• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Open banking and the AISP agent - views on the FCA's proposed guidance

The FCA released a Consultation Paper (“CP”) in September 2018 (CP 18/25, available here) outlining its proposed Approach to the final Regulatory Technical Standards and EBA Guidelines under the revised Payment Services Directive (“PSD2”). In the CP, the FCA set out its proposed approach to a wide variety of matters under PSD2, including:

  • Assessment of requests for exemptions to the contingency mechanism; 
  • Fraud reporting requirements; 
  • Corporate payment exemptions; 
  • Application of strong customer authentication requirements and associated exemptions; 
  • Approach to the regulation and registration of agents of account information service providers; 
  • E-commerce platforms; and 
  • Closed loop gift cards.

The below addresses one of these topics, the FCA’s views on agency and account information service requirements.

Agency requirements for AISPs – the background

The CP sets out the FCA’s proposed approach to agents of account information service providers, or “AISPs” – these being one of the two types of “open banking” entities created by PSD2, which are permitted to pull transaction data out of a customer’s account (with the customer’s consent) in order to produce some form of “consolidated information” using it, and display that consolidated information in an online service. This concept was originally designed to regulate already existing services that allowed a user to pull data out of numerous bank accounts in order to display a consolidated view of their financial position as a whole, but the potential uses of the data are far broader.

As with other payment service providers, AISPs may appoint agents to carry out, on the principal’s behalf, account information services. The principal is responsible for registering the agent with the FCA and retains responsibility for regulatory compliance by the agent. The Payment Services Regulations 2017 (implementing PSD2 in the UK) require payment service users to be informed of the agency arrangement; that is, the payment service user must be made aware that they receive payment services through an agent and must also know who the principal is. However, the plethora of different ways that data can be used, and the lack of legislation or guidance on what “agency” means in a data context, has made it difficult for many businesses to know where they stand.

Proposed guidance

The FCA has proposed guidance to clarify how agency arrangements work in the case of AISPs. Essentially, the FCA has set out two guidelines: 

  1. if an AISP (Firm A) passes payment account data to another firm (Firm B), and Firm B uses that data to provide account information services (“AIS”) to its customers, Firm B must be authorised or registered with permission to provide AIS; and
  2. if Firm B is acting as Firm A’s agent it may present Firm A’s AIS service to users through its own platform, e.g., its website or application, … It must be clear to the customer who they are dealing with and that Firm B is acting as agent of Firm A, the principal. … Further, the agreement for the provision of AIS will be between the customer and Firm A, the principal.

The effect of the first guideline would be to increase the number of agents who would need to become registered in their own right for AIS – which may well come as a surprise to many who are planning to team up with an AISP that intends to provide data to them for use in their own service. As regards the second guideline, Firm B would have to be registered as an agent of Firm A but would not have to be registered as an AISP in its own right; however, Firm B would need to have its customers contract with its principal, which represents a departure from current market practice in payment services in which agents are free to contract with payment service users on behalf of their principals. 

There are a number of broader issues with the approach outlined in the proposed guidance. 

Regulated data vs any other data

The first is that in order to know whether you need to be an agent of an AISP, or even registered as an AISP in your own right, you need to know whether or not your activities fall within the meaning of “account information services”. However, the meaning of “consolidated information” – arguably the core concept in the definition of AIS – is so unclear that in many circumstances it may be impossible for some entities in a chain of data usage to know whether or not they sit within the regulatory boundary. 

For example, using the FCA’s scenario above, Firm A, as a registered AISP has access to the Open Banking APIs and can pull transaction data out of a payment service user’s payment account with one of the major banks. Firm A then passes that data (all with the customer’s consent) on to Firm B, who takes that data and combines it with location data to show where the transactions took place. This would almost certainly fit within the AIS definition of providing “consolidated information on one or more payment accounts”. Firm B then passes the data to a separate service, Firm C, which takes the enhanced transaction + location data, and uses that to produce analytics on how much the customer has spent in which country so that it can recommend foreign exchange services. Is this analytics data still “consolidated information on one or more payment accounts”, or not? Does Firm C have to be regulated as an AISP, or to register as an agent of Firm A, or Firm B, or do nothing at all? The crux of the issue is that data – unlike funds – has gradations of derivation, and can exist in two places at the same time: without further definition of “consolidated information”, it is very difficult if not impossible to know what level of manipulation of the original transaction data has to have happened before that data has left or should have left the regulated sphere. In other words, when does regulated transaction data become just the customer’s “data”?

Who has access to the account

Another issue revolves around the fact that the definition is defined by the purpose for which the data is used, rather than by who has access to the underlying accounts to retrieve the data – which is surely the chief risk point in the process. 

Take another example. A small business takes all of its physical receipts, and manually uploads them into a spreadsheet. An online service (let’s call it “XL-ent”) launches which allows the business to upload all its spreadsheets into a portal which then puts all the data together and provides a consolidated view back to the small business via a website. On a strict reading of the PSD2 definition of an AISP, and the refined definition in the Payment Service Regulations 2017, XL-ent would have to be regulated. This is because it fulfils all the criteria of providing consolidated information via an online service, and that consolidated information is “on one or more payment accounts” of another payment service provider (i.e. the small business’s bank). But from a big picture perspective it is bizarre that this should have to be regulated, given that XL-ent has never had direct access to the small business’s bank accounts, and is only using information that has been given to it directly by the small business itself. Take this one step further: if the customer were to ask XL-ent to provide that same data for Firm C to provide analytics, then would Firm C have to register as an AISP just for this one activity? Or as an agent of XL-ent?

Possible solutions

These examples may seem contrived, but they are not. As soon as the open banking structures were announced, fintechs and other innovators started coming up with structures to take advantage of the myriad of different ways that data can be transmitted and transmogrified. There is already a wide array of structures in place and anticipated, where data is accessed from the bank account – the original risk point that the regulation was trying to address – and then used by other services, or chains of services, to the benefit of customers. Surely the real risk point here is the access point to the data itself – the initial data pull out of the bank. As long as it is clear that the regulated AISP that initially pulls the data out is ultimately responsible for the proper usage of the data then the main risk is protected – and this can be controlled by contract with those using the data further down the chain, by obliging those further down the chain only to use the data as explicitly agreed with the customer. As with other data chains, such as exchange market data, the perimeter of that control should in any case stop where the “consolidated information” has been derived far enough that the underlying data can no longer reasonably be reverse engineered from it.

This is not an easy position for the FCA to resolve. As much as they have refined the PSD2 definition, to the benefit of the industry, the original PSD2 definition to which they are necessarily anchored is purposive (what are you doing with the data) rather than risk-based (do you have access to the source data, and are you using it as the customer requested). It is of course correct to ensure that services that are directly taking the data and acting in the same way as an AISP would, are doing so in line with regulation. However, it would be highly beneficial to the burgeoning and innovative open banking data industry to have guidance on the extent of derivation needed before “consolidated information” is no longer regulated. Even better, it would seem to make more sense for full regulation to be required only for those with direct access to the underlying accounts (the “keys to the kingdom”), and for that regulated entity to be responsible for making sure – via a string of contracts if necessary - that anyone further down the data chain who is using consolidated information that can be linked back to the underlying transaction data, is doing so only on the express wishes of the customer. Without parameters of this type being put in place, which the FCA is well placed to do via its perimeter guidance and further examples of what does and doesn’t count as AIS and/or agency, there is a real danger that the pace and scope of innovation could be significantly slowed without any real benefit to customers. 

Contact our experts for further advice

View profile for Chris HillChris Hill