This edition of Banking Bites provides updates on:
- Privy Council rules against extending Quincecare requirement
- No privileged protection for the identity of the person communicating with lawyers
- Payments systems regulator fines NatWest Group £1.82m for overcharging credit card interchange fees
- EU member states reach agreement to tighten cybersecurity rules
- Financial Conduct Authority agrees to remove unused regulatory permissions
- Lessons Learned: Knowing Your Customers’ Processes Remains FCA’s Main Goal for Challenger Banks
- Wolfsberg Group publishes FAQ advice on filtering out negative news
- FCA encourages reporting of sanction evasions or screening issues
1. The Privy Council rules against the extension of the Quincecare obligation
Does a bank owe a duty of care to a person who is the beneficial owner of funds held in the account of a bank customer and who has been defrauded by that customer? This decision seeks to answer that question. This was a judgment given by the Privy Council in proceedings which had originally been brought in the Isle of Man. It is nonetheless interesting and potentially persuasive. The Privy Council answered the question in the negative, rejecting the fund’s argument that such a duty of care was already established in law on the basis of a case called Quincecare. The Court of Appeal disagreed – there was nothing in the case law to support the argument that the obligation extended beyond that owed to customers of a bank and there would potentially be “radical implications” if it were to be accepted by the courts that such an obligation extended to a beneficiary who sits behind the bank account customer. The ruling is another example of how, in light of recent case law, parties continue to attempt to broaden the scope of a bank’s obligation to detect, arrest and compensate fraud on or by its customers. A copy of the judgment is available here.
Please contact Andrew Tuson if you have questions.
2. No privileged protection for the identity of the person communicating with lawyers
In a recent judgment, the UK High Court considered whether the identity of those authorized to instruct solicitors on behalf of a company is itself subject to litigation privilege under English law. The judgment confirms that, in certain cases, the question of who gives instructions to the lawyer may impinge on an answer to the question of the content of those instructions. It is important to consider who the client is for purposes of legal privilege and the judgment highlights some of the sensitivities surrounding the roles of individuals in the client group. Where there is a risk that disclosure of the identity of the data subject could lead to disclosure of the nature of the communications or advice given, greater care should be taken to protect the secrecy of the communications.
Please contact Oran Gelb with any questions.
3. Payments Systems Regulator (PSR) fines banking group £1.82m for overcharging interchange fees on credit cards
Four banks have been fined a total of £1.82 million for overcharging interchange fees on cards. The initial investigation was launched four years ago after the UK’s PSR discovered problems during routine monitoring. It was found that the four banks had wrongly treated a number of cards as commercial cards when they should have been treated as consumer cards. This meant that the fees charged by these banks were not capped and were set too high. As a result, this has led to banks overcharging merchants (and, ultimately, merchants). While banks eventually closed consumer card accounts and refunded the excess fees they had collected, the PSR concluded that banks should have acted more quickly to comply with the interchange fee regulations. A copy of the PSR notice of decision is available here. For those exposed to its remit, the ruling serves as a helpful reminder of the importance of keeping abreast of the latest PSR guidelines to ensure compliance, especially in light of regular PSR monitoring.
Please contact Polly James if you want more information about it.
4. EU member states reach agreement to tighten cybersecurity rules
On May 13, the European Parliament and Member States reached an agreement in principle on new cybersecurity rules and new information systems. The new NIS 2 directive will oblige medium and large entities in sectors critical to the economy and society (including banks and energy services) to take certain cybersecurity risk management measures. According to the Commission, the directive aims to increase information sharing and cooperation in cyber crisis management at national and European level, while imposing additional cybersecurity requirements on companies and tackling vulnerabilities in security in the supply chain.
NIS 2 will also impose a minimum list of basic security elements that companies should implement; create more specific requirements for the cyber incident reporting process and timeline; and require individual companies to address cybersecurity risks in supply chain and supplier relationships. Member States, together with the Commission and the EU Cybersecurity Agency, would also be empowered to carry out coordinated risk assessments of critical supply chains, and national data protection authorities would be given increased powers, including the ability to impose administrative fines of up to €10 million or 2% of a company’s total worldwide turnover, whichever is greater.
A copy of the Commission press release is available here.
5. The Financial Conduct Authority (FCA) undertakes to remove unused regulatory authorizations
The UK financial services regulator, the FCA, has issued a press release warning that it intends to use new powers to more quickly cancel or change the regulated activities that companies are allowed to carry out. The new powers are defined in Policy Statement PS22/5 and allow the FCA under Schedule 6A FSMA 2000 to revoke or vary a company’s Part 4A authorization. The FCA will now be able to revoke an authorization or modify it 28 days after the first warning if the company has not taken appropriate action. The hope is that this will strengthen consumer protection by reducing the risk of consumers being misunderstood or misled about their exposure to financial risk and the degree of consumer protection they enjoy. The press release reminds companies regulated by the FCA that they must regularly review their authorizations, ensure that they are correct and that they act in accordance with them. If certain permissions are not needed or used, companies should seek to revoke them quickly.
6. Lessons Learned: Knowing your customer processes remains a key objective for challenger banks
Our recent experience working with challenger banks suggests that the UK financial services regulator has a strong focus on implementing effective KYC processes. In particular, the FCA indicated that video selfies of customers were useful for banks to report human trafficking concerns to the relevant authorities. The FCA also clarified that no matter how good a transaction monitoring system is, firms must always comply with the relevant customer due diligence requirements. Challenger banks also expect any enhanced due diligence to be contained in a written document, rather than stored in code.
7. Wolfsberg Group publishes FAQ advice on filtering out negative news
The Wolfsberg Group published Frequently Asked Questions to assist financial institutions in creating a negative news screening framework in support of financial crime risk management. Implementing an effective negative news screening framework can help financial institutions understand who they are doing business with and the risks they are exposed to. Although there is no universally accepted definition of what constitutes negative news, it can be broadly defined as information available in the public domain that financial institutions would consider relevant to managing the risk of financial crime. In addition to helping financial institutions better understand who they are dealing with, filtering negative news can also add value in the following ways:
- disclose involvement in criminal activity which may determine the need for additional due diligence and/or targeted reviews of past transactional activity;
- provide additional context to support an investigation of potentially suspicious activity; and
- help identify potential risks with respect to a client’s source of wealth and/or source of funds description.
8. The FCA encourages the reporting of sanction evasions or screening issues
The UK FCA has issued a press release encouraging the reporting of sanction evasion or enforcement issues where they relate to companies on the Financial Services Register, other FCA registers or companies with securities listed in the UK. FCA’s main areas of intervention are broad and cover:
- any suggestion that companies have poor sanctions controls;
- alleged breaches of the sanctions regime;
- actual violations of the sanctions regime; and/or
- any method used by companies or individuals to violate the sanctions regime.
When reporting to the FCA on these matters, it is important that companies comply with any legal disclosure, reporting and data protection requirements they may have and carefully consider whether another control or an appropriate professional body must also be notified of the potential disclosure.