Financial industry regulations in the UK aim to uphold the soundness of the markets, ensure healthy competition, and protect consumers with fair products and services.
However, in the post-Brexit environment, UK regulators have pursued new legislation to ensure the industry remains competitive on the global stage, with important implications for consumer identity and authentication standards.
Financial Services and Markets Act (FSMA)
The Financial Services and Markets Act (FSMA) was a landmark piece of legislation enacted by the UK parliament in 2000. The Act established the Financial Services Authority (FSA) as the single regulatory body overseeing the country’s insurance, banking, and investment sectors. The FSA replaced the multiple self-regulatory bodies that had previously overseen the finance industry.
The FSMA has been amended several times over the years. In particular, the Financial Services Act 2012 significantly reformed the regulatory framework established in the initial FSMA in response to the 2008 financial crisis. It abolished the FSA, replaced it with the Bank of England's Prudential Regulation Authority (PRA), and created the Financial Conduct Authority (FCA) to oversee the conduct of UK financial services providers.
Overall, the FSMA has significant implications for identity management and financial service providers’ responsibility to protect customer digital identities. The FCA and BoE’s PRA have used the regulatory powers granted to them under the FSMA to establish rules and guidance that aren’t explicitly detailed in the Act while enforcing further legislation to uphold fair and transparent financial markets.
For instance, the FCA is responsible for enforcing Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations. These regulations require financial service providers to implement robust identity verification mechanisms to comply with Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements.
Future of Payments Review
The Future of Payments Review, published in 2023, was commissioned by the UK HM Treasury and evaluates what payments will look like in the coming years. It provides recommendations to help the UK bolster its fintech competitiveness, encourage frictionless digital payments, and stay at the forefront of retail payments as the landscape evolves.
The Review was completed with input from around 150 stakeholders and roundtable discussions with fintech firms, Big Tech companies, telecommunications providers, consumer groups, regulators, retailers, and trade associations.
The major takeaway of the review is the author’s recommendation that the UK government establish a national payments strategy, citing the critical nature of payments to individuals and the overall economy, the ongoing investments in payments solutions, and the impact of payments on other sectors.
Regarding digital identity, the Review includes a recommendation to update the existing Strong Customer Authentication (SCA) requirements. The goal is to enhance customer convenience at purchase while combating fraud in digital transactions. The author states that greater flexibility for authentication requirements can result in a better customer experience and lower cart abandonment rates.
The Review recommends the FCA amend the current SCA guidance to become more outcomes-based, moving away from the strict technical standards set by the EU Payment Services Directive in the post-Brexit environment. In other words, this would allow organizations to take a dynamic, risk-based approach, prompting the appropriate authentication challenge based on a transaction's sensitivity.
Another evolution of digital payments regulation in the UK stems from the new reimbursement rule introduced last year. Starting October 7, 2024, the nation’s Payment Systems Regulator (PSR) will require all UK Payment Service Providers to reimburse customers who are victims of authorized push payment (APP) scams, which are now the number one threat vector in the UK and the EU.
UK Consumer Duty
In 2022, the FCA issued new rules for financial service providers to uphold consumer protection, referred to as the Consumer Duty. The rules came into force in July 2023 and are issued under section 139A of the FSMA. The purpose of releasing the new set of rules was to clarify the responsibilities of financial service providers in protecting retail customers and to foster greater trust in the markets.
The FCA outlines a list of ten expectations for financial services firms under the Consumer Duty, including delivering positive outcomes for consumers, not exploiting customers’ lack of knowledge, communicating effectively with customers so they can make informed decisions, and considering customer needs at every stage of the financial product lifecycle, among others.
The Consumer Duty does not include explicit requirements for customer IAM. However, overarching themes of the Duty, like addressing foreseeable risks that could harm consumers and strengthening trust in the financial services industry, directly relate to such practices and help to tackle digital vulnerability.
Thus, the Duty has implications for a firm’s cybersecurity framework and the authentication mechanisms it has in place to prevent potential breaches and unauthorized access to sensitive consumer information.
UK Open Banking
Open Banking in the UK was established in parallel to the EU's Second Payment Services Directive (PSD2), which came into force in 2018. It requires banks to allow authorized third parties to access customer accounts and payment information.
Open Banking hopes to increase competition in the financial services sector and encourage innovation in the space. Its core principle is that consumers can securely share their data with third parties. This gives consumers more control over their data and ensures they receive the best possible financial services and products customized to their needs.
Open Banking Limited (OBL) was established by the Competition and Markets Authority (CMA) to develop the standards and industry guidelines for the country’s open banking initiative. It does not have regulatory authority, though it does help providers implement open banking.
To comply with open banking standards, financial services providers must have appropriate consent management systems, authentication mechanisms, and access controls in place. These measures will ensure the seamless flow of customer financial data between banks and third parties while preventing unauthorized access.
Financial Conduct Authority (FCA) Handbook
The FCA Handbook is a compiled set of rules, guidelines, and provisions made by the FCA for financial services providers that operate within the United Kingdom. The purpose of the Handbook is to help firms maintain compliance and stay current on changing financial regulations.
The Handbook contains various modules and principles that explicitly state the requirements providers must adhere to in areas like client communications, financial crime prevention, and market conduct.
This includes multiple mentions of SCA requirements, which ensure firms have robust authentication methods in place to meet compliance, safeguard customer identities, and encourage trust in the markets.