Regulatory round-up – November/December 2019


Consumer and Retail Finance – November/December 2019
Latest from the FCA, including extension of the Senior Managers and Certification Regime; other sector news.
Financial Conduct Authority (FCA)
On 9 December 2019, the Senior Managers and Certification Regime (SMCR) was extended to around 47,000 firms. By 9 December 2020, solo-regulated firms will need to ensure that:
- all relevant staff are trained on the Conduct Rules and how they apply to their roles;
- all staff in certified roles are fit and proper to perform that role and are issued with a certificate; and
- they submit data to the FCA for the directory of key people working in financial services (the Directory).
Now that SMCR is in force for solo-regulated firms, all regulated financial services firms can start to submit their data for the Directory. See this webpage for submission details.
Walker Morris has published a two-part series of briefings on SMCR, exploring some of the practical considerations and realities for solo-regulated firms [1].
In relation to Buy Now Pay Later products, the rule preventing backdated interest from being charged on repaid amounts came into force on 12 November 2019. See the press release.
The FCA’s rules on overdraft repeat use and competition remedies (including rules on overdraft alerts) come into force today. See this link. In light of this, the Competition and Markets Authority has decided to vary the Retail Banking Market Investigation Order 2017 and remove Part 6 relating to unarranged overdraft alerts.
The FCA recently met with firms to discuss feedback on Gabriel, its current data collection platform, which will be replaced by a new reporting platform. See the press release. The FCA says that it will communicate in good time before any action is required by firms and other Gabriel users to start using the new system.
Firms are being urged to register for the FCA’s Connect online platform. From January 2020, they will be required to review and confirm the accuracy of their details annually, in line with their Accounting Reference Date. This will have to be done using Connect.
The FCA responded to key comments from the 2018/19 annual reports of the four statutory panels who advise it on its policies and practices. This includes the Financial Services Consumer Panel, which represents the interests of consumers and small businesses. Operational resilience, which includes resilience against cyber threats, continues to be one of the FCA’s cross-sector priorities. The FCA is consulting until 3 April 2020 on new requirements on the firms it supervises to help strengthen operational resilience. The consultation was the subject of a recent speech delivered by the FCA’s Executive Director of Supervision (Investment, Wholesale and Specialist). A policy statement will be published in autumn 2020.
The FCA updated its cyber resilience webpage to include a link to a new self-assessment questionnaire for firms.
The FCA is consulting until 13 January 2020 on regulatory fees and levies: policy proposals for 2020/21. Chapter 6 invites interested parties to share views on mechanisms for funding free-to-consumer debt advice in the UK.
A six-week consultation on FCA regulated fees and levies: rates proposals for 2020/21 will be launched in April 2020, with a policy statement due in July 2020.
In a speech delivered on 6 November 2019, the FCA’s Director of Innovation spoke about meeting the pace of technological change. Among other things, he referred to the unintended and unwanted consequences that technology and change can have on some of the more vulnerable people in society.
In related news, a new FCA Innovation webpage has been published, bringing together a range of materials and links on this topic.
In another recent speech, the FCA’s Director of Competition spoke about Open Finance, an area of significant interest to the FCA, and the opportunities it provides to businesses, consumers and the regulator. An advisory group has been considering how Open Finance will develop, including the barriers to its development and the ethical and practical issues around data sharing. The group was set up to discuss the potential of extending Open Banking-like data sharing to a wider range of financial products. On 17 December 2019, the FCA published a call for input, asking for proposals on how Open Finance could transform financial services. Advice from the advisory group was also published.
The FCA published the latest mandated and voluntary information from current account providers on current account services, including in relation to speed of service and major incidents. Links to this and other data can be found here.
On 10 December 2019, the FCA published the latest mortgage lending statistics.
A policy statement on changes to mortgage advice and selling standards is due to be published in Q1 2020.
Other sector news
A study by the Office for National Statistics found that total household financial debt rose by £12 billion (11%) in the latest period (April 2016 to March 2018), up from £107 billion in April 2014 to March 2016, with most of the change accounted for by increased hire purchase debt (up by £6 billion) and student loans from the Student Loans Company (up by £7 billion). Total financial debt increased for loans, hire purchase and credit, store and charge card debt. See this link.
The Banking Standards Board published a suite of good practice guidance documents on aspects of SMCR. See the press release.
UK Finance published a blog post with a link through to a paper specifically for those boards struggling to adapt to the changing cyber threat landscape.
The National Crime Agency published a new booklet to provide guidance on the use of Suspicious Activity Report glossary codes and reporting routes.
The Financial Ombudsman Service published a summary and feedback statement following the recent consultation on its future funding. As part of its plans, budget and future strategy consultation for 2020/21 it is now consulting on proposals that 60% of its funding should come from case fees and 40% from its levy in the next financial year (with an aspiration to reach a split in the order of 50:50), and on setting the individual case fee at £650 for all cases closed after 1 April 2020.
On 4 December 2019, the Risk Coalition launched ‘Raising the Bar’ – principles-based guidance for board risk committees and risk functions in the UK financial services sector.
On 5 December 2019, the EU Council and Commission issued a joint statement on “stablecoins”, a new type of cryptocurrency. See the press release.
Seven signatories of the voluntary code of good practice aimed at better protecting customers and reducing the occurrence of authorised push payment fraud have agreed to continue interim funding arrangements for cases of “no-blame” reimbursement to 31 March 2020. This will allow more time to consider alternative recommendations on long-term funding arrangements put forward by Pay.UK in November 2019. See the UK Finance press release for details.
In related news, on 1 November 2019, the House of Commons Treasury Select Committee published a report setting out how “banks must do more for consumers exposed to economic crime”. See the press release.
On 9 December 2019, the European Payments Council issued its 2019 Payment Threats and Fraud Trends Report, which reflects the recent developments concerning security threats and fraud in the payments landscape over the past year.
On the same day, the Finance & Leasing Association published ‘Priorities for 2020 and Beyond’, which identifies “three improvements that the incoming Government must adopt to transform customer protection in the consumer credit market, and strengthen the growth of a sustainable and productive economy”. See the press release.
[1] See Extension of the Senior Managers and Certification Regime: Part 1 and Extension of the Senior Managers and Certification Regime: Part 2

Data Protection – November/December 2019
Latest from the ICO, including guidance on special category data; cybersecurity update; and more.
The past couple of months have seen a flurry of activity from the ICO:
- On 14 November 2019, detailed guidance was published on special category data under the General Data Protection Regulation (GDPR). The ICO expects data controllers to take all necessary precautions to protect this data. See the blog post with a link through to the guidance, which is aimed at Data Protection Officers and those with specific data protection responsibilities in larger organisations.
- On 22 November 2019, the Information Commissioner submitted to government the final version of the Age Appropriate Design Code of Practice, dubbed the “Kids Code”. See the blog post for details. The code will need to be laid in Parliament before it takes effect.
- The Information Commissioner invited views on her office being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002.
- According to the ICO, organisations are increasingly using artificial intelligence (AI) to support, or to make, decisions about individuals. It is consulting until 24 January 2020 on guidance which aims to give organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI to the individuals affected by them. See the blog post for details.
- On 3 December 2019, a campaign was launched to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. See the blog post for details.
- The ICO is consulting until 12 February 2020 on draft guidance on the right of access, a fundamental right under GDPR. This new draft guidance explains in greater detail the rights that individuals have to access their personal data and the obligations on data controllers. It also explores the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, and the exemptions that are most likely to apply in practice when handling a request.
- And finally, a data protection web hub has been launched for small and medium organisations and sole traders.
Cybersecurity update
The government issued a call for evidence as part of its Cyber Security Incentives and Regulation Review 2020. It says that it wants all organisations to be effectively managing their cyber risks, with the appropriate investments in place to improve their resilience – but despite significant government and industry action over the course of the National Cyber Security Strategy, including the world-class guidance and support developed by the National Cyber Security Centre (NCSC), research shows that many businesses of all sizes are still failing to adequately protect themselves against cyber attacks and data breaches, with over a third of UK businesses suffering a cyber breach or attack in 2018. It says that it needs to understand what more can be done to improve and incentivise investment in effective cyber risk management across the UK economy.
On 5 December 2019, the NCSC re-issued its advice on how to reduce the risk of becoming a victim of malware attacks. See the blog post.
Over in Europe
At its November 2019 plenary session, the European Data Protection Board (EDPB) adopted a final version of its guidelines on the territorial scope of GDPR. The guidelines seek to ensure a consistent application of GDPR across the EU when assessing whether particular processing by a data controller or processor falls within its scope. They stress that it is essential that controllers and processors, especially those offering goods and services internationally, undertake a careful and concrete assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of GDPR. The guidelines also provide clarification on the process for designating a European representative under GDPR, and the representative’s responsibilities and obligations. The ICO’s Guide to the GDPR says that it will be providing guidance “later this year” on where the GDPR applies.
The EDPB is consulting until 16 January 2020 on guidelines on data protection by design and by default under GDPR. The proposed guidelines include practical guidance on how to effectively implement the key data protection principles which underpin GDPR, with a list of key design and default elements and examples for each one. The ICO’s Guide to the GDPR says that it will produce further guidance soon on how organisations can implement data protection by design.
Progress on moving forward with a new ePrivacy Regulation continues to stall in Europe, with the EU Council failing to come to an agreement on the latest compromise text. The purposes of the proposed legislation include enhancing security and confidentiality of communications, and defining clearer rules on tracking technologies such as cookies, as well as on spam. Walker Morris will continue to monitor and report on developments.
Other news
The Joint Committee on Human Rights reports “serious grounds for concern about the nature of the “consent” people provide when giving over an extraordinary range of information about themselves, to be used for commercial gain by private companies”. See the press release with a link through to the report, ‘The Right to Privacy (Article 8) and the Digital Revolution’. The Committee is “deeply frustrated” that the government’s recently published Online Harms White Paper explicitly excludes the protection of people’s personal data. Its view, based on the evidence heard, is that “the consent model is broken. It puts too much onus on the individual to educate themselves on how the technology companies work rather than setting a high standard of protection by default”. The Committee’s conclusions and recommendations can be found on page 33 onwards.

Health and Safety – November/December 2019
Sentencing update, including latest £1 million-plus fine; online marketplaces and product safety policy paper; and more.
Latest £1 million-plus fine and other sentencing news
Hampshire County Council was fined £1.4 million after a six-year-old girl suffered a life-changing head injury when the street bollard she was playing on, which was damaged and not appropriately secured, fell to the ground. The investigation by the Health and Safety Executive (HSE) found that insufficient information, instruction and training was provided to those carrying out inspections, and the inspection guidance was misleading. The matter had been reported to the Council previously, and monthly scheduled inspections had failed to identify the issue.
A property management and development company was fined £600,000 after five employees, who used vibrating powered tools to carry out grounds maintenance tasks, developed Hand Arm Vibration Syndrome. The HSE investigation found that the company had failed to assess or manage the risks associated with vibrating tools, to provide suitable training or health surveillance for its maintenance workers, or to maintain and replace tools which increased vibration levels.
Thames Water Utilities Limited was fined £300,000 after three workers were carried along a sewer when a 150-year-old gate collapsed, engulfing them. The HSE investigation found, among other things, that the company had no effective means of collating, comparing and adapting to the impact of multiple work activities.
A construction company was fined £225,000 after a worker died when the front tipping dumper truck he was manoeuvring on a spoil heap overturned following a loss of control. The HSE investigation found major deficiencies in the management of tipping operations on the spoil heaps. The HSE inspector said: “This was a tragic and wholly avoidable incident, caused by the failure of the employer to assess the risk related to tipping operations, implement safe systems of work, and failure to ensure that such systems were communicated to groundworkers and were followed”.
Which? publishes policy paper on online marketplaces and product safety
On 20 November 2019, consumer organisation Which? published a policy paper on online marketplaces and product safety. It says that research and testing regularly finds large numbers of unsafe consumer products being sold via sellers on online marketplaces, and that this “Wild West” of product safety requires a more proactive approach by the marketplaces and a robust response by regulators to meet consumers’ expectations and ensure their safety. Which? is calling for regulation to strengthen the legal responsibilities of online marketplaces and ensure that public authorities have adequate powers, tools and resources to require action from marketplaces when consumers are put at risk. In the meantime, it says that clearer government guidance is needed in line with the Codes of Practice envisaged in the government’s Online Harms White Paper. Conclusions and recommendations are set out on page 21 of the policy paper onwards. See the press release with a link through to the document.
Commons Select Committee calls for independent national safety body
On 1 November 2019, the Business, Energy and Industrial Strategy Committee published its report on the safety of electrical goods in the UK. The report, which focuses to a large extent on what is described as “the Whirlpool tumble-dryer saga”, also scrutinises the role of the government’s Office for Product Safety and Standards (OPSS), which was set up in January 2018. The Committee says that the failings of OPSS in dealing with the Whirlpool issue question the body’s authority, independence and transparency. Among other things, it says that OPSS has not yet delivered a fully operational and credible hub for consumers to register their electrical goods and access information on recalls, a comprehensive injury database or indelible marking for electrical goods, and has not made enough progress on the sale of recalled second-hand electrical goods or those that do not meet safety standards. It says that the failure to make more progress in these areas and to tackle manufacturers such as Whirlpool is exacerbated by OPSS’s lack of civil sanctions. The Committee’s Chair said: “The major product safety issues raised by Whirlpool have also highlighted the need for a tough and independent national safety body with the teeth to stand up for consumers. [OPSS] is not fit-for-purpose and should be scrapped. It should be replaced by a truly independent body, equipped with the full array of powers necessary to ensure that people have confidence in the safety of electrical goods in their homes”. See the press release with a link through to the report.