Regulatory round-up – August/September 2019


Consumer and Retail Finance – August/September 2019
Latest from the FCA, including extension of Senior Managers and Certification Regime; other sector news.
Financial Conduct Authority (FCA)
On 11 September 2019, the FCA said that it was “stepping up its efforts to ensure firms are aware of what they need to do to prepare for the potential of a no-deal Brexit”. See the press release.
On 20 September 2019, the FCA updated its dedicated webpage for solo-regulated firms on the extension of the Senior Managers and Certification Regime (SM&CR). There are links to a range of resources, including a recent podcast on certification and regulatory references, and a second podcast on the importance of conduct rules. A further podcast considers SM&CR and the importance of achieving a healthy culture in financial services.
In related news, on 5 August 2019, the FCA published the findings of its review into the embedding of the SM&CR in the banking sector. In summary, it found that the industry has made a concerted effort to implement the regime, with most firms taking actions to move away from basic rules-based compliance towards embedding the regime in the organisation.
On 6 September 2019, the FCA published a new webpage on the Directory – the new public register for checking the details of key people working in financial services – setting out how and when firms should submit their data.
On 13 August 2019, the FCA agreed a plan that gives the payments and e-commerce industry extra time to implement strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. It sent out a Dear CEO letter setting out the requirements for SCA in card-not-present e-commerce transactions and has also recently updated its dedicated webpage on SCA. The phased implementation plan was welcomed by UK Finance.
On 1 August 2019, the FCA published an Insight article on ‘Artificial Intelligence in the boardroom’, which discusses how “boardrooms are going to have to learn to tackle some major issues emerging from AI – notably questions of ethics, accountability, transparency and liability. These are not matters that can be ring-fenced in a department, whether that be IT, legal, or customer service – that would be to abrogate boardroom responsibility and to leave an organisation exposed at the very top”.
On 13 September 2019, the FCA reminded firms that they need to register for ‘Connect’ to update their firm details. From January 2020, firms will be required to review and confirm the accuracy of their details annually, in line with their Accounting Reference Date. This will have to be done using Connect.
The FCA has set up an implementation group on proposed changes to responsible lending rules which were consulted on earlier this year. The group was established to enable market-readiness for using proposed responsible lending changes, and to promote the availability of switching options for certain consumers. Summaries of the group’s discussions will be published on this webpage.
Just after the June/July 2019 edition of the Regulatory round-up went to press, the FCA published final guidance to help firms understand whether their crypto-asset activities fall under FCA regulation.
A policy statement to the FCA’s high cost credit review consultation on overdraft pricing remedies is due in Q4 2019.
The FCA was due to issue a response to its consultation on proposed guidance for firms on the fair treatment of vulnerable customers in autumn 2019. This is now expected in the first half of 2020.
A two-month consultation is expected to commence in October 2019 on ‘Regulatory fees and levies: policy proposals for 2020/21’. Feedback is expected in February 2020.
And finally, on 4 October 2019, the FCA will host a webinar on ‘Transforming culture through employee motivation and recognition’.
Other sector news
On 14 August 2019, the government updated its guidance page on information for financial institutions if there is no Brexit deal.
On the same day, the Financial Ombudsman Service (FOS) updated various webpages for consumers on complaints that it can help with in relation to credit and borrowing money, including payday loans and home credit. See this link.
On 21 August 2019, the FOS published data showing the number of complaints it received between April and June 2019. It says that it continues to receive a significant number of complaints about consumer credit, especially in relation to lending. It is upholding a large proportion of complaints about high cost credit.
The Gambling Commission is consulting until 6 November 2019 on banning or restricting the use of credit cards for all forms of remote gambling. The Commission says it is concerned that consumers experiencing harm might use other forms of borrowing, such as overdrafts and loans, to fund their gambling in lieu of credit cards, meaning that the risks might simply displace to other lending products. It says that it is essential that the financial and gambling sectors work to introduce protections for their customers to mitigate the risks of harm from gambling with other forms of borrowed money.
On 30 August 2019, LINK announced that funding will be made available to protect free access to cash for every high street in the UK. On 5 September 2019, the Payment Systems Regulator (PSR) published the responses to its discussion paper on the LINK interchange fee structure and a summary of its recent roundtable discussion on the future structure.
On 13 September 2019, the European Commission published ‘Frequently Asked Questions: Making electronic payments and online banking safer and easier for consumers’ in relation to the application of PSD2.
The European Banking Authority has published clarifications to the fourth and fifth sets of issues raised by its working group on application programming interfaces under PSD2.
On 1 August 2019, the PSR gave a specific direction to members of the UK’s six largest banking groups to fully implement Confirmation of Payee by 31 March 2020. See the press release for details.
On 6 August 2019, the Current Account Switch Service published a white paper on the savings account market, with research showing that consumers are not receiving the best deals and rates for their savings by staying with the same account. See the press release from Pay.UK.
On 10 September 2019, the PSR published its response to its ‘Data in the Payments Industry’ discussion paper, which was published in June 2018. Among other things, it says it will work with Pay.UK to explore the viability of opening up access to data in the UK’s new payments architecture, which it says could benefit everyone through the development of new products and services, such as anti-fraud and anti-money laundering tools and improved payment reconciliation services. See the press release. The PSR also published the responses it received to the discussion paper.
On 20 September 2019, Pay.UK published an independent report on ‘request to pay’, a communication tool to help businesses and individuals across the UK better manage their money. See the press release.
On 15 August 2019, the third set of banking customer satisfaction results was published following a survey of thousands of customers. See the press release from the Competition and Markets Authority (CMA) and the FCA webpage which links through to the data.
In related news, the CMA has provisionally decided to vary the Retail Banking Market Investigation Order 2017 and to remove Part 6 relating to unarranged overdraft alerts, given that the FCA is introducing new rules on overdraft alerts on 18 December 2019.

Data Protection – August/September 2019
Latest from the ICO, including no-deal Brexit guidance; developments in use of automated facial recognition technology; cybersecurity; and more.
No-deal Brexit guidance
The Information Commissioner’s Office (ICO) is urging businesses to “prepare for all scenarios” to maintain data flows when the UK leaves the EU. On 11 September 2019, it published dedicated guidance to help small and medium sized organisations prepare for the possibility that the UK leaves the EU without a deal. See this blog post. There is separate guidance available for large businesses and organisations and data protection specialists. Also see our recent ‘Countdown to Brexit’ briefing on data transfers, which explains what you should be doing now.
Change to response time for data subject access requests
On 15 August 2019, the ICO issued updated guidance on the timescales for responding to a data subject access request (DSAR) following a recent ruling of the Court of Justice of the European Union (CJEU). See our briefing for details.
It also added guidance on the meaning of “manifestly unfounded or excessive”.
In related news, a recently published test revealed that some companies are still not prepared for DSARs, over a year since the EU General Data Protection Regulation (GDPR) came into force. See our briefing for details.
Developments in use of automated facial recognition technology
In the recent case of R (on the application of Bridges) v Chief Constable of South Wales Police (Information Commissioner and another intervening) [1], the High Court considered, apparently for the first time in any court in the world, the use of automated facial recognition technology (AFR). The case concerned a pilot project run by South Wales Police (SWP) called ‘AFR Locate’. This involves the deployment of surveillance cameras to capture digital images of members of the public, which are then processed and compared with digital images of persons on watchlists compiled by SWP for the purpose of the deployment. The case was brought in order to seek the court’s early guidance on the legal parameters and framework relating to AFR while it is still in its trial phase. The court was satisfied both that the current legal regime is adequate to ensure the appropriate and non-arbitrary use of AFR Locate, and that SWP’s use to date has been consistent with the requirements of the Human Rights Act and data protection legislation.
AFR is a priority area for the ICO, which has launched an investigation following concerns reported in the media regarding AFR’s use in King’s Cross in London. See the Information Commissioner’s statement here. She says that she remains deeply concerned about the growing use of AFR in public spaces, not only by law enforcement agencies but also increasingly by the private sector. Organisations must have documented how and why they believe their use of AFR is legal, proportionate and justified. The ICO’s statement following the SWP ruling can be found here.
Other news from the ICO – round-up
- Two firms were separately fined and ordered to stop their illegal marketing activity after making calls to people whose numbers were registered with the Telephone Preference Service.
- On 5 August 2019, the ICO published a blog post which discusses some of the key safeguards organisations should implement when using solely automated artificial intelligence (AI) systems to make decisions with significant impacts on data subjects. This is one of a number of recent posts forming part of the ICO’s call for input on developing a framework for auditing AI.
- The Information Commissioner has joined representatives of other data protection and privacy enforcement authorities worldwide in expressing shared concerns over the privacy risks posed by Facebook’s ‘Libra’ digital currency and infrastructure.
- On 7 August 2019, the Information Commissioner provided an update on the ICO’s proposed code for protecting children online.
- The ICO has launched a number of resources for local councils addressing the top three GDPR compliance challenges identified through sector feedback: own devices; data audits; and data sharing. See the blog post.
- The ICO is consulting until 4 October 2019 on a new framework code of practice for the use of personal data in political campaigning.
- Just after the June/July 2019 edition of the Regulatory round-up went to press, the ICO selected the first participants for its data protection sandbox, which is a new service supporting organisations developing innovative products and services using personal data with a clear public benefit. See the blog post.
- On 5 September 2019, the ICO issued a warning about historical personal details accessed through work. It says that the Data Protection Act 2018 adds a new element of knowingly or recklessly retaining personal data without the consent of the data controller. It is advising anyone dealing with the personal details of others in the course of their work, whether in a police force, health trust or private business, to take note of this update, especially when employees are retiring or taking on a new job.
- The ICO’s direct marketing code consultation is expected in the autumn.
Government issues new privacy notice guidance for schools and local authorities
On 21 August 2019, the government published an updated privacy notice user guide and suggested templates for schools and local authorities to issue to staff, parents and pupils about the collection of data. See this link.
Cybersecurity update
On 7 September 2019, the National Cyber Security Centre (NCSC) reminded organisations about its collection of guidance on mitigating against denial of service attacks.
On 19 September 2019, the NCSC published new guidance on cyber incident management. See this blog post with a link through to the guidance.
On 11 September 2019, the government issued a call for views on the proposed approach to cybersecurity certification following the UK’s departure from the EU. The document explains that the EU Cyber Security Act, which entered into force on 27 June 2019, provides the EU Cyber Security Agency with a strengthened and permanent mandate and establishes a cybersecurity certification framework under which EU-wide cybersecurity certification schemes will be developed and implemented.
The UK was actively engaged in the development of the Act, and remains committed to enabling improved cybersecurity across Europe and preventing unnecessary market fragmentation. It will seek to cooperate on approaches to cybersecurity certification with the EU and will therefore seek to enter into negotiations with the EU on mutual recognition arrangements. Responses are requested by 15 October 2019.
News from Europe
- The third annual joint review of the EU-US Privacy Shield framework took place on 12 and 13 September 2019. The European Commission’s report on the functioning of the Privacy Shield is expected in October 2019.
- The CJEU has ruled that website operators who embed Facebook ‘like’ buttons on their websites can qualify as joint controllers with Facebook in respect of the collection and transmission of personal data [2]. As a result of this judgment, website operators who embed third party features (arguably this includes cookies) will need to ensure that they take the necessary steps to comply with the relevant GDPR requirements.
________________
[1] [2019] EWHC 2341 (Admin)
[2] Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C-40/17 – ECLI:EU:C:2019:629)

Health and Safety – August/September 2019
Latest £1 million fine; interim report from Competence Steering Group in response to Hackitt Review; product safety no-deal Brexit guidance; and more.
Latest £1 million fine for health and safety breach
A principal contractor has been fined £1 million (with costs of over £100,000) after a worker was struck and killed by an excavator during night work at a construction site. An investigation by the Health and Safety Executive (HSE) found that the company had failed to ensure the safety, so far as is reasonably practicable, of its employees and others working on the site. In addition, the site supervisor, who was operating the excavator, had failed to take reasonable care for others on site at the time and was given a six month custodial sentence, suspended for twelve months. He was also ordered to pay costs of £15,000.
This fine brings the number of £1 million-plus fines imposed so far in 2019 for health and safety breaches to eleven.
Other sentencing news
BP Exploration Operating Company Limited was fined £400,000 after an oil leak in Shetland. The HSE investigation found that the company had failed to take all measures necessary to prevent major accidents and to limit their consequences to persons and the environment, and had failed to identify and assess the hazards and risks arising from the undertaking of a non-routine job.
A port operating company was fined £300,000 (with costs of just over £7,500) after an agency worker was seriously injured when he was struck by a load which fell from two fork lift trucks. The HSE investigation found that no suitable risk assessment relating to the hazards from the particular loading procedure had been carried out, and the fork lift truck lifting operation was also not properly planned, supervised or carried out in a safe manner.
A council was fined £100,000 (with costs of over £28,000) after seven workers from its grounds maintenance and street care team were exposed to Hand Arm Vibration caused by the excessive use of power tools. The HSE inspector said: “This was a case of the council failing to identify the risk from hand arm vibration which is a recognised health risk with potentially disabling consequences. Unless vibration is identified and properly assessed, an employer won’t know the level of risk and whether action is needed to protect workers”.
Competence Steering Group publishes interim report in response to Hackitt recommendations
On 16 August 2019, the Steering Group on Competence for Building a Safer Future, which was set up to tackle the competency failings identified in Dame Judith Hackitt’s final report on building regulations and fire safety, published its interim report called ‘Raising the Bar’. It is consulting on the report until 18 October 2019.
The report sets out what the Construction Industry Council describes as “a radical and wide-ranging set of measures to improve the competence of those who design, construct, inspect, maintain and operate higher risk residential buildings and make them safer for the public”. See the press release for a summary of the proposals, which include the creation of a new oversight body, and a link through to the report and an executive summary.
The Competence Steering Group’s recommendations are set out on page 26 of the report onwards. They include specific recommendations from thirteen different working groups, including engineers, fire risk assessors, building designers and project managers. The report says that the recommendations “achieve two objectives: they lay firm foundations for a more coherent and consistent approach to assessing and ensuring competence across the critical disciplines; and accompanied with the right legislation they pave the way for a culture change across the whole building industry, so that everyone recognises their responsibility as part of a wider system for delivering safe buildings”.
Government launches consultation on sprinklers in high rise flats
On 5 September 2019, the government launched a consultation on proposals to reduce the building height at which sprinklers are required from 30 metres and above to 18 metres, and on other fire safety measures. It also announced that a new Protection Board is being set up immediately with the Home Office and National Fire Chiefs Council to provide further reassurance to residents of high-risk residential blocks that any risks are identified and acted upon. This new Board will operate until legislation on a new building safety regime is introduced and a new building safety regulator is established to oversee the new regime. The consultation closes on 28 November 2019.
In related news, a number of corrections have been made to volumes 1 and 2 of the building regulations guidance on fire safety (Approved Document B). See the circular letter. The government has also published an analysis of the responses to its call for evidence on the technical review of Approved Document B which closed in March 2019. It says that it will work with industry and the Building Regulations Advisory Committee to consider the full range of technical areas raised in the call for evidence and determine a detailed plan for taking the review forward.
Government consults on proposals to reduce ill health-related job loss
In other news, the government is consulting until 7 October 2019 on different ways in which government and employers can take action to reduce ill health-related job loss. The proposals aim to support and encourage early action by employers for their employees with long-term health conditions, and improve access to quality, cost-effective occupational health.
UK product safety no-deal Brexit guidance
On 23 September 2019, the Office for Product Safety and Standards published updated guidance to explain how existing product safety and metrology legislation will be amended and what businesses need to do differently. The webpage links through to detailed guides for businesses on specific regulations and updated guidance on placing manufactured goods on the market after Brexit, including conformity marking of goods.
Launch of Industry 4.0 implications for health and safety survey
The Discovering Safety Programme, which the HSE says is aimed at improving health and safety on a global scale by using new insights from data and novel analytical techniques, is seeking views from organisations currently using or planning to use industry 4.0 technologies to support their health and safety strategy. See this link.
Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence.