Regulatory round-up – February 2017


Consumer and Retail Finance – February 2017
Latest from the FCA, CMA and more.
Financial Conduct Authority (FCA)
The Financial Services Consumer Panel has proposed amending the Financial Services and Markets Act 2000 (FSMA) to require the FCA to make rules specifying what constitutes a ‘reasonable’ duty of care owed by financial services providers to their customers. Separately, in a letter to the FCA responding to the consultation on its future mission, the City of London Law Society has set out why it considers that the creation of a directly enforceable duty of care is unnecessary. The British Bankers’ Association has also argued against the potential introduction of a formal duty of care.
In its Handbook Notice 41, the FCA sets out a number of recent changes including the introduction of a new levy on consumer credit firms to recover HM Treasury’s expenses in tackling illegal money lending as required under section 333T of the Financial Services and Markets Act 2000 (introduced by the Bank of England and Financial Services Act 2016). The changes came into effect on 24 February 2017. Further detail and feedback from the FCA’s consultation on these proposals can be found on pages 5 to 7 of the Notice.
The FCA has published a Regulation round-up special issue focusing on its recent consultation on the future funding of the Financial Services Compensation Scheme.
The FCA has confirmed that it plans to consult during Q2 2017 on the extension of the Senior Managers and Certification Regime to all FSMA authorised firms. HM Treasury intends that the regime should start from 2018.
Deutsche Bank was fined £163 million for failing to maintain an adequate anti-money laundering control framework – the largest such financial penalty ever imposed by the FCA (or its predecessor the Financial Services Authority). See the FCA’s press release.
Competition and Markets Authority (CMA)
On 2 February 2017, the CMA published the Retail Banking Market Investigation Order 2017, which implements the package of reforms arising from its investigation into the supply of retail banking services to personal current account customers and to small and medium-sized enterprises in the UK. The CMA’s final report was published in August 2016. See the press release for a summary of the reforms and further detail on the Order.
The CMA has also recently published a guide for payday lenders to a number of the rights and obligations created by the Payday Lending Market Investigation Order 2015, which requires online payday lenders to publish details of their products on at least one price comparison website authorised by the FCA by 26 May 2017; and online and high street payday lenders to provide existing customers with a summary of their cost of borrowing.
Other news
In a statement published on 7 February 2017, the Economic Secretary to the Treasury confirmed the government’s agreement to the Law Commission’s recommendations for reforming the Victorian legislation on bills of sale, which allow individuals to use goods they already own as security for loans. The government has agreed to support the Law Commission in drafting legislation to enact the reforms.
The Consumer Finance Association has published its report A Modern Credit revolution: An analysis of the short-term credit market, providing an up-to-date assessment of the short-term credit market and analysing how the market has changed since the introduction of the price cap regulation in 2015.
It has been announced that a new integrated trade body will launch in the summer. The new financial services trade association will merge the Asset Based Finance Association, British Bankers’ Association, Council of Mortgage Lenders, Financial Fraud Action UK, Payments UK and the UK Cards Association.
The Lending Standards Board Standards of Lending Practice for business customers will be launched on 28 March 2017.
In the case of Banco Primus SA v Jesús Gutiérrez García on the interpretation of the Unfair Terms in Consumer Contracts Directive 93/13/EEC, the Court of Justice of the European Union (CJEU) provided guidance on the approach national courts should take when evaluating the potential unfairness of terms relating to the calculation of ordinary interest and accelerated repayment in secured loan agreements. Even where a lender has not enforced an accelerated repayment provision, the court is still obliged to assess whether it is fair and may declare it null and void as a result.
In BAWAG PSK Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse AG v Verein für Konsumenteninformation the CJEU considered whether information transmitted by a bank to its e-banking customers’ mailboxes on its website met the criteria to be considered as ‘provided’ on a ‘durable medium’ for the purposes of the Payment Services Directive 2007/64/EC.

Data Protection – February 2017
Latest on cyber security, the GDPR, international data transfers and more.
Launch of National Cyber Security Centre
The National Cyber Security Centre (based in London) was officially opened on 14 February 2017. This follows on from publication in November 2016 of the government’s National Cyber Security Strategy 2016-2021, setting out its plan to make Britain secure and resilient in cyberspace, with £1.9 billion to be invested over the next five years. Links to advice and guidance for organisations can be found here. In a speech delivered at the launch, Chancellor Philip Hammond spoke of how cyber attacks are increasing in their frequency, severity and sophistication. He referred to several recent high-profile incidents which serve as a reminder of the scale of damage that a single successful cyber attack can inflict.
Update on the General Data Protection Regulation (GDPR) and post-Brexit arrangements
At an EU Home Affairs Sub-Committee meeting on 1 February 2017, the Minister of State for Digital and Culture reiterated that the UK will implement the GDPR and that the government is keen to secure the unhindered flow of data between the UK and the EU post-Brexit (he expressed a similar view in relation to UK-US arrangements). The Minister explained that parts of the Data Protection Act 1998 will be repealed to ensure compatibility with the requirements of the GDPR and that he does not foresee any significant changes to UK data protection law post-Brexit, to provide the UK with the greatest possible chance of securing the free flow of data between the UK and the EU. It remains to be seen, however, whether or to what extent the UK will choose to mirror any changes that the EU makes to data protection law in the future, post-Brexit. In a recent speech, the UK Information Commissioner had this to say: “If I could give you just one piece of advice today, it would be not to put this off. The GDPR is happening”.
Latest on international data transfers – Model Contract Clauses and EU-US Privacy Shield
The Article 29 Working Party (WP29) has confirmed that Google’s contractual arrangements for international data transfers for its G Suite and Google Cloud Platform are in line with the European Commission’s Model Contract Clauses (one of the approved mechanisms – for now at least – for transferring personal data outside the European Economic Area). This means that Google’s European business customers will be able to rely on Google’s model clauses for the transfer of personal data, without the need for further authorisations.
Meanwhile, the Irish Data Protection Commissioner (DPC) is asking the Irish High Court to make a reference to the CJEU as to the validity of the Model Contract Clauses. Arguments in this much-anticipated case got under way in early February. The case goes back to a complaint made by Austrian national Max Schrems against Facebook in 2013, regarding the transfer of his personal data from Facebook Ireland to its parent company, Facebook Inc, in the US. Facebook was using the ‘Safe Harbor’ framework. In 2015, the CJEU ruled that the European Commission’s adequacy decision regarding Safe Harbor (i.e. that the US provided an adequate level of protection) was invalid. ‘Safe Harbor’ has since been replaced by the EU-US Privacy Shield. The DPC recently published an update on the current status of the proceedings.
Over 1,700 companies have now signed up to the Privacy Shield. As we reported previously, concerns were recently raised over its future following President Trump’s executive order potentially affecting the privacy protections of non-US citizens or permanent residents. While the US has sought to play down these concerns, the WP29 decided at its February meeting to write directly to the US authorities for clarification on the issue. See the WP29’s press release for more details on this and other topics discussed at the meeting, including the adoption of Privacy Shield complaint documentation, implementation of the GDPR and the work of the enforcement subgroup (which has initiated detailed inquiries into the processing of personal data processed via Windows 10 by Microsoft). The press release can be found in the ‘Updates’ section at the end of the following link. In other news, Human Rights Watch and the American Civil Liberties Union have written a joint letter to the European Commissioner for Justice, Consumers and Gender Equality urging her to re-examine whether the Privacy Shield and EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU in light of the recent developments in the US.
Concerns over proposed changes to Fourth Money Laundering Directive
The European Data Protection Supervisor (EDPS) has published an opinion assessing the data protection implications of the European Commission’s proposed amendments to the Fourth Money Laundering Directive ((EU) 2015/849). The amendments are aimed at tackling tax evasion in addition to money laundering. An executive summary is set out at page 3 of the opinion. The EDPS is concerned that the amendments introduce policy purposes other than countering money laundering and terrorist financing, and that these purposes do not seem to be clearly identified. The amendments also raise questions as to why certain forms of invasive personal data processing, acceptable in relation to anti-money laundering and the fight against terrorism, are necessary outside those contexts and whether they are proportionate.
Data subject access rights – recent case law
Data subject access requests, which an individual has a right to make under data protection law to find out what information a data controller holds about them, have been the subject of two recent decisions in the English courts. In Holyoake v Candy and another [1] the High Court considered, among other things, the claimant’s argument that one of the defendants had invalidly relied on the legal professional privilege exemption. In a judgment likely to be welcomed by data controllers, the judge was satisfied that legal professional privilege had been properly claimed, and it was not appropriate in the circumstances of this particular case to order the defendant to comply with the request. However, in Dawson-Damer and others v Taylor Wessing LLP [2] the Court of Appeal overturned an earlier High Court decision and ordered compliance. In a judgment likely to be welcomed by data subjects the court held, among other things, that Taylor Wessing (which had made a blanket assertion of legal professional privilege) had not shown that to comply with the request would involve disproportionate effort as all it had done so far was to review its files – disproportionate effort must involve “more than an assertion that it is too difficult to search through voluminous papers”.
Information Commissioner’s Office (ICO) and direct marketing
In further recent examples of the ICO’s crackdown on those who break the rules around direct marketing, one company was fined £20,000 for unlawfully trading personal information which resulted in 21,000 spam texts about payday loans being sent by the firm which had bought the information; and a credit broker was fined £120,000 for being responsible for millions of marketing texts sent without proper consent. In her recent briefing to the Lords Bill Committee on the Digital Economy Bill, the Information Commissioner welcomed the provision for a statutory direct marketing code which would make it easier to take enforcement action against organisations.
______________________
[1] [2017] EWHC 52 (QB)
[2] [2017] EWCA Civ 74

Health and Safety – February 2017
Sentencing news and recent cases, product recalls and safety.
Sentencing
National furniture chain DFS Trading Limited is the latest company to be fined £1 million or more for health and safety offences. It was fined £1 million after a worker suffered serious neck and head injuries when unloading wooden furniture frames at one of its sites. The court heard that a number of near misses had been reported in relation to unsecured loads. The inspector for the Health and Safety Executive (HSE) said: “DFS is a large national organisation. The fundamental and systemic failings identified in their health and safety management systems is far from what would be expected from a company of their size who has the ability to deliver higher standards of safety”. Other high-profile companies on the receiving end of substantial fines recently include Wilko Retail Limited (£2.2 million) and Warburtons Limited (£2 million). It is notable that in each case the offence did not result in a fatality. These are only the latest in an increasing number of companies fined £1 million or more since the new sentencing guidelines came into force in England and Wales in February 2016.
A construction equipment hire company was fined £800,000 after a worker died when the hydraulic cylinder he was testing cracked under pressure causing a piece of metal to strike him in the head. The HSE investigation found, among other things, that the company did not have adequate supervision in place for the task and had failed to inform the worker of the safe working pressure for the cylinder.
A London bus company was fined £600,000 after a worker was killed falling from a ladder. The HSE investigation found that the company did not implement and keep to its own procedures for managing contractors.
The director of a construction company has been imprisoned for eight months and disqualified from being a company director for seven years after failure to take appropriate action resulted in a worker receiving serious burns. The HSE inspector involved said: “We hope this sentence sends out a message that directors of businesses must take their health and safety responsibilities seriously”. This case serves as a reminder that, under section 37(1) of the Health and Safety at Work Act 1974, individuals can also be held criminally liable where the company’s offence is proved to have been committed “with the consent or connivance of, or to have been attributable to any neglect on the part of, any director, manager, secretary or other similar officer of the body corporate or a person who was purporting to act in any such capacity”. Where the company’s affairs are managed by its members, the same applies in relation to the acts and defaults of a member in connection with their functions of management as if they were a director. A director convicted of such a breach can also be disqualified from being a director for a maximum of 15 years.
Recent cases have stressed the importance of proper planning:
- A London construction firm was fined £450,000 after four workers fell more than three and a half metres whilst carrying a ventilation unit on an overloaded working platform. Neither the work at height nor the lifting operations were planned properly and the safety failings were severe. The HSE inspector said that the incident “highlights the importance of planning work, in this case both for lifting operations and working from height, to ensure it is carried out safely”.
- A self-employed businessman received a suspended sentence after an employee fell from the roof he was working on and died. A joint police and HSE investigation found that the work was not properly planned in order to ensure it could be carried out safely.
Product recalls and safety
Consumer group Which? says that the government must urgently address issues with the product safety system, after Trading Standards took enforcement action against Whirlpool in relation to long-running fire safety concerns with certain models of tumble dryer. Which? has now dropped its judicial review action against Trading Standards after Whirlpool changed its advice to customers, telling them to unplug and not use the affected appliances until they are repaired. Which? is still pressing for a full product recall and a petition calling on the government to urge Whirlpool UK to recall all faulty tumble dryers has received over 57,000 signatures. The government has responded and, if the number of signatures reaches 100,000, the petition will be considered for parliamentary debate.