Regulatory round-up – December 2016/January 2017


Consumer and Retail Finance – December 2016/January 2017
Latest from the FCA, what’s coming up in 2017, news from the LSB, CMA and more.
Financial Conduct Authority (FCA)
Updated consumer credit information sheets – correction: We reported previously that the FCA had published updated sheets to be used from 18 January 2017. These have since been withdrawn due to an error. Firms should continue to use the old versions up to and including 13 April 2017. New versions must be used from 14 April 2017.
Criminal action has been taken for the first time in a case related to the FCA’s consumer credit powers. An unlicensed consumer credit lender had conducted regulated activity without authorisation over a number of years. See the FCA’s press release for more details.
The findings of the FCA’s thematic review report on early arrears management in unsecured lending indicate that positive changes have been made over the past two years, but there remains a need for firms to continue improving their practices. We looked at the key findings in our recent briefing.
We reported previously that the FCA had published its revised proposed guidance on guarantor loans, concerning the enforcement of security under the Consumer Credit Act 1974, including the section 87 requirement to serve a default notice before taking certain actions following breach of a regulated agreement. The FCA has now published its finalised guidance in this area, taking account of the comments received in relation to the proposed guidance. It affords lenders some leeway to take payment from guarantors where this is a ‘request’ rather than a ‘demand’ (see our recent briefing).
The FCA published its final rules for firms when dealing with customers experiencing a payment shortfall on their mortgages or home purchase plans, following its earlier consultation. These and other Handbook changes are set out in Handbook Notice 39. Other rule changes include those to CONC App 1, to ensure that APRs are calculated in a consistent way that will promote the comparability of different offers (proposed changes to the APR assumptions for consumer credit were included in the FCA’s quarterly consultation published in September 2016 – feedback is set out in the Handbook Notice).
The FCA has also recently published key themes from the feedback it has received so far in relation to its Future Mission consultation, which includes sections on protecting consumers, vulnerable consumers, and whether there is a need for a more specific Handbook review.
In a letter to the CEOs of all firms that administer Debt Management Plans, the FCA set out its expectations in this area, following concerns over non-compliance and the increased risk to consumers.
The FCA and Prudential Regulation Authority issued a joint consultation paper on Amendments to Notes for completion of the Mortgage Lenders & Administrators Return. The consultation is relevant to all firms carrying on the regulated activities of home finance providing activity and administering a home finance transaction. Comments are requested by 13 March 2017.
The FCA is also consulting on enhancing conduct of business rules for firms providing contract for difference products to retail clients. Feedback is requested by 7 March 2017.
The FCA is reviewing the funding of the Financial Services Compensation Scheme (FSCS). Responses are invited on a number of options for changing FSCS funding and the coverage it provides to consumers. The FCA is also consulting on a number of specific proposals to change the rules around the scope and operation of FSCS funding. Comments are requested by 31 March 2017.
Finally, the FCA has launched a market study to consider whether competition in the mortgage sector can be improved to benefit consumers. An interim report is scheduled for summer 2017 and an engagement process with stakeholders will begin shortly. See our recent briefing for more details.
Other news
Issue 138 of Ombudsman News considered the link between mental health and debt, with case studies and commentary from experts across the sector.
The government published a consultation paper setting out the model for a new single financial guidance body which will commission advice for those in problem debt, co-ordinate efforts to improve financial capability and provide information and guidance on matters relating to pensions, financial scams, and wider money matters. Responses are requested by 13 February 2017.
The Money Advice Service has released early findings from a major study, showing that within three to six months of receiving regulated advice, nearly two thirds of those with debts are either repaying them or have repaid in full.
The Lending Standards Board (LSB) has completed its assessment of the gap analysis exercise undertaken by registered firms regarding adherence to, and implementation of, the new Standards of Lending Practice for personal customers. It reports that firms are already meeting the majority of the Standards, with extra focus given to the newly expanded areas of money management and customer vulnerability. Adherence to the new requirements is to be completed by October 2017.
The Competition and Markets Authority (CMA) has accepted undertakings from Bacs Payment Schemes Ltd that commit it to delivering the improvements required by the CMA’s retail banking market investigation within a year. This includes the extension of the redirection service operated by the Current Account Switch Service. See the CMA’s press release for more details on the upcoming changes and the background to the reforms.
Coming up in 2017…
In February 2017, we expect to see the FCA’s policy statement to its consultation on regulatory fees and levies: policy proposals for 2017/18. Chapter 2 set out the FCA’s proposals to introduce a new levy on consumer credit firms to recover HM Treasury’s expenses in tackling illegal money lending as required under section 333T of the Financial Services and Markets Act 2000 (introduced by the Bank of England and Financial Services Act 2016). A consultation is due to launch in March 2017 on FCA-regulated fees and levies: rates proposals for 2017/18, aimed at fee-payers paying FCA fees, Financial Ombudsman Service, Money Advice Service and pensions guidance levies.
Other consultations to look out for in Q1 2017 include those on creditworthiness and affordability in consumer credit and on new rules for firms running crowdfunding platforms. This second paper will be aimed at firms operating loan-based and investment-based crowdfunding platforms. The FCA published a feedback statement in December 2016, reporting on the main issues arising from its July 2016 call for input to launch a post-implementation review of the crowdfunding regime. The review is ongoing. The FCA believes there is evidence of potential investor detriment, prompting it to consult and propose new rules in this area.
The LSB is developing the Standards of Lending Practice for business customers. Due to launch in Q1 2017, they will replace the micro-enterprise provisions of the Lending Code, with protections extended to include businesses with a turnover of up to £6.5 million. Extensions to product scope, covering asset finance and peer to peer lending, will be launched later in the year.
The FCA is expected to launch a consultation in Q2 2017 on the extension of the Senior Managers and Certification Regime to all authorised firms during 2018.

Data Protection – December 2016/January 2017
Latest on the GDPR, e-privacy developments, updates on cyber security, international data transfers and direct marketing.
General Data Protection Regulation (GDPR) – a game changer for everyone
The Minister for Digital and Culture has reconfirmed in parliament that the GDPR will become UK law from 25 May 2018. The government is working on the details of implementation and plans to consult with stakeholders on key measures where there is an opportunity to apply flexibilities in the legislation “to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful”.
In the meantime, the Article 29 Working Party (WP29) has published its GDPR action plan for 2017 and the first tranche of European-level guidance on certain aspects of the GDPR. At its December meeting, the WP29 adopted guidelines and FAQs for data controllers and processors on: the right to Data Portability; Data Protection Officers; and the Lead Supervisory Authority. Watch out for our upcoming commentary on this guidance, the next in our series of guides to help businesses plan ahead for implementation. Our initial publication can be found here: Introducing our series of guides to the EU General Data Protection Regulation.
The Information Commissioner’s Office (ICO) has also updated its “Guidance: what to expect and when” and in a recent speech to the Institute of Chartered Accountants, the Information Commissioner said that “we’re all going to have to change how we think about data protection” as the new legislation “puts an onus on businesses to change their entire ethos to data protection…The message about GDPR is continuity and change...There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone… accountability is at the centre of all of this: of getting it right today, getting it right in May 2018, and getting it right beyond that”.
E-privacy and the “Snooper’s Charter”
In a key judgment, the Court of Justice of the European Union (CJEU) has ruled that national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights.
This was a referral by the English Court of Appeal following a 2015 High Court ruling that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law. The controversial Investigatory Powers Act 2016 (IPA), which replaced DRIPA at the end of 2016, goes even further than DRIPA. It was passed despite opposition from privacy advocates, academics, the Law Society and major technology and telecommunications companies, who voiced significant privacy and data security concerns. The IPA, like DRIPA, has been dubbed the ‘Snooper’s Charter’.
The government has said it will put forward “robust arguments” when the case returns to the Court of Appeal. In the meantime, human rights group Liberty has already launched a crowdfunding campaign to fund a legal challenge to the new law. The CJEU’s ruling also raises the possibility of challenge to the adequacy of the UK’s protection of EU personal data in a post-Brexit world.
A new e-Privacy Regulation
The EU e-Privacy Directive itself has been under review – one of the key initiatives proposed under the “Digital Single Market” strategy, aimed at reinforcing trust and security in digital services in the EU. The European Commission recently published the results of its consultations in this area and a proposal to replace the Directive with a new e-Privacy Regulation which, among other things, aligns the rules for electronic communications (including fines and remedies for individuals) with the standards of the GDPR. The Commission intends for the new e-Privacy Regulation to come into force at the same time as the GDPR on 25 May 2018.
In the same press release, the Commission included a link to its proposed “Communication on Exchanging and Protecting Personal Data in a Globalised World” – setting out its strategic approach to the issue of international data transfers. This could be of relevance to the UK post-Brexit.
Cyber security – always on the agenda
Following on from the publication of the National Cyber Security Strategy 2016-2021, the government has now published its cyber security regulation and incentives review. The review was conducted to consider whether there is a need for additional regulation or incentives to boost cyber risk management across the wider economy. For now, the government will seek to improve cyber risk management in the wider economy through the GDPR. The breach reporting requirements and fines capable of being issued under the GDPR will be supplemented by further measures to more clearly link data protection with cyber security. There will also be new non-regulatory interventions to incentivise better cyber security management.
The Joint Committee on the National Security Strategy announced an inquiry into UK national security in a digital world. The closing date for submissions is 20 February 2017.
Having already disclosed an earlier data breach affecting over 500 million user accounts, Yahoo recently reported that it had been subject to a second major cyber attack affecting 1 billion users – making it the largest data breach in history. US authorities have launched an investigation. National Lottery operator Camelot also reported that around 26,500 of its players’ accounts had apparently been accessed by cybercriminals. TalkTalk was also criticised by security experts for its advice to customers that there was “no need” to change their router settings after it emerged that the router credentials of many customers had been hacked.
These latest incidents underline yet again how vital it is for businesses to take data protection and security seriously, both in terms of prevention and recovery.
The ICO has published a post to help businesses prevent and recover from ransomware attacks, keep information secure and avoid financial and reputational damage. There are links through to further guidance and tips, including from the government and the National Crime Agency.
EU and US conclude “Umbrella Agreement” for law enforcement cooperation
The European Commission has published a fact sheet on the “Umbrella Agreement” concluded between the EU and US on the protection of personal data exchanged for law enforcement purposes, which was backed by a majority of MEPs in early December.
International data transfers – changes to the Model Contract Clauses
The European Commission has amended its adequacy decisions on the Model Contract Clauses (an approved mechanism for transferring data outside the European Economic Area) and its adequacy decisions “whitelisting” certain countries and territories as providing adequate protection for personal data.
The changes are intended to implement the CJEU’s decision in C-362/14 Schrems v Data Protection Commissioner (see What does the Safe Harbor ruling mean for business? and Putting the EU-US Privacy Shield into motion – what next? for more details) by removing the restrictions on when the national data protection authorities can exercise their powers to suspend data, which the CJEU ruled were invalid.
The changes to the “whitelisting” adequacy decisions have no impact on the Commission’s finding that the 11 countries and territories provide adequate protection and so businesses can continue to transfer personal data to these countries without having to implement any additional safeguards.
The changes to the adequacy decisions for Model Contract Clauses don’t affect the Model Contract Clauses themselves. So, for the time being at least, businesses which have incorporated the Model Contract Clauses into their agreements won’t need to make any changes.
However, the Model Contract Clauses are subject to an ongoing legal challenge in Europe. It is not yet clear what, if any, effect these amendments may have in relation to that challenge. Walker Morris will monitor and report on developments.
Watch out for our upcoming LexisNexis Q&A on this topic.
International data transfers – update on the EU-US Privacy Shield
The EU Justice Commissioner has said that the Commission will “closely monitor the respect of protection standards and the correct implementation of both the Umbrella agreement and the EU-US Privacy Shield” under the leadership of US President Donald Trump. Over 1,500 companies have now self-certified under the new regime for the transatlantic exchange of personal data for commercial purposes. Concerns over the future of the Privacy Shield were raised last week after the President signed an executive order potentially affecting the privacy protections of non-US citizens or permanent residents. The European Union is closely following any changes that might have an effect on Europeans’ data protection rights. Walker Morris will monitor and report on developments.
The Irish Times reports that the US, German and Czech governments have requested to participate in the case involving campaign group Digital Rights Ireland’s legal challenge to the Privacy Shield. Other countries include the UK, France and the Netherlands. In a news release issued by the International Association of Privacy Professionals, it was reported that some European tech companies are worried that the ongoing legal challenges will prove problematic in the long run.
The WP29 has published helpful FAQ documents for both European businesses and individuals on the practicalities of the Privacy Shield (links are available here).
Latest on direct marketing
The ICO recently took over management of the Telephone Preference Service (TPS) from Ofcom – one of a number of government measures to tackle nuisance calls and messages. It has since fined one firm £40,000 for breaking the law by calling people registered with the TPS.
As we reported previously, the government announced in October that from spring 2017 the ICO will have powers to hold company directors directly responsible for breaches of The Privacy and Electronic Communications (EC Directive) Regulations 2003. Each director could be liable for a fine of up to £500,000. Ofcom and the ICO have recently published an update to their joint action plan.
Two companies responsible for sending millions of spam texts offering easy access to loans were recently fined £100,000 and £30,000 by the ICO respectively. Another was fined £50,000 for instigating the sending of nearly 400,000 spam texts about debt. Since last April, the ICO has issued more than £1 million in fines to firms for breaking the law on marketing calls, text messages and emails. It recently issued an update on the action taken to tackle nuisance calls and messages.

Health and Safety – December 2016/January 2017
Including sentencing and recent cases, HSE Health and Work Strategy, food and drink advertising and the Product Liability Directive.
Sentencing
The Court of Appeal dismissed an appeal by the UK subsidiary of global energy corporation ConocoPhillips against the £3 million fine it received in February 2016 for health and safety breaches in relation to three major gas release incidents on a North Sea platform owned and operated by the company [1]. The gas was brought into dangerous proximity to the 66 people working on the platform. Key points are:
- The company was a very large organisation and the sentencing judge was rightly conscious of the need for a fine to be large enough to bring home a message to directors and shareholders as to the company’s health and safety responsibilities (that message is applicable in all cases but a poor safety record will aggravate the position – in this case, one of the mitigating factors was the company’s excellent safety record).
- The company was extremely large and with extensive available assets – if the new sentencing guidelines were applied, the company would easily satisfy the definition of a “very large organisation”.
- There was a trend in sentencing practice prior to the creation of the new guidelines of an increase in levels of sentencing and recognition of the need to reflect assets available to large and very large organisations so as to produce a fair and proportionate sentence – the new guidelines are a continuation of that process.
- The sentencing judge in this case did not apply the new guidelines (which came into force between the hearing of submissions and the passing of sentence) – the Court doubted that this approach was correct, as the guidelines came into effect on 1 February 2016 (regardless of the date of offence) and sentence was passed after that date. It would be unfair, however, to base the Court’s decision on the new guidelines, in view of the position adopted by the parties and the judge.
- Adopting a pre-guideline approach, the Court did not consider that this level of sentencing in a serious case, both in terms of culpability and harm, could properly be described as manifestly excessive – it fell high up the scale of culpability and the level of harm which might foreseeably have been caused was very significant.
- A £5 million fine (the total level the sentencing judge would have imposed before mitigation and full credit for an early guilty plea) was significant in real terms, but only represented about 0.1% of the company’s turnover for the year ending 2014 and about 1.6% of the loss made in that year – that gave some perspective of the impact of the fine on the company.
- The company was fortunate to have been granted full credit for the guilty plea – the Court considered 25% to be the appropriate level given that the plea was only tendered at the first hearing before the Crown Court, and not when the matter came before the Magistrates’ Court.
- By reference to the new guidelines, this was a case of high culpability, since the company fell far short of appropriate standards. There was a serious and systemic failure to address risks to health and safety, persisting over a period of time. As to harm, the Court considered that the case fell within category 1 as there was a high likelihood of serious injury or death being caused and a large number of workers were exposed to that risk. The combination of high culpability and category 1 harm would for a single offence in the case of a large organisation (turnover £50 million and over) lead to a starting point of £2.4 million, with a range of £1.5 to £6 million. Since the company exceeded the threshold for large organisations by a huge margin, it would be necessary to move well beyond that range to achieve a proportionate sentence.
- It was obvious that if the guidelines had been applied, no tenable arguments could have been raised on appeal (even allowing for the available mitigation and credit for a guilty plea) that the sentence imposed was manifestly excessive.
A family-run business in the iron industry had its £160,000 fine for health and safety breaches halved on appeal [2]. The company was fined after a maintenance worker slipped and put his foot through an asbestos sheet during repairs to a roofing panel, potentially exposing employees working underneath to debris and asbestos fibres. The sentencing judge assessed the culpability under the new guidelines as medium due to the failure to put in place the necessary health and safety measures. The level of harm was assessed as level A and fell into category 2 on the basis that there was a risk of death or very serious injury (this was balanced against the fact that no harm was actually caused). The company fell into the medium category given its annual turnover of £32 million in that year. The sentencing judge took a starting point of £240,000 under the guidelines and gave a full one third deduction for an early guilty plea, producing a fine of £160,000. The company appealed. Key points are:
- The Court of Appeal noted that the sentencing judge did not make any downward adjustment to the starting point of the fine, despite the fact that there were no aggravating factors as such and significant mitigating factors (including the firm’s exemplary record over 50 years of trading) which should have driven the starting point down.
- It was highly relevant to have regard to the company’s small operating profit. The fine represented 23 per cent of the company’s operating profit. The Court had been informed that, since the June referendum to leave the European Union, the trading conditions for companies like this one, which employs 240 people, had not been good.
- Taking all of these factors into account and stepping back, the Court considered that £120,000 was a more appropriate starting point. Discounting by one third for the early guilty plea produced a fine of £80,000.
It is notable that the maintenance supervisor in the above case had not undergone any training in relation to his supervisory role, and none of the employees had received training regarding working at height. This has been a recurring theme in a number of recent cases. For example:
- In a case brought by Leicester City Council’s Public Safety Team, high street chain Wilko was fined £2.2 million after an employee suffered spinal injuries when a cage of paint tins fell on top of her. The court heard, among other things, that employees were not provided with adequate training or supervision.
- Jaguar Land Rover was fined £900,000 after a worker suffered life-changing injuries on the production line of one of its plants. The Health and Safety Executive (HSE) investigation found that the company had failed to ensure that the driver of the car involved in the accident was familiar with procedures.
- The national truck, bus and plant division of Volvo was fined £900,000 after a worker suffered head injuries in a fall. The HSE investigation found that, at the time of the incident, Volvo UK had not trained staff to select, inspect and use access equipment for work at height.
- A shipbuilder was fined £400,000 after a worker suffered serious injuries to his hand while carrying out repairs. In a statement, the HSE said that the defendant “had developed a Health and Safety Management System (HSMS) but failed to ensure that the system had permeated all parts of the organisation. If the HSMS had been followed this accident may not have occurred…”
These recent examples underline the importance for businesses of ensuring that adequate training and supervision is in place and that systems and procedures are communicated effectively – having a written policy is not enough. The HSE has produced guidance for organisations of all sizes on their health and safety responsibilities.
It was recently confirmed in the Scottish courts that the new sentencing guidelines (issued by the Sentencing Council of England and Wales) can be used as a ‘cross check’ in cases north of the border [3].
HSE launches new Health and Work Strategy
In December, the Minister of State for Disabled People, Health and Work, Penny Mordaunt MP, helped launch the HSE’s new Health and Work Strategy. Priorities are work-related stress, musculoskeletal disorders and occupational lung disease. The HSE has published draft plans for health and safety in 19 different sectors, from construction and manufacturing to public services and utilities.
New rules on food and soft drink advertising to children
Following a public consultation, the Committee of Advertising Practice announced the introduction of “tough new rules” from 1 July 2017 banning the advertising of high fat, salt or sugar food or drink products in children’s media (targeted at under-16s). The rules apply to all non-broadcast media, including social media.
European Commission launches consultation on Product Liability Directive
The European Commission launched a three month public consultation in January on the rules set out in the Product Liability Directive (Directive 85/374/EEC) on liability of the producer for damage caused by a defective product. Part 1 of the Consumer Protection Act 1987 (CPA) implements the provisions of the Directive into UK law and imposes a strict liability on the producers of defective products for the damage caused by those defects. In an important recent case [4], the English High Court has clarified the meaning of ‘defect’ under the CPA, a decision likely to be welcomed by manufacturers.
______________________
[1] R (Health and Safety Executive) v ConocoPhillips (UK) Ltd [2016] EWCA Crim 1594
[2] R v MJ Allen Holdings Ltd [2016] EWCA Crim 2142
[3] Scottish Power Generation Ltd v HM Advocate [2016] HCJAC 99
[4] Wilkes v DePuy International Limited [2016] EWHC 3096 (QB)