Regulatory round-up – March 2018


Consumer and Retail Finance – March 2018
Latest from the FCA, including recent speeches, consultations, final rules and guidance; other sector news.
Financial Conduct Authority (FCA)
The FCA is marking four years since taking on responsibility for consumer credit regulation.
On 15 March 2018, the FCA’s Director of Supervision – Retail and Authorisations gave a speech on ‘Getting affordability right in consumer credit’. He discussed the warning signs of future problems that the consumer credit sector might want to consider strategically as an industry, the key issues that the FCA is still seeing in relation to creditworthiness and affordability, and how firms can pre-empt issues by fostering a healthy, sustainable business model and culture. On the same day, the FCA published an update on motor finance, setting out the main findings of its review so far and the particular areas of concern it now intends to focus on. The review is due to be completed by the end of September 2018.
On 20 March 2018, the FCA’s Executive Director of Strategy and Competition gave a speech ‘Beyond regulation: thinking creatively about consumer credit’. He spoke of how there are over 24 million people with debt on credit products across the UK and regulation of the credit sector “is not a cold academic exercise…A market like this, where the consequences of our decisions are so acute, requires us to get under the skin of a series of complex problems and think creatively about the solutions we apply to them”. He discussed how the existing rules are being upheld, looking beyond existing regulation to identify and fill any gaps (for example, the new rules on persistent credit card debt), working with others to address failure in the market and influence demand, and the role of innovation in securing better outcomes for consumers. Among other things, the FCA hopes to see the emergence of more business models that can provide commercially sustainable, mid-cost lending.
The FCA recently published a discussion paper on transforming culture in financial services. It considers what a good culture might look like, the role of regulation and regulators, how firms might go beyond incentives, and how to change behaviour for the better. The FCA says that as a regulator it has “long gone beyond having the mindset that simply complying with rules is enough” and it wants “to promote a discussion and consensus on the essential features of a healthy culture and how firms, regulators, employees and customers can help deliver that culture”.
In a speech on the same subject, the FCA’s Chief Executive referred to “positive culture”, which “goes right to the heart of what firms and their staff are, what values they represent and the positive ethical customs. It also requires that we all…, as regulator and employer, are prepared to pursue cultural change for the better, in our own world and as part of society more broadly”. He concluded that the role of regulation in culture “is not to attempt sweeping rules, but rather to use rules and supervision to create the right incentives and to provide tools to diagnose the key characteristics”.
Changes to the FCA Handbook were published in Handbook Notice 52, including to align the Financial Crime Annual Return (REP-CRIM) to the Money Laundering Regulations 2017 (MLR) and politically exposed persons guidance.
Further changes were published in Handbook Notice 53, including to the Consumer Credit Sourcebook in relation to problem credit card debt (consultation feedback and final rules were published in February 2018) and in relation to staff incentives, remuneration and performance management (see the recently published policy statement and finalised guidance – these rules come into force on 1 October 2018 and no substantial changes have been made to the content from the July 2017 consultation).
Citizens Advice is calling on the FCA to extend its definition of high-cost short-term credit to include home credit loans. See the recent press release and Doorway to Debt publication.
Rent-to-own firm PerfectHome has agreed a redress scheme of over £2.1 million, after customers were issued with unaffordable loans. See the FCA’s press release. Citizens Advice is calling for stronger protections for all rent-to-own consumers.
The FCA’s latest quarterly consultation paper includes proposed changes to its rules and guidance under the Payment Services Regulations 2017.
Payment service providers that offer payment accounts must report certain data to the FCA by 30 April 2018. See the FCA webpage for details.
At the beginning of the month, the FCA wrote a Dear CEO letter to firms that enter into regulated second charge mortgage contracts, asking them to review their mortgage lending processes and confirm to the FCA, by 1 May 2018, that they are lending responsibly and that their processes, systems and controls ensure that they are doing so. See our recent briefing for more details.
The FCA and Bank of England released the latest mortgage lending statistics, covering the period to the end of Q4 2017, on 13 March 2018.
On 21 March 2018, the FCA published its Approach to Supervision paper (which shows how it aims to be more forward-looking and pre-emptive in its supervision of firms) and its Approach to Enforcement paper (which outlines how the FCA conducts investigations and its powers). These are the latest in a series of documents that the FCA committed to publish following the launch of its Mission. Consultation on the two papers closes on 21 June 2018 and final documents will be published later in 2018. See the FCA’s press release. The FCA recently finished consulting on its approach to authorisation, which was the subject of a speech given by the FCA’s Director of Authorisations on 14 March 2018.
Upcoming publications:
- A policy statement on regulatory fees and levies: policy proposals for 2018/19 is expected in April 2018 and a two-month consultation on FCA regulated fees and levies: rates proposals for 2018/19 will be launched in April 2018.
- A policy statement setting out the FCA’s final rules and guidance on assessing creditworthiness in consumer credit is due to be published in Q2 2018.
- A policy statement on reviewing the funding of the Financial Services Compensation Scheme is expected in Q2 or Q3 2018.
- An interim report on the FCA’s review of the retained provisions of the Consumer Credit Act 1974 will be published in summer 2018. There will be a series of roundtable discussions and other stakeholder engagement in the second half of 2018 with a final report due by 1 April 2019.
- As reported in previous editions of the Regulatory round-up, the FCA consulted towards the end of last year on extending the Senior Managers and Certification Regime to all firms authorised under the Financial Services and Markets Act 2000. The FCA aims to publish a summary of responses and a policy statement in summer 2018. It expects that the regime will commence from mid-to-late 2019 (HM Treasury sets the timetable for implementation).
Other sector news
On 20 March 2018, the government published a Financial Inclusion Statement of Intent, following its announcement earlier in the year that £55 million from dormant bank and building society accounts will fund financial inclusion initiatives. The Financial Inclusion Policy Forum met for the first time the previous day. Its mission is “to ensure that people, regardless of their background or income, have access to useful and affordable financial products and services”.
The ‘End High Cost Credit Alliance’ was formally launched on 20 March 2018. It was founded in 2017 by the actor and activist Michael Sheen. Members “are committed to working together to deliver greater impact through collective action, campaigns and public engagement”.
The Chief Ombudsman and Chief Executive at the Financial Ombudsman Service has responded to a letter from the Chair of the Treasury Committee following concerns about decision-making and governance raised in a recent Channel 4 Dispatches programme.
On 12 March 2018, the Banking Standards Board (BSB) published its Statement of Principles for Strengthening Professionalism: The role of the firm, following a year-long project “to explore ways of strengthening professionalism in the UK banking sector for the benefit of employees, customers, clients and wider society”. The BSB also recently published its Annual Review 2017/2018, which includes the key findings from the largest ever survey of behaviour, competence and culture in UK banking.
The Payment Systems Regulator (PSR) has responded to UK Finance’s annual fraud figures for 2017, which include information on authorised push payment scams. The PSR also recently published its third annual report on access and governance and annual plan for 2018/19.
In a speech delivered on 22 March 2018 at the International FinTech Conference, the Chancellor launched the government’s new Fintech Sector Strategy, which is “about creating the best possible ecosystem for Fintech to thrive”. Among other things, the government will establish a ‘Cryptoassets Task Force’ comprising HM Treasury, the Bank of England and the FCA, to “explore further the risks of cryptoassets and the potential benefits of the underlying distributed ledger technology, as well as to assess the future response of the appropriate authorities, including around regulation”. It aims to report back in summer 2018. Digital currency exchange Coinbase has recently been granted an e-money licence by the FCA.
In a speech given at the same event, the Deputy Governor for Markets and Banking at the Bank of England discussed the evolving financial sector and the Bank of England’s role: “It is important that the Bank of England is attuned to the needs and challenges of a changing financial sector so that it can translate that to facilitating the infrastructure changes needed to support the UK’s financial sector and fintech development. But how to do this? In my view, by being open. More specifically, by the Bank of England being open minded, keeping an open door, and being open to change”.
The Lending Standards Board (LSB) recently hosted its third roundtable event with its registered firms, FinTechs and the wider industry, on how digital offerings can be developed to help identify and support customers in vulnerable situations. See this link for some of the key messages coming out of the discussion. The LSB has recently been consulting on a review of the Standards of Lending Practice for personal customers.
HM Treasury has issued a call for evidence on ‘Cash and digital payments in the new economy’. Questions are set out on pages 22 and 23 and responses are requested by 5 June 2018.
In a speech delivered to the Innovate Finance Global Summit, the City Minister announced the winners of the government’s Rent Recognition Challenge, “a £2 million competition to develop applications that help renters boost their credit scores, access credit and get on the housing ladder”. At the same event, the FCA’s Executive Director of Strategy and Competition gave a speech ‘Regulating innovation: a global enterprise’, in which he discussed the international dimension of FinTech, the merits of establishing a global sandbox, and the potential power of the sandbox to solve global problems like money laundering.
In Europe, the European Commission recently published its FinTech action plan and the European Banking Authority published its FinTech Roadmap.
On 5 March 2018, the Joint Money Laundering Steering Group’s December 2017 revised Guidance received ministerial approval. The Guidance can be found here.
HM Treasury has published an updated advisory notice on money laundering and terrorist financing controls in higher risk jurisdictions, following the latest publication from the Financial Action Task Force (FATF). The MLR require the UK regulated sector to apply enhanced customer due diligence to high-risk countries.
On 16 March 2018, the FATF published its report to the March 2018 G20 Finance Ministers and Central Bank Governors’ meeting, setting out its ongoing work to fight money laundering and terrorist financing. Particular areas of focus include the risks and opportunities of FinTech, RegTech and virtual currencies.
In relation to cybersecurity, the World Economic Forum published a white paper setting out research-based solutions to address innovation-driven cyber-risk to customer data in financial services, and the Financial Stability Board (FSB) is developing a cyber lexicon “to support the work of the FSB, standard-setting bodies, authorities and private sector participants, e.g. financial institutions and international standards organisations, to address cyber security and cyber resilience in the financial sector”.
The Joint Committee of the European Supervisory Authorities has published its final report on Big Data, analysing its impact on consumers and financial services firms. It found that, overall, the benefits of Big Data innovation currently outweigh the potential risks to financial services consumers.

Data Protection – March 2018
Latest on GDPR, the UK’s Data Protection Bill, WhatsApp, Facebook, enforcement action, cybersecurity and more.
Latest on the EU General Data Protection Regulation (GDPR)
On 22 March 2018, the Information Commissioner’s Office (ICO) published draft guidance on Data Protection Impact Assessments (DPIAs). The guidance will replace the ICO’s previous code of practice on conducting privacy impact assessments. GDPR introduces a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests. While DPIAs are a legal requirement for processing that is likely to be high risk, the ICO says that “an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals”. The “In brief” section on page 5 explains what organisations need to do in the run up to 25 May 2018, when GDPR comes into force. The ICO has also published a blog post on the consultation, which closes on 13 April 2018.
The ICO continues to update its Guide to the GDPR. It has published detailed guidance on legitimate interests and expanded its pages on DPIAs, Data Protection Officers, the right to be informed, the right to erasure, the right to rectification and the right to restrict processing.
The ICO’s guidance on direct marketing has been updated to include boxes on GDPR. The guidance will be replaced following consultation in due course on a Direct Marketing Code of Practice. Key points to note are:
- until the new e-Privacy Regulation is finalised, the existing PECR (Privacy and Electronic Communications Regulations) rules will apply using the GDPR definition of consent
- consent must therefore be unambiguous and involve an affirmative action (this means a positive opt-in) unless soft opt-in can be relied upon
- pre-ticked opt-in boxes are banned under GDPR and, while opt-out boxes are not specifically banned, the ICO’s view is that they are unlikely to comply
- consent should not be bundled up as a condition of service unless it is necessary for that service, as made clear under GDPR
- any third party controllers who will be relying on the consent must be named – precisely defined categories of third parties will not be acceptable
- organisations must keep records to demonstrate that they have obtained valid consent, including who consented, when, how, and what they were told
- as set out in GDPR, individuals must be told about their right to withdraw consent and offered easy ways to do so at any time
- the absolute right to object to marketing under GDPR applies to business-to-business direct marketing
- the right to object to direct marketing does not prevent a controller from holding a suppression list; the list is held for compliance purposes as opposed to direct marketing.
The final content of the European-level guidelines on consent under GDPR is expected to be agreed on 10/11 April 2018, after which the ICO will publish a final updated version of its own guidance.
The ICO recently launched a campaign to help micro businesses prepare for GDPR. See the press release here. It is also supporting the Federation of Small Businesses campaign to help small businesses prepare for GDPR.
The Fundraising Regulator and the Institute of Fundraising have produced a series of joint guidance briefings on GDPR and charitable fundraising.
The Crown Commercial Service recently published a blog post on what it is doing to get ready for GDPR and what organisations will need to do. It previously published a guide on GDPR for public sector buyers.
Nominet UK, the .uk domain name registry in the UK, is consulting on its proposed changes to comply with GDPR.
Insurance Europe has developed a suggested template to meet the obligation for data controllers to notify data breaches to the competent supervisory authority (for example, the ICO) without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. It says that the template could be of particular interest to SMEs and supervisory authorities. See the webpage here.
And finally, the European Data Protection Supervisor’s 2017 Annual Report – Data Protection and Privacy in 2018: going beyond the GDPR was published on 19 March 2018.
Latest on the UK’s Data Protection Bill
The ICO has now published an introduction to the Data Protection Bill. It intends to produce detailed guidance once the Bill has been enacted. The current Data Protection Act 1998 will be superseded by the new Data Protection Act 2018 on 25 May 2018.
The Bill passed its second reading in the House of Commons on 5 March 2018 and, at the time of writing, MPs were considering it in a Public Bill Committee, which can take evidence as part of its scrutiny of the Bill. The latest version of the Bill can be found here.
The Information Commissioner produced a briefing ahead of the second reading. She has since provided written evidence and further written evidence to the Public Bill Committee. She says that there are a small number of outstanding issues which, if not resolved, could have a significant impact on her ability to conduct investigations and exercise her powers and functions in an independent and effective way. Her most significant concerns centre on: her ability to acquire the information she needs to assess whether the law has been broken; her independence when assessing whether processing of personal data by certain public bodies is in compliance with the law; and the breadth and effect of the exemption for defence purposes removing safeguards, individual rights and reducing the Commissioner’s powers. In her most recent submission she expresses concern over an agreed government amendment to the Bill which adds democratic engagement activity to the list of examples of processing activities that could be undertaken on the grounds of lawfulness of processing in the public interest, and deficiencies in her enforcement powers in relation to DPIAs in the area of law enforcement.
Debates are ongoing concerning the government’s decision not to include a provision in the Bill to exercise the available derogation at Article 80 (2) of GDPR. This allows not-for-profit organisations acting in the public interest to lodge complaints and exercise data subjects’ rights independently of the data subjects’ mandate (known as “collective redress”).
In its recent report on UK-EU security cooperation after Brexit the Home Affairs Committee considers the potential obstacles to data adequacy. It says that the evidence it has received “suggests that the UK’s current compliance with EU data protection law is no guarantee of obtaining a data adequacy decision without encountering challenges”, for reasons which include:
- that the EU, when deciding on the question of adequacy, may examine the UK’s data protection regime relating to national security legislation, including controversial powers conferred by the Investigatory Powers Act 2016 (human rights organisation Liberty was recently in court to challenge mass surveillance powers in the Act)
- the government’s apparent failure to incorporate into UK law the data protection provisions of the EU’s Charter of Fundamental Rights
- the Data Protection Bill itself, because it denies data protection rights to certain people subject to immigration controls
- the government’s “red line” on the future direct jurisdiction of the Court of Justice of the European Union.
In relation to the timeline for adequacy, the Committee says that, based on the evidence it has received, it has “serious concerns about the number of potential obstacles to the UK achieving an EU adequacy decision within two years. The Government’s position – that the UK’s current compliance with EU data protection law should enable consistency after Brexit Day – takes no account of the different rules governing third countries’ access to EU data. At best, this response is evasive; at worst, it suggests that the Government is worryingly complacent about the UK’s future access to EU data”.
As the Information Commissioner said in a recent speech discussing her varied roles: “Should the UK leave the EU without a data deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners”. In relation to Brexit, the Information Commissioner also mentioned: possible divergences of interpretation of the law and confusion for companies that do business in the UK and the EU; uncertainty over the exact nature of the ICO’s future relationship with its European counterparts; and uncertainty over the arrangements for the protection of EU citizens’ data exported from the UK to the rest of the world, including to the United States.
WhatsApp undertakes not to share personal data with Facebook
WhatsApp Inc, operator of the WhatsApp mobile messaging service, has signed an undertaking with the Information Commissioner, publicly committing not to share personal data with Facebook until it can do so in compliance with GDPR. WhatsApp was acquired by Facebook in 2014 and the ICO recently completed its investigation into the sharing of personal data between WhatsApp and the Facebook group of companies. See the ICO’s comprehensive blog post here.
On the subject of Facebook…
Facebook’s founder has apologised following recent allegations that personal data from over 50 million of its users was improperly harvested and used by UK political consultancy firm Cambridge Analytica to influence the 2016 US presidential election and Brexit referendum. The ICO executed a warrant on 23 March 2018 to inspect the premises of Cambridge Analytica, as part of its ongoing formal investigation into the use of data analytics for political purposes, given the potentially significant impact of data analysis tools on individuals’ privacy. See the ICO’s latest statement here. It has been widely reported that Facebook is facing investigations by the US Federal Trade Commission and the EU.
Recent ICO enforcement action and other news
The ICO raided addresses in Greater Manchester as part of an investigation into companies suspected of sending over 11 million unsolicited text messages.
A Scottish company was raided as part of an ICO investigation into the making of over 200 million illegal nuisance calls, some of which were made to a public safety control centre for unmanned level crossings, potentially putting lives at risk. 146 million calls is the highest number to date to result in an ICO fine.
The ICO published a blog post Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection, which will be of particular interest to manufacturers and retailers.
An international operation involving the ICO has found that the affiliate marketing industry “has significant issues to overcome in terms of compliance with rules concerning privacy and unsolicited communications”. See the ICO’s webpage here.
The ICO published its first ever Technology Strategy, covering the period 2018 to 2021. One of the ICO’s eight technology goals is to provide effective guidance to organisations about how to address data protection risks arising from technology. Cybersecurity is one of three technology priority areas identified for 2018/2019.
A public education campaign called “Your Data Matters” will be launched in April 2018 to educate the public on their new rights under data protection law.
“Digital Government” provisions of the Digital Economy Act 2017 come into force on 1 May 2018
Various provisions in Part 5 of the Digital Economy Act 2017, which gives government new powers to share personal information across organisational boundaries to improve public services, come into force on 1 May 2018. The government consulted in late 2017 on various draft data sharing codes of practice, regulations and a statement of principles as required under Part 5 of the Act. Revisions have been made in light of the comments received.
Cybersecurity update
The National Cyber Security Centre has launched its first cybersecurity guidance for the charity sector. Other recent publications include guidance on denial of service attacks and guidance on how organisations can defend themselves against email phishing attacks.

Health and Safety – March 2018
New Code of Practice for product safety recalls, sentencing update, new international standard and other news.
New Code of Practice for product safety recalls
The British Standards Institution (BSI) and the new Office for Product Safety and Standards (OPSS) have launched the first ever government-backed Code of Practice for product safety recalls in the UK called PAS 7100. The creation of OPSS and the Code of Practice follow on from recommendations set out in the July 2017 report of the Working Group on Product Recalls and Safety, to which the government responded in January 2018.
The Code of Practice, which is voluntary, is divided into two parts. The first part is focused on non-food consumer products and is aimed at manufacturers, importers and distributors. Among other things, it includes details of how a business can monitor the safety of products and plan for a product recall. The second part is aimed at regulators (including local authority Trading Standards) and sets out details of how they can support businesses in their preparation of a product safety incident plan, monitoring of incidents and implementation of corrective action. The Code is accessed through the BSI’s website.
In other news, OPSS carried out its first enforcement action when it fined a British timber operator £4,000 for breaching regulations which require businesses trading in timber and timber products in the UK to ensure that their products originate from legal sources.
Sentencing update including latest wave of £1 million-plus fines
- Southern Health NHS Foundation Trust has been fined £2 million for failings relating to the deaths in 2012 and 2013 of two patients in its care.
- Martin Baker Aircraft Company Limited was fined £1.1 million (and ordered to pay costs of £550,000) after a Red Arrows pilot died when his ejection seat failed due to a mechanical fault. A Health and Safety Executive (HSE) investigation found that the company had “failed to take all reasonably practicable steps to protect users from the risk of harm after it was told of concerns regarding the shackles which deployed the main parachute”.
- A plastic product manufacturer was fined £1 million following the death of a delivery driver who had been struck by a fork lift truck. The HSE inspector said: “There are more than 5,000 accidents involving transport in the workplace every year, and, like in this case, sadly some of which are fatal. The HSE investigation found the yard was not organised to allow safe circulation of people and traffic as appropriate routes were not identified and therefore insufficient in number. A properly implemented Traffic Management Plan should have identified sufficient measures for the separation of vehicles and people including protected walkways, clear signage and barriers”.
- Poundworld received a total fine of more than £1.1 million for a combination of health and safety and food safety offences at one of its high street stores. Croydon Council food safety officers had been alerted to an out-of-control rodent infestation, and found a number of other health and safety issues in the store. According to Croydon Council’s press release, Poundworld was acquired in 2015 by Poundworld Bidco Limited on behalf of funds controlled by TPG Capital, a global private equity investment firm with assets worth more than US$ 80 billion. The sentencing judge said that, “in the absence of being given sufficient reliable information” she was “entitled to draw reasonable inferences that Poundworld can pay any fine”, after a request for details of TPG was declined on the basis that Poundworld, TPG and other companies are not linked organisations.
- Network Rail Infrastructure Limited was fined £733,000 for failing to undertake adequate maintenance to prevent a freight train derailment. The Office of Rail and Road found that Network Rail’s short and medium term repairs were ineffective and a planned long term solution had not been implemented – “it was only a matter of time before a derailment took place, creating a genuine risk to passengers and the public”.
HSE issues new advice to employers on manual handling risks
The HSE recently issued new web-based advice for employers on how to tackle musculoskeletal disorder risks in the workplace. The accompanying press release quoted the following from the launch event: “Our research shows that simplistic training involving bending your knees to lift a cardboard box is just a waste of time and money, it just doesn’t make any difference. The overall aim is to avoid and reduce manual handling, and that’s where employers should start if their workforce faces manual handling risks. Don’t start with training, start with re-organising and redesigning your working practices. If you do need staff training, and there are many residual risks where this is the case, then this needs to be customised and professionally delivered. Any such training should be based on observations of current working practices, and should be informed by the views and experience of the workforce”.
New occupational health and safety standard published
The International Organisation for Standardisation (ISO) standard ISO 45001 (‘Occupational health and safety management systems – Requirements’) has now been published. See this link for further details. The BSI reports that ten companies have already achieved conformity to the new standard.
Industry working groups inform independent review of building regulations and fire safety
Dame Judith Hackitt has heard advice from the chairs of various industry working groups established following the publication of her interim report in December 2017 and a summit meeting held in January 2018. She will now consider their advice as she develops the recommendations for her final report, which is due to be published in spring 2018. The working groups were asked to consider how to develop elements of a more effective building regulations and fire safety system. See the government’s press release for more information.
Construction sector invited to stand down for health and safety campaign
On 18 April 2017, organisations from the UK infrastructure sector took part in the first UK-wide health and safety stand-down under the ‘Stop. Make a Change’ initiative, which was launched in November 2016 and is aimed at promoting health and wellbeing. The event is being expanded this year to include the whole of the UK construction sector. It will run for a two-week period from 16 April and will focus on the priorities of mental health and plant safety. Further details can be found here.