Doing Fintech Business in the UK: Regulatory Q&A for US and Other Non-UK Businesses

The UK has no single regulatory regime for fintech providers. Instead, a fintech firm will be subject to regulation if it carries on, by way of business in the UK, certain activities that are identified as regulated activities under the Financial Services and Markets Act 2000 (FSMA) and other laws, regulations, and rules, including the following:

• Those, such as the Payment Services Regulations 2017 (PSR), made to give effect to European Union (EU) directives while the UK was still a member of the EU 
• Directly applicable EU regulations—such as the Markets in Financial Instruments Directive (MiFID), which includes requirements for identifying whether certain foreign exchange products are regulated—that were incorporated or “onshored” into UK law before the UK ceased to be an EU member

The regulated activities include long-established activities such as accepting deposits and offering accounts, providing payment and card services, providing consumer credit, offering residential mortgages, providing insurance, providing and managing investments, and providing financial advice. 

They also include the regulation of more recent activities including crowdfunding, peer-to-peer lending, and those related to cryptoassets, the regulation of which is expanding. (See our alert on Marketing Cryptoassets and Services in and Into the UK: Shifting Regulatory Sands (goodwinlaw.com).)

It is a criminal offence for a person to carry on a regulated activity without being one of the following:

• Authorised by the Financial Conduct Authority (FCA) or, for deposit-taking activities, the Prudential Regulation Authority
• Exempt from authorisation because the person is, for example, an appointed representative of an FCA-authorised firm under the Financial Services and Markets Act 2000 or an agent of FCA payment services institution under the PSR

A person may also not communicate an invitation or an inducement to engage in investment activity—that is, make a financial promotion—without either becoming FCA authorised or having an FCA-authorised firm approve the communication. This is known as the “Financial Promotion Restriction”.

As noted above, a fintech firm will be subject to regulation if it carries on regulated activities by way of business in the UK. The FCA general guidance indicates that a firm will carry on business only where it has an establishment in the UK, but it also states that a person based outside the UK may be carrying on activities in the UK even if they do not have a place of business in the UK, for example by means of the internet or other telecommunications system or by occasional visits. In that case, it will be relevant to consider whether the firm satisfies the by-way-of-business test. This test looks to factors such as degree of continuity, which, in the context of cross-border business, considers time spent in the UK, use of offices, and other similar factors. The person may be able to rely on the “overseas persons exclusions”, although these are narrow and currently under review.

One clear exception to note is that, in the case of regulated mortgage contracts, even if the contract provider is outside the UK, when the residential property on which the mortgage is secured is in the UK, the provider will be subject to UK regulation. 

For payment and electronic money (e-money) services, the FCA guidance indicates that FCA authorisation or Payment Services Regulation registration is not required by non-UK payment institutions seeking to provide payment services and e-money services to UK customers from a location outside the UK. 

The Financial Promotion Restriction, noted above, does have an extraterritorial effect and applies to any financial promotion that is “capable of having an effect in the UK”. Currently, the promotion of payment services and e-money services is not subject to the Financial Promotion Restriction. 

Generally, as an initial requirement a firm will have to a apply to become FCA authorised and, depending on whether it is authorised under FSMA or another regime, such as that under the PSR, satisfy certain conditions for authorisation including requirements to have, amongst other things:

• An office in the UK
• Sufficient staff to carry on its business in the UK, including personnel responsible for regulatory compliance
• Appropriate governance arrangements with individual directors and other senior managers who are fit and proper and have the appropriate qualifications 
• The minimum amount of regulatory capital prescribed for its type of business
• Appropriate arrangements for preventing financial crime, including anti–money laundering and know-your-customer systems and controls that comply with the Money Laundering
• Regulations 2017, anti-bribery and sanctions policies, and processes for preventing cybercrime 
• Adequate arrangements for safeguarding customer funds where the firm, for example, issues electronic money — a particular recent focus for the FCA
• Systems and control for managing operational risk, including the risk arising from the outsourcing of critical services to third parties 
• Processes for reviewing financial promotions and ensuring that customer documentation complies with consumer protection requirements 
• Processes for handling customer complaints
• Processes for making regulatory reports and notifications 

The PSR, which form the backbone of the UK payments regulatory regime, apply to anyone who provides a payment service as a regular occupation or business activity in the UK. Payment services are defined in the PSR to include:

• Services enabling cash to be placed on or withdrawn from a payment account and all of the operations required for operating a payment account
• The execution of payment transactions by direct debits, credit transfers, or a payment card or similar device
• Issuing payment instruments or acquiring payment transactions
• Money remittance
• Payment initiation services
• Account information services

The PSR also contain a list of activities expressly excluded from the definition of payment services. This includes payment transactions carried out between payment service providers or their agents and branches for their own account and payment transactions carried out within a payment or securities settlement system. 

Issuing e-money, typically stored in a user’s account, which can be accessed using a card or an electronic device, such as a mobile phone, and can be used to pay for goods and services is a regulated activity under the Electronic Money Regulations 2011 (EMR). The EMR define e-money as electronically (including magnetically) stored monetary value as represented by a claim on the electronic money issuer that is:

• Issued on receipt of funds for the purpose of making payment transactions
• Accepted by a person other than its issuer
• Not excluded by the EMR

The requirement that e-money is issued only on receipt of funds excludes the application of the definition to credit products, such as credit cards.

The EMR provide for two exemptions. They are referred to as the “limited network exclusion”, intended to prevent products such as some retail gift cards from falling within the scope of the e-money definition, and the “electronic communications exclusion”, which applies to products used to make payment transactions that the provider offers in addition to the provision of electronic communications networks or services. 

Generally, lending to customers in the UK is not a regulated activity, unlike the position in some European Union member states, unless the loans amount to regulated credit agreements or regulated mortgage and similar home financing arrangements.

If no exemptions apply, a lender will have to be FCA authorised and subject to the types of requirements noted above. Regulated credit agreements have specific requirements around how the agreement is drafted and formatted and what information must be included. Regulated mortgages are subject to particular restrictions on how the mortgages are marketed, originated, and sold; how the lenders administer the loans on an ongoing basis; and how borrowers who fall behind on their payments are dealt with.

The operation of an electronic system in relation to lending, which is aimed at peer-to-peer lending, is also a regulated activity in the UK.

Fintech businesses looking to do business in the UK will also have to consider law and regulation of general application. This includes the EU General Data Protection Regulation which has been incorporated into the laws of the UK (UK GDPR). The UK GDPR regulates the collection,  processing and transfer of personal data. The UK GDPR applies to UK-based companies and has extra-territorial reach applying to companies based outside the UK who offer goods and services to UK individuals or monitor the behaviour of UK individuals.

Fintech businesses will also have to consider the application of immigration, employment and antidiscrimination law and regulation when employing individuals in the UK.