Fintech landscape and initiatives

General innovation climate

What is the general state of fintech innovation in your jurisdiction?

The United Kingdom has been at the forefront of innovation in technology and finance for many years and this remains the case today. As the worlds of technology and finance become increasingly linked, London, in particular, has unique advantages as the national centre of government and finance and with many world class universities nearby. Fintech businesses also benefit from the UK’s time zone, language and legal system.

While the continuing uncertainty regarding the nature and timing of the UK’s departure from the EU does not help fintech innovation, the government remains committed to attracting start-ups and scale-up entrepreneurs and investors. Indeed, the government believes that the UK is the global home of the fintech revolution, noting that in 2018 fundraising for UK fintech companies reached £15 billion, representing one in every six pounds invested in fintech globally. Moreover, the fintech sector now employs more than 67,000 people in the UK and is worth nearly £7 billion to the UK economy.

While the UK is home to fintech innovation across the waterfront, there is particular strength and expertise in AI and automation, blockchain and distributed ledger technology (DLT), cloud computing, cryptoassets, cybersecurity, big data, insurtech, open banking, payments, peer-to-peer (P2P) lending and crowdfunding, and regtech.

Government and regulatory support

Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

Fintech in the UK is promoted by a range of government and regulatory bodies.

The Financial Conduct Authority (FCA) started ‘Project Innovate’ in 2014 to encourage innovation and promote competition. Currently, Project Innovate includes six initiatives:

  • the Regulatory Sandbox allows businesses to test innovative propositions in the market with real consumers;
  • the Innovation Hub provides tailored regulatory support for innovative firms;
  • the Advice Unit provides feedback to firms developing automated advice and guidance models;
  • the Global Financial Innovation Network is an international group of financial regulators and related organisations, including the FCA, committed to supporting financial innovation internationally;
  • supporting regtech by encouraging the development of new technologies to help overcome regulatory challenges in financial services; and
  • engaging with firms across the UK and internationally to maximise the reach of the FCA’s Innovate initiatives.

The Bank of England is also interested in fintech. Its FinTech Hub includes the FinTech Accelerator Project, which works with businesses on fintech proofs of concept.

Financial regulation

Regulatory bodies

Which bodies regulate the provision of fintech products and services?

The FCA is the financial services regulator for most regulated activities and services that a fintech would provide. The Prudential Regulation Authority (PRA) is the regulator for banks in the UK. The FCA regulates conduct matters for banks.

Regulated activities

Which activities trigger a licensing requirement in your jurisdiction?

There are a large number of activities (‘specified activities’) that, when carried on in the UK by way of business in respect of specified kinds of investments, trigger licensing requirements in the UK. These are set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). While it is not practical to list them all, the most common include the following:

  • Accepting deposits: this is mainly carried on by banks and building societies. An institution will accept a deposit where it lends the money it receives to others or uses it to finance its business.
  • Dealing in investments (as principal or agent): buying, selling, subscribing for or underwriting particular types of investments. In respect of dealing as principal, the specified investments are ‘securities’ and ‘contractually based investments’. In respect of dealing as agent, the specified kinds of investments are ‘securities’ and ‘relevant investments’:
    • securities include shares, bonds, debentures, government securities, warrants, units in a collective investment scheme (CIS) and rights under stakeholder and personal pension schemes;
    • contractually based investments include rights under certain insurance contracts (excluding contracts of general insurance), options, futures, contracts for differences and funeral plan contracts; and
    • relevant investments include the same investments as contractually based investments but also include contracts of general insurance.
  • Arranging deals in investments (this is split into two activities and specified investments in respect of arranging include securities and relevant investments):
    • arranging (bringing about) deals in investments, which applies to arrangements that have the direct effect of bringing about a deal; and
    • making arrangements with a view to transactions in investments, which is much wider and includes arrangements that facilitate others entering into transactions.
  • Advising on investments: advising a person in their capacity as an investor on the merits of buying, selling, subscribing for or underwriting a security or relevant investment or exercising any right conferred by that investment to buy, sell, subscribe for or underwrite such an investment.
  • Managing investments: managing assets belonging to another person, in circumstances involving the exercise of discretion, where the assets include any investment that is a security or contractually based investment.
  • Establishing, operating or winding up a CIS: this is discussed in more detail in question 7.
  • Certain lending activities: entering into a regulated mortgage contract or a regulated (consumer) credit agreement (or consumer hire agreement) as lender.
  • Certain insurance activities: effecting a contract of insurance as principal and carrying out a contract of insurance as principal.
  • Payment services: providing payment services.
  • Electronic money: issuing electronic money.
Consumer lending

Is consumer lending regulated in your jurisdiction?

The general position is that lending by way of business to consumers is regulated in the UK. The FCA is responsible for authorising and regulating consumer credit firms.

There are two categories of regulated lending: regulated credit agreements and mortgages.

Any person (A) who enters into an agreement with an individual (or a ‘relevant recipient of credit’, which includes a partnership consisting of two or three persons not all of whom are bodies corporate and an unincorporated body of persons that does not consist entirely of bodies corporate and is not a partnership) (B) under which A provides B with credit of any amount must be authorised by the FCA - unless an appropriate exemption applies.

Two of the most common exemptions are: where the amount of credit exceeds £25,000 and the credit agreement is entered into wholly or predominantly for business purposes; and where the borrower certifies that they are ‘high net worth’ and the credit is more than £60,260.

Other complex exemptions are available that relate to, among other things, the total charge for the credit, the number of repayments to be made under the agreement and the nature of the lender.

If an exemption applies, the lender does not need to comply with the detailed legislative requirements that apply to regulated credit agreements contained in the Consumer Credit Act 1974 (CCA) (and secondary legislation made under it) and the FCA’s Consumer Credit Sourcebook (CONC).

Broadly, the CCA sets out the requirements lenders need to comply with in relation to the provision of information, documents and statements and the detailed requirements as to the form and content of the credit agreement itself.

The CONC chapter in the FCA Handbook sets out detailed rules that regulated consumer credit firms must comply with and covers areas such as conduct of business, financial promotions, pre-contractual disclosure of information, responsible lending, post-contractual requirements, arrears, default and recovery, cancellation of credit agreements and agreements that are secured on land.

In addition to the CONC, authorised consumer credit firms must also comply with other applicable chapters of the FCA Handbook.

Failing to comply with the requirements of the CCA may result in those agreements being unenforceable against borrowers and the FCA imposing financial penalties on the firm in question.

Entering into a regulated mortgage contract (RMC) is a regulated activity. Such contracts are loans where:

  • the contract is one under which a person (lender) provides credit to an individual or trustee (borrower);
  • the contract provides for the obligation of the borrower to repay to be secured by a mortgage on land in the European Economic Area (EEA); and
  • at least 40 per cent of that land is, or is intended to be, used:
    • in the case of credit provided to an individual, as or in connection with a dwelling by the borrower; or
    • in the case of credit provided to a trustee that is not an individual, as or in connection with a dwelling by an individual who is a beneficiary of the trust, or by a related person.
Secondary market loan trading

Are there restrictions on trading loans in the secondary market in your jurisdiction?

Provided that the loan itself is being traded, and not the loan instrument (eg, an instrument creating or acknowledging indebtedness), then there are no restrictions on trading loans in the secondary market.

Collective investment schemes

Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Establishing, operating or winding up a CIS is a regulated activity in the UK for which firms must be authorised by the FCA.

The definition of a CIS is set out in section 235 of the Financial Services and Markets Act 2000 (FSMA 2000). Broadly speaking, a CIS is any arrangement with respect to property of any description, the purpose or effect of which is to enable the persons taking part in the arrangements to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income. The persons participating in the arrangements must not have day-to-day control over the management of the property. The arrangements must also have either or both of the following characteristics:

  • the contributions of the participants and the profits or income out of which payments are to be made to them are pooled; or
  • the property is managed as a whole by, or on behalf of, the operator of the scheme.

Whether a fintech company falls within the scope of this regime will depend on the nature of its business. For example, fintech companies that manage assets on a pooled basis on behalf of investors should consider carefully whether they may be operating a CIS. On the other hand, fintech companies that only provide advice or payment services may be less likely to operate a CIS. Fintech companies are advised to seek legal advice on this subject and to have regard to their other regulatory obligations.

Alternative investment funds

Are managers of alternative investment funds regulated?

Managers of alternative investment funds are regulated in the UK under the Alternative Investment Fund Managers Directive (AIFMD), which has been implemented in the UK by the Alternative Investment Fund Managers Regulations 2013 and rules and guidance contained in the FCA Handbook.

Peer-to-peer and marketplace lending

Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

P2P lending is a term that generally refers to loan-based crowdfunding. In the UK, the FCA regulates loan-based crowdfunding platforms.

Under article 36H of the RAO, operating an electronic system that enables the operator (A) to facilitate persons (B and C) becoming the lender and borrower under an article 36H agreement is a regulated activity (and a firm will require FCA authorisation) where the following conditions are met:

  • the system operated by A is capable of determining which agreements should be made available to each of B and C;
  • A (or someone acting on its behalf) undertakes to receive payments due under the article 36H agreement from C and make payments to B that are due under the agreement; and
  • A (or someone acting on its behalf) takes steps to procure the payment of a debt under the article 36H agreement or exercises or enforces rights under the article 36H agreement on behalf of B.

An article 36H agreement is an agreement by which one person provides another with credit in relation to which:

  • A does not provide the credit, assume the rights of a person who provided credit or receive credit; and
  • either the lender is an individual or the borrower is an individual and the credit is less than £25,000, or the agreement is not entered into by the borrower wholly or predominantly for the purposes of a business carried on, or intended to be carried on, by the borrower.

In addition to falling within the definition of an article 36H agreement, a loan may also constitute a regulated credit agreement, unless an exemption applies (see question 5) and so a lender, through a platform authorised under article 36H, may also be required to have permission to enter into a regulated credit agreement as lender.

The FCA recently produced a policy statement confirming that new rules will come into place in December 2019 in relation to P2P lending. These will include:

  • enhanced requirements for platform governance arrangements including in relation to credit risk assessment, risk management and fair valuation practices;
  • strengthening rules on wind-down planning in the event of platform failure;
  • setting out the minimum information that a platform should provide to investors; and
  • introducing a requirement to monitor the investors that can use a platform, including that platforms assess investors’ knowledge and experience of platform lending where no advice has been given to them. Firms are required to ensure that retail clients:
    • be certified or self-certified as ‘sophisticated investors’ or ‘high net worth investors’; or
    • confirm before a promotion is made that they will receive regulated investment advice or investment management services from an authorised person; or
    • not invest more than 10 per cent of their net investible assets in P2P agreements in the 12 months following certification.

Describe any specific regulation of crowdfunding in your jurisdiction.

In the UK, reward-based crowdfunding (where people give money in return for a reward, service or product) and donation-based crowdfunding (where people give money to enterprises or organisations they wish to support) are not currently regulated in their own right.

Equity-based crowdfunding is where investors invest in shares in, typically, new businesses. Equity-based crowdfunding is not specifically regulated in the UK (in the same way as loan-based crowdfunding).

However, a firm operating an equity-based crowdfunding service must ensure that it is not carrying on any other regulated activity without permission. Examples of regulated activities that equity-based crowdfunding platforms may carry on (depending on the nature and structure of their business) include:

  • establishing, operating or winding up a CIS;
  • arranging deals in investments; and
  • managing investments.

Additionally, equity-based crowdfunding platforms must not market to retail clients unless an appropriate exemption applies.

The FCA recently produced a policy statement in respect of investment-based crowdfunding platforms. Recent work has focused on restrictions on the types of clients these platforms can market to and how this is managed. Further analysis and regulator comment is expected.

Invoice trading

Describe any specific regulation of invoice trading in your jurisdiction.

Currently, there are no regulations relating specifically to invoice trading.

However, depending on how the business is structured, a firm that operates an invoice-trading platform may be carrying on regulated activities for which it must have permission, including:

  • establishing, operating or winding up a CIS; and
  • managing an alternative investment fund.
Payment services

Are payment services regulated in your jurisdiction?

Payment services are regulated under the Payment Services Regulations 2017, which implement the second Payment Services Directive (PSD2) in the UK. Payment services include:

  • services enabling cash to be placed on a payment account and all the operations required for operating a payment account;
  • services enabling cash withdrawals from a payment account and all the operations required for operating a payment account;
  • the execution of the following types of payment transaction:
    • direct debits, including one-off direct debits;
    • payment transactions executed through a payment card or a similar device; and
    • credit transfers, including standing orders;
  • the execution of the following types of payment transaction where the funds are covered by a credit line for the payment service user:
    • direct debits, including one-off direct debits;
    • payment transactions executed through a payment card or a similar device; and
    • credit transfers, including standing orders;
  • issuing payment instruments or acquiring payment transactions;
  • money remittance;
  • payment initiation services (initiating a payment order at the request of a payment service user with respect to an account held with another payment service provider); and
  • account information services (online service to provide consolidated information on one or more payment accounts held by the payment service user with another one (or more) payment service provider).

PSD2 broadens the scope of transactions governed by its provisions, narrows the scope of certain exclusions, amends the conduct of business requirements and introduces security requirements.

To provide payment services in the UK, a firm must fall within the definition of a ‘payment service provider’. Payment service providers include ‘authorised payment institutions’, ‘small payment institutions’, credit institutions, electronic money institutions, the post office, the Bank of England and government departments and local authorities.

A firm that provides payment services in or from the UK as a regular occupation or business activity (and is not exempt) must apply for authorisation or registration as a payment institution.

Open banking

Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

Following its investigation into the retail and SME banking sectors between 2013 and 2016, the UK’s competition authority (the Competition and Markets Authority (CMA)) ordered a number of remedies to help promote greater competition in the retail and SME banking markets.

One of the core remedies ordered by the CMA requires the nine largest retail banks in Great Britain and Northern Ireland to develop and implement an open banking standard application programming interface (API) to give third parties access to information about their services, prices and service quality in order to improve competition, efficiency and stimulate innovation. The open APIs also allow retail and SME customers to share their own transaction data with trusted intermediaries, which can then offer advice tailored to the individual customer.

These measures are intended to make it easier for customers to identify the best products for their needs. Additionally, PSD2 (see question 12) requires banks to allow third-party payment service providers to initiate payments from their customers’ accounts.

Insurance products

Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Effecting or carrying out a contract of insurance is a regulated activity and fintech companies that wish to do this must be regulated. Companies that wish to market insurance products must either be regulated, have their marketing material approved by a regulated firm or fall within an applicable exclusion (see question 18).

Credit references

Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Providing credit information services and providing credit references are regulated activities for which firms must be regulated. A firm provides credit information services where it takes any of the following steps (or gives advice in relation to any of the following steps) on behalf of an individual or relevant recipient of credit:

  • ascertaining whether a credit information agency holds information relevant to the financial standing of an individual or relevant recipient of credit;
  • ascertaining the contents of such information;
  • securing the correction of, the omission of anything from, or the making of any other kind of modification of, such information; and
  • securing that a credit information agency that holds such information:
    • stops holding the information; or
    • does not provide it to any other person.

Providing credit references involves providing people with information relevant to the financial standing of individuals or relevant recipients of credit where the person has collected the information for that purpose.

In addition, the Small and Medium-Sized Business (Credit Information) Regulations 2015 (SMB Regulations) require:

  • designated banks to share specified credit information about SMEs with designated credit reference agencies (with the permission of the relevant SME); and
  • designated credit reference agencies to provide this information to finance providers at the request of the SME and to the Bank of England.

While the provision of this information is not a regulated activity under FSMA 2000, the FCA does monitor and enforce compliance with the SMB Regulations.

Cross-border regulation


Can regulated activities be passported into your jurisdiction?

An EEA firm that has been authorised under one of the EU single market directives may provide cross-border services into the UK. For these purposes, the relevant single market directives include the:

  • fourth Capital Requirements Directive;
  • Solvency II Directive;
  • second Markets in Financial Instruments Directive (MiFID II);
  • Insurance Distribution Directive;
  • Mortgage Credit Directive;
  • fourth Undertakings for Collective Investment in Transferable Securities Directive;
  • AIFMD;
  • PSD2; and
  • Electronic Money Directive.

In order to passport a regulated activity into the UK, a firm must first provide notice to its home regulator. The directive under which the EEA firm is seeking to exercise passport rights will determine the conditions and processes which that firm must follow.

Operating an electronic system that enables the operator to facilitate persons becoming the lender and borrower under an ‘article 36H agreement’ (see question 9) is not currently an activity that may be passported.

It is unclear at this point how Brexit might affect the ability for EEA firms to passport services into the UK, and UK firms to passport services into the EEA, in the future.

Requirement for a local presence

Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local presence?

An EEA firm may exercise passport rights to provide services in the UK (see question 16). Alternatively, in the case of a non-EEA firm or an EEA firm that is not undertaking an activity that can be passported into the UK, it must establish a local presence and obtain an appropriate licence. For example, an equity crowdfunding platform with the relevant permissions in another EEA state may be able to passport into the UK without establishing a local presence.

Operating an electronic system that enables the operator to facilitate persons becoming the lender and borrower under an article 36H agreement (see question 9) is not currently a passportable activity.

Therefore, P2P or marketplace lending platforms that are licensed under local rules governing P2P or marketplace lending in other jurisdictions (whether inside or outside the EEA) would have to establish a local presence and become appropriately regulated.

Sales and marketing


What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?


The UK has a comprehensive set of rules relating to financial promotions. These are set out in Chapter 4 of the FCA’s Conduct of Business Sourcebook (COBS).

The definition of a financial promotion is very wide and includes an invitation or inducement to engage in investment activity that is communicated in the course of business. Marketing materials for financial services are likely to fall within this definition.

The basic concept is that financial promotions must be fair, clear and not misleading. FCA guidance suggests that:

  • for a product or service that places a client’s capital at risk, it makes this clear;
  • where product yield figures are quoted, this must give a balanced impression of both the short- and long-term prospects for the investment;
  • where the firm promotes an investment or service with a complex charging structure or the firm will receive more than one element of remuneration, it must include the information necessary to ensure that it is fair, clear and not misleading and contains sufficient information taking into account the needs of the recipients;
  • the FCA, PRA or both (as applicable) are named as the firm’s regulator and any matters not regulated by either the FCA, PRA or both are made clear; and
  • where if it offers ‘packaged products’ or ‘stakeholder products’ not produced by the firm, it gives a fair, clear and not misleading impression of the producer of the product or the manager of the underlying investments.

However, an exemption may be available to keep marketing materials outside the scope of the financial promotion rules. For example, exemptions may be available for communications to high-net-worth individuals and companies and sophisticated individuals and other investment professionals.

Only authorised persons may make financial promotions and it is a criminal offence for an unauthorised person to communicate a financial promotion. Any agreements entered into with customers as a result of an unlawful financial promotion are unenforceable.


In relation to lending, there is also a comprehensive set of rules and the position is similar, but not identical, to that set out in COBS.

In respect of credit agreements, CONC 3.3 applies and provides that a financial promotion must be clear, fair and not misleading. In addition, firms must ensure that financial promotions:

  • are clearly identifiable as such;
  • are accurate;
  • are balanced (without emphasising potential benefits without giving a fair and prominent indication of any relevant risks);
  • are sufficient for, and presented in a way that is likely to be understood by, the average member of the group to which they are directed, or by which they are likely to be received;
  • are presented in a way that does not disguise, omit, diminish or obscure important information, statements or warnings;
  • present any comparisons or contrasts in a fair, balanced and meaningful way;
  • use plain and intelligible language;
  • are easily legible and audible (if given orally);
  • specify the name of the person making the communication (or whom they are communicating on behalf of, if applicable); and
  • do not state or imply that credit is available regardless of the customer’s financial circumstances or status.

Various other detailed requirements apply depending on the type of credit (eg, P2P, secured, unsecured or ‘high-cost short-term’ credit) and the type of agreement (eg, whether it is secured on land), which govern things such as:

  • the requirement to include particular risk warnings and how those warnings must be worded;
  • when and how annual percentage rates and representative examples must be included and displayed; and
  • expressions that cannot be included in financial promotions.

In relation to mortgages, chapter 3A of the MCOB sourcebook applies. In addition to being clear, fair and not misleading, financial promotions must:

  • be accurate;
  • be balanced (without emphasising any potential benefits without also giving a fair and prominent indication of any relevant risks);
  • sufficient for, and presented in a way that is likely to be understood by, the average member of the group to whom it is directed, or by whom it is likely to be received;
  • make it clear, where applicable, that the credit is secured on the customer’s home;
  • presented in a way that does not disguise, omit, diminish or obscure important items, statements or warnings; and
  • where they contain a comparison or contrast, be designed in such a way that the comparison or contrast is presented in a fair and balanced way and ensures that it is meaningful.

As with credit agreements, other provisions apply depending on the particular type of mortgage, covering, among other things:

  • the inclusion and presentation of annual percentage rates and other credit-related information;
  • points of contact; and
  • when and how financial promotions can be made.

Change of control

Notification and consent

Describe any rules relating to notification or consent requirements if a regulated business changes control.

Part 12 of FSMA 2000 sets out a strict system concerning changes of control of regulated firms, and failure to adhere to the appropriate statutory requirements can be a criminal offence, depending on the nature of the breach.

Controllers or potential controllers of FCA-authorised firms are required to make notifications to and obtain approval from the FCA when a change of control occurs. The notification must be made before a change of control takes place. A person who fails to obtain the appropriate FCA approval will be guilty of a criminal offence.

The notification process takes place under three parallel processes:

  • each new controller submitting the appropriate controller notification form to seek the FCA’s pre-approval;
  • each exiting controller notifying the FCA of the change of control; and
  • the FCA-regulated firm notifying the FCA of these changes.

In practice, a joint notification is usually made, coordinated by the FCA-regulated firm with the new controllers and exiting controllers. Any potential controllers must provide detailed information, including in respect of its group structure, senior management, commercial activities, any criminal or civil proceedings against the company, and details of the acquisition.

The FCA has a statutory assessment period of 60 working days to determine change-of-control applications. This can be interrupted for a period of 30 days. In practice, determinations are made more quickly. There is no application fee.

Financial crime

Anti-bribery and anti-money laundering procedures

Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

There is no legal or regulatory requirement for fintech companies to have anti-money laundering (AML) procedures unless the company is authorised by the FCA or carries out business that is subject to the Money Laundering Regulations 2017. However, the UK intends to implement the Fifth Money Laundering Directive (5MLD), which must be implemented by EU member states by 10 January 2020, irrespective of Brexit. Under 5MLD, the types of entities required to have money laundering procedures will be widened to include virtual currency exchanges providing exchange services between cryptoassets and fiat currencies, and custodian wallet providers. Further, following consultation, it is possible that the UK government may ‘gold plate’ the scope of 5MLD and also capture providers engaged in alternative exchange services of cryptoassets (such as P2P exchanges). Entities subject to UK money laundering regulation are or will be required to, among other things:

  • identify and assess the firm’s exposure to money laundering risk by, for example, undertaking a risk assessment;
  • perform customer due diligence to an adequate standard depending on the risk profile of the customer;
  • keep appropriate records;
  • monitor compliance with the AML regulations, including internal communication of policies and procedures; and
  • report suspicious transactions.

With respect to anti-bribery policies and procedures, fintech companies incorporated in or carrying on part of their business in the UK are subject to the Bribery Act 2010. While the Bribery Act does not require the implementation of policies or procedures to combat bribery, it creates a de facto requirement to do so. This is because a company charged with ‘failing to prevent bribery’ may rely on the statutory defence that the company had adequate policies and procedures in place designed to prevent such bribery. It is important to note that it is not just large companies that need to be concerned with this law. The successful prosecution of Skansen Interiors Ltd (a company with fewer than 30 employees) for failing to prevent bribery in 2018 indicates that UK prosecutors will target smaller companies for such an offence.


Is there regulatory or industry anti-financial crime guidance for fintech companies?

There is no anti-financial crime guidance specifically for fintech firms. However, firms that are authorised by the FCA should comply with its ‘Financial Crime Guide: A firm’s guide to countering financial crime risks’ ( In addition, the Joint Money Laundering Steering Group has issued guidance for the financial sector (

We also consider that it is important for fintech firms to understand the concerns and policy drivers that financial institutions have with respect to their fintech clients. In June 2018, the FCA sent a ‘Dear CEO’ letter to financial institutions, advising them to take ‘reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets’. This will have a consequential effect on fintech companies, as financial institutions are likely to apply the FCA’s guidance when conducting due diligence on and monitoring their relationships with crypto-businesses as a result of this letter. While not addressed to fintech companies, they may also find this guidance helpful in mitigating financial crime risks in their own relationships with individuals and entities whose wealth, funds or revenue derives from crypto-related activities.

Peer-to-peer and marketplace lending

Execution and enforceability of loan agreements

What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable?

Provided the essential elements of a contract are present, loan agreements governed by English law can be executed in the form of agreements by signatories of the respective parties having due authority. See question 5 for regulatory restrictions on lending.

The execution requirements for an English law security agreement will depend on the form of security agreement. However, most English law security agreements will be executed in the form of a deed to ensure that no challenge can be made on the grounds of a lack of consideration or owing to the form of property being secured. It is also common for a security agreement to grant the lender a power of attorney, which must be executed as a deed to be enforceable. Certain formalities are required for the execution of a deed. These are the following:

  • the deed must be in writing;
  • it must be clear on its face that it is intended to take effect as a deed;
  • it must be executed as a deed, the requirements of which will vary according to the legal personality of the executing party (for example, whether it is an individual or a company);
  • the signature of the executing party must be attested (in other words, witnessed); and
  • it must be delivered as a deed, which is to say that the parties must demonstrate an intention to be bound.

Typically, P2P marketplace lending platforms require agreements to be entered into electronically (e-signing). The e-signing of simple contracts (such as loan agreements) is accepted as creating enforceable agreements, subject to complying with regulatory requirements (eg, in respect of regulated lending). E-signing can take a range of forms, including typing the signatory’s name, signing through biodynamic software (ie, the signatory signing on a screen or on a digital pad) and clicking an icon on a web page. Certain limitations on e-signing generally need to be borne in mind. These are the following:

  • English law prohibits e-signing in respect of certain types of contract, including documents required to be registered at HM Land Registry.
  • Questions arise as to whether the prescribed formalities for executing deeds can be satisfied by e-signing. In particular, difficulties are likely to arise in satisfying the attestation requirement (where a deed is executed by an individual or by a single director of a company in the presence of a witness) by electronic means.
  • Even if it were possible to satisfy these formalities, there may be practical reasons (such as certainty and evidential issues) why executing a deed with a ‘wet-ink’ signature (rather than e-signing it) may be preferable. As such, best practice remains for deeds to be executed with a wet-ink signature.

Certain of these issues are currently being considered by the Law Commission (following a consultation in 2018), which is expected to report later in 2019.

Assignment of loans

What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these loans without informing the borrower?

To perfect a legal assignment of loans originated on a P2P lending platform, various criteria must be met. Most importantly, notice of the assignment must be received by the other party to the loan agreement.

In addition to this, the benefit under the loan that is being assigned must be absolute, unconditional and not purporting to be by way of charge only, the contract effecting the assignment of the loans must be in writing and signed by the assignor, and the assignment must be of the whole of the debt under the loan agreement.

Subject to certain exceptions, notice by email will comprise notice in writing under English law and, therefore, sending a notice to the other party to the loan agreement by email should not preclude it from being effectively delivered. However, a question remains over whether notice of assignment can be effectively delivered solely by updating the relevant party’s account on the P2P lending platform. It is therefore best practice to notify the other party to the loan agreement of the assignment both by email and an update to their P2P account.

If the assignment does not comply with the above criteria for a legal assignment, it may nevertheless take effect as an equitable assignment. One of the key distinctions between a legal and an equitable assignment is that, in the case of an equitable assignment, the person to whom the loan has been transferred would not be able to bring an action under the contract in their own name.

Securitisation risk retention requirements

Are securitisation transactions subject to risk retention requirements?

The risk retention requirements set out in EU Securitisation Regulation 2017/2402, which came into force on 1 January 2019 (the EU Securitisation Regulation) will apply directly to the ‘originators’, ‘sponsors’ and ‘original lenders’ of a ‘securitisation’ transaction (as each such term is defined in the EU Securitisation Regulation) where any of the originator, sponsor or original lender is established in the EU, and indirectly to originators, sponsors and original lenders of securitisation transactions that are offered to ‘institutional investors’ (as defined in the EU Securitisation Regulation) regulated by a competent authority of an EU member state (in each case, including any P2P Securitisation that falls within the definition of ‘securitisation’ in the EU Securitisation Regulation), as described further below.

What are the risk retention requirements?

The EU Securitisation Regulation requires the originator, sponsor or original lender in respect of a securitisation to retain on an ongoing basis a material net economic interest in such securitisation of not less than 5 per cent using one of five prescribed risk retention methods, including (among other things) retention of:

  • the most subordinated tranches, so that the retention equals no less than 5 per cent of the nominal value of the securitised exposures;
  • 5 per cent of the nominal value of each of the tranches sold to investors; or
  • randomly selected exposures equivalent to no less than 5 per cent of the nominal value of the securitised exposures.
Direct and indirect approaches

The retention requirement applies on a direct basis, as originators, sponsors and original lenders are required to agree on an entity that will act as retention holder and to ensure compliance with the retention requirements, and on an indirect basis, since it is incumbent upon investors in securitisation transactions to ensure that the retention requirement has been complied with. In the absence of agreement among the originator, sponsor or original lender as to who will be the retention holder, the originator shall be the retention holder. Originators, sponsors and original lenders may potentially be subject to a broad range of administrative sanctions (including significant fines) or remedial measures, or even criminal sanctions, where the they have negligently or intentionally infringed the risk retention requirements under the EU Securitisation Regulation. Investors in a securitisation that is non-compliant will be subject to higher regulatory capital charges.

Jurisdictional scope

The EU Securitisation Regulation does not explicitly set out the jurisdictional scope of the direct retention obligation (which is where the originator, sponsor or original lender would be required to comply with the risk retention requirements), but there is a helpful note in the Explanatory Memorandum to the original Commission proposal for the EU Securitisation Regulation that the intention is that the direct approach would not apply where none of the originator, sponsor or original lender is ‘established in the EU’. ‘Establishment’ is typically described by reference to the jurisdiction in which the legal entity is incorporated or has its registered office. Therefore, the non-EU subsidiary of an EU entity may not be subject to the direct retention obligation because a subsidiary is typically a separate legal entity, whereas a non-EU branch of an EU entity may be caught within this provision because a branch is typically not a separate legal entity.

Further, an unexpected and unintended consequence of the drafting under article 1(11) in a regulation amending Regulation (EU) No. 575/2013 (the CRR) (the CRR Amendment Regulation), which results in amendments to article 14 of the CRR, is that various new obligations, especially the direct obligation on the sponsor, originator, or original lender to comply with the risk retention obligations, will be applied on a consolidated basis. This raises challenges for third-country entities that are consolidated into European groups, as they may be required to comply with two potentially conflicting sets of requirements.

Possible retaining entities in respect of P2P securitisations

Typically, a P2P lending platform will not qualify as the ‘sponsor’ or ‘original lender’ of a P2P securitisation. However, it may qualify as an ‘originator’ if it was (either itself or through related entities) directly or indirectly involved in the original agreement that created the P2P loans being securitised. Whether or not the P2P lending platform comprises an originator will ultimately be a question of fact, but it is likely that some P2P lending platforms in the market will (by virtue of their documentation structure and role as operator of the platform) comprise originators for the purposes of the EU Securitisation Regulation. If this is the case, any such P2P lending platform will be required to retain a 5 per cent economic interest in any securitisation of loans originated on their platform unless the originator, sponsor or original lender have agreed between them that another entity will retain.

In the event that a P2P lending platform does either not qualify as an originator or does qualify as an originator but does not wish to retain, another entity with the capacity to retain will need to be identified and such entity will need to agree to retain in accordance with the terms of the EU Securitisation Regulation. Any entity that retains in the capacity of ‘originator’ is expected to be an entity of substance, and the EU Securitisation Regulation expressly provides that an entity will not be considered to be an originator where it has been established or operates for the sole purpose of securitising exposures. The EU Securitisation Regulation does not specify in what circumstances an entity will be considered to have been established for the sole purpose of securitising exposures but, in Final Draft Regulatory Technical Standards published in December 2018, the European Banking Authority (EBA) proposed that an originator will not be considered to have been established with the ‘sole purpose’ of securitising exposures if it satisfies certain conditions, including that:

  • it has a broader business enterprise and strategy;
  • it has sufficient decision makers with the required experience; and
  • its ability to make payment obligations does not depend on the exposures to be securitised or on any exposures retained for the purposes of the risk retention regulations.
Securitisation confidentiality and data protection requirements

Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information relating to the borrowers?

The entity assigning loans to the special purpose vehicle (SPV) must ensure that there are no confidentiality requirements in the loan documents that would prevent it from disclosing information about the loans and the relevant borrowers to the SPV and the other securitisation parties. If there are such restrictions in the underlying loan documentation, the assignor will require the consent of the relevant borrower to disclose to the SPV and other securitisation parties the information they require before agreeing to the asset sale. In addition, the SPV will want to ensure that there are no restrictions in the loan documents that would prevent it from complying with its disclosure obligations under English and EU law (such as those set out in the Credit Rating Agency Regulation).

Again, if such restrictions are included in the underlying loan documents, the SPV would be required to obtain the relevant borrower’s consent to such disclosure. In addition, if the borrowers are individuals, the SPV, its agents and the P2P platform would each be required to comply with the statutory data protection requirements under English law (see question 31).

Artificial intelligence, distributed ledger technology and crypto-assets

Artificial intelligence

Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

No specific rules or regulations exist governing the use of artificial intelligence in the UK (including in respect of robo-advice), save in respect of some limited specific regulatory provisions, most notable of which is in the EU General Data Regulation (GDPR) (see question 31), which provides limited requirements relating to automated decision-making, and the data protection implications of that activity.

Article 22 of the GDPR provides that individuals have a right not to be subject to solely automated decisions, where those decisions would have a legal or similarly significant effect on the individual. In practice this means that individuals can question decisions made by automated processes for decision-making, which are often implemented by fintech businesses using artificial intelligence, and have a right to have those decisions reviewed by a human. For example, a decision made by an online platform as to an individual’s approval for a loan would be capable of being questioned by the individual, if that decision is made solely on an automated basis by the online platform.

On robo-advice specifically, currently there are no specific regulations as noted above. However, the FCA’s regulatory regime is technology-neutral, and the underlying elements of a robo-advice product may be regulated, depending on what the product offers. The advice offered by a robo-adviser will be a regulated activity where that advice involves an element of personal recommendation as to what the recipient of the advice should do in respect of investments. The mere provision of information or guidance may not be regulated.

The subject of automated investment advice has in recent years received significant interest from regulatory bodies in the UK and the EU. For example, in September 2017 the FCA published guidance on ‘Streamlined advice and related consolidated guidance’ in its Finalised Guidance paper FG17/8. A more recent review by the FCA of automated investment services found failings in the provision of robo-adviser services in areas including (but not limited to):

  • the clear provision of appropriate information about services;
  • costs and associated charges;
  • the quality of suitability assessments taken by firms;
  • weaknesses in identifying vulnerable customers; and
  • the place of robo-advice in firms’ governance structures.
Distributed ledger technology

Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are no rules or regulations specifically governing the use of distributed ledger technology or blockchains in the UK.

Regulators in the UK in general seek to adopt a technology-neutral stance, regulating the outputs of systems rather than how they operate in the background. For example, the FCA in 2017 undertook a review of distributed ledger technology and its use in the financial services industry, and concluded that no technology-specific regulation is required to govern its use.

Having said that, some rules and regulations applicable in the UK indirectly have an effect on the deployment of distributed ledger technologies and blockchains as a result of the nature of the operation of these types of systems. For example, the GDPR (see question 31) generally requires personally identifiable information to be capable of erasure once it is no longer needed, which causes difficulties for those seeking to use distributed ledger technology to govern the use of that type of data, given the technology’s generally immutable (ie, unchangeable) nature. Another example is the Centralised Securities Depositary Regulation (an EU-level regulation applicable in the UK), which requires dematerialised securities to be settled through a Centralised Securities Depositary, which is a hurdle to be overcome for those fintech businesses seeking to settle securities via distributed ledger technologies (‘security tokens’).


Are there rules or regulations governing the use of cryptoassets, including digital currencies, digital wallets and e-money?

In the UK there are currently no specific rules or regulations governing the use of cryptoassets, although a number of different processes are ongoing to consider sector-specific regulation.

In 2018 the FCA, Bank of England and HM Treasury together launched the Crypto Assets Task Force, a group given the mandate to investigate the cryptoassets industry and consider regulation of that sector. In late 2018 the task force reported on its findings, recommending regulation of exchanges dealing in cryptoassets, and announcing the intention to launch a series of consultations on regulation of the cryptoassets industry, including on:

  • the transposition of the Fifth Anti-Money Laundering directive into UK law;
  • guidance around the application of existing financial services regulation to the cryptoassets market;
  • the potential extension of the FCA’s regulatory perimeter to encompass certain assets and activities within the cryptoassets sector; and
  • a potential ban on the offering of derivative products to retail customers, where those products reference cryptoassets.

At the time of writing, the first two consultations noted above had been launched. The first listed consultation on 5MLD is dealt with in question 20.

On the consultation for guidance on cryptoasset regulation (, this was launched in January 2019, and closed in April 2019. In broad terms this consultation sought input on proposed guidance to be issued by the FCA around how to apply existing financial services regulations to cryptoassets. In doing so, the FCA proposed a taxonomy covering exchange tokens (decentralised assets such as bitcoin), security tokens (blockchain traded products that have similar characteristics to traditional regulated securities) and utility tokens (blockchain traded products or other items that do not have similar characteristics to traditional regulated securities). At the time of writing, the results of this consultation have not been released, although it is reasonably likely that the draft guidance proposed in January 2019 will not be radically changed.

Therefore, in broad terms the approach in the UK to regulation of cryptoassets at present is for:

  • exchange tokens to not be specifically regulated;
  • utility tokens to not be specifically regulated, unless they fall within the definition of electronic money (see question 12); and
  • security tokens to be subject to the same regulations that apply to the traditional securities that those tokens represent - essentially confirming the FCA’s original view from 2017 that ‘tokenising’ a security does not assist in avoiding securities regulation.
Digital currency exchanges

Are there rules or regulations governing the operation of digital currency exchanges or brokerages?

There are no rules or regulations specifically governing the operation of digital currency exchanges or brokerages, where they deal in spot transactions of exchange tokens or unregulated utility tokens (see question 28). Where a digital currency exchange or brokerage deals in security tokens or any other regulated product (even if in tokenised form), FCA regulations will apply around authorisation and compliance to the same extent that they would apply to a traditional exchange or brokerage.

As noted in question 28, regulation around cryptoassets in the UK is undergoing some change at the time of writing. It is anticipated that further information on regulatory direction in respect of digital currency exchanges and brokerages will be released as part of the upcoming consultations referred to in question 28.

Initial coin offerings

Are there rules or regulations governing initial coin offerings (ICOs) or token generation events?

There are no rules or regulations specifically governing ICOs, token generating events or any other analogous token distribution process, provided that the tokens being issued as part of the process in question are unregulated utility tokens (see question 28). Where the token being issued is a security token, FCA regulations will apply around the issuing of securities (including without limitation requirements relating to prospectuses and financial promotions).

As noted in question 28, regulation around cryptoassets in the UK is undergoing some change at the time of writing. It is anticipated that further information on regulatory direction in respect of ICOs will be released as part of the upcoming consultations referred to in question 28.

Data protection and cybersecurity

Data protection

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

On 25 May 2018, the GDPR came into force with direct effect across the entire EU. The GDPR governs the storage, viewing, use of, manipulation and other processing by businesses of data that relates to a living individual. In summary, the GDPR requires that businesses may only process personal data where that processing is done in a lawful, fair and transparent manner, as further described in the GDPR.

The GDPR requires that any processing of personal data must be done pursuant to one of six lawful bases for processing. The most commonly used lawful basis for processing is to obtain the consent of the data subject to that processing - in relying on this lawful basis, the business must ensure that the consent is freely given, specific, informed and unambiguous, and capable of being withdrawn as easily as it is given. This places a significant burden on businesses to ensure that their customers are fully informed as to what their personal data is being used for, which is a crucial change to the previous regime under which disclosure did not need to be so transparent. Other lawful bases for processing data include where that processing is necessary for the business to perform a contract it has with the data subject, or where required to comply with an obligation the business has at law (not a contractual obligation).

The GDPR further differs from the previous regime in that it places a significantly increased compliance burden on businesses, including for example mandatory requirements to notify regulators of data breaches, obligations to keep detailed records on processing, and requirements for most entities to appoint a data protection officer.

The GDPR does not apply to personal data that has been truly anonymised - as anonymised data cannot, by definition, be personal data. However, in order to ensure that GDPR does not apply to a certain data set, that data set must be truly anonymised. The GDPR itself gives limited guidance on anonymisation in Recital 26, requiring data controllers to consider a number of factors in deciding if personal data has been truly anonymised, including the costs and time required to de-anonymise, the technology available at the time to attempt de-anonymisation, and further developments in technology.

Businesses that infringe the GDPR may be subject to administrative fines of an amount up to €20 million or 4 per cent of global turnover, whichever is higher.

In the UK, the Data Protection Act 2018 came into force at the same time as the GDPR. Among other things, it replaces the Data Protection Act 1998, fills in gaps in the GDPR and ensures that on leaving the EU, the UK will have an ‘adequate’ data protection regime compared to that of the EU (with the aim of ensuring an unhindered ability for businesses to transfer personal data between the UK and the EU). The oversight of UK businesses’ compliance with the GDPR and related legislation, and enforcement of them, is carried out by the UK regulator, the Information Commissioner’s Office.

There are no rules or regulations in the UK relating to personal data that are specifically aimed at fintech companies.


What cybersecurity regulations or standards apply to fintech businesses?

There are no rules or regulations in the UK that provide cybersecurity requirements for fintech businesses specifically. More generally, the GDPR (see question 31) imposes more general requirements on businesses in the UK to ensure a high standard of security over personal data that they process, including a general obligation to have in place reasonable technical and organisational measures to ensure the security of that data, compliance with which requires measures relating to cybersecurity to be put in place.

Further, for FCA-regulated businesses, the FCA has significant powers of oversight and enforcement in respect of those businesses’ internal systems and controls relating to protection of confidential client information. The FCA actively manages and oversees these requirements and in recent years has imposed significant fines on entities that have failed to meet these requirements.

Outsourcing and cloud computing


Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

The position on regulation of outsourcing by financial services companies in the UK has in recent months become a complex picture, encompassing a number of different requirements that apply in different ways, depending on the type of financial services business in question.

The most important of these recent updates are the new EBA guidelines. On 25 February 2019, the EBA published revised (final) guidelines on outsourcing arrangements (the Guidelines) for credit institutions and certain investment firms as well as payment and electronic money institutions. The Guidelines amend and finalise previously published draft guidelines in light of extensive consultation responses from the industry and industry bodies. The Guidelines therefore are consistent with, and build upon, the previous Senior Management Arrangements, Systems and Controls (SYSC 8) requirements (which now operate mostly as guidance rather than as requirements), but it should be noted that they apply to a broader set of businesses than SYSC 8 - most noteworthy is the inclusion of payment and electronic money institutions, which are not subject to SYSC 8.

In broad terms, the Guidelines seek to provide more granular detail around requirements that relevant businesses must comply with when carrying out an outsourcing, compared to the SYSC 8 requirements.

Subject to the UK incorporating the Guidelines into its national regulatory framework, the Guidelines will take effect on 30 September 2019. Until then, the EBA’s existing (and more limited) December 2017 recommendations on outsourcing to cloud services providers will continue to apply. There is also a backstop date for upgrading pre-existing contracts to comply with the Guidelines by 31 December 2021. The Guidelines support harmonisation of existing regulation and guidance applicable to different types of financial services firms.

Cloud computing

Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

There are no specific legal requirements in the UK with respect to the use of cloud computing in the financial services industry. However, there does exist a body of guidance on the subject, and a number of legal requirements that apply to indirectly regulate the use of cloud computing in financial services.

The primary legal requirements relevant to this question are the outsourcing requirements noted in question 33, which apply to financial services businesses when outsourcing material functions within their businesses. In many different contexts, use of cloud services will be of sufficiently significant importance to the business’ operations to bring that requirement into scope, and require the business to meet the outsourcing requirements referred to in question 33 in undertaking that outsourcing.

In respect of firms regulated by the FCA, the FCA retains jurisdiction over those firms in respect of their internal systems and controls, as noted in question 32.

Intellectual property rights

IP protection for software

Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer programs (and preparatory design materials for computer programs) are protected by copyright as literary works. Copyright arises automatically as soon as the computer program is recorded. No registration is required.

Databases underlying software programs may also be protected by copyright and, in certain circumstances, by database right. Database right is a standalone right that protects databases that have involved a substantial investment in obtaining, verifying or presenting their contents. Both database copyright and database rights arise automatically without any need for registration.

If the software code has been kept confidential, it may also be protected as confidential information. No registration is required.

Programs for computers, and schemes, rules or methods of doing business ‘as such’, are expressly excluded from patentability under the Patents Act 1977 (PA 1977). These exclusions ultimately flow from the European Patent Convention. Notwithstanding these exclusions, it is possible to obtain patents for computer programs and business methods if it can be shown that the underlying invention makes a ‘technical contribution’ over and above that provided by the program or business method itself, such as an improvement in the working of the computer. Accordingly, a well-drafted patent may be able to bring a computer-based, software or business method invention within this requirement, but this may be difficult to do and will not always be possible. Registration formalities must be followed to obtain protection.

IP developed by employees and contractors

Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

Copyright and database rights created by an employee in the course of their employment are automatically owned by the employer unless otherwise agreed. Inventions made by an employee in the course of their normal duties (or, in the case of employees who owe a special obligation to further the interests of their employer’s business, in the course of any duties) are automatically owned by the employer.

However, copyright and inventions created by contractors or consultants in the course of their duties are owned by the contractor or consultant unless otherwise agreed in writing. Database rights are owned by the person who takes the initiative and assumes the risk of investing in obtaining, verifying and presenting the data in question. Depending on the circumstances, this is likely to be the business that has retained the contractor or consultant.

Joint ownership

Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

Restrictions on a joint owner’s ability to use, license, charge or assign its right in intellectual property will depend on the intellectual property right in question. For example, the restrictions on a joint owner of a patent are different from those on a joint owner of copyright.

A joint copyright owner cannot copy, license or grant security over jointly owned copyright without the consent of the other joint owners (see sections 16(2) and 173(2) of the Copyright, Designs and Patents Act 1988). By analogy with the principles established in relation to other intellectual property rights, it is thought that the consent of other joint owners is also required to assign jointly owned copyright (although this is not settled law, since neither the relevant legislation nor current case law specifically address the question as to whether or not the consent of other joint owners is required).

In the case of UK patents and patent applications, a joint owner is entitled to work the invention concerned for his or her own benefit and does not need the consent of the other joint owners to do so (section 36(2) PA 1977). However, the consent of the other joint owners is required to grant a licence under the patent or patent application, and to assign or mortgage a share in the patent or patent application (section 36(3) PA 1977).

The situation is similar for UK registered trademarks. Each joint owner is entitled to use the registered trademark for their own benefit without the consent of the other joint owners (section 23(3) Trade Marks Act 1994 (TMA 1994)), but the consent of the other joint owners is required to grant a licence of the trademark and to assign or charge a share in the trademark (section 23(4) TMA 1994).

Given the variations in the rights and restrictions of joint owners discussed above, and given that the rights of joint owners also differ on a country-by-country basis, it is highly advisable in any situation where parties work together on a project to agree at the outset how the results are to be owned by the parties and their individual rights to exploit the results. In general, joint ownership of intellectual property should be avoided if possible because of the complexities described above.

Trade secrets

How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Protection of trade secrets in the UK is regulated by the Trade Secrets (Enforcement, etc) Regulations 2018 (Trade Secrets Regulations), which implement the Trade Secrets Directive in the UK and came into force on 9 June 2018. Trade secrets are also protected by the law on breach of confidence, which provides broadly the same level of protection as is required under the Trade Secrets Directive. The Trade Secrets Regulations define what qualifies as a protectable trade secret, providing protection for information that:

  • is secret, in the sense that it is not generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question;
  • has commercial value because it is secret; and
  • has been subject to reasonable steps (under the circumstances) by the holder of the information to keep it secret.

The Trade Secrets Regulations also implement aspects of the Trade Secrets Directive that differ from, or add to, the existing law applying to the protection of confidential information. This includes specifying the limitation period for bringing a trade secrets claim and the rules regarding the award of damages and interim and corrective measures.

Confidential information (which may include non-public information that is not captured by the definition of ‘trade secret’) can be protected against misuse, provided the information in question has the necessary quality of confidence and is subject to an express or implied duty of confidence. In the case of both trade secrets and the confidential information, no registration is necessary (or possible). Trade secrets and confidential information can be kept confidential during civil proceedings with the permission of the court.


What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected as registered trademarks either in the UK alone (as a UK trademark) or across the EU (as an EU trademark). A brand can also be protected under the common law tort of passing-off if it has acquired sufficient goodwill.

Certain branding such as logos and stylised marks can also be protected by design rights and may also be protected by copyright as artistic works.

The UK and EU trademark databases can all be searched to identify registered or applied for trademark rights with effect in the UK. It is highly advisable for fintech businesses to conduct trademark searches to check whether earlier registrations exist that are identical or similar to their proposed brand names. It may also be advisable to conduct searches of the internet for any unregistered trademark rights that may prevent use of the proposed mark.

Remedies for infringement of IP

What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Remedies include:

  • preliminary and final injunctions;
  • damages or an account of profits;
  • delivery up or destruction of infringing products;
  • publication orders; and
  • costs.


Sector-specific issues

Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

Competition authorities in the UK (and elsewhere) face a range of potentially complex competition law issues in relation to fintech offerings. These include:

  • the risks around the exchange of competitively sensitive information;
  • obtaining a dominant position in the market and any behaviour that could potentially exclude other market players;
  • the development and participation in technical standards;
  • exclusivity arrangements between parties to a fintech offering;
  • the limits of any specified tying or bundling of products or services to the fintech solution; and
  • issues around the anticompetitive use of algorithms and machine learning.

The CMA, FCA and Payment Systems Regulator generally consider fintech to represent a procompetitive force, leading to change in markets and encouraging innovation. For example, the FCA is an active participant in the Global Financial Innovation Network.

The CMA has recently undertaken a number of initiatives in order to formulate its approach to the regulation of competition in the UK digital markets, with a view to focusing on the protection of the consumer (see the ‘Tyrie Letter’, sent in February 2019, for more information). As well as undertaking an investigation into the retail banking market, seeking to implement open banking and improve the quality of information provided to customers, the CMA has also taken advice from external experts, advocating a more involved approach to competition regulation. The CMA has been advised to perform more sophisticated analyses of digital mergers, consider the role of big data in creating barriers to entry, and take account of network affects to create more effective rules for large digital platforms (see Furman and Lear reports for further information).

The future of fintech competition regulation will depend in some part on the UK’s relationship with the EU post-Brexit. The FCA has as one of its priorities the development of future bilateral arrangements with the EU and the rest of the world in order to promote its expertise in fintech regulation.



Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

The UK has introduced a wide range of tax incentives that are available to fintech companies and investors in such companies. The key incentives are set out below, although there are a number of conditions to be met to qualify for each scheme:

  • seed enterprise investment scheme (SEIS) - 50 per cent income tax relief and exemption from capital gains tax for investors in high-risk start-up trading companies;
  • enterprise investment scheme (EIS) - 30 per cent income tax relief and exemption from capital gains tax for investors in small high-risk trading companies;
  • venture capital trust (VCT) scheme - 30 per cent income tax relief and exemption from capital gains tax for investors in venture capital trusts, which subscribe for equity in, or lend money to, small unquoted companies;
  • entrepreneurs’ relief - a reduced 10 per cent capital gains tax rate for entrepreneurs selling business assets (only available to directors and employees of businesses);
  • investors’ relief - an additional reduced 10 per cent capital gains tax rate which allows other types of shareholders to benefit from the same relief as is provided under entrepreneurs’ relief when they sell their shares. Unlike entrepreneurs’ relief, this reduced rate is only available to investors who have not been officers or employees in the company whose shares are being sold;
  • research and development tax credits - tax relief for expenditure on research and development;
  • patent box regime - a reduced 10 per cent corporation tax rate for profits from the development and exploitation of patents and certain other intellectual property rights;
  • innovative finance ISA eligibility - P2P loans are eligible for inclusion in tax-free ISAs;
  • tax relief for P2P bad debt - an income tax relief for irrecoverable P2P loans, or P2P bad debt; and
  • P2P interest withholding tax exemption - P2P loan interest payments are exempt from UK withholding tax.

A company may raise up to £150,000 under the SEIS over a three-year investment period and up to a total of £5 million over 12 months from ‘relevant investments’, which includes investments under the SEIS, EIS schemes and investments by VCTs. While financial activities are an excluded activity for the SEIS, EIS and VCT schemes, as long as a fintech company is only providing a platform through which financial activities are carried out, such a fintech company should still qualify for those schemes assuming it meets the other conditions.

Increased tax burden

Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

In the 2018 Budget, the UK announced plans to unilaterally introduce a digital services tax (DST) from April 2020, with draft legislation expected in the 2019/2020 Finance Bill. The government issued its consultation in November 2018, which closed on 28 February 2019.

The proposed approach includes the following:

  • the DST would be a narrowly targeted 2 per cent tax aimed at specific digital business models where the revenue is linked to the participation of UK users;
  • an alternative basis of calculation would be available for businesses operating on a low profit margin. Under this calculation, loss-making companies would not have any DST liability and those with very low profit margins would have a reduced rate;
  • the measure would apply to companies with in-scope revenues of greater than £25 million in the UK and £500 million globally;
  • the revenue streams that the tax would apply to are: advertising via search engine results, advertising on social media platforms and the facilitation of transactions via online marketplaces;
  • the direct sale of goods and services (including goods, software, online content and broadcasting services) would be excluded from the DST;
  • the DST would be an allowable expense for UK corporate tax purposes. However, it would not be within the scope of the UK’s double tax treaties; and
  • where multilateral reform of the international corporate tax framework is achieved prior to 2025, the government would disapply the DST.

Please note that, following the consultation, the draft legislation may differ from the above.


Sector-specific schemes

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

Nationals from EU countries, Iceland, Liechtenstein, Norway and Switzerland

Fintech businesses are able to recruit workers from EU countries, Iceland, Liechtenstein, Norway and Switzerland in the same way and on the same basis as they recruit British nationals.

Nationals from other countries

Workers from other countries may only be recruited by UK fintech businesses if they meet the relevant eligibility criteria and are awarded sufficient points under a tiered points-based system. The relevant tiers for fintech businesses are likely to be tier 1 and tier 2. Tier 1 is open to workers with exceptional talent in fields including science, engineering and digital technology as well as investors. Tier 2 is open to skilled workers who are sponsored by a licensed organisation where the role is being transferred to the UK from overseas or cannot be filled by someone living in the UK.

A worker with skills deemed to be in short supply receives a number of advantages under the tiered points-based system. Roles currently deemed to be in short supply include IT business analysts, architects and system designers, programmers and software development professionals, and other information technology and communications professionals. Finance roles are not currently considered to be in short supply.

Alternatively, entrepreneurs may apply for either a ‘start-up visa’ or an ‘innovator visa’, depending on their level of experience.

In many cases, entrepreneurs and other workers will require an assessment or endorsement by a relevant UK body, which for fintech related roles is likely to be Tech Nation.


The UK’s immigration system is likely to change following the UK’s departure from the EU and is the subject of a government white paper published in December 2018.

Update and trends

Current developments

Are there any other current developments or emerging trends to note?

Current developments45 Are there any other current developments or emerging trends to note?Brexit

The continuing uncertainty regarding the timing and nature of the UK’s departure from the EU is the single biggest issue on the immediate horizon for the country’s fintech sector. Following a series of extensions, the UK is now due to leave the EU by 31 October 2019. However, at the time of writing, a number of scenarios remain possible, ranging from the UK remaining in the EU to the UK leaving without a deal.

Fintech businesses across the UK and other EU countries are particularly interested in any changes to access to the European single market. They are also concerned about any changes to the current regulatory regime which allows certain financial services businesses to operate across the UK and other EU countries under a single regulatory authorisation.

Similarly, given the reliance many UK fintech companies place on hiring engineers and scientists from elsewhere in the EU, any restrictions on their ability to keep or recruit EU citizens could have a negative impact on their growth.

Until the terms of the UK’s departure from the EU and their future relationship become clear, fintech businesses are advised to be prepared for a range of scenarios, including a ‘hard Brexit’.

Brexit is likely to affect fintech businesses in a variety of ways and timely advice is critical, especially where regulatory authorisations or licences may need to be amended or sought.

UK fintech strategy

The government recently launched its FinTech Alliance to bring together the UK’s fintech ecosystem in one digital marketplace in order to provide access to people, firms and information, including connections to investors, policy and regulatory updates, and the ability to attract and hire workers.

This followed the launch of the government’s fintech strategy in 2018. Key initiatives include:

  • exploring the scope for automating regulatory compliance;
  • investigating the potential of shared platforms to reduce costs for individual firms;
  • publishing industry standards to help fintech companies partner with existing banks;
  • helping firms expand through the use of international fintech bridges; and
  • exploring the risks of cryptoassets, the benefits of DLT and the appropriate regulatory response.
Legal and regulatory developments

There have been significant changes recently to the legal and regulatory landscape for crowdfunding, financial markets, payments, open banking, cryptoassets, ICOs, the protection of trade secrets and the protection of personal data.

There are more changes in the pipeline. Brexit will result in a large number of changes, both initially and over time. The FCA’s other areas of focus this year include:

  • addressing the risks of harm from insufficient operational resilience and outsourcing;
  • examining how firms use data and the impact on consumers;
  • supporting firms’ ability to compete with innovative new products and services;
  • looking at how regtech could reduce the regulatory burden on firms;
  • reviewing open banking and assessing open finance; and
  • publishing proposals on the regulation of cryptoassets.

The authors would like to thank Gareth Wadley at Gately Plc for his contribution as a co-author of question 44 on immigration.