Law and Practice
1. Fintech Market
1.1 Evolution of the Fintech Market
Ireland is home to well-developed and globally recognised technology and financial services sectors and is a fintech hub.
IDA Ireland, the country's industrial development agency, reports that Ireland is the world's second-largest exporter of software, and that 16 of the top 20 global technology firms and 20 of the top 25 global financial institutions operate from the jurisdiction.
Ireland is also home to a large number of fintech firms, the European home for global innovation labs and incubators. The Central Bank of Ireland (the "Central Bank") established its Innovation Hub in April 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of the existing formal regulator/firm engagement processes. The Innovation Hub had facilitated 253 engagements as of the publication of the Central Bank's 2020 update.
Increase in Fintech Activity in Ireland
Recent years have seen an increase in fintech activity in Ireland and in the number of entities operating in the country, reflecting the positive ecosystem that has been developed. Ireland is a popular location for firms seeking an EU base, which has increased further following the UK's withdrawal from the EU (“Brexit”), so as to "passport" their Irish authorisations to provide services into other EU member states. Examples include Coinbase Stripe, Square/Block, SumUp and Modulr which have obtained electronic money institution authorisations, which also allow for the provision of payment services.
Domestic firms, such as Wayflyer, have also established themselves successfully. Several Irish retail banks are seeking to create a digital money transfer service in response to fintech challengers. This initiative is currently subject to competition law scrutiny. The government's strategy for the development of Ireland's international financial services sector to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies. In the short term, fintech developments in Ireland are likely to continue to focus on the payments sector, regulatory technology ("regtech"), artificial intelligence and blockchain, among other sectors. From a regulatory or supervisory perspective, it is expected that anti-money laundering (AML), outsourcing and data protection will remain key topics. The Central Bank has recently published Guidance on Operational Resilience and on Outsourcing which, along with existing guidance on IT and Cybersecurity Risks, will require all regulated firms in the Irish market to review their frameworks.
EU Legislative Developments
EU legislation is implemented into Irish law and/or is directly applicable. In the context of virtual assets, the Fifth Money Laundering Directive (Directive (EU) 2018/843) (5MLD), transposed into Irish law by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021, impacts providers engaged in various services in respect of virtual assets. Regulation (EU) 2020/1503 on European crowdfunding service providers for business (Crowdfunding Regulation) provides a framework for equity and peer-to-peer lending-based crowdfunding within the EU and allows for operators of crowdfunding platforms to obtain authorisation as a crowdfunding service provider, which can be passported across the EU. The Crowdfunding Regulation came into force on 10 November 2021.
Other EU initiatives impacting fintech include the European Commission's September 2020 adoption of the Digital Finance Package (the "Digital Package"), which includes a proposal for a regulation on markets in crypto-assets ("MiCA"), a proposal for a regulation on a pilot regime for market infrastructures based on distributed ledger technologies or DLTs (the "Pilot Regime") and a proposal for a regulation on digital operational resilience for the financial sector ("DORA"). These proposals are not yet law and are moving through the European legislative process, and are subject to amendment prior to implementation. The current draft of MiCA proposes to implement a legislative framework including rules applicable to the issuance of crypto-assets and the provision of various services in relation to crypto-assets. MiCA also seeks to implement market abuse-type rules in relation to crypto-assets and an EU supervisory regime. On 21 November 2021 the Council of the European Union announced that it had adopted its position on MiCA and DORA, and that negotiations are ongoing. The Pilot Regime is at a more advanced stage of the legislative process and is expected to come into force in the second half of 2022, and to apply nine months later. The European Securities and Markets Authority (ESMA) commenced a stakeholder consultation process on the Pilot Regime on 4 January 2022.
The Digital Package follows a public consultation in respect of a proposed EU regulatory framework for crypto-assets (the "Crypto Consultation"). In its April 2020 response, the Central Bank stated that it is supportive of the initiative and welcomes the development of a more harmonised approach to crypto-assets, although it raised concerns with certain issues, including the monetary policy implications of the emergence of global stablecoins.
The Eurosystem published a new framework for overseeing electronic payment instruments, schemes and arrangements (which will also cover crypto-asset-related services, such as the acceptance of crypto-assets by merchants within a card payment scheme and the option to send, receive or pay with crypto-assets via an electronic wallet) which comes into force in November 2022 (PISA Framework).
2. Fintech Business Models and Regulation in General
2.1 Predominant Business Models
The Central Bank has commented that fintech activity in Ireland is at its most intense in the payments sector. This is reflected in an increased number of authorised payment institutions and electronic money institutions in Ireland in recent years, including Stripe, Coinbase (a cryptocurrency platform), MoneyCorp, Square, SumUp, and Modulr. Bigtech firms have also established in this space, and it is likely that payment services will continue to be an area of focus in Ireland. This is helped by the existing fintech and payments-friendly ecosystem, while Brexit has also resulted in a number of payments firms locating their EU operations in Ireland.
Other areas for innovation include regtech, insurance, digital identity and asset management, with loan and investment crowdfunding set to increase.
In the context of its Innovation Hub, the Central Bank has commented on the growth and maturity of blockchain and an increase in engagements regarding crypto-asset infrastructure (such as exchanges and wallet providers), as well as a broadening of use cases for blockchain beyond crypto-assets and as an element of firms' overall technology stack.
2.2 Regulatory Regime
Fintech firms must look to the regulatory regimes that may be applicable to their business model on a case-by-case basis. Fintech-specific legislative developments are in the pipeline, including the introduction of MiCA and the Digital Package, which will provide a bespoke regulatory framework for crypto-assets in due course. Recent fintech-specific legislative developments include the implementation of amendments to AML legislation applying a registration requirement and AML obligations to certain virtual asset service providers and the implementation of the Crowdfunding Regulation.
In relation to the provision of payment services or the issuance of electronic money, the primary rules to be considered are the European Union (Payment Services) Regulations 2018 (the “Payment Services Regulations”) – which transpose Directive 2015/2366/EU (PSD 2) into Irish law – or the European Communities (Electronic Money) Regulations 2011 (the “Electronic Money Regulations”) – which transpose Directive 2009/110/EC (the “Electronic Money Directive”) into Irish law. The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 ("CBA 1997") may be relevant to a money transmission service falling outside the Payment Services Regulations.
Challenger banks seeking to undertake "banking business" require a bank licence under the Central Bank Act, 1971 ("CBA 1971") and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) (as amended) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Banking business, in summary, means any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account. Licensing decisions are taken by the European Central Bank.
Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” in their name, as this is restricted under the CBA 1971.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, a case-by-case analysis is required.
Investment Services/Asset Management
Depending on the services provided, a fintech firm providing asset management solutions may be subject to regulation. For example, if the activities constitute "investment services" in respect of "financial instruments" for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment business services, including depository or administration services, would require authorisation under, for example, the Investment Intermediaries Act 1995 (IIA). Fund management companies are also regulated.
Following the implementation of the Crowdfunding Regulation, the operation of a loan or investment-based crowdfunding platform is now a regulated activity. However, depending on the services they provide, a number of existing rules may also be applicable and are discussed elsewhere in this guide (eg, payment services).
Firms providing software or blockchain solutions will need to examine the particular service they are offering and the activities they are undertaking in order to assess if a licence or registration is required. These firms will need to consider whether AML rules applicable to virtual asset service providers (VASPs) are applicable (see below) and, in the longer term, MiCA.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended ("CJA 2010") implements the European AML rules into Irish law.
The CJA 2010 was amended in 2021 to implement 5MLD to include a registration requirement for VASPs, which include persons engaging in exchange services between virtual assets and/or virtual assets and fiat currencies, transfers of virtual assets, the provision of custodian wallet services and/or participation in, and provision of, financial services related to an issuer's offer or sale of virtual assets.
Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD 2 (eg, strong customer authentication) where they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber risks. Such guidance includes the European Banking Authority (EBA) revised Guidelines on ICT and security risk management, applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions, and the Central Bank's September 2016 Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks. Other cybersecurity and criminal legislation or guidance may also be relevant.
In the longer term, the Digital Package includes a proposal for a regulation on digital operational resilience for the financial sector.
Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of regulatory status or services being provided.
The GDPR was designed to be technology neutral, meaning that it protects personal data no matter what technology is used or how the personal data is stored. However, such neutrality means that fintech firms will be presented with challenges when navigating through the obligations imposed by the GDPR. Among the issues to be considered are transfers of personal data to countries outside the EEA, provision of transparent and accessible privacy notices, the principles of "privacy by design" and "privacy by default", implementation of risk-based data security measures, data breach reporting obligations and the enhanced rights of data subjects, including the right to be forgotten and the right to data portability.
2.3 Compensation Models
The permissible compensation models for fintech firms will depend on the type of service they provide, their customer base, regulatory status and the rules applicable to those services or customer types. Similarly, disclosure requirements in relation to fees and charges will depend on these factors.
2.4 Variations between the Regulation of Fintech and Legacy Players
As a general rule, there is no differentiation between services provided by fintech firms or legacy players. However, some regulated services or activities are more likely to be performed by fintech firms.
2.5 Regulatory Sandbox
There is currently no regulatory sandbox in Ireland. The Central Bank has established an Innovation Hub to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of existing formal regulator/firm engagement processes. As part of the Digital Package, the European Commission has proposed the Pilot Regime, which is a regulation that seeks to create a sandbox for the integration of blockchain technology into European financial market infrastructure, and is expected to come into force in the second half of 2022.
2.6 Jurisdiction of Regulators
The Central Bank is the financial services regulator in Ireland with responsibility for authorisation and supervision of financial services providers. The Central Bank supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.
The European Central Bank is the competent licensing authority for new Irish credit institutions (banks) and it supervises significant credit institutions directly under the Single Supervisory Mechanism.
The Data Protection Commission is the Irish supervisory authority for the GDPR.
2.7 Outsourcing of Regulated Functions
If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service unless it can rely on an exemption.
A number of rules and requirements may apply to regulated firms that are engaged in outsourcing regulated and unregulated functions. These are generally sector specific; for example, the Payment Services Regulations and MiFID II contain outsourcing requirements relevant to in-scope firms.
In December 2021 the Central Bank implemented its Cross-Industry Guidance on Outsourcing (the "CBI Outsourcing Guidance"), which firms need to have regard to alongside specific outsourcing rules under various sectoral legislation. The CBI Outsourcing Guidance is heavily influenced by the EBA Guidelines on outsourcing arrangements (the “EBA Outsourcing Guidelines”).
The EBA Outsourcing Guidelines are applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions, and set out a number of requirements for internal governance and risk management, as well as specific requirements in relation to outsourcing contracts. These requirements include the vendor agreeing to provide access and audit rights for the regulated firm and its regulators for critical or important functions.
ESMA has also implemented guidelines on outsourcing to cloud service providers (the "ESMA Cloud Guidelines"), which apply to a broad range of regulated financial services providers falling under ESMA's remit. In-scope entities must review and amend their cloud outsourcing arrangements to align with these requirements by 31 December 2022. The European Insurance and Occupational Pensions Authority has also published guidelines on outsourcing to cloud service providers (the "EIOPA Cloud Guidelines").
2.8 Gatekeeper Liability
The extent to which any fintech provider is deemed to be a "gatekeeper" will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements as discussed throughout this chapter, or may fall within the scope of Irish AML legislation. Where AML legislation is applicable, fintech providers may be required to undertake customer due diligence and may be subject to an obligation to identify, escalate and report to the authorities transactions they deem suspicious or unlawful.
The Criminal Justice Act 2011 imposes a reporting obligation on a person who has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence”, to disclose this information to the Garda Síochána (the Irish police force).
2.9 Significant Enforcement Actions
The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities.
It is noteworthy that the Irish authorities have successfully confiscated cryptocurrencies that were determined by the Irish courts to be assets that were the proceeds of crime (in the case of CAB v Mannion (2018) IEHC 729). In its 2020 Annual Report, the Irish Criminal Assets Bureau noted a 2019 seizure of cryptocurrency in excess of EUR53 million.
2.10 Implications of Additional, Non-financial Services Regulations
Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland. These include data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.
2.11 Review of Industry Participants by Parties Other than Regulators
Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. A broad range of bodies may be relevant during a firm's life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges, and the Financial Services and Pensions Ombudsman.
2.12 Conjunction of Unregulated and Regulated Products and Services
For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless restricted by its financial services licence. Under both the Payment Services Regulations and Electronic Money Regulations, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.
The Consumer Protection Code 2012 (CPC) applies to Irish regulated entities and EEA firms operating in Ireland on a branch basis or cross-border basis and primarily impacts services provided to consumers. The CPC can under certain circumstances require regulated entities to provide regulatory disclosure statements which must relate solely to a regulated activity, and to have separate sections on its website for regulated activities and any other activities.
2.13 Impact of AML Rules
The applicability of AML rules will depend primarily on whether a fintech company falls within the categories of "designated persons" under the CJA 2010. Where a fintech firm is regulated by the Central Bank, it will typically be a designated person as would, for example, VASPs (which are not "regulated" but which require an AML registration) and potentially other businesses including lenders, operators of a casino or traders in artworks or cash traders in high-value goods.
The requirements imposed on designated persons include:
- carrying out a money laundering/terrorist financing risk assessment of their business;
- undertaking customer due diligence;
- carrying out ongoing monitoring of customers and customer transactions;
- filing Suspicious Transaction Reports in instances where money laundering or terrorist financing is known or suspected;
- maintaining and implementing AML/counter financing of terrorism (CFT) policies, procedures and controls;
- retaining appropriate records;
- providing AML/CFT training to all staff on an ongoing basis; and
- implementing an appropriate AML governance framework.
3.1 Requirement for Different Business Models
Per the EBA Glossary for Financial Innovation, robo-advisers are defined as “Applications that combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisers may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions” (“Robo-advisers”).
While the specific services and business models of differing Robo-advisers will vary, once the activities of the Robo-adviser constitute MiFID II "investment services" in respect of "financial instruments", they will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.
The MiFID II investment services most likely to be triggered by Robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include:
- transferable securities;
- units in collective investment undertakings;
- certain options, futures, swaps and other derivatives; and
- emissions allowances.
MiFID II investment firms are subject to extensive conduct of business rules when providing investment services. The authorisation requirements and process will help shape and define a MiFID II investment firm's business model.
The MiFID Regulations requirements in relation to suitability assessments will also affect Robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability – which define Robo-advice as “the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool” – are stated to be particularly applicable to Robo-advisers, given the limited amount or total absence of human involvement in the investment service performance process.
3.2 Legacy Players' Implementation of Solutions Introduced by Robo-Advisers
No information is available in this jurisdiction.
3.3 Issues Relating to Best Execution of Customer Trades
A Robo-adviser authorised under the MiFID Regulations that executes orders on behalf of clients is subject to the MiFID II rules, including the obligation to execute orders on terms most favourable to its clients and the client order handling rules. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders.
4. Online Lenders
4.1 Differences in the Business or Regulation of Loans Provided to Different Entities
There are significant differences between the regulation of lending to individuals and companies in Ireland.
Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland although AML registration may be required.
The Crowdfunding Regulation facilitates peer-to-peer business lending, with crowdfunding service providers authorised to facilitate the granting of loans. Crowdfunding service providers can also perform individual portfolio management of loans for investors within certain criteria.
Loans to Individuals and SMEs
By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. This is a domestic Irish requirement. The Consumer Credit Act, 1995 (CCA) contains another domestic-only regime whereby a person who meets the definition of a “moneylender” lending to consumers is required to obtain authorisation in certain circumstances.
Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and small and medium enterprises (SMEs) requires authorisation in certain circumstances. Directive (EU) 2021/2167 on credit servicers and credit purchasers became effective in December 2021 and member states are required to implement its provisions by December 2023. This directive applies to non-performing loans issued by banks established in the EU. In-scope credit servicers which are authorised in their home state can passport their services across the EU.
Lending to individuals acting outside their business is subject to the requirements of a range of consumer protection legislation. Additional rules apply in respect of mortgage lending.
Regulated financial service providers (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the CPC and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (the “SME Regulations”).
4.2 Underwriting Processes
Irish conduct of business rules and legislation require creditworthiness or suitability assessments in certain circumstances. For example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.
Ireland has established a Central Credit Register (CCR) under the Credit Reporting Act 2013 (CRA). The CRA requires lenders to check the CCR prior to advancing in-scope credit, and also imposes a requirement on lenders to report information relating to certain loans and borrowers.
4.3 Sources of Funds for Loans
Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.
Dedicated lending entities – eg, a retail credit firm – may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending, eg, via a crowdfunding service provider.
4.4 Syndication of Loans
It is not typical for consumer loans or loans to small businesses to be syndicated. Where peer-to-peer lending is taking place, there may be multiple bilateral loan agreements. The Crowdfunding Regulation provides a European framework for peer-to-peer lending platforms.
5. Payment Processors
5.1 Payment Processors' Use of Payment Rails
Payment processors may use existing payment infrastructure or create or implement new payment rails, as long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.
5.2 Regulation of Cross-Border Payments and Remittances
Cross-border payments may be regulated under the Payment Services Regulations, which cover services including the execution of various forms of payment transactions, issuing payment instruments and money remittance. There are also requirements in respect of wire transfers, credit transfers and direct debits; eg, the Single Euro Payments Area (SEPA). The PISA Framework is also relevant to companies enabling or supporting the use of payment cards, credit transfers, direct debits, e-money transfers and digital payment tokens, including e-wallets.
6. Fund Administrators
6.1 Regulation of Fund Administrators
Fund administrators in Ireland are generally authorised pursuant to the IIA but may also be authorised pursuant to the MiFID Regulations depending on the types of activities to be undertaken.
In addition, fund administrators are subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017, the Central Bank's Investment Firms' Q&A and the Investor Compensation Act 1998.
6.2 Contractual Terms
Boards of directors of Irish investment funds and fund management companies ("Boards") require administrators to enter into service-level agreements setting out in granular detail the services described in the administration agreement and the parties' expectations in terms of timing, performance, escalation of issues and actions to be taken in the event of non-compliance with specific provisions of the service-level agreement.
In addition, administrators are being requested to provide key performance indicators as part of their quarterly reporting to Boards in respect of services such as the calculation and release of the net asset value. Such requests are a result of increased focus by regulators on oversight of service providers, which has resulted in the contractual terms relating to ongoing reporting by the fund administrator becoming increasingly important.
The increasing reliance by firms operating within the global financial sector on IT has led to a focus by regulators and firms alike on improving cybersecurity and data protection within the financial industry. As fund administrators maintain trading data, account details and extremely sensitive investor information, they are at particular risk from the evolving sophistication of cyber-attacks and the heightened frequency of data breaches. Accordingly, Boards are increasingly seeking to impose contractual terms that ensure fund administrators have appropriate IT and cybersecurity risk management procedures and frameworks in place to protect against cybercrime and data breaches, as well as IT disaster recovery and business continuity planning arrangements encompassing the recovery and resumption of daily operations should a disruptive event occur. These provisions stem from the sharpened focus of regulators on data protection as well as the management of cybersecurity across the financial sector, but also from an increasing awareness by industry of the devastating financial and reputational implications that a successful cyber-attack could yield.
Fund administrators are likely to be under a contractual obligation to report any data breaches and cybersecurity issues that may impact their client. They may also be subject to industry guidance and best practice in this regard.
7. Marketplaces, Exchanges and Trading Platforms
7.1 Permissible Trading Platforms
The activity of operating a peer-to-peer crowdfunding platform is regulated under the Crowdfunding Regulation, which provides a European framework for loan and investment-based crowdfunding.
In summary, it provides for a single set of rules that apply to crowdfunding offers in the EU up to EUR5 million over a 12-month period. A platform operator can become authorised as a crowdfunding service provider and can provide crowdfunding services across the EU on the basis of its home state authorisation.
Payment Services Providers
Payment services involving fiat currencies will typically have to be carried out by a regulated payment services provider.
Investment Services, Exchanges and Trading Platforms
The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of investment firms and various types of securities exchanges, including market operators, regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).
The operation of a crypto-asset exchange, involving either exchange services between virtual assets and/or virtual assets and fiat currencies, from Ireland will require registration as a VASP. Where a crypto-asset amounts to a MiFID financial instrument, a crypto-exchange will be subject to regulation under the MiFID Regulations.
Crypto-exchanges should also consider whether they are providing payment services and/or electronic money (where issuing their own tokens). In the longer term, MiCA proposes to regulate the operation of crypto-asset exchanges, with the operation of such an exchange being a regulated service that will require authorisation.
7.2 Regulation of Different Asset Classes
No information is available in this jurisdiction.
7.3 Impact of the Emergence of Cryptocurrency Exchanges
The implementation of the 5MLD, brings providers of exchange services between various virtual assets and between virtual assets and fiat currencies within the scope of Irish AML legislation. MiCA also proposes to require the providers of crypto-asset exchange services to obtain authorisation.
7.4 Listing Standards
No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Exchanges for MiFID II financial instruments established under the MiFID Regulations will usually have detailed listing/admission to trading rules to ensure transparency and compliance with applicable laws and regulations (eg, the Euronext Dublin Listing Rules), while rules in relation to the requirement to publish a prospectus may also be relevant.
7.5 Order Handling Rules
No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms when executing orders in MiFID II financial instruments.
7.6 Rise of Peer-to-Peer Trading Platforms
No information is available in this jurisdiction.
7.7 Issues Relating to Best Execution of Customer Trades
No formal best execution standards apply to an unregulated platform in Ireland; general contractual principles should apply.
Detailed best execution standards apply for MiFID II investment firms dealing in MiFID II financial instruments.
7.8 Rules of Payment for Order Flow
The MiFID II inducements, conflicts of interests and best execution rules will apply to all MiFID II investment firms, including in the context of payment for order flow (PFOF). PFOF is the practice of brokers receiving payments from third parties for directing client order flow to them as execution venues.
In February 2021, the chair of ESMA stated: "The phenomenon of zero-commission trading needs to be looked at in more detail. To be sure, as such lower costs for retail investors are a welcome development, given the importance of costs in determining investors' long-term returns. However, there is no such thing as a free lunch. Payments for order flow from third parties such as market makers may substitute commissions that are otherwise paid by clients, creating conflicts of interest and resulting in less transparency for retail clients. In my view, the practice of payment for order flow needs to be carefully assessed against the MiFID II requirements on conflicts of interest, best execution and inducements."
In a public statement issued on 13 July 2021, ESMA restated its concerns regarding investor protection, conflicts of interest and best execution, and inducements and cost transparency. ESMA considers that in most cases it is unlikely that PFOF could be compatible with MiFID II and its delegated acts.
A proposal to amend Regulation 600/2014/EU ("MiFIR") adopted by the European Commission on 25 November 2021 seeks to effectively ban PFOF.
7.9 Market Integrity Principles
In addition to domestic requirements, Ireland has implemented EU securities markets legislation, some of which is directly applicable. These measures include:
- the Prospectus Regulation;
- the Market Abuse Regulation;
- the Transparency Regulation;
- the Short Selling Regulation;
- the Securities Financing Transaction Regulation;
- Regulation 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories (EMIR); and
- MiFID II.
See 9.2 Regulation of Unverified Information and 9.3 Conversation Curation in relation to market abuse.
8. High-Frequency and Algorithmic Trading
8.1 Creation and Usage Regulations
The primary method of regulation of these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments, so asset classes outside the scope of regulation under the MiFID Regulations will not be regulated.
8.2 Requirement to Register as Market Makers when Functioning in a Principal Capacity
Specific, detailed rules apply where a MiFID II investment firm engages in algorithmic trading to pursue a market-making strategy. These include carrying out the market-making continuously during a specified proportion of the trading venue's trading hours, and entering into a binding written agreement with the trading venue.
8.3 Regulatory Distinction between Funds and Dealers
No information is available in this jurisdiction.
8.4 Regulation of Programmers and Programming
Programming is not a regulated activity in Ireland. It will need to be assessed on a case-by-case basis whether programs or programmers are carrying out regulated activities, in which case the applicable regulations will be relevant.
9. Financial Research Platforms
Platforms providing financial research are not specifically regulated by the Central Bank. However, participants and platforms should consider whether a regulated investment service is being provided.
The provision of investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments is an ancillary service under Part 2 of Schedule 1 of the MiFID Regulations. The provision of this service without any other MiFID II investment services would not trigger a requirement for authorisation as a MiFID II investment firm.
In contrast, the provision of investment advice (as defined in MiFID II) in relation to MiFID II financial instruments is an activity requiring authorisation under the MiFID Regulations, unless an exemption applies.
The MiFID Regulations and Commission Delegated Regulation (EU) 2017/565 provide requirements in relation to conflicts of interest and inducements that apply to regulated MiFID II investment firms in relation to research.
The IIA regulates the provision of investment advice in relation to investment instruments, subject to certain exemptions. The IIA definition of investment instruments captures certain instruments that are not MiFID II financial instruments and certain activities or firms that might fall outside the MiFID Regulations.
9.2 Regulation of Unverified Information
The Market Abuse Regulation
The Market Abuse Regulation (Regulation (EU) 596/2014) (MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“market abuse”) as well as measures to prevent market abuse.
MAR prohibits insider dealing, the unlawful disclosure of inside information, market manipulation and attempted market manipulation. Market manipulation is broadly defined under MAR, and includes disseminating information through the media, including the internet or by any other means, which gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of a financial instrument, a related spot commodity contract or an auctioned product based on emission allowances, or which secures, or is likely to secure, the price of one or several MiFID II financial instruments, a related spot commodity contract or an auctioned product based on emission allowances at an abnormal or artificial level, including the dissemination of rumours, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.
Recital 48 to MAR confirms that, given the rise in the use of websites, blogs and social media, disseminating false or misleading information via the internet (including through social media sites or unattributable blogs) should be considered to be equivalent to doing so via more traditional communication channels for the purposes of MAR.
In summary, MAR applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, or traded on an OTF and certain other financial instruments, the price or value of which depends on, or has an effect on, the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue.
Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (the “MAR Regulations”), is an offence in Ireland. The MAR Regulations also provide certain civil sanctions for breaches of MAR, such as a breach of the prohibition on market manipulation.
Central Bank focus
The Central Bank has increased its focus on market abuse compliance by issuers, firms and their advisers and published "Dear CEO letters" to the industry in July 2021 detailing its expectations of various stakeholders.
ESMA has advised retail investors to be careful when taking investment decisions based exclusively on information from social media and other unregulated online platforms if they cannot verify the reliability and quality of that information. This ESMA statement also notes that organising or executing co-ordinated strategies to trade or place orders under certain conditions and at certain times to move a share's price could constitute market manipulation.
ESMA noted that special care should be taken when posting information on social media about an issuer or a financial instrument, as disseminating false or misleading information may also be market manipulation, and when disseminating investment recommendations through any media, including social media and online platforms.
In August 2021, ESMA published its Guidelines on marketing communications under the Regulation on cross-border distribution of funds which include requirements for marketing communications via social media, and in October 2021 ESMA published a statement on investment recommendations on social media. In January 2022 the European Supervisory Authorities published a joint response to the Commission's Call for Advice on digital finance and related issues which, among other points, noted the "rise of so called finfluencers – individuals with a wide social media reach, discussing money-related topics and sometimes offering financial recommendations".
9.3 Conversation Curation
The MAR prohibition on market manipulation (including attempted market manipulation) includes a prohibition on “taking advantage of occasional or regular access to the traditional or electronic media” to voice opinions about in-scope instruments with a view to profiting from the impact of those opinions, without having simultaneously publicly disclosed that conflict of interest.
MAR is also intended to ensure that the prohibitions against market abuse should also cover those persons who act in collaboration to commit market abuse, so the platform should ensure it takes steps to avoid being seen to collaborate with such activity.
Liability under the MAR Regulations can also attach to an entity that collaborates or facilitates market abuse/manipulation. MAR also requires member states (including Ireland) to put mechanisms in place to allow for the reporting of infringements of MAR (ie, whistle-blowing mechanisms).
10.1 Underwriting Processes
The EU's Solvency II regime (as implemented in Ireland) applies to the majority of Irish (re)insurance undertakings, including the underwriting process of these undertakings.
The Solvency II framework sets out detailed requirements around capital, governance and risk management in all Irish and EU authorised (re)insurance undertakings.
10.2 Treatment of Different Types of Insurance
In broad summary, Solvency II undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015, to carry on either life insurance business, non-life insurance business, or both.
11.1 Regulation of Regtech Providers
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, certain exceptions to this position could apply, depending on the nature of the regtech service performed and the nature of the entity to which such services are provided. Therefore, a case-by-case analysis is required.
11.2 Contractual Terms to Assure Performance and Accuracy
Depending on the particular service provided and the particular financial services firm receiving those services, they may fall within the legal and regulatory requirements governing outsourcing and this will impact the contractual provisions required.
The CBI Outsourcing Guidance
Outsourcing is a particularly topical issue for the Central Bank. The CBI Outsourcing Guidance applies to all Irish regulated firms and is to be implemented alongside any specific sectoral legislative outsourcing requirements. The CBI Outsourcing Guidance imposes similar contractual requirements to the EBA Outsourcing Guidelines (which apply directly to credit institutions, certain investment firms and payments/e-money institutions).
The EBA Outsourcing Guidelines
The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. In addition, specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The EBA has commented that it is imperative that business continuity and data protection are appropriately considered when outsourcing IT or data services. The ESMA Cloud Guidelines and the EIOPA Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis.
Regtech providers may have legal and regulatory or contractual obligations to notify certain behaviour, depending on their regulatory status and contractual arrangements, the sector in which they operate and the information and material that they come into contact with.
12.1 Use of Blockchain in the Financial Services Industry
Domestic institutions are investigating the use of blockchain, and certain institutions have conducted trials in this area, including in the area of payments. In a November 2021 speech, the Central Bank noted in the context of its Innovation Hub that, in crypto-related activities, it has observed growing activity reflecting greater institutional interest, a trend reflected in the wider market.
We.trade, a blockchain-based trade finance service provider that was established by an international consortium of banks, is based in Dublin. In April 2021, ConsenSys, a blockchain company which develops DeFi (decentralised finance) and Web3 applications announced a significant expansion of its Dublin operations.
In addition, in February 2021, the Institute of Banking, domestic banks Bank of Ireland, AIB and Ulster Bank (part of the RBS Group), and Deloitte announced the launch of EdQ, a blockchain-based education credentialling platform for financial services. The platform provides real-time access to unalterable records of professional credentials that facilitates financial services firms' compliance with regulatory obligations that involve the credentialling of employees.
12.2 Local Regulators' Approach to Blockchain
The Central Bank's Approach
The Central Bank requires firms providing certain services in relation to crypto-assets to register as VASPs (see 2.2 Regulatory Regime and 2.13 Impact of AML Rules for more detail). Outside of this process, the Central Bank has not provided any specific regulatory updates or guidance to address blockchain technology, other than issuing consumer warnings regarding the risks of virtual currencies, most recently in April 2021, and initial coin offerings (ICOs).
In a July 2021 blog post, the governor of the Central Bank noted the concerns regarding the environmental impact of crypto-assets and the facilitation of crime by the anonymity these can provide, and stated that, as things stand today, the negatives surrounding crypto far outweigh any benefits. The governor also noted that the positive elements of the underlying technology should not, however, be ignored.
Aside from the VASP registration requirement, Ireland does not have any legislation specific to blockchain technologies.
EBA and ESMA Reports
The January 2019 EBA report with advice for the European Commission on crypto-assets (the “EBA Crypto Report”) and ESMA advice in relation to ICOs and crypto-assets (the “ESMA Crypto Report”) provide useful information in relation to the interpretation of blockchain assets within existing rules and highlighting gaps, as well as suggesting that further consideration be given at an EU level to legislating in the area. This work fed into the Crypto Consultation, which, among other things, looked at crypto-assets that are covered by EU rules and whether the rules can be effectively applied, as well as crypto-assets that are not covered by EU rules at present, and a possible common regulatory approach. The Crypto Consultation, in turn, has fed into the Digital Package and MiCA.
Ireland for Finance
The government's international financial services sector strategy document to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies.
12.3 Classification of Blockchain Assets
The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender, and has also issued a consumer warning regarding the risks of ICOs.
Definition of "Virtual Assets"
While the 5MLD includes a definition of "virtual currencies", the implementation of the VASP regime into the CJA 2010 instead predominantly uses the term "virtual asset", which aligns Irish legislation with the relevant Financial Action Task Force (FATF) recommendations. The Irish legislation defines "virtual asset" as "a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets".
The initial draft of MiCA also defines various forms of blockchain assets, including:
- asset-referenced tokens – "a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets" (ie, a stablecoin);
- electronic money tokens – "a type of crypto-asset the main purpose of which is to be used as a means of exchange and that purports to maintain a stable value by referring to the value of a fiat currency that is legal tender"; and
- utility tokens – "a type of crypto-asset which is intended to provide digital access to a good or service, available on DLT, and is only accepted by the issuer of that token".
Blockchain assets and/or services in relation to those assets may fall within existing regulatory regimes and, depending on the features of a particular blockchain asset, its legal classification may vary.
MiFID II Definition of Transferable Securities' Significance to Regulatory Approach
One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security. Given the variance in structure among blockchain assets, it is necessary to analyse individual blockchain assets against the criteria for the MiFID II financial instrument of “transferable securities”, defined under Article 4 (1) (44) of MiFID II as those “classes of securities which are negotiable on the capital market, with the exception of instruments of payment, such as:
(a) shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
(b) bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
(c) any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures."
If a blockchain asset is determined to be a transferable security, then it falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR. The ESMA Crypto Report also states that several European regulators considered that certain types of crypto-assets could qualify as units in collective investment undertakings (another MiFID II financial instrument), most likely alternative investment funds, and thus the Alternative Investment Fund Managers Directive (Directive 2011/61/ EU) (AIFMD) could be relevant. The ESMA Crypto Report notes that existing rules that may be applicable do not fit perfectly with the characteristics of blockchain.
In very broad terms, a blockchain asset with characteristics that are similar to shares, bonds or other securities, or related derivatives, including being transferable, will be more likely to fall within the definition of a “transferable security”. An investment-type blockchain asset may be more likely to have these characteristics, while the ESMA Crypto Report specifically notes that a pure payment-type cryptocurrency (such as Bitcoin) is less likely to be considered a “transferable security”. The ESMA Crypto Report cautions against extrapolating its analysis against the entire crypto-asset universe.
Crypto-Assets and Payment Services under the Electronic Money Directive
In the EBA Crypto Report, the EBA notes that a crypto-asset can qualify as electronic money under the Electronic Money Directive, and thus be regulated under that directive, provided the following circumstances are met:
- it is electronically stored;
- it has monetary value;
- it represents a claim on the issuer;
- it is issued on receipt of funds;
- it is issued for the purpose of making payment transactions; and
- it is accepted by persons other than the issuer.
Additionally, if a person performs a "payment service" as listed in PSD 2 with a blockchain asset that qualifies as "electronic money" under the Electronic Money Directive, such activity would fall within the scope of PSD 2 by virtue of constituting "funds". More generally, PSD 2 and the domestic Irish regime of money transmission should also be considered in the context of fiat transfers or services related to blockchain activities.
12.4 Regulation of “Issuers” of Blockchain Assets
There is currently no specific regulatory regime for, or prohibition of, the issuance of blockchain assets or ICOs in Ireland or at EU level, although the provision of services in relation to such issuances is within the scope of Irish AML legislation and may require a VASP registration. Additionally, MiCA proposes to impose extensive requirements on the issuers of blockchain assets.
As with the applicability of the existing legal or regulatory requirements to a blockchain asset depending on its particular structure, an issuance may come within the scope of existing Irish legal regimes, depending on its specific characteristics.
In two statements from November 2017, ESMA alerted participants in ICOs of the potential applicability of MiFID II, AIFMD, the Prospectus Directive and the applicable AML rules, depending on the structure of the issuance, and alerted investors of the risks of ICOs.
12.5 Regulation of Blockchain Asset Trading Platforms
The provision of exchange services between various virtual assets and/or between virtual assets and fiat currency is within the scope of Irish AML legislation and may require a VASP registration.
The operation of blockchain asset trading or exchange platforms may involve the issuance of electronic money or provision of payment services, in order to facilitate wallet and payment features.
Where blockchain assets constitute MiFID II financial instruments – such as transferable securities – then the operation of a trading platform will be in the scope of existing regulatory regimes.
Platforms will also need to consider data protection and cybersecurity requirements where applicable.
MiCA also proposes to impose requirements in relation to the provision of exchange services.
12.6 Regulation of Funds
Irish regulated investment funds are either authorised as undertakings for collective investment in transferable securities (UCITS) or as alternative investment funds (AIFs).
Distinctions between Crypto-Assets
The Central Bank has provided guidance on investment in crypto-assets which states that such assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. This guidance recognises that the nature and characteristics of crypto-assets vary considerably and it distinguishes between crypto-assets that are tokenised traditional assets (the value of which is linked to an underlying traditional asset or a pool of traditional assets, such as financial instruments or commodities) and those assets that are based on intangible or non-traditional underlying assets. In respect of this latter type of crypto-asset the guidance states that the Central Bank is highly unlikely to approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to crypto-assets. For AIFs marketed to qualifying investors that seek to gain exposure to this latter type of crypto-asset, a submission is required to be made to the Central Bank outlining how the risks associated with exposure to such assets will be effectively managed by the alternative investment fund manager. This submission will need to be made to the Central Bank in advance of seeking to have a fund with such exposures authorised by the Central Bank. The guidance states that the Central Bank's approach in relation to crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future.
The Digital Package Proposals on Crypto-Assets
As part of the Digital Package, the European Commission published legislative proposals relating to crypto-assets which, once finalised, should provide certainty in terms of:
- the classification of crypto-assets that do not currently qualify as financial instruments; and
- the custody requirements relating to such assets.
Rules for Crypto-Assets That Are Not Financial Instruments
Currently for crypto-assets that do not qualify as financial instruments, the rules for "other assets" under the UCITS Directive and AIFMD apply and in such cases the depositary needs to ensure the safekeeping (which involves verification of ownership and up-to-date record-keeping) but not the custody of such assets. As well as regulatory uncertainty, practical obstacles still exist in the Irish market to the extent that currently many depositories are not comfortable that they can capably hold or sub-custody crypto-assets while also meeting their safekeeping obligations.
12.7 Virtual Currencies
The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset's features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II.
12.8 Impact of Regulation on “DeFi” Platforms
DeFi transactions will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area and the authors expect to see increasing regulatory interest in DeFi. In its September 2021 "Report on Trends, Risks and Vulnerabilities", ESMA stated that although the size of the DeFi market itself is not yet large enough to be considered a risk to financial stability, it is still worthwhile for regulators and supervisory authorities to closely monitor its developments and better understand its activities, structures, potential benefits and underlying risks.
12.9 Non-fungible Tokens (NFTs)
There are no specific legal or regulatory provisions that apply to NFTs.
It is unlikely that NFTs constitute virtual assets for the purposes of the VASP registration requirement under the CJA 2010 but a case-by-case analysis is required. The FATF October 2021 Guidance on virtual assets and virtual asset service providers (which is helpful, but not binding or directly applicable in interpreting the scope of the CJA 2010 VASP regime) provides that, depending on their characteristics, digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments, are generally not considered to be virtual assets under the FATF definition. However, it is important to consider the nature of the NFT and its function in practice.
It is also unlikely that an NFT would constitute a financial instrument under MiFID, as the definition of "transferable security" refers to "classes of securities" which are negotiable on the capital market. The inherent non-fungible nature of an NFT would appear inconsistent with this requirement. However, a case-by-case analysis may be required in some circumstances.
While an NFT would look to qualify as a crypto-asset under the definition in the initial draft of MiCA, that draft dis-applies its requirement to publish a "white paper" to issuers of crypto-assets where "the crypto-assets are unique and not fungible with other crypto-assets", and so limited requirements may apply. However, it remains to be seen how NFTs will be treated in the final legislation and categorisation will depend on the individual NFTs and rights involved.
13. Open Banking
13.1 Regulation of Open Banking
PSD 2 introduced two new regulated payment services: payment initiation service and account information service. A disruptive aspect of PSD 2 is the customer's right to make use of third parties to obtain payment initiation services and for third parties to access payment data to provide account information services. This facilitates open banking and opens up opportunities for challenger banks and other fintech firms to bring new products to the market. Application programming interfaces are to be used for third-party access to online payment accounts.
13.2 Concerns Raised by Open Banking
PSD 2 imposes certain conditions on access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.
In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the right to withdraw consent, access to data and a right for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.
Originally Published by Chambers and Partners Fintech Practice Guide 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.