2022 was tough for FinTech. The year was defined by the so-called “market correction” following rising interest rates, which depressed the valuation of many FinTech firms, and by the “crypto winter”. There is, however, a case for optimism. Data published by Innovate Finance, the industry body representing the UK’s FinTech sector, suggests investment in UK FinTech grew by 24% to US$9.1 billion in the first half of 2022 and outperformed the global FinTech market.
As we look to the year ahead, we consider some of the upcoming themes which are likely to be important to the FinTech industry in 2023.
1. New rules for cryptoassets
Even Coinbase, one of the largest cryptocurrency trading platforms, acknowledges in its 2023 Crypto Market Outlook that “no one is arguing that digital assets haven’t faced an important setback”, with the total market capitalisation of cryptocurrencies falling 62% in 2022, from around US$2.2 trillion at the end of 2021 to US$835 billion at the end of 2022. Following the collapse of FTX in November 2022, governments are rushing to tighten the regulation of cryptoassets.
In the UK, section 65 of the Financial Services and Markets Bill 2022-2023 (FSM Bill) makes a number of clarifications to the regulation of cryptoassets and provides a statutory basis for additional powers to regulate the sector. The current version of the FSM Bill, published on 8 December 2022, is going through the House of Lords with Royal Assent expected by mid-2023. The UK Treasury and Bank of England (BoE) are also expected to issue separate consultations in February 2023 covering the extension of investor protection, market integrity and other regulatory frameworks that cover the promotion and trading of financial products to activities and entities involving cryptoassets, in the case of the UK Treasury, and provide detail on the regulatory framework that will apply to systemic payment systems, in the case of the BoE.
In the EU, the European Parliament is expected to vote on the controversial Markets in Crypto-Assets (MiCA) Regulation in February 2023, which establishes a harmonised set of rules for cryptoassets and related activities. MiCA is expected to enter into force in the first quarter of 2023, but is likely to be subject to a transitional period of 18 months. On 10 January, the UK’s City minister Andrew Griffith told the Treasury select committee that MiCA was a “good attempt” at regulating cryptocurrencies but that it only covered some of the areas which will be addressed by the UK regime when it publishes its own plans in the coming weeks. The EU Parliament is also due to vote on the Transfer of Funds (TFR) Regulation, which extends traceability requirements to cryptoassets in early 2023, which will cause significant compliance challenges for crypto holders and exchanges once in effect.
Central Bank Digital Currencies (CBDCs) may thrive in a more regulated crypto market. A CBDC is money produced by a central bank that is fully digital. Like a stablecoin, a CBDC avoids price volatility as it is pegged to a fiat currency, but it also has the security of being backed by a central bank. However, the central bank will generally wish to retain governance and control of its CBDC. For some, a CBDC is doomed to fail if it does not adopt the most revolutionary aspect of cryptocurrencies: decentralisation. Nonetheless, according to the IMF, around 100 countries are exploring a CBDC, with some already available to the public, including the Bahamas “Sand Dollar”. On 9 December 2022, the BoE posted a request for applications for a “proof of concept” for a sample CBDC wallet.
Some crypto firms are actively inviting regulation and scrutiny. Crypto trading app Tap Global listed on London’s Aquis stock exchange this month, stating it was “going down the fully regulated route“. This may not be the only crypto listing in 2023.
2. New rules for BNPL
On 20 June 2022, the government published its consultation response setting out the government’s proposals for the regulation of buy now, pay later (BNPL). The government aims for new legislation to enter into force in mid-2023 (a consultation on this is now due), after which the Financial Conduct Authority (“FCA”) will consult on its rules for the sector.
The consultation confirms:
- the scope of regulation should capture BNPL and short-term interest-free credit (STIFC) when they are provided by third party lenders;
- this scope should extend to also capture STIFC provided directly by merchants where it is offered online or at a distance, but further stakeholder engagement is necessary to fully understand the scale of the merchant-offered STIFC market;
- exemptions will be allowed for specific agreements where there is limited risk of potential consumer detriment and where regulation would otherwise adversely impact day-to-day business activities; and
- the application of the Consumer Credit Act 1974 (CCA) will be tailored to these products and the elements of lending practice most linked to potential consumer detriment.
In a similar vein, an increasing number of employers are looking to offer early wage access schemes, which allow employees to receive part payment of their wages or salary in advance of their normal payday. Depending on how these schemes are structured, they may or may not amount to consumer credit and the FCA has shown interest in this area. As these schemes become more prevalent, there is likely to be further FCA scrutiny in 2023.
3. Open Banking and PSD3
Open Banking allows third party financial services firms to access a consumer’s financial data, with their permission, to allow the networking of accounts and data across institutions. Open Banking aims to enable customers to better manage their accounts and control their finances.
The EU’s Second Payment Services Directive (PSD2) came into force on 13 January 2018. PSD2 introduced new rules that provided the basis for Open Banking across the EU and set requirements for firms that provide payment services.
Between 10 May 2022 and 5 July 2022, the European Commission (EC) opened consultations on revisions for the Second Payment Services Directive and on the open finance framework and data sharing in the financial sector. In parallel, the EC also launched a public consultation on PSD2 between 10 May 2022 and 2 August 2022. The digital finance strategy and the retail payments strategy announced the launch of a comprehensive review of the application and impact of PSD2 to assess whether the legislation remains fit for purpose. The consultations may ultimately result in new legislation (PSD3). There is no exact timeline of when PSD3 will come into force, but it is expected that the EC will publish the final draft in the first half of 2023.
Post-Brexit, the UK is of course not bound to follow EU law and can choose whether or not to incorporate any aspects of PSD3 into UK legislation. On 16 December 2022, the joint regulatory oversight committee, a cross-authority committee, published a joint statement on its future vision for Open Banking in the UK. It is notable that there has been growing divergence between the UK and EU approach to PSD2. For example, the FCA has taken a different approach to the EU on the definition of “Strong Customer Authentication” (SCA). FinTech firms will watch carefully how the UK responds to the EU’s approach to PSD3, particularly if there is a divergence in approach.
4. The rise of Embedded Finance
There is increasingly a divergence between firms that are responsible for customer acquisition and firms that are responsible for providing financial products. “Embedded Finance” is the integration of traditional finance and banking services into a non-financial service business (an EF Provider). It allows EF Providers to offer financial services, such as bank accounts, payments and lending, to create new revenue streams from their customers. EF Providers with a strong brand and high volume of customers, such as retailers and telcos, are particularly well placed to benefit from Embedded Finance.
McKinsey estimates that the Embedded Finance market could double in size within the next three to five years. In response, both traditional financial institutions and innovative FinTechs are offering aspects of the financial services value chain to EF Providers (for example, via “Banking-as-a-Service” (BaaS) solutions).
This is not new. Brand-led businesses have been offering white-labelled financial services products in partnership with financial institutions for decades. What is new is that technologies now allow financial products to be easily embedded into an EF Provider’s traditional offerings, leveraging innovative APIs. This has made Embedded Finance solutions far easier to adopt and more accessible to customers in the ordinary course of their interactions with an EF Provider.
EF Providers must be careful. Even introducing customers to providers of financial products can amount to a regulated activity and generally must only be conducted by a business with authorisation to do so, or in reliance on an exemption. EF Providers will need to carefully assess if they may be conducting any regulated activities and may require FCA authorisation prior to offering any Embedded Finance product. EF Providers may be able to rely to some extent on the authorisations of their BaaS provider, but this will become more challenging in the future (see Section 5 below).
5. Tighter rules for Appointed Representatives
FinTech firms have often made use of the Appointed Representative (AR) regime to comply with regulatory requirements at the early stages of their development. The AR regime enables unauthorised firms to engage in regulated activities on behalf of a “principal” firm, which is authorised by the FCA. The principal will be responsible to the FCA for the acts and omissions of the AR when carrying out the regulated activities (and will, in turn, require the AR to comply with FCA rules).
The AR regime has been useful for FinTech. The FCA has acknowledged that it has helped to foster innovation in financial services. In particular, the AR regime has lowered the barriers to entry for FinTech firms. It is quicker and cheaper than direct authorisation which requires a substantial investment, both in applying for authorisation and developing a compliance function. A FinTech start-up may not want to initially incur this overhead while developing its business model.
However, the FCA became concerned that the AR regime was being used to avoid regulatory scrutiny and this has resulted in consumer harm. FCA policy statement PS22/11 introduced new requirements which came into force on 8 December 2022 and has substantially tightened the rules governing the AR regime, with a focus on improving principals’ oversight of their ARs. The FCA expects this to reduce the number of ARs by about 10%. Together with the Treasury, it is also considering additional regulation in 2023.
These changes will have a significant impact on the FinTech sector in 2023, both by reducing the number of principals willing to act as ARs and increasing the scrutiny on firms, both before and after becoming an AR.
6. New Consumer Duty
The implementation deadline for the new Consumer Duty is 31 July 2023. The Consumer Duty describes a tiered suite of principles, rules and outcomes requiring firms to avoid causing foreseeable harm to retail customers and to deliver good outcomes for them.
The Consumer Duty will apply to all parties involved in distributing regulated products to retail customers, including those who have no direct relationship with them. The extent to which the duty will apply will depend on the role the party plays, with more expected of firms with a direct relationship than those without. The FCA expects the Consumer Duty to trigger a wholesale reassessment of firms’ activities in regard to consumers.
FinTech firms in particular will need to review third party arrangements, conduct a gap analysis of their dealings with consumers, amend existing policies and update Conduct Rule training to reflect the new Conduct Rule 6 (requiring staff to act to deliver good outcomes for retail customers).
7. Artificial Intelligence
Artificial Intelligence (AI) solutions underpin many of the innovations in FinTech. Firms will be cautious of any regulation which places new restrictions on the use of this technology. This is, however, an area of intense regulatory activity.
On 18 July 2022, the UK government set out its new proposals for regulating the use of AI. This outlines a framework that is principles based and focused on how AI is used rather than the technology itself. In addition, the Data Protection and Digital Information Bill, which will also impact on the use of AI, has completed its second reading in the House of Commons. A white paper giving further details of the government’s approach is expected imminently.
On 11 October 2022, the FCA published Discussion Paper DP5/22 on Artificial Intelligence and Machine Learning. The key question raised by the paper is whether AI can be managed through clarifications of the existing regulatory framework, or whether new regulations are needed. FinTech firms will no doubt have a clear position on this and have until Friday 10 February 2023 to make their views heard.
In the EU, the EC adopted its proposal for the AI Act in April 2021. The Act aims to ensure that AI systems used within the EU are safe and respect existing laws on fundamental rights and EU values. In addition, the EC adopted the Proposal for an Artificial Intelligence Liability Directive on 28 September 2022. While the AI Act aims to prevent damage, the AI Liability Directive outlines a compensation structure in the event of damage. The EC’s proposals will now need to be adopted by the European Parliament and Council. The European Parliament aims to vote on the text sometime in the first quarter of 2023.
8. From Big Tech to FinTech
“Big Tech” firms have expanded rapidly into financial services. In October 2022, the FCA published Discussion Paper DP22/5 on the potential competition impact of this activity. The FCA specifically looked at four retail markets: payments, deposit taking, consumer credit and insurance. To date, Big Tech firms have been most active in payments, but are increasingly venturing into new markets, like consumer credit and insurance. They have avoided those financial services carrying the most significant regulatory requirements, such as deposit taking, mortgages and pensions.
Source: FCA Discussion Paper DP22/5
The FCA discussion period finishes on 15 January 2023. Following this, the FCA will consider feedback and publish a Feedback Statement in the first half of 2023. The discussion will inform the FCA’s approach to Big Tech firms in the context of the UK pro-competitive regime for digital markets.
The FCA’s recent focus on financial promotions in the retail investment space is demonstrated by the voluntary agreement reached with Google under which Google has agreed to ban any financial promotions that have not been approved by an authorised person. Other Big Tech firms may follow suit.
9. Delivering “Operational Resilience”
Following a number of high-profile IT failures and data breaches in the financial services sector, in recent years a key priority for regulators has been to put in place a regulatory framework to promote the operational resilience of firms.
In March 2022, new rules published by the FCA, BoE and the Prudential Regulation Authority (PRA) to improve the operational resilience of the UK financial sector came into force (see FCA’s PS21/3 and PRA’s SS1/21).
By 31 March 2022, financial services firms within scope of the new rules must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
As soon as possible after 31 March 2022, and by no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances. Given the scale of work required, firms will need to ensure their operational resilience projects are well progressed in 2023 if they are to be confident of meeting the deadline.
On 28 November 2022, the EU Council adopted the Digital Operational Resilience Act (DORA) which contains similar requirements, with obligations coming into effect late in 2024 or early 2025 at the latest.
10. Critical third parties to be directly regulated
As financial services firms have increasingly transitioned into cloud computing, they have become heavily reliant on the cloud infrastructure provided by a small number of Big Tech firms. The services and products provided by FinTech firms will often be cloud-based solutions, allowing for scalability as the business grows.
The failure of such critical third party service providers has become a major concern for global regulators, fearing a market-wide, systemic risk. To some extent, these risks are addressed by operational resilience requirements (see Section 9), the EBA Outsourcing Guidelines and other regulations applicable to authorised firms. However, the service providers themselves have generally remained beyond the reach of regulators, as they are generally not themselves authorised.
This has led to a flurry of discussion papers, consultations and new regulations considering how to regulate these critical third parties. In particular:
- The FSM Bill (see Section 1) sets out a statutory framework for overseeing the resilience of critical services provided by third parties (see here).
- In July 2022, the PRA Discussion Paper 3/22 and FCA Discussion Paper 22/3 set out the potential ways to manage the systemic risks, including the direct regulation of critical third parties (see here). The opportunity to provide feedback closed on Friday 23 December 2022. The FCA/PRA plan to consult on these requirements in 2023.
- In October 2022, the Bank of International Settlements issued a discussion paper on a regulatory framework for Big Tech (see here).
FinTech firms which have previously provided technologies and services to authorised firms, but have not been authorised themselves, will need to consider if they will be subject to direct regulation in the future.