Regulatory round-up – September 2017


Consumer and Retail Finance – September 2017
Latest from the FCA including customer complaints handling and payment services, and other sector news.
Financial Conduct Authority (FCA)
The FCA has published a Dear CEO letter for the attention of all firms engaged in consumer credit activities, regarding the handling of customer complaints. The letter follows a review by the FCA into how firms approach and deal with customer complaints. It found examples of material non-compliance and other concerning practices, details of which are set out in the letter. The following main concerns were identified:
- a failure to provide the required information to customers about the Financial Ombudsman Service (including a failure to provide details of the complainant’s right to refer to the ombudsman if they remain dissatisfied);
- a failure to provide a clear explanation, to the complainant, of the outcome of the complaint and why this outcome had been reached;
- a lack of management controls.
The letter reminds firms that the FCA’s Dispute Resolution rules (DISP) apply to all sizes of firm. The FCA expects firms to take action now, by reviewing how complaints are identified, recorded, and dealt with, and how this is communicated to customers (considering in particular the areas set out in the letter). Firms are reminded that they must be able to evidence compliance with the applicable regulatory requirements. There is no requirement to notify the FCA of the outcome of the review, but it is important to note that the FCA may ask for evidence of compliance, which includes details of any review carried out as a result of the letter. Firms are warned that serious failings could lead to formal enforcement action.
In a recent speech, “Culture and conduct – extending the accountability regime”, the FCA’s Director of Supervision for Retail and Authorisations discussed, among other things, the Senior Managers and Certification Regime (SM&CR) and what it aims to achieve. He expressed his hope that SM&CR would be “a good thing for firms as well as customers and markets. It is the antidote to decision-making by default, fostering clear accountability and thinking”. The FCA is currently consulting on the extension of SM&CR to all firms authorised under the Financial Services and Markets Act 2000 (see our earlier briefing for details).
The FCA has finalised the revised EU Payment Services Directive (PSD2) requirements. PSD2 will be implemented in the UK through the Payment Services Regulations 2017, which come into force on 13 January 2018. PSD2 will affect all payment services providers, both firms which are already authorised or registered under the existing Payment Services Regulations, and those that are seeking authorisation or registration. Firms can apply to be authorised or registered under the new regulations from 13 October 2017. The FCA has updated its PSD2 webpage and this explanatory press release contains links to the recently published PSD2 Policy Statement and Approach Document. The Payment Systems Regulator has also confirmed its approach to monitoring and enforcement of the new rules.
We reported in an earlier edition of the Regulatory round-up that the FCA was proposing changes to the Conduct of Business Sourcebook and the Mortgages and Home Finance: Conduct of Business Sourcebook, as part of its ‘Smarter Consumer Communications’ initiative. The FCA confirmed in its Handbook Notice 47 that it will proceed to make the changes consulted on.
The FCA has published an Occasional Paper on the Ageing Population and Financial Services, which considers the public policy implications of an ageing population and the impact on financial services, and what the FCA and the financial services industry can do to better support older consumers.
A reminder that the pre-action protocol for debt claims came into force on 1 October 2017. It applies to any business claiming payment of a debt from an individual. The protocol is intended to complement any regulatory regime to which the creditor is subject, which includes the FCA’s Consumer Credit Sourcebook. Specific regulatory obligations take precedence over the protocol where there is an inconsistency. If a dispute proceeds to court litigation, the court will expect the parties to have complied with the protocol. See our briefing for further details, with a link to the protocol itself.
The FCA said in its latest round-up that it is increasing its focus on anti-money laundering (AML). This includes an annual review of AML and sanctions systems and controls in approximately 100 largely randomly selected firms, from sectors which the FCA as supervisor considers present a lower inherent risk of money laundering.
On 26 September 2017, the Competition and Markets Authority published the final report on its digital comparison tools market study, which focused on a number of sectors including credit cards. The report was welcomed by the FCA, which has provided expert input on financial services. See the FCA’s response for further details and a link to the report.
Other sector news
On 22 September 2017, the Law Commission published the full version of the draft Goods Mortgages Bill, which is intended to repeal the Victorian legislation on bills of sale and enable individuals to use their existing goods as security for a loan, while retaining possession. The Law Commission previously consulted on draft clauses and has now published the results of that consultation together with the draft legislation. The Law Commission has described the existing law as “wholly unsuited for modern credit arrangements”. HM Treasury is consulting on the draft Bill until 13 October 2017. The consultation includes the government’s proposals for how goods mortgages should be registered.
The Financial Services Compensation Scheme (FSCS) announced the launch of an industry-wide agreement on how deposit-takers communicate to consumers about FSCS protection for bank and building society deposits (up to £85,000 per person per firm). The aim is to enhance consumer awareness of the guarantee scheme and provide reassurance that consumers’ money is protected under it no matter how they choose to bank. The new agreement covers websites, mobile banking apps and customer information sheets. Banks and building societies have 18 months to implement the agreement. There is an infographic in the FSCS press release setting out the new requirements.
The European Commission has published a summary of the contributions to its public consultation on FinTech. The stated purpose of the consultation was to seek input from stakeholders to further develop the Commission’s policy approach towards technological innovation in financial services. Respondents considered that there were huge opportunities in respect of access to finance, operational efficiency, cost-saving and competition. In terms of risk, the major concerns were cybersecurity, the use and control of data and money laundering. The Money Advice Service is supporting Tech City UK’s “Fintech For All” competition, “an opportunity to showcase how innovation could contribute to help improve the financial capability of people in the UK”.
The Joint Committee of the three European Supervisory Authorities published its final guidelines setting out what payment service providers should do to detect and prevent the abuse of funds transfers for terrorist financing and money laundering purposes. A consultation on draft guidelines ran from 5 April to 5 June 2017.
The European Court of Justice ruled that a contractual term in a foreign currency loan agreement requiring the consumer to repay the loan in that same currency was not unfair, provided it was drafted in plain intelligible language [1]. This meant that the average consumer (reasonably well-informed and reasonably observant and circumspect) would be aware both of the possibility of a rise or fall in the value of the foreign currency in which the loan was taken out, and would also be able to assess the potentially significant economic consequences of such a term with regard to his or her financial obligations. Financial institutions must provide borrowers with sufficient information to enable them to take prudent and well-informed decisions. Under the UK’s Consumer Rights Act 2015, the term must be both prominent and drafted in plain and intelligible language.
___________
[1] Andriciuc and others v Banca Românească SA (Case C-186/16) EU:C:2017:703, 20 September 2017

Data Protection – September 2017
New Data Protection Bill, latest on GDPR, update on e-Privacy Regulation, ICO enforcement, Privacy Shield and more.
New Data Protection Bill published
The government has published the Data Protection Bill, which will replace the UK’s existing Data Protection Act. The Bill sits alongside the EU General Data Protection Regulation (GDPR) and: clarifies a number of points around GDPR, for example the definition of public authority and the minimum age of consent for children; sets out the derogations to GDPR that the UK will adopt; applies GDPR standards to general data processing which GDPR currently does not apply to (such as unstructured paper files processed by public authorities); applies GDPR standards to data processing by law enforcement and intelligence services; and sets out the Information Commissioner’s role and powers including enforcement powers. The Bill had its first reading in the House of Lords on 13 September 2017, with the second reading scheduled for 10 October 2017. See the government’s press release for a summary of the Bill, with a link to various factsheets. The Information Commissioner’s Office (ICO) has said that it is important to remember that GDPR is only a part of the UK’s overall data protection framework. The ICO’s aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018. In practical terms, businesses should continue to prepare for GDPR, which comes into force on 25 May 2018.
Latest on GDPR
The ICO has published its long-awaited draft guidance on contracts and liabilities between data controllers and data processors under GDPR. The short consultation period ends on 10 October 2017. Under GDPR, whenever a controller uses a processor (or a processor employs another processor), there needs to be a formal written contract in place between them. GDPR specifies what terms must be included in the contract, as a minimum requirement. While data controllers bear ultimate responsibility for ensuring that the processing of personal data is GDPR-compliant, data processors need to be aware that GDPR also imposes direct obligations on them. Organisations should review all existing contracts which involve any processing or sharing of personal data to ensure that they meet GDPR requirements. Please get in touch if you require any assistance in this regard.
The ICO has updated its Guidance: what to expect and when document. Key points are:
- As part of the Article 29 Working Party (WP29), the ICO is leading the drafting of the EU-level guidelines on profiling, data breaches and administrative fines and contributing to the work on consent, transparency, certification and international transfers;
- For the rest of 2017, the ICO will be working to turn its “Overview of the GDPR” document into a comprehensive “Guide to GDPR”, to include summaries, checklists and more detailed content;
- The ICO will produce detailed guidance during 2017 on accountability and on children’s data;
- The ICO expects to publish detailed guidance on consent and other lawful bases for processing (including legitimate interests) in early 2018;
- It expects that WP29 guidelines on profiling and automated decision making will be adopted in October 2017, followed by consent, transparency and breach notification guidelines at the end of the year. These will sit alongside the ICO’s own guidance.
In the fourth in its series of ‘myth-busting’ blogs on GDPR, the ICO looks at issues surrounding data breach reporting. It explains that reporting will be mandatory where the breach is likely to result in a risk to people’s rights and freedoms (in high risk cases the breach will also need to be reported to the affected individuals). The breach must be reported without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The ICO stresses that it does not expect to receive comprehensive reports at the outset, but it will want to know the potential scope and cause of the breach, planned mitigation actions, and how the organisation plans to address the problem. In relation to fines, these will be proportionate and will not be issued in every case. The ICO wants organisations to be aware that the sanction is there, but says that fines can be avoided if organisations are open and honest and report without undue delay: “Tell it all, tell it fast, tell the truth”. Over the coming months the ICO will introduce a new phone reporting service which will sit alongside the current web reporting form.
In a recent speech, the UK’s Information Commissioner spoke of how cyber security and data protection are “inextricably linked” and described the new Data Protection Bill, including GDPR, as a “massive opportunity” for cyber security, which is very much a boardroom issue: “Data protection law reforms are long overdue but now they are here, they will provide the best incentive for companies to get security right”.
Update on the e-Privacy Regulation
With all the focus on GDPR, it is easy to forget for a moment that a new e-Privacy Regulation (introducing new rules on electronic direct marketing, cookies and other forms of online monitoring) is also due to come into force on 25 May 2018. The Council of the European Union recently published some proposed revisions to the European Commission’s initial draft of the Regulation (published back in January 2016). The revised text was produced for the purposes of various meetings of the Working Party on Telecommunications and Information Society during September 2017. There is still some way to go in the legislative process and it is unclear at this stage whether the 25 May deadline will be met. Walker Morris will continue to monitor and report on developments.
More news from Europe…
The Investigatory Powers Tribunal here in the UK has referred to the Court of Justice of the European Union (CJEU) a number of questions concerning the activities of the security and intelligence agencies in relation to the acquisition and use of bulk communications data for the purposes of national security, including whether such activities are governed by EU law [1]. The Tribunal was essentially satisfied that the bulk communications data regime complies with the European Convention on Human Rights (ECHR), which is distinct from EU law. The key issue is whether EU law applies and imposes a higher standard as a result of the CJEU’s Watson judgment at the end of 2016 [2]. In that case, the CJEU effectively ruled that the UK’s Data Retention and Investigatory Powers Act 2014, predecessor to the controversial Investigatory Powers Act 2016 (IPA), was incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights. As we mentioned in the last edition of the Regulatory round-up, the even more extensive and intrusive IPA gives the government, among other things, wide-ranging powers to monitor and intercept citizens’ communications and internet usage. It is a potential sticking point in relation to the adequacy of the UK’s data protection standards in the EU’s eyes in a post-Brexit world.
On appeal, the European Court of Human Rights has reversed an earlier decision and found that the monitoring of an employee’s electronic communications amounted to a breach of his right to private life and correspondence (under Article 8 of the ECHR) [3]. The Romanian national courts had failed to strike a fair balance between the competing interests at stake (the employee’s Article 8 right and the employer’s right to take measures in order to ensure the smooth running of the company). This included a failure to determine whether the employee had received prior notice from his employer of the possibility that his communications might be monitored. The ICO’s guidance on monitoring at work can be found here.
Recent ICO enforcement action – no let-up in nuisance marketing fines
In the space of just one week, the ICO issued fines totalling £610,000 to companies behind illegal recorded messages. Easyleads Limited was fined £260,000 after it made 16.7 million automated marketing calls about boiler grants without specific consent, while Your Money Rights Limited was fined £350,000 after it made a staggering 146 million calls about PPI without specific consent. This is the highest number of automated calls to result in an ICO fine to date. The ICO said that the company should have known that the law around automated calls is stricter than for other marketing calls. Both companies also broke the rules by not including the company name and contact details in the recorded message.
A taxi booking app firm was fined £45,000 for sending unlawful direct marketing texts during a one-day text marketing campaign. It could not show that it had received customers’ consent. On the same day, a telephone services company was fined £85,000 after it made calls to people registered on the Telephone Preference Service and to people who had specifically asked not to be called.
Breach of the direct marketing rules is a key focus for the ICO. As businesses prepare for GDPR, this is a timely reminder to review all types of direct marketing, ensure that GDPR-compliant consents are being collected, and refresh any non-compliant ones now.
In other enforcement news, a former data co-ordinator employed by The University Hospitals of North Midlands NHS Trust was prosecuted after she accessed sensitive medical records of colleagues and other people she knew, without the consent of the data controller, and a former Leicester City Council worker was prosecuted after he emailed personal data relating to 349 individuals, which included sensitive personal data, to his personal email address without the data controller’s consent.
EU-US Privacy Shield – first joint annual review takes place
Two days of joint review meetings of the EU-US Privacy Shield data transfer framework have taken place in Washington DC. According to a joint press statement, the review “examined all aspects of the administration and enforcement of the Privacy Shield, including commercial and national-security related matters, as well as broader US legal developments”. Various concerns have been raised over the robustness and effectiveness of the framework, including in relation to US surveillance activities. The European Commission has said that the discussions with the US administration (together with feedback from businesses, non-governmental organisations and other stakeholders) will feed into the Commission’s annual review report to be published in the second half of October 2017.
In a positive development, the US Federal Trade Commission (FTC), which oversees enforcement of the Privacy Shield in the US, has brought its first enforcement cases. According to the FTC’s press release, three US companies have agreed to settle charges that they falsely claimed participation in the framework, and the actions “highlight the FTC’s commitment to aggressively enforce” the Privacy Shield. Walker Morris will continue to monitor and report on developments.
___________________
[1] [2017] UKIPTrib IPT_15_110_CH
[2] The Tele2/Watson judgment: Joined Cases C-203/15 and C-698/15, 21 December 2016
[3] Bărbulescu v Romania (61496/08)

Health, Safety and Environmental – September 2017
Sentencing update, including £2.5 million Iceland Foods fine; launch of ‘Go Home Healthy’ national campaign.
Sentencing update – Iceland Foods handed £2.5 million fine
Iceland Foods Limited was fined a total of £2.5 million after a fatal accident at a store in Rotherham. A contractor fell almost three metres through a suspended ceiling when visiting the store to replace filters in an air conditioning unit which was located on a platform above the ceiling. An environmental health investigation found that there were no barriers in place to prevent falls, and the area in front of the access ladder was restricted and had several tripping hazards. No risk assessment had been carried out by the company.
Just two weeks earlier, bakery firm Greencore Grocery Limited was fined £1 million after a self-employed contractor died after falling from a stepladder while carrying out electrical work. The Health and Safety Executive (HSE) investigation found that the company failed to properly plan the activity from the beginning. The HSE inspector said: “Falls from height remain one of the most common causes of work related fatalities in Great Britain, the risks associated with working at height are well known. Work at height regulations require that all work at height is properly planned and appropriate access is provided. If Greencore had carried this out this death could have been prevented”.
These significant fines serve as yet a further stark reminder to businesses of the consequences of not getting health and safety right.
In other sentencing news:
- An aerospace manufacturer was fined £800,000 after an employee suffered serious leg injuries when he fell into the path of an advancing work platform so that his leg was trapped and dragged along the floor. The HSE investigation found that the company had failed to prevent access to dangerous parts of machinery.
- United Utilities was fined £666,000 after pleading guilty to polluting a river in Greater Manchester with raw sewage. The pollution had a significant impact on fish stocks and water quality. The Environment Agency’s Environment Manager for Greater Manchester said that the Environment Agency “take pollution incidents very seriously and this case should send a strong message to companies of the potential consequences if they damage the environment”.
- A company was fined £450,000 after a 19-year-old worker died when the fork lift truck he was driving overturned and crushed him. The HSE inspector said: “This tragic incident could have easily been prevented. The company’s management of fork lift truck driving operations and its failure to provide various measures to ensure the safety of the external yard area coupled with the lack of safe driver measures, such as wearing a seat belt, exposed employees to serious safety risks”. In a similar incident, another company was fined £300,000 after a worker was fatally crushed when the fork lift truck he was driving overturned. The truck had run over a loose tyre in the road. The HSE investigation found that the company had no policy in place instructing workers to wear seatbelts when operating fork lift trucks, and that storing the tyres securely would have reduced the risk of the truck overturning.
- A roofing contractor was given an eight month suspended prison sentence and ordered to complete 200 hours of community service after health and safety risk managers at North Yorkshire County Council saw unsafe scaffolding from their office window. Two workers were at risk of falling approximately seven metres from an unprotected edge on the roof of the building. The HSE inspector said: “Work at height, such as roof work, is a high-risk activity that accounts for a high proportion of workplace serious injuries and fatalities each year”. Breach of work at height regulations is a recurring theme in health and safety incidents.
- A recycling company and its two directors were fined after “multiple safety failings”. Numerous enforcement notices had been issued to both the company and the directors in relation to work equipment, work at height and electrical matters, among other things. The company was fined £83,000. In addition to receiving fines totalling £17,500 between them, one director was sentenced to 26 weeks’ imprisonment suspended for 12 months, while the other was given a 150-hour community order. This comes at a time when the HSE is carrying out a programme of unannounced inspections to review health and safety standards in waste and recycling businesses across the country. The industry is a priority sector for the HSE, with a statistically higher rate of workplace injury and work-related ill health than other sectors.
- A construction company and project manager were fined after the HSE identified a number of serious health and safety failings at two project sites, including unsafe work at height, unstable deep excavations and inadequate arrangements for planning, managing and monitoring. The company was fined £100,000 and the project manager £15,000. The HSE inspector said: “Principal contractors and their managers have a duty to ensure risks to workers are managed throughout the construction phase of projects. This case serves as a reminder to those responsible of the importance of ensuring construction work is properly planned, managed and monitored so that serious risks are identified and eliminated or controlled. It was only by good fortune that someone was not seriously injured or killed in this instance”.
HSE launches ‘Go Home Healthy’ national campaign
On 18 September 2017, the HSE launched its ‘Go Home Healthy’ campaign, with the stated aim of reducing cases of work-related ill-health “by shining a light on the causes and encouraging employers to do the right thing to protect their workers’ health”. According to new HSE research, more than two-fifths of businesses report a rise in cases of long-term ill-health, with the majority stating that tackling the problem is a priority within their organisation.