The Financial Technology Law Review: United Kingdom


The UK is one of the world's leading centres for 'technology applied to financial services' (the Department for International Trade's definition of fintech),2 and the market has continued to grow year on year. It benefits from the UK's financial services regulatory regime, which is well established, and the supervision of that regime by the Financial Conduct Authority (FCA), which maintains a reputation as one of the gold-standard regulatory bodies worldwide. The trend in the UK over the past decade has been towards ever increasing regulation, and the current climate is no exception.

There are no dedicated fintech tax incentives in the UK, but there are various features of the UK tax regime that make it attractive for fintech businesses. There are incentives for companies; for example, R&D incentives for both capital and revenue expenditure and the 'patent box' regime.3,4 Additionally, there are incentives for investors and management, including seed enterprise investment schemes, enterprise investment schemes, venture capital trust reliefs, entrepreneurs' relief, investors' relief and tax-advantaged share option arrangements.

The UK, like many other jurisdictions, is still addressing some of the transfer pricing and taxable presence problems arising out of fintech businesses. These depend on the value that is placed on a decentralised system, and new types of questions are likely to need to be answered as to what is required for a taxable presence in a country. The starting point for UK tax is to check whether there is a permanent establishment, and typically this will involve a physical presence. However, there are also anti-avoidance provisions designed to prevent an avoided permanent establishment or profit fragmentation, and in some cases the arrangements around a fintech business will need to be reviewed to see if there is a risk of triggering these provisions. In some cases, it will be harder to judge how these might apply to a global supply chain compared with a more traditional business.

The UK left the European Union on 31 January 2020 (commonly referred to as Brexit). In December 2020, the UK and the EU agreed the UK-EU Trade and Co-operation Agreement (TCA). However, as far as financial services are concerned, this offers little more than would have been the case had the UK defaulted to World Trade Organization rules. Inevitably, therefore, the relationship between the UK and the EU as regards the financial services sector will continue to be a live issue over the coming years.

The absence of any harmonised trade deal as regards financial services certainly poses challenges to fintech business models but it also presents opportunities as the UK adjusts its financial regulatory regime to make itself more attractive to fintech entrepreneurs and enterprise capital while at the same maintaining its world leading reputation as a centre for financial services. With this in mind, the government commissioned the Kalifa Review of UK Fintech5 which has set out a range of proposals with the aim of sparking a post-Brexit 'digital big bang'.


i Licensing and marketing


The FCA is technology neutral in its considerations on whether a firm is caught by the regulations and, therefore, the source and details of the rules that apply to fintech businesses operating in the UK will depend on the activities being carried on by each business. As a starting point, businesses will have to consider the general prohibition set out in Section 19 of the Financial Services and Markets Act 2000, which provides that it is a crime for any person to carry on regulated activities by way of business in the UK unless that person is authorised or exempt.6

The list of regulated activities caught by the general prohibition is set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) and includes, pertinently, accepting deposits,7 issuing electronic money, effecting and carrying out contracts of insurance,8 advising on or arranging deals in investments,9 dealing in investments as agent or principal, providing credit information services and operating an electronic system in relation to lending.10 These are known as 'specified activities', and to be regulated activities must relate to certain specified investments also set out in the RAO. Specified investments include electronic money, contracts of insurance, shares, units in collective investment schemes, rights under a pension scheme and credit agreements.11 It does not matter whether services are offered digitally or in person; an entity carrying on the activities specified in the RAO by way of business in the UK12 will be carrying on a regulated activity for which it must be authorised or exempt.

Where the activities of a business relate to the provision of payment services then the regime implemented in the Payment Services Regulations 2017 (PSR) will apply to the authorisation, registration and conduct of business obligations of those businesses. These aspects are discussed in more detail in Section IV.

Authorisation and registration applications for carrying on regulated activities under FSMA or specified activities under the PSRs must be made to the FCA and, in some cases, to the Prudential Regulation Authority (PRA).13 Once authorised or registered, either or both of the regulators will continue to regulate the activities of the firm. All firms are regulated by the FCA as regards their conduct of business, but larger trading institutions will also be supervised by the PRA, which focuses on financial concerns that have an ability to negatively impact the broader market and economy.

The authorisation process is a lengthy and time-consuming one, and the scope of permissions that firms are required to obtain are not always clear. With that in mind, the FCA launched its regulatory sandbox in June 2016. The sandbox is open to authorised firms, unauthorised firms that require authorisation and technology businesses, and seeks to provide those firms with, among other things, a reduced time-to-market at (potentially) lower cost including by offering a restricted authorisation path, which allows those firms to operate in a limited manner under the close supervision of the FCA.14 The 2020 regulatory sandbox called out, for the first time, areas where it would like to see innovation, seeking propositions that make finance work for everyone and to support the UK in its move to a greener economy. There are also proposals to enhance the regulatory sandbox, making the digital sandbox pilot permanent, introducing measures to support partnering between incumbents, fintech and regtech firms.

Despite the more informal route that may be open to firms accepted into the sandbox, no special fintech licence or permission regime applies to fintech firms looking to operate in the UK.


Subject to certain notable exceptions, firms may generally market themselves freely in the UK as long as any advertisements or marketing materials are accurate, legal, decent, truthful, honest and socially responsible.15

Firms may not, however, in the course of business communicate an invitation or inducement to engage in investment activity (a financial promotion) unless the firm is authorised or the content of the communication is approved by an authorised person.16 Breaches of the restriction on financial promotions carry criminal consequences.

The terms 'invitation' and 'inducement' are typically given their natural meaning and, as such, communications that include a promotional element, (rather than those that seek merely to inform or educate about the mechanics or risks of investment) will be caught by the financial promotion restriction.

A number of exemptions may cause a financial promotion to fall outside of the restriction and, therefore, may freely be made by unauthorised firms within the boundaries of the applicable exemption. Alternatively, unauthorised firms may enter into arrangements under which an authorised entity reviews and approves each promotion at the time it is made. This is a structure often implemented in crowdfunding; for example, where a business seeking equity investment through the crowdfunding platform is required to get the platform (which will be authorised) to sign off on the promotion before it is listed on the site.

Authorised firms that make financial promotions in compliance with the financial promotion restriction will also need to bear in mind the additional conduct rules for financial promotions set out in Chapter 4 of the Conduct of Business Sourcebook of the FCA Handbook.

ii Cross-border issues

As identified in the previous section, for a regulated activity to be carried on there must be some link between the activity and the UK. As such, where there is a cross-border element to the services or activities it will be necessary, from a regulatory perspective, to consider where the activity is actually carried on. This will inform the analysis of whether the firm carrying on that activity requires authorisation in the UK under the process described above. Where a business does not carry on any regulated activities in the UK then it will be able to provide those services in the UK, either on a cross-border basis or from a branch office set up in the UK.

Prior to Brexit, for those firms that are based in Europe but intending to provide regulated activities in the UK, a complex web of EU passporting regimes applied, depending on the activities carried on by the fintech business.17 As an automatic consequence of the UK's departure from the single market, passporting rights to (and from) the UK have ended. However, the UK has made wide-ranging equivalence declarations in respect of EU members, allowing EU firms access to UK markets to the extent permitted by their home legislation while the UK and the EU continue to negotiate on a wider process of adoption, suspension and withdrawal of equivalence decisions between the two jurisdictions.

Digital identity and onboarding

There is no official national digital identity in the UK at present. However, one of the recommendations in the 'Kalifa Review of UK Fintech' was that the UK government should establish a digital ID trust framework for both corporates and individuals, ideally based on a federated model so that data is not concentrated in one place. Access to data for verification purposes should be controlled and consented to by the individual, and should be limited to what is truly necessary for the data recipient to have the level of assurance that they need to transact. It remains to be seen if and to what extent this will be implemented.

In the meantime, a number of fintech firms are employing ever more sophisticated digital onboarding services. The neo-banks in particular have become very good at onboarding clients with little more than photographs of passports and a short video. Meanwhile, the market for firms who claim to be able to use cryptographic hashing to create a digital identity for an individual is growing rapidly in the UK. If successful, these services will enable individuals to verify their identity to third parties using only a very small amount of data. This can be in the form of their personal hash, which is a cryptographically generated code combining all elements of that individual's identifying personal data, with a checksum item forming part of the personal hash calcuation, such as the individual's year of birth. In this case, the year of birth acts as a way of validating the personal hash and, therefore, the identity of the individual in question.

Digital markets, payment services and funding

i Digital markets and funding

The UK has a very strong market in crowdfunding, peer-to-peer (P2P) lending and payment services, all of which sit alongside the UK's world-leading financial services marketplace.

The crowdfunding market in the UK is particularly mature and sophisticated – in July 2018 the FCA launched a consultation18 into the market to identify whether the existing regulatory framework was still relevant and robust enough to ensure that good standards of business are practised by the platforms, particularly where retail investors are involved. As a result of the consultation, the FCA published a new package of rules and guidance to further improve standards which came into force in December 2019.19

Certain crowdfunding activities require authorisation by the FCA and others do not. All crowdfunding platforms are subject to the FCA's general high-level standards, including the Principles for Businesses and specific Conduct of Business rules; for example, in relation to financial promotions. However, there are differences in the detailed regulatory frameworks that apply to investment-based and loan-based (or P2P) crowdfunding platforms.

Investment-based crowdfunding has evolved from more traditional ways of seeking equity-based investments, and the FCA regulates it as such. Therefore, an investment-based platform will usually ask for authorisation from the FCA to carry on activities such as arranging deals in investments (Article 25 RAO), dealing in investments as an agent (Article 21 RAO) and advising on investments (Article 53). Platforms that provide a nominee structure must also apply for a safeguarding and administration of assets permission (Article 40).

Operating a P2P platform was not adequately captured under the existing list of regulated activities, so, in 2014, the FCA introduced the new activity of operating an electronic system in relation to lending (Article 36H RAO), which captures most of what P2P platforms will be carrying on in practice. However, care should be taken if other regulated activities are built into the business model, such as credit broking, debt administration and debt collecting, each of which require separate permission from the FCA.

The creation of secondary markets on platforms is not prohibited but is becoming increasingly unusual with the more established platforms because of the additional regulatory burden of doing so (not least because of the potential financial promotion issues). It is more common for platforms to create venture capital-like fund structures that give investors the ability to exit the fund without having to find other users to buy their units.

ii Payment services

The UK is also a world leader in payment services. Firms will often seek authorisation from the FCA even where they do not intend to serve customers in the UK to benefit from the halo effect of being a UK-regulated firm when considering international expansion.

Payment service activities regulated under the PSRs in the UK include, among other things, services relating to the operation of payment accounts (e.g., cash deposits and withdrawals from current accounts and savings accounts), execution of payment transactions (whether covered by a credit line or otherwise), card-issuing and money remittance. PSD2, as implemented by the PSRs, also creates authorisation and registration regimes for payment initiation service providers (PISPs) and account information service providers (AISPs), two activities newly defined in 2017 that capture those businesses looking to utilise open banking standards to provide consumers with information about their finances, or that facilitate payments directly from users' bank accounts without the need to use a payment card.

Firms offering payment services are required to identify at the outset whether they will apply for registration or authorisation under the PSRs. Small payment institutions (SPIs),20 small electronic money institutions (EMIs)21 and firms that will only offer account information services can apply to be registered as such, or as a registered account information service provider (RAISP), and a lighter touch registration and conduct regime will apply to those firms. Firms that do not qualify as an SPI, small EMI or RAISP but that intend to carry on payment services in the UK must apply for authorisation and follow more onerous conduct of business requirements. These alternative routes are particularly popular where available.

PSD2 and the PSRs also facilitated new open banking standards,22 requiring banks and building societies to give third parties access to customers' accounts and data where the user consents to it. At the moment, only the UK's nine largest banks and building societies must make customer data available through open banking, but a number of smaller banks and building societies have also opted in to the regime. Relevant third parties that benefit from the open banking regime include PISPs and AISPs, who are able to use customer account data to provide these new breeds of services.

Take-up was initially slow, but in 2019 open banking surpassed 1 million users for the first time. With a greater number of consumers and small businesses authorising their bank accounts to be connected with authorised third parties, responsibility for protection of their data rests with a wider ecosystem of providers. This raises challenges around security, the onward supply of data and the combination of data with other datasets. The trust framework that sits at the heart of open banking and which is administered by the Open Banking Implementation Entity has been so successful that the FCA is keen to develop 'Open Finance' as an extension of Open Banking. Open Finance would open up a wider range of financial products and services to third-party data sharing; for example, pensions and insurance. The FCA is due to issue its findings in the first half of 2021.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Blockchain technology continues to capture the imagination in the UK, and the number of businesses adopting the technology for their own purposes is indicative of longer-term trends. To date, key financial industries utilising the technology include the UK insurance and crowdfunding sectors, with asset management following slightly behind.

Of course, blockchain's original use in cryptoassets continues to be relevant, though that market is under a period of significant flux at the time of writing. This is, in part, due to the global development of rules and regulations that has created a period of instability and regulatory uncertainty. While the UK has not implemented any specific cryptoasset laws or regulations, the FCA has carried out work on cryptoassets, both as part of a broader UK Cryptoasset Taskforce and independently. The output of that work is the publication of Policy Statement 19/22, which is intended to help market participants to understand whether the cryptoassets they use are within the regulatory perimeter. In general, cryptocurrencies are not separately regulated by the FCA provided that they are not part of other regulated products or services. Instead, cryptoassets will fall within one of two categories – regulated tokens and unregulated tokens. The latter category does not require regulation and we have not considered those tokens further for these purposes. Regulated tokens can be further broken down into two categories – security tokens and e-money tokens.

Security tokens are tokens that provide rights and obligations akin to specified investments as set out in the RAO, including those that are financial instruments under MiFID II.23 Consequently, whether a cryptoasset will be treated as a security token will depend on its characteristics such as (1) any contractual rights and obligations the token-holder has by virtue of holding or owning that cryptoasset; (2) any contractual entitlement to profit-share; or (3) whether the token is transferrable and tradeable on exchanges.

Separately, the new category of e-money tokens is based on the definition of e-money under the Electronic Money Regulations 2011 (EMR); that is, electronically stored monetary value as represented by a claim on the issuer that is (1) issued on receipt of funds for the purpose of making payment transactions; (2) accepted by a person other than the electronic money issuer; and (3) not excluded by Regulation 3 of the EMR.

Although it is clear that potential anonymity (or, more precisely, pseudonymity) afforded to individuals by cryptoassets means that they may have a role in money laundering and terrorist financing, the applicability of the existing money laundering regulations in the UK is not straightforward. To address that issue, the FCA has taken over supervision of anti-money laundering for cryptoasset businesses under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), effective from 10 January 2020. The MLRs have been amended to bring cryptoasset exchange providers (including providers of automated teller machines (ATMs), peer-to-peer providers and issuers of new cryptoassets) and custodian wallet providers, within scope of the regulations. Businesses carrying on those activities will need to register with the FCA.

The UK has been reluctant to legislate for the tax treatment of cryptocurrency and crypto-token offerings, and HMRC, the UK tax authority, has focused instead on fitting this within existing tax provisions. However, it was recognised that, in the light of the Final Report from the Cryptoassets Taskforce in October 2018, some clarification was needed, as HMRC's 2014 guidance focused mainly on certain types of cryptocurrency and was very limited in scope. HMRC therefore produced revised guidance, covering the tax treatment of cryptoassets for individuals and where these are used as a form of employee reward (in December 2018) and the tax treatment of cryptoassets for companies and businesses (in December 2019). Unfortunately, there has so far been no detailed public clarification of HMRC's view on the treatment of ICO and initial token offering issues for the issuing entities, but it is hoped additional guidance will become available in the near future.

Cryptoassets may currently be marketed to UK residents from other jurisdictions, but the UK financial promotion regime will apply and market participants will need to ensure that any financial promotion of products and services, whether regulated or unregulated, is carried on in a way that is clear, fair and not misleading. Firms must make clear in their promotions which activities are, and are not, regulated, especially when marketing their FCA-authorised status, so care will need to be taken in this regard.

Other new business models

The UK is awash with new business models. Of the new models available, 2020 was the year in which open banking really started to take off, with a rise in the number of AISPs becoming operational. Other popular business models include robo-advisers (including fully automated investment processes), e-wallets, crowdfunding, information aggregators and trust-based platform arrangements. Third-party financial comparison sites are commonplace, with insurance the largest category in both the consumer and business sectors. These sites are subject to the usual credit broking and insurance-related regulation (among others), and the same data protection and competition rules as any other business.

Self-executing, or 'smart' contracts are permitted, and the usual legal framework for contracts applies to them. That means there are a few legal questions still unanswered, especially around liability and agency. When it comes to making corrections, the court is the default option, unless an alternative was agreed in the contract.

Finally, the aggregation and analysis of big data is also on the rise, increasing the size and value of datasets. To facilitate data sharing, we are seeing a proliferation of trust-based arrangements with clear accountabilities and risk allocation for all participants, careful governance and security governing access, including third-party supply chain players. Also relevant here are the comments on Data Trusts in Section VII.ii below.

Intellectual property and data protection

i Intellectual property

There are no intellectual property protections that are peculiar to fintech. However, in common with all evolving technologies, some fintech technologies do test the limits of the existing legal framework, this having not been written with these new technologies in mind. The most notable challenges come from blockchain technologies and technologies delivering artificial intelligence and machine learning applications.

The most important intellectual property rights for artificial intelligence are confidentiality, copyright and patent rights. The laws of confidence pose no unusual issues for artificial intelligence. However, from a wider financial services policy perspective, it would be preferable for innovators to disclose AI innovations rather than opt to keep these as trade secrets,24 so other protections come to the fore.

Copyright raises some issues in respect of ownership of the output of artificial intelligence, but otherwise copyright protection of source code remains as applicable to artificial intelligence software systems as it does for more traditional software systems.

It is in the realms of patent that the interesting issues around protection arise. In the UK, and under the European Patent Convention, to be granted a patent, the invention must be new, inventive and capable of industrial application and not specifically excluded from protection as a patent. Mathematical methods are excluded, as are computer programs, which are, of course, at the heart of artificial intelligence development.

This is not to say artificial intelligence and machine learning algorithms cannot form part of a computer-implemented invention where they can be shown to have a 'technical effect'; they are just not patentable in and of themselves. Where they form part of platforms and applications that solve specific technical problems, then the success of a patent application improves significantly. In summary, a combination of copyright and patent protection should provide a good basis for protecting investment in artificial intelligence and machine learning in the UK.

Artificial intelligence is, of course, inextricably linked with the data it consumes and the financial services industry generates vast amounts of data. The data itself comes with a set of intellectual property protections – mostly confidentiality, sometimes copyright and, potentially, the sui generis database right.25 For example, look-up tables (databases accessed by software routines) are potentially protected by copyright in the structure of the database and by the sui generis database right protecting the extraction and reutilisation of the data contained in the database (provided the owner can show substantial investment in obtaining the data).

The database right is a powerful right, and while the protection ostensibly lasts for 15 years, each time substantial investment is expended in obtaining, verifying or presenting the contents of the database, a new database is likely deemed created and thus a rolling protection obtained.26 There has been some debate as to whether aggregations of data – for example, sensor or machine-generated data – can fulfil the 'substantial investment in obtaining' requirement of the database right. The debate continues as to where the threshold of effort lies.

Irrespective of whether or not the contents of a database are protected by confidentiality or database rights, both can provide limitless protection. Because big data is becoming such an integral part of any business dealings, the UK competition authorities are sure to consider moves to counteract potentially monopolistic effects of vast datasets being controlled by relatively few market players.

Turning to blockchain technologies, similar issues are encountered: patent protection for spreadsheets is not available, and there will need to be some actual technical effect, similar to software-enabled inventions. Copyright is the most common form of protection for blockchain, both proprietary and open-source. The basic building blocks of many blockchain technologies are open-source software codes, but those building on top of the originating technologies may want to protect their inventions through more commercial protections, such as more restrictive copyright and patent licensing.

The UK's departure from the EU has some implications for intellectual property protection in the UK and it is worth commenting on how the main types of protection relevant to fintech are affected. The European Patent Convention is not directly linked to the European Union, so European patents should not be affected by Brexit. By contrast, European Union trade marks that cover the UK are linked to membership of the European Union and from January 2021 will cease to provide protection in the UK. Instead, from 1 January 2021, the UK's Intellectual Property Office (UKIPO) has created a comparable UK registered trade mark for every registered EU trade mark, with the same legal status as a UK registered trade mark so no trade mark rights will be lost. A similar approach has been implemented for international trademarks designating the EU.

As for the sui generis database right, since leaving the EU the reciprocal recognition for new database rights between the EU and the UK has ceased. However, the UK and the EU agreed to continue the reciprocal recognition where those rights had already been awarded (i.e., UK databases created before 1 January 2021 will continue to be protected in the EU and vice versa).27

ii Data protection

The provisions in the General Data Protection Regulation (GDPR) relating to the processing of personal data (now re-named the EU GDPR) have been merged with the UK version of the GDPR (the Data Protection Act 2018) to become the UK GDPR. The UK is one of the most connected countries in the world, and, post Brexit, the maintenance of dataflows between the UK and the EU is an obvious priority. The UK has sought to obtain an 'adequacy' decision from the European Commission as part of the future trading relationship. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). On 19 February 2021, the European Commission published a draft decision on the UK's adequacy under the EU GDPR which found the UK to be adequate. The draft decision will now be considered by the European Data Protection Board, among others. If the decision is approved, the EU can formally adopt it as a legal adequacy decision. If approved, most of the data protection rules affecting fintechs prior to Brexit will stay the same.

If, however, the decision is not approved, at the end of the bridge, the UK will become a third country as far as EU dataflows are concerned, and companies will have to put in place more cumbersome compliance mechanisms to govern these, such as binding corporate rules, EU standard contractual clauses (SCCs) or other approved arrangements. The recent Schrems II decisions will also apply to transfers from the EU to the UK and vice versa. This decision requires that you make an assessment as to whether those SCCs provide protection that is 'essentially equivalent' to the protections in the UK data protection regime, and if necessary, put in place additional measures.28

In the same way as for intellectual property, financial services technologies also test the existing legal framework around data protection, despite the GDPR being of very recent provenance.

The UK Information Commissioner's technology priorities for 2020 include establishing good practice in artificial intelligence and supporting digitalisation, both highly pertinent to technologies within the financial services sector.

AI and big data analytics again poses difficulties for data protection law. Difficulties include: (1) running large numbers of algorithms against vast datasets to find correlations; (2) the opacity of the processing; (3) the tendency to collect 'all the data'; (4) the repurposing of data and the use of new types of data; not to mention (5) the hurdles of distinguishing between data controllers and data processors and obtaining access to sufficient training data. Clearly, all of these activities have implications for data protection.29

The Information Commissioner's Office is reaching out to partners as part of its Technology Strategy to better understand these technologies, and has established a regulatory sandbox, drawing on the successful sandbox process that the FCA has developed. From a fintech perspective, one of the themes of interest in the 2020 ICO sandbox is data sharing, looking at projects where there is genuine uncertainty about what compliance looks like and aiming to show that data protection law is not a barrier to proportionate sharing of personal data. More generally, the ICO sandbox is expected to enable organisations to develop innovative digital products and services, while engaging with the regulator, who will provide advice on mitigating risks and data protection by design.30

New blockchain technology also poses data protection challenges. There has been significant debate as to whether or not the hashed information contained on the blockchain could be considered personal information and, if it is, how the GDPR can be reconciled with the benefits of the blockchain being an immutable source of the truth without the need for trusted intermediaries. This question has yet to be resolved.

In addition to the GDPR, PSD2 includes a number of specific rules concerning the processing of personal data. For example, PSD2 provides for 'explicit consent' raising the question of whether this constrained the use of the various other bases for processing set out in the GDPR. The European Data Protection Board has clarified that it did not. 'Explicit consent' referred to in PSD2 is a contractual consent that is an additional requirement of a contractual nature. Payment services are always provided on a contractual basis between payment service user and payment service. There still needed to be a requisite basis for processing the data under the GDPR; for example, processing necessary for the performance of a contract to which the data subject is party.

Where the financial sector is undergoing huge digital transformation in readiness for the 'smart' world, data is itself a building block of modern living; an extremely valuable economic asset provided its flow can be properly controlled and harnessed.31 To this end, Data Trusts are a recent development, enabling sensitive commercial data (whether commercially confidential or personal or both) to be shared between multiple parties. In additional to the ICO's Data Sharing Code published in December 2020 and its sandbox initiatives, the UK's Open Data Institute is pioneering standards for the data stewardship and sharing, to build trustworthy data ecosystems, maximising the societal and economic value of sharing data, while limiting and mitigating potential harms.

Year in review

From 31 January 2020, the UK was no longer a member of the EU. The parties negotiated an implementation period which saw the UK continue to be subject to EU rules and remain a member of the EU Single Market and customs union. This allowed the parties to continue their current relationship while a future trading relationship was negotiated. The trade deal was finally completed in December 2020 but at the time of going to print, negotiations continue as regards the future regime for data flows between the UK and the EEA and the delivery of financial services into the EEA.

The covid-19 pandemic had a significant effect on fintechs during 2020 but payment services received a boost from the accelerated adoption of digital payment services. Many companies had to grapple with the accelerated shift to e-commerce, which in turn created opportunities for payment service providers through more pronounced payments digitisation needs, contactless payments, enhanced authorisation, fraud and marketplace platforms.

The interest in Data Trusts, originally conceived as a means of solving problems posed by creating training data for AI and machine learning, has increased considerably with many new use cases and initiatives focusing on how best to facilitate data sharing.

Outlook and conclusions

Focus in the coming months will be on the outcome of negotiations between the UK and the EU and how it affects the market for financial services.

The narrative will also move to the implementation of the recommendations in the Kalifa Review of UK Fintech. From a policy and regulatory perspective, the review recommends the creation of a digital finance package creating a new regulatory framework for emerging technology and helping create an enhanced environment for fintech. Recommendations include the creation of a 'scalebox' that supports firms focusing on scaling innovative technology and the establishment of a Digital Economy Taskforce bringing together multiple UK government departments and regulators who have important fintech competencies and functions. Fintech is also likely to form an integral part of UK global trade policy from now on.

From a capital investment perspective, private funding has been crucial to the success of the UK as a fintech hub. The Kalifa Review of UK Fintech has recommended an expansion in the existing R&D tax credits and other investment incentives to encourage fintechs to continue building their companies rather than selling them. Another key proposal of the review is to improve the listing environment for those firms looking to launch initial public offerings through free float reduction, dual class shares and relaxation of pre-emption rights with a view to setting up a UK tech index in the future.


1 Sarah Kenshall is a partner at BPE Solicitors LLP. With thanks to Gareth Malna for his work on the 2020 edition.

2 See 'Landscaping UK Fintech' Report 2014, Ernst & Young LLP commissioned by UK Trade and Investment (now the Department for International Trade):$FILE/EY-Landscaping-UK-Fintech.pdf.

3 The 'patent box' is simply a calculation, though the way in which the patent is owned and used within a group structure can make the calculation and attribution of relevant amounts easier administratively. It allows the company to benefit from a low tax rate of 10 per cent for profits within the 'box'. The benefit of the regime is no longer available for acquired patents; however, it does cover cases where part of the relevant work was subcontracted. For fintech companies, patents that qualify have become more common. Nevertheless, it is critical to note that because the regime only applies to profits related to patents registered with the UK Intellectual Property Office or the European Patent Office or certain European Economic Area (EEA) states, the benefit of the more flexible regime for software patents in certain jurisdictions (for example, the US and Singapore) is not available.

4 There is no equivalent regime for other forms of intellectual property such as copyrights and trademarks.

5 An independent report on the UK Fintech sector, led by Ron Kalifa OBE, former CEO of Worldpay, was published on 26 February 2021 by HM Treasury, the UK government's economic and finance ministry.

6 See Sections 19 and 20 of the Financial Services and Markets Act 2000 (FSMA).

7 Relevant for neo-banks acting with full deposit-taking permissions such as Starling and Monzo who were both granted permission during 2018.

8 Relevant for those platforms offering peer-to-peer insurance.

9 Relevant to digital wealth platforms such as Nutmeg and MoneyFarm.

10 Directly applicable to loan-based crowdfunding platforms such as FundingCircle.

11 See Part III of the RAO.

12 The question of whether an activity is being carried on 'in the United Kingdom' has to be answered in the context of each activity. Entities that arrange deals in investments are said to be carrying on that activity from the place of their establishment, whereas the activity of advising is said to be carried on where the advice is received.

13 The PRA supervises around 1,500 banks, building societies, credit unions, insurers and major investment firms.

14 The FCA can also offer through the sandbox: (1) the ability to test products and services in a controlled environment; (2) support in identifying appropriate consumer protection safeguards to build into new products and services; (3) better access to finance; and (4) individual guidance, informal steers, waivers and no enforcement action letters. For further details on the sandbox see

15 That is, they must not encourage illegal, unsafe or antisocial behaviour.

16 Section 21 FSMA.

17 Passporting is the exercise of the right available to a firm authorised in one EU Member State to carry on certain activities covered by certain EU single market directives in another Member State on the basis of its home state's authorisation.

18 CP18/20.

19 FCA policy statement PS19/14. The majority of the new rules came into force on 9 December 2019.

20 Firms operating below an average monthly turnover in payment transactions of €3 million.

21 Firms in which total business activities will not exceed an average of €5 million of outstanding e-money immediately before registration.

22 Open banking is one of a series of regulatory remedies mandated by the UK Competition and Markets Authority requiring nine UK banks to implement a common standard API to allow third parties to access customer bank accounts (with customers' explicit consent).

23 The EU's Market in Financial Instruments Directive II. The UK's MiFID II EU Exit Regulations ensure that the regime established by the MiFID II Directive functions effectively after Brexit.

24 European Patent Office, Patenting Artificial Intelligence 30 May 2018.

25 EU Directive 96/9/EC on the legal protection of databases (the Database Directive) implemented in the UK by the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032) (the Database Regulations).

26 The organisation that originates the contents of the database does not get the benefit of the protection as they do not need to expend time finding, checking and verifying the contents (as they originated the contents). Clearly, the key is investment in collection rather than creation of the content.

28 UK Information Commissioner's Office – standard contractual clauses after the transition period ends.

29 ICO Big Data, artificial intelligence, machine learning and data protection report 2017.

30 ICO Technology Strategy 2018–2021.

31 Kenshall S, 'The Information Flow', Global Banking & Finance Review.

Get unlimited access to all The Law Reviews content