Search This Blog

Wednesday, 19 July 2017

Final UK Regulations Implementing #PSD2

The UK government has today announced its final approach to implementing the new Payment Services Directive (PSD2), along with the final version of the Payment Services Regulations 2017. A final assessment of the impact of the new regulations is yet to be published. The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on - by September, and to accept applications for authorisation/registration from October 2017 to meet the implementation deadline of 13 January 2018.

It turns out that the responses to the consultation in February have only persuaded the government to change a few aspects of its approach to implementation (explained below). But it seems from the summaries that many responses didn't account for the fact that the government's hands have been tied since 2015, when the UK agreed the final version of PSD2 at EU level. As it's a maximum harmonisation directive, member states can only depart from PSD2 where it specifically allows them to. The ship has sailed (albeit with some awkward passengers on board, as explained in my own response). For the most part, implementation is now a question of how the FCA interprets the language in its application to the real world, which it consulted on in April. This does not suggest any lack of 'sovereignty', just a failure to influence EU negotiations (assuming those affected took the opportunity to engage at that time).

Ban on surcharging

One area of departure from the government's initial plan is to prohibit retailers from charging customers any additional amount for using any type of payment method/instrument.

The original idea was only to ban surcharging for the use of cards covered by the Interchange Fee Regulation (as required under PSD2), as well as cross border bank transfers and direct debits in euros (under the Single Euro Payments Area regulations); and limit the surcharges for other payment methods to the direct cost borne by the retailer for making them available.

But the government has opted instead for a blanket ban on businesses surcharging consumers for using any type of payment method, on the basis that it: 
"will create a level playing field between payment instruments and create a much clearer picture for consumers in which they know the full price of the product/service they are purchasing upfront and [can be] confident that there will be no additional charges when they come to pay [with] any payment instrument they choose to use. A blanket ban will also be much easier to enforce than the current position in which merchants are able to pass on costs (but the consumer has no easy way of assessing what these are).
Meanwhile, the government says it will "assess the scale" of claims that interchange fees for card payments have been rising again.

PSD2 introduces a new “account information service” which basically involves providing information from one or more payment accounts held by the user with one or more other payment service providers.

Initially, the list of services the government said it believed might constitute account information services included some services of a much broader in nature:
"• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments...
[and] might include accountancy or legal services, for example” (para 6.30)."
This provoked concern that the government's interpretation was too broad and overlooked the requirement that an account information service would need to be conducted by way of business in its own right, rather than merely as an ancillary part of a wider service. Examples of services that the government says that respondents were concerned about include: 
"banks’ corporate functions; price comparison websites; accountants; financial advisors; legal firms; and Credit Reference Agencies (CRAs). Many of these services are currently provided via a contractual relationship between service providers, users, and ASPSPs, often referred to as Third Party Mandates (TPMs)."
The government now confirms, however, that:
"many uses of these mandates are likely to be outside of the scope of the PSDII. Examples could include power of attorney, where the services are unlikely to be undertaken ‘in the course of business’."

In addition, the FCA has already suggested this narrower view, based on the 'business test' in its own consultation on how it proposes to supervise PSD2.

Next steps

The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on for the various types of authorisation/registration - by September, and to accept applications for authorisation/registration from October 2017.

Monday, 3 July 2017

P2P Lending Goes Global: FinTech Credit v OldTech Credit

Twelve years after the launch of Zopa and the peer-to-peer finance sector finally gets its first report from the Bank of International Settlements (BIS), the central bank of central banks. The report is surprisingly positive, given financial regulators' preference for the status quo. Basically, they believe that change increases risk and increased risk is bad, so innovation is both risky and bad. Similarly, they're fond of shoe-horning innovative services into existing regulatory frameworks without seeing that the innovation may itself be exposing and/or solving flaws in that system. At any rate, the banking situation must be pretty dire for the industry's global beacon to produce a positive report on alternatives...  But in the the interests of time I want to ignore the positives and answer a few criticisms:

Is P2P lending "procyclical"?


In fairness, the BIS report only suggests that P2P finance represents the "potential for ...more procyclical credit provision in the economy", but I still disagree that this is a feature of the model.

Bank lending itself is procyclical, which is to say that banks lend lots of money when the economy is booming, yet try to protect their balance sheets when times are tough and we need credit the most. In fact, this was such an alarming feature of the recent/current financial crisis that BIS itself introduced capital rules that it thought would force banks to become less procyclical. Recently, moreover, the BIS's own Basel Committee reported that these rules are proving ineffective. They think there is too much bank credit available and/or the quality of creditworthiness is in decline.

If that's the case, then we really are in trouble, since UK banks have been lending progressively less to real businesses, and we aren't exactly in the grip of an economic boom...

Compare this to the rise of P2P lending. We started Zopa in 2005 when the 'spread' between high bank savings rates and cheap credit was actually very narrow (heavily subsidised by PPI revenues) - yet proved that lending directly between humans without a bank in the middle produced a better deal for both lenders and borrowers. This is why P2P lending has become ever more popular since 2008, while banks have sat on the sidelines waiting for the good times to roll. Lenders get higher interest on their money, diversify risk by lending to lots of people and businesses who are starved of bank loans - apparently leaving the banks with leaner opportunities...

But I believe the banks have simply chosen to chase higher yielding loans and other assets because their cost base does not allow them to make money serving the better risk customers.

Indeed, the BIS report acknowledges that banks have "left room" for platforms that enable people to lend directly to each other "by withdrawing from some market segments" after the financial crisis (which, I'd like to emphasis, still hasn't ended).  The report notes that P2P lending equated to 14% of gross bank lending flows to UK small businesses by 2015... only 5 years after the launch of the first P2P business lending platform.

So, P2P finance is actually counter-cyclical by its very nature.

The real issue, perhaps, is what happens when banks start being able to offer better interest rates and cheaper loans. Yet Zopa's early experience shows the new platforms will still be able to compete successfully (especially because those PPI cross-subsidies are no longer available: refunds and compensation have now reached £26.9bn, according to the FCA!).

Is it likely there will be a 'run' on P2P lending?

No. Far from seeing a potential 'run' on P2P lending platforms by lenders trying to get their money out, many platforms are seeing excess lender demand due to continuing low yields on bank deposits (not to mention high fees on investment products). Zopa, for example, has been closed to new lenders for some months, even while seeing record borrower demand, yet still plans to offer P2P lending within Innovative Finance ISAs. Everyone is chasing yield, not just the banks. But, again, the early experience shows that the rates will still be more attractive if and when banks are able to offer higher rates to savers, because they need fatter margins than P2P platform operators.

Meanwhile, the P2P model has expanded from consumer and small business loans into car finance and commercial property loans. But so far the regulators have protected banks against head-to-head competition for other forms of finance, such as retail sales finance or mortgages, through lack of reform to arcane procedures dictated by consumer credit and mortgage regulation and refusing to allow longer term finance to be supported with short term loans - which banks are allowed to do all the time.

So, rather than a run on P2P lending, we're more likely to see successful P2P lending operators adding a bank to their group, at the same time as expanding their existing P2P offerings. In other words, a twin-track attack on Old Tech banks and banking models.

Will P2P lending help solve problems with banks' legacy systems?


There's no doubt that this BIS report and the regulatory obsession with 'FinTech' generally, springs partly from regulators' fervent wish that OldTech banks will simply take advantage of the latest trend to rejuvenate their systems for the longer term.

But there are many reasons why established retail banks won't do that - and will continue to passively resist regulatory edicts to do so. That's why the UK government had to impose the open banking initiative (not to mention sharing business credit information and declined loan applications); why the Bank of England has opened up the Real Time Gross Settlement system; and why PSD2 regulates a new class of  third party 'account information' and 'payment initiation' service providers.

Why won't the banks renew their legacy systems to save themselves? For starters, they don't actually have legacy "systems" so much as separate bits of very old kit connected manually by employees holding hands with electrical chord between their teeth using their own spreadsheets. So the shiny new government-mandated open banking interfaces will likely be connected to computers that aren't really party of any type of integrated "system" that, say, a Google engineer might recognise.

Aside from that insurmountable IT challenge, bank management teams are simply not incentivised or empowered to think about the long term, and all their key decisions are made (after a very long time) in committee to avoid personal blame.

So it's more likely that the aspects of 'banking' which are within the scope of P2P lending will gradually drift away from banks altogether, while activities outside that competitive scope will need to be reinvented by others, including new banks, from the ground up.

Will traditional banks launch their own P2P lending platforms?

Probably not.

Some have bought shares in such platforms and others have actually lent their own funds on P2P lending platforms. But that's a long way from allowing their depositors to lend directly to their borrowers.

That's because bankers make their money by keeping savers and borrowers separate of each other and treating deposits as their own funds. 

It's high time regulators admitted this to themselves and got on with the job of supporting more transparent, fairer mechanisms for allocating people's spare cash to other people who need it.

Is P2P lending an "originate-to-distribute" model?


Here, again, P2P lending is a reaction away from this type of model and is transparent enough to reveal attempts to introduce it. BIS says that "originate-to-distribute" refers to the fact that neither the primary lender nor the operator of the platform retains any ownership or interest in the loan that is agreed. But this does not fully describe the model or its potential hazards.

The "originate-to-distribute" model may have that basic feature but the point is that it's driven by a market for secondary instruments (bonds and other derivatives) that are based on underlying loan contracts, where demand in that secondary market has outpaced the supply of loans. In that case, loans may start to be originated solely to support the secondary market. This transpired in the context of the sub-prime mortgage crisis, where investment banks arranged bond issues in a way that effectively concealed the poor quality of underlying loans. From their own problems with undertaking due diligence, they knew that the underlying loan data was hard to find and in many cases unreliable (hence the related 'fraudclosure' issue of investors foreclosing on mortgages they could not prove they owned). That's why the banks involved have since been paid billions in fines and compensation towards the repayment of bailouts (at least in the US).

But, as the name suggests, P2P lending - at least in the UK - involves a direct loan between each lender and borrower on the same platform, where the data concerning the loans is available to the participants, including lenders who may receive assignments of loans already made on the same platform. The visibility of the loan performance data and reputational impact for the platform operator if all goes wrong limits the temptation to conceal the original credit quality or performance of the loan.

So, BIS's assertion that P2P lending represents the same model or suffers from the same potential for moral hazard is not right.

It is possible for a lender to ask a P2P platform to provide it with access to some less creditworthy borrowers to achieve a higher overall yield, perhaps even with a view to selling the resulting loans to other lenders or even securitising them; but even if you deem that to be 'originate-to-distribute', the 'moral hazard' is not there because the data is readily available for all to understand the lesser quality or performance of the loan.

The BIS report cites the Lending Club 'scandal' in 2016. But, ironically, Lending Club is not based on a genuine P2P lending model at all, because the SEC refused to allow direct 'peer-to-peer' loans without full security registration requirements (just ask Prosper!). So the regulators forced the US platforms to operate the same securitisation model that the banks pioneered in the sub-prime crisis... We abandoned attempts to launch the direct P2P model in the US because this model is nothing new - as well as being cumbersome, convoluted and expensive. But even there the relevant 'scandal' was 'only' that when selecting a portfolio of loans to issue bonds to the relevant investor, Prosper selected some loans that did not meet the investor's specified criteria. Not great where the data is available, but the point was that the problem was spotted quite quickly because the relevant data was readily available, so the loans could be re-purchased by the issuer.  

The report also cites the problems at Trustbuddy, in Sweden, but the problems there were again detected early by new management looking at the collections data, who promptly alerted the authorities; and Ezubao, in China, which was a ponzi scheme operated between July 2014 and December 2015 that was detected quite quickly - certainly faster than Madoff's activities in the supposedly heavily regulated US investment markets.

It is worth acknowledging, however, that there is always scope for something to go wrong. This is why the UK P2P lending industry pushed for specific regulation of P2P lending from 2011; and highlights why regulators should stop their hand-wringing about innovation and get on with the job of adapting to change.

Monday, 22 May 2017

EBA Insists On Access To Cloud Providers' Premises And Machines

Yes, it's 2017 and the European Banking Authority really does want financial regulators and their auditors to be able to visit the datacentres of regulated firms' cloud service providers, "including the full range of devices, systems, networks and data used for providing the services outsourced".  Responses on these 'recommendations' are due by 18 August 2017.

No one, including the EBA, really knows why regulators would need to do this, or what they would do on arrival - beyond exchanging pleasantries with the datacentre management and staff (who may not be co-located) and perhaps accepting the kind offer of tea or coffee from a robot or good old-fashioned dispensing machine.

The EBA simply presumes that other firms whose data is kept in the same datacentre (however fleetingly) will be happy for the financial regulators and their auditors to be allowed to wander among the cages amidst the pretty lights, exercising their "unrestricted rights of inspection and auditing".  And there's no mention of whether the EBA is happy for all firms' information security policies to be subject to the unauthorised access to their and their clients' sensitive data by audit teams from random financial (or other?) regulators, even where a firm and its clients are not the subject of the audit. 

Far better that the EBA recommendations focus on these thorny, practical issues instead of blithely insisting that firms negotiate broad, unfettered rights of access to datacentres on their regulators' behalf. 

Or maybe this is just a passive aggressive way of trying to prevent firms from using cloud services?

Thursday, 18 May 2017

Fake News, Screen-scraping and the European Banking Federation #PSD2

The old row between new financial service providers and the European Banking Federation has blown up again. At issue is whether the providers of new regulated "account information" services that rely on access to your payment account data should be able to copy it from your online account ('screen-scraping') or only get it through a different type of interface (API) directly provided and controlled by the bank.

Rather typically, the EBF has produced a video that purports to explain 'screen-scraping' (which could be done in a single slide) but actually misleads by suggesting that the motives of the new service providers who want to do it are unlawful. 

Of course, the method of accessing the account information really has nothing to do with the motives of this new type of regulated service provider.

Instead, the EBF's tactics merely reflects the major banks' age-old resistance to anyone else using "their" payment data to provide you with services that are more useful than the very limited data and features available in your bank account. In fact, that resistance led retailers to launch 'loyalty' programmes and behavioural targeting of advertising as far less efficient ways of figuring what you like to spend your money on.

But the data in your payment account is your data, and you should be able to combine it with your other data - or have trusted third parties do that for you - if you wish. 

That's why - refreshingly - the authorities insisted that PSD2 should specifically regulate the new 'account information service providers'; and, crucially, requires banks to make your payment account available to them, precisely so that you can - if you wish to - rely on their services to make sense of your financial affairs or know how much money you have available while shopping etc., without having to log-in to your bank account(s). 

PSD2 also obliges your payment account information service provider to comply with security and data protection requirements when accessing and handling your payment data, regardless of how they get access to that information. 

So, the latest dust-up is is really just an (old) technological argument about whether a service provider should use your log-in credentials to copy the information from the screen that you see, or only access the data through an interface provided (possibly badly) by the bank. It has nothing to do with the possible motives of the service provider in using the data - and they have to behave lawfully anyway.

The fact that the EBF has resorted to fake news and moral panic tells me that any real 'arguments' against screen-scraping are very weak indeed...

Tuesday, 16 May 2017

New Money Laundering Guidance

The complexity of the anti-money laundering regime has meant that practical guidance on how to comply has been particularly necessary. The best guidance has come from the Joint Money Laundering Steering Group of various organisations (JMLSG) in three parts. 

New EU directives on money laundering has led to consultation on how these should be implemented in new draft UK regulations that are due to take effect from 26 June 2017. 

And the JMLSG has used the draft regulations as the basis for consultations on updating Part I of its guidance (the mark-up is in 4 separate documents, Chapter 5 of which shows changes to the guidance on electronic identity verification), and more recently on Parts II and III. The consultation versions show the proposed changes to the current guidance, and are an invaluable tool for understanding how a firm's existing approach should change once the new regulations take effect.

Saturday, 22 April 2017

Durable Medium, According To The FCA

The Financial Conduct Authority has published new guidance (in the form of a web page), on what forms of media will enable firms to satisfy their obligations to provide information or make it available in a 'durable medium' as an alternative to paper... 

Friday, 21 April 2017

#PSD2: The FCA Clarifies The "Business Test"

In deciding whether or not a firm's activities are caught by the new Payment Services Directive (PSD2) as implemented in the UK by new Payment Services Regulations, one needs to first consider whether the activities are conducted by way of business. This is a question of fact and degree that can be difficult to answer. In the consultation on its approach to supervising the new regulations, the Financial Conduct Authority has helpfully done a lot more than it has in other areas to clarify when it considers that a payment activity will constitute 'a regular occupation or business' in itself, as opposed to being merely part of another type of business.

FCA's current guidance on the Payment Services Regulations 2009 states (at PERG 15.2, Q.9):
“…Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations merely through operating their client accounts in connection with their main professional activities.”
The FCA has revised Question 9 as part of its proposed draft changes to the Perimeter Guidance to read as follows:
"Q9. If we provide payment services to our clients, will we always require authorisation or registration under the regulations?
Not necessarily; you will only be providing payment services, for the purpose of the regulations, when you carry on one or more of the activities in PERG 15 Annex 2:
  • as a regular occupation or business activity; and
  • these are not excluded or exempt activities.
Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations (see definition of "payment services" in regulation 2(1)). In our view this means that the services must be provided as a regular occupation or business activity in their own right and not merely as ancillary to another business activity. Accordingly, we would not generally expect the following to be providing payment services as a regular occupation or business activity:
  • solicitors or broker dealers, merely through operating their client accounts in connection with their main professional activities;
  • letting agents, handling tenants’ deposits or rent payments in connection with the letting of a property by them;
  • debt management companies, receiving funds from and making repayments for a customer as part of a debt management plan being administered for that customer; and
  • operators of loan or investment based crowd funding platforms transferring funds between participants as part of that activity.
The fact that a service is provided as part of a package with other services does not, however, necessarily make it ancillary to those services – the question is whether that service is, on the facts, itself carried on as a regular occupation or business activity."
Simlarly, in Question 38, the FCA proposes to state:
"Q38. We are an investment firm providing investment services to our clients - are payment transactions relating to these services caught by the regulations?
Generally, no. Where payment transactions only arise in connection with your the main activity of providing investment services, in our view it is unlikely that you will be providing payment services by way of business. In those limited cases where you are, the PSRs 2017 do not apply to securities assets servicing, including dividends, income or other distributions and redemption or sale (see PERG 15 Annex 3, paragraph (i))."
In relation to e-commerce marketplaces, the FCA proposes to add the following question to its Perimeter Guidance:
"Q33A. We are an e-commerce platform that collects payments from buyers of goods and services and then remits the funds to the merchants who sell goods and services through us – do the regulations apply to us?
The platform should consider whether they fall within the exclusion at PERG 15 Annex 3, paragraph (b). The PSRs 2017 do not apply to payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Recital 11 of PSD2 makes clear that some e-commerce platforms are intended to be within the scope of regulation. An example of where a platform will be acting for both the payer and the payee would be where the platform allows a payer to transfer funds into an account that it controls or manages, but this does not constitute settlement of the payer’s debt to the payee, and then the platform transfers corresponding amounts to the payee, pursuant to an agreement with the payee.
The platform should also consider whether they are offering payment services as a regular occupation or business activity (see Q9). Depending on your business model, the payment service may be ancillary to another business activity, or may be a business activity in its own right. Where the payment service is carried on as a regular occupation or business activity, and none of the exclusions apply, the platform will need to be authorised or registered."
The FCA also proposes to add Question 34A relating to "online fundraising platforms":
"Q34A. We are an online fundraising platform which collects donations in the form of electronic payments and transmits funds electronically to the causes and charities that have an agreement with us - do any of the exclusions apply to us?
Persons collecting cash on behalf of a charity and then transferring the cash to the charity electronically do not fall within the exclusion in PERG 15 Annex 3, paragraph (d), unless they themselves are carrying this out non-professionally and as part of a not-for-profit or charitable activity. For example, a group of volunteers that organises regular fundraising events to collect money for charities would fall within this exclusion. On the other hand, an online fundraising platform that derives an income stream from charging charities a percentage of the money raised for them is unlikely to fall within this exclusion.
Nor will an online fundraising platform accepting donations and then transmitting them to the intended recipient be able to take advantage of the exclusion in paragraph (b), as they are not a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Online fundraising platforms should also consider the guidance in Q33A."
There may be some confusion over whether a platform is an "online fundraising platform" covered by Questions 33A and 34A, as opposed to a 'donation/reward based crowdfunding platform' which I would suggest should be treated consistently with loan/investment based crowdfunding platforms under Question 9 above.