On 2 March 2023, the Central Bank of Ireland ("Central Bank") published its Securities Markets Risk Outlook Report 2023 - Risks in a Rapidly Changing Environment ("Report").
The Report highlights the key risk areas identified and the steps regulated financial service providers ("firms") should take to effectively identify, mitigate and manage risks in the context of their particular business activities.
The Central Bank has determined its supervisory priorities for the coming year with reference to these key risk areas.
Key Areas of Focus
The Report identifies eight key areas that will be the focus of its supervisory engagement with firms in the coming year.
External Risk Environment
The current macro-financial environment remains a challenging landscape and global markets remain susceptible to shocks. The Central Bank has identified how, in particular, highly leveraged and less liquid funds are susceptible to these fraught conditions.
Greenwashing continues to be a key area of concern for the Central Bank.
Investment funds are expected to comply with their Sustainable Finance Disclosure Regulation ("SFDR") obligations and disclose accurate sustainability related information in product offerings.
Firms are expected to have robust procedures and policies in place to ensure products marketed as 'green' or 'sustainable' meet the criteria to be described as such.
Green bonds are also coming under increased focus.
Although the number of suspicious transaction and order reports ("STORs") received increased in 2022, this number has not kept pace with increased trading volumes.
As such, the identification, assessment and reporting of suspected instances of market abuse continues to be an area of priority.
Firms and issuers of financial instruments are expected to review and fully understand their obligations under the Market Abuse Regulation. Additional emphasis should be placed on STOR reporting requirements by both firms and trading venues, and maintenance of insider lists.
Market Conduct Risk Management
Firms should maintain adequate governance, control and surveillance frameworks that are robust for the management of wholesale market conduct risk inherent in their business to mitigate emerging conduct risks.
The Central Bank continues to observe deficiencies in firms' frameworks for the identification, assessment and management of market conduct risk.
Delegation and Outsourcing
Firms are expected to and comply with the Central Bank's Cross-Industry Guidance on Outsourcing, in addition to any other industry-specific requirements, when putting in place third-party service arrangements. For further information, see our previous update CP138: Central Bank of Ireland Publishes Cross-Industry Outsourcing Guidance.
Outsourcing in the funds sector is an area of particular focus – for both the Central Bank and at the EU level.
The Report makes clear that the Central Bank is aware of the growing market preference towards externally managed fund structures and the corresponding increase in scope of delegated activities. Fund Management Companies ("FMC") must exercise oversight over outsourced services. The Central Bank expects resources and expertise to increase as the nature, scale and complexity of third-party FMCs grow. This will be an area of particular focus in the future.
The Report also notes that firms should be aware of the concentration risk presented where cybersecurity and digital business processes are outsourced to a third party.
Cyber-attacks targeted at financial institutions are becoming increasingly sophisticated and have the potential to cause widespread disruption to the operations of critical market infrastructure and individual firms.
The Central Bank expects firms to ensure adequate ICT / cybersecurity risk management frameworks are implemented in line with the Central Bank's existing guidance.
The EU Digital Operational Resilience Act ("DORA") creates a harmonised European regulatory framework to strengthen the financial sector's resilience to ICT disruptions and threats. Although it does not come into effect until 17 January 2025, firms may wish to consider their obligations under DORA in advance of the 1 December 2023 deadline for compliance with the Central Bank's Cross Industry Guidance on Operational Resilience. For further information, see our previous updates: CP140: Central Bank of Ireland Publishes Operational Resilience Guidance and DORA: New EU Operational Resilience Regime for the Financial Sector.
The Central Bank underscores the importance of firms providing sufficient resources to data quality controls and regulatory reporting.
Firms are expected to submit data on a timely basis in line with their regulatory obligations. Appropriate oversight mechanism and controls should be adopted (including where data reporting is outsourced). Clearly defined escalation channels should be in place to promptly address data reporting issues. Firms are required to engage with the Central Bank as soon as possible after any data issues are identified (failure to do so may warrant supervisory intervention up to and including enforcement action).
The Report places a sharp focus on the benefits and risks that new technologies introduce to the securities markets. Changes in technology require careful management to ensure adequate investor protections are implemented and maintained. In particular, the Central Bank has highlighted the need for enhanced governance, cybersecurity, privacy, and product and operational risk frameworks to mitigate the risks associated with operational changes as a result of technological innovations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.