20200701 Wirecard : the FCA's freezing of assets.

Nigel Morris-Cotterill

The announcement without warning that the UK's Financial Conduct Authority was freezing assets of German FinTech Wirecard has caused consternation.

But while the fall-out has been severe for many individuals, it was both temporary and fits the profile of interventions. There were also good and prudent reasons for it.

Here's why.

On 29th May 2019, Loot Financial Services Limited entered administration.

Loot was "an agent" of Wirecard Card Solutions Limited, an Authorised Electronic Money Institution regulated by the Financial Conduct Authority in the UK. It was not a Wirecard subsidiary.

However, the term "agent" is FCA-speak and in the real world it is misleading.

The actual arrangement was that Wirecard operated the back end for a prepaid card business operated by and in the name of Loot. Remember that: it is relevant later.

The FCA said "As of 28 May 2019, customers of Loot Financial Services have been given 60 days’ notice that the product will be closing (by 26 July 2019) and services no longer provided beyond that point.

As a result, customers of Loot Financial Services have been asked to withdraw their electronic money funds and to make alternative arrangements.

Customers should still be able to access their funds and prepaid cards should remain functional during this period, subject to regulatory and legal obligations." (our emphasis)

The FCA, in a statement dated 29 May 2019 said "We explain what this means for customers."

Well, no, they didn't.

Not really.
The FCA did not say who had issued that notice. Was it Loot's administrators? Was it Wirecard?
Importantly, the FCA did not say who had control of the money of the customers of Loot. Was it Loot's administrators? Was it Wirecard? Hence the emphasis we placed in the FCA notice.

Despite this case, it appears that this part of the FinTech sector was not given the reconsideration that it deserves.
In various jurisdictions where Wirecard was operating, there had been rumblings of problems since early 2019 but there was nothing specific and certainly nothing that anyone (except, as we now know, its auditors) could take to prosecutors or regulators.

But there was something systemically flawed in the regulatory regimes of the providers of such services.

Moreover, it still is.

The first thing is that the FinTech revolution has put services historically provided by highly regulated bankers into the hands of technologists and salesmen.

They have no history in financial sector risk and often rely on computerised models they have, themselves, developed.

Indeed, to start with, regulators turned a blind eye - first they called it "a sandbox" and, then, "light touch regulation" - to questions of compliance and, even, financial crime risk, including money laundering risk systems.

As regulators have, at last, arguably a decade too late, come around to imposing those requirements on those providing similar services, many, many have shut up shop or moved to less regulated jurisdictions.

Many FinTech companies, especially in the early days, had no moral hazard. They were funded by easy venture capital - again, often from people with an understanding of technology but not of the financial industry. For example, the Hong Kong Monetary Authority found that applicants for FinTech licences couldn't even fill the application forms in properly.

There has been a presumption that everyone needs mobile, etc. services. In South Africa in 2018, the regulatory system was cautious. Lobbyists, arguing the case of accessibility, wrote a report as if the case for FinTech outside the banking sector was a done deal.

The South African attitude was simple: if you want to provide banking services, you must be, or must be a registered agent of, a bank.

Maybe they have changed that since: I'll have to look it up sometime.

If it has, South Africa has added risk which it had prudently designed out of its financial system.

I have long argued that the FinTech industry is a bubble waiting to burst and that consolidations were inevitable.

The consolidations would happen by way of acquisition - which is what Wirecard did - and the burst would be when venture capitalists decided enough was enough and that the dot com bubble's symptom of excessive burn rates was repeating itself.

As companies come under pressure and face failure, consolidation would accelerate but only for as long as the venture capitalists supporting the consolidator continue to pump in money.

Sooner or later, they pull out or call for whatever is the current incarnation of Drexel Burnham Lambert, in the hope of raising junk bonds. And yes, we are now seeing something similar to that with Initial Coin Offerings being proposed for takeovers of failing businesses.

The FCA did not issue a press release about suspending the accounts of Wirecard's business in the UK, or rather it appears, as of today, to have issued one and, several days later, re-written it.

Wirecard's largest business in the UK was bought when it acquired the pre-paid card issuing division of the Newcastle Building Society.

It jumped into the big league.

That, perhaps surprisingly, was in December 2011 - we were still using the term "Financial Technology" then and "FinTech" was not in common use. And Americans were still trying to convince the world that pre-paid cards should be called "gift cards."

Wirecard created Wirecard Card Solutions Limited and that company was the takeover vehicle.

But the Newcastle Building Society had been developing its business across Europe - just 24 people in Newcastle ran an operation that had expanded to a further six EU states.

The announcement of that takeover foreshadowed something: "The acquisition will happen in two phases: the first will involve Wirecard Card Solutions Ltd. providing core functions to Newcastle Building Society as an outsourcing service provider; and the second seeing Wirecard Card Solutions Ltd. take full control of the business upon receipt of its authorisation as an Electronic Money Institution from the UK Financial Services Authority."
Move in, start business, sort out the regulatory shit later. It was an Uber-like culture that Wirecard never lost.

And it all came to a head in June 2020.

It is not immediately clear how the Financial Conduct Authority communicated the freezing of Wirecard's UK accounts beyond the notices on the Financial Services Register which is a publicly accessible database for the Financial Conduct Authority and the Prudential Regulation Authority, a division of the Bank of England.
There are several statements on the FCA's website - one is dated 26th June, the date upon which the action was taken - but that statement has been "amended" and now refers to the reinstatement of services. It might be that Wirecard was told early on 26th but the rest of the world later.

In the absence of clear information on the FCA's website, it's not possible to tell from primary sources.

On the Register, the following Order appears:
"Institution to refrain from providing Account Information Services or Payment Initiation Services for an indefinite period.
Must comply with the requirements in regulation 78A(2)(b) of the Electronic Money Regulations 2011 to refrain from providing account information services or payment initiation services for an indefinite period."

That essentially disconnected Wirecard's computers from the outside world.

And no computers equals no card or merchant activity. It is an order that takes immediate effect.

The first question was why, even if there was good reason for it, was it done without notice, especially on a Friday just before the phones are turned off for the weekend at the FCA?

The answer to that is simple: it's how it's done. All over the world, regulators issue notices at close of business before a weekend or public holiday.

All over the world, insolvencies are launched at the same time or, in the case of listed companies, in the minutes before markets open on the day after a weekend or public holiday so that shares can be suspended before their value is wiped out.

One might ask why and the answer is that if the purpose is rescue - through administration or some other method - the last thing anyone wants is a knee-jerk reaction that destroys share values.

In the case of the Friday-night announcement, it's so that those involved can work over a weekend in relative isolation.

In this case it was without regard to the fact that while counter-services may be closed, financial services is now, in many cases, the business that never sleeps.

Or that sleeps when it's dead.

Not that that helps customers who, in the absence of a bank account, use a pre-paid card as a form of current account. They don't know if their salaries or other payments upon which they depend have been credited and they cannot do, as many do, their financial transactions such as paying rent at weekends.

The second question, from outside the immediate circle dealing with the regulatory issue, was "how quickly can we get cards back on-line?"

It might sound contrary to good sense but freezing the assets, while it caused hardship for a few days (actually three and a half), was in fact in the best interests of Wirecard's customers in the UK.

And customers in the UK are those that, ultimately, the FCA is bound to protect.

The reasons for that are:

a) the failure of regulators (and the EU has to take the brickbats in this case) to put in place adequate measures to protect deposits; and

b) as a result of that, no one outside Wirecard knew where those deposits were.

I could go down the rabbit hole of how deeply flawed EU regulation is, being obsessed with detailed rules for the present but not thinking of what can go wrong in the future.

But I won't. I'll just mention in passing that the UK's electronic money regulation is designed in the EU and because of freedom of movement of capital and so-called "passporting" (which means that a business regulated in one EU state can operate in another state under the same regulatory regime), the Financial Conduct Authority is under restrictions as to what it can do; even if it identifies potential problems, it cannot impose risk management upon companies that are regulated in another state.

Here, Wirecard Card Services Limited was regulated in the UK and, arguably, the UK could have required measures going beyond the EU norms - but to do so would inevitably lead to an exodus of such businesses which would then do business in the UK from offshore as a passported organisation.

There was logic to the suspension: in one of the many LinkedIn threads on this topic, someone else has been discussing the core reason albeit in generic terms.

When the parent entered insolvency proceedings, the primary concern was whether customers' money was ring-fenced against creditors.

Secondly, there was concern that the money should be in the UK and only in the UK.

Remember, for context, that in various jurisdictions, there were investigations as to a "missing" USD1,900 million.

Then questions arose as to whether that money even existed.

Wirecard's primary regulator, BaFin, was out to lunch; its auditors, Ernst and Young, were - we'll wait and see exactly why they were so utterly clueless but my expectation is that they will say, as the Big Four habitually say in the face of major failure, something like "we rely on what the senior executives tell us."

Once Wirecard was on the cusp of a flush, the obvious questions arose: if that money was missing, whose money was it? It's logical to at least question whether it was money that should have been protected as customers' funds.

There is precedent - albeit slightly oblique precedent - for freezing the assets of, in that case, a bank.

In or about 2007, the British government, using an extremely dubious device of alleging economic terrorism which the Chancellor of the Exchequer, Gordon Brown, or someone in his team made up as an excuse, froze the accounts of Landsbanki, a privately owned Icelandic bank that entered an insolvency process.

Brown went further and used that as a reason to seize the assets in the UK of another: Kaupthing Singer & Friedlander, the UK subsidiary of another Icelandic bank, Kaupthing.

The reason was simple: the money wasn't protected under the UK's deposit schemes and the Icelandic scheme would be overwhelmed if either of those banks failed leaving customers in the UK with no effective redress.

So, Brown's nuclear option was a pre-emptive strike.
While his methods were legally dubious, his tactics were good: grab the money before anyone else can get to it.

That's what the FCA was doing in relation to Wirecard, but in this case on far more solid legal ground.

In 2017, China, in the aftermath of a rash of PayTech frauds, realised that the FinTech sector was out of sync with the banking sector.

FinTech had light regulation and a free-wheeling attitude.

What happens, the People's Bank of China asked, if a FinTech company collapses?

The solution implemented by the People’s Bank was simple: in the absence of the ring-fencing of the actual funds held for customers (that's a technical difference that we don't need to consider here), the payments company must hold, in a separate and secure account, a form of trust account, an amount equal to the amounts deposited by customers. In one fell swoop, albeit in a roundabout way, the problem was solved - and it makes sense: banks have a capital adequacy requirement, why not FinTech companies and why should that not be the amount that it owes customers so that it cannot use customers' money for its own purposes?

Equally, a FinTech is not a regulated lender so it can't lend it out.

Across the whole world, because they are not banks, the customers of FinTech businesses are not protected by the relevant deposit insurance scheme.

The kind of protection that China demands is not enforced in many countries.

The UK's FCA, in its trendy bollocks way of communicating, talks of "safeguarding." It means "protecting."

In the announcement about Loot, it said "We are in contact with Wirecard Card Solutions [i.e. the UK subsidiary of Wirecard in Germany] to ensure that Loot Financial Services customer funds continue to be safeguarded and that customers are given sufficient information on how to access their funds."

So it's clear. A year ago, at the very latest, the FCA was aware of the risks that were faced by customers of Wirecard's associated businesses in the UK. By extension, they were also aware, or should have been, of the risk that the FinTech sector presents when it's allowed to take - and use or export - deposits or does it in breach of regulations.

The notice also implied that the FCA was concerned that funds held by Wirecard and obtained through associated businesses in the UK were not hypothecated i.e. ring-fenced in the case of insolvency. The same extension applies.

In the present case, the conditions under which the UK company is allowed to continue to trade effectively disassociate it from the collapsed German parent.

And on 29th June, the full scale of the conditions imposed on 26th became completely clear.

1. The company must not issue any electronic money (so cards were dead) and must not accept any funds (the FCA studiously avoids using the term "deposit") in consideration for the issue of electronic money (so deposits could not be made to cards). That restriction was removed on 29 June.

2. If deposits are made, moneys received in breach of condition 1 must be returned "to the customer."

That, as we know, could not work. It makes a false assumption that only the card holder credits the card account. In fact, many card holders use it as a current account - a fact that became painfully obvious as soon as the action was taken.

In the absence of a bank account to which the card is linked, there is nowhere for moneys to be returned to, if they are to go to the customer.

Returning the moneys to the source, which would include benefits offices and employers, would breach the condition.

This condition was not modified on 29th June but it had become otiose. Sadly, it takes a lawyer to work that out. Way to go, FCA.

3. The company must not carry out any payment services. That condition was removed on 29 June.

Then, at last, the FCA got around to the thing it should have done for years.

The company must preserve and secure all information and systems relating to the regulated services and retain them in the UK available for inspection at the FCA's request.

The FCA has power to do this because the action is against the UK regulated company, not the German parent.
The company "must take all necessary steps to ensure that all relevant funds are protected in designated accounts held at credit institutions authorised by the Prudential Regulation Authority in the UK" (précis). Before midnight (or is it midday? It says 12 PM which is a nonsense expression albeit one in common use) on 26 June, the company must provide the FCA with details of all those designated accounts and evidence of the steps taken to comply with the requirement to so hold moneys.
The company must not "without the written consent of the Authority and save as is necessary to comply with these requirements, in any way dispose of, withdraw, transfer, deal with or diminish the value of any of its own assets, and any funds it holds for, or to the order of its clients (whether in the United Kingdom or elsewhere)."
They are customers. FFS, FCA.

As of 29 June the FCA says it "has provided Wirecard with written consent to make payments in the ordinary course of business. Payments to other companies in the Wirecard group are not permitted unless made in consideration for services provided or as reimbursement for sums paid on Wirecard’s behalf."

Lawyers will recognise the terms as being, effectively, those that would be found in a civil injunction to prevent waste in relation to assets.

From the outside, if one reads the tabloids, the FCA's action was tantamount to an attack on the poor.

In fact, it acted swiftly and decisively to protect their money and to ascertain the facts and to put in place protective measures and then to release the restrictions affecting customers all within a little over 72 hours. It was a superbly executed strategy.

But it was a strategy that should not have been necessary.
The case highlights the problems across the FinTech sector.

Many FinTech companies registered in, say, Singapore operate across the region outside the regulatory regime of the markets in which they operate.

Banks, which provide similar services and, even, money transmitters do not have that privilege.

The Wirecard case should draw attention to the lack of protection for users' money and to the need to ensure that that money is retained within the jurisdiction of the customer. Who'd have thought that the world should be looking to China for leadership on regulatory affairs?

To conclude: who wants a lesson in irony?

In the mid 1990s, a Chinese-owned bank applied for a banking licence as a branch in London. The regulators refused and eventually it closed the fully equipped offices it had commissioned in preparation for launch and continued only as a representative office.

The reason was that the UK's regulators did not believe that the Chinese government would stand behind the bank if it fell into difficulty and that would expose the UK banking system to risk.

Only a couple of years later, when Barings collapsed, the UK Government, through the regulators, refused to step in to rescue it or support its customers which were not retail banking customers and therefore outside the scope of the deposit guarantee scheme.

When Loot collapsed, Wirecard did not support it.

That begs the question - fundamentally, what is the difference between Wirecard and the UK subsidiary of a Chinese bank a quarter of a century ago?

Answer - a worrying lack of understanding of the nature of the businesses that are being regulated.

It might not say "bank" over the door but many FinTech companies are providing banking services.

Regulators should stop messing about and regulate them as such.