knowledge 17 December 2021 |

Central Bank Issues “Dear CEO” Letter to Payment and E-Money Firms

On 9 December 2021, the Central Bank of Ireland (the “CBI”) issued a letter to the CEOs of Payment and Electronic Money (E-Money) Firms (“Firms”) entitled ‘Supervisory Expectations for Payment and Electronic Money (E-Money) Firms’ (the “Letter”) (here).

The Letter is issued in the context of substantial growth in the payments sector over the last number of years and the increasingly important role Firms play in the financial system.  The CBI highlights that a failure of Firms to meet supervisory obligations may have a significant impact on the functioning of the wider financial system and those consumers who rely on their services.

The Letter outlines the CBI’s supervisory expectations for Firms - the most significant features of these expectations are highlighted in the box below:

 

Supervisory expectations

Governance and Risk Management

  • Firms must maintain governance arrangements, control mechanisms and procedures that are proportionate and appropriate in accordance with relevant legislation, including The European Communities (Electronic Money) Regulations 2011 (“EMR”) and The European Union (Payment Services) Regulations 2018 (“PSR”); and
  • Firms must comply with the CBI’s fitness and probity regime and ensure a functioning Board is in place which is responsible for the effective and prudent oversight of the Firm.

Conduct and Culture

  • Firms must ‘embed a consumer-focused culture’;
  • Firms must ensure products are suitable for their customers’ needs, are capable of delivering the promised benefits and disclose any key product risks; and
  • Firms should examine each risk identified to consumers in the CBI’s Consumer Protection Outlook Report 2021 (here) and take all appropriate actions to protect their consumers.

Safeguarding
  • Firms must have robust, Board-approved, safeguarding risk frameworks in place which ensure that relevant client funds are appropriately identified, managed and protected on a day-to-day basis; and
  • Safeguarding arrangements should be reviewed regularly to ensure they remain compliant with the relevant regulations.

Business Model and Financial Resilience

  • Firms must have sufficient financial resources in place to support current and projected business plans;
  • Firms must understand and meet their own funds requirements at all times; and
  • Firms must notify the CBI as soon as they become aware of any breach of legal or prudential requirements, or, any other material adverse development that may impact on a Firm’s business, or, where there is an expectation of a material change to a Firm’s business model.

Operational Resilience

  • Firms must be able to respond to, recover and learn from operational disruptions;
  • Firms must operate sufficiently on a stand-alone basis to ensure the ‘primacy’ of the legal entity authorised in the State; and
  • Ultimate responsibility for a Firm’s IT and cyber risk strategy and governance (including outsourced activities) must rest with the Board.

Financial Crime
  • Firms must invest in and maintain strong anti-money laundering (“AML”) and Countering the Financing of Terrorism (“CFT”) control frameworks;
  • Firms are required to comply with the European Banking Authority’s Guidelines on Outsourcing Arrangements; and
  • Firms’ AML/CFT frameworks should be based on a risk assessment that focuses on the money laundering and terrorist financing risks arising from a Firm’s business model.

Resolution and Wind-Up

Firms are expected to have an appropriate exit/wind-up strategy which is linked to their business and operational model and considers the return of customer funds as soon as is reasonably practical in an exit/wind-up scenario.


Next Steps

The CBI expects Firms to complete a comprehensive assessment of their compliance with their safeguarding obligations under Regulation 17 of the PSR and Regulation 29-31 of the EMR and the conditions of their authorisation. The CBI states that the Board should oversee this review and consider the conclusions and any remediation actions emanating from it. A ‘Board approved attestation’ confirming the completion and conclusion of the assessment must be provided to the CBI by 31 March 2022. If any issues are identified as part of this review, a Board-approved remediation plan must be put in place which ensures timely resolution of those issues.

Comment

The Deputy Governor (Prudential Regulation) of the CBI recently stated that it is “important that technology-driven firms recognise that they need appropriate governance and risk management arrangements and demonstrate appropriate cultures that sustainably deliver for their customers and maintain trust in the financial system” here. The Letter clearly indicates that supervision of the technology-driven payments sector will be a CBI priority in 2022. Firms should take note of the CBI’s supervisory expectations as set out in the Letter and, in particular, commence the required assessment with a view to completing same in advance of the CBI’s deadline of 31 March 2022.  

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.