Regulatory round-up – August 2017


Consumer and Retail Finance – August 2017
Latest from the Financial Conduct Authority, Competition and Markets Authority and other sector news including payments.
Financial Conduct Authority (FCA) and Competition and Markets Authority (CMA)
Earlier this year, the FCA published its “Credit card market study: consultation on persistent debt and earlier intervention remedies” which set out, among other things, proposals to address persistent credit card debt and require firms to identify customers at risk of financial difficulties. The consultation formed part of a package aimed at reducing the number of customers with problem credit card debt. A policy statement is expected in Q4 2017. The FCA has recently written to UK Finance in relation to the proposed voluntary industry agreement to give credit card customers greater control over credit limit increases, details of which were set out in chapter 4 of the consultation paper.
The FCA has published an update with more details on its work on motor finance, which was one of the areas of focus highlighted in its 2017/18 Business Plan. The FCA is working to identify potential areas of consumer harm in that market.
The FCA is consulting on a further two of the 28 recommendations from the Financial Advice Market Review (FAMR) final report which was published in March 2016. FAMR is a joint FCA and HM Treasury initiative set up to identify ways of making the UK’s financial advice market work better for consumers.
Firms already subject to the Senior Managers and Certification Regime are reminded that the window for reporting Conduct Rule breaches to the FCA began on 31 August 2017 and ends on 31 October 2017.
The FCA has launched a survey of mortgages in the UK, with research taking place during August and September 2017. The results are due to be published in early 2018. The FCA says it will use the information to understand more about consumers and how they are managing their mortgages and any engagement with their lenders.
The FCA is consulting on proposed new rules requiring current account providers to publish information on service and performance. Comments are requested by 25 September 2017. This work follows on from the CMA’s investigation into retail banking (the final report was published in August 2016). The FCA is in the process of carrying out its own review of the business models used in the retail banking sector to assess their impact on competition and conduct.
From 2 August 2017, as part of the CMA’s package of retail banking reforms, all banks must have set and publicised a ceiling (or cap) on their unarranged overdraft charges in the form of a monthly maximum charge (MMC), and all providers of unsecured loans and overdrafts to small and medium-sized businesses (for values up to £25,000) have to publish and clearly display the rates they will charge for doing so. See the CMA blog for further details. The CMA has issued directions to the Co-operative Bank after it failed to meet the 2 August deadline in relation to the MMC.
Other news
In issue 141 of Ombudsman News the Chief Ombudsman noted that “lenders still aren’t always making the right call in checking people will be able to repay what they owe.” Complaints about consumer credit rose by 89% in the year to April 2017.
Citizens Advice has published a major new report “Stuck in Debt” which examines consumer borrowing and long term consumer debt problems. Research found that nearly 1 in 5 people struggling with debts has had their credit card limit raised without them requesting it. Citizens Advice says that poor affordability checks by firms are making people’s financial situation worse. It says that lenders, the FCA, and the government have a crucial role in helping people stay on top of their debts and getting their finances back on track when they fall into difficulties. The report’s recommendations include that: lenders should not be allowed to increase a credit limit without a customer’s permission and should offer forbearance to customers stuck in problem debt; they should get rid of unarranged overdraft fees; and debt management plans should be legally enforceable. See the press release here.
The Advertising Standards Authority (ASA) has upheld complaints about an American Express credit card television advertisement. The claim “there is a card that could give you 5% cashback on all purchases” was misleading and exaggerated the cashback offer. See an account of the ASA’s ruling here.
The Payments Strategy Forum has launched a consultation on the future of UK payments, which the Payment Systems Regulator (PSR) describes as “the most radical change to the payments industry since the 1960s.” See the PSR press release here.
As we have reported previously, the Payment Services Regulations 2017 will implement the revised EU Payment Services Directive (known as PSD2) in the UK. Firms can apply to be authorised or registered under the new regulations from 13 October 2017. Information on this and the requirements for firms in relation to PSD2 can be found on the FCA website.
The European Banking Authority (EBA) is developing technical standards and guidelines to supplement PSD2, including recently published guidelines on major incident reporting. It is currently consulting on draft guidelines on fraud reporting requirements. Comments are requested by 3 November 2017.
The EBA published a discussion paper on 4 August 2017 on its approach to FinTech, following the mapping exercise it undertook in spring 2017 to gain a better insight into the financial services offered and financial innovations applied by FinTech firms in the EU, and their regulatory treatment. The EBA proposes follow-up work in these areas: authorisation and sandboxing regimes; prudential risks for credit institutions, payment institutions and electronic money institutions; the impact of FinTech on those institutions’ business models; consumer protection and retail conduct of business issues; the impact of FinTech on the resolution of financial firms; and the impact of FinTech on anti-money laundering and countering the financing of terrorism. There is a three-month consultation period.
The World Economic Forum has also recently published a report entitled Beyond Fintech: A Pragmatic Assessment Of Disruptive Potential in Financial Services.

Data Protection – August 2017
Update on GDPR and data protection post-Brexit, latest from the ICO, cyber security and more.
Update on the General Data Protection Regulation (GDPR), the UK’s Data Protection Bill and post-Brexit arrangements
The Queen’s Speech included plans for a Data Protection Bill to “ensure that the United Kingdom retains its world-class regime protecting personal data.” On 7 August 2017, the government published a press release and statement of intent on the proposed Bill which, it is confirmed, will implement GDPR in the UK. See our briefing for more details.
On 24 August 2017, the government published its future partnership paper on the exchange and protection of personal data, one of a number of partnership papers published in the run-up to the next round of Brexit negotiations. The paper “outlines how the UK is considering an ambitious model for the protection and exchange of personal data with the EU that reflects the unprecedented alignment between British and European law and recognises the high data protection standards that will be in place at the point of exit.”
The government says that a UK-EU model should recognise that the UK is compliant with EU data protection law and wider global data protection standards. In light of the UK’s unprecedented position, it wants to explore a UK-EU model which could build on the existing adequacy model (where the European Commission assesses whether a third country’s data protection standards are ‘essentially equivalent’ to those applied in the EU) in two ways. Firstly, by enabling an ongoing role for the Information Commissioner’s Office (ICO) in “EU regulatory fora.” Secondly, by the UK and EU agreeing to mutually recognise each other’s data protection frameworks as a basis for the continued free flow of data between the EU and other EU adequate countries, and the UK, from the point of exit (until longer-term arrangements come into force). This is to avoid regulatory uncertainty for businesses and public authorities in the UK, EEA, and EU adequate countries.
The Information Commissioner herself has spoken previously of the importance of obtaining an adequacy decision post-Brexit and the importance of the UK’s status and influence on the European Data Protection Board, which will make decisions about data processing that impact on UK citizens. Where we go from here will depend on the outcome of the negotiations.
One potential sticking point in relation to adequacy is the UK’s Investigatory Powers Act 2016 (IPA), which gives the government, among other things, wide-ranging powers to monitor and intercept citizens’ communications and internet usage. The Court of Justice of the European Union ruled in December 2016 that the IPA’s predecessor, the Data Retention and Investigatory Powers Act 2014, was incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights.
Whatever the outcome, GDPR will apply in the UK from 25 May 2018 and businesses should continue to prepare for it.
ICO launches ‘myth-busting’ blogs on aspects of GDPR
The UK’s Information Commissioner has launched a series of ‘myth-busting’ blogs to “separate the fact from the fiction” on GDPR.
The first post addresses the myth that the biggest threat to organisations from the GDPR is massive fines. The Information Commissioner stresses that, while it is true that the ICO will have the power under GDPR to impose much bigger fines than it can now, it is scaremongering to suggest that the regulator will be making early examples of organisations for minor infringements or that maximum fines will become the norm. She notes that, if misinformation goes unchecked, “we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.”
The second post deals with consent and the myth that you must have consent if you want to process personal data. The Information Commissioner says that consent is not the ‘silver bullet’ for GDPR compliance. GDPR sets a high standard for consent, but the rules only apply where the organisation seeking to process personal data is relying on consent as its basis for doing so. The Information Commissioner highlights that there are five other conditions for processing data under GDPR that may be more appropriate.
This post also seeks to address the myth that organisations cannot start planning for new consent rules until the ICO publishes its formal guidance on this topic (as we reported in the previous edition, the final version is now unlikely to be published before December 2017 since the ICO is waiting until Europe-wide consent guidelines have been agreed). The Information Commissioner says that the ICO’s draft consent guidance is a good place to start, as the final form version is unlikely to include significant changes. She stresses that the guidance will focus on consent only, and will not cover any of the other lawful bases for processing.
The third post considers the myth that GDPR is an unnecessary burden on organisations. The ICO’s Deputy Commissioner (Policy) describes the new regime as “an evolution in data protection, not a total revolution” and repeats the message we have heard before that “if you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.” As to the perceived burdens on SMEs and smaller organisations, the post highlights that it is not the size of the organisation that is relevant so much as the risk that particular businesses and types of data processing pose, for example handling particularly sensitive data, or processing personal data in potentially intrusive ways.
Latest on cyber security
The government is consulting on its plans to implement the Security of Network and Information Systems Directive (or NIS Directive) in the UK. The consultation closes on 30 September 2017. The government identifies that there is a need to improve the security of network and information systems across the UK, with a particular focus on essential services such as energy, health, transport, water and digital infrastructure. It notes that the magnitude, frequency and impact of network and information system security incidents is increasing – a recent example being the WannaCry ransomware attack which affected the NHS.
Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. The government sets out its proposed approach to the identification of “operators of essential services” in chapter 4 and Annex 1 of the consultation paper. It intends that the legislation will continue to apply in the UK post-Brexit. The NIS Directive must be transposed into UK law by 9 May 2018.
The government recently published the FTSE 350 Cyber Governance Health Check Report 2017, which found that, of those companies participating, 10% of Boards did not have a plan in place to respond to a cyber incident and 6% of Boards described their business as completely prepared to meet GDPR requirements. A second report, Cyber security among charities, has also been released.
Privacy Shield
The first annual review of the Privacy Shield has been scheduled to take place in the US during the week of 18 September 2017.
The EU Commission is due to publish a report following the review and the Article 29 Working Party has indicated that it may publish a separate report.
Whilst the beleaguered Privacy Shield has been the subject of heavy criticism, with calls from some quarters for data transfers under it to be suspended, the EU is unlikely to be quick to pull the plug given that some estimates put the value of transatlantic trade at $1 trillion.
Businesses should watch this space, and we will be monitoring and publishing updates on developments as they happen.
Ban on pensions cold calling
The government has announced that the new measures to tackle pension fraud will extend the ban on cold calling to emails, text messages and all forms of electronic communications.
Recent ICO enforcement action
The ICO has fined TalkTalk £100,000 after finding that the level of staff access to customers’ personal data was “unjustifiably wide-ranging and put the data at risk.” An investigation by TalkTalk found that three accounts of a multinational IT services company in India (which resolved complaints and handled network coverage problems on TalkTalk’s behalf, and had access to customer information through a TalkTalk portal) had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. TalkTalk’s lack of adequate security measures left the data open to exploitation by rogue employees. The ICO said that TalkTalk “should have known better.” The company received a record £400,000 fine in October 2016 after security failings allowed a cyber attacker to access customer data “with ease.”
August 2017 saw the ICO issue two separate warnings to businesses about making nuisance calls. At the start of the month, two companies were fined a total of £150,000 after they broke the law by calling people who were registered with the Telephone Preference Service (TPS). Both companies were also issued with enforcement notices compelling them to stop making nuisance calls or face court action. Neither had subscribed to the TPS register to check whether those they were contacting had opted out of receiving direct marketing, and they both contacted people again after being told not to.
More recently, a domestic energy saving firm was fined £50,000 after it continued to make unsolicited marketing calls during a period when its usual system for screening numbers against the TPS register was unavailable due to technical issues.
The government recently published direct marketing guidance for claims management companies.
In other enforcement news, Islington Council was fined £70,000 after it failed to take the appropriate technical measures to keep personal information secure on its parking ticket system website. Design faults meant that the personal data of up to 89,000 people was at risk of being accessed by others. The ICO found that the system should have been tested both before it went live and regularly afterwards.
A former NHS employee was ordered to pay £1,715 in fines and costs after she accessed the sensitive health records of friends and people she knew and disclosed some of the personal information.
Interesting decisions on freedom of information and data subject access requests
The Information Commissioner has held that the Cabinet Office could rely on section 14(1) of the Freedom of Information Act 2000 (FOIA) as a basis for refusing to comply with a request which was made for all information held on its ‘Slack’ channel – an online cloud-based collaboration tool allowing users to communicate with each other in a variety of ways. Section 14(1) of FOIA allows a public authority to refuse to comply with a request if it is considered to be vexatious. The Cabinet Office sought to refuse the request on that basis because of the burden involved in complying with it. In the Commissioner’s view, section 14(1) is designed to protect public authorities by allowing them to refuse any requests which have the potential to cause a disproportionate or unjustified level of disruption, irritation or distress. This will usually involve weighing the evidence about the impact on the authority and balancing this against the purpose and value of the request. There is a high threshold to be met for refusal. In this case, the request was vexatious “because the amount of time required to review and prepare the information for disclosure would place a grossly oppressive burden on the public authority.” The ICO has issued guidance on dealing with vexatious requests.
The Commissioner noted that this was the first FOIA complaint she had been asked to consider in relation to a request for information held on Slack, and she recognised that public authorities’ use of such cloud-based communication tools “raise a number of complicated and novel issues in respect of compliance with the requirements of FOIA, including wider issues related to records management.” The Commissioner will consider any wider implications for government and the public sector more generally and whether further guidance is required.
In a potentially far-reaching decision in the context of data subject access requests, the ICO held that a judge’s handwritten notes created during employment tribunal litigation and placed on the court file were disclosable as they were “data forming part of a relevant filing system” under the Data Protection Act. The key point was that the notes had been placed on the court file, at which point the Ministry of Justice became the data controller. It is unlikely that informal notes retained by a judge will be treated in the same way.

Health and Safety – August 2017
Draft sentencing guideline on gross negligence manslaughter, sentencing update and review of building regulations and fire safety.
Sentencing Council consults on gross negligence manslaughter sentencing guideline
The Sentencing Council is consulting until 10 October 2017 on a draft sentencing guideline for gross negligence manslaughter (in addition to other forms of manslaughter). There is no existing guideline for this form of manslaughter. Notably, the consultation paper says that the approach taken in developing the draft guidelines aims to regularise practice, rather than substantially alter it, other than in the case of the more culpable offences arising from health and safety breaches where it is anticipated that sentences will rise. The offence range for gross negligence manslaughter is one to 18 years’ custody. Gross negligence manslaughter occurs when the offender is in breach of a duty of care towards the victim, the breach causes the death of the victim and, having regard to the risk involved, the offender’s conduct was so bad as to amount to a criminal act or omission.
The draft guideline is set out on pages 57 to 61. It sets out a step-by-step decision-making process for the court to use, to ensure a consistent approach to sentencing across England and Wales. Step one involves determining the offence category. This reflects the severity of the offence and indicates the starting point and range of sentences within which the offender is sentenced. The list of factors is exhaustive. Step two relates to the starting point and category range. Once the court has decided upon a provisional sentence using the relevant starting point and category range, it must then go on to consider any relevant aggravating and mitigating factors and the weight they are to be given. The factors at step two are non-exhaustive. There follows a series of further steps, including reduction for guilty pleas.
At step one, there are four levels of culpability (ranging from very high culpability at Category A, which is likely to be rare, to lower culpability at Category D), but the paper says that a fair assessment of the offender’s overall culpability will require a balancing of the various factors. We are told that developing a sentencing guideline for gross negligence manslaughter was particularly challenging because the offence occurs relatively rarely but in a very wide range of circumstances. This is why a degree of flexibility in determining the culpability level is particularly necessary in relation to this guideline, which specifically warns against taking an overly mechanistic approach to applying the factors.
The assessment of culpability includes a consideration of the context of the act or omission that caused the death, the role played by the offender, the extent to which the offender was aware of the risk of death, the length of time over which the negligent conduct persisted, actions after the event, and the circumstances of the offender. There are a number of factors which could be especially relevant in a health and safety context. For example, one of the factors in Category B (high culpability) is that the negligent conduct was motivated by financial gain (or avoidance of cost) which would apply, for example, where an employer decides not to provide adequate safety equipment to save money. Another is where the offender was clearly aware of the risk of death arising from their negligent conduct.
In relation to harm factors, the harm caused will inevitably be of the utmost seriousness in all manslaughter cases and the loss of life is already taken into account in the sentencing levels at step two. The sentence ranges at step two cover a very wide range of sentence outcomes. As there are only four starting points, adjustment from the starting point may be necessary before any adjustment for aggravating and mitigating factors where a case does not fit squarely into a category.
In considering the factors that make an offence of gross negligence manslaughter more or less serious, the Sentencing Council concluded that it would be appropriate for sentences to increase in some situations. It gives the typical example where an employer has had a long-standing, utter disregard for the safety of employees and is motivated by cost cutting. Page 28 of the paper sets out an example application of the guideline in a health and safety context.
The draft guideline is a further indication of the increasingly tough line being taken when it comes to health and safety breaches. Since the new sentencing guideline for health and safety offences, corporate manslaughter and food safety and hygiene offences came into force in February 2016, we have seen a marked rise in the severity of the fines imposed.
Sentencing update
Tata Steel UK Limited was fined £930,000 after the release of toxic and flammable substances at its Scunthorpe site exposed five workers to the risk of serious injury or death. A Health and Safety Executive (HSE) investigation found that the company failed to take the appropriate safety measures and failed to address risks which had previously been identified. It was also ordered to pay costs of £70,000.
A company was fined £100,000 and one of its directors was sentenced to six months’ imprisonment (suspended for two years) after removing licensable asbestos materials in an unsafe manner at a number of sites. The HSE inspector said: “Around 3000 people a year die from asbestos-related disease and it is a well-known risk within the construction industry; there is no excuse for putting people at risk when the hazards can be controlled with careful management during work with asbestos containing materials.”
Just last month, three companies were fined a total of more than £1 million after workers were exposed to asbestos while refurbishing a school. The HSE investigation found that, although an asbestos survey was completed, there were multiple caveats and disclaimers which were not appropriately checked.
A passenger air transport firm was fined £250,000 after an employee suffered severe brain damage when she was crushed opening a hangar door at Luton Airport. The HSE investigation found that the company failed to conduct adequate planning or provide adequate training and written instructions. The HSE inspector said: “Employers must provide suitable systems of work, training, information and supervision to ensure safety. If a safe system of work had been in place prior to this incident, it could have prevented the life-changing injuries sustained by the employee.”
Government announces review of building regulations and fire safety
The government has announced an independent review of building regulations and fire safety in the wake of the Grenfell Tower disaster. It will look at current building regulations and fire safety with a particular focus on high rise residential buildings and will examine:
- the regulatory system around the design, construction and on-going management of buildings in relation to fire safety;
- related compliance and enforcement issues; and
- international regulation and experience in this area.
The terms of reference for the review were published on 30 August 2017. An interim report is expected before the end of the year, with a final report no later than spring 2018.