The Financial Technology Law Review: Guernsey
As a jurisdiction, Guernsey's economy is built largely around the provision of financial services to a global marketplace. As such, fintech businesses operate within the broader regulatory regimes established to maintain Guernsey's financial services status internationally. Fintech is expected to play an ever-increasing role in Guernsey's financial services sector, and significant attention and resourcing is being devoted to creating a regulatory environment wherein the latest technological developments can be utilised while maintaining the controls necessary to ensure continuity of Guernsey's reputation. As a result of this, Guernsey is increasingly fintech friendly. Fintech is one of the core focuses for the island's ongoing development, a position underscored by its inclusion as one of the pillars of the island's strategic development framework as set out in the States of Guernsey and Guernsey Finance's 'Financial Services Policy Framework'.2
The Guernsey Financial Services Commission (GFSC) is primarily responsible for financial services regulation on the island. It has introduced its Innovation SoundBox to serve as a GFSC hub for enquiries regarding innovative financial products and services.
The Innovation Soundbox is intended to assist prospective innovative or start-up financial services businesses with access to regulators and GFSC policymakers, transparency on the Bailiwick of Guernsey's regulatory requirements and guidance on the regulator's approach to innovative propositions. While the Innovation Soundbox is not restricted to fintech issues, it has been broadly interpreted as a response to the potentially disruptive effects of fintech upon financial services business and regulation more generally. Similarly, the GFSC has been working internationally to develop common regulatory approaches to innovative propositions as part of the Global Financial Innovation Network (GFIN).
In terms of local development of fintech, while this has been led by the private sector, Guernsey has established the Digital Greenhouse to act as a focal point for the growth of the digital and creative sector locally, offering a dedicated space to accelerate start-up and growth activity in Guernsey.
i Licensing and marketing
To date, Guernsey has chosen not to create fintech-specific regulation or legislation. Fintech companies are therefore subject to regulation only within the wider Guernsey financial services regulatory regimes applied by the GFSC to the extent these regimes apply. The GFSC has indicated that they will treat applications related to fintech in the same manner and apply the same standards of control as they would in respect of more traditional applications.
The most applicable of these laws is the Protection of Investors (Bailiwick of Guernsey) Law 1987, as amended (the POI Law), which sets out nine 'restricted activities' that cannot be carried out, by way of business by a Bailiwick body, in relation to a 'controlled investment' (as defined in the POI Law), without licensing. These are promotion, subscription, registration, dealing, management, administration, advising, custody and operating an investment exchange. Failure to have the appropriate licence when carrying on controlled investment business is a criminal offence.
The definition of controlled investment3 is a broad one, including investments in collective investment schemes, general securities and derivatives (these terms are themselves defined within the POI Law), meaning the licensing regime of the POI Law has the capacity to capture a number of fintech business models and related activities. The positioning of cryptocurrencies, coins and tokens within or outside this definition will likely be determined on a case-by-case analysis of the specific rights and assets attributable to a coin, token or cryptocurrency.
The marketing of a fintech product in Guernsey would therefore be regulated under the POI Law to the extent that such a product constituted a controlled investment in line with the above definition.
Additionally, the POI Law puts in place a regime for the regulation of investment funds domiciled in Guernsey. Businesses that require licensing under the POI Law are required to have in place client identification and broader anti-money laundering processes as well as meeting various other standards designed to protect investors. For licensees, the GFSC will focus upon adequacy of resourcing, controls and the provision of suitably skilled personnel, whereas for funds, among other things, controls around valuation, liquidity, custody and the protection of assets are key.
The POI Law will be repealed and replaced with a successor regime in the course of 2021; however, the changes made will not significantly alter the analysis above.
In addition to the POI Law, the Registration of Non-Regulated Financial Services Businesses (Bailiwick of Guernsey) Law 2008 (the NRFSB Law) creates a public register of non-regulated financial services businesses (and as such does not apply to licensed financial services businesses). The NRFSB Law is part of the Bailiwick's framework for anti-money laundering (AML) and combating the financing of terrorism (CFT). The framework, including the registration, has no effect on the operational requirements and activities of a registered business except for the carrying out of AML/CFT measures.
The NRFSB Law applies to a number of types of financial services businesses, some of which have direct or indirect applicability in the fintech space, including:4
- financial leasing;
- operating a money service business (including, without limitation, a business providing money or value transmission services, currency exchange (bureau de change) and cheque cashing);
- facilitating or transmitting money or value through an informal money or value transfer system or network;
- issuing, redeeming, managing or administering means of payment. Means of payment includes, without limitation, credit, charge and debit cards, cheques, travellers' cheques, money orders and bankers' drafts and electronic money;
- providing financial guarantees or commitments;
- trading (by way of spot, forward, swaps, futures, options, etc.) in money market instruments (including, without limitation, cheques, bills and certificates of deposit), foreign exchange, exchange, interest rate or index instruments, and commodity futures, transferable securities or other negotiable instruments or financial assets;
- participating in securities issues and the provision of financial services related to such issues;
- providing settlement or clearing services for financial assets including, without limitation, securities, derivative products or other negotiable instruments;
- providing advice to undertakings on capital structure, industrial strategy or related questions, on mergers or the purchase of undertakings except where the advice is provided in the course of carrying on the business of a lawyer or accountant;
- money broking;
- money changing;
- providing individual or collective portfolio management services or advice;
- providing safe custody services;
- providing services for the safekeeping or administration of cash or liquid securities on behalf of clients;
- carrying on the business of a credit union;
- accepting repayable funds other than deposits; and
- otherwise investing, administering or managing funds or money on behalf of other persons.
Businesses carrying on the operations listed above on an incidental or occasional basis may not be required to register with the GFSC or to meet the AML/CFT regulations and rules in the GFSC's Handbook for Financial Services Businesses on Countering Financial Crime and Terrorist Financing.
The test for exclusion from the requirements of the NRFSB Law requires businesses to meet all of the criteria below:5
- the total turnover of that business, plus that of any other financial services business carried on by the same person, does not exceed £50,000 per annum;
- no occasional transactions are carried out in the course of such business; that is to say, any transaction involving more than £10,000, where no business relationship has been proposed or established, including such transactions carried out in a single operation or two or more operations that appear to be linked;
- the turnover of such business does not exceed 5 per cent of the total turnover of the person carrying on such business;
- the business is ancillary, and directly related, to the main activity of the person carrying on the business;
- in the course of such business, money or value is not transmitted or such transmission is not facilitated by any means;
- the main activity of the person carrying on the business is not that of a financial services business;
- the business is provided only to customers of the main activity of the person carrying on the business and is not offered to the public; and
- the business is not carried on by a person who also carries on a licensed financial services business.
Proposals to reform the NRFSB Law are currently being considered. While it is not yet possible to predict the final shape of the successor legislation, it seems clear from initial proposals that consumer lending and digital platforms will be a focus of the new regime (again with a view to both ensuring international standards regarding AML/CFT are met while also ensuring consumer protection). It seems clear that the following fintech areas will be captured by the new regime from the consultations to date:
- operating a peer-to-peer electronic platform;
- operating a crowdfunding platform;
- providing alternative non-bank credit or finance intermediation; and
- operating an AML/CFT platform.
Additionally, the GFSC has recently introduced the Cyber Security Rules and Guidance, 2021 which have application to all licensees under the Guernsey regulatory laws (but not to registered persons under the NRFSB Law). The regime under these rules focuses on five core principles outlined in a number of international cybersecurity frameworks: identify, protect, detect, respond and recover. As with other material risks, all licensed institutions are required to have robust policies, procedures and controls in place to identify, assess and manage cybersecurity risks on an on-going basis consistent with the minimum licensing requirements. However, the Commission recognises that there is no 'one size fits all' approach to addressing cyber risks with specific business circumstances varying greatly from firm to firm. Clearly, for institutions working in the digital space, expectations are likely to be higher as regards the level of protection and security in place.
ii Cross-border issues
Guernsey is a leading centre in the global funds industry, which in recent years has included a focus on technology funds. Guernsey has never been a Member State of the European Union (EU) but has put in place all of the infrastructure needed to allow funds and other similar investment structures launched in Guernsey to be marketed to both UK and EU investors. Guernsey has implemented a voluntary regime that mirrors the requirements of the Alternative Investment Fund Managers Directive (AIFMD). While the full AIFMD passport has not yet been extended to non-EU 'third countries', Guernsey funds are able to market to EU investors through the National Private Placement Regimes of EU Member States.
The GFSC is one of 12 financial regulators or related organisations that have collaborated on the establishment of the GFIN, building on a proposal in early 2018 to create a 'global sandbox'. This project will seek to provide a more efficient way for innovative firms to interact with regulators, helping them navigate between countries as they look to scale new ideas. It will also create a new framework for cooperation between financial services regulators on innovation-related topics, sharing different experiences and approaches.
Among the primary functions of the GFIN is to allow collaboration and share regulatory experience of innovation in respective markets, including emerging technologies and business models among which issues highlighted were artificial intelligence, distributed ledger technology, data protection, regulation of securities and initial coin offerings (ICOs), know-your-customer and anti-money laundering.
Digital identity and onboarding
A barrier to the electronic onboarding of clients in the financial services industry has traditionally been the need for certified copies of client due diligence information to permit the completion of necessary anti-money laundering processes. The latest version of the GFSC's Handbook for Financial Services Businesses on Countering Financial Crime and Terrorist Financing explicitly addresses electronic methodologies for onboarding clients and obtaining the necessary certifications digitally (e.g., by way of an app that takes control of a smartphone's camera to photograph potential clients holding their identification documents) for later verification.
While responsibility for anti-money laundering procedures always remains with the board of the licensed financial services business in question, a number of service providers have begun operating a client identification service that financial services businesses can contract with allowing clients to identify themselves once to the client identification service and then allow this data to be shared digitally with other businesses as necessary. Notable among these is the ID Register, which at the time of writing has an authenticated due diligence record of more than 25,000 investors shared among 274 (largely investment fund) clients and around 750 pension plans.
Guernsey does not provide individuals with a generally recognised digital identity but has endorsed the digital identity card provided by the UK non-profit scheme CitizenCard Limited, which can be used to self-identify online (or physically).
Digital markets, payment services and funding
Guernsey collective investment schemes are regulated under the POI Law and are required to be administered by a Guernsey-licensed administrator. Additionally, open-ended funds are usually required to custodise their assets with a Guernsey-licensed custodian. The definition of collective investment scheme sets out four characteristics that must be met for an entity to comprise a collective investment scheme. These are:
- the vehicle involves pooling of investors' money for investment in a common portfolio ('Spread of Investors');6
- the common portfolio holds assets intended to spread risk ('Spread of Risk');7
- there is no intention to exercise day-to-day management control over any business in which the vehicle invests;8 and
- the portfolio is managed by a professional manager, at arm's length from the investors in the collective investment scheme (this is covered by (c) and (d), together referred to as 'Independent Management').9
In short, a structure is likely to be a collective investment scheme for the purposes of the POI Law where there is a Spread of Investors, a Spread of Risk and Independent Management. Investing in cryptocurrencies, ICOs or both is possible for collective investment schemes; however, the GFSC have emphasised the perceived volatility of this asset class and will expect collective investment schemes operating in the space to have adequate controls in place to address this.
All collective investment schemes in Guernsey are required to have in place a Guernsey-licensed fund administrator. For open-ended schemes, a Guernsey-licensed custodian is also required although alternative custody arrangements may be approved by the GFSC where the assets involved make this appropriate.
Crowdfunding and crowd-lending are both permitted, as is peer-to-peer lending. All three structures are likely to fall within one of the categories defined as a financial services business for the purposes of the NRFSB Law and require registration. Guernsey does not have any consumer lending regulation in place (although there is a long-standing but rarely utilised prohibition dating to the 1930s on the charging of excessive interest, likely only to apply where the interest is owed by an individual).10
A consultation was commenced in 2017 around revised regulation in respect of lending, credit and finance regulation in Guernsey – the proposals would involve the replacement of the NRFSB Law and regulation around consumer lending and credit. A core goal of this consultation was ensuring consumer interests were matched with the ability for Guernsey companies to operate internationally. Noted among the responses to the consultation was industry 'encouragement to implement a framework that portrays a positive approach towards progressing advances in the use of technology and the digital sector'.11 Development of legislation in respect of this consultation is ongoing and is likely to form part of the Guernsey government's stated intention to continue to develop the fintech sector in Guernsey.
Operating an investment exchange is a restricted activity in Guernsey under the POI Law. To the extent businesses permit trading in loans or financing on a secondary market (or unitise or securitise those loans and permit trading in those), consideration should be given to whether an investment exchange is being created. To the extent that what is being transferred or offered meets the POI Law definition of a general security or derivative, consideration should also be given as to whether any other restricted activity (promotion or advising for example) is being undertaken that would trigger a licensing requirement.
Payment services operations are also unlicensed and again typically require registration under the NRFSB Law to ensure suitable AML and CFT procedures are in place.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no specific regulation of blockchain technology, which is increasingly being used in the broader regulated financial services sector in Guernsey. In February 2017, Northern Trust in Guernsey, in collaboration with IBM, launched the first commercial deployment of blockchain technology for the private equity market – a distributed ledger solution used for the management and administration of a private equity fund by Unigestion, a Swiss-based asset manager with US$20 billion assets under management. This use of blockchain was launched following the approval of the GFSC.
Guernsey insurance businesses have also utilised the blockchain: Solidum Partners utilises the private ILSBlockchain to create, settle and permit transfers of catastrophe bonds issued by its Guernsey-based transformer, Solidum Re (Guernsey ICC) Limited.
Basic anti-money laundering laws apply to all businesses operating in Guernsey. These laws create a series of obligations and offences around disclosure to the Financial Intelligence Unit if knowledge or suspicion of money laundering or terrorist financing arises (or where an individual has reasonable grounds for such suspicion).
More specific anti-money laundering rules apply to Guernsey companies and businesses that are captured within the Guernsey regulatory regime. For the purposes of this chapter, those are primarily those companies carrying on activities requiring a licence under Guernsey's financial services regulatory regime or the NRFSB Law.
To the extent that such a business falls outside the licensing regime of the POI Law, it will almost certainly be captured by one of the heads of business set out in the NRFSB Law (notably, operating a money service business,12 facilitating or transmitting money or value13 or issuing, redeeming, managing or administering means of payment)14 or its successor. As previously noted, the extent to which the POI Law licensing obligations will apply in the cryptocurrencies or ICO space will depend upon the extent to which the assets in question constitute 'general securities and derivatives', as that term is defined in Category 2 of Schedule 1 of the POI Law and is likely to come down to a factual analysis of each situation.
Other new business models
Guernsey has had an electronic transactions law in place (providing for the electronic execution of contracts) since 2000.15 At the time of writing, a new ordinance is in the process of being passed (and is expected to be in force by the time of publication), which will clarify that:
- the formation, execution, performance or termination of a contract shall not be denied legal effect solely because it involved the action of one or more electronic agents;
- contracts may be formed by the interaction of electronic agents (without input from natural persons); and
- contracts may be formed by the interaction of an electronic agent and a natural person.
An 'electronic agent' is defined in The Electronic Transactions (Guernsey) Law 2000 as:16
A computer program or electronic or other automated means used independently to initiate an action or to respond in whole or in part to information or actions in electronic form or communicated by electronic means, without review or action by a natural person.
As such, the use of 'smart' contracts and other self-executing mechanisms derived using artificial intelligence or algorithms is fully recognised under Guernsey law.
Funds utilising fully automated investment processes have been approved by the GFSC. In this situation, the regulator will expect there to be sufficient oversight of the algorithm or automation to ensure investors are suitably protected. Responsibility for this oversight rests with the board of a licensee, and the GFSC is expected to apply this approach to any use of artificial intelligence by a licensee. The GFSC has been clear that its expectations of board members on technology issues are that they need to engage with and understand any use of technologies by their businesses to understand the limitations and risks therein and ensure proper human oversight of those risks.
Third-party websites comparing products or providing information about financial products would be subject to the Data Protection (Bailiwick of Guernsey) Law 2017 (DPGL) regime detailed below to the extent they were operating in Guernsey and dealing with the data of individuals. The POI Law (and other financial services laws depending on the product offered, for example, insurance) may also apply to the extent the website constituted promotion or the offering of a product for sale in or from within Guernsey.
Intellectual property and data protection
Guernsey has a robust and extensive suite of intellectual property laws, including certain rights not available in many other jurisdictions.
Potentially of particular relevance to fintech business models is the Guernsey database right. In Guernsey (in addition to any copyright subsisting in a database), databases are protected under the Database Rights (Bailiwick of Guernsey) Ordinance 2005 (the Database Ordinance).
A database is defined under the Database Ordinance as 'a collection of independent works, data or other materials which (a) are arranged in a systematic or methodical way, and (b) are individually accessible by electronic or other means', a wide definition covering a range of data-holding structures. A database right protects the compilation of information comprising the data and subsists where there has been a substantial investment in the collation of the contents of the database.
Database rights, like other property rights, can be sold, licensed or assigned to third parties. A database is often a valuable asset that businesses are increasingly looking to exploit in their own right.
Similar to copyright, a database right is an automatic right and subsists from the moment the database is created in a recorded form. Database rights last for a period of 15 years from the end of the calendar year in which the database was completed. Where a database is made available to the public before the end of the 15-year period, the protection period will be extended by a further 15 years from the end of the calendar year in which it was first made publicly available. Additionally, if there is a substantial change to the contents of the database then the 15-year protection period recommences. In effect, this means that an indefinite term of protection is available for many databases that are continually updated.
Other more typical intellectual property rights and protections such as copyright, patents and trademarks are all also available in Guernsey as well as the world's first registerable image right. Typically, Guernsey intellectual property laws provide a presumption that intellectual property rights developed by an employee in the course of their employment belong to the employer (this is the case for patent,17 copyright18 and database rights,19 among others) subject to rebuttal by reference to specific factual differences.
From a data protection perspective, Guernsey is one of a small number of jurisdictions historically deemed to have an equivalent data protection regime to the European Union. To maintain this status following the General Data Protection Regulation, the DPGL was enacted.
The DPGL deals with duties of data controllers (including the data protection principles), duties of data processors, conditions for processing, obligations to appoint data protection officers, rights of data subjects, exemptions to parts of the law, cross-border transfers and exemptions to the adequacy requirements and remedies and enforcement. The DPGL largely mirrors the EU position and the rules around digital profiling are similar to those in the EU.
The DPGL established the office of the Data Protection Authority in Guernsey, and includes powers allowing it to investigate complaints and undertake inquiries along with granting it powers of sanction following a finding of a breach (including fines). Owing to the similarity of Guernsey law to EU law in this area, the approach of the Data Protection Authority in Guernsey in enforcing the law and treatment of certain technologies and uses of data (such as profiling) is likely to be similar to that employed by European data protection regulators (and indeed the UK Information Commissioner's Office post-Brexit). European case law and enforcement actions will likely be influential.
Year in review
From a Guernsey perspective, the most significant aspect of the past year has been the increased embracing of existing digital and fintech related regulatory tools by Guernsey's financial services industry as a result of disruption related to the covid-19 pandemic. The island's businesses have demonstrated their ability to operate in a remote and decentralised fashion at this time and we are seeing increased comfort with the use of (for example) electronic transactions or due diligence. Fintech remains formally identified as one of the keys for ongoing financial services development in the eyes of the States of Guernsey and Guernsey Finance's 'Financial Services Policy Framework'.
While no individual change has been groundbreaking, and we have not seen the enactment of legislation directly aimed at fintech specifically, this continued engagement together with recent and proposed minor legislative changes has seen the island's technical and regulatory capability grow in relation to fintech work. Related to this, we have also seen the GFSC work with industry to facilitate the use of a range of disruptive technologies within industry, and this engagement has been received very positively by industry.
Outlook and conclusions
We expect to see continued growth in Guernsey's fintech sector over the forthcoming year. In our view, much of this growth will come from the application of financial technologies to traditional business models.
Specifically, we expect to see continued growth in the use of blockchain for private equity transactions and other investment asset exchanges, as well as the expansion of the use of digital onboarding of clients by investment funds, fiduciary service providers and local banks. We also anticipate the expanded use of artificial intelligence in Guernsey financial services (subject to appropriate human oversight).
As regards cryptocurrencies and ICOs, these are likely to continue to be used as investment assets by structures based in Guernsey rather than structures or assets launched out of Guernsey in their own right (as has been the case to date).
At this time, we are unaware of plans for significant legislative change that would directly impact the fintech sector. It seems likely, however, that updates to the POI Law and NRFSB Law will be made in a way that enables and supports the use of financial technologies wherever possible.
1 Wayne Atkinson is a group partner at Collas Crill.
3 Schedule 1, Protection of Investors (Bailiwick of Guernsey) Law 1987.
4 Schedule 1, NRFSB Law.
5 Section 3, the NRFSB Law.
6 Paragraph 1(1)(c)(i) of Schedule 1 to the POI Law.
7 Paragraph 1(a) of Schedule 1 to the POI Law.
8 Paragraphs 1(1)(b) and 1(1)(c)(ii) of Schedule 1 to the POI Law.
9 Paragraph 1(c)(ii) of Schedule 1 to the POI Law.
10 The Ordonnance Donnant Pouvoir à La Cour de Réduire Les Intérêts Ecessifs, 1930.
12 Paragraph 4, Schedule 1 Part 1, NRFSB Law.
13 Paragraph 5, Schedule 1 Part 1, NRFSB Law.
14 Paragraph 6, Schedule 1 Part 1, NRFSB Law.
15 The Electronic Transactions (Guernsey) Law 2000.
16 Section 14(3), the Electronic Transactions (Guernsey) Law 2000.
17 Section 54, the Registered Patents and Biotechnological Inventions (Bailiwick of Guernsey) Ordinance 2009.
18 Section 12(1), the Copyright (Bailiwick of Guernsey) Ordinance 2005.
19 Section 4(2), the Database Rights (Bailiwick of Guernsey) Ordinance 2005.