Consumer finance, and retail banking and payments, are accessible and established industries in the UK. The regulatory environment is mature and is derived from both domestic and European legislation. Fast-paced innovation has diversified the market in recent years, with many new products and providers, although the availability of credit has in recent years become more restricted in some respects owing to the response of regulators and lenders to the financial crisis and other developments. For the most part, regulators have sought to facilitate innovation as the UK government tries to keep the jurisdiction competitive, while increasing consumer protection in a number of areas.


i Legislation

In the UK, consumer lending, deposit-taking and payments are regulated under a number of ‘vertical’ (i.e., product-specific) and ‘horizontal’ (non-product-specific) regulatory regimes, which to a large extent derive from EU laws. There is therefore a large degree of consistency of regulation across the European Economic Area2 (EEA) in these areas, with this being particularly the case for payments.

The consumer credit regimes for secured and unsecured lending are set out in the Consumer Credit Act 1974 (CCA), the Financial Services and Markets Act 2000 (FSMA), secondary legislation and the UK Financial Conduct Authority (FCA) Handbook of rules and guidance (the FCA Handbook).3 The FCA Handbook includes, among other things, the Consumer Credit sourcebook (CONC) and the Mortgage and Home Finance Conduct of Business sourcebook (MCOB). The CCA and FSMA implement and supplement the EU Consumer Credit Directive and Mortgage Credit Directive (MCD).4 FSMA sets out the licensing regime for different types of lending, as well as a range of intermediary and ancillary activities.

The consumer credit regimes are also highly prescriptive of conduct matters, such as the format and content of advertising and the information to be provided before, during and after entering into credit agreements; consumer rights; and required or prohibited practices, in areas such as underwriting, charging or collecting on loans. Failure to comply can in many cases have an impact on the enforceability of loan agreements and result in customer remediation and enforcement action. In many cases the consumer credit regime protects not only consumers, but also ‘quasi-consumer’ borrowers such as sole traders and certain small partnerships and unincorporated associations in the case of non-mortgage lending (certain business mortgages are also regulated). We discuss the consumer credit regime in more detail below.

FSMA also includes the licensing regime for deposit-taking, namely provision of banking products such as current and savings accounts, as well as a range of related conduct requirements protecting ‘banking customers’ (consumers and quasi-consumers5) under the Banking Conduct of Business sourcebook (BCOBS) in the FCA Handbook. BCOBS sets out a variety of obligations on banks (and rights for customers) in relation to bank accounts, for example:

  • a rights for banking customers to switch their accounts from one bank to another, where they do not already have such rights under the Payment Accounts Regulations (see below);6
  • b cancellation rights;7
  • c information requirements, which in many respects mirror those under the Payment Services Regulations 2009 (PSRs), distance marketing and e-commerce regimes (see below), but also apply more widely – for example to advertising;8 and
  • d liability of banks for unauthorised and improperly executed transactions, again mirroring those under the PSRs.9

As a general rule, where a bank account is already subject to the PSRs, matching requirements under BCOBS are disapplied.10

The payments regime is set out primarily in the PSRs, supplemented by detailed guidance in ‘The FCA’s role under the Payment Services Regulations 2009: Our approach’ document. The PSRs implement the EU Payment Services Directive (PSD),11 and include both a licensing regime for ‘payment institutions’, which are a form of non-bank financial institution, and extensive conduct requirements, which apply not only to payment institutions but also to other types of financial institution such as banks and electronic money institutions (EMIs) when providing payment services in relation to their products. We describe the PSRs in more detail later in this chapter.

Closely related to the payments regime is the electronic money (or e-money) regime under the Electronic Money Regulations 2011 (EMRs), which implement the EU Electronic Money Directive.12 The EMRs include a licensing regime for EMIs, which are non-bank financial institutions permitted to issue and hold e-money balances (effectively quasi-deposit balances that are intended as a means of spending rather than as a means of saving), and which can also provide the same payment services as payment institutions and limited credit facilities such as credit cards or quasi-overdraft facilities. The EMRs have a limited number of conduct requirements specifically for e-money, including prohibitions on payment of interest (or equivalent) and customer rights to refunds of their e-money.13 Again, the conduct requirements generally apply to all customers, although there is a partial opt-out from the refund provisions available for non-consumers.14

Other areas of payments regulation are:

  • a the EU Interchange Fee Regulation,15 which caps interchange fees, potentially requires reorganisation of card schemes (such as Visa and MasterCard), and requires changes to card scheme rules and customer agreements to provide, in particular, merchants with new rights when taking payments through the card schemes;
  • b the EU Payment Accounts Directive,16 as implemented in the UK by the Payment Accounts Regulations 2015, which impose fees transparency, account switching and accessibility obligations typically in relation to current accounts provided by banks but also potentially certain other payment accounts;17 and
  • c a purely UK regime under the Financial Services (Banking Reform) Act 2013 (FSBRA), which includes broad provisions geared toward improving competition, innovation and the service user experience in the context of payment systems (e.g., Visa, MasterCard and domestic UK clearing systems such as the faster payments service).

There are, additionally, a variety of ‘horizontal’ requirements generally applicable across all the consumer lending, retail banking and payment services referred to above, including for example:

  • a the anti-money laundering, terrorist finance and sanctions regimes under legislation such as the Money Laundering Regulations 2007, Proceeds of Crime Act 2002, Terrorism Act 2000, EU Wire Transfer Regulation18 and HM Treasury’s Consolidated List;19
  • b fairness requirements under the Consumer Rights Act 2015 (CRA) and (other than for payment institutions and EMIs) the FCA’s ‘treating customers fairly’ regime;20
  • c consumer cancellation rights and information requirements for financial services contracts entered into remotely with consumers (e.g., online or through a phone, under the Financial Services (Distance Marketing) Regulations 2004);
  • d information requirements and provisions on the placing and confirmation of orders under the Electronic Commerce (EC Directive) Regulations 2002, which also apply in part to non-consumers;
  • e prohibitions on a range of inappropriate practices with respect to consumers, including, for example, misleading omissions from advertising, under the Consumer Protection from Unfair Trading Regulations 2008; and
  • f restrictions and requirements regarding use of individuals’ personal data, including for marketing purposes, under legislation such as the Data Protection Act 1998 (deriving from the EU Data Protection Directive 1995,21 to be replaced by the EU General Data Protection Regulation22 with effect from May 2018) and the Privacy (Electronic Communications) Regulations 2003 (deriving from the Privacy and Electronic Communications Directive).23

Again, to a large extent those requirements derive from EU legislation.

As regards the impact of the ‘Brexit’ referendum on 23 June 2016, resulting in a vote for the United Kingdom to leave the EU, the general approach of the UK financial services regulators appears to be that it is business as usual24 and that financial institutions should continue to comply with EU laws or UK laws deriving from EU laws unless and until they are amended following implementation of Brexit.

Finally, although it falls outside the discussion in this chapter, it is worth noting that payment service providers (PSPs) and others involved in the issue or acceptance of credit cards, debit cards and similar products under the aegis of a card scheme, such as Visa or MasterCard, are usually subject to detailed rules, operating regulations or similar requirements set by the governing authority of the scheme.

ii Regulation

Following the financial crisis in 2007/8, the UK government undertook a review of all aspects of financial regulation, which led to a reformation of the UK’s financial regulators.

On 1 April 2013, the UK’s Financial Services Authority was abolished and its licensing and regulatory functions – including in relation to banking, e-money and payment services – were transferred to two new regulators: the Prudential Regulatory Authority (PRA) and the FCA. On that date the PRA became the licensing authority for banks (the powers of the PRA are, however, now planned to transfer to a Bank of England Prudential Regulation Committee)25 and the FCA became the licensing authority for non-bank mortgage lenders and intermediaries, payment institutions and EMIs. The FCA also became the conduct regulator for banks as well as most mortgage lenders, intermediaries, payment institutions and EMIs.

The Office of Fair Trading (OFT) had for a long time been the licensing and conduct regulator for most non-mortgage consumer lending, but it was dissolved and its responsibilities passed to the FCA in April 2014.

A subsidiary of the FCA, the Payment Systems Regulator (which became operational on 1 April 2015), is the lead regulator for the UK payment systems regime under FSBRA and the lead enforcement authority for the EU Interchange Fee Regulation.

Those regulators have at their disposal a wide range of investigative, enforcement and disciplinary tools. For example, they have a broad range of information gathering and investigatory powers; and they can impose (or apply to court for) a range of sanctions, typically including public censure, powers to give directions, financial penalties, disgorgement of illgotten profits, customer restitution, imposition of conditions on licences (or their revocation), injunctions and, in some cases, criminal prosecution.26

Finally, it is worth noting the out of court disputes resolution regime presided over by the Financial Ombudsman Service (FOS). This is governed by the Dispute Resolution: Complaints manual (DISP) in the FCA Handbook, and generally provides consumers and quasi-consumers with a free channel for bringing complaints against banks, lenders, payment institutions and EMIs (with those providers typically having to pay case fees to FOS). FOS has a mandate for determining complaints on the basis of what it considers to be ‘fair and reasonable in all the circumstances of the case’.27 If FOS upholds a complaint, as it often does, it can make a substantial financial award against the provider.


The payment services regime was introduced under the PSRs on 1 November 2009. At that time, its main impact was on traditional products such as current accounts, credit cards, money remittance and merchant acquiring. Since then, the range of payment products and PSPs on the market has diversified, particularly in the areas of digital and mobile banking, e-money and mobile payments – and the application of payment services regulation has broadened accordingly.

i Overview

In the following paragraphs, we summarise some of the main obligations on PSPs.

Regulated payment services

The PSRs regulates the following activities:

  • a executing funds transfers, for example, transfers to or from a payment account (such as a current account or e-money account), or placing or withdrawing of cash on such accounts, or money remittance services involving transfers that are not from or to an account;
  • b issuing payment instruments (e.g., payment cards or potentially apps in mobile phones); or
  • c acting as merchant acquirers or some other forms of payment processor.28

There are also a number of exemptions from those regulated payment services, perhaps most notably the following.

The commercial agent exemption is available for ‘payment transactions . . . through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee’. There has been much discussion over whether and when online marketplaces (or equivalent) should be able to rely on this exemption.

The limited network exemption, which most notably applies to ‘services based on instruments that can be used to acquire goods or services only . . . under a commercial agreement with the issuer, either within a limited network of service providers or for a limited range of goods or services’. This exemption lends itself to products such as certain fuel, restaurant or store cards – although some providers have sought to rely on it for broader networks of service providers, or wider ranges of goods and services, so requiring an exercise of judgment (and potentially engagement with local regulators) as to how far it is appropriate to do so.29

Authorisation and passporting

Where a PSP provides a regulated payment service in the UK, and an exemption does not apply, the PSP needs to be suitably licensed by the FCA or another relevant authority including in another EEA country. Typically, the PSP will be licensed as a bank, EMI or payment institution.

The PSRs set out the licensing regime for payment institutions.30 Licensed payment institutions are required to maintain a certain level of regulatory capital, and to safeguard customer funds. There are number of options for how to safeguard, with the most common method being to put funds received from or for customers (or matched amounts) in a ring-fenced bank account. Although this is the most common way to safeguard, it does often raise a number of operational challenges, and some PSPs will accordingly look to alternative safeguarding options such as safeguarding insurance (although this can be expensive and hard to obtain).31

Other key areas of focus under the licensing regime are the robustness of a payment institution’s systems and controls,32 particularly its IT systems; and the need for any functions outsourced by a payment institution – including intra-group outsourcings – to be appropriately overseen by the payment institution and to meet a number of other requirements.33

As well as payment institutions being permitted to provide regulated payment services, they can also provide credit in limited circumstances,34 for example by issuing credit cards.

A payment institution authorised in one EEA state (such as the UK) can use its licence in all other EEA states – the ‘passporting’ regime. This means that, once authorised in one EEA jurisdiction, a payment institution does not need fresh licences to provide payment services in others EEA countries, although it may need to comply with other local law requirements (such as anti-money laundering and data protection regulations).

Finally, a ‘small payment institution’ regime also exists but with restrictions on total monthly transaction amounts, and without the ability to passport.35

Conduct of business requirements

As well as the licensing regime for payment institutions, the PSRs set out extensive conduct requirements for all PSPs when providing payment services – including banks and EMIs, as well as payment institutions. Those requirements largely only apply to transactions executed in an EEA currency (such as the euro or sterling) where both the payer’s PSP and payee’s PSP are operating from a location in the EEA.36

PSPs have to provide pre-contract and transactional information to customers. In some cases, the information needs to be ‘provided’ in a ‘durable medium’, which raises a number of challenges as to how and when information is provided or stored.

The PSRs govern the time frames in which payments must be executed, after being initiated by a customer, in order to reduce the scope for PSPs to retain ‘float’ (i.e., to keep hold of funds for their own purposes rather than putting them at the disposal of their customers).

For transfers in euros (and domestic transfers in the domestic currency, such as sterling transfers within the UK), the payer’s PSP usually needs to ensure that cleared funds are received by the payee’s PSP by the end of the business day after the transfer was initiated. For other EEA currency transfers, up to four business days are usually permitted.37

Once the payee’s PSP receives cleared funds, it must immediately put them at the disposal of the payee.38

Departures from those rules apply most notably for internal transfers (where the same PSP is acting for both payer and payee), which need to be executed immediately; and for card payments, where there is a usually a basis for delaying putting funds at the disposal of the payee (i.e., of the merchant taking payment).

The PSRs also have detailed provisions as to the rights and liabilities of customers and PSPs; in particular, PSPs need to immediately re-credit unauthorised transactions to customers’ accounts (with limited scope for making customers liable for them), and are also ordinarily liable for misexecution of transactions, for example if they are sent to the wrong payee or not sent at all.39 These requirements brought important protections to customers, whose rights were – prior to introduction of the PSRs – less well defined in these areas, with delayed refunds of unauthorised transactions having been a particular concern of regulators.

Finally, it is worth noting that the PSRs set out high-level provisions on payments security, and constraints on certain charges and charging practices.

The conduct of business requirements in the PSRs apply to payment services provided not only to consumers but also to business customers, although non-consumers (other than micro-enterprises and charities)40 can be asked to opt out of many of the conduct requirements.41

ii Recent developments

The PSD will be replaced by the second EU Payment Services Directive42 (PSD2), which must be implemented into each EEA state’s national laws by 13 January 2018. PSD2 has made a number of changes to the scope of the PSD, most notably in the following areas.

‘One-leg-out’ transactions – where only one of the PSPs executing a transaction is operating from a location in the EEA – are largely out of scope of the PSD conduct requirements. The EEA end of one-leg-out transactions will, however, largely fall within the scope of PSD2.43

The current PSD conduct requirements only apply to transactions carried out in an EEA currency, whereas many of those requirements will apply to transactions in all currencies under PSD2.44

The limited network exemption (and another exemption relied on by mobile operators) will be narrowed, and greater emphasis has been given to the intended parameters of the commercial agent exemption.

A definition of ‘acquiring of payment transactions’ is introduced for the first time,45 which means that some payment processors who currently have unregulated relationships with merchants may have regulated relationships in future (and may need to seek authorisation accordingly).

Two new third-party payment services are introduced by PSD2, namely payment initiation services and account information services, each of which involves a PSP that does not handle funds providing customers with services in relation to payment accounts offered by third-party PSPs, where those payment accounts are accessible online.

A payment initiation service is a ‘service to initiate a payment order at the request of the payment service user with respect to a payment account held at another [PSP]’.46 It is anticipated as a ‘software bridge between the website of the merchant and the online banking platform of the payer’s account servicing [PSP] in order to initiate internet payments on the basis of a credit transfer’,47 and in practice is likely to include services that allow customers to pay online merchants directly from their bank accounts rather than using credit or debit cards. Such payments would typically be routed through domestic payment systems (such as the faster payment service in the UK) and may offer merchants the benefits of payments clearing to their accounts more quickly, more cheaply and with less risk of being reversed back to the customer, by comparison to card scheme payments such as Visa or MasterCard. However, it remains to be seen whether such payment methods are as advantageous to customers.

An account information service is ‘an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another [PSP] or with more than one [PSP]’.48 They are likely to include account aggregation services such as Money Dashboard, which offer customers a single place in which to view information for a number of different payment accounts offered by multiple PSPs.

After implementation of PSD2, the third-party PSPs will have (at their customers’ request) mandatory access to payment accounts or payment account data, on non-discriminatory terms, to enable delivery of their payment initiation and account information services.49 The EBA has published draft regulatory technical standards (discussed further below) covering the basis on which the account providers and third-party PSPs will securely communicate with each other in order to facilitate delivery of those third-party services.50

The new provisions are intended to encourage introduction of new, competing services. The example of how payment initiation services may benefit merchants has been given above; in the case of account information services (potentially offered in conjunction with payment initiation services), there is an opportunity for third-party PSPs to obtain transactional data, provide customers with added value services and potentially cross-sell them other products.

The other major impact of PSD2 will be to introduce detailed and rigorous security requirements, by comparison to the PSD. The new regime includes:

  • a a requirement for PSPs to establish a framework of appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide, and to submit a comprehensive assessment of such operational and security risks to their regulators on an annual basis;51
  • b obligations to notify a ‘major operational or security incident’ to regulators and, if the incident could have an impact on the financial interests of customers, obligations to also notify customers without undue delay of the incident and of all measures that they can take to mitigate the adverse effects of the incident;52 and
  • c a requirement for customers to undergo ‘strong customer authentication’ when accessing their payment accounts or initiating electronic payment transactions.53 Strong customer authentication requires payers to authenticate themselves to their PSPs using ‘two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others’.54

The EBA is tasked with producing various related regulatory technical standards, including on strong customer authentication.55 The EBA published a consultation draft of the standards in August 2016.56 The responses to the consultation have expressed a wide range of concerns, most notably at lack of clarity as to which technical solutions might meet the standards, and concerns that the standards are over-prescriptive and do not allow for a risk-based approach. If so, that could result in a cumbersome customer experience (particularly when shopping online) and restrict future innovations.

Passporting after Brexit

Following the Brexit vote on 23 June 2016, one of the major questions facing the payments industry is whether, and if so how, passporting rights will operate once Brexit is implemented. This will depend on what outcome is negotiated for Brexit: in particular, if the UK stays in the single market (or possibly negotiates a similar arrangement, such as mutual recognition of financial services licences), then a UK payment institution (or indeed bank or EMI) authorisation may continue to serve in other EEA countries and vice versa. At the time of writing, however, it is difficult to assess whether such an outcome is likely or not.


i Overview
Access to banking services

The Payment Accounts Regulations 2015, which came into force on 18 September 2016, obliged certain UK banks57 to provide payment accounts with basic features to any consumers who meet certain criteria including being legally resident in the EU, with it in some cases being a challenge to ascertain eligibility.58

Deposit guarantee

The deposit guarantee scheme in the UK is the Financial Services Compensation Scheme (FSCS). The FSCS protects certain customers with deposit accounts in the UK against losses in the event that their bank is unable to meet its obligations to them.

The obligations on banks and building societies in relation to deposit guarantees are set out in the ‘Depositor Protection’ part of the PRA Rulebook.59 Among much else, the PRA’s rules set out that the maximum compensation payable for the aggregate eligible deposits of each depositor is £75,000 (except, in certain circumstances, where the maximum compensation is £1 million or unlimited in connection with personal injury or incapacity).60


Overdrafts allow customers to withdraw or spend more than the amount of the funds currently available in their payment account. As a form of unsecured lending, they are subject to many of the provisions of the consumer credit regime described above and below. Charges for using overdrafts have in the past been subject to litigation under the fairness regime currently set out in the CRA,61 and are also under scrutiny by various organisations, such as the UK Competition and Markets Authority (CMA) (see below).

ii Recent developments
Open banking

On 9 February 2016, the Open Banking Working Group62 published a detailed framework for delivering an Open Banking Standard in the UK.63 It has been designed to ‘help improve competition and efficiency, and stimulate innovation in the banking sector’.64

The Open Banking Standard recommends that open application programme interfaces (APIs) be built ‘to help provide open access to open data and shared access to private data of the customer’.65 The intention is that customers can procure access to their own ‘private’ banking data, so that they may better manage their finances and make better decisions about the financial products they chose. The Open Banking Standard also promotes open data exchange between financial institutions.

It will be noted that in these respects, the UK Open Banking Standard pre-empts aspects of the account information service regime being introduced by PSD2.

CMA final report on retail banking market investigation

The CMA launched a market investigation into the supply of retail banking services to personal current account customers and small and medium-sized enterprises in November 2014. The CMA’s final report66 was published in August 2016, and introduced a package of binding remedies, including the following.

The CMA is requiring the largest retail banks67 in the UK to develop and adopt an open API banking standard in order to share information, for the reasons propounded by the Open Banking Working Group (see above). According to the CMA, of all the measures it considered as part of its investigation, ‘the timely development and implementation of an open API banking standard has the greatest potential to transform competition in retail banking markets . . . by making it much easier for both personal customers and [small and medium sized enterprises] to compare what is offered by different banks and by paving the way to the development of new business models offering innovative services to customers’.68

The CMA is implementing a set of remedies to increase customers’ awareness of their overdraft usage and help them manage it. These remedies include:

  • a requiring banks to alert customers that they have exceeded, or are about to exceed, their credit limit; and
  • b where customers are permitted to exceed their credit limit, a requirement that banks provide information about a ‘grace period’ during which no additional charges will be applied if the account returns to being within its pre-agreed credit limit by the end of the grace period.69

It is worth noting that, for many customers, banks have already offered such alerts and grace periods for some time.


In this section, we discuss credit cards (as illustrative of revolving credit) and some related areas of regulation and recent developments.

Like overdrafts, credit cards involve provision of both payment services and credit facilities, and as such are subject to both the payment services regime (discussed above) and the consumer credit regime. Where these regimes overlap, the consumer credit regime usually takes priority.

i Overview

As noted above, the consumer credit regime derives largely from the CCA and FSMA, including CONC and other aspects of the FCA Handbook. They include both a licensing regime and detailed conduct requirements.

As regards conduct requirements, the regime is highly prescriptive of matters such as the format and content of advertising and information needing to be provided before, during and after entering into credit agreements; consumer rights; and required or prohibited practices, in areas such as underwriting, charging or collecting on loans. The conduct requirements vary depending on the type of consumer credit activity being carried on, with the heaviest burden falling on lenders themselves. We provide a more detailed description of some of the requirements below.

Failure to comply with the consumer credit regime can in many cases have an impact on the enforceability of loan agreements or related charges, and result in customer claims, customer remediation and enforcement action.


FSMA sets out a licensing regime (similar in various respects to the payment institution licensing regime) under which firms can obtain ‘permissions’ for lending and a range of intermediary and ancillary activities such as credit broking, operating an electronic system in relation to lending, debt adjusting, debt counselling, debt collecting and debt administration.70

Such activities are generally regulated if the lending is to:

  • a individuals, whether consumers or sole traders; or
  • b ‘relevant recipients of credit’ (or in the case of lending through an electronic system, ‘relevant persons’), being partnerships of two or three partners (of which at least one partner is a natural person) or unincorporated associations (of which at least one member is a natural person).71

There are a variety of exemptions from the regulated activities, perhaps most notably the business borrowing exemption and the charge card exemption.

The business borrowing exemption is where the borrowing is for business purposes and exceeds £25,000 – so, for example, a business credit card with a credit limit of £26,000.

The charge card exemption applies to credit cards or other forms of revolving credit where all the credit drawn down over a period of three months or less is repayable in one go, and where no interest or other significant charges apply (or where the credit is secured on land).72

Generally, the above UK credit-related licences cannot be passported (i.e., cannot be used in other EEA countries), although banks and (as noted above) payment institutions and EMIs can passport certain lending activities.

Pre-contractual information

Before a customer enters into a credit agreement, the lender must provide certain pre-contractual information, including:

  • a an ‘adequate explanation’ of various specified features of the credit agreement, in order to put the customer in a position to assess whether the agreement suits their needs and financial situation;73
  • b the Standard European Consumer Credit Information (SECCI), which contains detailed information relating to the credit agreement;74 and
  • c a summary box, designed to set out key information about the credit card product in a simple, standard format, in order to make it easy for customers to understand and compare credit cards.75

Before entering into a credit card agreement, the lender must undertake an assessment of the creditworthiness of the customer. The assessment should take into the account not only the customer’s ability to repay the proposed credit within a reasonable period but also the potential for the commitments under the credit agreement to adversely impact the customer’s financial situation. The assessment has to be based on ‘sufficient information’ obtained from the customer ‘where appropriate’ and a credit reference agency ‘where necessary’.76

The lender must carry out a fresh creditworthiness check before significantly increasing a customer’s credit limit,77 and must not increase it if the customer is opposed to the increase or is at risk of financial difficulties.78

The creditworthiness assessment, as a safeguard against over-indebtedness post-financial crisis, is a key area of regulatory scrutiny. CONC contains detailed rules and guidance, which, while fairly prescriptive, do allow some flexibility as to the information to be gathered and assessed. Industry guidance is also available.79

Failures in the creditworthiness assessment can lead to regulatory or other action (resulting potentially in customer remediation and other sanctions).

Form and content of the agreement

The CCA and underlying regulations80 prescribe the form and content for credit agreements, and require the agreement to be signed by both the lender and borrower, using either ‘wet ink’ signatures or electronic signatures.

Connected lender liability

The consumer credit regime sets out a wide variety of rights for borrowers, the best known of which is perhaps Section 75 CCA.

Section 75 provides that where a customer uses their credit card to make a purchase for something which costs between £100 and £30,000, they have a claim against their lender in the event of a misrepresentation or breach of contract by the supplier. The customer is free to bring such claim directly against the card issuer, without needing to bring a claim against the supplier first. Section 75 also applies in relation to other similar arrangements, not credit cards alone.

From a lender’s perspective, Section 75 is potentially very significant in that customers could bring a claim for consequential losses (i.e., claims against the lender are not limited to the amount of credit provided).

Statements and statutory notices

Lenders must provide borrowers with statements and a range of statutory notices (generally with highly prescribed content and timings) in a variety of circumstances, perhaps most notable of which – in the context of a credit card – is the obligation to provide customers missing two consecutive payments with a ‘notice of sums in arrears’ (NOSIA).81

Failure to comply strictly with the requirements can result in sanctions such as unenforceability of the credit agreement and inability to charge any interest or default sums during the period of default. A number of lenders have had to undergo costly remediation exercises to remedy failures in this area.

ii Recent developments
The FCA’s credit card market study

Within days of taking over responsibility for the regulation of consumer credit in the UK in April 2014, the FCA announced its intention to launch a market study into the credit cards sector, in order to explore whether competition was working effectively and ‘to ask how the industry worked with those people who were in difficult financial situations already’.82

The FCA published its final report on 16 July 2016.83 The major concern expressed was the extent and nature of ‘problem’ credit card debt. According to the report, in 2014 around 6.9 per cent of UK cardholders (which equates to about 2 million people) were in arrears or had defaulted. The FCA also found that 8.9 per cent of credit cards active in January 2015 (5.1 million accounts) will take – based on current repayment patterns and assuming no further borrowing – more than 10 years to pay off their balance.84

Also set out in the final report was a package of reforms that the UK Cards Association has, on behalf of the credit card industry, volunteered to implement. They include sending notifications to all consumers before the expiry of a promotional offer; and helping borrowers mitigate the risk of inadvertently incurring charges by alerting them before they reach their credit limits, and allowing them to request card repayment dates falling after their pay days.

Review of retained CCA provisions

When the FCA took over responsibility for the regulation of consumer credit in 2014, much of the CCA was replaced with rules under FSMA. However, a range of provisions have been retained in the CCA and its subordinate legislation.

By 1 April 2019, the FCA must review the retained CCA provisions and submit a report to HM Treasury, setting out any recommendations for legislative change. The aim of the review is to consider the appropriateness of repealing the remaining provisions of the CCA, taking into account the proportionality of the consumer credit regime and the extent to which retained provisions of the CCA could be replaced by FCA rules or guidance.85

Accordingly, in February 2016, the FCA launched a ‘call for input’ on the retained provisions in the CCA.86 Many players in the consumer finance market are using this as an opportunity to make submissions about aspects of the consumer credit regime that they believe need to be amended (not just simplified), such as moderating the stringent sanctions for certain breaches, for example of the NOSIA requirements.


i Overview
Personal loans

Typically, non-mortgage personal loans based on provision of a fixed amount of credit (as opposed to revolving credit) are subject to broadly the same regulatory regime as credit cards. Some key areas of difference are:

  • a the equivalent exemption to the ‘charge card exemption’ applies where credit is repaid within one year in 12 instalments or less, with no significant charges for credit applying;87 and
  • b in addition to NOSIAs, a key area for enforcement action and customer remediation is incorrect annual statements.88

Any security provided in relation to a consumer credit agreement must be in writing, setting out specified information in a prescribed manner and executed by the surety.89 Failure to document and execute a security agreement in accordance with the CCA will mean that the security is only enforceable with a court order. Various other provisions also apply under the consumer credit regime in relation to security.

Hire purchase and conditional sale

Two of the most common forms of secured consumer lending in the UK (popular in the context of car financing, for example) – hire-purchase agreements and conditional sale agreements – both involve a delayed transfer of title, which, as one legal commentator notes, ‘is technically not a form of security so far as the law is concerned’.90

A hire purchase agreement is an agreement for the hire of goods in return for periodical payments with an option (or other specified trigger) for ownership of the goods to pass to the borrower.91

A conditional sale agreement is an agreement for the sale of goods under which the purchase price (or part of it) is payable by instalments and the seller owns the goods until the purchase price is paid or another specified condition is satisfied.92

These agreements are treated as credit agreements and are, again, subject to largely the same requirements as credit card agreements. A key difference is a right for borrowers to terminate their credit agreement early without having to repay the whole of the credit; instead, they normally need to pay (or have paid) half of the total price of the goods and return the goods to the creditor.93

Student loans

The Student Loans Company (a non-profit-making, government-owned organisation) administers government-provided loans to students attending universities and colleges in the UK. Loans are available for tuition fees and maintenance support, with repayments ordinarily being taken directly from a borrower’s salary by their employer on behalf of HM Revenue and Customs, once their salary reaches a certain level.94

There are various legislative provisions in place to enable student loans to fall outside of the consumer credit regime in the CCA and FSMA.95


Mortgages largely fall outside of the CCA. They are nonetheless subject to a similar licensing regime and conduct requirements under FSMA, although MCOB generally applies in place of CONC, with some areas of difference including substantially different information requirements and detailed rules on early repayment charges.

Consumer buy-to-let mortgages, however, are governed by a special, lighter touch regime under the Mortgage Credit Directive Order 2015.

ii Recent developments
High-cost short-term credit

High-cost, short-term credit (HCSTC) is defined as unsecured credit made available to individuals (or ‘relevant recipients of credit’) in relation to which the APR is at least 100 per cent and which is advertised as being provided for at most a year (or similar) or under which the credit is due to be substantially repaid within a year.96 ‘Payday lending’ is the example cited most often, and has been one of the FCA’s top priorities since it took over responsibility for regulating consumer credit. Of particular note:

  • a the FCA has granted lending permissions to very few pay day lenders, compared with the previous licensing regime under the OFT; and
  • b CONC has introduced rules that apply specifically to HCSTC firms, including specific conduct standards and price caps: interest and charges must not exceed 0.8 per cent of the amount borrowed per day over the contractual period of the loan; default fees must not total more than £15; and the total cost of the credit cannot exceed 100 per cent of the amount borrowed.97

In November 2016, the FCA launched a consultation on whether, among other things, aspects of the HCSTC regime should be extended to other forms of high-cost credit products, such as catalogue credit, some rent-to-own credit, pawn-broking, credit cards and overdrafts.98

Peer to peer lending

On 1 April 2014, the UK introduced a new regulatory framework for ‘peer-to-peer’ lending, also known a ‘loan-based crowd funding’, which included the introduction of a new regulated activity: ‘Operating an electronic system in relation to lending’.

Firms (P2P platforms) that operate an electronic system in the UK must be authorised by the FCA if they facilitate lending or investment by individuals and relevant persons99 or borrowing by individuals and relevant persons, provided that the P2P platform:

  • a is capable of determining which credit agreements should be made available to each of the borrowers and lenders;
  • b undertakes to receive and pay out amounts of interest or capital due to lenders; and
  • c either takes steps to collect (or arrange for the collection) of repayments or exercises, or enforces rights under the credit agreement.100

P2P platforms are also entitled to conduct other activities ancillary to the running of the platform, including interaction with credit information agencies.

P2P platforms must comply with various sections of the FCA Handbook. Notably, FCA rules in CONC require P2P platforms to provide certain protections to borrowers who are individuals or ‘relevant recipients of credit’. They in many ways mirror obligations on lenders elsewhere under the consumer credit regime. Accordingly, P2P platforms must, among other things, provide adequate explanations of the key features of the credit agreement to borrowers; assess the creditworthiness of borrowers; and provide post-contract information where the borrower is in arrears or default.

In July 2016, the FCA published a call for input to the post-implementation review of the FCA’s crowdfunding rules, including those mentioned in the previous paragraph.101 An interim feedback statement published in December 2016 announced that the FCA has identified areas of specific concern, including the improvement of wind-down plans to allow existing P2P loans to be administered in the event of the P2P platform’s failure; cross-investment (i.e., investment in loans originated on other P2P platforms); the application of mortgage-lending standards where the funds raised through the P2P platform is to finance the acquisition of property; and rules on the content and timing of disclosures (including financial promotions) to persons lending or investing through the platform.102


The MCD as implemented in the UK broadly applies to credit agreements entered into with individuals (or trustees) secured by a mortgage on residential land in the EEA.103

The MCD was implemented in the UK on 21 March 2016, although certain provisions are subject to later implementation including transitional arrangements. The implementing measures were – with a view to minimising disruption – in effect added on top of the existing UK regulated mortgages regime under FSMA, particularly through changes to MCOB (with the exception of consumer buy to let mortgages which, as noted above, are regulated under a separate Mortgage Credit Directive Order 2015).

Among the key changes under the MCD were:

  • a bringing second charge mortgages (in many cases previously regulated under the CCA) within the FSMA mortgage regime;
  • b changes to exemptions from mortgage-related regulated activities;104
  • c amended advertising rules;105
  • d restrictions on bundling mortgages with the sale of other financial products;106
  • e additions to the affordability assessment requirements;107
  • f introduction of standard pre-contractual information in the form of a European Standardised Information Sheet (ESIS) although, for a transitional period up to 21 March 2019, mortgage lenders can for certain mortgages continue to use the existing ‘key facts illustration’ with extra information;108
  • g introduction of a new step involving making a binding mortgage offer and a related cooling-off period;109
  • h an amended APR calculation and introduction of a requirement to have an additional APR in the ESIS for certain mortgages (particularly variable rate mortgages);110 and
  • i new early repayment rights.111


The CRA sets out a detailed fairness regime that applies both to terms in consumer contracts and notices given to consumers. It generally applies in relation to all finance, payments and retail banking relationships with consumers.

The CCA also has a regime giving courts wide powers of redress where a credit agreement, or related relationships or practices, give rise to an unfair relationship between the lender and borrower.112 It also applies to business borrowers falling within scope of the CCA (as described above) irrespective of the amount borrowed.

In addition, the FCA’s ‘treating customers fairly’ regime113 broadly applies to unfair practices across the financial services described in this chapter (although, notably, not generally to payment institutions and EMIs). The regime also applies with respect to business customers.

Key areas of scrutiny and challenge in this area include misselling, the breadth of contract variation provisions, and the levels (and disclosure) of charges.


i Enforcement actions

On 28 September 2016, the FCA issued final notices114 to an HCSTC provider, Wage Payment and Payday Loans Ltd (WPPL), and its director, in which the FCA:

  • a cancelled WPPL’s interim permissions to provide regulated activities including consumer credit lending;
  • b refused WPPL’s application for full permission; and
  • c banned the director from carrying out any regulated activity carried on by an authorised firm.

This illustrates the FCA’s tough regulatory stance on HCSTC (described above), and specifically reflected its concerns over the inappropriate dismissal of certain customer complaints, excessive sums being removed from some customers’ accounts, and failures in assessing whether customers could afford loans before lending to them.

In November 2015, in another enforcement case the PRA issued a fine of more than £1.2 million115 to a bank, R Raphael & Sons Plc, which outsourced certain functions to another group company without putting in place an appropriate outsourcing agreement or adequately overseeing the outsourcing. The PRA fine illustrated the importance of having robust arrangements in place even for an intra-group outsourcing.

Finally, after Northern Rock (in December 2012) and Barclays Bank (in September 2013) announced that errors in their NOSIAs had been identified, the OFT asked all retail banks to perform a detailed review of their consumer statements and notices, and as a result 17 banks and building societies have agreed to refund interest incorrectly charged following the delivery of incorrect NOSIAs.116 This industry-wide remediation process is likely to be ongoing, and will probably involve many millions of pounds.

ii Litigation
Durable medium

The PSD requires that various information be provided in a durable medium. Historically, this was generally done by sending a paper mailing to customers, but nowadays for obvious reasons many PSPs aim to provide information electronically. While sending personal emails is often an adequate way of meeting the requirements, for a variety of reasons some PSPs aim to use alternative means of electronic communications, and there is some uncertainty as to whether and how those alternatives can meet the requirements. At the time of writing, in the BAWAG case117 the Court of Justice of the European Union (CJEU) is being asked to consider whether and how e-banking mailboxes can be used to provide information in a durable medium under the PSD.

The judgment, once given, may have an impact not just on how information can be provided in a durable medium under the PSD, but also under various other EU financial services and consumer protection legislation.

Unfair relationships

In the 2014 Plevin case118 on unfair relationships under the CCA, the UK Supreme Court held that a credit broker’s non-disclosure of the amount of commission it received from a lender for arranging payment protection insurance (which was 71.8 per cent) could, and in this case did, amount to an unfair relationship between the customer and the lender in respect of the related credit agreement.

Unfair terms

There has been renewed focus on the drafting of unilateral rights of variation in consumer contracts, to ensure that they are fair and enforceable under the CRA, following recent CJEU decisions,119 which set out the following principles.

The contract must – in plain, intelligible language – set out the reasons for and method of any such variation, so that before entering into the agreement the consumer can foresee alterations that may be made.

Not providing this information cannot be compensated for by the mere fact that consumers will, during the performance of the contract, be informed in good time of the variation and of their right to terminate their contract if they do not wish to accept the variation.

It will also be relevant whether the consumer’s right of termination can actually be exercised in the specific circumstances.

1 Harriet Russell is an associate, Ben Regnard-Weinrabe is a partner and Nikki Johnstone is a senior associate at Paul Hastings (Europe) LLP.

2 Made up of the countries of the EU plus Norway, Iceland and Liechtenstein. EU financial services laws tend to be ‘single market’ measures that also apply to the additional EEA countries.

3 The FCA Handbook is available at: www.handbook.fca.org.uk/handbook/.

4 Respectively, Directives 2008/48/EC and 2014/17/EU.

5 Namely, micro-enterprises, charities with an annual income below £1 million and certain trustees – see BCOBS 1.1.1 and the definition of ‘banking customer’ in the glossary to the FCA Handbook.

6 BCOBS 5.1.5 to 5.1.8.

7 BCOBS Chapter 6.

8 BCOBS Chapters 2 to 4, in particular. Certain information requirements apply with respect to consumers only.

9 BCOBS 5.1.12 and 5.1.14 to 5.1.19.

10 BCOBS 1.1.3 and 1.1.4.

11 Directive 2007/64/EC.

12 Directive 2009/110/EC.

13 EMRs 39-45.

14 EMR Section 44.

15 Regulation (EU) 2015/751.

16 2014/92/EU.

17 For regulatory guidance on which payment accounts are subject to the UK regulations, see www.fca.org.uk/publication/policy/ps16-20.pdf.

18 Regulation (EC) 1781/2006.

19 www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets.

20 Principles 6 and 7 in section 2.1 of the FCA’s Principles for Businesses (PRIN) in the FCA Handbook.

21 Directive 95/46/EC.

22 Regulation (EU) 2016/679.

23 Directive 2002/58/EC.

24 For example, the FCA has stated that consumers’ ‘rights and protections, including any derived from EU legislation, are unaffected by the result of the referendum and will remain unchanged unless and until the Government changes the applicable legislation’.

25 Under the Bank of England and Financial Services Act 2016.

26 See, for example, the FCA’s Enforcement Guide (EG) and Decision Procedure and Penalties Manual (DEPP) in the FCA Handbook; and the PSR’s Powers and Procedures Guidance (March 2015) in relation to FSBRA and Guidance on the PSR’s approach as a competent authority for the EU Interchange Fee Regulation (October 2016).

27 DISP 3.6.1.

28 The full list of regulated payment services (and related exemptions) is set out in Part 1 of Schedule 1 to the PSRs.

29 The full list of exemptions is in Part 2 of Schedule 1 to the PSRs; the commercial agent and limited network exemptions are in paragraphs (b) and (k) of Part 2, respectively.

30 See PSRs 5-17. The EMRs set out a similar licensing regime for EMIs.

31 See regulation 19 PSRs for further details of the safeguarding requirements.

32 PSR 6(5).

33 PSR 21.

34 PSR 27.

35 PSRs 12-15 and 23.

36 PSRs 33 and 51.

37 PSR 70.

38 PSRs 72 and 73.

39 PSRs 60-62, 75 and 76.

40 As defined in PSR 2.

41 PSRs 33 and 51.

42 Directive 2015/2366/EU.

43 Article 2 PSD and Article 2 PSD2.

44 Article 2 PSD and Article 2 PSD2.

45 Under Article 4(44) PSD2.

46 Article 4(14) PSD2.

47 Recital (27) PSD2.

48 Article 4(16) PSD2.

49 Articles 36 and 66-68 PSD2.

50 Article 98, PSD2 and EBA Consultation Paper 2016-11 on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2, available at www.eba.europa.eu/documents/10180/1548183/Consultation+Paper+on+draft+RTS+on+SCA+and+CSC+%28EBA-CP-2016-11%29.pdf.

51 Article 95 PSD2.

52 Article 96 PSD2.

53 Unhelpfully, the term ‘electronic payment transactions’ is not defined, creating some uncertainty of scope.

54 Articles 4(30) and 97 PSD2.

55 Article 98, PSD2.

56 ‘Consultation Paper: On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2’, 12 August 2016, www.eba.europa.eu/documents/10180/1548183/Consultation+Paper+on+

57 Under Regulation 21.

58 For example, asylum seekers and ‘consumers who have not been granted a residence permit but whose expulsion is impossible for legal or practical reasons’ may be among those eligible, and it may not be straight forward to establish their status. See Regulation 23.

59 The PRA Rulebook is available at: www.prarulebook.co.uk.

60 Rule 4 (Limits on compensation payable), Depositor Protection rules, PRA Rulebook.

61 Most notably, Office of Fair Trading v. Abbey National plc [2009] UKSC6, [2010] 1 AC 696.

62 The Open Banking Working Group is a joint industry and government group made up of representatives from banks, fintech companies, consumer bodies and the government.

63 https://theodi.org/open-banking-standard.

64 ‘Introducing the Open Banking Standard’, Open Data Institute 2016, page 5.

65 Ibid.

66 ‘Retail banking market investigation: Final report’, CMA, 9 August 2016, https://assets.publishing.service.gov.uk/media/57ac9667e5274a0f6c00007a/retail-banking-market-

67 RBS, Lloyds, Barclays, HSBC, Santander, Nationwide, Danske Bank, Band of Ireland and AIB.

68 Paragraph 166.

69 As summarised in Figure 15.1 of the final report.

70 Respectively, Articles 36A, 36H, 39D, 39E, 39F and 39G of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (the ‘RAO). See the RAO for the full list of regulated activities.

71 Articles 60L and 36H of the RAO, respectively.

72 The business borrowing and charge card exemptions are in Articles 60C(3) and 60F(3) of the RAO respectively.

73 Under CONC 4.2.5.

74 Most notable under the Consumer Credit (Disclosure of Information) Regulations 2010.

75 Further information, including an example of the standard summary box, is provided by the UK Cards Association: www.theukcardsassociation.org.uk/individual/credit-card-summary-box.asp.

76 CONC 5.2 (Creditworthiness assessment: before agreement).

77 CONC 6.2.1.

78 CONC 6.7.7.

79 Such as the Common Financial Statement produced by the Money Advice Trust, the Finance and Leasing Association and the British Bankers’ Association; and Information for Practitioners produced by the Lending Standards Board.

80 Most notably the Consumer Credit (Agreements) Regulations 2010.

81 Section 86C CCA.

82 ‘FCA announces competition review into credit cards – particular focus on how industry works with those in difficult financial situations’, 3 April 2014, www.fca.org.uk/news/press-releases/fca-announces-competition-review-credit-cards-particular-focus-how-industry.

83 FCA Market Study MS14/6.3, ‘Credit card market study: Final findings report’, www.fca.org.uk/publication/market-studies/ms14-6-3-credit-card-market-study-final-findings-report.pdf.

84 Paragraph 1.30, FCA Market Study MS14/6.3.

85 Part 5 of the Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) Order 2014.

86 www.fca.org.uk/publication/call-for-input/call-for-input-review-retained-provisions-

87 Article 60F(2) RAO.

88 Lenders must provide annual statements to borrowers in relation to fixed-sum loan agreements under Section 77A CCA. A non-compliant annual statement results in the same consequences as an incorrect NOSIA, which is that the statement will be deemed to have not been sent at all. See JP Morgan Chase Bank, National Association v. Northern Rock (Asset Management) Plc [2014] EWHC 291 (Ch) (19 February 2014).

89 Section 105 CCA.

90 Paragraph 3.4 Hire-Purchase and Instalment Sale, Goode: Consumer Credit Law and Practice.

91 Section 189 CCA.

92 Section 189 CCA.

93 Sections 99 and 100 CCA.

94 See the student loans regime under the Teaching and Higher Education Act 1998.

95 See for example Section 8 of the Sale of Student Loans Act 2008.

96 See the glossary to the FCA Handbook.

97 CONC Rule 5A.2.

98 FCA Call for Input: High-cost credit – Including review of the high-cost, short-term credit price cap.

99 ‘Individual consumers’ would include natural persons such as consumers and sole traders. ‘Relevant persons’ include partnerships of two or three persons, not all of whom are bodies corporate, or unincorporated bodies of persons that do not consist entirely of bodies corporate and are not a partnership.

100 Article 36H RAO.

101 www.fca.org.uk/publication/call-for-input/call-input-crowdfunding-rules.pdf.

102 www.fca.org.uk/publication/feedback/fs16-13.pdf.

103 Article 3 MCD.

104 Article 4(4B) RAO.

105 Chapter 3A of MCOB.

106 MCOB 2A.2.

107 Chapter 11A of MCOB.

108 Chapter 5A of MCOB, and MCOB TP 1 MCD Transitional Provisions.

109 MCOB 6A.3.

110 Chapter 10A of MCOB.

111 MCOB 2A.4.

112 Sections 140A to 140C CCA.

113 Principles 6 and 7 in section 2.1 of PRIN.

114 www.fca.org.uk/publication/decision-notices/wage-payment-payday-loans-limited.pdf.

115 www.bankofengland.co.uk/pra/Documents/supervision/enforcementnotices/en271115.pdf.

116 http://webarchive.nationalarchives.gov.uk/20140402142426/http://www.oft.gov.uk/news-and-updates/press/2014/18-14.

117 BAWAG PSK Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse AG v. Verein für Konsumenteninformation.

118 Plevin v. Paragon Personal Finance Ltd [2014] UKSC 61 (12 November 2014).

119 Nemzeti Fogyasztóvédelmi Hatóság v. Invitel Távközlési (Case C-472/10, judgment given 26 April 2012) and RWE Vertrieb AG v. Verbraucherzentrale Nordrhein-Westfalen e.V. (Case C-92/11, judgment given 21 March 2013).