Regulatory round-up – July 2017


Consumer and Retail Finance – July 2017
The FCA’s recent flurry of activity, including extending the Senior Managers and Certification Regime, and other sector news.
Financial Conduct Authority (FCA)
We have seen a flurry of activity over the past month.
On 31 July 2017, the FCA published the feedback statement from its review into high-cost credit. It says that the review provides clear evidence that FCA regulation of high-cost short-term credit has delivered substantial benefits to consumers. The FCA has decided to leave the existing payday loan price cap in place and not to extend it to encompass any other products at this stage. The cap will be subject to review again in 2020. The review highlighted concerns with other high-cost credit products, including in relation to unarranged overdrafts and rent-to-own, home-collected credit and catalogue credit sectors. A consultation will follow in spring 2018. On the same day, the FCA published its consultation paper on proposed changes to the rules and guidance on assessing creditworthiness in consumer credit. Comments are requested by 31 October 2017. See the press release for links to both documents. The FCA has also published an occasional paper “Preventing financial distress by predicting unaffordable consumer credit agreements: An applied framework”.
On 26 July 2017, the FCA published its consultation paper on extending the Senior Managers and Certification Regime to all firms authorised under the Financial Services and Markets Act 2000. The proposals affect almost all financial services firms (including limited permission consumer credit firms) and their staff. Comments are requested by 3 November 2017. See our recent briefing for further details.
The FCA also recently published the findings from its thematic review of staff incentives, remuneration and performance management in the consumer credit sector. It is consulting on a proposed new rule and guidance (CONC and non-Handbook) to help ensure that firms take appropriate steps to identify and mitigate the risks arising from the way their staff are paid and managed. Comments are requested by 4 October 2017. See our recent briefing for further details.
The FCA has analysed responses to its Call for Input on the planning phase of the review of retained provisions of the Consumer Credit Act. It intends to publish a summary of the responses and outline the scope for the review.
It has now published a policy statement on “FCA regulated fees and levies 2017/18”, including feedback on the consultation and ‘made rules’. Fee-payers were due to be invoiced from July onwards for their 2017/18 periodic fees and levies. See the “Next steps” section on page 9 for further details.
In a recent speech, FCA Chief Executive Andrew Bailey talked about retail banking in the UK, which he described as “a big agenda of work for the FCA”. In addition to the feedback statement on high-cost short-term credit, in July 2017 alone we have seen publication of a thematic review on “Customer understanding: Retail banks and building societies” (which will inform the FCA’s strategic review of retail banking business models) and the findings from the FCA’s review of how firms handle complaints about packaged bank accounts.
The FCA consulted on enhancing conduct of business rules for firms providing contract for difference products to retail clients in late 2016/early 2017. It recently published a statement providing an update on the consultation and its policy work in this area.
The FCA announced a number of changes to its Advice Unit (part of Project Innovate), including expansion of the Unit’s scope to firms developing automated advice models within the mortgage, general insurance and debt advice sectors.
It also recently issued a statement on the use of the interbank rate in online currency converter tools, following concerns that payment and e-money institutions may have used such tools in a misleading way.
On 27 July 2017, the FCA reported that Lloyds Banking Group has agreed to set up a redress scheme for mortgage customers who incurred fees after they fell behind with their mortgage payments.
In relation to anti-money laundering, the FCA published its finalised guidance on the treatment of politically exposed persons for anti-money laundering purposes. It expects firms to take appropriate but proportionate measures in meeting their financial crime obligations and the guidance provides clarity on how firms should apply the definitions of a politically exposed person in the money laundering regulations in the UK. The FCA published a number of separate reports on 5 July 2017 alongside its annual report and accounts for 2016/17, including one on Anti-money laundering.
The House of Lords secondary legislation scrutiny committee raised concerns about the lack of effective Parliamentary scrutiny of the new money laundering regulations which came into force on 26 June 2017. It has now published correspondence with the Economic Secretary to the Treasury on this issue.
Feedback from the FCA’s consultation on proposed amendments to the Decision Procedure and Penalties Manual and Enforcement Guide in light of the new regulations has been published in Handbook Notice 46.
In addition, HM Revenue & Customs has published updated anti-money laundering guidance for money service businesses and the FCA has published a webpage on the notification requirements in the money laundering regulations for FSMA-authorised firms.
Finally, HM Treasury is consulting until 16 August 2017 on the impact and drafting of regulations intended to improve oversight of the anti-money laundering supervisory regime. At the same time, the FCA is consulting on a sourcebook for professional body supervisors on anti-money laundering supervision. The FCA consultation closes on 23 October 2017.
Other news
The PRA published a Statement on consumer credit following its review of consumer credit lending, which examined PRA regulated firms’ asset quality and underwriting practices for credit cards, unsecured personal loans and motor finance. The statement summarises the review’s findings (see section 2) and outlines issues arising for PRA-regulated firms that provide consumer credit to consider and act upon. The review highlighted concerns across all three consumer credit markets.
In a recent speech, the Executive Director for Financial Stability Strategy and Risk at the Bank of England considered recent developments in household debt, noting the very rapid growth of consumer credit, with outstanding car loans, credit card balance transfer and personal loans having increased by 10% in the past year.
A Creditworthiness Assessment Bill – to require certain matters to be taken into account when assessing a borrower’s creditworthiness – had its first reading in the House of Lords on 28 June 2017.
We reported in the previous update that the Queen’s Speech included plans for a Financial Guidance & Claims Bill to (among other things) establish a new body with responsibility for coordinating the provision of debt advice, money guidance, and pension guidance. The government has since published the response to its December 2016 consultation on this topic, reporting that the majority of respondents welcomed the proposed changes. The Bill itself has now reached the committee stage in the House of Lords, the first chance for line by line scrutiny of the proposals.
We also reported that the government intends to repeal the Victorian legislation on bills of sale and replace it with a Goods Mortgage Act enabling individuals to use their existing goods (for example, their car) as security for a loan, while retaining possession. The Law Commission is now consulting on draft clauses intended to form part of the new Bill.
The government has announced a new regulatory regime for FinTech firms from January 2018 which will allow them to access data from all of an individual’s bank accounts, at the individual’s request. This could lead to a range of innovations giving consumers greater control over their bank data and financial decisions. This development comes from the revised EU Payment Services Directive (known as PSD2), which will be implemented in the UK through the Payment Services Regulations 2017. These have now been published. Consumers will also see the end of card-charging. The FCA published its main consultation on implementing PSD2 in April 2017. It recently published a follow-up consultation on authorisation, registration and reporting forms.
The Financial Services Consumer Panel has published a position paper on consumers and competition, following on from an evidence review and consumer survey commissioned last year to inform and stimulate debate about consumers’ role in driving competition in retail financial services markets.
UK Finance, the new financial services trade association, launched on 3 July 2017. It merges the Asset Based Finance Association, British Bankers’ Association, Council of Mortgage Lenders, Financial Fraud Action UK, Payments UK and the UK Cards Association. On 20 July 2017, UK Finance published the latest update to its Access to Banking Standard, which aims to help minimise the impact of bank branch closures on customers and local communities.
The Banking Standards Board launched a consultation paper on proposed supporting guidance to help firms identify and deal with the risks and issues that may arise when assessing staff fitness and propriety for the purposes of the Certification Regime.
Over in Europe, a recent decision of the European Court of Justice confirms that the debt recovery practices of third party debt collection agencies can fall within the scope of the Unfair Commercial Practices Directive.

Data Protection – July 2017
Update on GDPR, Privacy Shield, international transfers of data, latest from the ICO and more.
Update on the General Data Protection Regulation (GDPR)
We had been expecting the Information Commissioner’s Office (ICO) to publish its final consent guidance in the summer. However, its “Guidance: what to expect and when” webpage was recently updated to say that the final version will not be published until after the Article 29 Working Party (WP29) has agreed its Europe-wide consent guidelines. The latest timetable for the WP29 consent guidelines to be agreed and adopted is December 2017. In the meantime, the ICO has announced that it intends to publish a summary of the responses to its draft consent guidance consultation.
A group of European trade associations has written to the European Commission and the WP29 Chair, expressing concerns over the WP29’s stakeholder consultation process in respect of GDPR guidelines. It calls on the WP29 to work to ensure that the final guidelines are developed as swiftly as possible and that a reasonable consultation period is set. The group notes that GDPR and the associated guidelines will have a wide-ranging and fundamental impact on the financial services industry and that the industry needs to receive guidance in a timely manner to prepare for GDPR taking effect on 25 May 2018. It says that, at present, there are no indications of when or if stakeholder feedback would be expected through a timetable or roadmap, and it believes that the WP29’s consultation processes, which have taken place so far with 30-day deadlines to respond, have been much too short. It is also concerned that the guidelines effectively introduce additional rules to what is required under GDPR.
To date, the WP29 has published final, adopted guidelines on the right to data portability, data protection officers, and identifying a controller or processor’s lead supervisory authority. A consultation on draft guidelines on high risk processing and data protection impact assessments closed in May 2017.
We reported previously that the UK’s Information Commissioner participated in March 2017 in a wide-ranging evidence session before the EU Home Affairs Sub-Committee on the topic of the EU Data Protection Package. At that session, the Commissioner spoke of the importance of obtaining an adequacy decision post-Brexit (considered the most straightforward process to ensure the continued flow of data between the EU and the UK) and the importance of the UK’s status and influence on the European Data Protection Board (EDPB), which will make decisions about data processing that impact on UK citizens. The Sub-Committee has now published its report which considers the implications of the UK’s exit from the EU for cross-border data transfers and for UK data protection policy more generally. A summary of conclusions and recommendations is set out at the end of the report.
Among other things, the report says that the government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome (the Sub-Committee was “struck by the lack of detail in the government’s assurances thus far”). It recommends that the government should seek adequacy decisions to facilitate UK-EU data transfers post-Brexit, and urges it to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data sharing, pending the adoption of adequacy decisions (to avoid a “cliff edge” on exit day). The report notes that securing unhindered data flows with the EU may require the UK to demonstrate that it has put arrangements in place with the US that afford the same level of protection as the EU-US Privacy Shield and the EU-US Umbrella Agreement (which will no longer apply in the UK), and that maintaining unhindered data flows with the EU post-Brexit could require the UK to continue to align its domestic data protection rules with EU rules that it no longer participates in setting. It says it is imperative that the government considers how best to replace the structures and platforms from which the UK has been able to influence EU rules on data protection and retention and it should start by seeking to secure a continuing role for the ICO on the EDPB.
The ICO recently published its first ever International Strategy, designed to help it meet overseas data protection challenges including increased globalism, changing technology, GDPR and Brexit.
Fees payable to the ICO
In the evidence session before the EU Home Affairs Sub-Committee in March 2017, the ICO stated that a proposal had been submitted to Parliament for an alternative fee structure to replace the annual notification fee which will cease to apply under GDPR.
On 31 July 2017, sections 108 to 110 of the Digital Economy Act 2017 came into force. These sections give the Secretary of State the power to make regulations requiring data controllers to pay fees of an amount which is yet to be specified… watch this space.
More from Europe…
The WP29 has published an Opinion on data processing at work, which assesses the balance between the legitimate interests of employers to protect their business and the reasonable privacy expectations of employees, in the context of the risks posed by new technologies. The document can be found under the ‘Letters, Opinions and other documents’ heading on the WP29’s website.
The Opinion makes it clear that where employers use social media profiles, either as a vetting process for job applicants or as part of the ongoing monitoring of their workforce, they need to make sure that what they do is transparent, necessary and proportionate. This means that employers have to tell job applicants and employees in advance that their social media profiles may be reviewed. Employers must also be clear what they are trying to achieve by checking social media profiles in this way and satisfy themselves that this is the most appropriate way of achieving that objective. They will also need to be sure that they have a lawful ground for collecting data in this way, bearing in mind that asking the individual for consent is unlikely to be sufficient.
The Opinion also reminds employers that simply because a social media profile is publicly available does not mean that they are allowed to access and use that data for their own purposes. This echoes the guidance issued by the ICO to the political parties just before the General Election that public information is “not fair game”.
Privacy Shield
A delegation from the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs recently visited Washington DC for the first time during the Trump presidency. While all parties reiterated their continued commitment to making the EU-US Privacy Shield work, the Chair of the Committee stressed that “deficiencies still remain which need to be urgently resolved to ensure that the Privacy Shield doesn’t suffer from critical weaknesses.” See the press release here. The first annual joint review of the besieged data transfer agreement is due to be held in September 2017 (see our earlier briefing for further details).
We reported previously that Human Rights Watch and the American Civil Liberties Union wrote a joint letter to the EU’s Commissioner for Justice, Consumers and Gender Equality urging her to re-examine whether the Privacy Shield and EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU. On 26 July 2017, Human Rights Watch and Amnesty International wrote a joint letter urging the Commission to, among other things, re-evaluate its Privacy Shield adequacy decision. The letter enclosed a briefing setting out their detailed assessment of US legal authorities and surveillance activities and conclusions regarding why they fail to provide an adequate level of protection for the purposes of EU law.
International transfers of data
The European Court has also delivered its opinion on the proposed agreement between the EU and Canada on the transfer and processing of passenger name record data. The Court found that there were a number of issues with the agreement which mean that it is incompatible with the EU Charter of Fundamental Rights and it therefore cannot be entered into in its current form, including:
- the agreement does not specify sufficiently the scope of the data to be transferred
- there is no “precise and particularly solid” justification for the transfer of sensitive personal data
- the agreement should only allow data to be retained in relation to passengers who have left Canada if there is objective evidence that they “may present a risk in terms of the fight against terrorism and serious transnational crime”.
The Court’s opinion has implications for the validity of the existing Passenger Name Record agreements in place between the EU and the US and the EU and Australia.
It also illustrates the approach the Court may adopt in relation to both the challenges to the Privacy Shield which are currently proceeding before it and any referral from the Irish High Court in respect of the model contract clauses.
The Court’s opinion should also be taken into account in the forthcoming first annual joint review of the Privacy Shield.
Latest from the ICO, including direct marketing and enforcement action
We reported previously that the ICO had updated its guidance for organisations on dealing with data subject access requests (DSARs), to reflect recent Court of Appeal decisions on the use of DSARs in litigation and the efforts required in searching. The ICO’s blog post on this topic highlights that changes have also been made to the ICO’s CCTV code of practice and guide to data protection in light of these decisions.
In relation to direct marketing, loan firm Provident Personal Credit Limited – responsible for sending nearly a million nuisance text messages – was fined £80,000 by the ICO. It had employed third party affiliate companies to send unsolicited text messages on its behalf to promote personal loans. Moneysupermarket was also fined £80,000 after it sent millions of emails to customers who had previously opted out of direct marketing.
In the first seven months of 2017, the ICO has issued 39 monetary penalties totalling £2,737,500, compared to the 32 monetary penalties totalling £3,121,500 issued by the ICO in the whole of 2016. Please click here for further details.
These fines reiterate the ICO’s recent message to organisations to ensure that they have the appropriate consents in place for sending unsolicited marketing communications and to refresh these to ensure they meet the higher threshold for consent under GDPR where necessary. An ICO fine of £50,000 issued to a lead generation and data brokerage business for instigating the sending of unsolicited marketing texts about debt, was reduced to £20,000 taking into account the company’s size, the fact that it was its first contravention and the fact that it was the first and only time it had conducted such a direct marketing campaign. At the time of the contravention, the company’s turnover and profit appeared to have increased substantially, and this was a factor in setting the appropriate penalty [1].
On 6 July 2017, the Fundraising Regulator launched the Fundraising Preference Service, which will enable individuals to block direct marketing communications from named charities.
In other recent news: the ICO fined a video game rental firm £60,000 after it failed to take basic steps to stop its website being attacked; a recruitment manager was prosecuted and fined after he illegally disclosed job applicants’ personal information to a third party employment agency; and the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind in a clinical trial. Patients were not adequately informed that their data would be used as part of the test. The ICO published a blog post setting out four lessons that NHS Trusts can learn from this case, but the principles apply equally to companies in the private sector. On the subject of healthcare, the government has responded to the National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs and the Care Quality Commission’s Review ‘Safe Data, Safe Care’.
__________________________
[1] LAD Media Ltd v Information Commissioner [2017] UKFTT 2017_0022

Health, Safety and Environmental – July 2017
£8 million Tesco fine; focus on £1 million-plus fines; product recalls and safety and more.
Tesco given £8 million fine for serious pollution incident…
In June 2017, Tesco Stores Limited was ordered to pay over £8 million in fines and costs following a serious pollution incident in July 2014, in which approximately 23,500 litres of petrol escaped from a petrol filling tank at a Tesco-operated petrol station causing a “massive impact” on the local community and environment. A joint investigation by the Environment Agency (EA) and others found that the incident “resulted from Tesco’s failure to address a known issue with part of the fuel delivery system and an inadequate alarm system and was compounded by poor emergency procedures.” See the EA’s full press release here. An EA Environment Manager said that the sentencing “sends out a clear message to anyone whose recklessness causes serious pollution to the environment – we will be relentless in our investigations and take action wherever needed.” The company pleaded guilty in relation to offences under both health and safety and environmental legislation, attracting fines of £5 million and £3 million respectively.
… as £1 million-plus fines continue to bite
In recent weeks we have continued to see a steady flow of yet more fines of £1 million or more imposed for health and safety offences:
- A Sheffield steel company was fined £1 million after a worker was severely burnt, suffering life-changing injuries, following the explosion of an oxygen pipe.
- A chemical company was fined £1.2 million after two people suffered minor injuries when an explosion occurred during the operation of a newly installed hydrochloric acid burner. The company pleaded guilty to breaching Regulation 4 of the Control of Major Accident Hazards (COMAH) Regulations 1999.
In both of these cases, the Health & Safety Executive (HSE) inspector involved said: “This incident could have been avoided if simple checks had been carried out. Duty holders should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standard.”
- Warburtons Limited was fined £1.9 million after an agency worker became trapped against a running conveyor belt when cleaning parts of the bread line. HSE inspectors found that the machine could have been fitted with guarding to prevent access. This follows hot on the heels of the company’s £2 million health and safety fine earlier this year after a worker fell from the top of a mixer.
- United Lincolnshire Hospitals NHS Trust was fined £1 million after a patient died following a collapse onto an exposed metal post on the standing aid hoist being used to support him. An HSE investigation found that staff had not received effective training and monitoring and unsafe practices had developed.
- Aldi Stores Limited was fined £1 million after a delivery driver was injured at one of its stores while using a powered pallet truck. Council officers found that Aldi’s training ought to have had a more formal structure and the Council said that the “level of fine reflects the seriousness of the failings within the company.”
Organisations across all sectors should take note that this brings to 28 the number of fines of £1 million or more imposed by courts in England and Wales for health and safety offences since the new sentencing guidelines were introduced in February 2016.
HSE publishes annual figures for fatal accidents in the workplace
The HSE has released annual data concerning work-related fatalities, showing that the period between April 2016 and March 2017 was the second lowest year on record. The long-term downward trend in the number of fatalities has shown signs of levelling off in recent years. The construction sector accounts for the largest share.
Product recalls and safety – working group sets out recommendations
On 19 July 2017, the government-backed working group on product recalls and safety – tasked with developing options to improve the system of product recalls and safety – published a report setting out its recommendations. See the press release with a link through to the full report. The government is expected to formally respond in the autumn.
Food Standards Agency (FSA) publishes plans to change food regulation
On the same day, the FSA published a paper setting out its proposals for transforming the way food businesses are regulated in England, Wales and Northern Ireland. These include an enhanced system of registration for all food businesses, on the basis of which the FSA will apply proportionate, risk-based controls.
New rules on food and soft drink advertising to children now in force
New rules banning the advertising of high fat, salt or sugar food or drink products in children’s media came into force on 1 July 2017. The rules apply to all non-broadcast media, including social media. The Committee of Advertising Practice has published a toolkit for businesses to aid compliance.