Regulatory round-up – January 2019


Consumer and Retail Finance – January 2019
Latest from the FCA, including new findings on high-cost short-term credit market; other sector news.
Financial Conduct Authority (FCA)
On 24 January 2019, the FCA published new findings on the high-cost short-term credit market, drawing on consumer credit firms’ regulatory returns data and the FCA’s Financial Lives Survey 2017. See our recent briefing for details. Also see the press release from Citizens Advice.
On 10 January 2019, the FCA published its annual Sector Views document, analysing the changing financial landscape, resulting impacts on consumers and market effectiveness. Cross-sector themes in this year’s document include: how technology is driving change in financial services; societal changes and their impact on the financial needs of different generations; the potential impact of Brexit; and the macroeconomic environment. The retail banking and payments sector is covered in chapter 2. Retail lending, including consumer credit and mortgage lending, is covered in chapter 3. While the document is not a consultation paper, the FCA says that it would welcome stakeholders’ comments on the themes it has identified, the drivers of change in each sector, and its findings on harm.
The House of Commons Treasury Select Committee published the FCA’s written submission to the Committee’s inquiry into consumers’ access to financial services, launched in November 2018. The table at the end of the submission sets out examples of recent and upcoming FCA vulnerability and access focused work, including: multi-firm work in relation to policies towards vulnerable consumers and a thematic review of debt management, both due to be published in March 2019; planned thematic work on the treatment of vulnerable consumers within non-bank lenders due to begin in April 2019; and a guidance on vulnerability consultation paper due to be published in April 2019.
Other recent submissions to the inquiry include that of the Financial Services Consumer Panel. Among other things, the Panel submits that there should be a new duty of care on financial services firms and that the best outcome for consumers would be to enshrine such a duty in the Financial Services and Markets Act 2000.
On 9 January 2019, the FCA published a letter addressed to the CEOs of all FCA-regulated firms to remind them of their responsibilities relating to the use of financial promotions. See this link.
On 10 January 2019, the FCA published updated guidance for firms on how to fill out their online tariff data forms, used to calculate annual fees for the following financial year.
On the same day, the Treasury Committee published a letter from FCA Chief Executive Andrew Bailey, providing an update on the FCA’s work on the issue of ‘mortgage prisoners’ – those unable to remortgage or switch to a cheaper mortgage rate due to changes in legislation following the financial crash. See the press release.
See our recent briefing for an update on the ‘super-complaint’ lodged with the Competition and Markets Authority by Citizens Advice, calling on the regulator to take action to stop long-term customers being penalised for their loyalty across five essential markets including mortgages. The FCA’s statement can be found here.
The FCA is consulting until 23 April 2019 on proposals to provide extra clarity in relation to some areas of the Senior Managers and Certification Regime (SM&CR), including its application to the Legal Function. The FCA proposes to exclude the Legal Function from the Overall Responsibility Requirement. Among others, this proposal affects banking firms and enhanced solo-regulated firms. The SM&CR will be extended to all solo-regulated firms from December 2019.
After the last edition of the Regulatory round-up went to press, the FCA published its final rules on extending access to the Financial Ombudsman Service (FOS) to more small and medium-sized enterprises (SMEs), larger charities and trusts, and a new category of personal guarantors. The final rules are unchanged from the near-final rules published in October 2018.
In related developments, the House of Commons Treasury Select Committee published the government and FCA responses to the Committee’s October 2018 report on SME Finance. The government does not believe that there is a clear case for bringing SME lending into regulation and it will not pursue the Committee’s recommendations for the introduction of a Financial Services Tribunal. On 19 January 2019, the Chancellor of the Exchequer wrote to the Chief Executive of UK Finance regarding SME dispute resolution, commenting on the voluntary proposals agreed by the banking industry following the recent independent review of the complaints and alternative dispute resolution landscape for UK SMEs (see the UK Finance press release referred to in the last edition).
The FCA published Handbook Notice 62 which sets out recent changes to the Handbook, including: changes to tackle low levels of consumer awareness of and engagement with overdrafts (due to come into force in December 2019 – see the recent overdrafts consultation paper); changes to strengthen the protections for consumers using home-collected credit, catalogue credit and store cards (see the November/December 2018 edition of the Regulatory round-up for details); changes to implement the revised Payment Services Directive (PSD2) and tackle authorised push payment fraud (see the recent policy statement); changes extending FOS jurisdiction to small business complainants (in force 1 April 2019 – see above); and changes extending the Principles for Businesses and certain communication rules to apply to the provision of payment services and the issuance of e-money by certain payment service providers and e-money issuers, and introducing new communications rules for currency transfer services (in force 1 August 2019 – a separate policy statement is awaited).
And finally, the FCA is consulting until 5 April 2019 on proposed guidance on cryptoassets, in order to provide regulatory clarity for market participants. On 20 December 2018, the Treasury Committee published the government and FCA responses to the Committee’s Cryptoassets report. See the press release. A policy statement is expected in summer 2019.
Other sector news
New rules banning harmful gender stereotyping in advertising come into force on 14 June 2019. See our recent briefing on what this means for the financial services sector.
On 25 January 2019, the House of Commons Treasury Select Committee launched a new inquiry into the future of the UK’s financial services post-Brexit.
The latest CBI/PwC Financial Services Survey found that demand for financial services fell for the first time in five years. See the press release.
The Lending Standards Board is working with the Single Financial Guidance Body to conduct an independent evaluation of the implementation process and effectiveness of the Standard Financial Statement. See the press release.
The Advertising Standards Authority upheld a complaint that a television advertisement for consumer credit provider 118 118 Money breached the Broadcast Committee of Advertising Practice Code because it did not feature the credit card’s representative Annual Percentage Rate.
The FOS has been consulting on its strategic plans and budget for 2019/20. It says that the rate of the rise in complaints about payday and instalment loans is particularly pronounced. By the end of 2018/19, it expects to receive more than 200% of the volumes of these complaints than it did in the whole of the previous year – 50,000 cases, compared with the 20,000 it had planned for. In a letter dated 14 January 2019, Richard Lloyd (who carried out an independent review of the FOS and reported on it in July 2018) provided the Chair of the House of Commons Treasury Select Committee with his views on the progress being made by the FOS in response to the review.
A new government taskforce will work with senior figures from the UK financial sector to tackle economic crime. See the press release. The Home Office will commit £3.5 million in 2019/20 to support work to reform the suspicious activity reports (SARs) regime.
The Wolfsberg Group of thirteen global banks has published new guidance on how financial institutions should carry out sanctions screening.
On 17 January 2019, the Bank of England published its quarterly survey of banks and building societies aimed at improving its understanding of trends and developments in credit conditions, covering supply, demand, loan pricing and defaults. It also recently published a quarterly bulletin, looking at whether a cyber attack could cause a systemic impact in the financial sector.
On 9 January 2019, UK Finance announced that it has formally made an application to maintain participation in the Single Euro Payments Area on behalf of the UK financial services and payments industry.
On 24 January 2019, the Payment Systems Regulator published its final terms of reference for a market review into the supply of card-acquiring services. See the press release.
The European Banking Authority updated its guidelines on fraud reporting under PSD2, to reflect editorial changes applied to pages 4, 27, 29 and 30.
And finally, the European Commission is consulting until 8 April 2019 on the functioning of the Consumer Credit Directive, to assess whether it is still fit for purpose.

Data Protection – January 2019
Google’s €50 million GDPR fine; latest from the ICO; ‘no deal’ guidance; Privacy Shield update; and more.
Google hit with €50 million GDPR fine – says it will appeal…
France’s national data protection regulator CNIL handed Google LLC a record €50 million fine under the EU General Data Protection Regulation (GDPR) in relation to two complaints filed by non-profit organisations noyb (set up by Austrian privacy campaigner Max Schrems and meaning “None of Your Business”) and La Quadrature du Net over the issue of forced consent. The company was fined for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. See the press release from CNIL. It has been widely reported in the media that Google intends to appeal the fine.
… as more complaints are filed
Google’s fine came shortly after noyb filed complaints with the Austrian Data Protection Authority against eight companies, including Amazon, Netflix, Spotify and YouTube, alleging violations of the right-to-access provisions under GDPR.
Insurers seek clarity over insurability of fines and penalties
In a submission on cyber issues to the Organisation for Economic Co-operation and Development, the Global Federation of Insurance Associations referred to the fact that there is international confusion as to the insurability of fines and penalties, and said that work to clarify this issue would benefit consumer and insurer contract certainty. This is a grey area and it is particularly relevant in the context of the (potentially massive) fines that could be imposed on organisations for violations of GDPR.
Latest from the ICO
- The UK Information Commissioner’s Office (ICO) published a new Guide to Data Protection, which covers the Data Protection Act 2018 and GDPR as it applies in the UK.
- In her latest “myth-busting” blog, the Information Commissioner looks at how personal data will continue to flow post-Brexit. The blog links through to the ICO’s various guidance and resources on this topic.
- The ICO is consulting until 8 March 2019 on its proposed access-to-information strategy for the next three years. A final version will be launched later in 2019. In a blog post introducing the draft strategy, which is called ‘Openness by Design’, the ICO’s Director of Freedom of Information noted that, every year, the ICO receives more and more requests to independently review decisions made by public authorities about information requests under the Freedom of Information Act 2000 (FOIA) or the Environmental Information Regulations 2004 (EIR). Among other things, the draft sets out how the ICO will tackle issues of non-compliance among public authorities, especially around timeliness and quality of responses. Feedback is sought from a wide range of stakeholders.
- In a related development, the ICO laid a report before Parliament on 28 January 2019 called ‘Outsourcing Oversight? The case for reforming access to information law’, which calls for an update to FOIA and EIR to include organisations providing a public function. See this link.
- This topic was also discussed in a recent speech delivered by the Information Commissioner titled ‘Data, Transparency and Trust: How information rights can promote a culture of accountability’, in which she noted that two high profile incidents – the Grenfell Tower tragedy and the collapse of Carillion – sharpened her resolve to call for an extension of access-to-information laws.
- On 9 January 2019, the ICO published a blog post on the recent law changes on pension cold calling.
- In recent enforcement action, Cambridge Analytica was fined £15,000 for failing to respond to an ICO enforcement notice which ordered it to respond in full to a data subject access request made by an academic in the US.
- And finally, on 30 January 2019, the ICO published a discussion paper and opened an ‘intention to apply’ survey in relation to its regulatory sandbox. See the blog post for details.
Government ‘no deal’ Brexit guidance
On 28 January 2019, the government published further guidance on data protection and Brexit. As we reported previously, more detailed guidance was published on 13 December 2018. See this link.
Just after the November/December 2018 edition of the Regulatory round-up went to press, the government published guidance for digital service providers under the Network and Information Systems Regulations 2018 on how they can prepare for a no deal scenario.
European Commission adopts Japan adequacy decision for free flow of personal data
On 23 January 2019, the European Commission adopted its adequacy decision on Japan, allowing personal data to flow freely between the two economies. This is the first adequacy decision adopted since GDPR came into force. See the Commission’s press release. The UK will be seeking its own adequacy decision post-Brexit, as part of its future relationship with the EU.
Update on EU-US Privacy Shield
In a press release following its latest plenary session, the European Data Protection Board (EDPB) said that it welcomed efforts made by the US authorities and the European Commission to implement the Privacy Shield (including the announcement of the appointment of a permanent Ombudsperson – one of the key demands of the Commission following the annual joint review conducted in October 2018), but it also set out a series of remaining concerns, including the lack of concrete assurances over indiscriminate collection and access of personal data for national security purposes. Board Members adopted the EDPB’s non-binding report on the second annual joint review. The report sets out the EDPB’s findings on the commercial aspects of the Privacy Shield and on access by public authorities to data transferred to the US under the Privacy Shield.
The official Privacy Shield website has published a set of Privacy Shield and the UK FAQs, explaining the steps that Privacy Shield participants need to take ahead of Brexit.
Decision awaited in Facebook appeal over standard contractual clauses
The Irish Supreme Court recently heard Facebook’s appeal in the Schrems litigation. The appeal concerns the Irish High Court’s referral of questions over the validity of the European Commission’s adequacy decisions on standard contractual clauses to the Court of Justice of the European Union. The Supreme Court will rule on the appeal at a later date. Walker Morris will continue to monitor and report on developments.

Health, Safety and Environmental – January 2019
Thames Water’s £2 million fine; other sentencing news; Food Standards Agency consultations, including allergen labelling; investment in robotics.
Thames Water hit with £2 million fine for breaching environmental law…
Thames Water was fined £2 million and ordered to pay full costs of just under £80,000 after raw sewage polluted two streams in Oxfordshire for up to 24 hours, killing almost 150 fish and flooding a residential garden. There had been numerous failures in the management of a sewage pumping station operated by the company, which had ignored or failed to respond adequately to more than 1,000 alarms. Investigations by the Environment Agency (EA) found that the company was aware that the pumping station had failed several times in the year before the incident, which was described as “foreseeable and avoidable”. The sentencing judge said that the company was “reckless” by taking an unacceptable level of risk with the environment. See the full EA press release for details.
…while £1 million-plus fines for health and safety offences continue to bite
Two companies were fined £1 million and £533,000 respectively and ordered to pay £40,000 each in costs after a five-year-old girl died when her head became stuck between the internal lift she was using and the ground floor ceiling at her home. She had put her head through a hole in the vision panel, which had not been fixed or replaced since it was damaged up to 18 months earlier. An investigation by the Health and Safety Executive (HSE) found a “catalogue of failures” by both companies and a third company which was responsible for arranging lift maintenance issues.
Waste and recycling company Veolia ES (UK) Limited was fined £1 million, and ordered to pay costs of £130,000, after an employee died when he was run over by a reversing refuse collection vehicle. Multiple vehicles were manoeuvring around the yard with no specific controls. The HSE inspector said: “This should be a reminder to all industries, but in particular, the waste industry, to appropriately assess the risks and implement widely recognised control measures to adequately control manoeuvring vehicles, in particular reversing vehicles and restrict pedestrian movements around vehicles”.
Other sentencing news
An NHS Trust was fined £300,000, and ordered to pay costs of £28,000, after a health care assistant and a psychiatric nurse were stabbed multiple times by a service user at a medium secure forensic unit, suffering life-changing injuries. The health care assistant had been preparing sandwiches in the kitchen and had left knives on the work surface. An HSE investigation found that there was no patient specific risk assessment identifying the risks posed by a patient and the measures required to control those risks prior to admission to the ward. It also found that the use of knives on an acute ward was fundamentally unsafe.
A London construction company was also fined £300,000, and ordered to pay just over £17,500 in costs, after an employee died when he fell from a height of seven and a half metres. An HSE investigation found that the work was not properly planned, adequately supervised or carried out in a safe manner. The HSE inspector said: “The risks associated with work at height are well known throughout the construction industry. While, on paper, Formation Construction Limited had identified control measures which could have prevented this incident from occurring; in practice, these safeguards were virtually absent”.
A company director was sentenced to ten months in prison for selling prohibited substances online in breach of regulations. The company had ignored enforcement notices served by the HSE to prohibit further supply. The HSE inspector said: “Companies should be aware that HSE will take robust action against those who unnecessarily put the lives of workers and the public at risk, and against those who endanger the environment, through the inappropriate supply and use of chemicals”.
Food Standards Agency consults on new recalls and withdrawals guidance and allergen labelling
On 7 January 2019, the Food Standards Agency (FSA) issued a consultation asking food businesses, enforcement officers and consumers to provide feedback on its new guidance on food traceability, withdrawals and recalls within the UK food industry. The consultation is open until 4 February 2019. See the press release for more details and a link through to the consultation document.
On 25 January 2019, the FSA issued a second consultation, this one dealing with plans to improve allergen labelling laws across the UK. The consultation is open for a nine week period, and the main issue is the rule concerning foods prepacked for direct sale which are currently not required to carry allergen information. Stakeholder workshops will be held to feed into the final report. See the press release for more details and a link through to the consultation document. The consultation follows a number of recent tragic incidents widely reported in the media.
Government invests in robotics to avoid workplace injury
As part of a £26.6 million investment, which includes building micro robots to repair the UK’s underground pipe network, robotics will be used in hazardous work environments such as offshore wind farms and nuclear decommissioning facilities, to avoid workplace injury. The funding for these projects is part of the modern Industrial Strategy published last year. The HSE Chair said: “The key purpose of the [HSE] is to save lives and prevent workplace injury and ill health. To achieve this, we need businesses to work with us and to be innovative in their thinking around managing risk in the workplace. New and emerging technologies are shaping our working environment. As a regulator we want to encourage industry to think about how technologies such as robotics and AI [artificial intelligence] can be used to manage risk in the workplace, safeguarding workers both now and in the future world of work”. See the full press release for details.
Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence.