By Kai Zhang
Critical third party regime
This is to address the concentration issue where financial services firms outsource key functions/services to a few large service providers (e.g. cloud service providers). HM Treasury will designate which third party service providers are considered “critical”. Then the relevant regulators will be given power to make rules supervising them with respect to certain “material services”. See policy statement of 8 June.
There is no timeline yet as this needs primary legislation.
Regulation of Buy-Now-Pay-Later
Certain BNPL model (essentially, where consumers have an overarching relationship with the lender) will soon become subject to the consumer credit regime. Currently, such firms rely on an exemption to stay outside the regime. The Government is also minded to regulate certain forms of online or remote STIFC (short term interest-free credit) but is seeking further clarity on this sub-sector by 1 August.
Importantly, merchants will be exempted from credit broking by virtue of offering such BNPL (or STIFC) as a payment option.
See consultation response of 20 June; a second consultation is expected by year end.
Changes to AML regime
The following are expected to come into force on 1 September 2022. See consultation response of 15 June.
“Account information service provider” will be excluded from the UK Money Laundering Regulations 2017, meaning that AISPs will no longer have to conduct CDD/KYC on their customers.
AISPs are regulated firms that aggregate customers’ different payment accounts in one place for easy viewing; they do not process transactions. The Government initially proposed to also exclude “payment initiation service providers” (which initiate payments but are not involved in the funds flow) but ultimately decided to keep PISPs within scope.
Crypto travel rule
“Cryptoasset exchange provider” and “custodian wallet providers” (which must register with the FCA for AML purposes) will soon be required to include specified information of the originator and the beneficiary for transfers of cryptoassets. Essentially, the former provide services exchanging between fiat and cryptocurrencies or between cryptocurrencies; the latter provides custody of customers’ private key.
The sending firm must include the specified information and the receiving firm must detect if the information is missing. The required information covers (about the originator) name, address, account number or transaction identifier, personal document number, customer identification number or date/place of birth; and (about the beneficiary) name, account number or transaction identifier. There are various exemptions: for a transfer below EUR1000, only names and accounts (of both parties) are required; for a transfer where all service providers are within the UK, only the accounts of the parties are needed; for unhosted (or cold) wallets, such information only need be collected for high-risk transfers.
The information should be sent alongside the transfer via a different system that is not publicly accessible, rather than shared “on chain”.
This is the UK’s implementation of FATF Recommendation 16 (the travel rule). There will be a 12-month grace period, from 1 September 2022 to 1 September 2023.
Change in control
A change in control over a cryptoasset exchange provider or a custodian wallet provider (see above) will require prior approval from the FCA. Currently, such a change in control is only subject to a post-event notification.
* Benjamin Disraeli