As regulatory thinking evolves, firms must ensure that any current or planned use of AI complies with regulatory expectations.

By Fiona M. Maclean, Becky Critchley, Gabriel Lakeman, Gary Whitehead, and Charlotte Collins

As financial services firms digest FS2/23, the joint Feedback Statement on Artificial Intelligence and Machine Learning issued by the FCA, Bank of England, and PRA (the regulators), and the UK government hosts the AI Safety Summit, we take stock of the government and the regulators’ thinking on AI to date, discuss what compliance considerations firms should be taking into account now, and look at what is coming next.

The FCA recently highlighted that we are reaching a tipping point whereby the UK government and sectoral regulators need to decide how to regulate and oversee the use of AI. Financial services firms will need to track developments closely to understand the impact they may have. However, the regulators have already set out how numerous areas of existing regulation are relevant to firms’ use of AI, so firms also need to ensure that any current use of AI is compliant with the existing regulatory framework.

A new publication from the UK’s financial regulator signals to firms that they should take steps to manage risks in the use of AI.

By Stuart Davis, Fiona M. Maclean, Gabriel Lakeman, and Imaan Nazir

The UK’s Financial Conduct Authority (FCA) has published its latest board minutes highlighting its increasing focus on artificial intelligence (AI), in which it “raised the question of how one could ‘foresee harm’ (under the new Consumer Duty), and also give customers appropriate disclosure, in the context of the operation of AI”. This publication indicates that AI continues to be a key area of attention within the FCA. It also demonstrates that the FCA believes its existing powers and rules already impose substantive requirements on regulated firms considering deploying AI in their services.

A consultation that will remain open until 11 April 2023 offers further clarity on the proposals to regulate buy-now-pay-later products.

By Rob Moulton, Becky Critchley, Ella McGinn, and Dianne Bell

On 14 February 2023, HM Treasury published its consultation and accompanying draft legislation on the regulation of buy-now-pay-later (BNPL) lending. The consultation follows the proposals in HM Treasury’s prior publications released in October 2021 and June 2022, since the government announced its intention to bring currently unregulated

FCA finalises guidance on cryptoassets and consults on product intervention measures.

By Stuart Davis and Charlotte Collins

FCA guidance on the regulation of cryptoassets

As previously reported in this blog, the FCA consulted on guidance on cryptoassets in January 2019. This guidance is designed to help market participants understand how to classify different types of cryptoassets, within the existing regulatory framework. Although the guidance is not able to give definitive answers, and every cryptoasset must be assessed against the guidance based on its own particular features, this publication helps to create a much greater degree of clarity as to how the assessment ought to be performed, and which features are determinative for these purposes.

The FCA published its final guidance in PS19/22 on 31 July 2019. The guidance is substantially the same as that consulted on, save that the FCA has sought to reframe its taxonomy of cryptoassets to help market participants better understand which types of token are regulated. The FCA has included a new category of regulated tokens that constitute e-money, “e-money tokens”, rather than including e-money tokens within the utility tokens category. This provides a clearer distinction between regulated security tokens and e-money tokens on the one hand, and unregulated tokens (utility tokens and exchange tokens that do not fall within the above categories) on the other. However, the final guidance as to whether a token will constitute an e-money token has not changed from the draft version. The FCA has also provided further guidance on so-called “stablecoins”, and on when particular types of token might constitute e-money or securities. The FCA confirms that this determination will depend on the design and rights associated with a specific stablecoin and, therefore, requires a case-by-case assessment.

By Andrew C. Moyle, Grace Erskine, and Charlotte Collins

As leading global financial and FinTech centres, the UK and Singapore will benefit from strengthening their cybersecurity alliance.

On 13 June 2019, the Bank of England, the Financial Conduct Authority, and the Monetary Authority of Singapore announced that they will be working together to strengthen cybersecurity in their countries’ financial sectors.

The regulators have characterised the aims of this new collaboration as “identifying effective ways to share information and exploring potential for staff exchanges”.

All three regulators have identified cybercrime as an increasing global problem. Speaking about the new initiative, Mark Carney, Governor of the Bank of England, said, “The average cost of cybercrime for financial services companies globally has increased by more than 40% over the past three years. Cyber risk is not constrained by geographic boundaries, making international cooperation essential to address this growing threat”.

Report highlights key strengths and regulatory innovations to inform stakeholders for trade and investment.

By Laura Holden and Nootan Vegad

The Department for International Trade, with the support of Innovate Finance, has published a report titled the “FinTech State of the Nation”. Providing an overview of the UK’s FinTech industry and highlighting the UK’s appeal as a FinTech destination for entrepreneurs and investors, the report seeks to demonstrate how the UK’s FinTech sector has emerged as a global leader and why this will continue in the future.

The report describes the actions that the government, regulators, and industry have taken to stimulate and sustain growth of the UK’s FinTech sector. The report includes an overview of technology demand, a regional analysis of FinTech, details of the investment environment, views from the FCA, a summary of the talent, skills, and diversity in the industry and the “Essential Eight” technology trends — which includes block chain, drones, and artificial intelligence to name a few.

As several PSD2 deadlines approach, PSPs must comply with reporting and notification requirements, as well as with their GDPR obligations.

By Christian F. McDermott, Fiona M. Maclean, and Jagveen Tyndall

Though the majority of the provisions relating to the revised EU Payment Services Directive (PSD2) came into force in the UK on 13 January 2018, the regulatory technical standards (RTS) and strong customer authentication measures (SCA) will come into force on 14 September 2019. The FCA has issued a helpful reminder setting out some important deadlines that payment service providers (PSPs) must meet to be compliant.

Application Programme Interfaces

PSD2 allows third party providers (TPPs) to build payment service infrastructures upon the existing platforms of financial institutions; such institutions must provide TPPs with access to client account information via open application programme interfaces (APIs). Financial institutions seeking to enable such access can do so by either constructing dedicated interfaces built on these APIs or through adjusting existing customer interfaces. In both instances, such interfaces and their accompanying customer authentication measures must be in place by 14 September 2019.

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.

By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford

On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.