supporting appropriate information sharing; embedding coherence and cooperation in the statutory framework for digital services; and providing transparency and accountability.” In promoting a facilitated approach to information sharing, the paper reiterates the importance of ensuring regulators that confidential information shall remain protected by existing legislation. This paper comes on the heels of a 10 March 2021 CMA publication Digital Regulation Cooperation Forum: Plan of work for 2021 to 2022. The policy paper stresses the importance of trust in digital technology, alongside competition and innovation that offer benefits to users. The three priority areas for the DRCF over the 2021-2022 timeframe will include a strategic response to industry and technology changes, joint strategic projects that bolster engagement and cooperation, and regulatory coherence. 

Law Commission Publishes Call for Evidence on Digital Assets, 30 April 2021

The Law Commission published a call for evidence on digital assets in advance of a consultation paper, which will lay out a proposal for reform. The call recognizes the legal uncertainty underpinning digital assets and seeks to garner information on how they are used. The Law Commission notes that it was asked in March 2020 by the Ministry of Justice (MoJ) and Department for Digital, Culture, Media and Sport (DCMS) to review the law for opportunities on reform with regard to digital assets, including cryptoassets. The deadline for responses was 30 July 2021. The Law Commission anticipates publishing a paper on digital assets by the end of 2021. Some UK banks—like HSBC⁵ and retail bank NatWest⁶—have taken a cautious or even completely prohibitive approach to cryptocurrency because of its inherent volatility.

Government to Introduce New Cybersecurity Laws 21 April 2021

The Department for Digital, Culture, Media & Sport has announced that it plans to unveil new cybersecurity laws ensuring smart devices are better protected from cybercrime. Requirements will include a ban on manufacturers installing a default password, a facilitated system for customers to report security weaknesses and an obligation for customers to be told at sale how long their smart devices will receive security software updates.

Bank of England and HM Treasury Announces Creation of Central Bank Digital Currency Taskforce, 19 April 2021

The Bank of England and HM Treasury have established a joint exploratory taskforce on the development of a central bank digital currency (CBDC). The digital money would complement cash, not replace it. The Bank of England also announced the creation of a CBDC Engagement Forum, which will collect input on the non-tech implications of the currency’s development, and a CBDC Technology Forum that will gather input on the technological side. In a 13 May speech, Sir John Cunliffe, Deputy Governor for Financial Stability, points to some of the advantages in the use of digital money. He notes that “…digital public money and the infrastructure necessary to support it would help ensure the necessary interoperability and common standards between all major payment systems in the future economy.  Furthermore, he raises an important concern in that, “… future private money and payments providers may not have the commercial incentives to provide useable services for the unbanked and other parts of the population. Digital public money, appropriately designed, may therefore have an important role to play in ensuring inclusion.” The speech draws major themes from the 12 March 2020 Bank of England discussion paper Central Bank Digital Currency: Opportunities, challenges and design. In a 07 June 2021 discussion paper New forms of digital money, the bank noted that it had not yet decided whether it will issue a digital pound, but that a future CBDC could promote competition and financial inclusion. The report states that, “Where coupled with innovations such as programmable money and micropayments, a CBDC may increase the utility of central bank money when compared to cash. And it could support a resilient, innovative and competitive payments landscape.”

Financial Conduct Authority Publishes Feedback Statement on Open Finance, 31 March 2021

The Financial Conduct Authority’s (FCA) feedback statement details its vision for open finance, its potential benefits and the results from its Call for Input regarding its regulatory strategy. The statement emphasizes respondents’ concerns that the requirement for customers to apply SCA every 90 days causes friction, and that API availability and performance should be strengthened with a mind towards customer convenience. This parallels concerns in the EU over friction in payments caused by SCA. 

Financial Conduct Authority Publishes Policy Statement on Extension of Annual Financial Crime Reporting Obligation, 31 March 2021

Per the policy statement Extension of Annual Financial Crime Reporting Obligation, the FCA will require cryptoasset exchange providers, custodian wallet providers, payment institutions (with exceptions) and electronic money institutions to submit an annual financial crime report (a “REP-CRIM”). This will broaden the scope of reporting firms from approximately 2500 to approximately 7000. The requirement will go into effect 30 March 2022. 

UK Finance Publishes Report on Blueprint and Transition Plan for Open Banking, 02 March 2021

In light of unmet PSD2 requirements, an HM Treasury Payments Landscape Review and CMA Order standards, UK Finance and Baringa Partners have published a report on how the Open Banking Implementation Entity (OBIE) should evolve in addressing concerns and improving functionality and security. The report outlines plans for a “Future Entity” model that improves upon the current one,  while ensuring a smooth transition and compliance with regulatory requirements. The Future Entity, which will center the open data and payments market, is premised on safety, efficiency and reliability. Outcomes in support of this goal include: 

1. “1. Widespread adoption of Open Data and Payments propositions 
2. 2. The services provided will be highly secure and reliable 
3. 3. The UK remains at the forefront of innovation in Open API propositions 
4. 4. Those in vulnerable situations are able to experience equal benefits of Open Data and Payments propositions
5. 5. Poor customer outcomes are prevented”

Open banking has gained in popularity, with over 2.5 million businesses and individual users in the UK,⁷ yet this still constitutes only a small percentage of the 68 million-person population.⁸

Publication of the Kalifa Review of Fintech, 26 February 2021

The widely-read Kalifa Review, commissioned by HM Treasury, gives recommendations on bolstering fintech amidst tightening competition, COVID-19 and regulatory uncertainty in the face of Brexit. Ron Kalifa, entrepreneur and Chairman of payments company Network International, spells out five points in securing the UK’s superior fintech status: policy and regulation, skills, investment, international and national connectivity. “Policy and Regulation” suggests the establishment of a new digital finance package, which would create a regulatory framework to support emerging technology; a “scalebox” that provides extra support to firms focusing on innovative technology; and the development of a global trade policy that prioritizes a fintech agenda. Sub-recommendations address a permanent digital sandbox in enhancing cooperation, fintech’s role in supporting financial inclusion, the digitalization of financial services (a CBDC and the regulation of cryptoassets); and the development of a data strategy (creation of a digital ID, the prioritization of Smart Data and a review of regulatory implications of AI). The report is a key indicator of potential future regulations, especially as the UK feels the pressure to maintain its strong lead in fintech. The recommendation on a digital ID will be especially important towards financial inclusion measures and the possible launch of a CBDC.

UK Publishes Policy Paper on Digital Identity, 11 February 2021

The Department for Digital, Culture, Media & Sport has published a policy paper outlining the proposed digital identity and attributes trust framework. The draft paper, geared towards organizations using or seeking to use digital identity applications, lays out the principles and policies underlying broad goals on digital identity. The framework aims to cultivate trust between users and providers of digital identity services, foster cooperation between the government and private sector in addressing fraud and cybercrime, and facilitate interoperability between service providers. Organizations must institute a data management policy that outlines how they “create, obtain, transform, share, protect, document and preserve data”; a privacy compliance framework; a response plan to incidents; and fraud monitoring. User control over their data is heavily emphasized. The proposal suggests ways in which a digital identity service could be developed under the framework, including an application akin to a wallet and an online identity service provider that can disclose appropriate information to a third party. The framework also takes an important step towards boosting digital inclusion. People without access to traditional documents as evidence of identity can rely on a vouching system, wherein a trusted person vouches for someone’s identity. This could prove instrumental in enfranchising people like refugees, asylum-seekers and individuals in high-poverty settings. The paper ends with an outline of next steps, including a call for feedback and a forthcoming second version of the framework.

HM Treasury Releases National Risk Assessment on Money Laundering and Terrorist Financing 2020, 17 December 2020

HM Treasury released its National Risk Assessment on Money Laundering and Terrorist Financing 2020 on a changing threat landscape and responses to it. Although COVID-19 has changed the threat landscape, it has not led to an overall increase in threats. Major changes include the increased use of cryptoassets in money laundering, the exploitation of pandemic-related fears in tailoring messages to install malware, and the increased criminal use of non-cash and mobile payments. This shift in the threat landscape will require both regulators and individuals to adapt. 

Even before the March 2020 onslaught of COVID-19 in the UK, the Financial Conduct Authority (FCA) had already signaled a harsher approach to its AML procedures with regard to e-payment services. On 11 February 2020, the FCA froze one million ePayments Systems Limited customer accounts due to the claim that weaknesses had been found in the firm’s AML systems and controls. The firm, one of the largest digital payments companies in the UK, received notification from the FCA on 25 February 2021—over a year later—that it could begin processing refunds to customers.⁹

---

References:

^{1. McAuley, Niamh. “GDP first quarterly estimate, UK: October to December 2020.” Office for National Statistics, 12 February 2021. https://www.ons.gov.uk/economy/grossdomesticproductgdp/bulletins/gdpfirstquarterlyestimateuk/octobertodecember2020}

^{2. “Insights: COVID-19 and the rise of the contactless consumer.” Barclay’s, 05 February 2021. https://home.barclays/news/2021/02/Insights--COVID-19-and-the-rise-of-the-contactless-consumer/}

^{3. Financial Lives 2020 survey: the impact of coronavirus. Financial Conduct Authority, 11 February 2021. https://www.fca.org.uk/publication/research/financial-lives-survey-2020.pdf}

^{4. Kalifa Review of UK Fintech. 26 February 2021. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/978396/KalifaReviewofUKFintech01.pdf}

^{5. Wilson, Tom. “HSBC bans customers from buying bitcoin-backer MicroStrategy shares.” Nasdaq, 12 April 2021. https://www.nasdaq.com/articles/hsbc-bans-customers-from-buying-bitcoin-backer-microstrategy-shares-2021-04-12-0}

^{6. Makortoff, Kayleena. “NatWest will refuse to serve business customers who accept cryptocurrencies.” The Guardian, 21 April 2021. https://www.theguardian.com/technology/2021/apr/21/natwest-will-refuse-to-serve-business-customers-who-accept-cryptocurrencies}

^{7. “Three years since PSD2 marked the start of Open Banking, the UK has built a world-leading ecosystem.” Open Banking, 13 January 2021. https://www.openbanking.org.uk/about-us/latest-news/three-years-since-psd2-marked-the-start-of-open-banking-the-uk-has-built-a-world-leading-ecosystem/#:~:text=More%20than%202.5%20million%20UK,access%20credit%20and%20make%20payments}

^{8. “Total population, both sexes combined (thousands).” UN Data, 2021. https://data.un.org/Data.aspx?q=united+kingdom+population+2021&d=PopDiv&f=variableID%3a12%3bcrID%3a826%3btimeID%3a87}

^{9. Wilkes, Guy. “Does the FCA's new hardline approach to AML failure treat customers fairly?” Lexology, 17 May 2021. https://www.lexology.com/library/detail.aspx?g=a30a9066-eb70-4528-8400-d02c978ed666}

---

^{*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.}

Last updated: November 2021