Regulatory round-up – September 2018


Consumer and Retail Finance – September 2018
Latest from the FCA, including Tesco Bank cyber attack fine and PSD2 rules and guidance consultation. Other sector news.
Financial Conduct Authority (FCA)
In a speech delivered at the FCA’s Annual Public Meeting on 11 September 2018, Chief Executive Andrew Bailey spoke, among other things, about operational risks – a new source of risk to the FCA’s objectives. He touched on the four themes of operational resilience (including cyber risk), the impact of technological change and innovation, the challenge of financial crime, and data issues (which he referred to as “the fastest rising risk on our landscape”). In his speech at the same event, FCA Chair Charles Randell discussed the impact of technological developments and the FCA’s serious approach to financial crime.
In the introduction to the FCA’s latest Regulation round-up, Mr Randell encouraged stakeholders to respond to the FCA’s Discussion Paper on a Duty of Care, which was published in July 2018 alongside the FCA’s Approach to Consumers paper. He said that: “Everyone in the financial services system has an almost Hippocratic duty to treat customers fairly. Access to credit can enhance quality of life – as long as the debt is collected with a focus on affordability and the welfare of the customer. For many people, however, having financial resilience in the form of rainy day savings is a key protection against the problems that life can bring…We now live in a world where people work, save and borrow in a fundamentally different way to the way they did 10 years ago. But it is my sincere belief that if regulators and financial service firms are closely attuned to the needs of vulnerable customers we will be able to rebuild the trust in financial services which was lost 10 years ago”. Comments are requested by 2 November 2018.
Around the time that this edition of the Regulatory round-up was due to go to press, the FCA fined Tesco Bank £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack in November 2016. See the press release for details.
The FCA is consulting until 12 October 2018 on new rules and guidance to implement the revised Payment Services Directive. It is proposing changes to reflect final regulatory technical standards on security and new fraud reporting requirements published by the European Banking Authority. It is also proposing new complaints reporting rules about authorised push payment fraud. The FCA intends to publish its final position in early 2019.
On 27 September 2018, the FCA published a thematic review report on the impact of credit broking remuneration models at the point of sale. See the FCA’s webpage for a brief summary of the scope, findings and next steps.
The FCA has completed its review of retail banks’ use of outsourcing. It says that, overall, it did not identify significant concerns. See the latest Regulation round-up for details.
The latest mortgage lending statistics were published by the FCA and Bank of England on 11 September 2018. Mortgage lending activity increased in the second quarter of 2018 compared with the previous quarter. Among other things, new commitments are at their highest level since the first quarter of 2008 and there has been an increase in the amount of lending to first time buyers.
Other sector news
The Money Advice Trust published a new report, ‘A decade in debt’, which looks at how the UK’s debt landscape has changed in the ten years since the financial crisis. In her foreword to the report, the Money Advice Trust’s Chief Executive says that ten years ago a typical caller to National Debtline was struggling to pay credit cards, personal loans or perhaps a mortgage, whereas today, callers are struggling with smaller but trickier debts – often arrears on everyday household bills. The report looks at trends across different types of debt, and sets out recommendations for consideration by government, regulators, creditors and the advice sector. A summary of the recommendations starts on page 44. Pages 19 to 22 of the report focus on consumer credit. The Money Advice Trust recommends, among other things, that the FCA extends the principle of capping the cost of credit at 100% of the amount borrowed to the rent-to-own and home-collected credit sectors, and reconsiders its decision to exclude guarantor lending from immediate action within its high-cost credit review.
The Creditworthiness Assessment Bill is due to have its second reading debate in the House of Commons on 26 October 2018. This is the first opportunity for MPs to debate the main principles of the Bill. The Bill seeks to impose a requirement on the FCA to make rules to ensure that firms carrying on credit-related regulated activities and connected activities, and those entering into or varying a regulated mortgage contract or home purchase plan, take into account rental payment history and council tax payment history when assessing a borrower’s creditworthiness.
On 6 September 2018, the National Audit Office published a report, ‘Tackling problem debt’. The stated aim of the report is to “evaluate and conclude on HM Treasury’s overall approach to over‑indebtedness, and how well it brings together government’s and other stakeholders’ various activities and interventions to meet its objectives”. See the press release for details and a link through to the report. Key findings, on identifying the problem and coordinating the approach to over-indebtedness, preventing over-indebtedness, and managing problem debt, are set out on pages 7 to 10. Recommendations can be found on page 11. Citizens Advice and debt charity StepChange have both responded to the report.
On 28 September 2018, Citizens Advice lodged a ‘super-complaint’ with the Competition and Markets Authority (CMA), calling on the regulator to take action to stop long-term customers being penalised for their loyalty. Research across five essential markets including home insurance, mortgages and savings, found that British consumers lose £4.1 billion a year to this ‘loyalty penalty’. See the press release, the CMA’s press release and the FCA’s statement.
The Advertising Standards Authority ruled that a television advertisement promoting information about a company’s short-term loans breached the UK Code of Broadcast Advertising because the representative APR was given less prominence than the incentive to apply for credit.
New data from UK Finance shows that a total of £503.4 million was stolen by criminals through authorised and unauthorised fraud in the first six months of 2018 and that, during the same period, the finance industry prevented £705.7 million of unauthorised fraud. See the press release and the response of the Payment Systems Regulator (PSR).
The Authorised Push Payment Scams Steering Group is consulting until 15 November 2018 on a draft voluntary industry code for the reimbursement of victims of authorised push payment scams. The Group was set up by the PSR in March 2018 to lead the development of a code. The final version is expected to be ready in early 2019. See the PSR’s press release and the UK Finance response to the draft code.
On 17 September 2018, the Lending Standards Board published its first summary report on banks’ application of the Access to Banking Standard. The overall principle of the Standard is that customers and relevant stakeholders of a bank branch that is closing will be provided, as soon as the bank is able to do so, with clear, understandable and accessible documentation and information about that specific closure, what it will mean for them and how they can continue to bank following the closure. See the response of consumer organisation Which? to the report. In related news, the government’s response to a Scottish Affairs Committee report on Royal Bank of Scotland branch closures was recently published. It says that the decision to close a branch is a commercial decision for the management team of the bank, and that government policy is not to intervene in those decisions.
On 12 September 2018, the PSR responded to LINK’s first ATM ‘footprint report’, published the same day, showing the coverage of ATMs in the UK. LINK is the UK’s largest cash machine network. A number of ‘protected’ ATMs (free to use ATMs which are one kilometre or more away from another free to use ATM) closed between 1 February and 1 July 2018. The Chair of the Treasury Select Committee warned that the PSR’s regulatory action, which requires LINK to set out more explicitly how it will maintain the broad geographic spread of free to use ATMs across the UK, may be “too little, too late”. The PSR is consulting until 9 October 2018 on a draft specific direction to LINK to make sure it does all that it can to deliver on the commitments it has made regarding free access to cash, including having suitable arrangements in place to ensure the ongoing availability of protected ATMs.
On 19 September 2018, the Treasury Select Committee published a unanimously-agreed report on crypto-assets as part of its inquiry into digital currencies and distributed ledger technology.
On 3 September 2018, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee approved new EU rules to protect citizens against non-cash payment fraud, such as credit card theft, skimming or phishing. See the press release for details.
In a speech delivered on 6 September 2018, the European Commission Vice-President for the Euro and Social Dialogue spoke about digital challenges for the financial sector and the goals of the Commission’s FinTech action plan, published in March 2018, one of which is to ensure the cyber resilience of the financial sector. The Financial Stability Board published the consultation responses to its draft cyber lexicon, comprising a set of 50 core terms related to cyber security and cyber resilience in the financial sector; and payment, clearing and settlement operators met on 14 September 2018 at a roundtable in Paris to discuss global cyber resilience. See the press release. For more on cyber security, see the Data Protection section of this Regulatory round-up.
On 12 September 2018, MEPs approved new measures to combat terrorist financing, by preventing money laundering and tightening cash flow checks. See the press release for details. Member states will have 24 months from the date of entry into force of the criminalisation of money laundering directive to bring the new rules into force.
And finally…
A reminder that one year has now passed since the Criminal Finances Act 2017 took effect, introducing a new criminal offence for corporates of ‘failing to prevent the facilitation of tax avoidance’. An offence is committed if an organisation fails to prevent its staff or connected parties such as agents from facilitating another person’s tax avoidance, even if the business was unaware of the activities in question. The only defence is to demonstrate that the organisation has appropriate preventative measures in place. There are similarities to other financial crime legislation, in particular the Bribery Act 2010. HMRC originally gave businesses some leeway to put the necessary steps in place. Twelve months on, if you have any queries arising from the Act, or require any assistance in relation to compliance, please do not hesitate to contact one of the Directors in our Tax team, who will be very happy to help.

Data Protection – September 2018
Equifax receives maximum fine for security breach; other cyber security news; latest from the ICO; update on ePrivacy Regulation; and more
Equifax receives maximum fine for security breach…
The UK arm of credit reference agency Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to protect the personal information of up to 15 million UK customers during a cyber attack in 2017. The ICO investigation found that the company had failed to take appropriate steps to ensure that its American parent, which was processing the data on its behalf, was protecting the information. There were significant problems with data retention, IT system patching and audit procedures.
Due to timing, the investigation was carried out under the Data Protection Act 1998, with £500,000 being the maximum financial penalty. The maximum penalty under the new General Data Protection Regulation (GDPR) is €20 million or 4% of global turnover. The Information Commissioner said that the company had “received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law…Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine”.
…while Facebook announces security breach affecting almost 50 million users
On 28 September 2018, Facebook announced that a security issue had been discovered three days earlier affecting almost 50 million of its user accounts. Cyber attackers exploited a vulnerability in Facebook’s code which impacted the “View As” feature. The company says that it has yet to determine whether the affected accounts were misused or whether any information was accessed. According to a brief statement, the ICO is making enquiries to establish the scale of the breach and to establish if any UK citizens have been affected by it.
Earlier in the month, British Airways announced that it was investigating the theft of customer data, including personal and financial details, from its website and mobile app. It has also been widely reported that a Conservative Party conference app contained a security flaw allowing access to users’ personal data, including mobile phone numbers. The ICO is making enquiries in relation to both incidents.
On the subject of cyber security…
In a recent speech to the CBI Cyber Security: Business Insight Conference, the ICO Deputy Commissioner (Operations) said that the ICO, as a regulator, “does not seek perfection even if to some it may feel like that. We seek evidence of senior management and board level insight and accountability. We seek evidence of systems that provide a robust level of protection and privacy. The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have many audits, advisory visits and guidance sessions. That is the real norm of the work we do”. He said that since GDPR came into force on 25 May 2018, the ICO has been receiving around 500 calls a week to its breach reporting line. Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. The key trends which the ICO is finding with its reporting system are: organisations struggling with the concept of 72 hours as defined under GDPR; incomplete reporting; and some over-reporting by data controllers.
The National Cyber Security Centre has released five core questions to help Britain’s biggest boards understand their cyber risk. See the press release for a link through to the toolkit and other materials.
Europol published its latest report assessing the emerging threats and key developments in cybercrime over the past year. See the press release which looks at some of the main trends, including ransomware, malware, payment card fraud and targeting cryptocurrencies.
The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018. They were made to implement the EU Directive on Security of Network and Information Systems (NIS Directive). Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. Just after the previous edition of the Regulatory round-up went to press, the government published its response following a targeted consultation on how the NIS Directive will apply to digital service providers in the UK. It proposes to use the outcome of the consultation to assist the ICO in clarifying its guidance to digital service providers. It says that it will look to clarify the following key areas: how digital service providers can more easily identify whether they are within scope of the NIS Regulations; how cloud services in particular are defined; and how the ICO’s cost recovery process will operate.
Latest from the ICO
The ICO has sent notices of intent to fine 34 organisations unless they pay the new data protection fee. They have 21 days to respond and face a maximum fine of £4,350. See the ICO’s blog post and our earlier briefing for more details about the fee. The ICO’s fee webpage can be found here.
The Information Commissioner is reminding organisations to be transparent with people’s personal information, after an ICO survey revealed most UK citizens still do not trust organisations with their data.
The ICO’s Guide to the GDPR was updated in September 2018 to include expanded guidance on exemptions.
The ICO is consulting until 12 October 2018 on creating a regulatory sandbox, following on from the publication of its Technology Strategy for 2018-2021. The sandbox “will be a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways”.
The European Data Protection Board (EDPB) met for its third plenary session on 25 and 26 September 2018. In a blog post about the meeting, the ICO referred, among other things, to the UK’s upcoming departure from the EU: “As we draw closer to a new stage in the relations between the EU and the UK, it is worth bearing in mind that data protection concerns do not begin and end at national borders. Interactions between the ICO and EU supervisory authorities is, and will continue to be, essential…The ICO will maintain the already high standards of data protection in the UK after the UK leaves the EU based on the common data protection framework it shares with the rest of the EDPB”.
In recent ICO enforcement action, a marketing agency was fined £60,000 for sending 1.42 million emails without consent, another firm was fined £150,000 for making over 63,000 calls to people who were registered with the Telephone Preference Service, and a former nurse was prosecuted after she accessed patient records without authorisation, multiple times over a two-year period.
Update on ePrivacy Regulation
A new ePrivacy Regulation, providing special privacy rules for e-communications, was intended to apply at the same time as GDPR, but progress has stalled in Europe. Discussions are ongoing within the Council of the EU and negotiations with the European Parliament are unlikely to start until after elections held in May 2019. On 20 September 2018, ahead of a meeting of the Working Party on Telecommunications and Information Society, the Austrian presidency of the Council of the EU published a revised text of the ePrivacy proposal, seeking to address some of the concerns raised during discussions. See this European Parliament webpage for background and a summary of the current issues.
Other recent news
A new provision inserted into the Privacy and Electronic Communications Regulations prohibits the making of unsolicited calls for the purposes of direct marketing in relation to claims management services, except where a subscriber has previously notified the caller that, for the time being, they consent to such calls being made by or at the instigation of the caller. The change came into effect on 8 September 2018.
On 5 September 2018, the government published an initial code of conduct for the use of digital technology in health and care. Among other things, it clarifies what the government expects from suppliers of data-driven technologies, and how it will support and encourage innovators in health and care.
On 14 September 2018, the government updated its data protection toolkit for schools, first published in April 2018. The guidance is intended to “help schools develop policies and processes for data management, from collecting and handling the data through to the ability to respond quickly and appropriately to data breaches”.
And finally, the European Court of Human Rights ruled that aspects of the UK’s surveillance regimes under the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the European Convention on Human Rights (right to respect for private and family life and right to freedom of expression) [1]. RIPA has been mostly replaced by the controversial Investigatory Powers Act 2016 (IPA), dubbed the ‘Snooper’s Charter’. The EU may examine the UK’s data protection regime relating to national security legislation, including the powers conferred by the IPA, when it decides on the question of adequacy in relation to data flows post-Brexit. Earlier this year, the English High Court ruled that Part 4 of the IPA is incompatible with fundamental rights in EU law. The government has until 1 November 2018 to rewrite that section of the legislation, which deals with the retention of communications data.
__________________
[1] Case of Big Brother Watch v The United Kingdom (Applications nos. 58170/13, 62322/14 and 24960/15), [2018] ECHR 722

Health and Safety – September 2018
£900,000 fine reduced on appeal; other sentencing news; government ban on combustible cladding; and more.
£900,000 fine reduced to £135,000 on appeal
A utilities company has had its £900,000 fine reduced to £135,000 on appeal [1]. Electricity North West Ltd was convicted of contravening regulation 4(1) of the Work at Height Regulations 2005, but acquitted on two other counts of breaching regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 and section 2(1) of the Health and Safety at Work Act 1974. The conviction followed an incident in which an employee died after falling from height while clearing ivy from a vertical wooden pole. The company argued that the size of the fine bore no relation to the seriousness of the offence, in terms of culpability and harm, and in light of the acquittals on the other two counts, and that it was manifestly excessive.
The sentencing judge found that there was “high” culpability, since there was a persistent failure properly to plan over a lengthy period of time. The need to plan for work at height was obvious and a systemic failure put the case in that category of culpability. In relation to harm, in light of the acquittals on the other two counts, he concluded that the likelihood of harm was low and the offending fell within harm category 3. These factors indicated a starting point for a fine of £540,000. The judge then went on to assess turnover. As the company was a “very large” organisation, it was necessary to make an upward adjustment to the starting point and move outside the range to achieve a proportionate sentence. £900,000 was the minimum that could be imposed in the circumstances.
In relation to culpability, the Court of Appeal disagreed with the judge’s finding that the failure to plan so that a Mobile Elevated Work Platform was readily available on the day of the incident made the offence one of high culpability. It said that the failure was not comparable to the other factors indicating conduct or omission which falls ‘far short of the appropriate standards’ so as to justify a finding of high culpability, for example, failing to put in place measures which are standard in the industry or ignoring concerns raised by employees or others. In light of the jury’s verdicts, the company had been convicted of an offence which was properly characterised as falling between low and medium culpability. The sentencing range for large organisations for low culpability/harm category 3 is between £10,000 and £140,000, and for medium culpability/harm category 3 between £130,000 and £750,000. The Court of Appeal concluded that the correct sentence was a fine of £135,000. Notably, it did not consider that any further upward adjustment to reflect turnover should be made on the facts of the case.
Other sentencing news
- A logistics company was fined £1.5 million, and ordered to pay costs of over £32,000, after a worker was fatally trapped while attempting to attach a trailer, which was parked on a slight slope, to his vehicle. The inspector from the Health and Safety Executive (HSE) said: “Had Tuffnells taken the slope into account, simple measures could have been taken that would have prevented this incident. Workplace transport remains a high risk environment, and this case serves as a reminder to industry that assessments of sites should be specific and identify the hazards unique to each yard. It is also a reminder that the slope a vehicle is parked on does not need to be steep for incidents to occur”.
- International tyre manufacturer Pirelli was fined £512,000 after two workers were seriously injured by the same machine in two separate incidents. The HSE investigation found that the machine was not properly guarded, despite the first incident.
- Tata Steel UK Ltd was fined £450,000 after a worker fell three to four metres into an open pit while carrying out a skip emptying operation. An earlier risk assessment had identified the need for a barrier around the pit during this type of operation. A barrier was not provided until after the incident.
HSE launches construction health inspection initiative for October 2018
The HSE announced that it will be visiting construction sites across the country during October 2018, focusing on the measures employers have in place to protect their workers from occupational lung disease caused by asbestos, silica, wood and other dusts. It says that it will be looking specifically for evidence of construction workers knowing the risk, planning their work and using the right controls.
Government announces ban on combustible cladding
As this edition of the Regulatory round-up was due to go to press, the government announced that it will ban the use of combustible materials on the external walls of all new high-rise buildings that contain flats, as well as hospitals, residential care premises and student accommodation above 18 metres in height. There will be changes to building regulations and products will be limited to those achieving a European classification of Class A1 (these are products described as having no contribution to fire at any stage) or A2 (products described as having no significant contribution to fire at any stage). The government consulted on a proposed ban during the summer, after the Hackitt final report on building regulations and fire safety stopped short of recommending an outright ban.
Some have said that the ban does not go far enough. The Fire Brigades Union says that the ban should apply to all buildings, whatever their height or use, and should permit only the highest standard of A1 materials. It is also concerned that the measures do not deal with existing cladding on buildings (see the press release). The Royal Institute of British Architects (RIBA) is also concerned at permitting all A2 classified products (see the press release).
On 10 September 2018, the Ministry of Housing, Communities & Local Government issued a circular letter to draw attention to issues about assessments of external wall cladding systems and to issue guidance pending the outcome of various recent government consultations (including the proposed ban on combustible cladding) in the wake of the Hackitt Review.
In related news:
- RIBA is consulting until 15 October 2018 on a new ‘Plan of Work for Fire Safety’.
- The government responded to a Select Committee report setting out the Committee’s main conclusions and recommendations following a short inquiry post-publication of the Hackitt final report.
- The Construction Industry Council published the first quarterly report of the steering group responsible for implementing the competence recommendations of the Hackitt Review.
Consultation on banning the sale of energy drinks to children
The government is consulting until 21 November 2018 on a proposal to end the sale of energy drinks to children. The ban would apply to all retailers in England, including both on-site and online sales. A summary of the proposals and the questions for consultation can be found from page 9 onwards.
______________
[1] R v Electricity North West Ltd, [2018] EWCA (Crim) 1944