Regulatory round-up – June 2018


Consumer and Retail Finance – June 2018
Latest from the FCA, including high-cost credit consultations. Other sector news, including FOS annual review findings.
Financial Conduct Authority (FCA)
On 31 May 2018, the FCA published the much-anticipated findings and proposals from its 18-month high-cost credit review. They focus on rent-to-own, home-collected credit, catalogue credit, store cards and overdrafts – areas presenting particular risks to consumers. As part of its wider consumer credit work, the FCA has already introduced: a high-cost short-term credit (HCSTC) price cap; rules to tackle persistent credit card debt; and guidance on staff incentives, remuneration and performance management. The two high-cost credit consultation papers can be accessed here. Responses to the questions on rent-to-own pricing are requested by 13 July 2018. All other responses are requested by 31 August 2018. Final rules are not expected to apply before 2019. The proposals aim to give high-cost credit users greater control and protection:
- In relation to home-collected credit, the FCA is not currently planning a price cap, as its concerns centre on the risks of repeat borrowing, in particular the costs of refinancing. This decision has disappointed campaigners, who have been calling on the FCA to extend its definition of HCSTC to include home credit loans. The FCA is consulting on information requirements for refinancing and further borrowing. The proposals will require customers to be provided with full information on the costs of refinancing compared to taking a concurrent loan where both options are available. The FCA is also consulting on guidance on its interpretation of section 49 of the Consumer Credit Act 1974, which prohibits the canvassing of cash loans off trade premises. The industry currently operates on the basis that a customer’s written Request to Call (RTC) to discuss a new loan can be valid for a period and cover multiple loans. The FCA disagrees and wants to see a fresh RTC for every visit where a new loan is discussed. Whilst acknowledging that only the courts can give a definitive view, the FCA will consult on guidance to support its view. It will be interesting to see whether the home credit sector is prepared to push this issue to a judicial determination.
- Issues with rent-to-own pricing have convinced the FCA to consider a potential price cap. Applying a cap in this sector will be problematic, not least as there is currently no legal definition of rent-to-own and the FCA’s proposal (that it should cover all hire purchase and conditional sale agreements where consumers make payments more often than monthly, excluding motor finance) is easy to circumvent. Unsurprisingly, the FCA acknowledges that significant additional analysis is required on the structure of a possible cap and requests suggestions for alternative solutions. It is consulting now on rules to ban the sale of extended warranties alongside rent-to-own agreements at the point of sale.
- A package of proposed rules on catalogue credit and store cards aims to address concerns surrounding credit offers, consumer choice and control over credit limit increases, treatment of consumers at risk of financial difficulty, and potential problem debt. This includes intervention for persistent debt cases as well as clearer warnings about how ‘buy now pay later’ offers work and the costs incurred if customers don’t repay within the period.
- FCA research shows that overdrafts are poorly understood, with low consumer engagement and weak competition. The high level of unarranged overdraft charges is a particular concern. The FCA is consulting on a package of remedies to encourage competition through increasing consumer awareness. It is also discussing more direct interventionist measures to address the complexity of overdrafts, high level of fees and repeat overdraft use. This includes a ban on fixed fees and a backstop price cap on overdraft charges. The FCA will undertake further analysis to model the impact of these measures, including drawing on the work from its review of retail banking business models. It aims to consult on any specific proposals later in 2018. Again, campaigners have expressed disappointment that the FCA’s immediate plans do not go far enough.
See the press releases from debt charity StepChange, Citizens Advice and consumer group Which?, commenting on the FCA’s high-cost credit proposals. In a recent letter to the FCA, signed by 84 MPs, Which? demanded urgent action on restricting unarranged overdraft charges to the same level as arranged overdrafts. New research conducted by Which? found that the most expensive overdraft fees cost seven times as much as a payday loan.
On 20 June 2018, the FCA published the latest analysis from its Financial Lives survey, which highlights the different financial services experiences of consumers in rural and urban areas, including the use of high-cost loans.
The FCA has published the draft text of a number of recent speeches: its Director of Supervision (Retail and Authorisations) gave a speech on ‘Building Societies and the Future of Retail Banking’; its Executive Director of Strategy and Competition gave a speech on the FCA’s approach to competition and innovation, including Fintech and Open Banking, and a separate speech on ‘Technology and global ties: turning the tide on financial crime’; its Director of Enforcement and Market Oversight gave a speech which looked at whether the banking industry has improved ten years on from the start of the financial crisis; and its Executive Director of Supervision (Investment, Wholesale and Specialists) gave a speech on ‘Turning technology against criminals’.
Following on from the publication in March 2018 of its discussion paper on transforming culture in financial services, the FCA recently published a summary of the issues discussed at its Transforming Culture Conference which took place on 19 March 2018. The document also sets out the FCA’s next steps in this area.
The FCA and Bank of England released the latest mortgage lending statistics, covering the period to the end of Q1 2018. Among other things, they show a decrease in mortgage lending activity compared with the previous quarter.
The FCA published a report setting out the findings of research to identify the most effective messages for a series of ‘prompts’ (messages designed to encourage greater account engagement and encourage customers to consider switching) and ‘alerts’ (messages designed to increase awareness of overdraft use and encourage people to take action to avoid incurring charges). This work follows on from the Competition and Markets Authority’s retail banking investigation. The report sets out, starting at the end of page 4, a number of key prompt and alert design features that could potentially act as guidance for banks.
On 11 June 2018, the FCA wrote a Dear CEO letter on good practice regarding how banks handle the financial crime risks posed by cryptoassets. The UK’s new Cryptoassets Taskforce met for the first time on 21 May 2018.
And finally, the FCA has published a guide on the basics of network security. See the Data Protection section of this Regulatory round-up for the latest on cybersecurity.
Other sector news
The government announced that Sir Hector Sants, current chairman of StepChange and a former CEO of the Financial Services Authority, has been appointed chair of the new single financial guidance body, for a five-year term starting on 3 October 2018. The CEO of the Money Advice Service recently gave a speech ‘Investing in quality – the future of debt advice’, in which he discussed the value of debt advice, the work of the single financial guidance body, and the recommendations from the independent review of the funding of debt advice, which was published earlier this year.
The Financial Ombudsman Service (FOS) published its annual review for 2017/2018. Vulnerability is a key theme. In 2017/2018, the FOS saw a 146% increase year-on-year in complaints about home credit. There was a 40% increase in complaints about consumer credit products and services, and a 64% increase in relation to payday loans. The FOS says that it has seen an increasing number of complaints over the last couple of years involving instalment loans, including high-cost instalment loans which are taken out as a way of refinancing unaffordable payday loans. In some cases, the use of instalment loans has led to mounting and unsustainable debt, with lenders offering loans which people could never have afforded.
On 18 June 2018, the government published the response to its October 2017 call for evidence seeking further insight from the debt advice sector and creditors on how best to design a six-week breathing space scheme for individuals in debt. The government will outline a policy proposal for consultation later in the summer and intends to lay regulations to establish the scheme during 2019.
The government has appointed four “industry champions” to expand the dormant assets scheme across their respective sectors. See the press release.
The Bank of England has responded to HM Treasury’s March 2018 call for evidence on ‘Cash and digital payments in the new economy’. Among other things, it says that the usage of cash is evolving, but there is, and is likely to remain for the foreseeable future, a significant public demand for banknotes.
On 12 June 2018, the European Commission published a report to the Parliament and Council on the findings of a study and public consultation on restrictions on cash payments, to help the fight against terrorism financing and money laundering. It concludes that cash restrictions would not significantly address the problem of terrorism financing, but preliminary findings indicate that a prohibition on high value payments in cash could have a positive impact on the fight against money laundering. The report notes that restrictions on cash payments are a sensitive issue for European citizens. Many of them view the possibility to pay in cash as a fundamental freedom, which should not be disproportionally restricted.
The European Central Bank published a speech delivered on 6 June 2018 by a member of its Supervisory Board, on the digitalisation of the banking sector, and whether we should feel threatened or excited by the rise of technology.
The Bank of England, in conjunction with the New Payment System Operator and the Payment Systems Regulator (PSR), is consulting until 18 July 2018 on the adoption of a global standard to modernise UK payments. See the press release for details.
The PSR recently published a discussion paper on how data is used in payment systems. It wants to understand what role it might play to make sure new uses of data work well for the people and businesses that use payment systems – through removing barriers to setting up new services, or through mitigating risks associated with them. Comments are requested by 3 September 2018.
On 21 June 2018, the PSR published a document setting out brief details of a range of ongoing and upcoming initiatives to combat authorised push payment scams, where a fraudster somehow persuades a consumer to organise a transfer from the consumer’s account to the fraudster’s account.
The Fifth Money Laundering Directive (MLD5), which was formally adopted by the Council of the European Union on 14 May 2018, has now been published in the Official Journal of the EU. Member States will be required to bring into force the laws, regulations and administrative provisions necessary to comply with MLD5 by 10 January 2020. In light of the Brexit transitional period and ongoing negotiations, it is unclear at this stage to what extent MLD5 will have to be transposed into UK law.
Still on the subject of money laundering, the European Commission has welcomed an agreement reached by the European Parliament and Member States on stronger rules criminalising money laundering.

Data Protection – June 2018
First GDPR complaints filed; Privacy Shield update; proposed fines for nuisance call directors; cybersecurity and more.
Latest on the EU General Data Protection Regulation (GDPR)…
Since the 25 May 2018 implementation date for GDPR, the Information Commissioner’s Office (ICO) has continued to update its Guide to the GDPR, to include detailed guidance on children and the GDPR and detailed guidance on determining what is personal data. It has also added guidance on the GDPR’s seven key principles.
The ICO launched a range of resources for its “Your data matters” public information campaign, including pages explaining the different personal data rights. See this post for more information about the campaign. Organisations can download and use the materials to help clients and customers understand how GDPR works. Those wanting to pledge their support for their customers’ or service users’ data rights can sign up to a public register and gain access to an exclusive banner for use on their communications materials.
Changes to the way that the ICO is funded came into force on 25 May 2018 (see our earlier briefing for details of what organisations need to do). The ICO’s new data protection fee webpage can be found here. The ICO’s register of fee payers is now publicly available.
The new European Data Protection Board (EDPB) replaced the Article 29 Working Party on 25 May 2018. The EDPB recently published its final guidelines on derogations applicable to international transfers under GDPR. It is currently consulting until 12 July 2018 on guidelines on certification and identifying certification criteria.
…as the first complaints are filed
Austrian privacy campaigner Max Schrems wasted no time in taking action under GDPR. On the same day that the GDPR came into force, his non-profit organisation “noyb” (meaning “None of Your Business”) filed multi-billion-euro complaints against Google, Instagram, WhatsApp and Facebook with various European data protection authorities, over the issue of “forced consent”. See the press release for details.
More news from Europe
At its first plenary meeting on 25 May 2018, the EDPB adopted a statement on ePrivacy. It calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the new ePrivacy Regulation.
On 31 May 2018, the European Data Protection Supervisor published a preliminary Opinion on the principle of “privacy by design” (a key feature of the accountability and governance requirements under GDPR), calling for “workable technology which serves the interests of society”. See the press release.
On 4 June 2018, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (known as the LIBE Committee) held the first part of a hearing on the Facebook/Cambridge Analytica case. On its website, the Committee says that: “The contributions made by speakers showed the need to further investigate the consequences this data breach has had on data protection and privacy, the possible impact on electoral processes, consumers’ trust in digital platforms, cybersecurity, the market position of Facebook etc”. The second part of the hearing is due to take place on 25 June 2018, when members will “question experts and Facebook representatives on issues such as data protection implications, alleged election interference and cybersecurity”.
In a separate but related development, the LIBE Committee has called on the European Commission to suspend the embattled EU-US Privacy Shield (the framework for transatlantic exchanges of personal data for commercial purposes) unless the US complies with it by 1 September 2018, saying that “the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter [of Fundamental Rights]”. It emphasises the need for better monitoring of the agreement (citing the fact that both Facebook and Cambridge Analytica are certified under the Privacy Shield). It is also concerned about a new US law granting the US and foreign police access to personal data across borders. See the press release here.
On the subject of the Privacy Shield, we reported in the previous edition of the Regulatory round-up that the Irish High Court has referred to the Court of Justice of the European Union 11 questions over the validity of the European Commission’s adequacy decisions on model contract clauses (following the complaint by Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US). Importantly, a number of these questions refer directly to the Privacy Shield. The second annual joint review of the Privacy Shield is due to be held in the autumn. Walker Morris will continue to monitor and report on developments.
Back in the UK…
The Department for Digital, Culture, Media & Sport and the Home Office have published various guidance on the new Data Protection Act 2018, which also came into force on 25 May 2018 and is to be read alongside GDPR.
The government is consulting until 21 August 2018 on taking action against directors in relation to nuisance calls and messages, including proposals to amend electronic marketing regulations to give the ICO increased powers to impose fines of up to £500,000. The ICO has welcomed the consultation.
On 7 June 2018, the Department for Exiting the European Union published a technical note on the benefits of a negotiated legally-binding data protection agreement between the UK and the EU; benefits which, it says, a standard adequacy decision (where the European Commission assesses whether a third country’s data protection standards are “essentially equivalent” to those applied in the EU) cannot provide. This includes a role for the ICO on the EDPB. The government previously published a presentation setting out its proposed future UK-EU framework in relation to data protection. In a speech delivered on 26 May 2018, the Commission’s chief Brexit negotiator rejected, among other things, the notion that the ICO could remain on the EDPB, and said that “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”.
On 13 June 2018, the Department for Digital, Culture, Media & Sport issued a consultation seeking views on the activities and work of the new Centre for Data Ethics and Innovation. In the words of the Secretary of State: “From helping us deal with the novel ethical issues raised by rapidly-developing technologies such as artificial intelligence, agreeing best practice around data use to identifying potential new regulations, the Centre will set out the measures needed to build trust and enable innovation in data-driven technologies. Trust underpins a strong economy, and trust in data underpins a strong digital economy”. The consultation closes on 5 September 2018.
Cybersecurity update
On 13 June 2018, Dixons Carphone announced that it had launched an investigation into unauthorised data access, affecting 5.9 million payment cards and 1.2 million personal data records. The National Cyber Security Centre, ICO and Financial Conduct Authority are among those investigating the breach.
Yahoo! was fined £250,000 by the ICO following a cyber attack in November 2014 which was only publicly disclosed almost two years later. Systemic failures put customer data at risk. In the accompanying blog post, the ICO’s Deputy Commissioner of Operations discusses the fine and reminds organisations of their cybersecurity responsibilities.
The British and Foreign Bible Society was fined £100,000 after intruders exploited a weakness in its computer network to access the personal data of 417,000 supporters.
Other recent ICO enforcement action
- BT was fined £77,000 for sending 4.9 million emails to recipients who had not given the necessary consent. While the company did not deliberately break the rules, the Information Commissioner found that it should have known the risks and it failed to take reasonable steps to prevent them.
- Gloucestershire Police was fined £80,000 after a bulk email was sent revealing the identities of abuse victims. The officer involved had not used the “Bcc” function on the email, meaning that names and email addresses, and other information relating to the allegations, were visible to other recipients, who included witnesses, lawyers and journalists.

Health and Safety – June 2018
Sentencing round-up; Hackitt Review developments; meaning of “defect” under Consumer Protection Act; gross negligence manslaughter in healthcare.
Sentencing round-up
- A construction company was fined £566,670 after a tipper vehicle driven by an employee touched, or came close to touching, overhead power lines. The driver was not hurt in the incident.
- Balfour Beatty Utility Solutions Limited was fined £500,000 after workers were exposed to hand-arm vibration over a nine-year period. The Health and Safety Executive (HSE) inspector said: “This case was about failing to protect workers. Exposure to hand-arm vibration is a well-known risk which Balfour Beatty Utility Solutions Ltd. failed to adequately control. The company failed to heed warnings. Early health surveillance detected ill health but still this was not acted upon to prevent on-going exposure. This is a particularly serious case because of the extent and duration of failures. The breaches were repeated over several years and this resulted in persistent poor compliance”.
- A waste disposal company was fined £250,000 after a worker fell into the compaction chamber of a baling machine and died. The HSE investigation found that the incident could have been prevented had the company devised and instructed workers on a safe method for clearing machine blockages: “Employers should make sure they properly assess and apply effective control measures to minimise the risk from dangerous parts of machinery. Maintenance work should only be carried out when the piece of equipment is isolated and confirmed safe. Companies should be aware that HSE will not hesitate to take enforcement action against those that fall below the required standards”. The HSE recently published a report into fatal accidents in the waste and recycling sector. See the press statement of the Chartered Institution of Wastes Management, which supported the research.
- A lead recycling company was fined £200,000 after a crane operator was trapped and injured by falling scrap lead when the bin it was contained in slipped while being lifted. The HSE investigation found that the work was not suitably planned and supervised by a competent person or carried out in a safe manner.
- The company director of a fireworks firm has been sentenced to ten years’ imprisonment. He was found guilty in May 2018 of two counts of gross negligence manslaughter, after two men died when an accidental ignition caused fireworks to explode and a catastrophic fire. Among other things, a police investigation found that he had been storing fireworks on the premises far in excess of the quantities that he was licensed to store there.
- Two fairground workers convicted of gross negligence manslaughter following the death of a seven-year-old girl in a bouncy castle incident have each been jailed for three years. They were also found guilty of a health and safety offence and sentenced to a further 12 months’ imprisonment, to run concurrently.
Developments following Dame Judith Hackitt’s final report on building regulations and fire safety
On the same day that Dame Judith Hackitt’s long-awaited final report on building regulations and fire safety was published (17 May 2018), the government swiftly confirmed that it would be consulting on banning the use of combustible materials and cladding systems on high-rise residential buildings. The Hackitt report had stopped short of recommending an outright ban. The government has now issued its consultation and responses are requested by 14 August 2018.
A steering group of organisations from the construction and fire sectors is working to “develop a plan for an overarching body to provide oversight of competence requirements and support the delivery of competent people”. The Hackitt report set out demanding expectations around improved levels of competence, including the development of a competence framework and oversight body. The group is being chaired by the Chief Executive of the Construction Industry Council. See their press release for more details.
As the public inquiry into the Grenfell Tower disaster continues, the Metropolitan Police is investigating London Fire Brigade’s use of a “stay-put” policy during the fire.
High Court’s further guidance on the meaning of “defect” under the Consumer Protection Act 1987
The High Court recently handed down its significant judgment in group litigation concerning allegedly defective metal-on-metal hip prostheses [1]. The decision provides useful guidance on the meaning of “defect” under the Consumer Protection Act 1987 (the Act), including that:
- The Act does not impose a warranty of performance on a producer. The test is not that of an absolute level of safety, nor is there an absolute liability for harm caused by a harmful characteristic: “All hip prostheses will eventually wear out and fail, if the patient survives long enough, and some will fail within 10 years: the natural propensity of a hip implant to fail therefore cannot be a “defect”, any more than the inevitable wear and tear that causes minute particles of debris to enter the patient’s body. Otherwise all hip implants would be “defective”…”
- The fact that a product fails following normal use and in circumstances in which a standard product would not have failed may be enough for the court to infer that it is defective. However, there might be circumstances in which a greater degree of specificity about a feature or characteristic that is said to make the product unsafe is required in order to prove the requisite lack of safety, for example, if the injury or damage could have arisen even if the product met the statutory safety standard: “… the claimant may have to establish that the failure of a product or a component in it was not due to ordinary wear and tear, but to something abnormal that caused it to fail when it should not have done; or that something must have happened to elevate the inherent risk to a level that was higher than the public was entitled to expect”.
- A producer is only liable for damage caused by a defect in its product. Proof of a causal connection between defect and damage can only be looked at by the court once the defect, if there is one, has been identified.
The Act implements Europe’s Product Liability Directive 1985 (the Directive) in England and Wales. As we reported in the previous edition of the Regulatory round-up, the European Commission recently published a report on the Directive. As part of its evaluation, the Commission will be assisted by an expert group on liability in interpreting, applying and possibly updating the Directive, including in light of developments in EU and national case law. This latest High Court decision is likely to feed in to that work.
Gross negligence manslaughter in the healthcare profession
On 11 June 2018, the government published the independent report from Professor Sir Norman Williams on gross negligence manslaughter in healthcare. The Williams rapid policy review was commissioned by the Secretary of State for Health in February 2018, “to consider the wider patient safety impact resulting from concerns among healthcare professionals that simple errors could result in prosecution for gross negligence manslaughter, even if they occur in the context of broader organisation and system failings. In particular, there was concern that this fear had had a negative impact on healthcare professionals being open and transparent should they be involved in an untoward event, as well as on their reflective practice, both of which are vital to learning and improving patient care”.
The report sets out a number of recommendations which “aim to support a just and learning culture in healthcare, where professionals are able to raise concerns and reflect openly on their mistakes but where those who are responsible for providing unacceptable standards of care are held to account”. The recommendations include the removal of the right of the General Medical Council (GMC) to appeal fitness to practise decisions by its Medical Practitioner Tribunal Service. The report says that “revised guidance to investigatory and prosecutorial bodies and a clearer understanding of the bar for gross negligence manslaughter in law should lead to criminal investigations focused on those rare cases where an individual’s performance is so “truly exceptionally bad” that it requires a criminal sanction”.
Separately, the GMC has commissioned an independent review led by Dame Clare Marx, past president of the Royal College of Surgeons, which will look into how cases of gross negligence manslaughter, and culpable homicide in Scotland, involving doctors are initiated and investigated. Written submissions are requested by 27 July 2018.
As we reported in the August 2017 edition of the Regulatory round-up, the Sentencing Council has been consulting on a draft sentencing guideline for gross negligence manslaughter (in addition to other forms of manslaughter). It is expected that the sentencing guideline will be published in September 2018, coming into force in December 2018. In its response to the consultation, the House of Commons Justice Committee made a number of recommendations, including that the Sentencing Council reconsider the proposed high culpability factors for gross negligence manslaughter, taking account of concerns raised by other respondents to the consultation, including those representing the views of medical practitioners. The Committee concluded that “there is a risk of the high culpability factors proposed for gross negligence manslaughter leading to inappropriately long custodial sentences, especially in relation to clinical decisions taken by medical practitioners in testing circumstances, and situations where junior employees have little control in their workplace environment”.
_______________________
[1] Gee and others v DePuy International Ltd (The DePuy Pinnacle Metal on Metal Hip Litigation), [2018] EWHC 1208 (QB)