1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Fintechs are treated like other financial services firms. If they carry out activities that fall within the scope of one of the regulated activities under the Financial Services and Markets Act 2000 (FSMA), they will need to be authorised by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) (part of the Bank of England). Regulated activities are defined in the FSMA (Regulated Activities) Order 2001. This primary and secondary legislation is supplemented by the principles, rules and guidance in the PRA Rulebook and the FCA Handbook. Other key legislation includes the Consumer Rights Act 2015, the Data Protection Act 2018 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Depending on a fintech's areas of focus, some key EU measures include the second EU Payment Services Directive (2015/2366/EU), the EU Electronic Money Directive 2 (2009/110/EC), the recast EU Markets in Financial Instruments Directive (2014/65/EU), the EU Markets in Financial Instruments Regulation (600/2014) and the E-commerce Directive (2000/31/EC).

1.2 Do any special regimes apply to specific areas of the fintech space?

There is no special regime for fintech in the United Kingdom; fintech firms' activities are treated in the same way as those of other financial services firms.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The PRA is the prudential regulator and the FCA is the conduct regulator for banks, insurers and the largest investment firms. The FCA is the sole regulator for other firms.

The PRA and FCA have a number of supervisory and enforcement powers. Both the PRA and the FCA have the power to make periodic inspection visits of firms. They also have various powers under FSMA, including to require a firm to provide specified information or documents or commission a report by a skilled person, to publish warning notices and to impose financial penalties. They can both impose specific requirements on firms – for example, to seek the regulator's consent before undertaking certain acts. There are also a number of offences under the FSMA, such as carrying on a regulated activity in the United Kingdom, or purporting to do so, without the relevant authorisation or exemption is a criminal offence.

The Payment Systems Regulator (PSR) has responsibility for the oversight of retail payment systems and is a subsidiary of the FCA. It is competition focused, with wide powers, including the power to amend agreements relating to access to payment systems and to require banks to enter into agreements with smaller institutions. It can investigate and impose fines or other sanctions.

1.4 What is the regulators' general approach to fintech?

The FCA is supportive of the fintech sector, recognising that innovation is key to achieving effective competition in the interest of consumers, which is one of the FCA's statutory objectives. For example, the FCA's Regulatory Sandbox, part of its Project Innovate, provides a safe space for fintech companies to test new products, services, business models and delivery mechanisms in a ‘live' environment with real consumers for a limited period, without the time and cost of the full authorisation process or the risk of regulatory penalties. Eligibility criteria for the Regulatory Sandbox include a requirement that the product or service involve genuine innovation and direct or indirect consumer benefit. The tailored authorisation process is restricted to allow companies to test only the ideas agreed with the FCA.

On the payments front, one of the PSR's statutory objectives is the promotion of innovation in payment systems.

The PRA acknowledges that it must be ready to adapt its prudential regulatory approach to the risks, opportunities and changes in the structure of the financial system resulting from technological developments. More widely, the Bank of England looks to explore how fintech might support its mission to maintain monetary and financial stability. This includes understanding what fintech means for the safety and soundness of financial firms, and performance of its own operational and regulatory roles (eg, infrastructure requirements). The Bank of England's Fintech Accelerator includes a programme through which it works with businesses on fintech proofs of concept.

1.5 Are there any trade associations for the fintech sector?

Innovate Finance is the UK industry body for fintech, representing the UK's global fintech community. It provides a single point of access to promote enabling policy and regulation, talent development and business opportunity and investment capital. Members range from seed-stage start-ups to global financial institutions and professional services firms.

FinTech North focuses on the fintech community in the north of England. It provides a platform for sharing ideas, challenges and best practice, for showcasing innovative start-ups and scale-ups, and for facilitating connections and collaborations.

FinTech Scotland brings together entrepreneurs, the established financial sector, the public sector, accelerators, investors, consumer groups, technology and service firms, universities and skills agencies.

The FinTech National Network brings together FinTech North, Innovate Finance and FinTech Scotland to offer collaboration opportunities throughout the United Kingdom. The network encourages collaboration between UK fintech hubs to raise their collective profile on the global stage and address shared challenges across topics such as skills and talent, capital and investment and diversity.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

Four of the most embedded subsectors of the fintech industry are:

  • payments-related platforms (eg, PayPal and PaySafe), with $106.49 million of UK venture capital investment in 2018;
  • challenger banks, such as Marcus, Monzo and Revolut, with the biggest share of venture capital investment at $461.43 million in 2018;
  • personal finance and wealth management, such as Nutmeg, with $333.61 million of venture capital investment in 2018; and
  • alternative lending and peer-to-peer lending, such as Funding Circle, with $306.64 million of venture capital investment in 2018.

All of the above information has been taken from Innovate Finance, "2018 FinTech VC Investment Landscape", January 2019.

2.2 What products and services are offered?

Within a specific sub-sector, it is typical for a start-up to focus on one product or service that it can deliver more effectively or with a better customer experience, or that fills a gap in the market. For example, new payment acceptance services have enabled small and medium-sized enterprises (historically considered too unprofitable for the major acquirers) to accept card payments; online lenders working with employers are enabling credit to be made available at better rates to consumers who have historically found it difficult to borrow; and roboadvice is broadening access to the mass market, not just to the affluent. Once a gateway product has been established, other related products may follow, offered either directly or in cooperation with financial institution partners.

2.3 How are fintech players generally structured?

Almost all new start-ups are limited companies, given the need to bring in equity investors.

2.4 How are they generally financed?

Most fintechs are financed by venture capital or private equity investment. According to the UK FinTech Paper, there was $3.3 billion of venture capital, private equity and corporate venture capital investments into UK fintech in 2018. As for the geographical source of funds, the United Kingdom remains a ‘competitive' investment destination, with 50% of investment from overseas, largely from North America (25%) and Europe (18%).

In terms of sectors, the UK FinTech Paper stated that challenger banks led the way with $461 million of venture capital investment in 2018. This was mostly Revolut's Series C funding and Monzo's $110 million Series E.

There were also high levels of venture capital investment in several sub-sectors, showing a sharp increase from 2017. These included personal finance and wealth management ($333.6 million), alternative lending and finance ($306.6 million), blockchain and digital currencies ($174.7 million), insurtech ($103.1 million) and payments ($102.5 million).

There has also been increased private equity investment in UK fintech over the last few years, according to Innovate Finance (Innovate Finance, "2018 FinTech VC Investment Landscape", January 2019), with a twelvefold increase in investment and a fivefold increase in deal volume by private equity-led investors.

Crowdfunding is also a popular way for start-ups to get backing from the public through a platform. Revolut and Monzo have both had successful crowdfunding campaigns.

2.5 How are they positioned within the broader financial services landscape?

Many new entrants in corporate, investment and retail banking are embracing ‘coopetition', rather than competition. This involves partnering with traditional banks, rather than directly competing. According to McKinsey (McKinsey and Company, "FinTechnicolor: the New Picture in Finance", February 2016), start-ups rely on established institutions to fulfil loans or provide the payments backbone for credit-card or foreign-exchange transactions. These start-ups have highly automated, scalable, software-based services and no physical distribution expenses (eg, branch networks), giving them a significant cost advantage.

Banks are having to adapt to the new landscape with these disruptive and innovative new entrants. According to the UK FinTech Paper, "While just a few years ago it was easier to dismiss new market entrants, firms including Exo, GoCardless, Monzo, Nutmeg, Revolut and TransferWise are now competing with traditional banks' business lines - from international payments, transfers and FX, through to savings, investments and retail accounts" (Department for International Trade, April 2019). Some banks have already started to adapt successfully – for example, Goldman Sachs successfully delivered Marcus, an online savings account, and RBS launched Mettle, to work with small businesses in a more digital way.

Open banking is also providing significant new opportunities for fintechs. Open banking was introduced in the United Kingdom as a result of the Competition and Markets Authority's (CMA) 2017 Retail Banking Market Investigation Order (which required the United Kingdom's nine largest banks to build standardised customer systems to share financial information securely with fintech firms) and also across the European Union by the Second Payment Services Directive (PSD2), which introduced account information services and payment initiation services as new regulated activities. The CMA Order and PSD2 came into force on 13 January 2018. Open banking aims to allow firms to offer innovative consumer solutions and improve the quality of their consumer products – for example, improved financial advice and cheaper loans.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Many start-ups outsource back office functions. It is a common misconception that they ‘must' develop and keep all of their technology in house. In the current world where technological development is so fast paced, it does not always make financial sense to create technology from scratch, when there is already a lot of high-quality software existing in other companies. Outsourcing can work out cheaper, and potentially more reliable, for new companies. Further, third-party technology companies often have greater expertise in their specialist area. Start-ups often outsource on a pay-as-you-go basis, which is a flexible alternative to creating and maintaining the technology in-house.

The main legal implications are that fintechs will have to comply with Financial Conduct Authority (FCA) rules on outsourcing contained in Chapter 8 of Senior Management Arrangements, Systems and Controls and the EBA Guidelines on Outsourcing Arrangements (European Banking Authority, "Final Report on EBA Guidelines on outsourcing arrangements", February 2019), which set rules for how outsourcing relationships, including cloud outsourcings, should be governed. The guidelines apply to a broad range of entities: UK banks, building societies, designated and Prudential Sourcebook for Investment Firms investment firms. A key distinction in the guidelines is that outsourcing arrangements are divided into critical and non-critical, with the regime for outsourcing critical or important functions being much stricter than the regime for other outsourcings. Entities must ensure that they have access and audit rights over the outsourced function, and the ability to step in if the provider is not complying with relevant laws or guidelines.

There are also privacy and cybersecurity concerns which arise as a result of outsourcing, as data will most likely have to be shared between the entity and the outsourcing provider.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

The Internet has no specific regulatory regime; however, internet service providers (ISPs) are subject to regulatory frameworks as well as specific regulations depending on the nature of the services they offer.

The global nature of the Internet means that ISPs need to be aware of where services come within the scope of UK law.

Generally, ISPs are treated as providers of electronic communications networks and services, and therefore these laws are applicable. However, depending on the nature of the services offered by the ISP, other regulatory frameworks may be applicable where content is aimed or contributed by UK consumers, as this has wide implications and touches on a number of different areas of potential liability for ISPs. Key laws to be aware of include:

  • the Communications Act 2003;
  • the Digital Economy Act 2017 (including the Electronic Communications Code);
  • the Data Protection Act 2018 – if any personal data is being processed by the ISP;
  • the Computer Misuse Act 1990;
  • the Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016;
  • the Consumer Rights Act 2015;
  • the Network and Information Security (NIS) Directive;
  • the Defamation Act 2013 – depending on the nature of content on the ISP's site; and
  • the Copyright Designs and Patents Act 1988.

Prior to the United Kingdom leaving the European Union, the United Kingdom is also subject to relevant EU regulations:

  • EU Regulation 2015/2120 on universal service and users' rights in relation to electronic communications networks and services;
  • the General Data Protection Regulation (GDPR); and
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003.

ISPs should also be aware of general conditions and specific conditions issued by Ofcom.

(b) Mobile (m-commerce)

Mobile commerce does not have a specific regulatory regime. It is often regarded as a subset of e-commerce and the same regulatory framework applies.

(c) Big data (mining)

Big data mining, a form of data processing, is subject to the regulatory regime applicable to data protection in the United Kingdom, the Data Protection Act 2018 and the GDPR. The nature of big data and the technology used for big data analytics raise a number of specific issues in this regard. Anonymisation or pseudonymisation is commonly used in the context of big data; and anonymous data is by definition not personal data, and therefore not subject to the GDPR regime.

If the dataset has not been anonymised, particular data protection issues are raised by the characteristics of big data analytics, including the opacity of processing, the tendency to collect as much data as possible, the repurposing of data and the use of new types of data. In this context, it is important to ensure that sufficient information is provided to the data subjects when data is collected or acquired, that processing is carried out in as transparent a way as possible, and that the principles of purpose limitation and data minimisation are observed. Data must be stored with adequate measures in place to ensure it remains secure.

The GDPR harmonises the data protection regime at the EU level. When the United Kingdom leaves the European Union, the GDPR will be incorporated in UK law (subject to a few minor changes), so data protection standards will remain the same. However, as the United Kingdom will become a third country, data transfers from the European Union may occur only if the safeguards required by the GDPR, such as standard contractual clauses or binding corporate rules, are in place. In order for data to be transferred freely between the United Kingdom and the European Union, an adequacy agreement must be reached with the European Union. In order to secure such an agreement, the United Kingdom must be judged to provide a level of protection for personal data processed in the United Kingdom which is equivalent to the level of protection which is applicable in the European Union.

(d) Cloud computing

As a technology, the cloud is not regulated. However, cloud service providers (CSPs) and cloud service users (CSUs) will need to comply with regulations applicable to their use of the cloud as they would as an ISP (see question 3.1 for further information). The most critical of these are in respect of data protection and security, and both CSPs and CSUs will need to comply with applicable laws and regulation related to data and security.

Although optional, the National Cyber Security Centre operates a cyber essential scheme which companies can be assessed and certified against to demonstrate that they are appropriately managing cybersecurity.

Where a CSP is a regulated firm, use of the cloud may be considered an ‘outsourcing of a critical function' and therefore the firm will need to comply with the regulations and guidance issued by its regulator (either the Prudential Regulatory Authority (PRA) or the Financial Conduct Authority (FCA)), which include:

  • the Capital Requirements Directive IV (2013/36/EU);
  • the recast EU Markets in Financial Instruments Directive (MiFID II) (2014/65/EU) and the Delegated Regulation (EU) 2017/565;
  • Chapter 8 of the FCA's Senior Management, Arrangements and Controls Sourcebook (as well as Sections 13 and 14 for insurers); and
  • the outsourcing section of the PRA Rulebook.

European regulators have also published guidelines and recommendations on outsourcing by regulated firms, including:

  • the Committee of European Banking Supervisors' high-level guidelines applicable to outsourcing in the banking sector across the European Union;
  • the European Securities and Markets Authority's guidelines on certain aspects of the MiFID compliance function requirements; and
  • the European Banking Authority's guidelines on outsourcing.

(e) Artificial intelligence

Artificial intelligence (AI) is not regulated in and of itself; rather, it is subject to different regulatory regimes, depending on how the AI is being used. AI includes a broad range of different technologies, including machine/deep learning, use of algorithms and natural language processing; and therefore there is no one applicable set of laws.

In the United Kingdom, specific consideration is being given in respect of self-driving cars and the Law Commission is currently undertaking a review (intended to run until 2020) as to how current laws in England and Scotland need to be updated to take into account issues related to non-human driven cars.

However, until specific regulations are provided, AI will be subject to law applicable to the nature of the AI. Key laws to be aware of include:

  • the Data Protection Act 2018;
  • the Consumer Protection Act 1987;
  • the Consumer Rights Act 2015;
  • the Network and Information Security Directive; and
  • the Copyright Designs and Patents Act 1988.

Prior to the United Kingdom leaving the European Union, the United Kingdom is also subject to relevant EU regulations, including those in respect of personal data. The United Kingdom also has the benefit of EU IP rights and further information is awaited depending on what these will look like after the United Kingdom leaves the European Union.

It is generally acknowledged that current laws and regulations are not appropriate to deal with the considerations of AI and as part of the United Kingdom's AI Sector Deal the government is considering required changes.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Distributed ledger technology (DLT) is not regulated in and of itself; however, its applications in some instances are. The regulatory approach to crypto assets in the United Kingdom has been clarified by the FCA in its latest policy statement on 31 July 2019. In an effort to remain technology neutral, the FCA has determined the characteristics of tokens traded using DLT and regulated in kind. The recent statement refines its taxonomy of crypto assets and divides them into security tokens, e-money tokens and unregulated tokens. Security tokens will be regulated in line with the Regulated Activities Order and e-money in line with the Electronic Money Regulations. Later this year the Treasury will be moving forward with its approach to unregulated tokens. The FCA intend to use existing regulations to cover this technology as opposed to creating a new regime; however, this has not been the case in all jurisdictions – notably, Malta and France have come up with bespoke models that look to address specific aspects of tokens. There is yet to be a harmonised approach across countries; however, the European Union's Fifth Anti-Money Laundering Directive has expanded the scope of obliged entities to bring within its remit virtual currency exchange platforms and wallet providers, meaning that they will have to carry out identity checks for clients and beneficial owners as well as report on any suspicious activity. In addition, the European Parliament in its draft report on the European Crowdfunding Service Providers Regulation looked to bring token sales within the remit of the legislation treating certain offerings the same way as traditional crowdfunds.

The key issues around crypto assets relate to ensuring that anti-money laundering provisions are adhered to, investors and consumers are protected and the stability of the financial system is protected, as well as to taxation.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

The regulation of investment-based crowdfunding platforms depends on the activities undertaken by each individual platform. For most platforms, the rules under the recast EU Markets in Financial Instruments Directive (MiFID II) or the Alternative Investment Fund Managers Directive and the corresponding Financial Conduct Authority (FCA) Handbook provisions will be relevant. Investing in unlisted shares or debt securities via online crowdfunding platforms is a regulated activity under Article 25 of the Financial Services and Markets Act (FSMA) (Regulated Activities) Order 2001 (RAO) ("Arranging deals in investments"). Investment-based crowdfunding is classed by the FCA as a high-risk investment activity and specific marketing restrictions in relation to retail clients apply under the FCA Conduct of Business Sourcebook (COBS).

The facilitation of lending and borrowing between individuals or between individuals and businesses by a peer-to-peer platform is a regulated activity under Article 36H of the RAO ("Operating an electronic system in relation to lending"), and requires authorisation by the FCA. Where lenders are individuals, the FCA's Consumer Credit Sourcebook (CONC) requires peer-to-peer platforms to provide essentially the same protections as those that apply to regulated consumer credit agreements offered by lenders that carry on the business of lending.

Where lenders are individuals, the FCA aims to protect them from the risks associated with non-repayment of loans and ineligibility for the Financial Services Compensation Scheme by categorising peer-to-peer agreements as ‘designated investment business' for the purpose of applying key parts of COBS.

From December 2019, the FCA is introducing new rules on loan-based and investment-based crowdfunding platforms aimed in particular at enhancing the regulatory framework for loan-based peer-to-peer platforms to protect investors while still allowing for further innovation.

(b) Online lending and other forms of alternative finance

Lending to consumers is a regulated activity under Article 60B of the RAO and any third party that introduces consumers to lenders is likely to need be authorised as a credit-broker under Article 36A of the RAO (eg, payroll linked lending will usually be made available through the employer, which will be a credit broker). Conduct of business rules in CONC as well as the Consumer Credit Act 1974 and its related statutory instruments apply to every aspect of the activity, from pre-contract information to debt collection and enforcement.

(c) Payment services

Payment services are regulated by the FCA outside of FSMA. Regulated activities include placing cash on a payment account, executing payment transactions, issuing payment instruments, acquiring payment transactions, money transmission, payment initiation services and account information services. These last two activities can be provided only in connection with payment accounts that can be accessed online.

The regime is governed by the Payment Services Regulations 2017 (PSRs) and (to a certain extent) the FCA Banking: Conduct of Business Sourcebook. There is also an FCA Payment Services and Electronic Money Approach Document, which explains how the FCA and other relevant authorities approach the PSRs requirements.

Banks and e-money institutions (ie, non-banks issuing e-money which are regulated by the FCA outside of FSMA under the Electronic Money Regulations 2011) can provide payment services without needing further authorisation. Other businesses must register with the FCA as payment institutions. Businesses that provide account information services only can become registered account information service providers instead. Providing payment services without appropriate authorisation is an offence under the PSRs and is punishable by imprisonment, a fine or both.

The payment services regime applies in full to payment services carried out within the European Economic Area (EEA) in euro and other EEA currencies (eg, pounds sterling). It also applies, to a certain extent, to payment services in other currencies and to payments that are made from, or to, a payment services provider outside the EEA.

Any firm providing payment services must comply with the information and conduct of business rules under the PSRs.

(d) Forex

Cash-to-cash currency exchange operations (eg, a bureau de change), where the funds are not held on a payment account, are unregulated. However, the provider is likely to be subject to UK anti-money laundering legislation. An existing authorised payment service provider (PSP) is permitted, without additional permissions, to provide forex services that are closely related and ancillary to its payment services (so long as the PSP is not providing foreign exchange derivative services that would otherwise require authorisation under MiFID II.

Brokers of forward forex contracts are generally required to be authorised by the FCA and are subject to its regulatory requirements – for example, relating to capital adequacy, MiFID II-derived conduct of business rules and the European Markets Infrastructure Regulation. There are two exclusions from this requirement for FCA authorisation:

  • for forex spot contracts; and
  • for foreign exchange transactions connected to a payment transaction.

There are detailed rules (originating from MiFID II) on the conditions that must be met for these exclusions to apply. These exclusions do not apply to an option or a swap on a currency.

(e) Trading

Regulation in the United Kingdom is generally technology neutral. This means that the requirement to be authorised and regulated is based on the activity that is carried on, rather than the means by which the activity is carried out.

Dealing in investments (as principal or agent) or agreeing to do so, and arranging deals in investments (either arrangements bringing about investments or arrangements made with a view to transactions in investments), are regulated activities in the United Kingdom, requiring authorisation from the FCA, unless the person is exempt or an exclusion applies. In addition, operating a multilateral trading facility or an organised trading facility, and bidding in emissions auctions, are activities requiring authorisation through separate permissions from the FCA.

Various exclusions and exemptions are available under FSMA, the RAO and the Financial Services and Markets Act 2000 (Exemption) Order 2001 (SI 2001/1201). A person falling within the scope of an exclusion or exemption will, respectively, either not be carrying on the regulated activity in question or be exempt from carrying on the regulated activity. In addition, to require authorisation, the activity must be carried on by way of business in the United Kingdom. The exemptions are more specific and detailed. For example, depending on whether the activity is governed by MiFID II, a company does not deal in investments as principal if it issues its own shares or share warrants. An agent that deals with or through an authorised person will not require authorisation, provided that certain conditions are met.

(f) Investment and asset management

As explained at question 4.5, the United Kingdom's requirement to seek regulation for activities is technology neutral. Therefore, to conduct the following activities in the United Kingdom, FCA authorisation is required:

  • managing an undertakings for collective investment in transferable securities (UCITS) fund;
  • managing an alternative investment fund (AIF);
  • acting as trustee or depositary of an AIF or a UCITS fund;
  • managing investments; and
  • safeguarding and administering investments.

These are the most common regulated activities associated with asset management, but the list is not necessarily exhaustive.

Depending on whether or not the investment being managed is a MiFID investment, certain exemptions are available under circumstances detailed in the RAO.

(g) Risk management

The UK regulator requires a regulated financial services firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to. However, this obligation applies to firms that are already subject to regulation. There is not a specific regulated activity for risk management. Conversely, certain aspects of risk management may require authorisation if the activity falls within an activity specified in the RAO. This may be the case, for example, where the risk management activity involves dealing in investments as principal or agent. If these regulated activities are relevant, there is potentially an exemption in the RAO: risk management activities involving options, futures and contracts for difference are excluded if specified conditions are met. The conditions include the company's business consisting mainly of unregulated activities and the sole or main purpose of the risk management activities being to limit the impact on that business of certain kinds of identifiable risk. For dealing as agent, risk management transactions where the agent is dealing on behalf of a group company or a co-participant in a joint enterprise are excluded. Where MiFID applies to the activity carried on by principal or agent, these exclusions are unavailable and authorisation is required.

(h) Roboadvice

As noted above, the United Kingdom's approach to regulation is technology neutral and is relevant in any area where giving advice is regulated such as residential mortgages. For example, advising on investments is an activity requiring authorisation in the United Kingdom. Therefore, if roboadvice amounts to advising on investments, the person giving the advice must be authorised. Roboadvice firms are expected to meet the same regulatory standards as traditional advisory services (eg, requiring suitability of advice).

For an unregulated entity, advising on investments means the advice must:

  • be given to a person in that person's capacity as an investor or potential investor (or capacity as agent for an investor or potential investor); and
  • relate to the merits of that person buying, selling, subscribing for or underwriting an investment (or exercising rights to buy, sell, subscribe for or underwrite such an investment).

There is no requirement for there to be a personal recommendation involved.

Generic guidance – for example, that does not relate to a specific product – is not regulated; however, the line can be challenging to define.

Firms already authorised by the FCA will require an additional permission to advise on investments only where the advice they give involves giving a personal recommendation (which is a narrower concept):

  • to a person to buy, sell, subscribe for, exchange, redeem, hold or underwrite a particular investment which is a security, structured deposit or relevant investment; or
  • to a person to exercise or not exercise any right conferred by such an investment to buy, sell, subscribe for, exchange or redeem such and investment; and
  • that is presented as suitable for the person to whom it is made or based on a consideration of the circumstances of that person.

A recommendation issued exclusively to the public is not a personal recommendation.

The FCA has produced detailed guidance to help firms assess whether their conduct will be within the regulatory perimeter in this respect.

(i) Insurtech

‘Insurtech' can cover a broad category of technology use in the insurance industry, from customer sales and servicing (eg, digital onboarding, automatic underwriting, roboadvice) and improving back office functions and risk management (eg, through cloud, blockchain, big data analysis), to developing new products (eg, with connected devices and smart contracts).

The legal issues and relevant regulations depend on the nature of the technology and how it is being used.

For example, any business using artificial intelligence (AI) to make decisions during an online sales process will need to take account of:

  • the Data Protection Act 2018, including the safeguards for automated decision making and an individual's right not to be subject to a decision based solely on automated processing;
  • discrimination risk and what governance will be in place to ensure that the AI shows no signs of bias or discrimination, and that its decisions can be audited and explained; and
  • compliance with regulatory requirements on record keeping and maintaining an audit trail of decision making.

This is in addition to any regulation applicable to the product and the way in which it is being sold, such as the FCA Handbook rules on insurance distribution, distance selling, and consumer terms and conditions.

The main UK insurance regulator is the FCA. For an insurtech start-up, a key consideration is whether it will be carrying on any regulated activity in the United Kingdom and therefore requires regulatory permissions.

As insurtech typically involves processing of personal data, organisations will also be regulated by the Information Commissioner's Office.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

The UK data protection regime is contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It applies wherever personal data are being processed by an entity in the European Union, or where goods and services are offered to data subjects in the European Union or their behaviour is monitored. Entities dealing with personal data are either controllers, which take decisions about how and why personal data is processed and are subject to the full range of GDPR obligations; or processors, which carry out processing operations delegated to them under a controller-processor contract which ensures that the requirements of the GDPR are met and the rights of data subjects guaranteed. Two or more entities may be joint controllers of the same data processing operation(s).

Given the large amounts of personal data involved in the provision of fintech products and services, fintech companies are likely to be subject to the GDPR in some capacity. It is therefore essential to determine the capacity in which a fintech company subject to the GDPR processes personal data.

Controllers must comply with the principles set out in the GDPR, including lawful, fair and transparent processing for specific, explicit and legitimate purposes, with purpose and storage limitations and appropriate security. The GDPR also confers rights on individual data subjects, including the right to be informed about personal data processing, to object to or restrict processing, to rectify data and to have it erased, and to data portability. While personal data may be transferred freely between EU countries, transfers of personal data outside the European Union are prohibited unless appropriate measures are taken to protect the data.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

In addition to the data security requirements set out in the GDPR, the Network and Information Services (NIS) Directive, implemented in the United Kingdom via the NIS Regulations, set out security and incident reporting requirements. These apply, among other things, to relevant digital service providers (RDSPs), which will likely include fintech companies that provide a digital service (provision of online marketplaces, online search engines and cloud computing services) and have a head office in the United Kingdom or have nominated a representative established in the United Kingdom. Small and micro enterprises are exempt.

RDSPs must:

  • register with their competent authority (the Information Commissioner's Office (ICO));
  • take appropriate and proportionate security measures to protect their network and information systems; and
  • put suitable procedures, policies and plans in place to enable detection and reporting of incidents which have a significant impact on the provision of services and business continuity in such circumstances.

When such incidents occur, the ICO must be notified within 72 hours of the RDSP becoming aware of them. The notification must include:

  • the name and digital services provided by the company;
  • the time and duration of the incident;
  • information concerning the nature and impact of the incident, including any actual or likely cross-border impacts; and
  • any other useful information.

The NIS Regulations provide for significant fines in the event of contravention. The legislation provides for various ceilings on monetary penalties relating to different types of incident, with fines of up to £17 million for the most serious cases.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

Financial crime takes many forms and is governed in the UK by various provisions:

  • Money laundering is primarily governed by the Proceeds of Crime Act 2002. Criminal liability may also be incurred by ‘relevant persons' for failure to comply with the requirements under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which impose controls relating to customer due diligence, group-level policies and risk assessments.
  • The facilitation of tax evasion is an offence under the Criminal Finances Act 2017.
  • Terrorist financing is mainly governed by the Terrorism Act 2000.
  • Bribery and corruption are mainly governed by the Bribery Act 2010.
  • Criminal offences of insider dealing and market manipulation are contained in Section 52 of the Criminal Justice Act 1993 and Part 7 of the Financial Services Act 2012 respectively.
  • Breach of financial sanctions is governed by way of directly applicable EU regulations and corresponding UK statutory instruments.
  • The main offences for fraud are contained in the Fraud Act 2006 and the Theft Act 1968, with additional offences in companies and tax legislation.

Additionally, all firms regulated by the FCA must have adequate policies and procedures in place to counter the risk that they might be used to further financial crime. The FCA is empowered to enforce against firms for breaches of the relevant rules.

A key challenge for fintech companies is to ensure that they balance innovation with their obligations under relevant financial crime legislation.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

UK competition laws apply to the fintech sector in the same way that they apply to other sectors.

Although there are no specific pro-competition measures targeted specifically at fintech companies, open banking, introduced following an investigation by the Competition and Markets Authority into the retail banking market, has increased competition and provided significant opportunities for fintech companies.

In addition, both the Financial Conduct Authority and the Prudential Regulatory Authority have powers to enforce competition laws, and have statutory objectives to support competition and innovation. Both have recognised the importance of fintech companies to effective competition and innovation, and can be expected to consider using their enforcement powers to prevent incumbents from seeking to limit the success of fintech companies.

However, the fintech sector does present a number of challenges from a competition law perspective:

  • Market definition is often the starting point of any competition analysis. However, it can be challenging to define the market in the fintech sector – not least because of the constantly evolving nature of the market and complicating factors such as the need to consider the nature of competition in multi-sided platforms.
  • A successful fintech can gain market share very quickly. As a result, even start-ups can find themselves at risk of being considered to be holding a dominant position, depending on how the market is defined, and therefore need to take particular care to avoid infringing rules against abuse of a dominant position.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Innovation in the fintech space may be protected by a variety of different IP rights in the United Kingdom, including patents, copyright and database rights.

A patent is registered protection for an invention. That invention can be for a product (eg, a new contactless payment device), a process (eg, the use of voice recognition for authentication of contactless payments from a mobile phone) or both. Inventions can be protected only through registration. Once a patent is registered, the inventor can prevent third parties from using or copying the invention for 20 years from the date of filing. Publicly disclosing details of the invention before registered patent protection is granted is fatal to a patent application, as a patent must be ‘novel' – that is, new, over and above what is already out there.

Copyright is relevant for ‘literary works' (including documents, computer programs and databases). Copyright arises automatically when a work is created – that is, it does not have to be registered. The copyright owner (eg, the computer programmer) will be the person that created it, unless it was created by an employee (in which case the employer will usually be the owner), or unless the creator has transferred his or her rights to anyone.

A database may be protected by copyright (see above), as well as a standalone database right which is available in certain circumstances. Database rights are infringed if someone extracts and reuses all or a ‘substantial part' of the contents of a database without permission.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

While there are few UK tax incentives specifically aimed at the fintech space, a number of more general tax benefits may apply at either company or investor level.

Research and development (R&D) tax relief allows companies which are small and medium-sized enterprises (SMEs) to deduct an extra 130% of certain R&D costs for tax purposes and claim a tax credit worth up to 14.5% of any loss given up. A 12% R&D expenditure credit is available to large companies. Capital expenditure may qualify for R&D capital allowances of 100% of the qualifying expenditure. The UK patent box results in a 10% rate of corporation tax for profits attributable to qualifying patents (but not, generally, other types of intellectual property).

For start-ups, expenditure incurred up to seven years prior to trading which would have been allowable if incurred after the trade began is generally deductible. Trading losses can generally be carried back and used against profits from the prior 12 months or carried forward indefinitely. However, the amount of future taxable profits that can be relieved is restricted to, broadly, £5 million plus 50% of remaining profits per accounting period.

Equity investors in certain unquoted companies can benefit from income tax and capital gains tax reliefs under the Enterprise Investment Scheme and Seed Enterprise Investment Scheme and Venture Capital Trust rules. However, the relevance of these to the fintech space is reduced by the fact the investee company must carry on a trade which does not include a substantial amount of financial activities. Peer-to-peer loans and crowdfunding debentures benefit from some limited specific reliefs, including being eligible to be held via Innovative Finance individual savings accounts.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

The United Kingdom is regarded as having a relatively flexible labour market. UK employment law distinguishes between employees, workers and the self-employed. Employees have full rights, including the right to a statutory notice period, not to be unfairly dismissed and to various types of family leave such as maternity and paternity leave. Workers have more limited rights, including the right to receive the national minimum wage, to 28 days' holiday and to limits on daily and weekly working time, but not to unfair dismissal/family leave rights. Employees and workers are protected against discrimination because of a protected characteristic, including age, race, sex, disability, sexual orientation and religion and belief. The self-employed have minimal rights.

Individuals are employees if they have a right to be offered work and a duty to accept it, the employer controls what they do and there are no features that are inconsistent with an employment relationship. Individuals who are not employees may be workers if they perform services personally and are not carrying on a business on their own account. Tribunals and courts look to the reality of the situation, not just to the way the employer and the individual have categorised their relationship, when deciding whether someone is an employee, a worker or genuinely self-employed. This means that those working in fintech on a self-employed basis may still have rights as either an employee or a worker if the ‘self-employed' label does not reflect the reality of the relationship.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Until the United Kingdom leaves the European Union, European Economic Area (EEA) and Swiss nationals have the right to live and work in the country under the freedom of movement principle.

For non-EEA/Swiss nationals, visitors' visas are available for those engaging in a limited number of permitted work-related activities for a short period (normally up to six months). Longer-term visas are available through the business and work-related categories of the UK immigration Points-Based System (PBS). The most relevant visas for businesses wishing to start up in the United Kingdom or to employ non-EEA/Swiss nationals are those for:

  • high-value migrants under Tier 1 of the PBS; and
  • skilled workers under Tier 2 of the PBS.

Tier 1 visas allow experienced business people or those wanting to start a business to work in the United Kingdom, provided that their business idea is assessed by an approved endorsement body and they meet various other conditions such as an English language requirement. Investor visas are available to those with £2 million to invest.

Under Tier 2 of the PBS, UK employers can sponsor skilled workers to perform roles in the United Kingdom that cannot be filled from the resident labour market. There are annual limits on the number of Tier 2 (general) visas that can be issued and various conditions apply, such as minimum salary requirements. Intra-company transfers are also possible in some circumstances.

It is expected that there will still be a route for skilled migration to the United Kingdom for entrepreneurs and those with employer sponsorship post-Brexit.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Fintech continues to grow in the United Kingdom and signs of growth and investor interest show little sign of stopping. Although previously focused on payments and banking, there is now a broader spread of fintechs in several different areas, including the use of cryptocurrency and tokenised assets. Incumbents have been taking notice, with 82% of incumbents expected to increase fintech partnerships in the next few years, according to the Department of International Trade.

Over the next 12 months, key regulatory developments to monitor include the following:

  • Brexit: There is uncertainty over what the financial services legal landscape will look like in November or beyond. Although it is likely that the European regulatory regime will continue to be followed (at least in the short term), there is a risk that the uncertainty will have a negative impact on fintech resource and talent in the United Kingdom.
  • Fifth Anti-Money Laundering Directive (AMLD5): The amendment to AMLD4 will introduce a definition of ‘virtual currency' and will require certain cryptocurrency businesses (including exchanges) to conduct enhanced anti-money laundering checks on users similarly to banks and other financial institutions.
  • Strong customer authentication (SCA): the second Payment Services Directive was due to be fully implemented in September 2019, requiring payment service providers to implement a two-factor authentication process to authorise payments. However, the European Banking Authority is allowing a degree of tolerance for delayed SCA implementation. The Financial Conduct Authority (FCA) has announced an 18-month plan up to 14 March 2021 for e-commerce card transactions and phased implementation for online banking by 14 March 2020.
  • FCA approach to crypto: The FCA is actively engaging on cryptocurrency regulation, having provided a policy statement clarifying how certain cryptoassets might be regulated. The FCA has also indicated concerns over the selling of tokenised derivative products to retail customers.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

One important tip for fintech players hoping to operate in the United Kingdom is to understand the wide variety of regulations within the UK regulatory regime and exactly how this will affect their business. For example, a fintech player that enters the United Kingdom may need to seek Financial Conduct Authority (FCA) authorisation from day one if it falls within the regulatory perimeter (subject to any exemptions) – something that many fintechs may not have considered if they are not familiar with UK/EU regulation. If regulatory processes and associated costs are not properly factored into business plans, this can be a challenging sticking point, particularly for early-stage start-ups. It will also be critical for fintechs to understand the privacy regime in the United Kingdom under the General Data Protection Regulation. Regulatory penalties can be very high and the regulations apply even to fintechs whose business model may not primarily involve the processing of personal data.

A tip to avoid coming unstuck in the regulatory landscape is to engage with regulators early in the process. The FCA in particular has made great efforts to support early stage fintechs with initiatives such as Project Innovate, which gives participants access to dedicated support and advice directly to assist new players with their regulatory queries. The FCA has also consistently run its regulatory sandbox initiative to enable new market entrants to operate their system or product within a controlled, regulated environment. This can be very helpful for early stage companies to understand how regulation impacts their product in a real-world scenario without facing reprimand.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.