1. PAYMENTS

1.1 EBA updates Single Rulebook Q&A on PSD2

During the period 1 January 2023 to 31 March 2023, the European Banking Authority (EBA) updated its Single Rulebook Questions and Answers (Q&As) publication on Directive (EU) 2015/2366 (the Revised Payment Services Directive or PSD2) (the Single Rulebook Q&A). The Q&As in respect of the following articles have been updated:

  • Article 4 - Definitions;
  • Article 9 - Calculation of own funds;
  • Article 10 - Safeguarding requirements;
  • Article 11 - Granting of authorisation;
  • Article 19 - Use of agents, branches or entities to which activities are outsourced;
  • Article 21a - Approval of financial holding companies and mixed financial holding companies;
  • Article 28 - Application to exercise the right of establishment and freedom to provide services;
  • Article 54 - Changes in conditions of the framework contract;
  • Article 64 - Consent and withdrawal of consent;
  • Article 70 - Obligations of the payment service provider in relation to payment instruments;
  • Article 74 - Payer's liability for unauthorised payment transactions;
  • Article 95 - Management of operational and security risks;
  • Article 97 - Authentication;
  • Article 98 - Regulatory technical standards on authentication and communication

A copy of the Single Rulebook Q&A can be accessed here.

1.2 EBA publishes peer review on authorisation under PSD2

On 11 January 2023, the EBA published a report on the peer review on the authorisation of payment institutions (PIs) and electronic money institutions (EMIs) under PSD2 (Report). The Report sets out the findings of the EBA's peer review into the authorisation process for PIs and EMIs, taking into account the EBA Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers (Guidelines) issued in 2017.

The Report finds that, overall, competent authorities have been largely successful in implementing the Guidelines, but the EBA does note a number who need further implementation (for example, "local substance" jurisdiction requirements). The EBA notes "significant divergences" in procedures across competent authorities, including resources available and the length of the authorisation process, which ultimately results in a different supervisory standard. The EBA has laid out a series of measures to address such divergences, to harmonise the supervisory approaches of competent authorities and to prevent "forum shopping" within the EU.

The Report concludes with several good supervisory practices observed during the EBA's analysis. The EBA will conduct a follow-up review in 2 years.

A copy of the Report can be accessed here.

A copy of the Guidelines can be accessed here.

1.3 Decision of the European Banking Authority of 23 March 2023 amending Decision EBA/DC/453 of 24 June 2022 concerning the reporting of payment fraud data under PSD2

On 23 March 2023, the EBA published Decision EBA/DC/482 amending its Decision EBA/DC/453 of 24 June 2022 regarding the reporting of payment fraud data under PSD2 (EBA Amending Decision).

In accordance with Article 96(6) of PSD2, payment service providers must provide, at minimum on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities, who then provide this data to the EBA in aggregated format. Further details on this aggregated data can be found in the EBA Guidelines (EBA/GL/2018/05) on fraud reporting under PSD2, as amended.

The EBA Amending Decision amends the earlier Decision EBA/DC/453 of 24 June 2022 and now imposes upon competent authorities an obligation to "submit to the EBA the data referred to in Article 2 on a semi-annual basis for the reporting periods ending on 30 June and on 31 December, respectively by 10 February and by 10 August of the subsequent year."

The EBA's Amending Decision of 23 March 2023 can be accessed here.

A new consolidated version of Decision EBA/DC/453 of 24 June 2022 can be found here.

The Guidelines on fraud reporting under PSD2 can be accessed here.

2. DIGITAL FINANCE & CRYPTO-ASSETS

2.1 ESMA updates Q&As on DLT Pilot Regime Regulation

During the quarter, ESMA published updated versions of its Q&As relating to the implementation of Regulation (EU) 2022/858 (DLT Pilot Regime Regulation) (DLT Q&As). The DLT Q&As were updated on 3 February and again on 27 March 2023.

The Q&As have been updated as follows:

  • Transaction Reporting. A new Q&A 6 relating to reporting on behalf of natural persons was added on 3 February.
  • Financial Instruments Reference Data. A new Q&A 3 on how to populate DLT financial instruments that are the digital representation of a previously issued financial instrument, and a new Q&A 4 on how to populate DLT financial instruments that are exclusively created on the DLT were added on 3 February.
  • Transparency. A new Q&A 1 on the identification code for post-trade transparency obligations was added on 3 February.
  • DLT Financial Instruments. A new Q&A 1 on how the tentative market capitalisation of DLT shares should be calculated was added on 27 March.

A copy of the updated DLT Q&As can be accessed here.

2.2 European Payments Council yearly update of the "Guidelines on cryptographic algorithms usage and key management"

On 13 March 2023, the European Payments Council published its annual update of the guidelines on cryptographic algorithms usage and key management (v12.0). The European Payments Council has committed to review and update the guidelines annually in light of the constantly changing landscape of cryptology.

The guidelines' purpose is to provide guidance to the European payment industry regarding cryptographic algorithms and related topics. The document specifies a number of recommendations and best practices on cryptographic algorithms, security protocols, confidentiality and integrity protection and key management. Key updates in this revised v12.0 of the guidelines include updates related to quantum computing and DLT.

The updated guidelines can be found here.

3. CENTRAL BANK OF IRELAND

3.1 Dear CEO letter - Re: Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms

On 20 January 2023, the Central Bank published a letter addressed to Payments and E-Money firms reporting on its findings within the sector over the last year. The letter sets out the Central Bank's risk-based supervisory approach for the sector, and its supervisory findings identifying five key areas for the sector: Safeguarding; Governance, Risk management, Conduct and Culture; Business Model, Strategy and Financial Resilience; Operational Resilience and Outsourcing; and Anti-Money Laundering / Countering the Financing of Terrorism.

The Central Bank's key supervisory findings can be summarised as follows:

  • Safeguarding. The Central Bank recognises the protection of users' funds as one of its most important objectives and expects firms to have robust, Board approved, safeguarding risk management frameworks in place. After requesting all firms to comprehensively review their safeguarding regulation compliance in their December 2021 Dear CEO letter, the Central Bank found that nearly a quarter of those firms self-identified deficiencies in their safeguarding risk management frameworks, and deficiencies were later identified in other firms. In light of this, the Central Bank has requested all firms within the sector who are subject to the safeguarding requirements to commission an audit of their compliance with those requirements from an audit firm. The Central Bank has called for the auditor to issue an audit opinion as to whether the firm has maintained adequate organisational arrangements to meet the safeguarding requirements, along with a response from the Board on the outcome. The audit opinion must be submitted to the Central Bank by 31 July 2023.

  • Governance, Risk Management, Conduct and Culture. The Central Bank expects firms to foster a consumer-focused culture. During its review, the Central Bank observed a number of recurring issues including that some firms' governance, risk management and internal control frameworks are not consistently aligned to business strategies and business objectives including in circumstances where the firm's business growth is prioritised ahead of its internal systems and control framework. The Central Bank also found certain firms had inadequate succession planning, resourcing for internal control functions and reporting to the Board, in particular, with respect to customer complaints, fraud levels etc. The Central Bank also noted that some firms seemed to display a culture of "achieving minimum compliance", that sees regulation as a cost rather than as a business tool to ensure better outcomes for consumers and firms alike, and that product/service disclosures were unclear or not transparent. The Central Bank expects firms to consider their governance, risk management and internal control frameworks, as well as the composition of the Board and management team to ensure they are sufficient to run the business of the firm adequately and in line with expectations.

  • Business Model, Strategy and Financial Resilience. The Central Bank conducted a thematic review of business model and strategic risk of firms in the sector during 2022 that identified some failures in firms' strategic and capital planning frameworks. The Central Bank has focused on firms' compliance with their regulatory obligations to ensure they meet their minimum capitalisation requirements and the submission of complete and accurate regulatory returns in light of the fact that approximately one in every five firms submitted inaccurate regulatory returns to the Central Bank during the last 12 months. Issues identified include incorrect methodologies used for calculating own funds requirements; incorrect classification of regulatory capital held; and inaccurate payment values provided. The Central Bank expects firms to understand and meet their capital requirements at all times and to have robust internal controls to ensure the accuracy and integrity of data used by firms for regulatory reporting purposes, and for strategic and financial planning.

  • Operational Resilience and Outsourcing. The letter states that the Central Bank is increasingly focused on the need for firms to demonstrate their readiness for, and resilience to, operational disruptions and references its Cross Industry Guidance on Operational Resilience and Cross Industry Guidance on Outsourcing, issued in December 2021 as guidance to underpin this. The Central Bank has called for an improvement at Board and senior management level regarding the IT risks faced by firms, and a review and adoption of measures aimed to improve operational resilience in terms of outsourcing frameworks stating that the ultimate responsibility for a firm's IT risk, strategy and governance rests with executive management of the firm. The Central Bank expects Boards and senior management of payment and e-money firms to review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Guidance.

  • Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT). The Central Bank called for firms to improve their AML/CFT procedures as well as requesting that firms be cognisant of the risk factors set out in the EBA's ML/TF Risk Factors Guidelines (EBA/GL/2023/03) such as high transaction limits, the use of cash to fund transactions and the cross-border nature of transactions.

    The Central Bank set out its observations and expectations in respect of firms' AML/CFT framework including (i) Risk-Based Approach: seeking improved transaction monitoring controls and a better understanding of how products/services could be used for money laundering or financing terrorism; (ii) Distribution Channels: enhancing the oversight of the relationships between the firm and its distributors or agents, ensuring that customer due diligence procedures are completed in line with the firms' own ML/TF risk assessment and AML/CFT policies and procedures, and assessing their distributors and agents regularly (with resulting management information being sent to the Board); and (iii) Electronic Money Derogation and Simplified Due Diligence: having identified some areas of misapplication of both the derogation and the simplified due diligence requirements in general, the Central Bank expects that the simplified customer due diligence derogation for e-money is used only where all relevant criteria are met (i.e. it cannot be used where the customer is a PEP or resident in a high-risk third country) and that simplified due diligence is only carried out where appropriate to do so following a risk assessment of the individual relationship.

The Central Bank states that the contents of the letter are non-exhaustive and urges firms to seek to identify other potential risks that could lead to consumer detriment, or which could impact their financial and operational soundness.

The Central Bank expects all firms in the sector to discuss the letter with their Board, and to reflect on the Central Bank's supervisory findings and, as mentioned above, has requested that firms submit their audit opinions on the safeguarding requirements by 31 July 2023.

The Dear CEO letter can be accessed here.
