United Kingdom: Fintech

The most significant piece of law governing payments in the UK is the Payment Services Regulations 2017 (referred to in this chapter as the “PSRs”). These are the UK implementation of the Second Payment Services Directive (commonly known as PSD2), which is a piece of European Union legislation that came into force on 13 January 2018, having been finalised in late 2015. PSD2 was created by the European Commission as a result of learnings from and in response to market developments since the introduction of the first Payment Services Directive in 2007, which was itself introduced in order to open up the payments market and govern various payment-related activities that had previously been unregulated. These included money remittance (i.e. sending money from one place to another), operating a payment account, the execution of payment transactions and the issuing or acquiring or payment instruments. Under PSD2 and the PSRs, this scope was increased to include third party providers (“TPPs”), the so-called “open banking” account information service providers (or “AISPs” – who are enabled to pull digitised transaction data out of a payment account that is operated by another payment service provider), and payment initiation service providers (or “PISPs” – who are enabled to initiate a push payment such as a bank transfer, from an account operated by another payment service provider). Further detail is given on open banking in answer to questions 4 and 5 below. PSD2 and the PSRs are supplemented by a range of Guidelines and Regulatory Technical Standards that are produced by the European Banking Authority pursuant to its mandate in Article 98 of PSD2. The most well-known of these is the Regulatory Technical Standard for strong customer authentication and common and secure open standards of communication (commonly known as the “SCA RTS”, official title the Commission Delegated Regulation (EU) 2018/389), which governs the methods by which payment service providers will have to carry out authentication in relation to payment transactions and online access to account information as well as the communication between the TPPs and other payment service providers. Broadly speaking this mandates two-factor authentication, under which authentication must be carried out using any two of three factors of something you know (such as a password), something you possess (such as a mobile phone or a credit card) or something you are (such as a biometric marker like a thumbprint). There are exemptions from the need to carry out strong customer authentication – for instance for certain low value transactions, contactless card payment transactions or recurring transactions – but these are tightly controlled. The SCA RTS was due to come into full effect in September 2019, but in response to calls from the payments and retail industries, who largely did not have strong customer authentication technologies and processes fully implemented, the FCA agreed (with some conditions) to delay enforcement of the SCA until March 14 2021. Due to the effects of the Covid-19 pandemic, this has now been delayed further for the e-commerce industry (including card issuers, payments firms and online retailers) until March 2022. The other main piece of payments-related legislation in the UK is the Electronic Money Regulations 2011. These govern the particular payment service of issuing and distributing “e-money”, which is an electronic representation of cash. The typical example of e-money is a prepaid card, but these days e-money structures underlie anything from gift cards to mobile banks. Lastly, whilst it is not strictly speaking legislation, the documents “Payment Services and Electronic Money – Our Approach” published by the Financial Conduct Authority (available here) is an excellent guide on how the FCA views the application of the various pieces of legislation.

However, the UK government is in the process of conducting a full review of the payments landscape, and in October 2021 published a response to its call for evidence, available here, in which it set out its four priority areas and key actions for Government regulators and industry to deliver them.  These are (i) future-proofing the regulatory and legislative framework that governs payments, (ii) strengthening consumer protections in Faster Payments; (iii) unlocking the future of Open Banking-enabled payments; and (iv) enhancing cross-border payments. As such, it seems likely that at some point in 2021 or 2022 there will be further announcements and/or implementations of amendments to the legal and regulatory framework governing payments.

Under the Payment Service Regulations, non-banks can become authorised to provide payment services. There are a number of ways that they can do this. The first is to become an authorised payment institution. In order to do so they must go through the authorisation process with the FCA, for which purpose they must meet a number of requirements including the holding of capital, safeguarding funds, record keeping, accounting and audit, conditions around material outsourcings, and provision of information to customers of the payment services. The second is to become authorised as a small payment institution. The compliance burden is significantly less than for an authorised payment institution, but with restrictions such as that a small payments institution cannot have an average monthly transaction volume over the previous year (or projected volume) of more than €3 million. In addition, the FCA provides for a simplified application process for entities providing account information services only. The application is shorter and the compliance burden is lower, reflecting the fact that AISPs transact in data only and do not move or hold funds. The FCA decides when an application is complete, and has up to 3 months from receipt of the completed application to make a decision on whether or not the application is successful.

The most popular payment method by far is the debit card, which overtook cash as the most frequently used payment method in the UK in the last quarter of 2017. Around 98 per cent of the population holds a debit card, using these to make 15.8 billion payments in 2020. This represents a decrease of 7 per cent over 2019, largely due to the effects of the pandemic. However, although the total volumes of debit card transactions declined, the proportion of payments made by debit card increased in 2020, driven by factors such as the growth in popularity of contactless payments and the increased decline of the us of cash. The use of credit cards also decreased in 2020, by 18 per cent compared to 2019, to account for 2.8 billion payments. Around 69 per cent of adults in the UK hold a credit card. In terms of payment method, the number of contactless payments in the UK has increased further, rising a to 9.6 billion payments, representing 27% of all payments made via contactless cards. These payments are made by the 135 million contactless-enabled cards in circulation by the end of 2020, with 88 per cent of debit cards and 81 per cent of credit cards capable of making contactless payments. In contrast to credit and debit cards, the use of cash as a payment method has continued to decline. While 61 per cent of payments made in 2007 were made in cash, only 17 per cent of payments made in 2020 were. This decline is forecast to continue, although predictions do not indicate that cash will become extinct as a means of payment. In terms of payment methods used for credit transfers, direct debit, standing orders, Bacs Direct Credit and CHAPS are all used. Of these, the use of direct debit is widespread, with 90 per cent of UK consumers using direct debit to pay some or all bills. This amounts to 4.5 billion payments for a value of £1.178 billion in 2020. The payment method most frequently used by businesses and government remained Bacs Direct Credit. CHAPS is used principally by financial institutions for (large) corporate treasury payments. The result is that a mere 0.1 per cent of the total volume of UK payments made via CHAPS accounts for 91 per cent of the total value of all payments made: 44.5 million payments for a value of £91.9 trillion. Online banking and mobile banking transfers, which are largely underpinned by the Faster Payments Service, have also enjoyed significant increases in popularity, with 72% of UK adults using online banking and 54% using mobile banking in 2020. Last and least, the use of cheques to make payments continued to decline, with only 185 million cheques used in 2020, compared to 546 million in 2015, and 1,580 million in 2010. With the increase in the use of card and other newer methods of payment, this decline is forecast to continue. Looking forward, the use of newer payment methods such as PayPal, Google Pay, Samsung Pay and Apple Pay is projected to increase in the coming years (in 2020 32% of the adult population of the UK had registered for some form of mobile payment method, an increase of 75% compared with 2019) as is the use of payment initiation services to make credit transfers at an online (or potentially in-person) checkout. Source: UK Payment Markets Summary 2019, available at https://www.ukfinance.org.uk/sites/default/files/uploads/SUMMARY-UK-Payment-Markets-2021-FINAL.pdf

In the UK, open banking is facilitated by the PSRs, implementing PSD2, (see answer to question 1 above for more detail), and the work done by the Open Banking Implementation Entity (the “OBIE”) and other private entities and financial institutions seeking to implement its effect. The PSRs provide that an account servicing payment service provider – that is, the payment service provider maintaining a payer’s payment account – must allow access to AISPs and PISPs (together referred to as “third party providers” or “TPPs”). AISPs – account information service providers AISPs are given access to a payment service user’s account and transaction data, under certain conditions. This requirement applies to all account servicing payment service providers who make payment accounts accessible online, and can therefore include not only traditional banks but also e-money institutions and credit card providers. PISPs are given similar access, but practically speaking access will be limited to those payment accounts from which a credit transfer payment can be initiated.

The PSRs impose requirements on both the account servicing payment service provider and the AISP. The PSRs require that the account servicing payment provider: must communicate securely with the AISP in accordance with the EBA RTS on SCA; treat any request for data access from an AISP exactly it would a data access request from the payment account owner; and not require the AISP to enter into a contract with it. The PSRs require that AISPs act only with the explicit consent of the payment service user (account owner); ensure the confidentiality of the payment service user’s personalised security credential; communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA; restrict its access to designated payment accounts and transactions only; not request “sensitive payment data”; and not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested. In this, the PSRs implement the requirements set out in PSD2; however, the PSRs definition of account information services is slightly narrower than that set out in PSD2. While PSD2 takes a broad view of account information service as the provision of consolidated information on one or more payment accounts, the PSRs narrow this by including in the definition the provision that account information thus obtained be provided “only to the payment service user” or “the payment service user and to another person in accordance with the payment service user’s instructions”. In other words, any AISP registered with the FCA in the UK will need to be able to provide the account information back to the payment service user and not simply route the information to a third party.

In relation to PISPs – payment initiation service providers – similarly, account servicing payment service providers must execute payments initiated by PISPs. The PSRs impose requirements on both the account servicing payment service provider and the PISP. The PSRs require that the account servicing payment provider:

• must communicate securely with the PISP in accordance with the EBA RTS on SCA;
• make available to the PISP all information about the initiation of the payment transaction as well as all information the account servicing payment service provider has regarding the execution of the payment transaction;
• treat any payment order exactly as it would a payment order requested directly by the payment account owner; and
• not require the PISP to enter into a contract with it. The PSRs require that PISPs do not hold the payer’s funds at any time;
• ensure the confidentiality of the payment service user’s personalised security credential;
• do not provide any information about the payer to anyone other than the payee, and then only with the payer’s explicit consent;
• identify themselves to the relevant account servicing payment service provider upon initiating a payment order and communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA (see answer to question 1 above);
• not store “sensitive payment data”;
• not request information from the payer except as necessary for the payment initiation;
• not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested; and
• not modify any feature of the initiated transaction.

OBIE – the Open Banking Implementation Entity

The EU-based PSD2 and PSRs were preceded by and are now in force concurrently with the UK-specific OBIE provisions. The OBIE was initially set up by the UK’s Competition and Markets Authority (“CMA”) in 2016 to deliver open banking to the UK, in response to a CMA report on the UK retail banking that found that established banks do not need to compete hard enough for customers, and that new entrants to the market encountered difficulty in obtaining access. The OBIE required nine major retail banks (known as the CMA 9) to develop application programming interface (“API”) standards to facilitate the payment service users’ access to their current account data. Standard implementation requirements for firms using these API standards have been published by the OBIE, with a view to aligning the firms’ APIs with the requirements and goals for establishing TPP access to accounts set out in PSD2. Additional information on the OBIE, including its Customer Experience Guidelines and Technical Specifications, can be found here. The OBIE is continuing to work with the CMA 9 to improve the existing APIs, and to introduce additional functionality to boost the uptake of open banking services.

Dedicated interfaces

As regards the more widely applicable PSD2 and PSR requirements around open banking, when the RTS on SCA comes into force, all account servicing payment service providers must provide access to TPPs, whether through dedicated interfaces (such as APIs) or by direct access to the customer account. Prior to the date when this comes into force, account servicing payment service providers must nonetheless provide access to TPPs pursuant to the PSRs, even where access cannot be provided through dedicated interfaces. This means that “screen-scraping” (i.e. a TPP using a customer’s own login details to obtain access to the relevant account) is permitted until the SCA fully comes into force, unless the account servicing payment service provider gives the option to the TPP of obtaining access through dedicated interfaces such as an API. As regards the nature of the dedicated interface, the PSRs and PSD2 are neutral on the means of access; however, the FCA encourages the use of standardized APIs, such as those already developed by the OBIE, though many others are already developed and in use.

Implementation in practice

In practice, AISPs are already offering payment service users innovative products and services based on their account and transaction data, expanding quickly on the government’s initial, relatively narrow, vision for account information services, which saw AISPs providing dashboard services providing an aggregated view of accounts and income and expenditure analysis. In the event, UK-registered AISPs have gone further and are providing payment service users with services ranging from loyalty cashback services run entirely through the AISP to analysis of small and medium business cashflow needs to speedier and more effective credit analysis.

In contrast to AISPs, PISPs have been slower off the mark, but more PISP-based payment services based are starting to emerge and there is regulatory appetite to promote their use (see question 1 above) . The development of the OBIE APIs by the CMA 9 banks continues apace, with new functionality and scope being added in various releases. The Open Banking Standards are currently on Version 3.1.9, and apply to many of the products covered by PSD2 such as credit cards, e-wallets, prepaid accounts, currency accounts and other accounts that can be used to make payments, such as loans, mortgages and savings accounts, as defined in PSD2.

The main piece of legislation around data is the General Data Protection Regulation (GDPR), which has been incorporated into UK law and tailored by the Data Protection Act 2018 (DPA). As in other jurisdictions within the European Union, the GDPR is an evolution of the previous legislation around data protection and in many ways codifies and puts on a mandatory footing what was already best practice in relation to the treatment of personal data. The scope of data covered by the GDPR is broader than under the previous legislation, in ways that are likely to be relevant for a number of fintech business models. For instance, GDPR explicitly includes biometric data within the scope of the “personal data” it governs, which is likely to be of relevance to those providing identity verification or authentication services. It also includes location data, which may well be relevant to fintech providers that are operating mobile based services.

Privacy by design and by default

Among the many other obligations emanating from GDPR around the treatment of personal data, some of the most important for early-stage fintechs to consider are the obligations in Article 25 around data protection be design and by default. These entail the building of systems and processes in a way that integrates data protection principles as a matter of technical architecture and process management. One aspect of this is ensuring that personal data is stored in such a way that it is only seen by people who really need to see it, using techniques such as data minimisation and pseudonymisation, meaning that having one single repository of all customer data is unlikely to be acceptable. Existing large organisations, both within and outside the financial services arena, have had to put a large amount of effort into complying with these requirements; new fintechs have an opportunity to get this right from the outset.

Transparency and accountability

Another key focus of GDPR is transparency and accountability. This means that organisations handling personal data have to be very explicit and clear with their customers and their employees about the personal data they are collecting and how they are using it, and have to keep clear records of the same. There are also obligations to include in contracts with data processors (for instance subcontractors for IT services) specific obligations that are designed to draw out the detail around the treatment of personal data in the contractual arrangement, in a way that will help to ensure compliance with data protection principles. Organisations which carry out certain types of processing activities are also obliged to appoint a data protection officer who is responsible for monitoring the organisation’s compliance with data protection principles.

International data transfers

Fintechs planning to transfer or store personal data outside the European Economic Area should be aware of the strict requirements in doing so. As the GDPR is EU-focused legislation, any entity transferring personal data outside the EEA will need to apply additional protections to that data. This can take the form of, for example, mutual contractual obligations between the transferring and receiving parties. The use of cloud providers, third-party hosting platforms and data centres are just some examples of where personal data is commonly transferred and stored outside the EU. Following the UK’s departure from the EU, on 28 June 2021 the EU adopted an “adequacy decision” under which it is viewed as having protections which are equivalent to those in the EU, meaning that most data can still flow from the UK to the EU and the EEA without additional safeguards having to be put in place.

Profiling

The GDPR also places restrictions and obligations on entities using personal data for the purpose of profiling data subjects or making solely automated decisions about them. Profiling and automated decision making can only be carried out in certain circumstances, and data subjects have additional rights in relation to this type of processing, such as the right to object and the right to have any such decision manually reviewed. Technology involving big data, artificial intelligence and machine learning frequently involve profiling and/or automated decision making.

Data subjects’ rights

One other area of GDPR which is potentially a great advantage in fintech is the new set of obligations which empower individuals whose data you are holding (“data subjects”) to transfer the personal data you hold about them electronically to another service provider. These “data portability rights” can be very useful for a data-driven fintech company, as they may enable it to some extent to get hold of data collected in the context of other services that might otherwise not be obtainable – in many ways this is a broad data access right that is similar in principle to open banking (see answers to question 4 above).

Regulatory fines

The data protection and privacy regulator in the UK, responsible for enforcing GDPR and the DPA, is the Information Commissioner’s Office (“ICO” – not to be confused with “initial coin offerings”). As with all European privacy regulators, the ICO is empowered to conduct investigations into the application of GDPR, and impose fines or restrictions on processing. The fines for the most serious breaches can be up to EUR 20m or 4% of worldwide turnover; however, most fines are likely to be significantly less than this.

Marketing

The other major pillar of data regulation in the UK likely to affect fintech is around marketing. This is often confused with being part of GDPR, but is a separate regime that sits alongside it. The UK regulations governing marketing communications are the Privacy and Electronic Communications Regulations 2003, commonly referred to as “PECR” or the “PEC Regs”. These govern the way that organisations deal with marketing calls and messages, including as to how consent for such communications is to be obtained and maintained; they also cover the use of cookies and similar tracking technologies. The PEC Regs are again a UK implementation of a European Directive, known as the e-privacy Directive, which is currently in the process of being amended.

Scope of privacy regulation – non-personal data

It is worth noting that the above areas of data regulation apply to individuals’ personal data, and while this will cover many of the types of data relevant to fintech, it does not cover everything. For instance, while the laws around open banking refer across to GDPR, the payment account data that they govern will in many cases fall outside the personal data regime, as is the case with much of the payments and finance data of small businesses. There are also other areas of financial services where non-personal data is regulated by different regimes, such as the EU Benchmarks Regulation, but these are more niche in their application.

Against the backdrop of a tightening regulatory landscape in recent years (driven largely by the global financial crisis), UK regulators and policy makers have undertaken a variety of initiatives and projects to understand the implications of technology in financial services. As well as investing in projects through Innovate UK and research councils, the government has carried out a number of calls for information and launched its Digital Strategy – setting out the government’s ambition to make the UK attractive to attracting and growing digital businesses. At the regulator level, the FCA has established the Innovation Hub and the Regulatory Sandbox to support innovation in the interests of consumers. Through the Regulatory Sandbox (now on its seventh cohort since the end of 2015), a wide range of firms are able to test innovative business models, delivery mechanisms, products and services in the real market, with real consumers in a controlled environment. Firms also have direct access to the FCA’s dedicated teams, providing a level of advice and support around the regulatory regime and onward authorisation if this is required. In 2020 the FCA also launched a Digital Sandbox, a permanent facility allowing fintechs access to synthetic data assets to enable testing and validation of solutions, including an API marketplace; and is also operating a Green FinTech Challenge 2021 to support development and live market testing of new products and services that will aid the transition to a net zero economy.

The government is taking an active role, alongside institutions such as Innovate Finance, in promoting the attractiveness of the UK as a destination for growing a fintech business; and is promoting growth amongst the start-up community through initiatives such as the establishment of the Tech Nation Fintech Delivery Panel and various related programmes. Most significantly, in the 2020 Budget, HM Treasury announced the relaunch of an independent review of the UK’s fintech sector, looking to advance the three objectives if ensuring that UK fintech has the resources it needs to grow and succeed, creating conditions for adoption of fintech services, and maintaining UK fintech’s global reputation for the innovation and transformation of financial services. That “Fintech Strategic Review” was led by former Worldpay CEO Ron Kalifa OBE (and is often referred to as the “Kalifa Review”), and recommended a range of measures relating to policy and regulation, skills, investment, international expansion, and national connectivity. In the Autumn 2021 budget, the Chancellor announced that the UK Government would implement a number of the recommendations, including:

• providing seed funding to establish a Centre for Finance, Innovation and Technology (CFIT);
• a review of the Pension charge cap to unlock institutional investment in UK growth firms;
• confirmation of scale—up immigration visas; and
• an extension of the R&D tax credit regime to include data and cloud computing activities.

The most obvious risk is Brexit. This is for three main reasons. The first and most frequently cited is the loss of the passporting regime, under which firms that are authorised to carry out a regulated activity in one Member State of the EU are permitted to carry out that activity in other Member States on the basis of a registration in that Member State, rather than having to go through a full authorisation process, and without having to have an establishment in that jurisdiction. However, this will of course affect only those fintechs that operate in multiple jurisdictions, and which are carrying out regulated activities – so its effect may be limited in practice, not least because the threat of the loss of passporting has forced affected companies to prepare by setting up a continental base of operations.

The second and more real risk continues to be around immigration and access to talent. Fintech businesses need a wide range of skills that are sometimes quoted as not being available from within the UK in large enough numbers to support the UK’s thriving fintech ecosystem, particularly around experienced software engineers. As such, the immigration controls on talent of this type are likely to be key to the success of the UK fintech ecosystem as we navigate the post-Brexit system, and many are watching this particular issue with keen interest.

The third is the potential for regulatory divergence. In many respects, divergence from the rest of European law could of course be a disadvantage, but as with passporting this is likely to affect mainly those aspects of financial services that inherently operate on a cross-border basis, such as international payments. However, for non-international fintechs, there is every possibility that the divergence could be beneficial, allowing UK legislators to create laws that track innovations in financial services more quickly than has been possible at a European level, and perhaps providing templates for other legislators in the process.

However, as set out in answer to question 10 below, they are a great many reasons why the fintech ecosystem should continue to thrive in the UK, and none of the above is likely in our view to damage this materially in practice.

Whilst not specific to fintech, there are a number of generous tax incentives in the UK aimed at promoting investment in small companies by “business angels”.

The first is the Seed Enterprise Investment Scheme (SEIS), which was introduced in April 2012 to help small, start-up stage companies, raise funds through individual investors by providing very generous tax reliefs to investors who take risks on such ventures. Where an investor subscribes for up to £100,000 per year in SEIS qualifying shares, income tax relief of 50% of the amount invested is given with the potential to split the relief between the tax year of the investment and the previous tax year. The scheme also offers 50% exemption from capital gains tax (CGT) on up to £100,000 of gains reinvested in SEIS qualifying shares. There is no CGT on the disposal where the shares are held and relevant conditions met for at least three years. Loss relief is available; however, the relief is reduced by the income tax relief claimed on the investment. The second is the Enterprise Investment Scheme (EIS), which was launched in 1994 to encourage individual investments in small unquoted trading companies in the UK. Under EIS, individual investors can subscribe for up to a maximum of £1,000,000 of EIS qualifying shares per year (or £2m in knowledge intensive companies), and income tax relief of 30% of the amount invested is given. Again, there is no capital gains tax on the disposal where the shares were held and relevant conditions met for at least three years. Loss relief is available, but the relief is reduced by the income tax relief claimed on the investment and can be set against the investor’s capital gains or his income in the year of disposal. Neither SEIS, nor EIS relief is available where an investor possesses or is entitled to acquire in excess of a 30% stake or rights in the company or subsidiary.

The third is Investor’s Relief. This applies a 10% rate of capital gains tax to gains (up to a lifetime maximum of £10m) accruing on the disposal of ordinary shares in an unlisted trading company or group.  The shares must comprise newly issued shares, which must be held for a minimum 3-year period, during which a number of conditions must be met.

One further tax incentive that is likely to be relevant to fintechs is R&D tax relief. This provides businesses with a significant cash tax saving in respect of qualifying expenditure incurred by the business on research and development projects, which seek to achieve an advance in overall knowledge or capability in a field of science or technology, through the resolution of scientific or technological uncertainty. For an SME company with fewer than 500 employees that either has an annual turnover up to €100 million or gross balance sheet assets of up to €86 million, the tax relief on allowable R&D expenditure is an additional deduction of 130% – that is, for every £100 of qualifying expenditure, the company could have the profits on which corporation tax is paid reduced by an additional £130 on top of the £100 spent. A loss-making company of this type could surrender its current period trading loss to HM Revenue & Customs for repayment as cash credit: for example, if a loss-making company undertakes R&D activities and spends £100,000 on qualifying R&D expenditure, it may claim a cash credit of up to £33,350 in return for surrendering trading losses. For a Large company, the R&D Expenditure Credits (RDEC) scheme provides a taxable, above-the-line 13% credit for qualifying R&D expenditure. A tax-paying company may use this credit to reduce its corporation tax liability, with a net tax-saving of 10.53% (for a company paying tax at the main corporation tax rate of 19%) of the qualifying R&D expenditure. A non-tax paying company may claim this as a cash credit: for example, a large company spends £100,000 on qualifying R&D expenditure and is not tax-paying, it may claim a cash credit of £10,530, subject to certain conditions. As such, a fintech that that is carrying out significant amounts of research and development could benefit greatly from this relief.

Some fintechs may also be to benefit from Patent Box, which provides for a reduced rate of corporation tax of 10% to be applied to profits attributable to UK or EU patents. Software providing a technical solution to a technical problem may be patentable. Changes to the Patent Box regime were introduced from 1 July 2016 requiring a claimant to demonstrate a “nexus” between its R&D activities and tax benefit derived from the regime.

Over the past few years most fintech investment has been at Series A and lower, simply because much of the development is coming out of new start-ups. However, the multiples around fintech are high, such that a Series A can be £5-10 million, or in some cases more. However, over the last few years we have seen more UK fintechs progressing to Series B and C funding rounds, in addition to the continued raft of Series A funding, and in spite of the Covid-19 pandemic. In fact, in a number of cases the pandemic appears to have accelerated both adoption of fintech solutions and funding as a result. We’re seeing investment in particular in the following areas: anything which can streamline the client on-boarding process (facial recognition, biometrics etc); mobile banking; wealth management; regtech software; capital markets analysis software; and open banking products.

The UK has established itself as one of the leading jurisdictions in the world for fintech. It has a long history as a centre of financial services and as such has a deep network of institutions, knowledge and talent around all aspects of finance. It also has a long history of technological innovation and the creative arts, meaning that there is ample talent and networks available for people to share ideas and create new businesses; it is for this reason that the start-up scene in the UK – not only in London but across the UK – is one of the most vibrant in the world. As such it was extremely well placed from the outset to be a desirable destination for fintechs to grow: it already had the talent pools for the “fin” and the “tech” firmly in place. Countless accelerators and incubators are testament to this, and have acted as a focal point for some of the most prominent success stories. However, there are a few additional factors that are often overlooked.

The first is political imperative. Uncertainty over Brexit has arguably spurred politicians and regulators on to introduce initiatives that will help the UK to remain at the forefront of fintech – the government’s Fintech Strategic Review (otherwise known as the “Kalifa Review”) is just one example of this; the Tech Nation Fintech programme is another. The effects of Brexit are likely to remain for some time, especially around immigration and passporting, but for any business operating in the fintech arena there are still significant advantages to setting up in the UK and taking advantage of that wave of political impetus.

The second is regulation. The UK has in the FCA a regulator that has shown itself to be both pragmatic and open to debate and engagement, which has helped numerous fintechs to bring their innovations to market far more quickly than would otherwise be the case – see question 6 for more detail on some of the measures that have been taken in this regard including the Regulatory Sandbox and the Digital Sandbox.

The third, more unlikely candidate, is taxation. The tax incentives and reliefs available to investors, outlined in our answer to question 8 above, provide a platform where investors are encouraged to put capital into growing businesses by reducing the risks to the investor should the business fail, which has undoubtedly contributed to the ability of nascent businesses to attract crucial early investment.

The last is engagement by major institutions, including the incumbent banks. The major UK banks have largely already gone through a process of learning to engage with small companies in ways that they have not been accustomed to doing in the past, and many have not only started to deploy fintech-like business models themselves (e.g. digital-only banks), but have also started their own fintech accelerator programmes which are aimed at fostering innovation with a view to long term partnership arrangements. Furthermore, five of the major banks and a group of major fintechs, led by Tech Nation’s Fintech Delivery Panel, collaborated to produce at the end of 2019 a guide for fintechs on the best way to engage with banks and how to avoid common pitfalls. This was to our knowledge the first time in any jurisdiction that major financial institutions had gone out of their way to guide fintechs on the best ways to collaborate with them, and signals significant further development of the fintech industry in years to come. These factors and more – in spite of and arguably because of Brexit – make the UK an excellent place to build a fintech business.

The UK immigration system has specific categories for the tech sector, including the Global Talent category which is designed to attract those who are at the very top of their field. Companies in the UK can apply for a sponsor licence which permits them to bring non-British nationals to the UK to work in skilled roles and importantly, since January 2021, has allowed companies to sponsor new arrivals from the EU. The cap on the number of skilled migrants who can come to the UK was removed in January 2021. The start-up and innovator categories are designed to allow UK businesses and accelerators to sponsor entrepreneurs and innovators. There continues to be widespread criticism that the new schemes do not go far enough to attract seasoned entrepreneurs and innovators (in part due to the requirement to be accepted on incubator/accelerator programmes of the endorsing bodies) with only low numbers of successful applications being granted. It is therefore critical that the Global Innovation Strategy is designed to cope with demand and adequately allows companies to deal with the skills shortages facing industries like fintech.

The UK continues to deal with the challenges of exiting the EU, sector shortages and controlling migration and Covid-19. It is not unique in having to control migration; however, it is doing so in challenging times particularly in a climate where 42% of employees in the tech sector are from outside the UK and 28% are from within the EEA. The UK does have some measures in place to try to address sector shortages, it has a shortage occupation list of professions for which there are not enough resident workers to fill vacancies in the UK. The Migration Advisory Committee (MAC) is an advisory non-departmental body which advises the Government on migration issues. The MAC regularly reviews the list and calls for evidence of which occupations should be included or removed; and there are calls for it to review the shortage occupation list for 2022. Jobs which fall on the shortage occupation list have lower skills and salary thresholds; and the resident labour market test was removed under the new immigration system, a welcome change for many companies. In addition, the skills threshold was lowered for the sponsored worker route, allowing employers to sponsor migrants at RQF level 3 (A-level) or above. Tech Nation is a Government initiative which provides a network of growth programmes, events, skills and data resources to reach all corners and clusters of the UK. The Global Talent programme (mentioned above) is supported by Tech Nation as it is one of the designated competent bodies which reviews and assesses applications for endorsement under the Digital Tech subcategory. In February 2020, the Government removed the cap on the number of visas granted in this category (including those endorsed by other bodies such as the Arts Council England, The Royal Academy of Engineering etc). As before, regulators in the UK need to continue to lobby the Government and push for the UK fintech sector to remain at the forefront of the global fintech industry and achieve its goal of making the UK the best place to imagine, start and grow a digital business.

Fintech companies rely on innovations, usually implemented through software. These assets are almost exclusively protected by intellectual property (IP). Therefore, IP underpins the value of almost all fintech companies. The UK offers a range of IP rights to protect fintech innovations. Some commonly used IP rights of particular relevance to fintech companies are as follows:

• Copyright The law of copyright protects the results and expressions of creative ability and extends from art and literary works to more technical works, including computer code. It arises automatically; the UK does not have a copyright registration system, unlike some other jurisdictions, so there is no need to register to benefit from copyright. It endures for the life of the author plus 70 years. For a fintech company, common copyright protected assets include source code and object code, databases (in terms of their selection and arrangement), pictures, content, sounds/videos, GUI’s and designs/drawings/plans. In order to qualify for copyright protection, the work must be original, and a minimum amount of intellectual creation / labour must have gone into creating the work. Copyright will be owned by the original author unless the author is an employee in which case the employer will own the copyright (providing the work was created by the employee while performing their duties). Where contractors are used, it is important to ensure that assignments of copyright (and other IP rights) are included in their contracts. Copyright gives the owner the exclusive right to exploit the work in a variety of ways (e.g. copying, adapting, rental/lending, issuing copies to the public and communicating the work to the public); and to prevent others doing those acts in relation to the whole or a substantial part of a copyright work (which can be assessed qualitatively or quantitively. However, in relation to software, copyright does not protect functionality itself. While a company can prevent a third party from copying its source code, copyright law does not prevent a party writing its own code to carry out the same functionality. Further, lawful users of software can (i) observe/study/test it to understand underlying principles and (ii) providing certain conditions are met, can decompile software in order to achieve interoperability.
• Databases can be protected either under the law of copyright, or under the a “sui generis” database right. A database is “a collection of independent works, data or other materials which are arranged in a systematic or methodical way and are individually accessible by electronic or other means”. The database right prevents a third party from extracting or reutilising all, or a substantial part, of a database. To qualify, the author must show a substantial effort in the obtaining, verifying or presenting of the contents of the database. Note that this is separate to creating the data itself. While the database right usually lasts for 15 years from creating, or making the database available to the public, a new right arises where there is a substantial change in the contents. Therefore, fintech companies often find their electronic databases have protection on an ongoing basis as those databases continue to grow. As a separate right to the sui generis database right, database copyright requires that there is some intellectual creation in the selection or arrangement of the contents of a database; for this reason, it can be harder to show. If database copyright subsists, it gives the same rights and endures for the same duration as other forms of copyright.
• Registered Designs can be relevant to fintech companies as they can be used to protect user interfaces. Larger tech companies often obtain registered designs of commonly used user and web interfaces which they associate with their brand / technology. This may be useful if a fintech company has a unique app interface. Designs can be registered cheaply, and with a minimal examination process, and can be a useful tool to ward off competitors who might be minded to copy the “look and feel” of an application.
• Patents Despite commonly held views, Europe and the UK allows the patenting of software innovations where there is something of technical effect to protect. Patents protect the functionality of the innovation itself, regardless of the code implementing the invention. This stops a third party from copying the functionality of software. Having patent protection allows the fintech company to exercise a monopoly over the innovation, permitting only that company to commercialise or license the innovation to third parties. To obtain a patent, certain criteria must be met. In short, a patent must be novel and involve an inventive step (new and inventive over any invention which has been previously disclosed). An application should be completed as soon as possible and before commercial exploitation or publication / marketing of the product. In the UK and Europe specifically, to patent an invention implemented in software it must also make a “technical contribution” of some kind. For example, software which speeds up trading or allows customers to connect to services in a new way. Patents last for 20 years and are often seen as valuable by investors. The UK also offers a tax saving on profits generated through patent-protected innovations through its patent box tax system.
• Trade Secrets / Confidential Information Patenting requires disclosing how the invention works; some companies prefer to rely on keeping their innovation confidential. UK common law provides a law of confidence. In addition, the UK is subject to the EU Trade Secrets Directive and this was implemented into UK law by the Trade Secrets (Enforcement, etc.) Regulations 2018. To class as a trade secret, the information must not be generally known by the public or persons specialising in the fintech company’s area, it must have commercial value, and reasonable steps must be taken in order to keep the information secret. A trade secret owner can take legal action where there has been unauthorised use of the information to the owner’s detriment. Fintech companies should look to bolster their legal position by entering into NDAs before disclosing any confidential information regarding their product, giving them an additional contractual protection.
• Trade Marks Although not specific to fintech companies, the UK has an exhaustive trade mark registration system for the protection of word marks and logos.
• Enforcement The UK offers a world-renowned justice system with a high-calibre independent judiciary. As well as the High Court, the UK has a specialist IP court for lower value claims, called the IPEC. This is particularly useful for fintech companies looking to protect their assets at a lower cost, due to its faster outcomes, more limited process, and caps on recovery of legal costs (the usual rule in UK litigation is that the loser pays a proportion of the winner’s costs).

Cryptocurrencies as such are not regulated in the UK at this point in time, however other activities that use, reference, exchange or deal in cryptocurrencies, can require regulatory authorisation, or even be prohibited. The UK regulatory framework defines regulated activities broadly as specified activities that are carried on in the UK by way of business which relate to specified investments. The principal provisions regarding the regulated activities regime are contained in the following: The Financial Services and Markets Act 2000 (‘FSMA’), which is the key statute governing financial regulation in the UK and contains in section 19 the general prohibition on unauthorised persons carrying on regulated activity in the UK unless they are an exempt person (by virtue of being an appointed representative of another authorised firm) or an exclusion is available. The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (‘RAO’), which contains definitions of the regulated activities and exclusions. Under FSMA it is an offence for a (legal or natural) person to carry on regulated activities in the UK unless it is authorised or an exemption applies. Violation carries criminal penalties and any agreements made in violation may be void. The extent to which this framework applies to cryptocurrencies depends on whether these fall within the definition of a specified investment. This is generally determined on a case-by-case basis and depends heavily on the defining characteristics of the cryptocurrency and the nature of the proposed activity. Where the specified activity involves both cryptocurrency and a specified investment – as is often the case – this will bring the activity within the regulated sphere. Examples of activities that would otherwise be regulated but are not when cryptocurrencies are used include payments and e-money activity.

Specified activities that use of cryptocurrencies typically do not comprise

• Cryptocurrencies will generally fall outside the scope of the Payment Services Regulations 2017 (implementing the second Payment Services Directive 2015/2366 (EU)). This is because cryptocurrencies are not at this point considered by the Bank of England as “money” and therefore not cash.
• Cryptocurrencies will generally fall outside the scope of the Electronic Money Regulations 2011 (the “EMRs”). This is because e-money is defined as being issued on receipt of “funds” and represent a claim on the issuer, which would exclude many cryptocurrencies.

Specified activities that use of cryptocurrencies typically does comprise

Cryptocurrency derivatives typically will fall within the scope of the regulated activity. Notwithstanding that cryptocurrencies are not considered to be currencies or commodities within scope of MiFID II, cryptocurrencies may be caught by the Markets in Financial Instruments Directive II (MiFID II). This is because cryptocurrency derivatives can be financial instruments within the meaning of MiFID II. The FCA have said that it is likely that dealing in, arranging transactions in, advising on or providing other services that amount to regulated activities, as these relate to derivatives with a cryptocurrency as the underlying instrument, will require authorisation by the FCA.

Cryptocurrency-specific regulations

Since 6 January 2021, there has been a ban on the offering of cryptoasset derivatives and cryptoasset exchange traded notes to retail clients – on the basis of protecting consumers from harm, due to volatility, the increased risk of financial crime, an inadequate understanding of cryptoassets by retail consumers, and a lack of legitimate need for retailer consumers to invest in them.

Cryptocurrency-specific extensions to the regulatory regime

Whether or not cryptocurrencies are regulated by the principal financial regulations in the UK, operation of a cryptoasset exchange or custodial wallet service now attracts active ‘know-your-client’ obligations under the updated Money Laundering, Terrorist Financing and Transfer Regulations (SI 2007/2157) as amended to implement the Fifth Anti-Money Laundering Directive ((EU) 2015/849) (“AMLD5”)  The UK gold-plated this directive, implementing a wider definition of cryptoasset exchange than AMLD5 required, by including the initial sellers of cryptoassets,  rather than just service providers in relation to the exchange of them.

Other guidance and policy statements

While cryptocurrencies per se are not currently regulated, the government and the regulators are monitoring their development and actively consulting on the appropriate response. In March 2018, the Chancellor of the Exchequer launched a Cryptoassets Taskforce (the “Taskforce”), consisting of HM Treasury, the FCA and the Bank of England. The Taskforce issued its final report in October 2018 (the “Report”). The Report considered the benefits of cryptoassets, such as their use as a means of exchange, use in investment or to support capital raising. The Report also considered the risks, including the risk of financial crime, risks to consumers who may lack sufficient understanding of cryptoassets, risks to market integrity and the potential implications for financial stability. Following on from the Report, the FCA and HM Treasury set out their plans for further consultations and guidance on various areas. The FCA issued guidance on the regulatory status of cryptocurrencies in July 2019 (PS 19/22), broadly setting out a four-classification system: exchange tokens and utility tokens outside the regulatory perimeter, and security tokens and e-money tokens within it. The guidance includes indicative lists of permissions needed for the issuance of security tokens and e-money tokens, along with the provision of exchanges, wallets, and payment services. These predominantly attach to the activities and the underlying contractual rights or services being offered, rather than the cryptocurrency or cryptoasset itself.  This report preceded the more recent expansion of the ‘DeFi’ business models, so does not address in detail newer trends such as staking and decentralised non-custodial services such as wallets and exchanges – and so there is not clear regulatory judicial guidance on the treatment of these business models.

Initial coin offerings  – i.e. the initial release of a new cryptoasset to the retail market – saw a surge in popularity in the autumn and winter of 2017 as a method of fundraising akin to crowdfunding, typically for the pre-purchase of cryptoassets on platforms that typically have not been built yet, at a discounted price. There were a huge number of ICOs carried out in many different jurisdictions, that raised vast amounts, and not infrequently on the back of vague or even entirely unfounded promises of technical development. Amongst those were a number of genuinely good offerings, but a relatively small proportion of those ICOs launched products with the cryptoasset as a core, and widely adopted means of value storage or transfer.

Through spring and summer of 2021, a different type of ICO has seen a similar surge in popularity and allocation of capital seeking returns: non-fungible tokens (NFTs) representing ownership or licences over images or other digital assets.  There are similar themes: a large number of projects, but only a small portion gaining traction or widespread adoption.  A major difference between the 2021 NFT popularity, compared to the 2017 ICO popularity, is a larger number of traditional businesses launching ‘NFT coins’, using it as a new way to interacting with customers and fans.

The vast majority of ICOs are not financial regulated offerings, since most cryptoassets do not quite fall within any of the “specified investment” definitions that would trigger compliance with the existing regulatory mechanisms. NFTs (representing a digital asset) are further from the regulatory perimeter of “specified investments” than the tokens in a ‘classic’ ICO, which normally represents a voucher that can be used to buy services. In almost all cases, the release of a new coin however will make the issuer a ‘cryptoasset exchange’ for the purposes of the UK money laundering regulations, which imposes active ‘know-your-client’ obligations.

This broad framework, and classification of tokens into: exchange tokens and utility tokens outside the regulatory perimeter, and security tokens and e-money tokens within it, was confirmed in FCA guidance in July 2019 (PS 19/22).

In advance of this, in September 2017 the FCA issued a warning to consumers about the risks of ICOs, describing them as “very high-risk, speculative investments”, pointing out that most are not regulated and have no form of investor protection, and often inadequate documentation.

While some ICOs offer tokens which do constitute “transferable securities”, as per the July 19 FCA guidance in PS 19/22, and therefore trigger compliance with the prospectus regime as with normal share offerings, the majority do not.

Two main points emerge from this, for fintechs considering engaging in an ICO. Firstly, the structure of the tokens and their proposed usage will need to be looked at with great care, as small changes could mean that the tokens and therefore the ICO fall into the regulated sphere. In accordance with the latest guidance, true “utility tokens” will sit outside the regulated sphere, compared to “security tokens” that sit with it, but the distinctions between them can be subtle.  This can include often overlooked types of security such as ‘collective investment schemes’ where assets are pooled to obtain a profit from the management of those assets, among other security types. Secondly, although there is no specific regulatory regime in relation to ICOs, other legal principles will still apply, particularly in relation to consumer rights, misrepresentation and fraud. As such, those offering ICOs need to be clear that what they are offering to consumers is genuine and evidenced – even if heavily caveated – so that they do not fall foul of these protections.

While change in respect of ICO treatment is foreseeable in the next 12-24 months, it is hard to specifically predict it.  Consultations are underway in respect of a UK Central Bank Digital Currency – but this would be a unique ICO, and also would is unlikely within 24 months.  Further consumer warnings are likely, however there is no specific indication of a legislative widening of the regulatory perimeter to cover true utility tokens.  Reasons for this may be the similarity of these services to other non-crypto services which are not intended to be regulated, and the increasing existence of ‘decentralised’ projects which often do not have legal personhood, or a controlling mind, and so present challenges to regulate or enforce sanctions against.  The most likely regulatory change in the next 12-24 months is increased limits on the offering, issuing and trading of cryptocurrency stablecoins.

There are many live operating blockchain projects within England and Wales. Blockchain technologies have been used in respect of equity issuance (Globacap), custodial wallet services (Argent), digital asset trading (Archax), central depository services (SETL), AML (Elliptic), and more.

There are a number of fintech suppliers who are using artificial intelligence actively in enhancing existing financial processes. One such is Eigen Technologies, which is using natural language processing to pull specific data fields out of large amounts of legacy documents in order to help financial institutions to get digital control of the data that they hold in other formats, in a fraction of the time that it would take humans to carry out the same task. There are other examples of regtechs that are using machine learning to extract and package up regulatory information. Other companies are using AI to spot behavioural patterns and anomalies in those patterns – one of AI’s strong suits. These include: payments authentication solution Cybertonica; email security firm Tessian; and Nasdaq Buy-Side Compliance (formerly Sybenetix), which is used by asset managers and hedge funds to spot anomalies and suspicious activity in traders’ trading patterns. Others use machine-learning to spot patterns in order to make predictions. These include: cashflow prediction engines Fluidly and Fractal Labs; and insurance pricing and risk engine Cytora.

There is limited regulation in this area at the moment, the main regulation being those parts of GDPR that touch upon the sorts of data processing that are often involved in machine learning. These will include, in particular, obligations in relation to profiling and automated decision making (see the answer to question 5 above). A House of Lords Select Committee was established in 2017 for the purpose of considering the economic, ethical and social implications of advances in AI. That Committee produced a report in 2018 which made large number of recommendations to the UK Government on a broad range of topics, and a suggested ethical framework for AI. In February 2021 the UK Government published a response to that report, noting that whilst there were many positives, there was also no room for complacency and there was much still to be done. However, there is still no clear legislative framework for AI in the UK.

In April 2021, the European Union published its proposal for an Artificial Intelligence Act, an ambitious proposal for a comprehensive legislative framework for AI – the first from a major global economy. Under the proposal, AI systems that can restrict an individual’s financial and professional opportunities are deemed high-risk and subject to strict requirements. This puts financial services use cases fully into scope, such as AI systems used to assess creditworthiness or monitor employees’ performance and compliance. Providers and users of AI high-risk systems will have to comply with stringent rules before and after the marketing or use of such systems. The Act will also have an extraterritorial impact on AI providers and users in non-EU jurisdictions if their AI systems affect individuals in the EU. We expect the EU to finalise the rules by 2023/2024, but a ‘wait and see’ approach is probably not viable for firms, given the breadth and complexity of the proposed requirements. Firms should assess which of their AI systems are likely to be high-risk and conduct a high-level gap analysis against the Act’s essential requirements. By doing so, they will gain an understanding of the scale of the effort required to implement the Act in due course, and the impact on their AI strategies. Although the UK is free, post-Brexit, to legislate separately – or not at all – in relation to AI, it seems likely that the EU’s proposals indicate at least the direction of travel for any future UK regulation, and will in any case affect any firms seeking to operate within Member States.

As it has in other jurisdictions, insurtech has developed more slowly in the UK than other aspects of the fintech industry. A combination of complex products, relatively heavy regulation and legacy systems have made it difficult for insurtech solutions to make headway, as have barriers to start-ups resulting from prudential capital requirements. Having said that, investment and growth have surged in recent years, as the industry has responded to technological advancement, customer expectations and market conditions. Insurtech is bringing changes to a number of areas, including disintermediation in insurance for SMEs and product development. To the extent that SMEs are increasingly moving toward cloud applications, opening up new avenues for direct connections to insurers, the demand for brokers may decrease. Insurtech is also changing the nature of the product offering, with new products including: parametric insurance, which pays out a defined amount upon an agreed trigger being hit; automated underwriting for single invoice insurance (against bad debt) from companies like Nimbla; predict-and-pay services, which shifts the focus from making indemnity payments as claims arise to predicting and preventing claims from arising in the first place; and narrowly tailored products and pricing, which uses a combination of static data, contextual information and real-time data to develop products and pricing.

It would be difficult to point to any area of fintech that is particularly strong within the UK, given the strong presence of fintech businesses across the board. Fintechs are active within the business and consumer credit space, payments (including account information services and the services built on this), e-money (including e-money as a means to authorisation by challenger banks), robo-advice and insurtech. The UK’s financial regulatory system is effective in enabling products and service offerings across a wide range of regulated services, facilitating innovation across the financial sector.

The beginnings of fintech in the UK were largely hyped as being about disruption, and at the time this was largely true: challenger banks and international money transfer businesses dominated the headlines. However, the market has now matured into three main sections. First are the genuine disruptors: those who take something that the incumbent banks already do, and do it faster, cheaper or in some way better – and steal market share by doing so. These include international money remittance providers and challenger banks. Second are probably the largest group overall, the suppliers: these are the companies supplying services to other financial institutions in order to help those institutions do something that they do already, but do it better. There are obviously a great many options here, but by way of example only this could include data gathering and analytics, onboarding / ID verification technology, or regtechs that help institutions to maintain compliance with their regulatory obligations. Third are arguably the most significant group in terms of the overall effect on the financial system, the niche-fillers. These are the companies that are doing something that no one else was doing before. This covers a broad range of services, from funding platforms that service loans that the incumbent banks would not normally take on, to companies that produce digital receipts for store purchases to companies that choose to offer traditional banking services in a way that makes them more accessible to people who normally find it difficult to get a bank account. In relation to the first category, collaboration is naturally less likely. However, the second and to a large extent the third categories lend themselves to collaboration. An incumbent financial institution can benefit from new innovations of suppliers without having to create them itself, and can partner with niche-fillers to participate in markets that were previously closed to them. It is in this context that we have seen the most activity and change over the past few years, as incumbents become more skilled at adapting their contracting and procurement processes to the start-up world.

In our experience there is still quite some way to go with many of the banks, but it is now far easier for a start-up to partner with a UK bank than it was even three years ago. A significant recent step in the field of collaboration is the release by the British Standards Institute of a guide on “Supporting fintechs in engaging with financial institutions”. This document was created by five of the UK’s biggest banks and a number of leading fintechs, led by Tech Nation and the Fintech Delivery Panel (see answer to question 10 above), to act as a guide for fintechs who may be unfamiliar with the procurement processes and concerns of financial institutions on how best to approach the various issues that typically come up in a “partnering process”. It is an excellent guide that any fintech should read, it is to our knowledge the first of its kind in the world where a number of major banks have come together to try to facilitate better collaboration with fintechs. There is an argument that similar guidance is needed for institutions to further improve their processes and strategy in order to partner with fintechs effectively, as unnecessarily burdensome documentation, policies and sign-off processes often stand in the way effective partnering – efforts are being made by some institutions in this direction but there are significant further improvements that could be made. The institutions that get the partnering process right stand to gain significant competitive advantage over their peers in the acquisition of new functionality for their customers.

A number of incumbent financial institutions (including both banks and insurance companies) are actively involved in running fintech programmes and accelerators. Most of the major retail banks run an innovation or accelerator programme of some kind, often teaming up with tech consultancies. In addition, many of the banks and insurance companies now have their own specific innovation function which is tasked with finding and partnering with fintechs that will be useful for their business.

The UK boasts many examples of fintechs disrupting the traditional financial, payments and insurance systems. The UK has seen more challenger bank activity than other regions, hosting Atom Bank, Tandem Bank, Monzo (the first online-only challenger bank to obtain a full banking licence) Monese, ANNA Money, Pockit, Starling, Tide and Revolut, among others. A number of these have already obtained a full banking licence whilst others have followed the path of first obtaining an e-money licence. The implementation of the second Payment Services Directive ((EU) 2015/2366) paved the way for a host of providers of account information services (“AISPs”) and, to a lesser extent, payment initiation services providers (“PISPs”). Notably, UK AISPs have taken the initial regulatory description of provision of account and transaction data from multiple accounts to a consumer and elaborated on this, developing innovative uses for this data to bring new fintech products to market, whether by improving on existing processes or creating new offerings. For example, AISPs are currently using account and transaction data to speed up the process of evaluating SME and consumer credit eligibility, thus streamlining the process of obtaining loans. Providers of accounting services use access to account data to provide faster and more accurate accounting services to their users. Other uses of AIS include innovative applications such as automated loyalty point and cashback provision. This space has also seen the growth of intermediary providers of account data, such as TrueLayer, Plaid and Yapily, who are registered as AISPs and provide AIS as a service to third parties in the fintech space who then use the data to provide services to end-users. Other areas in which UK fintechs lead run the gamut from robo-advising and app-based investing (Nutmeg and Wealthify), peer-to-peer money remittance (Wise), business-to-business lending (Funding Circle), providers of SME small- and micro-loans (iwoca), identity-verification (Onfido, Yoti), peer-to-peer lending (Zopa), invoice factoring (Market Finance), and open banking (Fractal Labs, Fluidly).