Consider whether the financial regulations applyAll CFPs should be aware of the Crowdfunding Association (UKCFA) and the key external regulatory body for CFPs, the Financial Conduct Authority (FCA). While most CFPs do not need to be FCA regulated, loan and investment-based CFPs generally do.
The two key issues for any CFP to determine in respect of financial services regulations are:
- Whether the CFP requires authorisation; and
- Whether the financial promotion regime applies.
Think carefully about how payments will be processedA common issue is when investments/donations come through a CFP’s own bank accounts as this could be deemed to be a money remittance service under the Payment Services Regulations 2009 (PSR). This is a complex area, due to both the numerous exemptions but also the effect of the PSR, as CFP operators often opt to use third party online processing providers (like WePay, PayPal and Stripe) to process payments on their behalf.
Mitigate risk through CFP terms and conditionsAll CFPs will need terms and conditions (T&Cs) governing the use of their platform, ensuring users accept the terms and conditions by taking an active step (for example, clicking “I accept”). Depending on the model, the T&C should clarify what the CFP is and is not liable for. If the CFP is consumer-facing, the operator will need to comply with consumer protection legislation.
Consider the data protection law requirementsCFPs processing personal data have statutory obligations relating to the collection, use, storage and sharing of that data. In order to comply with the Data Protection Act 1998 (DPA) and other legislation, CFPs will need to (among other things):
- Register with the Information Commissioner’s Office (ICO), as failure to do so is a criminal offence;
- Establish and maintain a robust privacy and cookies policy, and make sure that the policy is easily accessible via the CFP;
- If any third party processes data on the CFP’s behalf (as the “data processor”), enter into an agreement to ensure that the third party is contractually obliged to process the data in accordance with the statutory requirements;
- Ensure that no personal data is transferred outside the EEA unless certain pre-conditions are satisfied;
- Put in place adequate security measures to mitigate the risk of users’ data being accidentally or deliberately compromised; and
- Comply with cookie legislation by providing the purpose of cookies used and obtaining users’ consent before cookies are placed on their machines.
Think about getting local adviceIf the CFP is specifically targeting another jurisdiction (or if use of the platform is permitted in specific locations), it may be advisable to take specific local regulatory advice, will depend on the type of crowdfunding model; the relevant jurisdiction(s) in which the CFP is permitted to be used; whether the CFP will be carrying out any marketing / promotions in the jurisdiction(s); and whether the CFP operator has an active presence in the jurisdiction(s).
…One final thoughtWhile the various regulatory regimes which may apply to CFPs can seem overwhelming, particularly for start-ups on tight budgets, potential pitfalls can be avoided by taking advice during the early stages of set-up. The increasing prevalence of CFPs shows that the challenges are far from insurmountable.
Louise Taylor is a partner at international law firm Taylor Wessing.
Share this story