So, are we regulating Buy Now Pay Later yet? Have any big tech providers been designated as "critical third parties" to the financial services industry? What has happened to the failure to prevent fraud offence?

There's never a dull year in financial regulation, and 2024 has proved no exception. In this article, originally written for Compliance Monitor, we take a quick look at whether some things that we expected to happen have happened, and what developments have taken us by surprise. And after that, what we have to look forward to in 2025.

What happened with….

BNPL regulation

Back in February 2021, the Government said it intended to legislate "as soon as time allows" to bring lenders who provide short-term, interest free "buy now pay later" finance within the scope of regulation. Finally, in October this year, the new Government confirmed the proposals.

The upshot of the proposals is that the current exemptions in Article 60F(2) of the FSMA (Regulated Activities) Order 2001 (RAO) that have taken fixed sum credit for borrower-lender-supplier agreements repayable within 12 months and in 12 or fewer payments will no longer apply where the lender is a third party. Agreements under which credit is provided directly by the merchant (and a few other specific arrangements) will remain exempt, as will arrangements for spreading the cost of insurance premiums.

The legislation will create a new category of regulated credit called a “Regulated Deferred Credit Agreement” (DPC) and agreements that meet this definition will fall outside the Article 60F(2) RAO exemption. Anyone carrying out any of three newly regulated activities in relation to regulated DPCs will need authorisation from the Financial Conduct Authority (FCA) to continue to do them, and, where agreements are regulated, the FCA will have power to make appropriate and bespoke rules.

A consultation on the planned wording for the RAO amendments closes on 29 November and the government says it wants to act quickly. However, once the legislation has been finalised, the FCA will need to spring into action to make its rules – and it won't consult on its regime soon after the legislation is finalised. It expects to take on regulation of the sector 12 months after the legislation is made and will give firms time to prepare for the new requirements. It plans to put in place a temporary permissions regime to allow firms already in business to continue with it while their application is assessed.

Consumer Credit Act reform

This brings us nicely onto CCA reform – something else long awaited. As a quick recap, the new Government has not yet taken any action apart from to recognise that it needs to take action.

The outgoing Government had consulted on the broad principles of what needs change, and the broad structure of regulation going forwards, and at the time, it said it expected to consult further in 2024. Obviously the election disrupted this, but the main political parties were in broad agreement over the need for change, and the new Government has acknowledged that is needs to act.

So hopefully the work done to date is not lost, and we will see further action towards the much-needed reform in 2025.

Critical third parties

Something else that promised much, but has so far delivered nothing in practice, are the plans to put in place some form of regulatory control of unregulated third parties who provide key services to the regulated sector and whose failure could be catastrophic to the sector – the so called "critical third parties" (CTPs). The Financial Services and Markets Act 2023 (FSMA 2023) put in place the legislative framework for the Bank of England, Prudential Regulation Authority (PRA) and FCA to consult on how they would work together to oversee the resilience of these providers.

Now, towards the end of 2024, we have the regulatory framework in place – the ability to designate CTPs and the ability to seek information from them, and the ability for the regulators to take enforcement action against them.

So the framework is all in place, and we await the first designation. We know it's not intended that there will be huge numbers of designated CTPs, and those that are designated won't particularly welcome the regulatory intrusion.

APP scam protection

The expected changes to tighten up consumer protection against authorised push payment (APP) scams came into force in October – a little later than expected, but expanded to take account of payments made through both Faster Payments and CHAPS. In brief, as the changes are now well known, all relevant payment service providers, whether receiving or sending, owe duties to their customer to ensure they are reimbursed within 5 business days of notifying that they have fallen victim to a scam, up to a limit of (now) £85,000. There are few exceptions to the requirement with the main one being if the consumer has been grossly negligent, but there has been additional guidance to help consumers understand what the scope of the requirement actually is and when it does not apply.

To help providers, new laws and guidance allow them to delay making payments in certain circumstances.

Failure to prevent fraud

A late entrant into the "what has happened in 2024" category is the announcement in early November that the failure to prevent fraud corporate offence, introduced in the Economic Crime and Corporate Transparency Act 2023 and applying to large companies, will take effect on 1 September 2025.

There had been speculation that perhaps the new government would seek to expand its scope, since many politicians from all parties had called repeatedly for it to apply to all or at least all but the smallest companies. However, at least for now, the offence comes into force as drafted, and the Home Office has published guidance for organisations.

The Edinburgh reforms

It's also worth just remembering a few other things the 2022 "Edinburgh Reforms" proposed and taking a quick stocktake on where we are. The 30-odd reforms (some of which were criticised for not actually being reforms at all), centred on a number of themes.

2024 saw quite a lot of progress, especially on the replacement of retained EU laws – now called "assimilated law". Notable changes include:

  • Finalisation of the beast that is creating Solvency UK out of Solvency II for insurers
  • The gradual repeal of various parts of the Capital Requirements Regulation as it became properly embedded in regulatory rulebooks instead of in legislation
  • The imminent demise of the "PRIIP" (Packaged Retail and Insurance Based Investment Product in favour of a new UK concept of a "consumer composite investment", with the FCA using its powers to designate activities relating to the product that will fall under its rules
  • Moving away from the requirement to "unbundle" the costs of investment research and execution.

What was unexpected?

"Name and shame" enforcement proposals

No-one was ready for the radical proposals that came out of the FCA in February 2024 on a new approach to enforcement investigations, which it said would improve "pace and transparency". The main, and most controversial, proposal was that the FCA could publicly announce its opening of an enforcement investigation, and that, if the FCA considered it in the public interest to do so, the announcement could include the identity of the firm it planned to investigate and a summary of what it would investigate.

Unsurprisingly, the industry was up in arms at the proposals, and a series of parliamentary committees took action to grill the FCA and, ultimately, to request that no further decisions be made before the relevant Committees had fully considered the evidence they were seeking on the proposals.

The work of these Committees halted with the election but a new Committee is carrying on the work of the old and recently interviewed key FCA figures about the proposals and its intentions. Meanwhile the FCA indicated that it intends still to go ahead with its plans – while expressing a slightly conciliatory tone in confirming it did not intend suddenly to start naming every firm under investigation. It suggested it planned to publish some worked examples later in 2024 of how the new regime would work in practice, and a policy decision in early 2025.

What's promised for next year?

D&I

One thing we will certainly see more of in 2025 is regulatory oversight of how firms detail with diversity and inclusion (the regulators in the main refer to D&I rather than DEI), within their business. The PRA and FCA consulted back in late 2023 on the introduction of a range of requirements including on:

  • Development of D&I strategies within firms
  • Data collection, reporting and disclosure
  • Setting targets to reduce under-representation.

A key part of the FCA proposals was also a set of rules on non-financial misconduct, proposing that firms be required to take decisive and appropriate action against employees in relation to behaviour such as bullying and harassment. The expectations will be hardwired into its high level expectations of fitness and propriety on the part of both individuals and firms.

We now expect to see the final rules on non-financial misconduct imminently, with policy statements on the main proposals in 2025.

The rest of the Edinburgh reforms?

What has happened to some of the other initiatives showcased in the Edinburgh reforms speech? Picking out a couple of items that have not progressed, or have been slow in progress:

  • A review of the Senior Managers and Certification Regime (SMCR): this announcement surprised many at the time, but the regulators duly sought views on whether the regime was working well back in 2023. After a long silence, the Chancellor suggested in the November Mansion House Speech that a consultation is imminent on the possible removal of the Certification regime within the SMCR.
  • The development of a CBDC or "Britcoin": the Bank of England consulted on the need for a digital pound and explored design choices for any product if introduced back in 2023. We still await a formal decision on this, but the Government is keen to develop.

What else?

The other key developments for 2025 highlighted in the most recent Regulatory Initiatives Grid do not necessarily promise reforms, as most are focused on regulatory reviews which may or may not lead to change – particularly in the insurance markets, with the results of the current reviews of the pure protection markets and regulation of commercial and bespoke insurance due. The regulators also propose to conduct reviews of the treatment of vulnerable customers and to consult on firm-led redress exercises.

What can we conclude?

Despite the interruption of the election and change of government, 2024 has been a busy year, and we have seen many of the initiatives that paused over the summer be reinvigorated with little or no change in policy stance. There is already a clear picture of changes to come next year, with the focus of reforms moving from prudential and wholesale regulation to conduct and consumer based initiatives.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.

FIN.