I Overview

The UK is one of the world's leading centres for 'technology applied to financial services' (the Department for International Trade's definition of fintech),2 and the market has continued to grow year on year. It benefits from the UK's financial services regulatory regime, which is well established, and the Financial Conduct Authority (FCA), which maintains a reputation as one of the gold standard regulatory bodies worldwide, applying the UK's existing regulations without additional requirements (save in the context of the regulated activities created following the implementation of the Payment Services Directive and the Revised Payment Services Directive) while participating in national and international sandboxes. UK regulation is likely to change over the coming years, as Parliament and the regulators grapple with the regulation of cryptoassets and virtual currencies.

There are no dedicated fintech tax incentives in the UK, but there are various features of the UK tax regime that make it attractive for fintech businesses. There are incentives for companies, for example, R&D incentives for both capital and revenue expenditure and the 'patent box' regime.3,4 Additionally, there are incentives for investors and management, including seed enterprise investment schemes, enterprise investment schemes, venture capital trust reliefs, entrepreneurs' relief, investors' relief and tax-advantaged share option arrangements.

The UK, like many other jurisdictions, is still addressing some of the transfer pricing and taxable presence problems arising out of fintech businesses. These depend on the value that is placed on a decentralised system, and new types of questions are likely to need to be answered as to what is required for a taxable presence in a country. The starting point for UK tax is to check whether there is a permanent establishment, and typically this will involve a physical presence. However, there are also anti-avoidance provisions designed to prevent an avoided permanent establishment or profit fragmentation, and in some cases the arrangements around a fintech business will need to be reviewed to see if there is a risk of triggering these provisions. In some cases, it will be harder to judge how these might apply to a global supply chain compared with a more traditional business.

II regulation

i Licensing and marketing


The FCA is technology neutral in its considerations on whether a firm is caught by the regulations and, therefore, the source and details of the rules that apply to fintech businesses operating in the UK will depend on the activities being carried on by each business. As a starting point, businesses will have to consider the general prohibition set out in Section 19 of the Financial Services and Markets Act 2000, which provides that it is a crime for any person to carry on regulated activities by way of business in the UK unless that person is authorised or exempt.5

The list of regulated activities caught by the general prohibition is set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) and includes, pertinently, accepting deposits,6 issuing electronic money, effecting and carrying out contracts of insurance,7 advising on or arranging deals in investments,8 dealing in investments as agent or principal, providing credit information services and operating an electronic system in relation to lending.9 These are known as 'specified activities', and to be regulated activities must relate to certain specified investments also set out in the RAO. Specified investments include electronic money, contracts of insurance, shares, units in collective investment schemes, rights under a pension scheme and credit agreements.10 It does not matter whether services are offered digitally or in person; an entity carrying on the activities specified in the RAO by way of business in the UK11 will be carrying on a regulated activity for which it must be authorised or exempt.

Where the activities of a fintech business relate to the provision of payment services then the regime implemented in the Payment Services Regulations 2017 (PSR) will apply instead of the Financial Services and Markets Act (FSMA) to the authorisation, registration and conduct of business obligations of those businesses. These aspects are discussed in more detail in Section IV.

Authorisation and registration applications for carrying on regulated activities under FSMA or specified activities under the PSRs must be made to the FCA and, in some cases, to the Prudential Regulation Authority (PRA).12 Once authorised or registered, either or both of the regulators will continue to regulate the activities of the firm. All firms are regulated by the FCA as regards their conduct of business, but larger trading institutions will also be supervised by the PRA, which focuses on financial concerns that have an ability to negatively impact the broader market and economy.

The authorisation process is a lengthy and time consuming one, and the scope of permissions that firms are required to obtain are not always clear for fintech businesses. With that in mind, the FCA launched its regulatory sandbox in June 2016. The sandbox is open to authorised firms, unauthorised firms that require authorisation and technology businesses, and seeks to provide those firms with, among other things, a reduced time-to-market at (potentially) lower cost including by offering a restricted authorisation path that allows those firms to operate in a limited manner under the close supervision of the FCA.13 As 2018 ended, the application deadline passed for the fifth cohort of the sandbox.

Despite the more informal route that may be open to firms accepted into the sandbox, no special fintech licence or permission regime applies to fintech firms looking to operate in the UK.


Subject to certain notable exceptions, firms may generally market themselves freely in the UK as long as any advertisements or marketing materials are accurate, legal, decent, truthful, honest and socially responsible.14

Firms may not, however, in the course of business communicate an invitation or inducement to engage in investment activity (a financial promotion) unless the firm is authorised or the content of the communication is approved by an authorised person.15 Breach of this restriction on financial promotions carries criminal consequences.

The terms 'invitation' and 'inducement' are typically given their natural meaning and, as such, communications that include a promotional element, (rather than those that seek merely to inform or educate about the mechanics or risks of investment) will be caught by the financial promotion restriction.

A number of exemptions may cause a financial promotion to fall outside of the restriction and, therefore, may freely be made by unauthorised firms within the boundaries of the applicable exemption. Alternatively, unauthorised firms may enter into arrangements under which an authorised entity reviews and approves each promotion at the time it is made. This is a structure often implemented in crowdfunding, for example, where the business seeking equity investment through the platform is required to get the platform (which will be authorised) to sign off on the promotion before it is listed on the site.

Authorised firms that make financial promotions in compliance with the financial promotion restriction will also need to bear in mind the additional conduct rules for financial promotions set out in Chapter 4 of the Conduct of Business Sourcebook of the FCA Handbook.

ii Cross-border issues

As identified in the previous section, for a regulated activity to be carried on there must be some link between the activity and the UK. As such, where there is a cross-border element to the services or activities it will be necessary, from a regulatory perspective, to consider where the activity is actually carried on. This will inform the analysis of whether the firm carrying on that activity requires authorisation in the UK under the process described above. Where the business of a fintech does not involve it carrying on any regulated activities in the UK then it will be able to provide those services in the UK, either on a cross-border basis or from a branch office set up in the UK without needing to rely on any passporting mechanism.

As regards those fintechs not based in – but that intend to provide regulated activities in – the UK, it is currently necessary to consider separately those that are based in Europe and those that are based in other continents.

For those that are based in Europe, there is a complex web of EU passporting regimes that may apply depending on the activities carried on by the fintech. For example, electronic money institutions may passport under the Second Electronic Money Directive,16 while fintechs that provide insurance intermediary services may use the regime under the Insurance Distribution Directive.17 The broadest passporting regimes (i.e., those that cover the most activities relevant to fintechs) are set out in the Markets in Financial Instruments Directive (MiFID II)18 and Payment Services Directive (PSD2). Of course, this is complicated at present by the uncertainty surrounding the UK's withdrawal from the EU.

Those firms outside the EU looking to provide similar services in the UK will not benefit from the passporting arrangements (to the extent they would apply to EU-based firms) and will need to seek separate authorisation.

III digital identity and onboarding

There is no official national digital identity in the UK at present. The Government Digital Service has been running GOV.UK Verify as a secure way of accessing government services, but it has largely been considered a failure and it was announced at the end of 2018 that it would be transitioned to the private sector.

Despite that, a number of fintech firms are employing ever more sophisticated digital onboarding services, with the neo-banks in particular now very good at onboarding clients with little more than photographs of passports and a short video. Meanwhile, the market for firms who claim to be able to use cryptographic hashing to create a digital identity for an individual is growing rapidly in the UK. If successful, these services will enable individuals to verify their identity to third parties using only a very small amount of data (e.g., their personal hash, which is a cryptographically generated code combining all elements of that individual's identifying personal data, with a checksum item forming part of the personal hash calcuation, such as the individual's year of birth. In this case the year of birth acts as a way of validating the personal hash and, therefore, the identity of the individual in question).

IV digital markets, funding and payment services

i Digital markets and funding

The UK has a very strong market in crowdfunding, peer-to-peer (P2P) lending and payment services, all of which sit alongside the UK's world-leading financial services marketplace.

The crowdfunding market in the UK is particularly mature and sophisticated – so much so that in July 2018 the FCA launched a consultation19 into the market in order to identify whether the existing regulatory framework is still relevant and robust enough to ensure good standards of business are practised by the platforms, particularly where retail investors are involved.

Certain crowdfunding activities require authorisation by the FCA and others do not. All crowdfunding platforms are subject to the FCA's general high-level standards, including the Principles for Businesses and specific Conduct of Business rules, for example in relation to financial promotions. However, there are differences in the detailed regulatory frameworks that apply to investment-based and loan-based (or P2P) crowdfunding platforms.

Investment-based crowdfunding has evolved from more traditional ways of seeking equity-based investments, and the FCA regulates it as such. Therefore, an investment-based platform will usually ask for authorisation from the FCA to carry on activities such as arranging deals in investments (Article 25 RAO), dealing in investments as an agent (Article 21 RAO) and advising on investments (Article 53). Platforms that provide a nominee structure must also apply for a safeguarding and administration of assets permission (Article 40).

Operating a P2P platform was not adequately captured under the existing list of regulated activities, so, in 2014, the FCA introduced the new activity of operating an electronic system in relation to lending (Article 36H RAO), which captures most of what P2P platforms will be carrying on in practice. However, care should be taken if other regulated activities are built into the business model, such as credit broking, debt administration and debt-collecting, each of which require separate permission from the FCA.

The creation of secondary markets on platforms is not prohibited, but is becoming increasingly unusual with the more established platforms because of the additional regulatory burden of doing so (not least because of the potential financial promotion issues). It is more common for platforms to create venture capital-like fund structures that give investors the ability to exit the fund without having to find other users to buy their units.

ii Payment services

The payment services caught by the PSRs include, among other things, services relating to the operation of payment accounts (e.g., cash deposits and withdrawals from current accounts and savings accounts), execution of payment transactions (whether covered by a credit line or otherwise), card-issuing and money remittance. PSD2, as implemented by the PSRs, also creates authorisation and registration regimes for payment initiation service providers (PISPs) and account information service providers (AISPs). These were newly defined regulated activities in 2017 and are intended to capture those businesses that look to utilise open banking standards to provide consumers with detail about their financial position by taking information directly from their banking providers, or that facilitate payments directly from users' bank accounts without the need to use a payment card.

Firms offering payment services are required to identify at the outset whether they will apply for registration or authorisation under the PSRs. Small payment institutions (SPIs),20 small electronic money institutions (EMIs)21 and firms that will only offer account information services can apply to be registered as such, or as a registered account information service provider (RAISP), and a lighter touch registration and conduct regime will apply to those firms. Firms that do not quality as an SPI, small EMI or RAISP but that intend to carry on payment services in the EEA must apply for authorisation and follow more onerous conduct of business requirements. These alternative routes are particularly popular where available.

PSD2 and the PSRs also facilitated new open banking standards, requiring banks and building societies to give third parties access to customers' accounts and data where the user consents to it. At the moment, only the UK's nine largest banks and building societies must make customer data available through open banking, but a number of smaller banks and building societies have also opted in to the regime. Relevant third parties that benefit from the open banking regime include PISPs and AISPs, who are able to use customer account data to provide these new breeds of services.

V cryptocurrencies and initial coin offerings

Blockchain technology continues to capture the imagination in the UK, and the number of businesses adopting the technology for their own purposes is indicative of longer term trends in the UK. To date, key financial industries utilising the technology include the UK insurance and crowdfunding sectors, with asset management following slightly behind.

Of course, blockchain's original use in cryptoassets continues to be relevant, though that market is under a period of significant flux at the time of writing. This is, in part, due to the global development of rules and regulations that has created a period of instability and regulatory uncertainty. The UK has not yet implemented any specific cryptoasset laws or regulations, and cryptocurrencies are, therefore, not currently regulated by the FCA provided that they are not part of other regulated products or services. This is not the case for cryptocurrency derivatives (i.e., cryptocurrencies that have the same properties as traditional derivative contracts), because these will be treated as derivatives and, therefore, specified investments for the purposes of the regulations. As a result, dealing in, arranging transactions in, advising on or providing other services that amount to regulated activities in relation to derivatives that reference either cryptocurrencies or tokens issues through an initial coin offering (ICO) will require authorisation by the FCA.

The above position is not likely to remain the same for very long because in January 2019 the FCA launched a consultation22 that builds on the work of the UK Cryptoassets Taskforce and the FCA to consider where different types of cryptoassets might fall in the regulatory perimeter. In short, this consultation proposes that cryptoassets be sorted into three categories:

  1. Exchange tokens:
    • not issued or backed by any central authority and intended and designed to be used as a means of exchange;
    • usually a decentralised tool for buying and selling goods and services without traditional intermediaries; and
    • usually outside the regulatory perimeter.
  2. Security tokens:
    • with specific characteristics that mean they meet the definition of a specified investment (see above) like a share or a debt instrument; and
    • within the regulatory perimeter.
  3. Utility tokens:
    • grant holders access to a current or prospective product or service but do not grant holders rights that are the same as those granted by specified investments; and
    • although not specified investments, utility tokens may meet the definition of e-money in certain circumstances (as could other tokens), in which case they would be within the regulatory perimeter.

Although it is clear that potential anonymity (or, more precisely, pseudonymity) afforded to individuals by cryptoassets means that they may have a role in money laundering and terrorist financing, the applicability of the existing money laundering regulations in the UK is not straightforward. To address that issue, one of the proposed outcomes of the FCA's current consultation on cryptoassets is for HM Treasury to consult in 2019 on the transposition of the EU's Fifth Anti-Money Laundering Directive into UK legislation and to broaden the Anti-Money Laundering/Counter Terrorist Financing Regulation further in relation to cryptoassets.

The UK has been reluctant to legislate for the tax treatment of cryptocurrency and crypto-token offerings, and HMRC, the UK tax authority, has focused instead on fitting this within existing tax provisions. However, it was recognised that, in the light of the Final Report from the Cryptoassets Taskforce in October, some clarification was needed, as HMRC's 2014 guidance focused mainly on certain types of cryptocurrency and was very limited in scope. HMRC has therefore produced revised guidance, covering the tax treatment of cryptoassets for individuals and where these are used as a form of employee reward. Unfortunately, there has so far been no clarification on the treatment of ICO and initial token offering issues for the issuing entities, but it is hoped additional guidance will become available in the near future.

Cryptoassets may currently be marketed to UK residents from other jurisdictions, but the UK financial promotion regime will apply and market participants will need to ensure that any financial promotion of products and services, whether regulated or unregulated, is carried on in a way that is clear, fair and not misleading. Firms must make clear in their promotions which activities are, and are not, regulated, especially when marketing their FCA-authorised status, so care will need to be taken in this regard.

VI Other new business models

The UK is awash with new business models. The most recently popular business models include robo-advisers (including fully automated investment processes), e-wallets, crowdfunding, information aggregators and trust-based platform arrangements. Third-party financial comparison sites are commonplace, with insurance as the largest category in both the consumer and business sectors. These sites are subject to the usual credit broking and insurance-related regulation (among others), and the same data protection and competition rules as any other business.

Self-executing, or 'smart' contracts are permitted, and the usual legal framework for contracts applies to them. That means there are a few legal questions still unanswered, especially around liability and agency. When it comes to making corrections, the court is the default option, unless an alternative was agreed in the contract.

Finally, use of big data is also on the rise as a tool to aggregate, analyse and increase the value of vast datasets. For example, the UK's implementation of Open Banking promises a world of build-your-own services and jealously guarded white-labelling agreements. To facilitate data transfers we are seeing trust-based arrangements with clear accountabilities and risk allocation for all participants, careful governance and security governing access, including third-party supply chain players.

VII intellectual property and data protection

i Intellectual property

There are no intellectual property protections that are peculiar to fintech. However, in common with all evolving technologies, some fintech technologies do test the limits of the existing legal framework, this having not been written with these new technologies in mind. The most notable challenges come from blockchain technologies and technologies delivering artificial intelligence and machine learning applications.

The most important intellectual property rights for artificial intelligence are confidentiality, copyright and patent rights. The laws of confidence pose no unusual issues for artificial intelligence. However, from a wider financial services policy perspective, it would be preferable for innovators to disclose AI innovations rather than opt to keep these as trade secrets,23 so other protections come to the fore.

Copyright raises some issues in respect of ownership of the output of artificial intelligence, but otherwise copyright protection of source code remains as applicable to artificial intelligence software systems as it does for more traditional software systems.

It is in the realms of patent that the interesting issues around protection arise. In the UK, and under the European Patent Convention, in order to be granted a patent, the invention must be new, inventive, and capable of industrial application and not specifically excluded from protection as a patent. Mathematical methods are excluded, as are computer programs, which are, of course, at the heart of artificial intelligence development.

This is not to say artificial intelligence and machine learning algorithms cannot form part of a computer-implemented invention where they can be shown to have a 'technical effect'; they are just not patentable in and of themselves. Where they form part of platforms and applications that solve specific technical problems, then the success of a patent application improves significantly. In summary, a combination of copyright and patent protection should provide a good basis for protecting investment in artificial intelligence and machine learning in the UK.

Artificial intelligence is, of course, inextricably linked with the data it consumes and the financial services industry generates vast amounts of data. The data itself comes with a set of intellectual property protections – mostly confidentiality, sometimes copyright and, potentially, the sui generis database right.24 For example, look-up tables (databases accessed by software routines) are potentially protected by copyright in the structure of the database and by the sui generis database right protecting the extraction and reutilisation of the data contained in the database (provided the owner can show substantial investment in obtaining the data).

The database right is a powerful right, and while the protection ostensibly lasts for 15 years, each time substantial investment is expended in obtaining, verifying or presenting the contents of the database, a new database is likely deemed created and thus a rolling protection obtained.25 There has been some debate as to whether aggregations of data, for example, sensor or machine-generated data, can fulfil the 'substantial investment in obtaining' requirement of the database right. The debate continues as to where the threshold of effort lies. Irrespective of whether or not the contents of a database are protected by confidentiality or database rights, both can provide limitless protection. Because big data is becoming such an integral part of any business dealings, the UK competition authorities are sure to consider moves to counteract potentially monopolistic effects of vast datasets being controlled by relatively few market players.

Turning to blockchain technologies, similar issues are encountered: patent protection for spreadsheets is not available, and there will need to be some actual technical effect, similar to software-enabled inventions. Copyright is the most common form of protection for blockchain, both proprietary and open-source. The basic building blocks of many blockchain technologies are open-source software codes, but those building on top of the originating technologies may want to protect their inventions through more commercial protections, such as more restrictive copyright and patent licensing.

ii Data protection

In the same way as for intellectual property, financial services technologies also test the existing legal framework around data protection, despite the General Data Protection Regulation (GDPR) being of very recent provenance.

The UK Information Commissioner's technology priorities for 2019 include cybersecurity, artificial intelligence, big data and machine learning and online tracking technologies, all of which are highly pertinent to technologies within the financial services sector.

Big data analytics again poses difficulties for data protection law. Difficulties include running large numbers of algorithms against vast datasets to find correlations; the opacity of the processing; the tendency to collect 'all the data'; the repurposing of data and the use of new types of data; not to mention the hurdles of distinguishing between data controllers and data processors. Clearly all of these activities have implications for data protection.26

The Information Commissioner's Office is reaching out to partners as part of its Technology Strategy to better understand these technologies, and is seeking to establish a regulatory sandbox, drawing on the successful sandbox process that the FCA has developed. The sandbox is expected to enable organisations to develop innovative digital products and services, while engaging with the regulator, who will provide advice on mitigating risks and data protection by design.27

New blockchain technology also poses data protection challenges. There has been significant debate as to whether or not the hashed information contained on the blockchain could be considered personal information and, if it is, how the GDPR can be reconciled with the benefits of the blockchain being an immutable source of the truth without the need for trusted intermediaries. This question has yet to be resolved.

VIII year in review

The year 2018 began with the deadline for national governments to transpose PSD2 into local legislation and for the largest UK banks to make personal and business current accounts data available through open application programming interfaces to facilitate open banking. These two events were the beginning of a year in which the UK payments industry took centre stage, and a new brand of payment initiation and account information service providers became operational under the new rules.

The past year was also transformational for cryptoassets. January 2018 saw an unprecedented level of interest in the launch of new tokens and cryptocurrencies as the existing UK regulatory perimeter creaked at the edges under the pressure of trying to capture as many different features and concepts as possible. Since then, the FCA started to take a clearer and more robust stance on its interpretation of the existing regulations, before commencing a formal consultation on a bespoke regime for cryptoassets that clearly delineated between the three types of cryptoasset detailed in Section V.

MiFID II also came into effect in the UK on 3 January 2018. It includes a broad spectrum of measures covering everything from data reporting28 and transparency to client categorisation. It has also been used in the latter part of 2018 as a basis of European-level thinking for the regulation on cryptoassets following the publication of a report by the European Securities and Markets Authority's stakeholder group on how to address the risks of ICOs. The rules have directly affected those fintech businesses deemed to be carrying on 'MiFID business' (i.e., (1) investment services and activities and (2) ancillary services carried on by a MiFID investment firm). MiFID's copious data-reporting obligations also boosted those fintech firms operating in the regtech sphere, as a number of financial services businesses sought to outsource compliance with the complex and copious rules to third-party technology providers.

IX outlook and conclusions

Much of the focus in the coming months will be on the outcome of Brexit and how it affects the market based on the deal (or lack of it) reached with the remaining EU Member States.

Currently, in a 'no deal' scenario, UK passporting rights will immediately cease to exist but, at the time of writing, the FCA is working on its no-deal planning including by proposing a temporary permissions regime for firms looking to operate in the UK from the EEA. Meanwhile, if the UK secures consent for a withdrawal agreement then, when it leaves the EU after the transitional period has expired, whether firms will continue to be able to make use of existing passporting regimes will depend on the terms of the agreement over the future relationship between the UK and the EU.

The payments sector is the most likely to be affected by Brexit, given the strength and size of the UK's banking sector relative to other jurisdictions. Indeed, as firms begin to make the most of the new markets created by PSD2, it was the UK that stood to gain most from those. However, a question now remains as to how much of that opportunity will be lost, despite the fact that, even in the event of a no deal, those rules will be transposed into the UK statute book so as to continue to be effective.

One of the continuing regulatory changes that will take full effect in the UK in 2019 (irrespective of the outcome of Brexit) is the Senior Managers and Certification Regime, which has been slowly replacing the Approved Persons regime for authorised firms. Any fintech carrying on regulated activities will need to consider these new rules, which were extended to insurers in December 2018 and will take effect for all firms regulated by the FCA in December 2019.

From an IP perspective, the European Patent Convention is not directly linked to the European Union, so European patents should not be affected by Brexit. By contrast, Community Trade Marks are linked to membership of the European Union. Thus, once the UK has left, Community Trade Marks will technically cease to have effect in the UK. However, the UK government has indicated that even if there are no deals with the EU they will permit Community Trade Mark registrations that are in force at the time of exit from the EU to be extended in to the UK so that pre-existing trade mark rights will not be lost. As for the sui generis database right, the government's Regulatory Policy Committee states that the UK government's preferred option is to maintain the status quo after Brexit so far as possible for UK database creators and consumers.29

Blockchain will continue to present challenges around applicable law, as it involves computers located across the globe. In cross-border decentralised blockchains, individual transactions will need to analysed on a case-by-case basis.

It is also likely that clarification of the tax treatment of ICOs and initial token offerings will be forthcoming during 2019.


1 Gareth Malna is an associate and Sarah Kenshall is a director at Burges Salmon LLP.

2 See 'Landscaping UK Fintech' Report 2014, Ernst & Young LLP commissioned by UK Trade and Investment (now the Department for International Trade): https://www.ey.com/Publication/vwLUAssets/Landscaping_UK_Fintech/$FILE/EY-Landscaping-UK-Fintech.pdf.

3 The 'patent box' is simply a calculation, though the way in which the patent is owned and used within a group structure can make the calculation and attribution of relevant amounts easier administratively. It allows the company to benefit for a low tax rate of 10 per cent for profits within the 'box'. The benefit of the regime is no longer available for acquired patents; however, it does cover cases where part of the relevant work was subcontracted. For fintech companies, patents that qualify have become more common. However, it is critical to note that because the regime only applies to profits related to patents registered with the UK Intellectual Property Office or the European Patent Office or an European Economic Area State, the benefit of the more flexible regime for software patents in certain jurisdictions (for example, the US and Singapore) is not available.

4 There is no equivalent regime for other forms of intellectual property such as copyrights and trademarks.

5 See Sections 19 and 20 FSMA.

6 Relevant for neo-banks acting with full deposit-taking permissions such as Starling and Monzo who were both granted permission during 2018.

7 Relevant for those platforms offering peer-to-peer insurance.

8 Relevant to digital wealth platforms such as Nutmeg and MoneyFarm.

9 Directly applicable to loan-based crowdfunding platforms such as FundingCircle.

10 See Part III of the RAO.

11 The question of whether an activity is being carried on 'in the United Kingdom' has to be answered in the context of each activity. Entities that arrange deals in investments are said to be carrying on that activity from the place of their establishment, whereas the activity of advising is said to be carried on where the advice is received.

12 The PRA supervises around 1,500 banks, building societies, credit unions, insurers and major investment firms.

13 The FCA can also offer through the sandbox: (1) the ability to test products and services in a controlled environment; (2) support in identifying appropriate consumer protection safeguards to build into new products and services; (3) better access to finance; and (4) individual guidance, informal steers, waivers and no enforcement action letters. For further details on the sandbox see https://www.fca.org.uk/firms/regulatory-sandbox.

14 i.e., they must not encourage illegal, unsafe or antisocial behaviour.

15 Section 21 FSMA.

16 2009/110/EC.

17 (EU) 2016/97.

18 Being the collective noun for both the Directive on markets in financial instruments repealing Directive 2004/39/EC (2014/65/EU) and the Regulation on markets in financial instruments and amending Regulation [EMIR] on OTC derivatives, central counterparties and trade repositories (Regulation 600/2014).

19 CP18/20, which closed in October 2018 with a final policy statement due in Q2 2019.

20 Firms operating below an average monthly turnover in payment transactions of €3 million.

21 Firms in which total business activities will not exceed an average of €5 million of outstanding e-money immediately before registration.

22 CP19/3: Guidance on Cryptoassets.

23 European Patent Office, Patenting Artificial Intelligence 30 May 2018.

24 EU Directive 96/9/EC on the legal protection of databases (the Database Directive) implemented in the UK by the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032) (the Database Regulations).

25 The organisation that originates the contents of the database does not get the benefit of the protection as they do not need to expend time finding, checking and verifying the contents (since they originated the contents). Clearly, the key is investment in collection rather than creation of the content.

26 ICO Big data, artificial intelligence, machine learning and data protection report 2017.

27 ICO Technology Strategy 2018–2021.

28 This was augmented by the coming into force of the General Data Protection Regulation on 25 May 2018, which caused some consternation among firms trying to marry the two regimes.

29 Intellectual Property (Amendment) (EU Exit) Regulations 2018 and various impact assessments published by the Regulatory Policy Committee (RPC).