The Law and Brexit

Thomas J. Reid is Managing Partner of Davis Polk & Wardwell LLP. This post is based on a Davis Polk memorandum. Additional posts on the legal and financial impact of Brexit are available here.

Third Country Passport Under MiFIR—
Panacea for Post Passport Pain?

A financial institution established in the UK can provide banking, fund management, payment and investment services throughout the rest of the EU using “passports” available under various EU directives. Since the outcome of the Brexit referendum was announced, the continuing availability of these financial services passports has emerged as the primary concern of larger financial institutions.

What is the passport and how might we lose it?

Financial institutions established in EU member states can obtain a “passport” that allows access to the markets of other EU member states without being required to set up a subsidiary or branch and obtain a separate license to operate as a financial institution in that member state.

At the moment, many international banking groups maintain authorized subsidiaries in London that enable them to provide banking and broker-dealer services across the EU through a passport. Although certain of these groups have also set up subsidiaries elsewhere in the EU, many are still heavily dependent on the ability of the UK subsidiary to provide services across the EU. Many banks headquartered on the Continent also carry out substantial business in London using a “branch” passport (which allows the branch to avoid the need for separate authorization by the UK regulator).

Unless the UK successfully negotiates a solution during the Brexit negotiations (such as retaining membership of the European Economic Area (the “EEA”)), UK financial services institutions, including subsidiaries of US and other non-EU parent companies, will no longer benefit from the financial services passport after Brexit. In this scenario, the UK would be a “third country” in EU regulatory parlance, meaning that it would face a different set of rules, requirements and obstacles in accessing the EU market.

The process of obtaining separate authorization in a remaining EU member state, or amending or upgrading an existing license in such a member state, is likely to be time-consuming and costly. Costs could include moving people and infrastructure to the new site and legal and compliance expenses in setting up or expanding a subsidiary, as well as an increase in the amount of capital needed to support the group’s operations within the EU.

In the wake of the referendum, attention has turned to the third country access provisions of the Markets in Financial Instruments Regulation (“MiFIR”) as a potential solution. Together with the recast Markets in Financial Instruments Directive (“MiFID II”), MiFIR is part of an EU legislative package designed to replace the existing Markets in Financial Instruments Directive (“MiFID I”). As an EU regulation, MiFIR will apply from January 3, 2018 across the EU without the need for transposition into national law. [1] The third country access provisions under MiFIR provide a mechanism for UK financial services institutions to provide services to clients throughout the EU.

How would a firm obtain a third country passport under MiFIR?

The third country passport will be available where a third country firm deals with “per se professional clients” and “eligible counterparties” (essentially, banks, investment firms, insurers, asset managers and other institutional investors, including large corporations). When a third country firm deals with such a client, EU member states may not require that firm to establish a branch or subsidiary in their jurisdiction, as long as such a firm is registered with the European Securities and Markets Authority (“ESMA”) in accordance with MiFIR. But, in order for a third country firm to register with ESMA:

  • an “equivalence determination” must be reached in relation to the third country by the European Commission, the political executive of the EU, meaning that the third country’s prudential and conduct framework must have equivalent effect to the requirements under MiFID II; and
  • co-operation arrangements must be in place between the relevant third country regulator and ESMA to allow for the exchange of information, prompt notification to ESMA if the firm infringes any conditions of its authorization and the coordination of supervisory activities, including, where appropriate, onsite inspections.

In addition, the firm must be authorized by the relevant regulator in its home country to supply the investment services which are to be provided in the EU; and it must also be subject to supervision and enforcement by that third country regulator.

Where a third country firm wishes to provide investment services to retail clients in an EU member state, that member state will still be able to require the establishment of a branch or subsidiary.

Member states will also be permitted to allow third country firms to provide investment services to professional clients and eligible counterparties solely upon a client’s explicit request, i.e., on the basis of reverse solicitation. Such an approach is not, however, practicable for larger financial services institutions.

Which activities would the third country passport apply to?

A firm using the third country passport would be able to continue to provide certain regulated services and activities to professional clients and eligible counterparties in the remaining member states of the EU. These MiFID services and activities include many of the services necessary to provide broker-dealer or corporate finance services, including underwriting of financial instruments, reception, execution and transmission of orders and the provision of investment advice.

The MiFIR passport, however, will not extend to critical non-MiFID services such as deposit-taking, commercial lending, trade finance, payment services and management of alternative investment funds (“AIFs”). A separate third country regime for managers of AIFs under the Alternative Investment Fund Managers Directive (“AIFMD”) will not be available until 2018 at the earliest.

Potential pitfalls

For wholesale investment banking businesses, then, the MiFIR third country access provisions appear to offer a route to retaining access to customers in the EU from a UK base. There are several risks to this approach, however, which suggest that larger financial institutions operating from the UK should not solely rely on these provisions in their Brexit contingency plans.

The process of obtaining an equivalence determination from the European Commission may seem straightforward given that the UK is likely to implement MiFID II (and would, therefore, have in place the same rulebook for investment services as the rest of the EU). The UK Financial Conduct Authority (the “FCA”) has made clear that it expects to continue with the implementation process while the UK remains a member of the EU. There are, however, several reasons to be concerned about the certainty and timing of an equivalence decision and the utility of the MiFIR third country passport.

  • AIFMD sets out a similar third country access regime, with the third country passport supposed to replace national private placement regimes in the member states in 2018. To date, however, equivalence decisions have been reached in respect of Guernsey, Jersey and Switzerland only. ESMA is also considering the equivalency of the regimes in the US, Hong Kong and Singapore, but, after 18 months, has not yet been able to finalize its assessment. The AIFMD experience shows that the equivalence assessment process can be a long and painful one.
  • The European Commission may not be willing to run the equivalence decision process in parallel with the withdrawal negotiations. The European Commission could, indeed, delay starting its assessment process until the final regulatory structure in the UK is settled (i.e., after the Brexit negotiations are concluded).
  • The equivalence decisions may well have a political element. Paris, Frankfurt and other cities are already lobbying, discreetly or openly, for financial institutions to move their operations to those cities. Many EU politicians are also openly hostile to the prospect of the UK financial services sector maintaining market access in the wake of Brexit. In this climate, any divergence by the UK from the MiFID II rulebook (e.g., in relation to the detailed provisions on trade transparency or remuneration) could open the way for an equivalence decision to be delayed or even rejected.
  • The relevant provision in MiFIR envisages a substantial time delay for a third country firm to obtain registration from ESMA. Following a 30 working day period for ESMA to confirm that an application is complete after it has been received, ESMA then has a further 180 working days (approximately 9 months) to decide whether registration should be granted. ESMA could refuse to accept applications from UK firms while the UK remains a member of the EU or decline to fast-track the registration applications of a large number of complex UK financial institutions to enable them to continue a business-as-usual approach in the EU after the eventual Brexit date. This could lead to a significant gap between any Brexit date and the registration of a UK firm to allow passporting of its MiFID services into the EU.
  • As noted above, the MiFIR third country passport covers only MiFID investment services; it does not cover all of the activities carried on by a full-service investment bank in London. Deposit-taking, commercial lending, payment services and some fund management activities would not be covered by the MiFIR third country passport. Disentangling MiFID activities from the related banking and payment services activities in a particular institution could be time-consuming and costly (and not even feasible for some products and services), while ensuring that the terms of the passport (i.e., to only use it to provide MiFID investment services) are met could be an ongoing compliance challenge. If a service were inadvertently provided for which a passport was not available, the firm could face the prospect of enforcement action by the relevant member state regulator and/or the removal of its third country passport for MiFID services.

Not a panacea

Banking groups with significant UK subsidiaries have begun their planning for Brexit in the absence of certainty as to the regulatory environment that will apply to them. The value of the third country passport may not be clear for some time and should be considered critically in the planning process.

EEA membership retained Establishment or expansion of a subsidiary in the EU MiFIR passport
Pros No change in passporting—banking, fund management, payment and investment services can be passported

No need to incur operational costs of moving staff and resources from the UK into a EU member state

Passport available to the EU subsidiary for banking, fund management, payment and investment services

EU financial centres may offer incentives for banks to relocate to that city (e.g. tax, visa concessions)

No change in passporting position for the provision of investment services

ESMA registration for the passport could be straightforward if the UK is deemed equivalent prior to Brexit date

Cons Lack of UK influence on future EU financial services legislation

Compliance burden of monitoring the implementation of EU financial services law through the EEA Agreement

Time and administrative costs associated with obtaining or amending license in the EU member state

Operational costs of establishing a subsidiary

Possible capital inefficiencies at group level if a substantial UK operation is retained

Different, possibly increased level of regulatory scrutiny from regulator in the EU member state

The passport does not cover all services provided by international banking groups out of the UK, including payment services

ESMA registration and equivalence determinations could be time-consuming and difficult

Operational and capital inefficiencies could occur if activities of a major investment bank in London have to be split between those covered by the MiFIR passport and other regulated activities

Impact of Brexit on UK Payment Service Providers

London is home to a large number of financial services firms that use technology to transform commercial activities like payments, lending, banking, virtual currencies and insurance. Ahead of the referendum, the fintech industry warned that London’s position as the European capital of fintech might come to an end if the UK were to leave the EU. Here, we consider one of the concerns: Brexit’s implications for UK payment service providers (“PSPs”) and the evolution of the regulatory ecosystem for payment services.

The current regime

The Payment Services Directive (“PSD”) harmonizes the European regulatory regime for payment services and thereby seeks to promote the establishment of safer and more innovative payment services across the EU. The PSD was implemented in the UK primarily by the Payment Services Regulations 2009 (the “PSRs”).

Passporting under PSD

Under the current regime, PSPs that are authorized in the UK have the right to carry on business in another EU state, provided the requirements of the PSRs are met. The PSD passport, therefore, grants UK-authorized PSPs free access to EU markets, including through the use of agents that have been registered with the relevant regulator in each member state. The UK is one of the largest users of the PSD passporting regime, and many fintech firms from outside the EU have set up in the UK to take advantage of the PSD passport.

If the UK does not retain separate membership of the EEA following Brexit or secure an EEA-like solution, UK-authorized PSPs may lose their PSD passport and face difficulties in accessing EU markets. If these PSPs—as well as any other PSPs who are not authorized to provide payment services within the EU—wish to benefit from the passporting regime under PSD, they will likely need to establish a payment institution within the EU and apply for authorization as a payment institution under the laws implementing PSD in the relevant member state. Reports indicate that fintech firms have started to look at alternative member states in which to set up subsidiaries and apply for authorization, including Germany, the Netherlands and Ireland. The process of establishing a subsidiary in another member state and applying for the appropriate authorization could be costly and time-consuming.

Payment Services Directive II

Since PSD was first introduced in 2007, much has changed in the payment services industry. New technologies for the provision of payment services are steadily being introduced, and the regulatory regime has struggled to keep pace. On January 12, 2016, a revised Payment Services Directive (“PSD2”) was published, which member states must transpose into national law by January 13, 2018. Its key objectives include improving the integration and efficiency of the European payments market, leveling the playing field for PSPs (including new entrants), making payments safer and more secure and encouraging competition and lower prices for payments.

Key differences between PSD and PSD2 include:

  • PSD2 extends the scope of the original PSD. PSD2 will apply to payment transactions in all currencies, including where only one of the PSPs is located in the EU—but only to those parts of the payment transaction that are carried out in the EU.
  • PSD2 seeks to encourage new players to enter the payment services market. It does so by requiring banks to share their customers’ data with external parties, which are known as third party payment service providers (“TPPs”) under PSD2. TPPs include account information service providers, which retrieve and aggregate information from payment accounts maintained by other institutions, and payment initiation service providers, which initiate payment transactions at the request of a user with respect to a payment account maintained by another institution.
  • Recognizing that allowing new players to access customers’ bank accounts presents risks, PSD2 also introduces additional security requirements.

Although the text of PSD2 has been agreed, PSD2 also delegates to the European Commission the power to adopt various technical standards, which will, for example, contain more detail on the new security requirements. The relevant authority—the European Banking Authority (the “EBA”)—is yet to produce finalized drafts of these standards.

What does Brexit mean for PSD2?

Since the result of the referendum was announced, it appears that the influence of the UK in negotiations over in-train legislation (i.e., legislation where the framework legislation has been agreed but the detailed technical standards are still under development, such as PSD2) has diminished. In addition, the UK will not have a role in the development of any further EU-wide legislation aimed at regulating the payment services industry. This loss of influence will occur even where the UK retains EEA membership, as such membership would not permit the UK to participate in the EU legislative process for making financial services rules (e.g., at the EBA level). The FCA is known as a relatively forward-thinking and business-friendly regulator in the fintech sector. Its absence from the EU legislative process, as well as that of the UK more generally, will impact the policies that are pursued.

There is also a question of whether or not the UK will implement PSD2 at all. Allowing external parties to access customers’ data held by banks is a controversial provision, and it remains unclear, for example, how security will be managed, and where liability lies when a data leak or similar event occurs. This poses a risk for all parties involved, though some commentators have stated that consumers may be particularly vulnerable. In addition, some have noted that PSD2 may not be in the economic interests of those banks that currently possess the data. As a result, certain industry commentators have suggested that, if the UK negotiates its departure from the EU (without seeking to retain its membership of the EEA), it should not implement PSD2. Instead, they suggest, the UK could maintain the PSRs and amend these incrementally as and when required. At the same time, the key force behind PSD2 is technological rather than political, as it aims to reflect new market developments and promote Europe’s fintech industry. If the UK does not implement PSD2, UK TPPs may find themselves at a disadvantage as compared to their counterparts on the European continent, which may hamper innovation and growth in the UK fintech industry.

“One thing we all need is confidence on PSD2 implementation. The FCA has to step out of the shadows and provide clear guidance on what is going to happen and by when.”

—James Sherwin-Smith, CEO of Growth Street, a fintech firm providing business finance facilities to UK companies

It is clear that, while the UK negotiates its withdrawal from the EU and the effect of EU legislation remains uncertain—particularly as regards legislation which is in-train—banks will be in a stronger negotiating position vis-à-vis the UK government. As a result, implementing PSD2 may become less of a priority. In the absence of any definitive guidance from the FCA, it is unclear whether the UK’s implementation of the PSD2 remains on track, or whether it will be delayed or even derailed.


[1] An EU directive does not have direct effect. Member states must pass domestic legislation to implement the terms of MiFID II.
(go back)

Both comments and trackbacks are currently closed.