Regulatory round-up – November 2016


Consumer and Retail Finance – November 2016
Latest updates from the FCA, what’s coming up in 2016 and news from the CMA.
Financial Conduct Authority (FCA)
The FCA has published its revised proposed guidance on guarantor loans (GC16/7), concerning the enforcement of security under the Consumer Credit Act 1974 (CCA), including the section 87 requirement to serve a default notice before taking certain actions following breach of a regulated agreement. The original proposed guidance published in its February 2016 consultation reversed the FCA’s earlier position that service of a default notice on a guarantor was not required prior to taking or demanding payment from the guarantor. The FCA has moderated its approach compared with the original proposed guidance:
- lenders will not be able to demand payment from a guarantor or take payment via use of a continuous payment authority (CPA) without notice unless they have first issued a section 87 default notice;
- a lender can, however, receive a voluntary payment made by a guarantor who has been notified of the borrower’s default provided such payment is made without any element of compulsion and can request payment from the guarantor without first issuing a default notice;
- taking payment from a guarantor via use of a previously set up CPA or direct debit would not amount to enforcement requiring a section 87 default notice to first be issued provided the guarantor is pre-notified before payment is taken and has the opportunity to object or cancel the CPA/direct debit.
The FCA has also recently published a guidance consultation on the treatment of customers with mortgage payment shortfalls (GC16/6), primarily aimed at residential mortgage lenders and administrators of regulated mortgage contracts. The guidance covers remediation for customers who may have been affected by the way firms calculate their monthly mortgage instalments. A list of questions is contained in the Annex to the publication and comments on these and any other relevant issues are requested by 18 January 2017.
The FCA intends to review the price cap on high-cost short-term credit (HCSTC) in the first half of 2017. It has now decided to expand this work to look at high-cost products as a whole. A call for input was published yesterday. Evidence and feedback on the following is requested by 15 February 2017: high-cost credit products; overdrafts; the HCSTC price cap; and repeat and multiple HCSTC borrowing. In a recent report on the impact of the FCA rules on the payday loan industry, StepChange Debt Charity urged the FCA to look closer at responsible lending measures in the HCSTC market.
Updated consumer credit information sheets have been published and are effective from 18 January 2017. As required by section 86A of the CCA, lenders must include a copy of the relevant information sheet when notifying a consumer that they are in arrears or default. Firms must use the current versions until 17 January 2017.
The FCA is consulting on its future Mission, with the aim of setting out a clear path for the future of financial conduct regulation in the UK. The consultation includes sections on protecting consumers, vulnerable consumers, and whether there is a need for a more specific Handbook review. The FCA is seeking input on its approach and a list of questions is contained in the Annex to the publication. Comments on these and any other relevant questions the Mission should address are requested by 26 January 2017.
The FCA has published high-level guidance for consumer credit firms on how to protect themselves from financial crime. It is particularly relevant for those firms which are new to being regulated by the FCA. The aim is to enhance understanding of the FCA’s expectations and to help consumer credit businesses assess the adequacy of their financial crime system and controls.
In the recent case of Dr Saim Köksal t/a Arcis Management Consultancy v FCA the Upper Tribunal (Tax and Chancery Chamber), having upheld the FCA’s decision to refuse an application to vary existing permission to carry on certain regulated activities, went on to comment (at paragraph 161 of its decision) that the FCA “could perhaps be more helpful when it is clear that a firm is struggling with the complexity and opaqueness of some of the regulatory provisions and give a clear steer as to what matters fall within the scope of the [FCA]’s regulation and which do not”, noting, for instance, that “the perimeter guidance from the [FCA] is somewhat limited when it comes to consumer credit related activities”.
Coming up in 2016…
- The FCA’s final rules for price comparison websites comparing HCSTC products come into force on 1 December 2016.
- The FCA is due to publish consultations on updating and clarifying consumer credit reporting provisions and on assessing affordability and creditworthiness. We also expect to see the results of the FCA’s thematic review of staff remuneration and incentives in consumer credit firms and of early arrears management in unsecured lending, and an update on the progress of the FCA’s review of the retained provisions of the CCA. Feedback on the FCA’s latest quarterly consultation, which included proposed changes to the APR assumptions for consumer credit, is expected in December 2016.
- The FCA’s new rules on reporting financial crime come into force on 31 December 2016. Watch out for our separate briefing on this topic.
Competition and Markets Authority (CMA)
The CMA has published new guidance for businesses on the Consumer Rights Act 2015, after research amongst UK businesses revealed that 54% of those surveyed do not fully understand the rules on unfair terms, which directly impacts how they treat their customers.
The government and the FCA have each published their response to the recommendations made by the CMA following its market investigation into the supply of retail banking services to personal current account customers and to small and medium-sized enterprises in the UK. The CMA’s final report was published in August 2016.

Data Protection – November 2016
Latest news on the GDPR, the EU-US Privacy Shield, data sharing, cyber security and more.
General Data Protection Regulation (GDPR) – Brexit doesn’t mean Brexit
The government has now confirmed that, for data protection at least, Brexit doesn’t mean Brexit and the UK will be implementing the GDPR. For further information about this legislation and what it means for businesses, see our briefing General Data Protection Regulation: What you need to know now.
The Information Commissioner’s Office (ICO) is due to publish a revised timeline setting out what areas of guidance it will be prioritising over the next six months. It has already produced an overview of the GDPR, issued a useful 12 step plan and published a new privacy notices code of practice.
European-level guidance on data protection officers, data portability and identifying your lead supervisory authority is also expected from the Article 29 Working Party by the end of 2016, with further guidance on data protection impact assessments hopefully in February 2017.
The Information Commissioner recognises that there may still be questions as to how the GDPR will work on the UK’s exit from the European Union, and has said that the ICO “will be working with government to stay at the centre of these conversations about the long term future of UK data protection law…”.
Watch out for Walker Morris’ upcoming series of guides to help businesses plan ahead for implementation.
EU-US Privacy Shield faces two legal challenges
Privacy advocacy groups in Ireland and France are seeking to have the EU-US Privacy Shield, the framework governing transatlantic exchanges of personal data for commercial purposes which replaced Safe Harbor, annulled in two separate actions before the European court. Details of the action brought by Digital Rights Ireland in September have now been published in the EU’s Official Journal. The group is challenging the European Commission’s ‘finding of adequacy’ that US organisations signing up to the Privacy Shield provide an equivalent level of protection for EU personal data transferred to the US.
It is widely anticipated that it will be at least a year before the European court rules on either the challenges to the Privacy Shield or the EU Model Clauses (which are also being referred to the European court).
The Commission has also recently released its proposed amendments to the Model Clauses.
US organisations should carry out a cost-benefit analysis of the various available transfer mechanisms and decide in accordance with their risk appetite whether they register under the Privacy Shield, adopt the model contract clauses, incorporate both into their compliance programme or use alternative mechanisms. EU organisations should ensure that adequate protections are in place for any EU personal data which they transfer outside of the European Economic Area.
See our newsflash EU-US Privacy Shield challenged before the European court for further details.
Data sharing – WhatsApp, Facebook and Yahoo
Since our article Facebook, WhatsApp and the controversies of data sharing, the ICO has provided an update on its investigation into WhatsApp’s approach to sharing customer information with its parent company, Facebook.
In the latest development, Facebook has agreed to pause using data from UK WhatsApp users for advertisements or product improvement purposes.
The Article 29 Working Party set out in a press release details of its recent letters to WhatsApp (regarding its updated terms of use and privacy policy) and to Yahoo (regarding its 2014 data breach and the scanning of customer emails for intelligence purposes). An enforcement sub-group has been set up to exchange views on enforcement actions in cross-border cases.
Cyber security
The government has published its National Cyber Security Strategy 2016-2021, setting out its plan to make the UK secure and resilient in cyberspace. £1.9 billion will be invested over the next five years. The document highlights businesses’ responsibility to safeguard the assets they hold, maintain the services they provide, and incorporate the appropriate level of security into the products they sell, stressing that if they are the victim of a cyber attack, they are liable for the consequences.
The ICO responded in October to the recommendations set out in the Culture, Media and Sport Committee’s June report on cyber security. It has also published a link answering various questions on the issue and what organisations need to do.
This follows on from the record £400,000 fine issued to TalkTalk by the ICO for security failings which allowed a 17-year-old boy showing off to his friends to access customer data “with ease”. In addition to the record fine, TalkTalk estimated that the attack cost them £60 million and 101,000 customers. A recent cyber attack has also resulted in Tesco Bank paying out £2.5 million to 9,000 customers who had money stolen from their accounts.
It is essential that businesses take information security seriously; consumers are increasingly aware of data protection issues and their rights, and as demonstrated by TalkTalk’s customers, they are willing to vote with their feet if they don’t believe that businesses are looking after their personal data properly.
Direct marketing
A company was recently fined £20,000 by the ICO after sending thousands of spam texts to individuals promoting cash loans. The ICO has previously published guidance explaining the rules on direct marketing under the Data Protection Act 1998 and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), with a focus on calls and texts to individuals.
Another company – providing a loan matching service – was recently fined £70,000 and ordered to stop by the ICO, after sending out 2.2 million illegal marketing text messages in breach of the PECR.
The government announced on 23 October 2016 that from Spring 2017 the ICO will have powers to hold company directors directly responsible for breaches of the PECR. Each director could be liable for a fine of up to £500,000.
Digital communication
In the recent case of Patrick Breyer v Bundesrepublik Deutschland, the European Court of Justice ruled that dynamic IP addresses registered by online media services providers (e.g. website operators) constitute ‘personal data’ under EU data protection law where the provider has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.
The European Data Protection Supervisor has since published new guidelines on the protection of personal data processed by mobile applications and through web services. The guidelines are aimed at the EU institutions, but contain practical advice which businesses may find useful.

Health and Safety – November 2016
Sentencing and recent cases, latest HSE statistics and recent action on product recalls and safety.
Sentencing
A chemical company was fined £3 million following the release of a toxic vapour cloud on two separate occasions. The Health and Safety Executive (HSE) said that the company still did not learn lessons from the initial incident in 2010 which killed one employee, caused life changing injuries to another, and could have caused a local disaster. As we reported in our earlier briefing, the new sentencing guidelines introduced in February 2016 are already having a profound impact on the sentencing of businesses convicted of health and safety offences.
A port terminal operator has successfully appealed the £1.8 million fine it received following an incident in which a worker was seriously injured when his left hand got caught under a rope and his arm was dragged around the capstan he was using while mooring a vessel [1]. The company was fined in January 2016, just before the new sentencing guidelines came into force. Key points are:
- the sentencing judge’s conclusion that there was a risk of serious injury by use of the capstans and that such a risk was clearly foreseeable was correct
- in the pre-guideline regime governing this type of case it is well established that consistency is not a primary aim in this area of sentencing – attempts to make comparisons with other cases were not helpful
- beyond the mitigation of the company’s guilty plea, co-operation and action to remedy failures identified, there was also mitigation in the company’s general attitude to health and safety matters and its absence of previous convictions
- the need for a fine to be of a size which would achieve the statutory purposes of sentencing by bringing home to a company’s directors and shareholders the gravity of an offence or offences committed and by providing a real incentive to directors and shareholders to remedy failures which had existed, appeared to the Court of Appeal to be a highly material factor in sentencing a relatively prosperous company such as this one, where there had been serious failings resulting in a very serious injury to an employee (the latest figures showed turnover of £23.3 million and gross profits of £10.3 million)
- looking at all the circumstances, including the significant mitigation available to the company, a fine of £1.8 million was simply too high, even making allowance for the need to send an appropriate message to directors and shareholders. An appropriate financial penalty of £750,000 was reduced to £500,000 after giving full credit for an early guilty plea.
HSE statistics
The HSE recently published its Health and safety at work summary statistics for Great Britain 2016. The number of cases prosecuted by the HSE and, in Scotland, the Crown Office and Procurator Fiscal Service, has shown an upward trend in recent years. It is also interesting to note that, while there has been a long-term downward trend in the rate of fatal injury, this shows signs of levelling off.
Product recalls and safety
A government-backed working group on product recalls and safety, set up in October following a serious fire involving a faulty Whirlpool tumble dryer, met for the first time earlier this month. The meeting was attended by the Consumer Minister Margot James. The aim of the group is to deliver urgent recommendations to improve the safety of white goods. See the full press release here.
___________________
[1] Regina v CRO Ports London [2016] EWCA Crim 1589