2023 has been a year of real change for the UK financial services sector. The Financial Services and Markets Act 2023 ushered in a new era for UK financial regulation, enhancing regulators' objectives and powers, and providing the framework for the repeal and necessary replacement of all laws and regulatory requirements stemming from EU measures. The Financial Conduct Authority's (FCA) new Consumer Duty came into force in the summer, setting higher expectations for the standard of care that regulated firms provide to consumers. In October, the Government announced tougher rules to stamp out debanking, enabling regulators to take action if any bank undermines or fails to protect its customers' rights. And all of this against the backdrop of economic uncertainty and firms, consumers and the regulators trying to navigate the continuing cost of living crisis.
As the days get shorter and another year draws to a close, it's time to look ahead to what might be in store for the next 12 months. In this article, Lucy Hadrill and Emma Radmore of Womble Bond Dickinson explore the regulatory hot topics to keep an eye on in 2024.
Widening the regulatory perimeter
Crypto regulation
With pressure mounting on the UK to embrace crypto innovation, 2023 saw the Government take its first steps towards regulating the industry. The challenge for the Government was to balance its strategy to make the UK a global cryptoasset hub with the need to ensure adequate consumer protections. The passing of the Financial Services and Markets Act 2023 (the 2023 Act) enabled the regulation of cryptoassets to support their safe adoption in the UK. The Act introduced into the Financial Services and Markets Act 2000 (FSMA) a definition of cryptoasset:
"cryptoasset" means any cryptographically secured digital representation of value or contractual rights that –
(a) can be transferred, stored or traded electronically, and
(b) that uses technology supporting the recording or storage of data (which may include distributed ledger technology)
As well as the new definition, the 2023 Act introduced provisions which will be used to create the new cryptoasset regulatory structures and to amend the existing regulated activities and financial promotions regimes to accommodate the regulation of cryptoassets. In fact, the FSMA (Financial Promotion) Order 2005 (FPO) was extended with effect from 8 October 2023 to bring cryptoassets within scope of the UK's rules on financial promotions. This means there are now 4 routes to lawfully communicate crypto promotions to UK consumers:
- the promotion is communicated by an FCA-authorised person
- the promotion is made by an unauthorised person but approved by an FCA-authorised person (assuming the latter has successfully passed through the financial promotions gateway once that becomes operational in February 2024)
- the promotion is communicated by a cryptoasset business registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 but only where it relates to that firm's own business; or
- the promotion otherwise falls within an exemption in the FPO.
In conjunction with the widening of this regime, the FCA has updated its rules and guidance to enhance consumer protection by ensuring that the marketing of crypto products is clearer and more accurate. These rules include a ban on incentives like 'refer a friend' bonuses, and apply equally to authorised firms whether communicating or approving promotions, and to registered businesses which would not otherwise be subject to FCA's financial promotion rules.
Hot on the heels of this progress, HM Treasury has confirmed its next steps in crypto regulation. Its work will be split into two stages. Phase 1 will focus on (i) the creation of FCA regulated activities under the FSMA (Regulated Activities) Order 2001 (RAO) for the issuance and custody of fiat-backed stablecoins which are issued in the UK and (ii) the regulation of payment services relating to fiat-backed stablecoins where used in a UK payment chain under the Payment Services Regulations 2017. We expect that Phase 1 will be the first item to hit the regulatory agenda in 2024, with the Treasury aiming to lay legislation as soon as possible and by early 2024.
Phase 2 legislation will follow later in 2024 and will include the creation of regulated activities under the RAO and also potentially under the "Designated Activities Regime" also introduced by the 2023 Act covering:
- issuance activities (admitting a cryptoasset to a crypto trading venue) or making a public offer of a cryptoasset
- exchange activities relating to crypto (operating a trading venue supporting exchange of cryptoassets for other cryptoassets, fiat currency or other assets)
- investment and risk management activities (dealing and arranging)
- lending, borrowing and leverage activities (operating a crypto lending platform)
- safeguarding, administrating and custody activities.
Separately, the FCA and the Bank of England (BoE) have requested feedback on their proposals for regulating stablecoins in the context of the regulators looking to harness the potential benefits stablecoins could provide to UK consumers and retailers, especially by making payments faster and cheaper. The deadline for responding to these discussion papers is 6 February 2024.
We also await the response to the BoE and the Treasury's joint consultation on the possibility of introducing a new retail central bank digital currency. When the regulators issued the paper, they indicated that there would be a decision "in the middle of the decade" on whether to proceed – and that if the decision was that the UK would proceed, we would probably see the digital currency nearer to 2030.
Buy-now pay-later (BNPL)
Not much has happened since the Treasury's consultation on BNPL closed in April. The ambition was to lay legislation during 2023 so we expect that this will come in early 2024. As a reminder, the consultation explained why the Treasury has taken certain policy decisions on what to include and what to leave outside the regulatory perimeter. For instance:
- the Government decided to remove the current exemption from regulation for agreements that are interest free and repayable in 12 or fewer instalments in 12 months or less in respect of agreements where the lender is a third party (ie is not also the provider of the goods whose purchase is being financed by a loan). True loans from the merchant of the goods can continue to use the exemption
- there will be new exemptions, such as to permit agreements that finance contracts of insurance where the insurer is not the lender, to allow social landlords to provide finance to their tenants for goods and services and to allow employee loan arrangements, even if the loan is from a third party arranged by the employer
- there will be no "small agreements" exemption, so BNPL products under £50 will be caught, but the "business use" exemption will apply.
It will be interesting to see what feedback the Treasury gets in response to its consultation and what the resultant final legislation looks like.
Despite the lack of movement on regulation, the FCA is continuing to take action in this area as use of BNPL products grows. It recently used its powers under the Consumer Rights Act 2015 against potentially unfair terms in unregulated BNPL contracts issued by PayPal and QVC, stating that it is important to ensure consumers have the right protections, especially given that frequent users of BNPL are more likely to be in financial difficulties.
Critical third parties
The final item to mention in this section is the new critical third parties (CTP) regime which was created under the 2023 Act. Over the past few years, third-party service providers have become a significant part of the financial services ecosystem. Whilst they offer clear benefits to firms, there is growing concern about the reliance, or overreliance, of firms on such service providers, and the risks this brings – cyber-attacks, IT systems outages etc. Although there are operational resilience and outsourcing frameworks in place to help mitigate these risks, the regulators and the Treasury have concluded that the existing frameworks alone are not sufficient to tackle the disruption that a third-party supplier providing key services to multiple firms could cause.
As a result, the 2023 Act established a new CTP regime which provides the regulators with powers to regulate certain CTP service providers directly, rather than relying on firms to mitigate risks through the existing frameworks and contractual arrangements. Although the regime will only apply to some service providers (those designated by the Treasury as being "critical", which is in practice expected to be very few providers), bringing non-financial services firms within the regulatory perimeter is a significant development for the industry. It will not absolve regulated firms from their obligations, but it is likely to help rather than hinder them in their operational risk management.
At the time of writing, there have been no updates on the CTP regime since the Treasury's designation powers came into force in August but. However, we expect the BoE, PRA and FCA to consult on their proposed requirements and expectations for CTPs in due course, including the potential to extend the regime to capture AI and machine learning as well as cloud services.
Reform of existing regimes
Another area of focus for next year is the reform of existing regimes. One particular item on this list is the Consumer Credit Act 1974 (CCA), which turns 50 in 2024. The Treasury published the outcome of its 2022 consultation in July which confirmed that stakeholders were supportive of the Government's plans to move forward with an ambitious overhaul of the outdated CCA. Given the early stage in policy development, the Government has not yet come to any firm conclusions on what the reforms will look like but will proceed with using five principles to underpin the proposals: proportionate, aligned, forward-looking, deliverable and simplified. We expect more detailed proposals and a second stage consultation to land in 2024.
We also anticipate updates on the Treasury, the PRA and the FCA's papers on the effectiveness of the Senior Managers and Certification Regime (SMCR). These consultations resulted from the announcement of the Edinburgh Reform package and sought views on whether the regime has delivered what it intended, and whether any improvements or changes are necessary. Although we still await the outcome of these consultations, there has been some other movement on the SMCR this year. The Act included provisions allowing the Government to introduce a senior managers and certification regime for central counterparties and central securities depositaries. It also gave the Treasury the power to apply the SMCR to credit ratings agencies and recognised investment exchanges.
The future of retail payments is also on the agenda. In July, the Government launched its independent Future of Payments Review (the Review), which aims to boost UK fintech competitiveness by making recommendations on the steps needed to deliver world leading retail payments in the UK. The Review asked for input on what the most important retail payment journeys are both today and in the next five years, and how these journeys in the UK currently compare to those within other leading countries. The Review is currently working its way through the feedback received and we await its recommendations. The outcome of the Review will feed into the Government's plans for the payments landscape post-Brexit, including the development of a future regulatory framework for the UK. The Government will no doubt want to keep pace with the EU's draft third Payment Services Directive (PSD3), published in June, which includes, amongst other things, proposals to improve open banking. As such, we expect to see further action on payments in 2024, both on the Review, but also on other payments initiatives, e.g. New Payments Architecture, open banking and anti-fraud measures.
Technology
Technology in financial services will no doubt continue to dominate regulatory news. Algorithms and artificial intelligence (AI) are already widespread across the banking, insurance and payments sectors, with such technology being used to enhance customer service, personalise insurance cover and detect suspicious payment transactions. But it's not just firms. The regulators themselves are also making use of emerging tech. In a recent speech, the FCA announced that it is using AI-based models to help tackle fraud and that its Advanced Analytics unit is making use of new tools to help protect consumers and markets. For instance, it has developed web-scraping and social media monitoring tools which can detect, review and triage potential scam websites.
There are clearly many benefits to using AI and other technology but some still have concerns and are calling for better parameters around usage and more transparency, for example on the data that is being fed into pricing algorithms. We therefore expect the regulators to become increasingly active in this area in 2024, particularly as the appetite for utilising AI grows amongst financial services firms.
In fact, the PRA and the FCA recently published a feedback statement following their discussion paper on AI and machine learning in the financial sector. As a reminder, the paper asked for views on the role supervisors should play in supporting the safe and responsible adoption of AI by financial services firms. The feedback statement noted that, whilst there is no need for a regulatory definition of AI (nor would it be helpful to have one), live regulatory guidance, which would be updated to evolve with technology, could be useful. Whether such guidance materialises in 2024 remains to be seen but we certainly anticipate the regulators to maintain a watching brief in this area.
Regulator priorities for 2024
Aside from the hot topics referred to above, where can we expect the FCA's focus to lie in 2024? Well, the FCA's 2023/24 Business Plan was ambitious once again and the regulator has already made significant progress in several key areas (including putting consumer needs first via the Consumer Duty). Whilst these efforts will no doubt continue into 2024, we anticipate a significant proportion of the FCA's focus to be on its commitment to reduce and prevent financial crime. Although this is not new to the regulatory agenda, we have certainly seen the FCA's activities in this area ramp up over the last few months, and we expect momentum to build next year.
A couple of recent examples of the FCA's work to prevent financial crime include the publication of its reviews of money mule prevention and firms' fraud controls and complaints handling, undertaken in line with the Government's fraud strategy. The first review focussed on payment service providers and electronic money institutions and the systems and controls they have in place to detect and prevent money mule activity. The FCA found that, as now seems to be standard, some firms are using innovative solutions (such as facial recognition, device profiling and geolocation) to tackle the issue of money mules, but others are not applying the same standards. Despite identifying examples of good practice, the FCA noted areas for improvement including reporting of mule activity, management information and data sharing and staff training. The review made it very clear that the FCA will bare its enforcement teeth should it identify firms failing to maintain adequate controls and thereby allowing their services and customers to be exploited by fraudsters.
The review on fraud controls and complaints handling also highlighted many areas for improvement, with the FCA expressing its disappointment with the way some firms support fraud victims. One of the FCA's main observations was that it wants to see more focus on firms delivering good consumer outcomes post-implementation of the Consumer Duty. The review also found that some firms made it hard for customers to report fraud quickly or easily, especially outside standard opening hours, and took too long to respond to customer complaints. It also found that responses, once they came, were sometimes unclear and even aggressive in tone. The FCA expects firms to do more to strengthen their systems against fraud and we expect that its monitoring in this area will increase in 2024.
Another recent example is the "Dear CEO" letter to wealth management and stockbroker firms which sets out the FCA's financial crime prevention expectations for the sector. The letter highlighted concerns that firms have been responsible for significant customer losses to scams and fraud, and have enabled money laundering. The FCA intends to send a more tailored survey to the sector in December, the results of which it will use to inform its more targeted, intrusive and assertive supervisory style.
We expect this desire to become a more assertive and proactive regulator to be a continued priority in 2024 and we have certainly seen changes in the FCA's behaviour and style of supervision over the past year. For instance, it has become more bullish in its approach to authorisations and is increasingly inclined to invite firms to withdraw their applications where it considers they are not "ready, willing and organised".
What happens next?
We have picked out in this article what we think are the key changes already in the pipeline for 2024. We already know of more and, in line with the FCA's increasingly ambitious plans and assertive attitude, we expect many more items again to hit the regulatory agenda in the coming months. With seemingly no reduction in pace, we anticipate another busy year to come!
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.