Regulatory round-up – January 2020


Consumer and Retail Finance – January 2020
Latest from the FCA, including changes to Money Laundering Regulations and research into UK’s distressed borrowers; other sector news.
Financial Conduct Authority (FCA)
Changes to the Money Laundering Regulations (MLRs) came into force on 10 January 2020. The FCA published a webpage highlighting some specific new areas that firms need to comply with. Companies House published guidance on the new requirement for firms to report to Companies House discrepancies between the information they hold on their customers and the information held on the Companies House Register. The Joint Money Laundering Steering Group published minor updates to its guidance. Updated HMRC guidance is expected shortly. On 23 January 2020, the government published the responses to its consultation on the amended legislation. It is currently holding a detailed consultation on trust registration.
The FCA is now the anti-money laundering and counter-terrorist financing supervisor for businesses carrying out certain cryptoasset activities under the amended MLRs. They need to register with the FCA and comply with the MLRs in relation to those activities. See this link.
The FCA recently published two ‘Insight’ papers summarising ongoing research into the UK’s distressed borrowers. In relation to high-cost credit, notable findings include the following: among heavy users of high-cost credit, income appears to be of little significance in determining who gets into difficulty and who does not; Southern Scotland has a marked issue with users of high-cost credit suffering financial problems; and high-cost borrowers appear to spend longer in distress than other groups. The second paper, which includes a link to the first, can be found here. More detail is set out in the FCA’s occasional paper ‘Borrower subgroups and the path into distress: commonalities and differences’.
In the latest edition of its Regulation round-up, the FCA says that there has been some debate in the high-cost short-term credit market about how its creditworthiness rules should apply to repeat lending. It reminds firms of the contents of its October 2018 Dear CEO letter. It says that, while firms are not prevented (other than for rollovers) from issuing more than a particular number of loans to a customer per se, they need to comply with the creditworthiness rules in doing so, including assessing the affordability risk to the borrower. It says that this view is shared by all relevant bodies, including the Financial Ombudsman Service.
A Financial Services (Duty of Care) Bill – a bill to require the FCA to make rules for authorised persons to owe a duty of care to consumers in their regulated activities – had its first reading in the House of Lords on 9 January 2020.
On the same day, the FCA published proposals to reform the easy access cash savings market. See the press release. It also published an update on its work in the areas highlighted in the Citizens Advice super-complaint made to the Competition and Markets Authority (CMA) in September 2018 – cash savings, home and motor insurance, and mortgages. The CMA has also recently published a 12-month progress update.
On 22 January 2020, the FCA published further data on the mortgage prisoner population, following recent changes to the responsible lending rules. It says that the evidence so far has shown little desire from larger lenders to adopt the changes and it looks forward to more lenders stepping forward and offering products to mortgage prisoners in the coming three months. See the response of UK Finance and the reaction to that response from the All Party Parliamentary Group on Fair Business Banking.
On the same day, the FCA issued a press release stating that seven out of ten overdraft users will be better off or see no change when new rules on overdrafts come into force in April 2020, and that those who are worse off should consider shopping around to find a cheaper deal. The FCA subsequently wrote to the major banks to ask them to provide evidence of how they have arrived at their pricing decisions.
On 31 January 2020, the FCA published its policy statement on mortgage advice and selling standards. It is implementing the proposed changes as consulted on, subject to small changes. Subject to transitional rules, the changes to rules and guidance came into force on 31 January 2020.
We reported in the November/December 2019 edition of the Regulatory round-up that an advisory group has been considering how Open Finance will develop, including the barriers to its development and the ethical and practical issues around data sharing. The group was set up to discuss the potential of extending Open Banking-like data sharing to a wider range of financial products. In related news, the Information Commissioner’s Office recently published a blog on the benefits of sharing personal data and what we can learn from Open Banking.
On the subject of data, the FCA and Bank of England recently announced proposals for data reforms across the UK financial sector. The FCA’s data strategy outlines its “increased focus on the use of advanced analytics and automation techniques to deepen its understanding of how markets function and allow the FCA to efficiently predict, monitor and respond to firm and market issues”.
Around the time that the November/December 2019 edition of the Regulatory round-up went to press, the FCA released a podcast in which a panel of experts dissect the challenges and future opportunities for the payments sector. See this link.
Other sector news
On 14 January 2020, the Gambling Commission announced that a ban on gambling on credit cards comes into effect on 14 April 2020.
On 16 January 2020, the Financial Services Compensation Scheme (FSCS) published its plan and budget for 2020/21. In her overview, the new Chief Executive said that the financial sector faces many changes and challenges as we enter the third decade of the twenty-first century. The FCA and Prudential Regulation Authority are consulting until 17 February 2020 on the FSCS’s Management Expenses Levy Limit for 2020/21.
On 21 January 2020, the Money & Pensions Service launched a new UK-wide strategy to transform the country’s financial wellbeing in a decade. It says that delivering on the strategy will transform the lives of many individuals, benefitting communities, businesses, the economy and wider society. The strategy sets five goals to be achieved by 2030, including 2 million fewer people often using credit to pay for food or bills, and 2 million more people getting the debt advice they need.
HM Treasury published a summary of the Financial Inclusion Policy Forum’s fourth meeting held in October 2019. The Forum brings together leaders on financial inclusion to ensure collaboration across government and with the sector.
The Payment Systems Regulator has been consulting on a proposal to vary its Specific Direction 10 on Confirmation of Payee, in relation to exemptions.
And finally, the European Banking Authority recently updated its guidelines on fraud reporting under the revised Payment Services Directive. The amendments will apply to the reporting of payment transactions initiated and executed from 1 July 2020.

Data Protection – January 2020
Latest from the ICO, including Brexit, subject access request timings and draft direct marketing code; international data transfers; cybersecurity; and more.
Latest from the Information Commissioner’s Office (ICO), including Brexit statement, data subject access requests and draft direct marketing code
On 29 January 2020, the ICO issued a brief statement on data protection and Brexit implementation, with links through to its various guidance materials and other resources. It will be “business as usual” until the end of December 2020. The General Data Protection Regulation (GDPR) will continue to apply.
In other developments:
- In its GDPR right of access guidance, the ICO explains that the timescale for responding to a subject access request is not paused when the controller asks for clarification from the data subject and awaits a response. Even if the data subject refuses to provide any additional information or does not respond, the controller must still comply with the request, within the timescale, by making reasonable searches for the information covered by the request. The ICO is currently consulting on detailed right of access guidance.
- The ICO is consulting until 4 March 2020 on a draft direct marketing code of practice. The code starts by looking at the definition of direct marketing to help organisations decide whether the code applies to them, before moving on to cover areas such as planning marketing, collecting data, delivering marketing messages and individuals’ rights. The ICO intends to produce additional practical tools, such as checklists, to go alongside the code. We are no further along in Europe with progress on a new ePrivacy Regulation and so the current Privacy and Electronic Communications Regulations 2003 (PECR) continue to apply.
- The ICO announced that it will be working with the UK Accreditation Service to deliver the ICO-approved certification schemes under GDPR. Certification is a way for an organisation to demonstrate compliance with GDPR.
- On 21 January 2020, the ICO published the final version of its Age Appropriate Design Code, a set of fifteen standards that online services should meet to protect children’s privacy. See this link for details. The ICO says that it is preparing a significant package of support for organisations.
- In a recent blog post, the ICO’s Executive Director of Technology and Innovation gave an update on adtech real time bidding reform. The ICO gave the industry six months to work on the points raised in its June 2019 report and, while many organisations are on board with the changes that need to be made, “some appear to have their heads firmly in the sand”. Given the ICO’s understanding of the lack of maturity in some parts of the industry, it anticipates that it may be necessary to take formal regulatory action. In an earlier blog post, all organisations involved in real time bidding were urged to review their processes, systems and documentation.
- In a statement on the use of live facial recognition technology by the police, the ICO said that it will be publishing more about the technology’s use by the private sector later this year.
- On 20 January 2020, the ICO issued a call for views to find out if gaps exist in controllers’ awareness and understanding of the data protection requirements for processing personal data relating to criminal convictions. Responses are requested by 28 February 2020.
- In recent enforcement action, a retailer was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber attack, affecting at least 14 million people. The ICO’s Director of Investigations said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
- A pharmacy supplying medicines to customers and care homes was fined £275,000 after it left approximately 500,000 documents – including names, addresses, dates of birth, NHS numbers, medical information and prescriptions – in unlocked containers at the back of its premises. The company was also issued with an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months.
- The director of a telecoms company was banned for six years after his company permitted its lines to be used to make millions of nuisance marketing calls. The ICO had issued the company with a then-record £400,000 fine in 2017 for breaching the PECR. Collaboration between the ICO and Insolvency Service has resulted in two other recent disqualifications in this area.
Update on international data transfers
On 19 December 2019, just after the November/December 2019 edition of the Regulatory round-up went to press, one of the advocates general of the Court of Justice of the European Union (CJEU) delivered his eagerly anticipated opinion on the validity of the European Commission decision that established standard contractual clauses for the transfer of personal data from EU controllers to processors established outside the EU or European Economic Area.
The advocate general’s view is that the decision is valid given the obligation on controllers and supervisory authorities to suspend or prohibit a transfer when the clauses cannot be complied with. See the press release.
The opinion follows a referral to the CJEU in the long-running litigation involving Facebook and Austrian privacy activist Max Schrems regarding the transfer of his personal data by Facebook Ireland Limited to Facebook Inc. in the US for processing, and concerns over US mass surveillance.
While the opinion is non-binding, the CJEU tends to follow such opinions in the majority of cases, and organisations can breathe a cautious sigh of relief that this key international data transfer mechanism looks set to remain available.
The opinion is particularly relevant now that the UK has left the EU, with no guarantee at this stage that the European Commission will issue an adequacy decision in respect of the UK before the end of the transition period in December 2020 – i.e. a finding that the UK’s legal framework provides adequate protection for individuals’ rights and freedoms for their personal data.
Importantly, the advocate general went on to say that he entertained certain doubts as to the conformity of the Commission’s Privacy Shield decision (one of the key mechanisms for the transfer of personal data between the UK and US for commercial purposes) to the relevant GDPR provision on adequacy, read in the light of certain provisions in the EU Charter of Fundamental Rights and the European Convention on Human Rights. Walker Morris will continue to monitor and report on developments.
Other news from Europe
On 6 January 2020, the European Data Protection Supervisor published a preliminary opinion on data protection and scientific research. The executive summary can be found on page two.
On 15 January 2020, the Council of the European Union published its position and findings on the application of GDPR, ahead of a review and evaluation of the legislation by the European Commission, which is due to submit a report by 25 May 2020. See this link. Among other things, while the Council notes that GDPR was drafted to be technologically neutral and its provisions already address the new challenges associated with emerging technologies, it considers that it is necessary to clarify as soon as possible how GDPR applies to these technologies.
Cybersecurity update
On 27 January 2020, the government announced new legislation to improve security standards of internet-connected household devices. The measures set a new standard for best practice requirements for companies that manufacture and sell consumer smart devices or products.
A guide which brings together for the first time knowledge from the world’s leading cybersecurity experts was launched recently in London. The National Cyber Security Centre (NCSC) says that the ‘Cyber Security Body of Knowledge’ has the potential to help organisations to better protect themselves. It covers the foundations of cybersecurity, ranging from the human element through to issues in computer hardware security. See this link.
The NCSC published a complete refresh of all of its end-user device content (mobile device guidance) for organisations. See the blog post for details and a link through to the guidance.
And finally, the NCSC also recently released guidance to assess the security of voice, video and messaging services. See the blog post for details and a link through to the NCSC’s secure communication principles. Feedback on the principles is requested by 30 April 2020.

Health and Safety – January 2020
Government measures to improve building safety; latest sentencing news; medical devices cybersecurity guidance; and more.
Government announces raft of measures to improve building safety standards
On 20 January 2020, warning that the slow pace of improving building safety standards will not be tolerated, the Housing Secretary announced a package of measures to improve building safety in the wake of the Grenfell Tower disaster in June 2017. Key points are:
- A new building safety regulator will be established within the Health and Safety Executive (HSE). It will be established in shadow form immediately, ahead of being fully established following legislation. The new regulator will raise building safety and performance standards, including overseeing a new, more stringent regime for higher-risk buildings.
- The government will work with local authorities to support them in their enforcement options where there is no clear plan for remediation from building owners.
- Building owners who have not taken action to remove unsafe cladding from their buildings will be named from next month. To speed up remediation, a construction expert will be appointed to review remediation timescales and identify what can be done to improve pace in the private sector.
- The government has published consolidated advice for building owners on the measures they should take to ensure their buildings are safe, including in relation to fire doors.
- The government is seeking views on how to assess and prioritise fire safety risks and how to better understand the complexity of building risk to ensure that an appropriate level of safety is achieved in existing buildings. Responses are requested by 17 February 2020.
- The government is consulting until 13 April 2020 on the current combustible cladding ban, including proposals to lower the 18 metre height threshold to at least 11 metres.
- The government consulted last year on sprinklers and other fire safety measures in new high-rise blocks of flats, including proposals to reduce the trigger height at which sprinkler systems are required. Detailed proposals on how it will deliver the technical review of fire guidance will be set out in February 2020.
- An upcoming Fire Safety Bill will clarify the Fire Safety Order (Regulatory Reform (Fire Safety) Order 2005), requiring residential building owners to fully consider and mitigate the risks of any external wall systems and front doors to individual flats.
On 21 January 2020, the government published its response to the Grenfell Tower Inquiry Phase 1 report, setting out the steps it is taking to implement the report’s recommendations and the wider work it is doing to make buildings safer.
Latest sentencing news
Tesco Stores Limited was fined £733,333 after an elderly customer slipped on water pooling from leaking refrigerator units and suffered multiple injuries which left him unable to bend his leg. The company failed either to cure the underlying blockage or effectively deal with the leakage over an extensive period of time before the incident. The judge found that the company had been highly culpable, the maintenance issues repeatedly reported should have been identified and addressed at area management level, and there was a high likelihood of people slipping and sustaining a material level of injury.
A Sheffield company was fined £700,000 (with full costs of just under £170,000) after a worker was fatally wounded by shrapnel ejected from testing equipment. The HSE inspector said: “This was a tragic and wholly avoidable incident, caused by the failure of the company to identify any additional risks that arise when work processes are adapted. Companies should accurately identify and control all potential hazards in the workplace and thereafter monitor performance through effective supervision.”
A construction company was fined £500,000 after a worker was killed while carrying out demolition work. The HSE investigation found, among other things, that in the weeks before the incident CCTV from overhead cameras showed demolition work had been carried out unsafely. The HSE inspector said: “In the weeks prior to this tragic incident workers were regularly put at an acute risk of falling. This is a case of a company wanting to have good systems to protect the workers, but not paying enough attention to what was actually happening at the site.”
New electrical safety standards in the private rented sector
Please see our recent briefing for details.
Medical device cybersecurity guidance published
The European Medical Device Coordination Group recently published guidance on how to fulfil the cybersecurity requirements of the Medical Devices Regulations (MDRs) [1]. The guidance explains that the MDRs set out new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.
[1] Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices, which apply fully from 26 May 2020 and 26 May 2022 respectively.