Central Bank Focus on Payment and E-money Firms

On 20 January 2023, the Central Bank of Ireland (“CBI”) published a ‘Dear CEO’ letter (the “Letter”) on supervisory findings and expectations for payment and electronic money (“e-money”) firms (together, “Firms”) (here).

The Letter follows a 2021 ‘Dear CEO’ letter to Firms, which we detailed in our briefing (here), and highlights the CBI’s continued regulatory focus on this sector.

The CBI states that the Letter is intended to reaffirm its supervisory expectations and to enhance the transparency around the CBI’s approach to regulation and supervision. The Letter details the key findings from its supervision activities and outlines several actions that it expects Firms to take.

Supervisory findings and actions to be taken by Firms

The CBI sets out its supervisory findings and actions to be taken by Firms under five headings:

1. Safeguarding

In relation to safeguarding users’ funds, the CBI notes that one in every four Firms has self-identified deficiencies in their safeguarding risk management frameworks. Appendix 1 of the Letter details some of these safeguarding deficiencies.

The CBI confirms that it expects Firms to:

  • have Board-approved safeguarding risk-management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed and protected on an ongoing basis. This framework should include clear segregation, designation and reconciliation of users’ funds held on behalf of customers;
  • be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis;
  • notify the CBI immediately of any safeguarding issues identified;
  • take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional instances, issues are identified; and
  • investigate and remediate on a timely basis the underlying root cause of any safeguarding issue(s).

The CBI also requires all Firms who are required to safeguard users’ funds to obtain a specific audit of their compliance with safeguarding requirements set out in Regulation 17 of the European Union (Payment Services) Regulations 2018 (the “PSR”) and Regulations 29-31 of the European Communities (Electronic Money) Regulations 2011 (the “EMR”).

This audit should be carried out by an audit firm, such as a Firm’s external auditors. The proposed auditor must have, or have access to, appropriate specialist skill in auditing compliance with safeguarding requirements under the PSR/EMR taking into account the nature, scale and complexity of the Firm’s business.

The audit opinion must confirm:

“whether the firm has maintained adequate organisational arrangements to enable it to meet the safeguarding provisions of the PSR/EMR on an ongoing basis, with the specific areas, at a minimum, that should be subject to review and assurance by the auditor outlined in Appendix 2”.

The audit opinion, along with a Board response on the outcome of the audit, should be submitted to the CBI by 31 July 2023.

2. Governance, risk management, conduct and culture

The CBI states that governance and risk management capabilities are not being consistently prioritised by Firms and some recurring issues arise, for example:

  • frameworks not being consistently aligned with business strategies;
  • inadequate resourcing of internal audit, risk management and compliance functions; and
  • inadequate reporting to the Board particularly in relation to customer complaints.

The CBI confirms that it expects Firms to consider their governance, risk management and internal control frameworks to ensure they are sufficient to run their business from Ireland.

3. Business model, strategy and financial resilience

The CBI has completed a thematic review of business model and strategic risk across a number of Firms which identified that some Firms do not have defined or embedded Board-approved business strategies in place.

The CBI confirms that:

  • it is critical that Firms ensure that they have sufficient financial and operational capacity and capability to execute Board-approved strategies;
  • Firms must have robust strategic and capital planning frameworks, in order to proactively manage capital to ensure that they are in a position to meet their own funds requirements on a stand-alone basis at all times, including during stress conditions;
  • Firms must have an appropriate exit/wind-up strategy, which is linked to their business model and considers the full return of users’ funds in an efficient and timely manner;
  • Firms should have Board-approved business strategies in place supported by robust financial projections; and
  • Firms must have good data and timely and accurate management information. The CBI notes that one in every five Firms has submitted inaccurate regulatory returns to the CBI in the previous twelve months.

4. Operational resilience and outsourcing

The CBI notes that technology is at the core of the operations of the majority of Firms which underlines the importance of IT risk management. The CBI has observed an increase in major incidents/outages, many of which, the CBI notes, arise from issues with group/third party providers.

The CBI states that Boards and senior management teams must ensure that they have the skills and knowledge to meaningfully understand the risks their Firm faces and the responsibilities they have, including risks in respect of outsourced activities.

The CBI expects that Boards and senior management review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Cross Industry Guidance on Operational Resilience and Cross Industry Guidance on Outsourcing.

5. Anti-money laundering and countering the financing of terrorism (“AML/CFT”)

The CBI notes that Firms are classified as ‘Designated Persons’ for the purposes of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the “2010 Act”) and, as such, are subject to obligations under this Act.

The CBI expectations in this area include:

  • a risk-based approach: AML/CFT controls, such as transaction monitoring controls, should be risk-sensitive and tailored to the risks identified in a Firm’s ML/TF assessment;
  • distribution channels: the CBI expects that Firms exercise adequate oversight of their agents and distributors with an appropriate level of ongoing assurance conducted; and
  • e-money derogation and simplified due diligence: the e-money derogation which allows for a customer due diligence derogation for certain e-money products should only be availed of where it is appropriate and where all criteria are met.

Comment and next steps

A key next step for Firms is complying with the requirement to provide a safeguarding audit opinion to the CBI. Firms should identify a suitable auditor and begin engagement to ensure delivery of this opinion by the deadline of 31 July 2023.

In addition, Firms should take note of the requirement that the Letter be provided to and discussed with the Board. Firms should ensure that the Letter is included on the Board’s agenda and minutes are recorded of the Board’s discussion of the contents of the Letter.

More generally, Firms should note the CBI’s expectation that they take proactive measures to ensure robust and appropriate governance and control arrangements are in place, such that Firms can grow safely and sustainably. Given the Letter is the second ‘Dear CEO’ letter to the payment and e-money sector in a relatively short space of time, Firms should continue to expect a high level of regulatory engagement from the CBI.

Also contributed to by Jonathan Murchan

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.