International data transfers – Commission adopts UK adequacy decisions just in time

On 28 June 2021, the European Commission adopted two decisions confirming the UK as an adequate jurisdiction for GDPR and Law Enforcement Directive purposes.  As the interim data transfer window under the Brexit Trade Agreement expired on 30 June, this was just in time to allow the uninterrupted free flow of personal data from the European Union to the UK. Continue reading

High Court says bank need not comply with numerous and repetitive DSARs which were being used for a collateral purpose

The High Court has dismissed a Part 8 claim against a bank for allegedly failing to provide an adequate response to the claimant’s Data Subject Access Requests (DSARs). This is a noteworthy decision for financial institutions, particularly those with a strong retail customer base, as it highlights the robust approach that the court is willing to take where it suspects the tactical deployment of DSARs against the institution: Lees v Lloyds Bank plc [2020] EWHC 2249 (Ch).

Continue reading

Feedback Statement: Distributed Ledger Technology

The FCA has today published the Feedback Statement (FS) to its April 2017 Discussion Paper (DP) DP17/03 on Distributed Ledger Technology (DLT).

  • In its introduction to the FS, the FCA articulates its position on DLT as follows: “Our aim is to be alive to current and potential developments involving DLT, to keep pace with them, and to strike a proportionate regulatory balance between the risks and opportunities they present. We see regulation as an enabler of positive innovation based on new technologies as well as a means of containing undue risk. Our regulatory philosophy (subject to any risks to our objectives) is to be ‘technology-neutral’.”
  • The FS covers the following areas (key points for each topic are summarised below):
  •  Operational risk, including outsourcing and network security;
  • Digital currency, including derivatives and Initial Coin Offerings (ICOs);
  •   Digital asset trading and smart contracts;
  • Regulatory reporting;
  •    Financial crime; and
  • The General Data Protection Regulation (GDPR).
  • The FCA says that the DP was positively received, with particular support expressed for the FCA’s ‘technology-neutral’ position.
  • Feedback received to the DP also supported the view that the FCA’s current rules are sufficiently flexible to accommodate various technology, including DLT. Rules were said to present ‘no substantial barriers’ to adopting DLT. Although, some respondents doubted the compatibility of permissionless networks with the regulatory regime.
  • Some 47 responses were received to the DP, ranging from regulated firms, trade associations, technology providers, law firms and consultancies.
  • As next steps, the FCA will continue to monitor DLT-related market developments and engage both internationally and nationally to help shape the regulatory response.

Operational Risk

  • Use of DLT may affect firms’ exposure to operational risk via changes to/potentially reduced control over people, processes and systems.
  • Permissioned and permissionless DLT does, however, have the potential to enhance operational soundness.
  • Specific operational risks will be dependent on the actual application of DLT.
  • Use of DLT might affect how individual responsibility and accountability is allocated; firms are reminded of the requirements under the SMCR.


  • FCA says that use of permissionless and public networks is not inherently incompatible with the regulatory regime.
  • Firms will need to assess each case to see whether using a DLT network amounts to ‘outsourcing’ in the context of FCA’s regulatory requirements. FCA states that it does not consider that using a permissionless network always necessarily amounts to outsourcing in that context

Network Security

  • Whatever technology is deployed, the FCA expects firms to actively manage their operational risks.
  • Where technology is core to the delivery of a regulated service, FCA expects firms to give their full attention to operational risk management.

Digital Currencies

  • FCA recognises a positive competitive potential in the context of value transmission.
  • With sound risk management, digital currencies may enhance the delivery of financial services, but volatility risk posed by the magnitude and mercurial nature of price fluctuations is one of the risks firms must adequately address.

ICOs and Derivatives

  • FCA says that it is unlikely for most ICOs that investors will have access to UK regulatory protections such as the FSCS or the FOS.
  • FCA comments on the high potential for ICO-related fraudulent activities and the inadequate documentation in so-called white papers that projects (often only in very early stages of development).
  • Whether an ICO falls within the regulatory perimeter needs to be considered on a case-by-case basis.
  • As the ICO market is evolving at a great speed, the FCA will continue to monitor it and engage with the industry, regulators nationally and internationally, and global standard setters to determine whether there is a need for regulatory action. The regulator points to:
  • Its recent consumer alert; and
  • The information it set out on designing an ICO-related business proposition to satisfy the ‘consumer benefit’ criterion for access to the FCA’s Innovation Hub.
  • An Annex to the FS provides detailed regulatory analysis of ICOs.

Digital asset trading and smart contracts

  • DLT could bring several benefits to securities markets, e.g., more efficient post-trade processes and enhanced reporting and data management capabilities. It has the potential to form the core of a central securities depository.
  • It might also help to improve straight-through processing, offer real-time settlement and the elimination of settlement risk, and lead to disintermediation such as the possible removal of the roles played by custodians and settlement agents.
  • A number of challenges need to be addressed before substantial benefits can materialise:

o   It is unclear whether DLT might be adopted broadly across securities markets or remain limited to niche uses.

  • Central banks deciding in future to issue or support a digital currency might spur market participants to invest more resources in DLT.
  • Since it is unlikely that DLT will replace existing market infrastructure for some time, a combination of multiple DLT systems and legacy systems would need to operate with one another.
  • Legal issues such as the legal status of digital assets and the enforceability of smart contracts, would have to be clarified.
  • DLT-based real-time settlement could eliminate the need for equity clearing, but market users might have a limited appetite for such a development because of the potential loss of opportunities for netting and the absence of the anonymity.
  • The continued existence of materialised securities may pose challenges to the adoption of DLT.
  • At this juncture, the FCA does not intend to propose DLT-driven rule changes in the context of asset management or securities markets. It will continue to monitor market developments.

Regulatory Reporting

  • The FCA agrees with the potential benefits of adopting DLT as a RegTech solution and also acknowledge the associated risks.
  • DLT is not the only technology that could improve regulatory reporting. So the FCA continues to explore other possibilities, such as model-driven machine-executable regulatory reporting.
  • Encouraged by the strong level of interest in RegTech by industry stakeholders, FCA will continue to prioritise our RegTech initiatives as part of FCA Innovate.

Financial Crime

  • DLT has the potential to provide a more robust, tamper-proof record of transactions and, as a result, improve data quality while reducing the likelihood of fraud.  Using DLT does not automatically introduce or increase fundamental financial crime risks.
  • The FCA has however observed the denial of banking services to a number of firms, particularly those who leveraged DLT to facilitate their services. Deploying DLT should not result in a wholesale denial of access to traditional banking services.
  • FCA is keen to explore how DLT can support firms and regulators in fighting financial crime.
  • FCA notes that in some instances, the current regime may need to evolve as more sophisticated tools become available. One of the challenges is the current reliance provisions in the Money Laundering Regulations (MLRs).  However, this is a longer-term reform which would require renegotiation of international standards, e.g., FATF recommendations.


  • The FCA underscores that the Information Commissioner’s Office regulates and enforces GDPR, and encourages firms to follow the Office’s available guidance.  It says it will continue to work with the Office as further use cases emerge.
  • The FCA has not identified any substantial incompatibilities between the Handbook and the GDPR’s requirements, and does not see a material need for further FCA guidance on this issue.


Cat Dankos
Cat Dankos
Consultant, London
+44 20 7466 7494

EU General Data Protection Regulation: Practical Steps for Employers

The General Data Protection Regulation ("GDPR") aims to harmonise data protection procedures and enforcement across the European Union. It will apply to all EEA countries and the companies that conduct business in them from 25 May 2018. New standards for consent, enhanced information rights and greater sanctions for data processors and controllers indicate a potentially significant impact for employers; companies should take steps now to prepare for the changes. But what steps should they take in light of the referendum result and the potential UK exit from the European Union?

This briefing from our Employment team focuses on the implications of the GDPR in the employment sphere and the practical steps that employers should take in relation to data protection in relation to recruitment, during employment and on termination of employment.