The Central Bank of Ireland ("Central Bank") regulates the provision of certain FinTech products and services by e-money and payment institutions ("Firms") in Ireland.
As FinTech comes under increased regulatory scrutiny, the Central Bank recently highlighted the following six key areas for the sector:
Following industry-wide inspections, the Central Bank reiterated safeguarding as a supervisory priority in its Dear CEO Letter issued to Firms on 9 December 2021.
The Central Bank expects Firms to assess their compliance with their safeguarding obligations under the European Union (Payment Services) Regulations 2018 ("PSR") and the European Communities (Electronic Money) Regulations 2011 ("EMR") and to have robust, board-approved, safeguarding risk frameworks in place, which ensure that relevant client funds are appropriately identified, managed and protected daily (including the clear segregation, designation and reconciliation of user balances).
Firms were required to submit attestations to the Central Bank at the end of March 2022, disclosing any gaps in their safeguarding frameworks.
Outsourcing and Operational Resilience
On 17 December 2021, the Central Bank issued its Cross Industry Guidance Paper on Outsourcing. This guidance is relevant to all regulated firms which use outsourcing as part of their business model and is applicable proportionately, based on the nature, scale and complexity of each firm's business model and degree to which it engages in outsourcing.
It complements existing EBA Guidelines on Outsourcing Arrangements and PSR / EMR outsourcing requirements.
Firms need to conduct a gap analysis and update contracts and internal governance frameworks to address any gaps. For further details, please see our update CP138: Central Bank of Ireland Publishes Cross-Industry Outsourcing Guidance.
On 1 December 2021, the Central Bank issued its Operational Resilience Guidance Paper.
Consistent with the Central Bank's strategic commitment of strengthening resilience throughout the financial system, the Operational Resilience Guidance's objective is to communicate how Firms should prepare for, respond to, and recover and learn from an operational disruption that affects the delivery of critical or important business services.
The guidance is not prescriptive and is designed to be flexible and applicable proportionately based on the nature, scale and complexity of each Firm's business.
For further details, please see our update CP140: Central Bank of Ireland Publishes Operational Resilience Guidance.
Culture / Fitness and Probity
In its Consumer Protection Outlook Report 2021, the Central Bank indicated its expectation for Firms to review the risks to consumers of financial services and take concrete action to deliver on these expectations where appropriate.
Firms are required to embed a consumer-focused culture supported by internal systems and controls, including appropriate and well-developed risk management frameworks. For further details, please see our update Further Focus on the Central Bank of Ireland's 2022 Priorities.
New legislation is to be introduced shortly to formalise an Individual Accountability Framework ("IAF") and a new Senior Executive Accountability Regime ("SEAR"), although it is not initially anticipated that payment and e-money firms will be in scope for Phase 1 of this new regime.
New fitness and probity regulations came into force in April 2022 and introduce new categories of pre-approval control functions ("PCFs") under the Central Bank's fitness and probity regime. Non-executive directors (formerly PCF-2) are identified under separate PCF designations, depending on whether they are independent (PCF-2B) or non-independent (PCF-2A). The role of Head of Compliance with responsibility for Anti-Money Laundering and Counter Terrorist Financing Legislation (PCF-15) has fallen away and in addition to the existing Head of Compliance (PCF-12), a new Head of Anti-Money Laundering and Counter Terrorist Financing (PCF-52) has been introduced as a standalone PCF role. Firms should consider the impact of the changes on their existing PCF role holders.
For further details, please see our update Updated Central Bank of Ireland PCF List – Required Actions and Filings.
Firms should be mindful of the Central Bank's requirements on certain changes to their business, which may trigger a notification to the Central Bank, or an application seeking its approval, at the earliest possible opportunity. This applies, for example, where the Firm expects to make a material change to its business model, including where: (i) it makes a substantive change to its service or product offering or materially changes the way in which its service / product offerings are provided; or (ii) its business projections are forecast to be significantly in excess of those in its authorisation process.
Any new outsourcing arrangements for critical or important functions, or material changes to existing arrangements, must also be notified in advance.
Change of control notifications must also be filed in advance.
Anti-Money Laundering ("AML") and Countering the Financing of Terrorism ("CFT") Guidelines for the Financial Sector and Sanctions
In line with the Central Bank's AML and CFT Guidelines for the Financial Sector, Firms must ensure they have a robust AML / CFT compliance framework, based on the Firm's risk assessment (that is specifically focused on the money laundering and terrorist financing risk arising from the relevant Firm's business model). For further details, please see our update Central Bank of Ireland issues Revised AML and CFT Guidelines: Key Changes.
In light of the situation in Ukraine and the introduction of new EU and international restrictive measures, Firms should have appropriate processes in place to ensure adherence to the applicable sanctions.
On 23 March 2022, the European Parliament published the report adopted by its Economic and Monetary Affairs Committee on the European Commission's legislative proposal for a Regulation on markets in crypto assets ("MiCA").
MiCA proposes a comprehensive EU-wide framework for the regulation and supervision of issuers and providers of crypto asset services, with a view to protecting investors and the integrity and stability of the financial system. If introduced, this regime would establish an EU-wide framework, similar to the current MiFID framework, for crypto assets which are not financial instruments, provide for investor protection, conduct, safeguarding and prudential requirements for in-scope providers, and a passporting regime to facilitate pan-European access and consistency in how these assets and providers are regulated.
The Fifth Money Laundering Directive EU/2018/843 brought previously unregulated crypto assets within its scope and since April 2021, virtual asset service providers (VASPs) are subject to fitness and probity and AML and CFT requirements under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
For further details, please see our update Introducing the Irish AML Regime for Crypto Providers.
How We Can Help
With a depth of experience, our dedicated Financial Services Regulatory team supports clients across all regulated sectors in managing regulatory change, drafting policies, procedures and customer documentation, negotiating outsourcing arrangements, assessing corporate governance structures and guiding clients through engagements with the Central Bank, from authorisation applications to supervisory and PRISM engagements (including interview preparation) and the administrative sanctions procedure.
Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website and in our FSR and FinTech brochures. If you would like further information, please liaise with your usual Maples Group contact or the persons below.