Wednesday, February 8, 2023

FIFTY PLAYERS, FIFTY CABS


Navigating the Jungle of Money Transmission Licensing in the United States


In the bad old days prior to the Boston Red Sox winning their first World’s Championship in 86 years (I refuse to employ a certain oft-used phrase to describe this period of drought), one of the criticisms most often levelled at the team was that they would go about their business on the field and then exit the ballpark via “twenty-five players in twenty-five cabs”.  The charge, largely unfair, was meant to reflect the sense that the lack of post-game togetherness was indicative of why the team was never able to reach a common destination (i.e. "a championship ring") at the end of the long season. 

Much the same criticism can be levelled at the current setup for licensing money transmission businesses in the United States – except you need to double the number of players from twenty-five to fifty in order to cover each of the individual states.  They all purport to want to get to the same destination (the orderly regulation of the money transmittal business) but they all employ separate means of getting there.  There are efforts underway to correct this (and we’ll explore some of them) – but as of right now there is still a vast amount of repetition and confusion about how each jurisdiction licenses, documents, regulates and sanctions the players in this industry – and the resulting chaos is not good for American business.

It's not good for the foreign subsidiaries of American businesses either – which is why the CEO of a foreign subsidiary of a U.S. based payments business (myself) is writing this article.  I’ve been in the payments industry for decades now – and one of the greatest burdens that I have watched my U.S. colleagues bear is the regulatory management obligations associated with multi-state licensing.  I am an American – but I’ve represented U.S. businesses in Europe as General Counsel for many years – so I’ve seen the impact of the multi-state conundrum from both an internal and external perspective. Internally, it eats up people, money and time as the duty of maintaining a presence in the various states calls on the resources of departments that could be tasked with far more productive work.  Externally, to those of us who would like to offer products globally, it means that whenever we present a new initiative to our U.S. based parents – one of the elements that we have to factor into any proposal is whether this will be cost effective in the States given the many hoops that will have to be jumped through in order to get to market.  In a Europe where cross-jurisdictional passporting is the norm – it’s often hard to get people to understand how a country that was formed 200 years before the EU really got up and running can still be so fragmented when it comes to reciprocity amongst its component parts.  It is as if the U.S. motto – “E Pluribus Unum” or “out of many – one”, becomes “E Unum Pluribus” – “out of one – many” when it comes to issues like “what do you have to do to get a money transmission license”.

Of course, this is not the only area where the lack of uniformity has caused problems with the American legal system.  Since the end of the 19th century, when interstate and international commerce became more prevalent (and more immediate), there has been a highly organized effort to address this concern.  For instance, the “National Conference of Commissioners on Uniform State Laws”, originally formed in 1892, has pushed continually for the adoption of uniform codes in areas ranging from commercial contracting to the administration of probate.  Its most successful and well-known undertaking has been the promotion of the Uniform Commercial Code (UCC), a standard set of laws adopted by most states that regulates business arrangements concerning the transfer of goods, perfection of security interests, leasing and other matters.  Other attempts to get the various states to fall into line with each other have not been as successful – but the effort has nonetheless continued.

There are many reasons why states refuse to coordinate their statute books. The loss of perceived “sovereignty” is one of them – but there is also the very real fear that in a mostly uniform world slight deviations can lead to forum shopping detrimental to those who don’t keep up – so rather than take the chance on following the herd the legislatures prefer to keep their options open when it comes to matters within their jurisdiction.  There is also the very real problem of a deep-rooted establishment that tends to be very skillful at protecting its self-interests.  A uniform Probate Code, for instance, might endanger the very well entrenched, if not particularly efficient, bureaucracy that provides thousands of jobs across the fifty states.

Which leads us to the story of the “fifty cabs for fifty players” approach to money transmittal licenses.  Despite a number of very sensible proposals to standardize the licensing and regulation of money transmittal services there is still a wildly disparate approach to this topic amongst the various states. These efforts include proposals like the “Uniform Money Services Act” put forward by the Uniform Law Commission; the “Uniform Money Transmission Modernization Act” proposed by the Conference of State Bank Supervisors; and, in particular, the “Multistate Money Services Businesses Licensing Agreement” (a program promoting increased reciprocity amongst states recommended by the Nationwide Multistate Licensing System).  All of these have strong arguments in favor of their approaches.  The problem has been getting states to act on the proposals.  They are not “sexy”, high profile pieces of legislation – and they scare the people in charge of the existing protocols into thinking the adoption of uniform standards might threaten their jobs. These same people are not the holders of government positions because they lack influence amongst state legislators – so the task of getting these measures to the legislative forefront can be daunting.

Still – the fight is worth it – and thinking lawmakers should take up the cause.  I speak as someone who is put in the often unenviable position of defending the American legal system to a skeptical foreign audience. “The U.S. is too litigious” I am told.  “The awards that get handed out are ridiculous” I am informed. “The system where you can win the case and still be saddled with huge attorney’s fees is unfair” exclaim the proponents of the “loser pays” model used in places like the UK and Ireland.  There are legitimate points in all of these – but they ignore the larger picture.  The United States, while operating a legal system with flaws, also manages to end up with something at the end of its process that is perhaps even more important – impact.

That “flawed” system – it has resulted in seatbelts being present in your cars, asbestos being absent from your homes, flame-proof clothing being on your children’s backs, lists of ingredients appearing on your food – and many other things that arise simply because large corporates and other decision makers would rather fix things than worry about subjecting themselves to that “unfair” court system.  So - I defend that aspect of the American system. Flawed though it may be - it drives reform. “Impact”, the ability to facilitate change and promote innovation, matters.

But consider this - when the American legal system fails to implement competitive, uniform laws such as those proposed in the money transmittal/financial services realm – it loses that impact.  Right now it is easier to form these sorts of businesses in the Far East, Europe – even in the ANZ/Pacific Rim – than it is in America.  Sure, some will do it simply because of the economic clout wielded in the U.S. – but much of the really innovative, forward-thinking development is happening elsewhere – and a major cause of this is the clunky, antiquated, not-fit-for-purpose morass that is the interstate jungle of often duplicative, and sometimes downright conflicting, laws and regulations.

This hurts American businesses and – speaking from direct experience – subsidiaries of American businesses.  So – let’s see if we can get some brave legislators to break away from the past and spearhead an effort to slay this particular dragon. There may be some short-term stress involved with confronting an entrenched bureaucracy – but there are definite long-term benefits (and credit) to be had for doing so. 

Friday, May 14, 2021

BLACKMAIL AND WHITE LIES


A couple of years ago I gave a talk before a group of forensic examiners that dealt with the topic of data protection and cyber security.  The speech proceeded along the typical lines, dealing with some interesting topics - still I’m certain more than a few people were eager to hit the road as the afternoon wound down.  Then, as we proceeded into the question and answer period, things started to heat up.  For people following the news in recent weeks there will be little surprise concerning the topic that got things going.  The discussion in the room had turned to ransomware.

Everyone had a view on what was then an emerging threat – but I think I shook up more than a few people when I said that this was the one instance where I think it should be legal for companies to “lie”.

Now, for a group of professionals whose job largely revolves around uncovering and exposing truth this was quite a bombshell – but once I explained my motivations and what I meant I believe a good few people had come over to my view.  By “lie” I wasn’t advocating that companies (or governments) be allowed to use a false threat of cyber attack to their advantage, or to mislead people as to the financial status of their business.  What I did think needed to be addressed – and I continue to feel this way – was the distressing impact that publicising ransomware attacks could have on the frequency of the next ransomware attack.

Put yourself in the shoes of a board of directors or CEO.  Your company, which for the purposes of this thought experiment is publicly listed, is attacked by a malware virus and the perpetrators demand payment before freeing the company’s systems.  You therefore have a few choices – (1) you pay and hope that the pirates keep their word; (2) you go to the authorities and place the company and its shareholders at risk for huge losses; (3) you do nothing and hope that you can find an internal solution to defeat the blocks.  All of these choices are going to be complicated by other factors – if you’re in a critical industry (as with a recent energy company) you have public welfare to worry about.  Perhaps you are in the middle of acquisition negotiations and even the publicity of a cyber attack could cripple those talks.  Maybe you do a cost-benefit analysis and realize that the risk of loss from paying is de minimis compared with the threat of holding out - so you pay – regardless of whether there were other viable options.

Whatever you do the risks involved are potentially great.  This article is not an essay on how to analyse that risk – but I do wish to discuss why publicising it is potentially an even greater threat. 

It needs to be understood that during a ransomware attack there are two parties doing cost/benefit analyses.  One is the victim – but the perpetrator is likewise carrying out the same exercise. Ransomware attacks increase in frequency in direct correlation to the perceived reward available.  If it becomes common practice to disclose the frequency, targets, origin, methods, outcome and gain associated with ransomware attacks – it only increases the associated value of said attacks.  Currently many companies feel it incumbent to disclose the fact that they have been attacked – and in some cases rules with regard to financial disclosure can be interpreted to require such revelations. It might be time to rethink our approach to that.

That need to reassess our approach is what I was advocating during my talk to those examiners.  Current rules in respect of data breach and cyber attack have been largely geared towards ensuring that companies disclose publicly when those instances take place.  It is entirely understandable why those laws – ranging from SEC guidance to the broad scope of GDPR – were put on the books. Letting individuals know when their data may have been compromised is extremely important.  But the time has come when the proliferation of ransomware attacks has made it necessary to take a deep breath, step back, and assess whether or not we are “feeding the beast” when we make disclosure of a ransomware attack a requirement.  Surely – it is not too much to realise that there are instances when companies should be given the opportunity to assess (with the help of regulatory oversight) whether a disclosure is in the best interest of the public welfare and what form that disclosure should take.

So yes, I do believe there are times when, if asked whether their company has ever made payments in respect of data breaches or cyber-attacks – a company should be able to have a way to avoid confirming that fact to a public forum.  "Shield" laws and regulations should be established. Reporting requirements concerning the existence of, or financial steps taken to deal with, cyber-attacks should likewise be tempered in certain circumstances.  To fail to take these steps will only encourage the next attack.  I also believe there are times when the relevant authorities should be able to green-light the making of payments which might otherwise be prohibited.  Finally – as with other types of reporting I believe the press should establish a set of self-imposed regulations and standards when dealing with cyber-attacks.

I do not believe that all this should take place in a vacuum.  There needs to be greater clarity concerning the regulations that will apply to disclosure concerning cyber-attacks.  There certainly needs to be more international coordination in respect of that approach.  There should also be specialist agencies (or inter-departmental specialists) that are tasked with the resources to assist companies faced with such attacks.  Finally – we have reached the point where penalties for making or abetting cyber-attacks need to be strengthened – both in the case of rogue actors and state-sponsored perpetrators.

This morning I awoke ready to go to the local vaccination centre to receive my first inoculation.  The first bit of news I was hit with was that the Irish Health Services Executive had been the victim of a ransomware attack by cyber criminals.  There was uncertainty as to whether any of the scheduled vaccinations could proceed.  Happily – I was able to go – but the news was filled with reports of other services – cancer screenings, pre-operative assessments, organ-transplant reviews – that were cancelled.  If we have learned anything in the past year and a half it is how interference with the orderly provision of health care inevitably leads to increased mortality.  People are dying by their thousands in India right now not because we are worse at dealing with Covid than we were a year ago (in fact – we are much better) – but because the medical infrastructure there has been compromised. 

So people die.

Let me state an unpleasant hidden fact – but something that nonetheless remains a fact.  The interference with the Irish medical infrastructure by cyber-criminals means that people will die.  The heartless attack by those criminals killed someone today – we just don’t know their name yet. Someone who missed a test, had to re-schedule an appointment, was passed over for a screening – will pay for the delays caused by greedy hackers.  We cannot afford to make such a crime easy, we cannot afford to make such a crime attractive, we cannot afford to make such a crime, for lack of a better term, “affordable”.  We must band together to end the perception on the part of cyber criminals that the risk of undertaking a ransomware attack is "worth it".

Wednesday, March 3, 2021

A KEY TO THE MINEFIELD

A few weeks back I posted an article on this space outlining how “equivalence” was likely to become one of the “words of the year” for 2021.  The growing pains associated with defining the parameters of Brexit would make finding such equivalent standards a vital issue.  Matters remained fairly quiet on this front for approximately the first six weeks of the year.  Then, on the 19th of February the European Commission issued two draft decisions which go a long way towards bringing “equivalence” to the fore once again. These decisions set out the terms under which the EU will continue to allow personal data into the UK on the basis that it has established a system with an “adequate standard” of data privacy.  Essentially, before issuing such an “adequacy” finding the EU seeks to establish that the data protection laws in a given country are equivalent to those in the EU.  Thus far the EU has found such adequate protections in only a small number of jurisdictions (e.g. Canada, Switzerland, Japan and a few others).  Post-Brexit, the question of whether the UK has adequate data protection laws needed to be considered, and it was this exercise that led to the Commission issuing the drafts on the 19th of February.  The two opinions address the question of whether the UK has laws that are up to the levels of the two most relevant EU laws, the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

In both cases the Commission’s draft decisions recommend recognising the UK as having adequate provisions in place to allow the continued flow of personal data.  The findings, which will now have to be reviewed by the European Data Protection Board (EDPB), are not surprising given that the framework legislation for the UK’s current approach to data protection is the GDPR and LED.  It would be exceedingly surprising if the EDPB does not agree with the draft assessment when it undertakes its review. The Commission will then forward the draft to a representative body of member states, who will vote on whether to accept its terms. Once again – approval would be expected.

There are, however, a few key items that could derail the orderly progress of the draft adequacy decisions.  Again, as will be the case for many areas of comparison between the EU and UK, the word of the year will be “equivalence” – whether it is present, where it may be absent – and how it is defined. Here’s a closer look at some of those key areas:

Recognition of 3rd Party Countries:  In many ways this is the most important of the measures to be taken when it comes to assessing equivalence.  The existence of the GDPR and LED as base legislation in the UK probably makes the treatment of personal data that goes into the UK from the EU and then stays there of lesser concern.  After all, the laws within the UK about what might be done with that data are currently nearly identical to the EU.  The greater worry, under the Schrems II decision and similar lines of thought would be that the UK becomes a mere “way station” for transfer on to other, non-equivalent countries.  This could be accomplished if the UK were to recognise countries as “adequate” or equivalent in terms of their approach to data, while the EU continues to hold those same jurisdictions as inadequate.  The most prominent country where these potential conflicts might arise is, of course, the United States.  The EU has never seen the U.S. as having adequate data protections in place and has tied itself in knots, through “safe harbour” mechanisms and various attempts at replacing the same, to find ways to address this concern. Theoretically the UK could do away with this difficulty with a stroke of the pen by simply finding the U.S. to have an adequate approach to data protection.  This would be a nightmare scenario for the EU, both from a standpoint of pure data protection and with regard to competitiveness.  The draft decision seeks to somewhat address this possibility but it does not eliminate it, and it is likely that there will be some further discussion around this scenario and how it can be dealt with in the near future.

Treatment of Corporates and Industry Sectors: Countries are, naturally, the first type of entity one thinks of when it comes to dealing with broad brush “data protection” measures – but they are by no means the only sorts of collectives to be considered.  One must also take into account how the laws in a given jurisdiction are applied against entities like multi-national corporates and sometimes very ill-defined sectors like “big-data”, “social media”, “medical-pharma” and the like. The current draft decision does not specifically call out these areas, presumably because it assumes that the UK will continue to approach these questions in a manner consistent with existing EU law.  That may be the case – but in the event the manner in which a given sector is treated does become inconsistent between the two jurisdictions – (for instance if the EU were to become more prescriptive than the UK in terms of what level of control might be required when it comes to Twitter accounts) – then this too could become an area where “equivalence” breaks down.

Treatment of Law Enforcement Requests:  This is obviously an area of major concern for certain groups but, in a commercial sense, its relevance is largely contingent upon whether a dispute over policing or intelligence could upset the entire data arrangement in place between the EU and UK.  Unlike the instances where differing standards of recognition or favouritism for industry sectors could lead to competitive imbalance – if the UK were ever to share information with law enforcement groups in a manner that is not equivalent to that of the EU that would not directly impact commercial arrangements.  However, if the standards for sharing data with law enforcement were to become a matter of contention the knock-on effect may result in the adequacy decision being overturned.  The impact of that sort of finding would be substantial.  Moreover – it is exactly this sort of sharing of information (as reflected in the various Schrems cases) that gives rise to the most impactful litigation, making this an area that bears careful monitoring.

Recognition of Judicial and Administrative Findings: One of the primary concerns expressed by the Brexit movement was the “loss of sovereignty” that was alleged to result from deference to “Brussels”.  Along with this fear was the Brexiteers’ express worry that, somehow, remaining in the EU would weaken the position of British litigants in international disputes. This was accompanied by the somewhat illogical stance that ending the UK's direct participation as a member of those courts would strengthen that same position.  Brexiteers did not see this as contradictory and claimed that having the ability to be “different” would increase UK competitiveness.  The entire concept of “equivalence” is designed to put that theory to the test by demanding some degree of joint recognition of authority between the two jurisdictions.  The draft adequacy finding discusses in some detail the ability of the UK Information Commissioner’s Office (ICO) to effectively handle claims for redress from EU based data subjects and assesses the oversight powers that sit within the remit of that office.  These are found to be adequate.  What is not dealt with quite as extensively, but which might eventually have to be reckoned with, is the degree to which the UK Courts and regulatory boards will need to defer to or adopt EU positions that arise from judicial or administrative decisions.  For instance – if the ECJ were to interpret the definition of “personal” data in such a way that such classifications would be narrowed – would UK courts, following the principle of maintaining adequacy, defer to that finding or insist that a unique “UK” definition be maintained?  Those who advocated for Brexit would, under this scenario, be faced with having established a system that is certainly more independent – but would quite clearly be less “competitive”. 

Of course, the opposite situation, where the ECJ broadens the definition of “personal” data – thereby leaving the UK courts to contemplate whether to follow that precedent – could arise as well. No matter the scenario, if there is not to be some degree of shared jurisprudence in areas that require the maintenance of equivalent systems then there will be a constant threat that we are only ever one decision away from losing that equivalence. This is essentially what happened in the case of Schrems.  The EU and U.S. thought they had carefully constructed a “safe harbour” system that addressed a major concern.  Then the Schrems decision came down – and it was back to the drawing board.  The EU relationship with the UK is now vulnerable to the same sort of Jenga rules – one block out of place – the whole structure topples.

So, the decision of the EC to issue a positive draft finding on adequacy is certainly a step in the right direction when it comes to establishing a system of equivalence between the EU and UK.  Having such a decision on the books is like a key to opening the first gate into a shared future.  That said, given the care with which the parties will have to negotiate that future one hopes that we haven’t simply been presented with a key to a minefield.

Tuesday, January 19, 2021

THE WORD OF THE YEAR

There are awards for everything these days, especially during the transition from one year to the next. Merriam-Webster, the publisher of dictionaries and other language-oriented books, annually selects a “word of the year”, and for 2020, (in what might be the least surprising choice ever) “pandemic” topped their charts.  Meanwhile, the people over at the Oxford English Dictionary, while acknowledging that the use of the term “pandemic” had increased “57,000%”, felt that 2020 was an “unprecedented” year and broke tradition to name an entire slate of “words of the year”.  These included “bushfires, Covid-19, WFH, lockdown, circuit-breaker, support bubbles, keyworkers, furlough, Black Lives Matter and moonshot”.  That’s quite a mouthful of words, but, then again, it was quite a year.

One of the words Oxford noted as being substantially down in usage throughout 2020 was “Brexit”, which comes as somewhat of a surprise.  Of course, the reduced rate of usage is relative as one can imagine that during 2019 there may have been times when a sentence in your typical BBC report consisted of “Brexit [verb], [adjective] Brexit, Brexiteer, Brexit [verb] [expletive] Brexit”.

Now that Brexit is fully upon us one might expect to see similar peaks and troughs in usage of the “B” word as the finer details of its workings are developed.  Perhaps of even more importance will be some of the Brexit associated words that will come to the fore as everyone starts to incorporate the reality of a separate and distinct UK and EU into their respective commercial lives.  As the contest begins to choose which Brexit related term might become the 2021 “word of the year” an early favourite has emerged. 

That would be “EQUIVALENCE”.

You see, up to now much of what has driven the Brexit movement has been the urge to emphasise the differences between Britain and the rest of the EU.  You have heard about contrasts in language, culture, sovereignty concerns, unique relationships with Commonwealth partners and the United States, an unwillingness to defer to “Brussels” in multiple areas – all of which may or may not be legitimate but which, now that Brexit is a reality – become of less urgency.

What will remain (and increase) in importance will be the areas where the UK will attempt to show that they remain much the same as their former EU partners.  Areas where the standards under which the UK operates are substantially similar to and compatible with those of the EU and therefore should be viewed as (that word again) “equivalent”.

The various governments’ ongoing assessment of where the EU and UK retain (or build) equivalent standards will take up a significant amount of time and will evidence itself in a variety of forms.  It is well worth exploring in some detail what those will look like. The idea of “equivalence” in a legal or regulatory sense will arise in a variety of circumstances – but the concept will essentially be the same for each – it will be an attempt to answer some form of this question:

Can one view the laws, regulations, guidelines and principles under which the two jurisdictions operate as sufficiently compatible for each to acknowledge and accept the sufficiency of those standards?

So where will we find situations where this question arises – and how do we establish the answers when it does?  One place that will certainly give rise to queries concerning equivalence will be the field of financial services regulation.  Here are a couple of helpful examples of where regulators will be faced with determining “equivalence” in the very near future. 

First, let’s consider the topic of “outsourcing” – a key focus of European regulatory reform within just the past couple of years, and one which gives rise to many instances of cross border interaction.  If an EU based subsidiary of a UK parent company wishes to make use of the parent as a provider of outsourced services (such as for internal audit) – or if they wish to use a UK based company for other such remote services (e.g. cloud based storage), then the status of that relationship will likely have changed as the result of Brexit. There would have been, under a pre-Brexit EU based regime, minimal legal differentiation between an entity based in, say, Ireland and that same entity’s registered branch in the UK (and vice-versa).  Post-Brexit, with branches not being recognised by the EU as a viable means of establishment for UK based entities, and with only a temporary permissions regime in place in the UK itself, a split in recognised authority has taken place.  As many will be aware, a number of changes were made to many group structures to address this circumstance, particularly where a UK based parent had previously operated cross-border branches.  In those instances, parent structures were often re-located to a jurisdiction that retained EU membership (and thus passporting rights). The remaining UK entity now will offer its regulated services only to U.K. based customers. But what if that U.K. entity still offers certain “outsourced” services to the other group companies?  What if they still provide things like the group’s sanctions screening process, vendor management programme or IT security upgrades?  What if they receive those services from other group companies or 3rd parties? When formulating their restructures did groups factor in the need to answer these questions (for both internal and external outsourcing)? What standards will apply, what will the contracts have to look like – where are the rules to be found?

For questions surrounding outsourcing the answer used to be relatively simple – you would look to the “EBA Guidelines on Outsourcing Arrangements” as a primary source.  The “EBA” is, of course, the European Banking Authority – a distinctly EU based organisation.  Post-Brexit that means that the answer (at least with respect to services touching in some way upon UK based entities) is not quite so straightforward.  Given that many groups had undertaken a restructure to address Brexit – had they also fully considered whether their outsourcing profile had changed?  Even if they had – was the EBA still the authority to look to when undertaking that analysis?  Did those standards maintain the necessary (here it comes) “equivalence”?

The simple fact is that in undertaking their restructures many companies continued to avail of services offered from their UK entity to the former branches, (or vice versa) without having fully considered the outsourcing implications.  Whereas it may have been possible, under prior legal structures, to posit that those services were not “outsourced” (due to the fact that they derived from the same legal entity), that likely will not be the case any longer.  A contract for outsourced services will certainly be required where a former EU branch is receiving those services from a now separate UK entity. I would posit that this may even be the case where an EU parent is receiving a service from a UK branch that is operating cross-border pursuant to the Temporary Permissions Regime (“TPR”).  The TPR is a mechanism by which the UK regulator becomes comfortable with the continued presence of an EU registered firm within the UK.  It does not necessarily have any impact on how an EU regulator would view the status of that (now non-EU based) branch.  The safe route would be to contract those services in a manner that complies with the EBA Guidelines, because, for now (and here comes that word again) those standards would still be seen as equivalent in the two jurisdictions. Indeed, indications are that UK regulators are quite keen to retain the equivalent standards for at least the mid-term.

This is evidenced by the fact that UK regulators (e.g. Bank of England, FCA and PRA) are currently stating that UK based entities should make every effort to adhere to guidelines like those espoused by the EBA on outsourcing "to the extent that they remain relevant when the UK leaves the EU”.  Such relevance will be retained for guidance that existed pre-Brexit (in this case January of 2021), but what if there are amendments or additions to that guidance post-Brexit? The FCA has noted that in such instances it will “clarify” whether the rules will continue to apply on an “equivalent” basis.  One would expect a significant bias in favour of retaining equivalence where possible, and that is likely to remain the case in most instances.  However, in certain other areas (cloud outsourcing comes immediately to mind) the UK may decline to recognise the EU standard, thereby creating an area of divergence.  Firms should build the monitoring of such “equivalence gaps” into their regulatory change management structures.

The question has arisen as to whether a regulator based, for example, in the EU would be much interested in what the contract of an entity they regulate says when that entity is the provider of outsourced services.  Although the motivation for review will be different it is relatively easy to envision why there may be such dual interest. Consider the case where EU based parent Company “A” derives a significant portion of its revenue from UK based subsidiary group Company "B". It would not be unusual for the UK subsidiary "B" to receive outsourced services from Parent "A" or another external provider and certain of those services may be "critical" when it comes to allowing "B" to function. While it may be the UK regulator who examines "B" as the recipient of those services, an EU based regulator would also have a prudential concern based upon the potential disruption of that channel or service.  After all - if "B" gets shut down due to inadequate outsourcing protections - there goes a huge chunk of "A's" revenue. Thus, it would not be surprising, under many existing group structures, to see both recipient and provider regulators evidencing an interest in reviewing outsourcing arrangements and retaining equivalent standards when doing so.

Where else might the concept of “equivalence” raise its head?  One intriguing example is the field of payment services, as re-defined under the Payment Services Directives.  This EU legislation created a new type of entity (the “Payment Institution”) which was allowed to offer “payment services”, as defined in those laws.  Fully licensed banks (“Credit Institutions”) are similarly authorised to offer these services as well as the additional banking services that go along with that more expansive licence.

Here is where things get interesting from an equivalence standpoint.  While a member of the EU, the UK (almost alone among the member states) allowed certain banks licensed in non-EU jurisdictions to open “3rd country branches” in the UK.  So, under this approach, a large U.S. based bank could apply for the right to open a “branch” in the UK without meeting the prudential requirements associated with full “credit institution” status.  That “3rd country branch” could operate in the UK but would not be eligible to passport any of its services to the rest of the EU.  It would probably be more than a mild understatement to say that this practice was looked on with skepticism from the rest of the EU.

The UK argued that it was within its rights to do this because it was able to establish, to its own satisfaction, that the home state regulatory regime of each institution so authorised was largely (you guessed it) “equivalent” to the regime that would apply in the UK.  A bank regulated in the United States was thus able to apply for and receive branch status on the basis of that concept.

Presumably, if a U.S. based institution can avail of such 3rd country branch status, a credit institution regulated in the EU, which has a regime structurally in line with all the UK could expect (since they belonged to that same regime until just one month ago), should be able to do the same. This appears to be the position the PRA is taking in the UK and, particularly for “wholesale banking”, the “3rd country branch” approach will remain viable.

But what of “payment institutions” (and the related class of “e-money institutions”)?  Will the UK grant these smaller, less capital intensive, limited entities the same ability to establish a branch that currently exists for their larger, more complex cousins?  Logic would, seemingly, dictate that this be the case.  What merit is there in requiring separate legal entities (and attendant board structures, capital outlays, risk frameworks and duplicative reviews) for a type of business that was created out of thin air less than two decades ago by an EU based directive? 

Logic, alas, is not always the primary driver of regulatory oversight.  As of right now there does not appear to be significant movement afoot to establish 3rd country branch status for payment or e-money institutions.  As the temporary permissions regime proceeds towards its conclusion it would seem likely – under that pervasive desire to achieve “equivalence” when possible – that such a movement will arise.  The ironic thing is that whereas the non-UK EU members despised the existence of the “3rd country branch” pre-Brexit – it may become a favoured tool for maintaining ties between the two jurisdictions in this post-Brexit environment.

So, in conclusion, those who work in the field of regulatory change management would be well served to search out and understand the concepts surrounding “equivalence” over the next few years as the EU and UK engage in the dance surrounding their future relationship.  As standards evolve and relationships mature the equivalence concept will keep coming up, in areas as diverse as data protection and units of measure. Knowing when it has been achieved, and when it may no longer be present, will be a key to many future decisions.