Regulatory round-up – October 2018


Consumer and Retail Finance – October 2018
Latest from the FCA and other sector news, including government consultation on debt breathing space scheme.
Financial Conduct Authority (FCA)
The FCA is consulting until 10 December 2018 on proposed guidance to give practical assistance and information to firms preparing Statements of Responsibilities and Responsibilities Maps under the Senior Managers and Certification Regime (SM&CR), which is being extended to all FSMA authorised firms on 9 December 2019.
On 15 October 2018, the FCA published a Dear CEO letter on the affordability of high-cost short-term credit (HCSTC) loans, following an increase in complaints about unaffordable lending (including complaints about a ‘chain’ of loans over an extended period). It says that firms should take prompt action to: assess their lending activity to determine whether creditworthiness assessments are compliant and, if deficiencies are found, take remedial action to ensure on-going lending activity is compliant and consider whether proactive redress may be required; and inform the FCA if they are unable (now or in the future) to meet their financial commitments because of any remediation costs.
Earlier, on 5 October 2018, the FCA published another Dear CEO letter setting out its expectations of debt packager firms providing debt advice and counselling services.
On the same day, UK Finance and the Association for Financial Markets in Europe submitted their joint response to the FCA’s recent consultation on proposals to introduce ‘the Directory’, a new public register for checking the details of key individuals working in financial services. The changes affect all authorised firms in scope of the SM&CR and their employees. See UK Finance’s insight piece FCA Directory – Is it Needed?
The FCA is also consulting until 21 December 2018 on increasing the award limit for the Financial Ombudsman Service (FOS), which sets the amount of compensation the FOS can require financial services firms to pay when it upholds a complaint against them. A policy statement is expected in spring 2019. The FCA recently published near-final rules on extending access to the FOS to more SMEs, larger charities and trusts, and a new category of personal guarantors. Meanwhile, the Chair of the Treasury Select Committee has expressed concerns over the FOS’ review of cases made during the early stages of its reorganisation in 2016.
In a separate but related development, the independent chair of the UK SME Complaints and Resolutions Review commissioned by UK Finance published a report recommending new routes for SMEs to challenge banks without going to court. See the press release.
On 1 October 2018, the government published a joint report from the FCA and the Competition and Markets Authority (CMA) providing an overview of the main achievements and lessons learned from the UK Competition Network’s consumer remedies project. The FCA recently published its Approach to Competition paper, setting out how it promotes competition in UK financial markets.
On 3 October 2018, the FCA published a report of the findings of its thematic review into money laundering and terrorist financing risks in the e-money sector. Electronic Money Institutions are encouraged to review the report, which includes examples of good and poor practice, and consider whether their anti-money laundering and counter-terrorist financing systems and controls could be improved.
On 15 October 2018, the FCA published a Discussion Paper on Climate Change and Green Finance, setting out its proposed approach to climate change-related matters. Comments are requested by 31 January 2019. On the same day, the Prudential Regulation Authority issued a consultation on its expectations for the management of financial risks from climate change. The consultation closes on 15 January 2019. The FCA’s Executive Director of Strategy and Competition discussed the FCA’s developing approach and initiatives in this area in a speech delivered on 19 October 2018.
The Cryptoassets Taskforce, comprising the FCA, HM Treasury and Bank of England, published its final report setting out the UK’s approach to cryptoassets and distributed ledger technology in financial services.
Coming up…
The FCA’s two-month consultation on regulatory fees and levies: policy proposals for 2019/20 is now expected to be launched in November 2018.
Following a recent, short consultation, the FCA is due to publish a policy statement in December 2018 on its approach to final regulatory technical standards and European Banking Authority guidelines under the revised Payment Services Directive (PSD2).
The FCA is expected to publish in January 2019 a policy statement to its consultation on rules and guidance to improve conduct standards and communications in the payment services and electronic money sectors.
Other sector news
The government is consulting until 29 January 2019 on a detailed policy proposal for a breathing space and statutory debt repayment plan. This follows a call for evidence issued by the government in October 2017, to gain further insight from the debt advice sector and creditors on how best to design the scheme. The response to the call for evidence was published in June 2018.
On 4 October 2018, debt charity StepChange published its debt statistics mid-year update. It says that one of the worrying trends is that the proportion of new clients with HCSTC debt (including payday loans) increased in the first half of the year, despite the FCA-imposed price cap, and it seems obvious that there is a need to establish better alternatives. See the press release.
The government’s response to the Treasury Select Committee’s July 2018 report into household finances was recently published. See the Committee Chair’s comments on the response, and the press release from Citizens Advice.
The appointment of three non-executive directors completes the board of the new Single Financial Guidance Body, which is due to be launched in January 2019. See the press release.
On 8 October 2018, the Lending Standards Board published a summary report of progress towards implementation of the Financial Services Vulnerability Taskforce principles and recommendations. Two days later, UK Finance announced a new voluntary Financial Abuse Code of Practice, designed to take forward the Vulnerability Taskforce recommendations. It will be rolled out across the financial services industry over the next 12 months.
The government issued a press release ahead of the Chancellor’s attendance at the International Monetary Fund Annual Meeting on 10 to 13 October 2018, at which he was expected to “herald Britain’s approach to using technology to save customers money, and open up the market to popular new banking apps” and say, among other things, that “Britain will use its world-leading expertise and influence in finance to shape global views towards new financial technology”. Meanwhile, the Confederation of British Industry says that the financial services sector needs a fresh regulatory and tax approach to deal with the challenges and opportunities presented by a rapidly changing technological landscape. See the press release.
On 25 October 2018, HM Treasury published an updated advisory notice on money laundering and terrorist financing controls in higher risk jurisdictions.
The Payment Systems Regulator (PSR) has responded to LINK’s second ATM ‘footprint report’. We reported in the previous edition of the Regulatory round-up that the PSR was consulting until 9 October 2018 on a draft specific direction to LINK to make sure it does all that it can to deliver on the commitments it has made regarding free access to cash, including having suitable arrangements in place to ensure the ongoing availability of protected ATMs. The PSR has now published a summary of the key comments from submissions to the consultation, together with the specific direction.
On 18 October 2018, Pay.uk (formerly the New Payment System Operator) revealed a new name check safeguard called ‘Confirmation of Payee’ which can reduce the risk of payments being sent to the wrong account. This is one of a package of measures being introduced across the industry. We reported in the previous edition that the Authorised Push Payment Scams Steering Group is consulting until 15 November 2018 on a draft voluntary industry code for the reimbursement of victims of authorised push payment scams. See our recent briefing for more details.
And finally, the European Court of Justice has ruled that Article 4(14) of the Payment Services Directive (PSD) must be interpreted as meaning that a savings account which allows for sums deposited without notice and from which payment and withdrawal transactions may be made solely by means of a current account does not come within the concept of ‘payment account’[1]. PSD2, which has replaced the PSD, provides for the same definition of ‘payment account’.
___________________
[1] Bundeskammer für Arbeiter und Angestellte (Austria) v ING-DiBa Direktbank Austria Niederlassung der ING-DiBa AG (Case C-191/17)

Data Protection – October 2018
Morrisons loses group data breach case appeal; High Court blocks collective proceedings against Google; Facebook’s £500,000 fine; Privacy Shield Review; and more.
Morrisons loses group data breach case appeal…
In a landmark judgment, supermarket chain Morrisons has lost its appeal against a High Court ruling that it is liable in damages for the actions of one of its former employees who, while employed as a senior internal auditor at the company, deliberately leaked payroll data relating to almost 100,000 employees online following disciplinary action [1]. He had been tasked with providing payroll data to Morrisons’ external auditors. Over 5,500 employees commenced proceedings against Morrisons for damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) of the Data Protection Act 1998 (the Act).
Morrisons was not found directly liable, but the High Court found that the company had deliberately entrusted the individual concerned with the payroll data (disclosing it to others was closely related to the task he had been given, despite the lack of authorisation) and there was a sufficient connection between the position in which he was employed and his wrongful conduct to establish secondary (vicarious) liability. Morrisons submitted on appeal that this close connection test was not satisfied, since the wrongdoing that caused the harm was done by the individual at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work on to his personal USB stick. The Court of Appeal agreed with the High Court that there was an “unbroken thread” linking the individual’s work to the disclosure of the data. Rather than a sequence of random events, there was an unbroken chain which included the first unlawful act of downloading data from his personal work computer to a personal USB stick.
It was submitted that to impose vicarious liability on Morrisons in circumstances where the individual’s motive was to harm Morrisons would render the court an accessory in furthering his criminal aims. This was dismissed by the Court of Appeal, which did not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer. The Court of Appeal also gave short shrift to the submission that, given the number of employees affected, a finding of vicarious liability would place an enormous burden on Morrisons (and on other innocent employers in future cases). It is helpful to quote directly from the judgment:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward … on behalf of Morrisons”.
Further proceedings are due to take place to determine the level of compensation. Morrisons has said that it will appeal to the Supreme Court.
While the High Court found that, in relation to data deletion, Morrisons had fallen short of its duty to take appropriate organisational measures to guard against unlawful disclosure and data loss, by the time it would have been appropriate to conduct any check on deletion, the probability was that the information had already been copied, and so the failure neither caused nor contributed to the disclosure. In light of the decision in this case, it would be prudent for employers to review their existing policies and procedures and consider imposing stricter internal controls to guard against the risk of employees “going rogue”, including in those parts of the business where employees are regularly entrusted with personal data and confidential or sensitive information.
…as the High Court blocks attempt to bring collective proceedings against Google
The High Court has refused to give the go-ahead to a representative action brought against Google by Richard Lloyd (the former executive director of consumer organisation Which?) on his own behalf and on behalf of an estimated class of 4.4 million people [2]. A representative action is one of the currently available methods for bringing collective proceedings in England and Wales.
The claim alleged that Google acted in breach of the duty imposed by section 4(4) of the Act by secretly tracking the internet activity of Apple iPhone users, collating and using the information obtained, and selling the accumulated data (it was able to do this by using what has been termed “the Safari Workaround”). The claim was for compensation under section 13(1) of the Act, which provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage. No financial loss or distress was alleged.
Mr Lloyd applied for permission to serve the proceedings on Google in the United States. The main issues were: whether the pleaded facts disclosed any basis for claiming compensation under the Act; and if so, whether the Court should or would permit the claim to continue as a representative action.
The Court answered “no” in respect of each issue. The facts alleged did not support the contention that Mr Lloyd or any of the represented claimants had suffered any actual “damage” within the meaning of the Act as a result of the alleged breach (whether financial or non-financial, for example distress). The Court concluded that the essential requirements for a representative action were absent. Mr Lloyd and the represented claimants did not all have the “same interest” within the meaning of the relevant procedural rule. It could not be supposed that the breach of duty or the impact of it was uniform across the entire class of claimants – inevitably, the nature and extent of the breach and the impact it had on individuals would have varied greatly. It was also impossible reliably to ascertain whether any given individual was a member of the represented class.
Finally, in any event, the Court would exercise its discretion against the continuation of the action as a representative action: “It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches…the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated.”
We understand that Mr Lloyd has sought permission to appeal the judgment. With the introduction of the EU General Data Protection Regulation and the new Data Protection Act 2018 in May 2018, there was concern that these might open the floodgates to US-style class actions in data breach cases (see our earlier briefing on this topic). The decision in this case suggests otherwise, for now.
In other news…
- Facebook has been fined £500,000 (the maximum under the Act, which was applicable at the time) by the Information Commissioner’s Office (ICO) in the wake of the Cambridge Analytica scandal. The Information Commissioner will provide a further update on the ICO’s investigation into data analytics for political purposes when she gives evidence to the Department for Digital, Culture, Media and Sport Select Committee on 6 November 2018.
- Heathrow Airport Limited was fined £120,000 by the ICO after it failed to ensure that the personal data held on its network was properly secured. The ICO’s Director of Investigations said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them”. Among other things, the investigation found that only two per cent of the workforce of 6,500 had received data protection training, and there was widespread use of removable media in contravention of the company’s own policies and guidance.
- In other recent enforcement action, a marketing company was fined £90,000 by the ICO after millions of nuisance emails were sent to people who had subscribed to websites operated by the company’s affiliates, but who had not given their consent to receive them.
- The second annual review of the embattled EU-US Privacy Shield, one of the approved mechanisms for the transatlantic transfer of personal data, took place in Brussels on 18 and 19 October 2018. See the joint press statement. The European Commission will publish a report on its findings before the end of the year.
- The Irish Supreme Court is expected to hear Facebook’s appeal in the Schrems litigation in December 2018. Earlier this year, the Irish High Court referred to the Court of Justice of the European Union 11 questions over the validity of the Commission’s adequacy decisions on model contract clauses, one of the alternative available data transfer mechanisms. A number of the questions refer directly to the Privacy Shield. Facebook was granted unprecedented leave to appeal to the Irish Supreme Court.
- We reported previously that, on 28 September 2018, Facebook announced that a security issue had been discovered three days earlier affecting almost 50 million of its user accounts. Cyber attackers exploited a vulnerability in Facebook’s code which impacted the “View As” feature. According to a brief statement at the time, the ICO was making enquiries to establish the scale of the breach and to establish if any UK citizens had been affected by it. In an update on 12 October 2018, Facebook said that about 30 million people were affected. Names and contact details of 29 million people were accessed and, in respect of 14 million of them, other details on their profiles including date of birth, relationship status and work.
- On 26 October 2018, British Airways published an update on the cyber-attack which it first announced in September 2018. It says that the holders of a further 185,000 payment cards may have been affected by the breach. Also, fewer customers were affected than was originally announced. The ICO issued a statement in response.
- The government is undertaking a survey of UK businesses and charities to find out how they approach cybersecurity and learn more about the cybersecurity issues they face. The fieldwork for the latest survey is taking place by telephone from October to December 2018. Businesses and charities from across the UK have been selected at random. See the webpage for details.
- On 16 October 2018, the National Cyber Security Centre published its second annual review, looking at the work it has undertaken over the past year.
- On 19 October 2018, the European Data Protection Supervisor set out the “urgent case for a new ePrivacy law”. Among other things, he said that the adoption of the proposed ePrivacy Regulation is crucial to protect the fundamental rights to privacy and the protection of personal data in the digital age. See the blog post for details.
- The ICO has welcomed the government’s early signing on 10 October 2018 of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as “Convention 108”), which is the only legally binding international agreement on data protection. It describes the Convention’s modernisation as “a key milestone for global data privacy regulation”. See the ICO’s blog on its international work.
- In other international news, the Information Commissioner was announced on 23 October 2018 as the new chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). At its recent annual meeting, the ICDPPC adopted a declaration on ethics and data protection in artificial intelligence, in order to contribute to the global discussion on this matter.
- And finally, the ICO published an expanded guide to the Network and Information Systems Regulations 2018 for organisations providing digital services such as online marketplaces, online search engines and cloud services.
______________________
[1] WM Morrison Supermarkets Plc v Various Claimants, [2018] EWCA Civ 2339
[2] Richard Lloyd v Google LLC, [2018] EWHC 2599 (QB)

Health and Safety – October 2018
Sentencing news; focus on mental health; HSE inspections; occupational health pilot group launched in construction.
Sentencing news
A waste and recycling company has been fined £700,000 (with costs of almost £100,000), and its director has been sentenced to eight months in prison, after a worker died in 2010 when he entered the machine he was working with to clear a blockage. The machine’s safety interlock system had been defeated two months earlier, enabling workers to enter the machine while it was still in operation. Five years later, inspectors from the Health and Safety Executive (HSE) were informed that the company was continuing to use the same machine with further critical safety systems being defeated. The sentencing judge noted this as a serious aggravating factor.
A garden shed manufacturing company was fined £233,334 (with costs of over £21,000) after a worker was killed by a reversing forklift truck which was unloading a delivery wagon at the time. The HSE says that vehicles at work continue to be a major cause of fatal and major injuries – every year there are over 5,000 incidents involving transport in the workplace, about 50 of them fatal.
Focus on mental health
The HSE has updated its guidance on mental health in the workplace, setting out the roles and responsibilities of employers to help their employees. The guidance contains various links to supporting materials. The HSE says that employers have a legal duty to protect employees from stress at work by doing a risk assessment and acting on it. See the HSE’s webpage on work-related stress for more details.
On 8 October 2018, the business-led charity Business in the Community published its Mental Health at Work Report – 2018. It says that, while the government and others are putting in more resources and developing new initiatives, businesses have the opportunity to step up and make direct changes to the way they think about and tackle mental health issues, starting with the core and enhanced standards outlined in the Stevenson/Farmer review (see the October 2017 edition of the Regulatory round-up for details). It says that employers must wake up to the prevalence and impact of mental health issues in the workplace and make it their priority to establish parity between physical and mental health. A series of recommendations for employers on how they can radically improve the support provided in the workplace is set out on page 107 onwards.
HSE announces waste and recycling industry inspections…
On 1 October 2018, the HSE announced the launch of a three month inspection campaign in the waste and recycling industry. Unannounced inspections will focus in particular on the management of workplace transport and machinery safety.
…and cladding removal and replacement inspections
The HSE has also announced that it is carrying out a series of inspections of removal and replacement of Aluminium Composite Material cladding projects on tall buildings. While fire safety will be the focus of the visits, the HSE says that other matters of evident concern which are found will also be dealt with. It has produced a sector technical note for its inspectors in the appendix to its operational guidance, which it says will also be useful for clients, managing agents, designers and contractors involved in planning, procuring and undertaking the work. It strongly advises those engaged to read and follow the guidance in the note.
In related news, the Royal Institute of British Architects responded to the government’s recent consultation on the proposed clarification of building regulations guidance on fire safety (Approved Document B), saying that it doesn’t go far enough. The consultation was issued in the wake of Dame Judith Hackitt’s independent review of building regulations and fire safety.
Pilot group launched to improve occupational health in construction
Not-for-profit financial services provider B&CE has launched a pilot group of companies to help develop a new product to improve occupational health provision across the construction industry. The aim is to make it easier for employers to comply with health and safety legislation and identify work-related illnesses earlier. It says that, each year, 80,000 workers in the construction industry suffer from illnesses caused or made worse by their work.
Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence.