Initial Coin Offerings - give me back my money?

Kemp Little has advised in respect of several Initial Coin Offerings (“ICOs”) in particular in relation to the existing UK financial regulatory framework and how it may indirectly apply, the tax treatment of ICO contributions, and the legal terms that govern ICOs.

We have recently examined a sample of ICO terms available on the internet. Comparing those terms side by side showed that there are currently very few trends in terms of what is considered ‘market standard’.

One complex area that is being treated differently by issuers is whether contributors are entitled to a refund of their contributions. This is an interesting issue because it demonstrates the tension between, on the one hand, the practical characteristics of blockchain technology, which provides an immutable record of transactions that cannot (hard forks aside) be reversed, and, on the other, a consumer’s right to cancel a distance contract in accordance with Regulation 29 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013[i].

Immutability means that deleting a transaction is not possible. Further, because units of a cryptocurrency are interchangeable, contribution funds are usually commingled with other funds as soon as they are received. This means the exact cryptocurrency units sent by a contributor cannot be returned; only an equivalent amount of cryptocurrency can be (which may or may not have the same fiat value at the time of the return).

It is clear from our research that:

  1. some ICO issuers are likely to have been in breach of EU law by failing to offer their contributors a right to cancel and/or a refund; and

  2. some ICO issuers have gone above the requirements of EU law by offering a broader right to refund than required.

In the context of the immutability and commingling mentioned above, this second observation raises interesting questions as to whether such issuers could actually honour the refund right they guaranteed, and whether tokens distributed as part of an ICO are even capable in practice of being refunded.

A possible route through this may be found in Regulation 36 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013[ii]. Depending on the technical set-up and timing of alt-coin distributions under the ICO, it may be possible (both legally and practically) to refund contributions provided the related distribution has not yet been made. If the issuer has already made the distribution, then it is possible that the services have been ‘fully performed’ and therefore, provided the terms have been drafted appropriately, the contributor’s right to a refund may fall away.

This is far from a clear-cut area and is developing rapidly: the exact rights that the contributor receives under the ICO terms and conditions will turn on the drafting and the technical set-up of the ICO. Issuers should be wary, however, that structuring their ICO in certain ways (particularly in relation to the timing of when the contract is entered into and when the distribution is made) could inadvertently lead to the tokens being considered a financial contract (e.g. a future) that may be subject to additional financial regulation.


What businesses have learnt from 2017's most hard hitting breaches

2017 has seen some high-profile data breaches hitting the headlines, from Equifax to Pizza Hut. Regardless of how commonplace reports of major data breaches now are, there are still lessons to be learned from how the organisations affected have handled these breaches. Emma Wright, Partner at Kemp Little LLP, suggests here five important lessons that are to be learnt from the data breaches of 2017.

As many predicted at the start of the year, a news item announcing a data breach is now a regular occurrence, and is only set to become more common once the breach reporting obligations in the General Data Protection Regulation (‘GDPR’) take effect in May 2018. In fact, with the Network and Information Security (‘NIS’) Directive taking effect on 9 May 2018, it will not only be personal data breaches but also attacks on the networks carrying the data that will be notifiable for certain key industry sectors. Will the cyber security breach headline become ever more common, and is there a possibility that these breaches will become ‘normal’ and so commonplace that the general public becomes desensitised to these types of attack?

With this in mind, I have tried to summarise the top five lessons to be learnt from the data breaches of 2017 (the analysis is based on publicly available information), and to ask whether we are heading into an era in which cyber security, or the lack of it, may no longer damage a brand.

Do not try and hide the breach

Whether data breaches become a regular occurrence or not, the way Uber handled its data breach demonstrates that, if handled incorrectly, a breach can signal to both the public and regulators that there is a wider lack of ethics and compliance at the core of the company. Indicators of that kind damage a brand. This type of behaviour is not only likely to lead to increased regulatory scrutiny of the breach itself but also signals to other regulators that there is a more fundamental problem. The size of the Uber data breach is significant, but the headlines would have been different had it not tried to hide the breach and pay the criminals, and we suspect the treatment it receives from regulators will be less sympathetic than if it had not done so.

The accountability and transparency requirements that companies will be expected to demonstrate in a post- GDPR era appear hard to reconcile with hiding the loss of millions of customers’ personal data and paying criminals.

A data breach response plan that demonstrates: i) the breach is being treated seriously, ii) every attempt is being taken to quantify the risk, and iii) genuine and effective steps are being taken to protect the individuals, is essential and should be followed.

There are unfortunately plenty of examples of companies that have appeared totally unprepared for a cyber attack. This should arguably improve once mandatory data breach notification takes effect with the GDPR, although the example of TalkTalk, which at the time of its data breach was already subject to such a notification obligation, might indicate the contrary. There is one notable difference, however: with the advent of the GDPR, the fines that can apply even for failing to notify the ICO of a data breach or an attack on the network have stepped up significantly from the ‘parking ticket’ level of fines previously imposed on the telco sector under the Privacy and Electronic Communications Regulations.

Notify all relevant regulators and the time lag to then notify affected customers should be minimal

When the Equifax data breach was reported, the ICO resorted to publicly stating that Equifax should be informing affected customers before Equifax itself got around to doing so. Equifax’s handling of the breach has been much criticised, with the UK Financial Conduct Authority only finding out about the breach through the media. Although the Pizza Hut breach was spotted fairly quickly, this did not mean that customers were informed equally promptly, or before their account information had reportedly been used fraudulently for a prolonged period. Any breach response plan must include the relevant regulatory reporting requirements because, setting aside the fines for failing to notify, this kind of behaviour can (understandably) be taken as an indication that there was no adequate breach response plan in place.

The GDPR will require breach notifications to the ICO within 72 hours for most data breaches with a notification to customers ‘where there is a high risk to the rights and freedoms of data subjects’ without undue delay. There will no doubt need to be careful consideration of whether notification to customers is triggered; however recent breach examples indicate that trust and confidence in the company experiencing the breach quickly evaporates if customers believe they should be informed that there has been a breach and it is not forthcoming.

When conducting an internal review of a breach or attack, considering the messaging to customers is as important as reporting to the ICO, and explaining what has happened in simple terms, with the steps customers should take to protect themselves, should be a priority.

A cyber breach response plan should include collaboration, knowledge sharing and implementing recommended standards or schemes

The WannaCry attack sent a very clear warning that globalisation means a cyber security attack will also be global in its reach and impact: WannaCry hit around 200,000 computers in 150 countries and left a path of devastation. However, just as with highly organised physical criminal activity, it also demonstrated that collaboration and sharing information about heightened threats will help mitigate the effects of such an attack. At a local level, prompt patching (WannaCry spread through a Windows SMB vulnerability for which Microsoft had issued a fix two months earlier), understanding your network architecture and isolating back-up servers from the production network should all reduce the impact of an attack. The data maps produced for GDPR compliance should be maintained and kept with the data breach response plan.

The WannaCry worm spread to almost 100 countries on its first day, but through reporting of the risk and security teams working collaboratively the spread was halted: a researcher registered the ‘kill-switch’ domain that the malware checked before encrypting, which stopped new infections, and many in the US were able to patch their systems before being hit. The UK National Cyber Security Centre encourages the reporting of cyber risks to it, and companies can join CiSP, the Cyber Security Information Sharing Partnership set up to encourage collaboration between Government and industry. Although aimed more at SMEs, the Cyber Essentials UK Government accreditation, which acts as an annual ‘cyber security MOT’, theoretically allows a company to focus on the more complicated cyber risks. Through its accreditation it aims to ensure that companies have basic cyber security hygiene in place so they can focus on eliminating and responding to the larger and more complex cyber security risks.

The IoT changes the risk profile

The prediction that the Internet of Things (‘IoT’) significantly increases the cyber risk profile is correct. The Mirai botnet attack of October 2016 was the largest attack of its kind to date, although, to be fair, the possibility of such attacks has only been there for years rather than decades. The attack targeted the servers of Dyn, a company that provides domain name system infrastructure for much of the internet (and under the NIS Directive it is likely that an incident of this kind would have to be notified to government authorities). The difference with this botnet was that instead of using computers it was largely made up of consumer IoT devices, such as IP cameras, digital video recorders and home routers, that Mirai had taken over by logging in with their factory-default usernames and passwords. The effect of the attack was that it took down many high-profile websites including The Guardian, Netflix, CNN and many others.

Setting aside that this attack is yet another indication that IoT devices are being flooded onto the market with insufficient cyber or privacy safeguards, it also highlights that the number of machines that can be used as a weapon, and that may ultimately become casualties in a ‘cyber war’, has increased exponentially. This will be of particular concern to the operators of essential services under the NIS Directive, many of which rely on machine-to-machine (‘M2M’) assets, as such assets are unlikely to have sufficient computing capacity to deploy adequate cyber security protection.

If you limit access to data internally then it will be easier to identify and notify where the breach has occurred

Not all employees need access to all of the company’s data. Restricted access should be introduced, applied systematically and reviewed regularly. This is good information security practice, and it removes some of the potential causes of a breach so that a breach response team can focus on a more limited set of scenarios. With the recent Morrisons case, where the supermarket was found by the High Court to be vicariously liable for the actions of a rogue employee who disclosed personal data, there is an even greater imperative to provide access to company systems on a strictly need-to-know basis.

The Morrisons lawsuit was brought by 5,500 current and former Morrisons workers who were seeking compensation over the 2014 data security breach in which payroll information of almost 100,000 staff had been posted on the internet and sent to newspapers by a disgruntled employee. The data included names, addresses, NI numbers, bank account details and salaries. It was argued by the claimants’ lawyers that the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.

In the case of Bupa, the circumstances were similar: more than 500,000 Bupa customers’ data were released after an employee ‘copied and removed’ their information from the health insurer’s systems. Unauthorised access to, or copying of, personal data constitutes a personal data breach under the GDPR regardless of whether the data is then publicly released.

Bupa was able to advise customers relatively promptly and efficiently exactly what data had been taken, which customers were affected and what the cause of the breach was, with a video placed on its website for customers to watch and advice given as to what steps to take. Information like this will no doubt reassure customers that a company is proactively managing the impact of a data breach.


A point to note is that the focus to date on cyber attacks has been on personal data breaches, essentially minimising the risk of consumer harm and protecting those whose data has been lost. As WannaCry demonstrated, attacks do not always focus on acquiring personal data; cyber attacks can also make people feel extremely vulnerable through the loss of essential services or facilities such as hospitals. The emphasis will change with the implementation of the NIS Directive, under which the providers of essential services in various key industries will be required to adopt high standards of cyber security, with reporting requirements where there is an attack on their systems or networks. Unfortunately, many operators of essential services have old assets and infrastructure, and implementing high standards of cyber security, together with measures that allow reporting obligations to be met in the event of an attack, is likely to be extremely difficult for them.

2017 has been a year of seemingly constant reports of yet another high-profile data breach. This is likely to increase after May 2018. It may be that 2018 will be the turning point for data breaches, and that there will be a clear difference between those companies that respond to a data breach in a measured and organised manner and those that at best display signs of struggling to cope or at worst appear to be withholding information and not giving the matter sufficient attention. The latter will be remembered by the public, and for the wrong reasons.

A well-thought through data breach response plan that considers the network architecture, data flows and access rules alongside the customer base and the regulatory reporting requirements, and is able (even through a process of elimination) to identify the cause of the breach accurately and quickly, will reassure the affected company’s board, customer base and regulatory authorities that the breach is under control, and this should be a top priority for 2018.

This article was first published on Cecile Park Media

Scope of the Electronic Communications Exclusion

A recent change in financial services regulation, the second Payment Services Directive (PSD2), seems to have taken telcos by surprise, and, given that compliance should have been achieved by 13 January 2018, the applicability of PSD2 to a telco’s business (whether fixed or mobile) should be considered urgently. Telco activity that was previously comfortably outside the scope of regulation may now be regulated by the FCA: an electronic communications service and/or network provider will now be considered to be providing a ‘payment service’ where it provides a ‘voice based service’ that includes a revenue share arrangement with a third party, unless the telco falls within an exclusion.

Telcos must now either become authorised or comply with stringent requirements to qualify for an exclusion. These requirements include the following:

  • Spend cap limits on carrier billing amounts;
  • Notification to the FCA of reliance on the exclusion; and
  • Annual submission of an auditor’s report confirming compliance with the relevant regulation, in particular figures on the spend cap limits.

Kemp Little LLP has been working with telcos since the European legislation was in draft form. We have been helping telcos and others in the payments eco-system navigate the following questions:

Which services fall within the meaning of ‘voice based services’?

Telcos provide a wide variety of services under the heading ‘voice based services’, but will need to have a clear understanding of the services that fall within this rubric to ensure they fall outside the regulated sphere entirely or sit within the exclusion. ‘Voice based services’ are wider than ‘premium rate services’ regulated by the Phonepaid Services Authority and include directory enquiries and other non premium rate revenue share services that subscribers call using their voice service.

Which services fall within the definition of payment services?

Where telcos allow their customers to use carrier billing to pay for purchases or make calls with a revenue share element (eg third party directory enquiries), telcos may be providing payment services. Telcos will therefore need to understand which of the services they offer might fall within the new PSD2.

How do spend caps affect general telco obligations?

To stay within the exclusion and avoid the need to be regulated, telcos will have to comply with the spend caps, restricting the amount customers can charge to their bill, on both a per-transaction and monthly basis.

How to comply with spend caps?

Compliance with spend caps will require telcos to have in place the appropriate systems and controls, which may be challenging for telcos with older systems. However, compliance – and, critically, being able to provide evidence of compliance on an annual basis – is essential, as telcos cannot benefit from the exclusion otherwise.

What control mechanisms should be put in place to continue to fall within the FCA exclusion?

Telcos will need to ensure that carrier billing, and calls or SMSs with a third-party revenue share element, are strictly limited to the amount of the spend caps; their control mechanisms should be robust enough to track customer spending and to manage customer notification in the event that spend caps are triggered.
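As an added illustration (my own code, not the firm’s or any telco’s system), the following Python sketch shows the control logic the spend-cap questions above describe: a per-transaction cap and a calendar-month cumulative cap checked before a third-party charge is accepted, a customer notice the first time in a month the cap is reached, and an audit trail of every decision from which the annual auditor’s figures can be drawn. The cap values are assumptions (the PSD2 Article 3(l) figures as I recall them); the article does not state them, and the sample charges are constructed.

```python
"""Carrier-billing spend-cap enforcement for the PSD2 electronic communications exclusion.

Added illustrative code, not Kemp Little's or any telco's production system.
Cap values below are assumptions (PSD2 Article 3(l) as I recall it); the article
does not state them, so substitute the figures your regulator applies.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

PER_TRANSACTION_CAP = Decimal("50")   # assumed: maximum value of one charge to the bill
MONTHLY_CAP = Decimal("300")          # assumed: maximum cumulative value per calendar month

# Constructed sample timestamps used by the demo and the tests.
SAMPLE_JAN = datetime(2018, 1, 15, tzinfo=timezone.utc)
SAMPLE_FEB = datetime(2018, 2, 1, tzinfo=timezone.utc)


@dataclass
class Decision:
    allowed: bool
    reason: str              # "ok", "per_transaction_cap" or "monthly_cap"
    month_total: Decimal     # cumulative accepted spend for the month after this decision
    notify_customer: bool    # True the first time in a month the monthly cap is reached


@dataclass
class SubscriberLedger:
    msisdn: str
    accepted: list = field(default_factory=list)        # (timestamp, amount) of accepted charges
    audit: list = field(default_factory=list)           # every decision, accepted or declined
    notified_months: set = field(default_factory=set)   # months in which the cap notice was sent


def month_key(ts: datetime) -> str:
    # Caps are enforced per calendar month (assumption; a billing-cycle window would also do).
    return ts.strftime("%Y-%m")


def month_total(ledger: SubscriberLedger, ts: datetime) -> Decimal:
    key = month_key(ts)
    return sum((amt for t, amt in ledger.accepted if month_key(t) == key), Decimal("0"))


def authorise(ledger: SubscriberLedger, amount, ts: datetime) -> Decision:
    """Decide whether a third-party charge may be added to the subscriber's bill.

    Order matters: the charge is recorded only after both caps pass, so a declined
    charge never consumes headroom, and every decision is logged either way.
    """
    amount = Decimal(str(amount))
    key = month_key(ts)
    current = month_total(ledger, ts)

    if amount <= 0 or amount > PER_TRANSACTION_CAP:
        decision = Decision(False, "per_transaction_cap", current, False)
    elif current + amount > MONTHLY_CAP:
        # Declining keeps the telco inside the exclusion; tell the customer once per month.
        notify = key not in ledger.notified_months
        ledger.notified_months.add(key)
        decision = Decision(False, "monthly_cap", current, notify)
    else:
        ledger.accepted.append((ts, amount))
        new_total = current + amount
        # Landing exactly on the cap also counts as reaching it.
        notify = new_total == MONTHLY_CAP and key not in ledger.notified_months
        if notify:
            ledger.notified_months.add(key)
        decision = Decision(True, "ok", new_total, notify)

    ledger.audit.append((ts.isoformat(), str(amount), decision.allowed, decision.reason))
    return decision


def monthly_report(ledger: SubscriberLedger) -> dict:
    """Per-month accepted totals: the figures the annual auditor's report has to evidence."""
    totals: dict = {}
    for t, amt in ledger.accepted:
        totals[month_key(t)] = totals.get(month_key(t), Decimal("0")) + amt
    return totals


if __name__ == "__main__":
    # Constructed sample: one subscriber, a run of charges in January 2018.
    ledger = SubscriberLedger("447700900001")
    for amt in ("40", "60", "50", "50", "50", "50", "50", "20", "10", "1"):
        d = authorise(ledger, amt, SAMPLE_JAN)
        print(amt, d.allowed, d.reason, d.month_total, "notify" if d.notify_customer else "")
    print(monthly_report(ledger))
```

The check is deliberately fail-closed: a charge that would push the month over the cap is declined rather than trimmed, because a partially accepted charge would still leave the telco unable to show the auditor that no single month exceeded the limit.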

What can happen (and is most likely) in the event the spend caps are breached?

Where telcos breach the spend caps, this means they are providing a regulated payment service without appropriate authorisation. They will need to regularise their regulatory position to avoid the imposition of sanctions by the FCA.

When is an audit report needed and what should it cover to continue to rely on the

Telcos falling within the exclusion will need to make an official notification of their status to the FCA, as well as providing annual audit reports giving specific information about the services they provide with a ‘payment service’ element, essentially to demonstrate to the FCA that they do in fact comply with the requirements of the exclusion. Telcos must therefore have in place systems that give auditors the necessary access, as well as records of their compliance with the requirements for the auditors to review.

If you need further assistance or guidance considering these issues, or wider guidance on PSD2 or other opportunities brought about by this change in legislation, please do not hesitate to contact us.


Block party - an end to online consumer discrimination?

Executive summary

  • Following publication of proposals in 2016, the European Parliament, Council and Commission have reached political agreement to end so-called geo-blocking practices for online consumers of products and services within the EU
  • In high level terms, geo-blocking includes any measures to restrict or redirect online consumer access on the basis of nationality, residence and/or temporary location
  • The new rules seek to enhance consumer access and encourage pan-EU cross shopping through removal of barriers to access, and closer harmonisation of terms of use, across the Union
  • The European Commission intends to publish a draft Regulation in early 2018, with the finalised text to become directly applicable across the Union, nine months later
  • Developments in this area will be of key interest to all online retailers of goods and services, operating within the Single Market

In brief

If the EU is a true Single Market, the findings of a late 2016 European Commission (EC) study suggest the Union has some way to go in removing cross-border trade barriers, at least within the online space.

Geo-blocking, the practice of discriminating between consumers in respect of access and/or price based on a customer’s nationality, residence and/or temporary location, remains, by the EU’s own figures, a feature of some 63% of ecommerce sites[1]. Concerns abound across Member States that these types of access restrictions severely curtail necessary competition and stifle critical innovation in an EU Single Market eager to address an increasingly digital customer base.

In November 2017, the EC confirmed an agreement to ban unjustified geo-blocking, paving the way for draft regulation in this space. Despite 2018’s likely lively European legislative agenda, the EC has made clear its intention to have draft regulation together towards the start of the year, with finalised text becoming applicable nine months later.

Developments in this space are of key (and pressing) interest to all online retailers of goods and services, operating within the Single Market, and come at a time of dramatically increased transparency requirements for online retailer assessment and profiling of customers (against characteristics including those above) ahead of May’s General Data Protection Regulation (GDPR) introduction.


The introduction of geo-blocking regulation closely follows recent Union efforts to smooth some of the rougher edges of the cross-EU consumer experience, including moves to end cellular roaming charges and legislation providing cross-border portability of online subscriptions and access to TV programmes. Efforts to alleviate online commercial friction represent a key pillar of the Union’s broader Digital Single Market (DSM) strategy.

Whilst existing EU law (in the shape of Directive 2006/123/EC) provides general, non-specific prohibition of consumer discrimination, the EC appears to have taken the view that online leadership in this area requires more bespoke (and correspondingly direct) legislation. 

Cross shopping/ cross-border

Whilst a formal draft remains forthcoming (the EC’s 2016 Proposal for a Regulation sets out the intended approach), the EC has signalled the draft Regulation will define three specific situations “where no justification and no objective criteria for a different treatment between customers from different EU Member States are conceivable from the outset”, being:

  • The sale of goods (without physical delivery). e.g. an Austrian consumer wishing to purchase running shoes, finding the most attractive deal (for collection) on a German website. 
  • The sale of electronically supplied services. e.g. a French consumer wishing to acquire hosting services for a website from an Italian company. 
  • The sale of services provided in a specific physical location. e.g. a Spanish family wishing to purchase theatre tickets for a performance in France, without being redirected to a Spanish website.

Importantly, the draft Regulation will not require a retailer to sell a product or service, and will not directly mandate price harmonisation. The draft Regulation will however target and prohibit retailer restrictions which cannot be justified by other, objective requirements (e.g. taxation or local laws). 

In addition, the draft Regulation will attempt to ease the extent to which EU consumers may make cross-border use of credit cards by preventing retailers from applying different payment conditions based on a customer’s residence, in effect prohibiting a retailer (under certain circumstances) from accepting credit card payments only from specific Member States. Simplifying (and reducing the cost of) cross-border credit card payments follows recent EU moves to cap interchange fees for card-based payments (Regulation 2015/751) and is again indicative of a clear direction of travel under the DSM strategy. This comes in addition to rules introduced under PSD2 (Directive 2015/2366), which, from January this year, banned credit and debit card surcharges for consumer transactions.

Whilst developments in relation to credit card payments are (and will likely continue to be) significant here, it should be noted that the draft Regulation will not represent a blanket requirement for retailers to accept any credit card transaction, under any circumstances. Retailers will continue to be free to decide which means of payment are acceptable, in relation to local vs. other Member State customers.

Impact for retailers – physical goods

Whilst geo-blocking undoubtedly represents a significant compliance consideration, retailers of physical goods should be reassured that neither 2016’s proposal (nor, likely, 2018’s draft Regulation) makes any attempt to:

  • directly require pricing harmonisation; or
  • require a retailer to ship products cross-border (if this is not a service routinely offered).

The forthcoming draft however will:

  • prohibit retailers from denying access or rerouting a customer to a specific regional iteration of an ecommerce site, based purely on factors of nationality, place of residence or geographic location (blocking/rerouting on other grounds, such as relevant local laws and restrictions, will remain valid); and will
  • oblige retailers to permit customers from any EU Member State to purchase products from iterations of the retailer’s sites based in any other EU Member State (unless, as above, other relevant local laws or restrictions apply).

In practical terms, this raises an interesting dilemma: cross-border shipping of physical product is not in and of itself required under the Regulation, yet a consumer cannot be prohibited from making a cross-border purchase. Therefore, whilst an Austrian customer may be able to purchase running shoes from a German website, how, in practice, would these goods be obtained?

The EC takes a pragmatic approach here, indicating “the customer will be entitled to order the product and collect it at the trader's premises [if this is a service offered by the retailer] or organise delivery himself to his home [through his or her own shipping arrangements]”. In practice therefore, whilst a committed cross-border cross-shopper could purchase products (sporting or otherwise) from a Member State of choice, practicality (and likely cost) may prove significant barriers.

Interestingly, logistics & distribution providers and the EC appear to have identified a potential market opportunity for pan-EU consumer shipping solutions, with the EC recently bringing forward a Proposal to simplify cross-border parcel delivery services. As things stand in Q1 2018, however, pan-national Member State shopping for goods at retailers without existing cross-EU shipping provisions seems likely to be a more attractive proposition on paper than in practice.

Impact for retailers – digital goods and services

While regulation in this space raises considerations for retailers of physical product, providers of online services are likely to feel a more acute impact (largely if not solely, as a result of the nature of digital goods and services). In simple terms, providing a pan-EU market for digital goods and services, free from access and (most) price restrictions/variations, opens the door to potentially friction free pan-EU (digital) cross shopping.

In respect of digital goods and services, the draft Regulation will likely:

  • mandate unified access arrangements, unless a variation is not based solely on factors of nationality, residence and/or temporary location; and
  • require retailers to provide harmonised terms of use (including pre-tax pricing) to all EU customers.

For the first time, an EU customer, enjoying the same rights of access and pricing arrangements as any local customer will be permitted to cross shop digital music, e-books, video games and software, across the Single Market. Whilst these developments are clearly significant to any retailer of digital product, it is important to recognise the impact of the draft Regulation will be softened somewhat by significant carve outs, namely:

  • provision of financial, transportation, electronic communications, healthcare, audio-visual and broadcasting services are entirely excluded;
  • the draft Regulation will not alleviate or supersede a retailer’s obligation to obtain appropriate IP and other rights to distribute digital content across the Single Market, as required (e.g. a retailer will still require appropriate licensing to sell a specific e-book or album in a specific Member State); and
  • the draft Regulation will not represent a requirement for retailers to comply with local laws and regulations in every Member State, simply as a result of lifting access restrictions to digital goods or service, unless the retailer “pursues…or directs” (read, directly targets) customers in those Member States (a no doubt significant multi-jurisdictional compliance relief).

Despite these restrictions, the draft Regulation represents a significant compliance consideration for all retailers of online goods and services. In time, dramatically improved consumer access, across the EU, may lead to near complete price parity across digital platforms and emergence of pan-EU price comparison providers.

Looking forwards, action points

As with all things DSM, moves to prohibit geo-blocking speak both to core EU values of open access and to more contemporary EC concerns of modernisation within the Single Market.

In addition, the draft Regulation may prove an interesting complement to legislation in the privacy space, including the GDPR, which seeks to provide EU consumers with better transparency of, and control over, the circumstances in which profiling (using characteristics including location and/or nationality) significantly impacts upon an individual.

For retailers, the draft Regulation requires that key questions be meaningfully addressed:

  • do we engage in geo-blocking practices (either through re-direction or access restriction)?
  • if so, how is this technically achieved (IP location, credit card details etc.)?
  • can our practices be justified by national law or regulation (e.g. price variation in accordance with local VAT/sales tax requirements)?
  • should changes be required to process, policy and/or supplier arrangements, how might these be implemented, technically and organisationally?
  • to what extent should we consider the wider privacy, monitoring and profiling implications of our online activities?

Themes and warnings from the GB Gambling Commission's Raising Standards Conference 2017

Following the publication of its Strategy 2018-2021, the British Gambling Commission hosted its Raising Standards Conference 2017 on 21 November, which further explored some of the themes emerging from the Strategy and the Commission’s priorities for the next few years, which include industry collaboration, the Commission’s work with the UK’s Competition and Markets Authority (‘CMA’) on consumer T&Cs in relation to promotions, and industry compliance with the General Data Protection Regulation. Susan Biddle, Legal Consultant at Kemp Little LLP, reflects on the themes raised at the Conference.

“Go further and faster” was the overwhelming message from the British Gambling Commission’s second annual Raising Standards Conference on 21 November 2017. Well-timed to follow up on the Commission’s publication of its Strategy for the next three years [1] (‘Strategy’), this was an opportunity to explore further some of the themes of that Strategy and the Commission’s priorities.

The Strategy, and the Commission’s priorities, remain consistent with the approach of the last 18 months: the focus remains on consumers and their protection. The Commission acknowledged that some progress had been made - but not enough, and not fast enough. The Commission thinks there is still a disconnect between the industry’s good intentions, and its delivery - something which is reflected in the continued decline in public trust.

Richard Lloyd, former Executive Director of Which?, provided some worrying comparisons with other sectors, but finished on a more encouraging note: like other speakers, he thinks that the industry is at a tipping point, but he does not think it is too late to turn it around, provided that the industry acts promptly.

In relation to problem gambling, the Commission will be looking not only at the person who is gambling, but also at how/where they are doing this and the nature of the product being played. The Commission reiterated the message in the Strategy document, that the industry must focus on exploiting data and technologies to manage risks and protect consumers, as much as it does for profit. Sarah Harrison, Chief Executive of the Gambling Commission, gave the examples of improving existing tools such as reality checks, and exploring new ones such as mandatory deposit limits and stronger age verification. She emphasised the need for robust internal handling of customer complaints, and stressed that it is not sufficient simply to outsource this to ADR (alternative dispute resolution) providers. She warned that the Commission is likely to step up its reporting requirements, and more generally that over the life of the Strategy the Commission will use “tougher and broader” sanctions.

Some of the messages in the Strategy came through with particular clarity. These included the need for the industry to do more to collaborate, and to share knowledge and good practice - and then to implement this learning, including ideas coming from other operators. The industry increasingly recognises the need for this (subject to appropriate protections for commercially sensitive information, and competition law requirements), and participants made the point that the more industry players that participate, the better, as this will reduce the risk of their market and margins being eroded by non-participants. Richard Lloyd warned that big players should be wary of leaving smaller businesses behind and should be willing to invest in industry-wide initiatives for the good of all. There was a welcome suggestion that the Commission will look at issuing more guidance on “what good looks like.”

In particular, the whole industry is expected to learn from the CMA’s current review of consumer T&Cs in relation to promotions - and though its focus has been on online gambling promotions, the CMA considers that its concerns are probably of wider application. The CMA confirmed that it does not intend to outlaw such incentives, but the terms must be fair. The importance that the Commission places on this is demonstrated by its publication of the CMA presentation on its website. It was made very clear that the Commission and the CMA expect all operators to review their T&Cs, and to make any necessary changes so as to meet the CMA’s requirements - and to comply with these requirements immediately as they are published.

The Commission emphasised that it will be monitoring compliance in subsequent months and the industry should expect appropriate enforcement action. The CMA and the Commission are continuing to work together in examining the wider question of withdrawal of player funds. Good practice needs to be embedded in the industry and its products. Social responsibility, otherwise known as ‘safe & fair gambling,’ needs to be part of everyone’s role, from the top down throughout the entire workforce. Kate Lampard, Chair of GambleAware, put in a plea for diverse main boards, so as to get a more complete view of the business and better reflect the diversity of the customer base; she recommended that the person responsible for social responsibility/‘safe & fair gambling’ should sit on the main board. Protections against problem gambling need to be designed into products, and not just be later add-ons to meet regulatory requirements.

Many in the industry are not yet contributing 0.1% of gross gambling yield to research, education and treatment of problem gambling. There was a clear message that this requirement is only likely to increase - and if the industry cannot deliver an appropriate level of funding via a voluntary scheme, a mandatory obligation will be imposed. Bill Moyes, Chair of the Gambling Commission, warned that the Government already has the necessary power to impose this and that the Commission believes a national levy would be fair, and it will continue to discuss with Government whether the time has come to use this power.

The Commission does not believe that the EU General Data Protection Regulation (‘GDPR’) will prevent responsible use of aggregated data to protect consumers. Gareth Cameron from the Information Commissioner’s Office (‘ICO’) promised that more guidance on the GDPR will be forthcoming, though progress has been made more difficult because the UK Data Protection Bill is still being debated in Parliament. The industry will however need to look to the Gambling Commission for industry specific guidance. Gareth emphasised the importance of accountability - the industry needs to be able to demonstrate how it complies, and to document its decisions in relation to treatment of personal data and compliance.

Consent is not the only basis for processing, and the industry should consider all the options available which include compliance with legal obligations and pursuit of legitimate purposes. It is not yet clear whether compliance with LCCPs or self-exclusion schemes, or use in machine learning or the development of algorithms to flag problem gambling indicators, will constitute the necessary ‘legitimate purposes.’

However, Gareth assured the audience that this is the sort of issue which the ICO and Gambling Commission are currently debating, and the ICO will provide further (general) guidance on what constitutes a ‘legitimate purpose.’ Data subjects have strengthened rights, and cyber security is a key concern for the ICO; the industry needs to be sure that it has processes in place to deal with requests and any breaches, including reporting within limited timeframes. The ICO will be encouraging reports of security breaches to be made by phone, so it can provide guidance and ensure that the ICO obtains all the necessary information.

While press and public concern has focused in particular on fixed odds betting terminals (‘FOBTs’), the Commission highlighted that it has also been looking at the online industry, and particularly at online casinos. There was a clear message to this sector that the Commission does not think their due diligence or consumer protection systems are adequate, and operators were expressly warned that the Commission will intervene if they do not remedy this.

So overall, a clear message from the Commission to the industry to “up its game” and to “show not (just) tell,” with consumer protection and problem gambling remaining priority areas, and immediate action points in some areas such as consumer terms, sharing learning, online casinos, use of technology and data, and the levy.

[1] http://www.gamblingcommission.gov.uk/PDF/Strategy-2018-2021.pdf

This article was first published in the Online Gambling Lawyer on the 13th December

The Autumn 2017 Budget: driverless cars

TMT analysis: Andrew Joint, commercial technology partner at Kemp Little, explains the key announcements of the Autumn Budget relating to driverless cars.

Original news

Autumn Budget 2017: Tech and Innovation, LNB News 22/11/2017 72

The Chancellor of the Exchequer, Philip Hammond, has announced plans at Autumn Budget 2017 for a new advisory body—the Centre for Data Ethics—to enable and ensure safe and ethical innovation in artificial intelligence (AI) and data-driven technologies. The government also outlined its ambition to see fully self-driving cars, without a human operator, on UK roads by 2021.

What has been announced?

In his Autumn Budget the Chancellor stated that ‘the government wants to see fully self-driving cars, without a human operator, on UK roads by 2021’ and that he wanted to create ‘the most advanced regulatory framework for driverless cars in the world’.

Where specifically will the funds be invested?

Noting the stated figures that the driverless car industry has the potential to be worth £28bn to the UK and employ nearly 30,000 people, the investment in an ethical centre to deal with some of the wider issues raised by technologies such as driverless vehicles is a sensible and vital move by the government. However, considering the value/impact of driverless vehicles (according to the government’s own figures), this ‘R&D’ investment still seems low.

We can expect to see more charging points by our roads, and greater electric car use, following the announcement of a new £400m charging infrastructure fund, the investment of an extra £100m in the Plug-In-Car Grant, and £40m in charging R&D.

What developments have happened so far?

In February 2015 the Department for Transport (DfT) published ‘A detailed review of regulations for automated vehicle technologies’, together with a ‘Summary report and action plan’, under the heading ‘The Pathway to Driverless Cars’.

These documents set out the UK government’s plan to update laws and regulations to permit the sale of automated vehicles to the public, and include plans to develop a code of practice for testing automated vehicles, while reviewing legislation to clarify liabilities in the event of a collision, and consider whether higher standards of safety are required (including dealing with cyber threats).

Additionally, a draft ‘Vehicle Technology and Aviation Bill’ was announced during the Queen’s Speech in February 2017, which included proposed automated vehicle specific legislation, relating to record-keeping, insurance and accidents relating to uninstalled software updates. The Bill passed a second reading in October 2017.

Is it realistic to expect driverless cars to be on the roads in Britain by 2021?

We can certainly expect driverless cars on public roads within the next decade. Whether we can realistically expect to see them by 2021 will depend on the passage of the legislation mentioned earlier.

The government certainly has the desire for this to be the case, but perhaps some of the broader ethical questions regarding the ‘personhood’ status of driving software will be thornier issues to resolve not only in the UK, but also elsewhere in the world.

The law places a strong emphasis on ‘the person’, which drives concepts such as ownership and both civil and criminal liability. That concept initially attached to the human—people owning things, people committing crimes or entering into agreements. But we have seen our laws adapt and, in our modern world, we have stretched the concept of legal personality. We have created intangible entities, for example limited companies, PLCs, LLPs etc, which are all capable of ownership and liability in their own right. This means they can enter into contracts, incur debt and be held accountable for their actions, and they are distinct from the identities of their shareholders, directors, parent or subsidiary companies.

In 2017, for environmental protection reasons, we have seen the Whanganui River in New Zealand granted legal status and an attempt to do the same for the Ganges in India.

In October 2017 a robot called ‘Sophia’ was granted citizenship status by Saudi Arabia—triggering a wave of interesting discussions and repercussions, such as whether Saudi robots have more rights than women.

The law could be amended to give some form of legal status (and so responsibility/accountability) to driving technologies—as we already have a precedent for amending this legal concept.

Interviewed by Alex Heshmaty.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.

This article was first published on Lexis®PSL TMT on 30 November 2017. Click for a free trial of Lexis®PSL

Egaming industry predictions for 2018 - including GDPR and lottery regulation

Susan Biddle reveals her top three industry predictions for 2018

  1. The need for socially responsible provision of gambling will be a key theme, underpinning a number of issues such as: the launch of GAMSTOP and how effective this is; continued debate about the dividing line between gambling and social gaming, and the extent to which social gaming should be regulated. There will be particular concern about children being exposed to gambling-style products; whether there should be a statutory levy to replace the current voluntary funding for research, education and treatment of problem gambling; and a drive towards more co-operation between operators on sharing experiences on what works (or does not work) in relation to identifying and helping problem gamblers and those at risk of becoming problem gamblers. The 5 Live investigation reported in mid-December is perhaps a taste of things to come. Operators will make – or will be under increasing pressure to make – more use of technology (including machine learning and other forms of artificial intelligence) to help them to identify actual/potential problem gamblers and the self-excluded, and to help these people to manage (and where appropriate stop) their gambling.
  2. A continued focus on consumer protection, with all operators needing to review their T&Cs to take account of the outputs from the current Competition & Markets Authority (CMA) investigation, and vigorous action by the CMA and Gambling Commission against any who do not make the necessary changes. We’ll also see continued active enforcement by the Commission and/or the ASA of the various codes on advertising.
  3. An increased regulatory focus on lotteries, in an attempt to shore up the revenue for good causes including: the introduction and enforcement of the bar on betting on non-UK EuroMillions; the need to make clear what proportion of lottery proceeds go to which good causes; requiring those offering bets on international lotteries to make very clear that this is betting, & not a lottery raising funds for good causes; the competition for the new National Lottery licence and follow-up of the National Audit Office’s report on Camelot’s profits and contribution to good causes; and close scrutiny (by the Gambling Commission and/or the ASA) of the various attempts to sell houses via free prize draws and skill competitions.

This article was first published on EGR December 2017

Is the rapid approach of driverless vehicles accelerating the need for legal change?

Legal regulatory changes on the horizon for driverless cars.

Governments in the UK do not typically have reputations as visionary thought-leaders, facing some of the most challenging political questions of a generation. British politicians are even less likely to be focused on challenging Musk and Hawking for the ‘World’s Leading Futurist’ crown.

So what did we learn when the Chancellor delivered his Autumn Budget, announcing that he wanted to create “the most advanced regulatory framework for driverless cars in the world” and “the government wants to see fully self-driving cars, without a human operator, on UK roads by 2021”?

Prediction is very difficult, especially about the future

We can safely presume that within the next decade, we will see driverless vehicles on public roads, unleashed from their test environments. Uber recently announced plans to buy 24,000 autonomous cars from Volvo, while Google-affiliated ‘Waymo’ announced that its fully driverless cars have been driving around Arizona, without a safety driver at the controls, for months. This is industry validation that we’re approaching the event horizon for publicly available driverless vehicles.

The focus is rapidly shifting from validating the capability of the driverless vehicle tech to scrutinising the suitability of existing legislation to deal with this technology. The US and UK have seen plenty of theoretical ‘thought pieces’ on holistic issues raised by driverless vehicles (and artificial intelligence more generally). However, it is only recently that legislators have begun to fully recognise that the topics have evolved from abstract sci-fi debates to practical real-world issues.

Regulatory approach to date

So, where are we with the UK regulator’s approach to automated vehicles? Here we mean both fully autonomous vehicles, capable of being operated with little or no input by a driver, as well as automated technologies which support the operation of a vehicle by a driver.

In February 2015, the DfT published ‘A detailed review of regulations for automated vehicle technologies’, together with a ‘Summary report and action plan’, under the heading “The Pathway to Driverless Cars”. These documents set out the UK government’s plan to update laws and regulations to permit the sale of automated vehicles to the public, and included plans to develop a code of practice for testing automated vehicles, while reviewing legislation to clarify liabilities in the event of a collision, and consider whether higher standards of safety are required (including dealing with cyber threats).

Additionally, a draft ‘Vehicle Technology and Aviation Bill’ was announced during the Queen’s Speech in February 2017, which included proposed automated vehicle specific legislation, relating to record keeping, insurance and accidents relating to uninstalled software updates. The Bill passed a second reading in October 2017.

Is driving software likely to become a ‘person’?

The automated vehicle is often cited as a practical example in the legal debate surrounding artificial intelligence more broadly. Discussion on AI also focusses on issues around ethics and the concept of legal personality. The question was asked by the EU Commission in January 2017, following a recommendation by the Legal Affairs Committee, as to whether robots, and indeed other AI technology, should be granted ‘personhood’ status.

The law places a strong emphasis on ‘the person’, which drives concepts such as ownership and both civil and criminal liability. That concept initially attached to the human – people owning things, people committing crimes or entering into agreements. But we have seen our laws adapt, and in our modern world, we have stretched the concept of legal personality. We have created intangible entities – limited companies, PLCs, LLPs etc., which are all capable of ownership and liability in their own right.

This means they can enter into contracts, incur debt and be held accountable for their actions, and they are distinct from the identities of their shareholders, directors, parent or subsidiary companies. In 2017, for environmental protection reasons, we have seen the Whanganui River in New Zealand granted legal status and an attempt to do the same for the Ganges in India. In October 2017 a robot called “Sophia” was granted citizenship status by Saudi Arabia – triggering a wave of interesting discussions and repercussions, such as whether Saudi robots have more rights than women.

The law could be amended to give some form of legal status (and so responsibility/accountability) to driving technologies – as we already have a precedent for amending this legal concept. However, a key question is what are we trying to achieve in doing this?

This question forms the other current focus of regulators regarding automated vehicles and artificial intelligence – the underlying ethical principles, which govern the operation of the tools.

Both the UK and EU approaches have been to flag that reaching conclusions on the various ethical debates on AI and robots is fundamentally important. Indeed, in his November budget, the UK Chancellor provided the further investment required to progress ethical think-tanks and their recommendations.

Questions such as “should the driverless vehicle choose the elderly pedestrian or the young family to crash into?” are now being debated in the public domain. Reaching conclusions on these questions, which should involve factoring in both public opinion and ongoing Government-supported research, will allow us to shape the next phase of legislation. Clearly, with this revolutionary technology so close to being publicly available, we cannot wait too long for the legislation to catch up.

This article was first published on Computer Business Review December 2017

Update on extension of SMCR to FCA FSMA-authorised firms and insurers

Following on from the consultation papers published in the summer regarding the extension of the Senior Managers and Certification regime (see our client alert: here), the FCA have published proposals on how firms and individuals (including insurers) will transition to the extended Senior Managers and Certification Regime (SMCR). In addition, the FCA has published two Consultation papers on the duty of responsibility and also on Industry Codes of Conduct.

Key points:

  • It is likely now that implementation of the extension of SMCR will apply firstly to insurance firms, in late 2018
  • For other firms, implementation is likely to be in mid-to-late 2019
  • Other than for Enhanced firms, the FCA is proposing to automatically transfer existing approved persons into Senior Management Functions
  • Enhanced firms will need to make specific applications for individuals to be approved as Senior Managers
  • The Duty of Responsibility will extend to all SMFs in the extended regime
  • The FCA is seeking feedback on its approach to supervising conduct, and its suggestion that it publicly recognise appropriate industry codes of practice

Consultation paper (CP17/40) on the transitional arrangements for solo regulated firms SMCR

View the consultation paper.

Who is affected by these changes?

All FCA solo-regulated firms, as well as EEA and third country branches (not insurers; these firms should read CP17/41).

Conversion of individuals from the APR to the SMCR:

The FCA want to make the transition from the Approved Persons Regime (APR) to the SMCR as simple, clear and proportionate as possible. The FCA proposes to:

  • Automatically convert most of the existing approved persons at Core and Limited Scope firms into the corresponding new Senior Management Functions (SMF). A table in the CP (at page 16) sets out which roles will automatically transfer.
  • The CP also includes proposals for dealing with new and in-flight applications by Core and Limited Scope firms.
  • Although statements of responsibility will not be required on the conversion, firms must have statements available for the FCA on request.
  • Enhanced firms will need to submit a conversion notification (Form K) and accompanying documents (statements of responsibilities and responsibilities map).

Certified Staff

Individuals who are not SMFs but who fall under the Certification Regime instead will need to have been identified by the start of the regime, and will be required to comply with Conduct Rules from this date. However, firms will have 12 months thereafter in which to certify them as ‘fit and proper’.

Conduct Rules

Firms will be given 12 months from the implementation date to train all staff (other than SMFs and CFs) covered by the Conduct Rule regime.

Changes for banking firms

The CP also makes clear that the FCA are proposing to introduce the new Prescribed Responsibility for training staff in Conduct Rules before the implementation of the extended regime, and firms will therefore be required to amend existing statements of responsibility and Responsibility Maps, and to notify the FCA accordingly.

Appointed Representatives (ARs)

The extension of the SMCR does not affect Approved Persons (APs) working at ARs. Principal firms will remain responsible for their ARs.

The Financial Services (FS) Register

The FCA proposed in CP17/25 and CP17/26 that for firms subject to SMCR, only details of people holding SMFs will remain on the register, with employees in Certification Functions (CFs) therefore no longer appearing on the register. This is being reviewed by the FCA as concerns have been raised regarding the impact of this on individuals currently holding CFs.

When will this be implemented?

The new rules will be implemented once the Treasury sets the dates. The FCA presumes that the rules will apply to insurers in late 2018 and solo-regulated firms in mid-to-late 2019. The actual commencement dates will be announced and set by the Treasury in due course.

Consultation paper CP17/41 on transitioning insurers and individuals to the SMCR

View the consultation paper.

Who is affected by these changes?

Solvency II firms, Non-Directive firms (NDFs) and small run-off firms.

Transition arrangements

As insurers differ in size and nature, the FCA does not consider it appropriate to move individuals into the SMCR in the same way for all of them. The FCA proposes to:

  • automatically convert most of the APs at the small NDFs, small run-off firms and ISPVs into the corresponding new Senior Management Functions (SMFs);
  • allow Solvency II firms and larger NDFs to submit a conversion notification (Form K) and accompanying documents.

Certified Staff

Individuals who are not SMFs but who fall under the Certification Regime instead will need to have been identified by the start of the regime, and will be required to comply with Conduct Rules from this date. However, firms will have 12 months thereafter in which to certify them as ‘fit and proper’.

Conduct Rules

Firms will be given 12 months from the implementation date to train all staff (other than SMFs and CFs) covered by the Conduct Rule regime.

Consultation Paper CP17/42 – The Duty of Responsibility for insurers and FCA solo-regulated firms

View the consultation paper.

Who is affected by this paper?

Insurers, FCA solo-regulated firms and the senior management of both.

This consultation paper focuses on the extension of the ‘Duty of Responsibility’ to Senior Managers in all firms covered by the extension of SMCR. The FCA has produced guidance on the duty, and seeks feedback from firms affected by the extension.

Responses to these three consultation papers are due by 21 February 2018.

Consultation Paper CP17/37 - Consultation Paper on Industry Codes of Conduct and Discussion Paper on FCA Principle 5
Who is affected by this paper?

All authorised firms, including those already subject to SMCR.

What does the paper say?

The FCA is proposing:

  • a “general approach” to supervising and enforcing SMCR rules for unregulated markets and activities, including those covered by industry-written codes of conduct.
  • to publicly recognise particular industry codes that set out proper

In addition, it is seeking comments on extending the application of FCA Principle for Businesses 5 regarding proper market conduct.

Responses to this paper should be sent by 5 February 2018.

What should you do now?

Firms that wish to comment on the various consultation papers should take the opportunity to do so, as past experience has shown that it is possible to inform and shape the Final Rules through consultation responses.

Separately, firms should still be considering who is caught internally by the regime requirements, and which roles will transfer automatically (or on application) to SMFs. Governance structures and reporting lines will need to be considered in light of the extension of the regime and of the duty of responsibility for SMFs.

To discuss how Kemp Little can help you implement these changes, please see our note or contact a member of our SMCR team:

PSD2 - European Commission adopts Delegated Regulation regarding regulatory technical standards on strong customer authentication and on common and secure open standards of communication

What has happened?

Firms who are within scope of the second Payment Services Directive ((EU) 2015/2366) (“PSD2”) now have – at long last – some clarity around PSD2’s strong customer authentication (“SCA”) requirements, following the European Commission’s adoption on 27 November 2017 of a Delegated Regulation and Annex with regard to the regulatory technical standards (“RTS”) on SCA and common and secure open standards of communication (“CSC”) (C(2017) 7782). 

What are the key points?

The key points relate to continuing access by payment service providers to payment service users’ payment account information held by banks and an optional corporate exemption from certain SCA requirements. 

Some detail

The journey to this point has not been easy and it is not clear whether the final RTS will answer all outstanding questions around SCA. The RTS were drafted initially by the European Banking Authority (“EBA”) further to its mandate under PSD2 to specify the requirements for SCA (under Article 98) and related exemptions, security measures for payment service users’ credentials and CSC for payment service providers. 

The RTS met with initial disapproval from the European Commission, which drafted a letter in May 2017 setting out its intention to make a number of amendments. The most controversial of these was the Commission’s proposed requirement that Account Servicing Payment Service Providers (“ASPSPs”) (typically banks) provide Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”) with access to the customer interface if the dedicated interface is not available. In other words, screen-scraping would still have to be permitted as a fallback if a bank’s dedicated interface for AISPs and PISPs fails, in order to ensure continuity of the services that AISPs and PISPs provide to payment service users (end customers). In June 2017, the EBA responded with an Opinion letter setting out its objections, including its objection to permitting screen-scraping in this way.

The Commission’s adoption of the RTS includes some substantive amendments reflecting the Commission’s original position. The first is the addition of a further exemption from SCA to cover electronic payment transactions performed through dedicated payment processes used by corporates, where the appropriate level of security is achieved through means other than the authentication of a particular individual. This exemption would be subject to the approval of each national competent authority.

The Commission’s second amendment to the RTS relates to “screen-scraping”. Here, the Commission promotes a compromise position (or perhaps a punt). The Commission maintains that banks should permit a fall-back mechanism if the dedicated interface fails: “it is necessary to provide, subject to strict conditions, a fall-back mechanism that will allow such providers to use the interface that the account servicing payment service provider maintains for the identification of, and communication with, its own payment service users.” (C(2017) 7782 final (Recital 24))

Having said that, the Commission has also decided that national competent authorities may exempt banks from being required to provide such a fall-back mechanism, provided the dedicated interface meets certain criteria. In other words, it’s back to the FCA. This means that ASPSPs, AISPs and PISPs could face different SCA requirements depending upon which Member State they are operating in.

What happens next?

Although PSD2 applies from 13 January 2018, the RTS apply 18 months after the date that the Delegated Regulation enters into force, which will be the date of its publication in the Official Journal of the EU. This means that the RTS should apply from around Q3/Q4 2019, assuming the necessary approval by the European Parliament and the Council is granted.

The Commission’s adoption of the RTS has several implications for payment service providers. They now know they have until around Q3/Q4 2019 to bring their systems into compliance with the security measures in Articles 65, 67 and 97 of PSD2 (transposed in the UK in Part 7 of the Payment Services Regulations 2017) that concern SCA. The provisions of those Articles that do not relate to SCA apply from 13 January 2018, when PSD2 itself takes effect.
