(a) Crowdfunding, peer-to-peer lending
The regulation of investment-based crowdfunding platforms depends on the activities undertaken by each individual platform. For most platforms, the rules under the recast EU Markets in Financial Instruments Directive (MiFID II) or the Alternative Investment Fund Managers Directive and the corresponding Financial Conduct Authority (FCA) Handbook provisions will be relevant. Investing in unlisted shares or debt securities via online crowdfunding platforms is a regulated activity under Article 25 of the Financial Services and Markets Act (FSMA) (Regulated Activities) Order 2001 (RAO) (“Arranging deals in investments”). Investment-based crowdfunding is classed by the FCA as a high-risk investment activity and specific marketing restrictions in relation to retail clients apply under the FCA Conduct of Business Sourcebook (COBS).
The facilitation of lending and borrowing between individuals or between individuals and businesses by a peer-to-peer platform is a regulated activity under Article 36H of the RAO (“Operating an electronic system in relation to lending”), and requires authorisation by the FCA. Where lenders are individuals, the FCA’s Consumer Credit Sourcebook (CONC) requires peer-to-peer platforms to provide essentially the same protections as those that apply to regulated consumer credit agreements offered by lenders that carry on the business of lending.
Where lenders are individuals, the FCA aims to protect them from the risks associated with non-repayment of loans and ineligibility for the Financial Services Compensation Scheme by categorising peer-to-peer agreements as ‘designated investment business’ for the purpose of applying key parts of COBS.
From December 2019, the FCA is introducing new rules on loan-based and investment-based crowdfunding platforms aimed in particular at enhancing the regulatory framework for loan-based peer-to-peer platforms to protect investors while still allowing for further innovation.
(b) Online lending and other forms of alternative finance
Lending to consumers is a regulated activity under Article 60B of the RAO and any third party that introduces consumers to lenders is likely to need be authorised as a credit-broker under Article 36A of the RAO (eg, payroll linked lending will usually be made available through the employer, which will be a credit broker). Conduct of business rules in CONC as well as the Consumer Credit Act 1974 and its related statutory instruments apply to every aspect of the activity, from pre-contract information to debt collection and enforcement.
(c) Payment services
Payment services are regulated by the FCA outside of FSMA. Regulated activities include placing cash on a payment account, executing payment transactions, issuing payment instruments, acquiring payment transactions, money transmission, payment initiation services and account information services. These last two activities can be provided only in connection with payment accounts that can be accessed online.
The regime is governed by the Payment Services Regulations 2017 (PSRs) and (to a certain extent) the FCA Banking: Conduct of Business Sourcebook. There is also an FCA Payment Services and Electronic Money Approach Document, which explains how the FCA and other relevant authorities approach the PSRs requirements.
Banks and e-money institutions (ie, non-banks issuing e-money which are regulated by the FCA outside of FSMA under the Electronic Money Regulations 2011) can provide payment services without needing further authorisation. Other businesses must register with the FCA as payment institutions. Businesses that provide account information services only can become registered account information service providers instead. Providing payment services without appropriate authorisation is an offence under the PSRs and is punishable by imprisonment, a fine or both.
The payment services regime applies in full to payment services carried out within the European Economic Area (EEA) in euro and other EEA currencies (eg, pounds sterling). It also applies, to a certain extent, to payment services in other currencies and to payments that are made from, or to, a payment services provider outside the EEA.
Any firm providing payment services must comply with the information and conduct of business rules under the PSRs.
Cash-to-cash currency exchange operations (eg, a bureau de change), where the funds are not held on a payment account, are unregulated. However, the provider is likely to be subject to UK anti-money laundering legislation. An existing authorised payment service provider (PSP) is permitted, without additional permissions, to provide forex services that are closely related and ancillary to its payment services (so long as the PSP is not providing foreign exchange derivative services that would otherwise require authorisation under MiFID II.
Brokers of forward forex contracts are generally required to be authorised by the FCA and are subject to its regulatory requirements – for example, relating to capital adequacy, MiFID II-derived conduct of business rules and the European Markets Infrastructure Regulation. There are two exclusions from this requirement for FCA authorisation:
- for forex spot contracts; and
- for foreign exchange transactions connected to a payment transaction.
There are detailed rules (originating from MiFID II) on the conditions that must be met for these exclusions to apply. These exclusions do not apply to an option or a swap on a currency.
Regulation in the United Kingdom is generally technology neutral. This means that the requirement to be authorised and regulated is based on the activity that is carried on, rather than the means by which the activity is carried out.
Dealing in investments (as principal or agent) or agreeing to do so, and arranging deals in investments (either arrangements bringing about investments or arrangements made with a view to transactions in investments), are regulated activities in the United Kingdom, requiring authorisation from the FCA, unless the person is exempt or an exclusion applies. In addition, operating a multilateral trading facility or an organised trading facility, and bidding in emissions auctions, are activities requiring authorisation through separate permissions from the FCA.
Various exclusions and exemptions are available under FSMA, the RAO and the Financial Services and Markets Act 2000 (Exemption) Order 2001 (SI 2001/1201). A person falling within the scope of an exclusion or exemption will, respectively, either not be carrying on the regulated activity in question or be exempt from carrying on the regulated activity. In addition, to require authorisation, the activity must be carried on by way of business in the United Kingdom. The exemptions are more specific and detailed. For example, depending on whether the activity is governed by MiFID II, a company does not deal in investments as principal if it issues its own shares or share warrants. An agent that deals with or through an authorised person will not require authorisation, provided that certain conditions are met.
(f) Investment and asset management
As explained at question 4.5, the United Kingdom’s requirement to seek regulation for activities is technology neutral. Therefore, to conduct the following activities in the United Kingdom, FCA authorisation is required:
- managing an undertakings for collective investment in transferable securities (UCITS) fund;
- managing an alternative investment fund (AIF);
- acting as trustee or depositary of an AIF or a UCITS fund;
- managing investments; and
- safeguarding and administering investments.
These are the most common regulated activities associated with asset management, but the list is not necessarily exhaustive.
Depending on whether or not the investment being managed is a MiFID investment, certain exemptions are available under circumstances detailed in the RAO.
(g) Risk management
The UK regulator requires a regulated financial services firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to. However, this obligation applies to firms that are already subject to regulation. There is not a specific regulated activity for risk management. Conversely, certain aspects of risk management may require authorisation if the activity falls within an activity specified in the RAO. This may be the case, for example, where the risk management activity involves dealing in investments as principal or agent. If these regulated activities are relevant, there is potentially an exemption in the RAO: risk management activities involving options, futures and contracts for difference are excluded if specified conditions are met. The conditions include the company’s business consisting mainly of unregulated activities and the sole or main purpose of the risk management activities being to limit the impact on that business of certain kinds of identifiable risk. For dealing as agent, risk management transactions where the agent is dealing on behalf of a group company or a co-participant in a joint enterprise are excluded. Where MiFID applies to the activity carried on by principal or agent, these exclusions are unavailable and authorisation is required.
As noted above, the United Kingdom’s approach to regulation is technology neutral and is relevant in any area where giving advice is regulated such as residential mortgages. For example, advising on investments is an activity requiring authorisation in the United Kingdom. Therefore, if roboadvice amounts to advising on investments, the person giving the advice must be authorised. Roboadvice firms are expected to meet the same regulatory standards as traditional advisory services (eg, requiring suitability of advice).
For an unregulated entity, advising on investments means the advice must:
- be given to a person in that person’s capacity as an investor or potential investor (or capacity as agent for an investor or potential investor); and
- relate to the merits of that person buying, selling, subscribing for or underwriting an investment (or exercising rights to buy, sell, subscribe for or underwrite such an investment).
There is no requirement for there to be a personal recommendation involved.
Generic guidance – for example, that does not relate to a specific product – is not regulated; however, the line can be challenging to define.
Firms already authorised by the FCA will require an additional permission to advise on investments only where the advice they give involves giving a personal recommendation (which is a narrower concept):
- to a person to buy, sell, subscribe for, exchange, redeem, hold or underwrite a particular investment which is a security, structured deposit or relevant investment; or
- to a person to exercise or not exercise any right conferred by such an investment to buy, sell, subscribe for, exchange or redeem such and investment; and
- that is presented as suitable for the person to whom it is made or based on a consideration of the circumstances of that person.
A recommendation issued exclusively to the public is not a personal recommendation.
The FCA has produced detailed guidance to help firms assess whether their conduct will be within the regulatory perimeter in this respect.
‘Insurtech’ can cover a broad category of technology use in the insurance industry, from customer sales and servicing (eg, digital onboarding, automatic underwriting, roboadvice) and improving back office functions and risk management (eg, through cloud, blockchain, big data analysis), to developing new products (eg, with connected devices and smart contracts).
The legal issues and relevant regulations depend on the nature of the technology and how it is being used.
For example, any business using artificial intelligence (AI) to make decisions during an online sales process will need to take account of:
- the Data Protection Act 2018, including the safeguards for automated decision making and an individual’s right not to be subject to a decision based solely on automated processing;
- discrimination risk and what governance will be in place to ensure that the AI shows no signs of bias or discrimination, and that its decisions can be audited and explained; and
- compliance with regulatory requirements on record keeping and maintaining an audit trail of decision making.
This is in addition to any regulation applicable to the product and the way in which it is being sold, such as the FCA Handbook rules on insurance distribution, distance selling, and consumer terms and conditions.
The main UK insurance regulator is the FCA. For an insurtech start-up, a key consideration is whether it will be carrying on any regulated activity in the United Kingdom and therefore requires regulatory permissions.
As insurtech typically involves processing of personal data, organisations will also be regulated by the Information Commissioner’s Office.