FINTECH MARKET
The Development of FinTech Products and Services
The combination of Jersey’s strengths in the financial sector and its growing digital sector (with very positive support from the Island’s government) positions Jersey as an ideal jurisdiction for investors, start-ups and established businesses working in FinTech.
The Island’s approach to FinTech can be well illustrated by its recent adoption of a specific regulatory regime for virtual currencies and those who provide virtual currency exchange services. Like other financial services businesses, companies operating in these fast-developing fields must comply with the Island’s laws, regulations, policies and procedures aimed at preventing and detecting money laundering and terrorist financing. However, to ensure innovation in these key areas is not stifled, the regulation also provides a threshold test that exempts start-ups involved in virtual currency exchange from paying fees to the Jersey Financial Services Commission (JFSC) for regulation until they reach a specified turnover threshold. This means that while these businesses have to register and comply with the Anti-money Laundering and Countering the Financing of Terrorism Handbook (the “AML/CFT Handbook”), there is sufficient room for innovation with minimal regulatory costs.
The Key Market Participants in the Specified Activities
As FinTech is such a new and evolving sector, and one that encompasses several industry groups, it is difficult to measure its influence accurately. The current closest proxy is the finance sector, which was the largest component of total Jersey Gross Value Added (GVA) in 2015, accounting for 42% of a total GVA of GBP4.11 billion.
The FinTech sector in Jersey is very active across the full range of the specified activities and while FinTech has not yet begun to displace traditional finance service providers, there are examples of traditional financial institutions and service providers partnering with FinTech companies to develop new systems or products.
The Key Market Participants in the Specified Activities
Local names in the FinTech sector highlight the diversity of FinTech activity on the Island and include the companies below:
- Atam Holdings, which provides kiosk-based solutions, working in the key sectors of banking, telecommunications, identification and transport. It offers a complete turnkey solution from initial consultancy, system design, software design and engineering, hardware design and manufacturing.
- C5 alliance, which works in partnership with businesses that have a financial services product and require technical development and marketing services.
- Enhance, which provides investment consultancy, investment reporting, wealth consultancy and treasury services to trust companies, charities and private clients, with FinTech at its core.
- KYCme, which provides an online storage and secure exchange solution that is AML and know your client (KYC) compliant.
- Microgen Financial Systems, represented across the Channel Islands, which offers a range of financial services technology systems focused on the global wealth management sector, the UK payments market and application management services.
FINTECH REGULATION
Regulatory Regimes for Specified Activities or FinTech Companies
In recent years Jersey has demonstrated its commitment to becoming a world leader for the development of FinTech. Digital Jersey, founded in 2012 as the principal driver of government efforts to establish Jersey as an internationally recognised centre for the digital industries, works closely with government and other professional organisations to remove barriers within the sector.
Through a varied programme of events and activities, Digital Jersey encourages the development of new FinTech innovations and proactively fosters new enterprises. It has a particularly active relationship with Jersey Finance, which represents and promotes the Jersey financial services industry around the world. Digital Jersey also works directly with industry in a more formal setting through its Proposition Development Groups, which focus on the industry-identified priority areas of blockchain, Regtech/KYC and wealth management. These groups are composed of relevant industry representatives and have been set up to develop viable ideas and solutions to common issues in each focus area.
The least regulated area is that of lending and crowdfunding, which may not be considered financial services business in Jersey and therefore outside the scope of the FSJL. FinTech businesses engaging in lending or crowdfunding therefore need only comply with the Anti-money Laundering Legislation (see 2.2 Regulatory or Governmental Agencies for Specified Activities of FinTech Companies) and the AML/ CFT Handbook. In most cases, this will be limited to a simple registration with the JFSC (which as a rule cannot be refused by the JFSC), ensuring suitable client due diligence is undertaken and that record keeping and internal governance complies with the AML/CFT Handbook.
The principal scenario where lending and crowdfunding activities may not benefit from this lighter-touch regulatory approach is where a lending platform utilises securitiesbased crowdfunding (for example, where members of the public invest directly in a business by purchasing investments such as shares or debentures), which may fall within the scope of investment business for the purposes of the FSJL (on which, see below).
The specified activities relating to blockchain are also outside the scope of the FSJL and subject to comparatively light regulation. Like most European jurisdictions, Jersey treats crypto-currency as a currency and not a commodity, and regulation is therefore focused on the interface between the physical and the virtual value chains. To this end, the Antimoney Laundering Legislation was amended to include those who exchange crypto-currency for real money in any form (or vice versa) (Exchangers), who will be subject to the same registration and governance requirements set out above save that the JFSC is granted a greater discretion to refuse their registration to reflect the higher risks associated with this activity.
The specified activity relating to payments is likely to be considered money services business within the scope of the FSJL to the extent that it includes transmitting or receiving funds by wire or other electronic means or engaging in other money transmission services. In addition to the requirements imposed by the FSJL, the Island has implemented the EU Wire Transfer Regulation (WTR), which requires that those providing money transfer services retain and transfer certain information about relevant transferrers and/or transferees for the purpose of preventing money laundering and the funding of terrorism.
A number of exemptions are available in relation to the application of the FSJL and the WTR, so that overly burdensome regulation is not imposed on those undertaking lowrisk activities. For example, regulation of money services business under the FSJL will not apply until the turnover of the relevant enterprises reaches £300,000 (although notification is still required) and the WTR will (subject to certain requirements) not apply to the majority of transactions of less than EUR1,000 or those that are funded using a credit or debit card.
Perhaps unsurprisingly, the most heavily regulated of the specified activities is trading and advising on investments. Generally speaking, the scope of regulated activity in this area includes dealing in investments, discretionary investment management, or providing investment advice.
Whether regulated under the FSJL, Anti-money Laundering Legislation or both, in-scope business are required to comply with the AML/CFT Handbook, which sets out the practical steps required to comply with the relevant statutory obligations and adequately protect against money laundering and terrorist financing.
Regulatory or Governmental Agencies for Specified Activities or FinTech Companies
As a world-class financial centre, the wider financial regulatory regime in Jersey is well established, highly functional and well tuned to industry needs without compromising on quality. The JFSC is the primary regulator of financial services business in Jersey and will also be the primary regulator for most FinTech companies.
In line with the push on FinTech in Jersey, the JFSC is generally supportive of the sector and, as it does with its other regulatory functions, will generally try to work with regulated service providers to resolve issues as part of their supervision process rather than taking formal enforcement action.
The remit of the JFSC in relation to the regulation of the FinTech sector is set out in the legislation and codes of practice that govern the traditional financial services industry, which include:
- the Financial Services (Jersey) Law 1998 (FSJL), which regulates and controls entities undertaking financial services business on or from the Island;
- the mandatory Codes of Practice published by the JFSC pursuant to its powers under the FSJL;
- the Proceeds of Crime (Jersey) Law 1999, Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008, the Money Laundering Order 2008, Community Provisions (Wire Transfers) (Jersey) Regulations 2007 and other related subordinate legislation thereunder (together the “Anti-money Laundering Legislation”); and
- the AML/CFT Handbook produced by the JFSC to outline the requirements of Jersey legislation and the JFSC in relation to money laundering
The principal legislation in relation to the regulation of financial services (and by extension FinTech) is the FSJL, which regulates any entity undertaking financial services business, including investment business, trust company business, money services business or fund services business. If an enterprise is in scope, it will be required to apply for the appropriate registration with the JFSC, which has discretion to refuse the application on a number of grounds, including if it is not satisfied that the applicant is a fit and proper person to be registered. Once registered, the enterprise will be subject to the supervision and oversight of the JFSC, which has a number of powers to monitor and enforce compliance.
In-scope enterprises must also comply with the relevant Code of Practice published by the JFSC for the regulated activity it is undertaking. The codes of practice are general and practical in nature but do set measurable expectations in relation to areas such as corporate governance, internal systems and controls, record keeping, integrity and competence, and the retention of adequate financial resources and insurance.
Whether regulated under the FSJL, Anti-money Laundering Legislation or both, in-scope business are required to comply with the AML/CFT Handbook, which sets out the practical steps required to comply with the relevant statutory obligations and adequately protect against money laundering and terrorist financing.
Capital & Liquidity requirements
In addition to the other governance, registration and supervision requirements summarised in this section, the Code of Practice for Investment Business requires that enterprises undertaking investment business maintain minimum net assets and paid-up share capital of between £10,000 and £25,000 each, and a minimum level of adjusted net liquid assets when compared with their actual and contingent liabilities, and investment risks for the coming year.
Moving away from the day-to-day, any enterprise that falls under the scope of the FSJL will be subject to restrictions on the transfer of ownership and control that must be notified to and approved by the JFSC in advance. As with the initial application for registration, the JFSC is able to refuse permission on a number of grounds, including if the new owners and/or controllers of the business are not fit and proper persons
“Sandbox” or Other Regulatory “Neutral Zones”
As mentioned above, in an effort to encourage innovation and creativity in the crypto-currency sector, a regulatory sandbox has been implemented whereby Exchangers are not subject to regulation or required to register with the JFSC until such time as their turnover exceeds £150,000.
Regulatory Regime’s Approach to Consumers and Small Business Customers
The above summary of the regulatory position in Jersey does not vary based on whether one is dealing with other businesses or directly with consumers, although certain exemptions may be available for enterprises undertaking investment business solely with professional investors.
There are, however, some additional considerations when supplying services directly to consumers:
- the services provided may fall within the remit of the Financial Services Ombudsman, who has the power to take steps to resolve complaints made against those providing financial services to consumers, including awarding compensation of up to £150,000;
- Jersey law imposes obligations in relation to due care and skill, and the delivery of the service within a reasonable time; and
- there is a voluntary Consumer Lending Code of Practice that, while not binding, has been adopted by a number of traditional financial institutions.
Unregulated Specified Activities
The different regulatory regimes apply to some or all of the specified activities to varying degrees but none is entirely unregulated. In a number of cases, FinTech companies may be providing unregulated services to traditional financial institutions or other regulated entities (for example, the development and delivery of an investment platform to be used and operated by a third party) but care should be taken that these arrangements comply with the outsourcing requirements imposed on regulated entities by the JFSC Outsourcing Policy.
Form of Legal entity
Potential Forms of Charter
Most trading businesses in Jersey (as opposed to funds or other investment vehicles) take the form of limited companies incorporated under the Companies (Jersey) Law 1991 and will be suitable for the vast majority of FinTech businesses on the island. The Jersey Registrar of Companies provides a secure and stable supervisory environment whilst also reflecting the generally more permissive approach of Jersey company law when compared with similar jurisdictions.
Traditional partnerships, limited partnerships and LLPs are also available as potential vehicles for a new business but are less common outside an investment context. As there are no specific requirements, structures or vehicles imposed on FinTech businesses, the considerations that affect the choice of legal entity are no different from any other business and will depend on individual circumstances and preferences.
Key Differences in Form
The choice of a company-based vehicle by most local businesses is a reflection of the flexibility and relative simplicity of the company law regime in Jersey. There are no statutory limits on the capacity of a company to undertake business transactions and companies can issue shares that have a nominal capital (or par) value or no nominal capital value.
There is no minimum authorised or issued share capital requirement under Jersey law and it is possible to establish companies with a single shareholder without any loss of the corporate veil. Non-voting shares are allowed and share capital may be structured with different rights, such as ordinary shares, preference shares having preferential rights to dividends or to distributions on a winding-up and redeemable shares.
When returning money to investors and business owners, distributions (for a par value company) may be made out of any source (apart from the capital redemption reserve or the nominal capital account) provided that the directors make a 12-month forward-looking solvency statement. Distributions may be paid on all or only some of the classes of shares in issue. Normally, the directors recommend the level of dividend subject to approval by the shareholders.
Stamp duty in Jersey is not payable on the authorised share capital or on the issue or transfer of shares, other than shares of a Jersey company owning Jersey real estate.
A private company may have only one director and there is no requirement for the directors to be resident in Jersey, although this may have practical and administrative advantages. Jersey companies may have corporate directors if the body corporate acting as a director is registered under the company administration services provisions of the FSJL and does not have any corporate directors.
Jersey companies also provide a certain degree of privacy. There is no public register of directors and there is no public filing required in respect of the accounts of a private company, nor any need to register an accounting reference date
Legal Infrastructure (Non-regulatory)
Desirable Changes to Facilitate Specified Activities
Aside from the regulatory considerations outlined above, the legal infrastructure in Jersey is generally accommodating of FinTech business and there are few areas of the law that inhibit the development of new FinTech opportunities.
For example, electronic KYC and “e-ID” technologies have been embraced on the Island in terms of their use in general business activities and Jersey’s role in the development of the underlying technologies. The AML/CFT Handbook referred to above has specific guidance in relation to the use of smartphone and tablet applications to capture client due diligence information, take photographs and copy documents as part of the KYC process in combination with more traditional documentary evidence.
Whilst not specific to FinTech businesses, the most significant barrier to new entrants will likely be local business and residency regulations. Under the Control of Housing and Work (Jersey) Law 2012 (the “CHW Law”), anyone establishing a new “undertaking” in Jersey (which, for these purposes, includes most trades, businesses and professions whether or not carried on for profit) must obtain a licence. Licences under the CHW Law are administered by the Population Office, which, when doing so, considers the demands on the resources of Jersey and the protection of its integrity and reputation.
Licences issued under the CHW Law contain the permitted undertaking’s quotas (which may be nil) of employees who are classed as “Licensed” (approved as essentially employed) or “Registered” (less than five years’ continuous residence in Jersey). There are no quotas for employees classed as “Entitled” (Jersey-born with ten years’ aggregate residence or ten years’ continuous residence) or “Entitled for Work Only” (five years’ continuous residence) persons.
In recent years the number of new Licensed employees permitted has continued to reduce. This issue has been recognised by the government and industry groups on the Island (including Digital Jersey) continue to work hard to support those looking to set up new businesses in the digital and tech sectors. There are also a number of educational initiatives under way to ensure the local population is able to provide suitably skilled staff without the need to look off Island.
More information is available from the Population Office (www.gov.je) or from Locate Jersey (www.locatejersey.com), a government agency that facilitates inward investment.
electronic signatures
The use of electronic signatures is widely accepted in Jersey and is expressly provided for in Jersey law where a reliable and appropriate method is utilised that identifies the signatory. Whilst there are still some bodies or legislation that require certain formalities in relation to the signing documents (for example, they require wet-ink signatures or a witness), many organisations, such as the JFSC, have introduced their own specific processes for electronic signatures utilising user accounts and security passphrases.
Data Privacy and Cybersecurity
Data Privacy and Cybersecurity Regulatory Regimes
Jersey’s data protection regime, which is currently implemented through the Data Protection (Jersey) Law 2005, broadly mirrors the provisions of the EU Data Protection Directive and, in particular, the UK Data Protection Act 1998. As a result, the EC confirmed in 2008 that Jersey has an “adequate” level of protection for personal data for the purposes of the transfer of personal data from the EU to Jersey.
As is the case across all states that have implemented the EU Data Protection Directive, data controllers are required to register with a regulator (in Jersey, the Information Commissioner) to comply with the eight data protection principles and are subject to data access requests, save where a limited range of exemptions apply. Individuals also have rights to require information on the logic behind any automated decision-making and, where a decision significantly affects the individual, require that the decision is not taken solely based on an automated process. There are no specific requirements in relation to biometric or genetic data but this is set to change shortly with the introduction of the General Data Protection Regulation (GDPR).
The coming into force of the GDPR across Europe in May 2018 brings with it far-reaching reforms in the regulation of personal data. The States of Jersey and the Jersey Information Commissioner have confirmed their intent to implement the GDPR through primary legislation prior to its coming into force but, at the time of writing, draft legislation is not available for review. However, it has been indicated that the legislation will mirror the provisions of the GDPR to ensure that the Island’s adequacy status will be upheld and it remains an attractive location for the storage and processing of data.
The GDPR makes a number of substantial changes that would be expected to be replicated in any Jersey primary legislation:
- Expanded territorial scope. Non-EU data controllers and data processors will be subject to the GDPR if they offer goods or services to data subjects in the EU irrespective of whether payment is received or monitor data subjects’ behaviour in so far as their behaviour takes place within the EU.
- Increased enforcement powers. Currently, fines under national law vary and are comparatively low (there is no knowledge of any fines having been levied in Jersey). The GDPR will significantly increase the maximum fines and the Information Commissioner will be able to impose fines on data controllers and data processors directly on a twotier basis, up to 4% of annual worldwide turnover of the preceding financial year or EUR20 million, whichever is the greater.
- Increased investigatory powers. The investigative powers of the Jersey Information Commissioner will include a power to carry out audits, require information to be provided and obtain access to premises, in accordance with local law requirements
- Stricter consent requirements. The GDPR requires a very high standard of consent, which must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as by a written (including electronic or oral) statement. An individual’s explicit consent is still required to process special categories of personal data and consent (in either case) can be revoked at any time. Businesses must be able to demonstrate that the data subject gave their consent to the processing and they will bear the burden of proof that consent was validly obtained.
- Mandatory privacy by design and default. Having regard to the state of the art and cost of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk to individuals, businesses will be required to implement data protection by design (for example, when creating new products, services or other data processing activities) and by default (for example, data minimisation) at the time of the determination of the means for processing and at the time of the processing itself
- Mandatory privacy impact assessments. Businesses will be required to perform data protection impact assessments before carrying out any processing that uses new technologies (and taking into account the nature, scope, context and purposes of the processing) that are likely to result in a high risk to data subjects.
- Registrations. Instead of registering with the Jersey Information Commissioner, the GDPR will require businesses to maintain detailed documentation recording their processing activities and the GDPR specifies the information this record must contain.
- New obligations of data processors. The GDPR introduces direct compliance obligations for data processors. Whereas under the Data Protection (Jersey) Law, processors generally are not subject to fines or other penalties, under the GDPR, processors may be liable to pay fines of up to 4% of annual worldwide turnover of the preceding financial year or EUR20 million, whichever is greater.
- Strict data-breach notification rules. The GDPR will require businesses to notify the Jersey Information Commissioner of all databreaches without undue delay and where feasible within 72 hours unless the data breach is unlikely to result in a risk to the individuals.
- The right to erasure. Individuals will have the right to request that businesses delete their personal data in certain circumstances (for example, the data is no longer necessary for the purpose for which it was collected or the data subject withdraws their consent). It remains unclear precisely how this will work in practice.
- The right to object to profiling. In certain circumstances, individuals will have the right to object to their personal data being processed, which includes profiling. Profiling is defined broadly and includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities. The fact of profiling must be disclosed to the data subject and a data protection impact assessment is required.
- The right to data portability. Data subjects have a new right to obtain a copy of their personal data from the data controller in a commonly used and machine-readable format, and have the right to transmit that data to another controller; for example, an online service provider. In exercising their right, the data subject can request the information be transmitted directly from one controller to another, where technically feasible.
Irrespective of whether new legislation is implemented prior to May 2018, the Island’s current adequacy status will remain in force until next reviewed by the EC.
Given Jersey’s position as a leading international financial centre, it is not surprising that financial institutions based on the Island are often targeted by cyber-attacks in an attempt to access the wealth of highly valuable data stored on the Island. Recent figures have suggested that the Jersey Financial Services Commission itself receives upwards of 4,000 attempted cyber-attacks per day and yet to date there have been no significant or high-profile data privacy breaches reported publicly.
The JFSC has published a number of materials and runs masterclasses on the topic of cyber-security, which it sees as an ever-growing issue. Those whose activities are regulated (and are therefore subject to the relevant Code of Practice) will generally be expected, as a minimum, to:
- understand and document the risk of a cyber-attack on their business and take appropriate documented measures to mitigate this risk (the level and type of risk mitigation should be appropriate and proportionate to the type, potential impact and likelihood of the risks identified);
- have in place appropriate contingency arrangements that they can deploy in the event of a cyber-attack;
- keep these matters under review and test their effectiveness at appropriate intervals; and
- ensure the board of directors (or equivalent) takes overall responsibility for ensuring that the business adequately addresses cyber-security risks.
These obligations are broadly consistent with international best practice on cyber-security and emphasis is put on the importance of keeping up to date with, and sharing information on, threat intelligence as a key component of an effective cyber-security programme.
Intellectual Property
Intellectual Property Protection Regime
Unregistered IP rights are protected in Jersey by virtue of the Intellectual Property (Unregistered Rights) (Jersey) Law 2011 (the “2011 Law”), which was introduced as part of an ongoing reform process with the intention of ensuring Jersey law is compliant with the leading international conventions, including the Berne Convention, the Paris Convention, the World Intellectual Property Organization (WIPO) Copyright Treaty, the WIPO Performances and Phonograms Treaty and the WTO Trips Agreement.
As a result of the 2011 Law coming into force, the application of the Berne Convention (the primary convention on the protection of copyright) was extended to Jersey from January 2014 and work in relation to the other treaties is being pushed forward.
The 2011 Law provides for the recognition and protection of copyright in dramatic, literary (to include computer programs and databases), musical and artistic works, sound recordings, films or broadcasts and the typographical arrangement of published editions. The 2011 Law also provides rights for authors in relation to designs, performances, moral and publication rights.
In addition, the 2011 Law provides for property rights in databases if there has been a substantial investment in obtaining, verifying or presenting the contents of the database regardless of whether the database qualifies as a copyrighted protected literary work.
As Jersey serves only as a secondary registry for IP rights already entered on a register in the UK, the law in these areas is less substantive.
While the protection of IP rights in Jersey is still moving forward, all IP relevant to the establishment and development of FinTech on the Island is suitably protected and is not seen by the local players as a barrier to development.
The work undertaken by government in this area has bought the regime in line with current international standards and work is under way on updating treaty coverage to reflect this.
Trade secret regime
There is no statutory protection for trade secrets or similar confidential information in Jersey and the case law is therefore limited. However, to the extent that legal guidance is available, the Jersey courts have largely applied the same approach as the English courts in that there must be a necessary quality of confidence and a disclosure in circumstances importing an obligation of confidence. In practice, however, protection of confidential information is primarily based on contractual confidentiality and non-disclosure agreements.
Copyrights, Patents, Trade Marks
Jersey law provides for the registration of trade marks, patents and designs already entered on the corresponding register in the UK and provides direct protection (without the need for further registration) for Community trade marks, other international trade marks protected in the UK and patents granted under the European Patent Convention that designate the United Kingdom.
Tax Matters
Special Tax Issues, Benefits or Detriments
Although not part of the EU, Jersey has legislated to achieve a uniform income tax system for the whole business sector that meets the stringent requirements of the tax package adopted by all Member States of the EU in June 2003.
This notwithstanding, the Jersey tax regime makes it a desirable location for new business and entrepreneurial activity across all sectors with the standard rate of corporate tax at 0%. A higher rate of 10% is levied on defined regulated business established in Jersey, such as banks, trust companies and investment managers, which may be applicable to some FinTech businesses. Non-financial services companies are zero-rated. There are also no capital gains, inheritance or wealth taxes payable in Jersey.
The tax year in Jersey is aligned with the calendar year, with tax returns due from all companies on December 31 following the year of assessment. Zero-rated companies are still required to submit a return but do not need to submit any accounts or tax calculations.
Individuals are charged income tax on their earnings at a flat rate of 20% with limited deductions and allowances. A marginal relief is available for those on lower incomes. Individuals and their employers are also required to pay social security contributions on their income up to a given monthly earnings limit. The current rates are 6% for employees and 6.5% for employers. Aside from income tax, a Goods and Services Tax is payable on the domestic consumption of most imported and locally produced goods or services at a rate of 5%. Some goods and services, such as financial services, are exempt or zero-rated for public policy reasons or because they are difficult to tax accurately, although a fee may be payable for the exemption.