A Practical Approach to the Regulation of Investment Business Conducted over the Internet

Jonathan E Halsey

Head of Compliance, Old Mutual Asset Managers (UK) Ltd.
Editor of The Compliance Exchange - www.compliance-exchange.com
Member of FMA E-commerce Working Party

4 February, 2000

Many well-established global investment firms, regulated in the territories from which they carry on business, have already set up their billboards on the web to sell their image and promote their products, and some are conducting "E-business". What should these firms have regard to in order to manage the regulatory and reputational risks associated with such activity?

Most countries around the world have by now enacted laws governing the conduct of investment business and financial services. These laws are designed for a number of reasons including the protection of investors and in order to attract good business. Regulatory organisations such as the UK's Financial Services Authority have evolved in many jurisdictions whose purpose it is to uphold the integrity of the investment industry in their particular geographical locations. These organisations use a variety of regulatory tools such as licensing, rulemaking and enforcement.

When conducting investment business outside the confines of the UK one is expected to observe relevant local regulations and customs. The detail of these rules can vary considerably from place to place. Investment companies need to be sensitive to local cultural and regulatory constraints in the jurisdictions in which they operate.

The internet offers unprecedented opportunities for investment firms to present themselves and their products and services to existing and potential customers on a worldwide basis. There is however still considerable uncertainty surrounding the regulatory implications of presenting investment advertisements and advice on the internet and about conducting business over the internet.

The new communications technology raises many questions about legal jurisdiction and territoriality which remain largely unresolved. Because the internet is global it seems unlikely that any particular regional or national legal or regulatory system will be able to prevail in relation to any type of business let alone investment business. Rules will always be unenforceable somewhere. And rules under one regime may conflict with or contradict rules under another.

The "home versus host" approach adopted by the European Union loses the clarity of its definition when home could be anywhere and host is everywhere. Must those doing business over the internet simultaneously observe the laws of every single country in the world? Such a suggestion will remain impracticable so long as there is divergence amongst legal systems and regulations in different jurisdictions.

So what can be done about all this?

It has been observed that innovations happen in the USA before they happen elsewhere. This is referred to as the "bellwether" effect. Technology is considered to be more advanced and Americans have had more time to become accustomed to using the internet.

It therefore makes sense to look at what is happening in America as a tool for predicting what will happen in the future in the rest of the world. If we look at recent developments in America we can make an informed guess at what will emerge shortly in the UK and elsewhere.

The consumer is king in America. Service providers recognise that their customers will disappear overnight if they conduct themselves in an untrustworthy manner. Trust is a crucial factor in all relationships but when you are dealing with a counterparty whom you have never met other than in cyberspace it is doubly important that a consumer or customer has faith that they will not be dealt with unfairly. Businesses setting up on the web must do all they can to reassure potential customers as to their integrity and adherence to high ethical standards of business conduct.

One way in which e-business integrity and consumer confidence is maintained in the USA is by having an independent professional accountant provide a digital certificate to the effect that a website observes certain standards. This is referred to as an "attestation service". The American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants has devised such a seal-of-approval approach through WebTrust. (See www.aicpa.org.) WebTrust is the AICPA's initiative to promote trust in E-commerce by articulating standards for consumer information protection, transaction integrity and sound business practices. E-businesses who agree to abide by the code can kitemark their websites as long as they continue to comply. Compliance is enforced through frequent review by an appropriately qualified independent accountant.

The principles that a website must observe continuously in order to retain its WebTrust certificate are:

The entity discloses its business and information privacy practices for E-commerce transactions and executes transactions in accordance with its disclosed practices.

The entity maintains effective controls to provide reasonable assurance that customers' transactions using E-commerce are completed and billed as agreed.

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of E-commerce is protected from uses not related to the entity's business.

These are very general and high level but the key themes of disclosure, keeping promises and safeguarding of customer information are apparent. The importance of protecting and respecting the confidentiality of private and personal data gathered from those who register or apply for products using online forms is paramount.

Returning to investment E-business, what can we learn from the American experience? Perhaps that all stakeholders and participants should agree to a code or set of standards to be observed by investment firms' websites wherever in the world they might be uploaded, stored or accessed. Regulators of investment business in different countries could then require their local constituents to observe this code, enforcing it to the extent they consider appropriate. Independent third parties could then provide assurance that service providers are observing the code.

Work is already underway in the UK to draft a code of conduct for financial services websites. The Investment Management Association (IMA) has appointed an E-Commerce Working Group, whose terms of reference include, "in consultation with other financial services trade associations to devise best practice standards regarding the contents of websites of, and web advertising by, financial service firms". The intention is to encourage regulators to adopt or at least recognise these standards when they have been articulated.

Although only in its second draft at present the FMA code is likely to require investment firms to make a "mandatory disclosure" statement at their websites. This statement would disclose certain aspects of the firm's identity, such as its name, place of incorporation, registered office, registration number and legal status and the identity of its regulator. Firms would also have to state whether they are in compliance with other applicable codes of practice and laws relating to general E-commerce, privacy and data protection. Specific disclosures would be required for certain types of product or service offered by the firm along with types of customer the material is targeted at. The Mandatory Disclosure Statement would have to displayed in a reasonably prominent manner and be accessible from all relevant pages at the website.

The FMA code will represent a practical approach to regulating investment business conducted over the internet. It will be important that the Financial Services Authority support the initiative. FSA have stated that they will include trade association codes of conduct and practice in their own forthcoming "sourcebook" of rules. Over time FSA may be the body that enforces the code. Regulators in other countries might also adopt and enforce the code which could become a global standard.

Further into the future we may see regulators and trade associations as custodians and issuers of digital certificates of compliance backed by automated compliance audit programmes. This will help ensure that consumers and users have trust in the firms that operate websites. When that consumer trust has been established E-commerce will be able to flourish.