Ireland as a Location for Payment Institutions 2023

Ireland is home to a substantial number of payment institutions, some home grown and others drawn to Ireland by its active and thriving FinTech Sector.

Aside from Ireland’s position as a FinTech hub, there are a number of advantages to being authorised in Ireland as a payment institution, including:

  • a strong regulatory framework with a credible and experienced regulator, the Central Bank of Ireland (“CBI”);
  • the ability to engage with the CBI through its Innovation Hub prior to seeking authorisation as a payment institution;
  • a favourable passporting regime with the ability to passport to other EEA Member States either on a branch or a cross-border services basis;
  • a favourable tax regime, due to a combination of a 12.5% corporate tax rate and an exceptionally extensive and comprehensive set of double tax agreements; and
  • access to a sophisticated financial services ecosystem with a deep pool of staff, managers, professional advisers, regulators and service providers including not only native English speakers but a sizeable international population.

Regulatory Framework

Payment institutions are regulated under the revised Payment Services Directive 2015/2366, as transposed into Irish law by the European Union (Payment Services) Regulations 2018 (“Payment Services Regulations”), and related measures.  

The CBI is responsible for the authorisation, prudential regulation and supervision of payment institutions in Ireland.

Passporting and Third Country Firms

A payment institution authorised in Ireland can passport to other EEA Member States on either a services or cross-border establishment basis, subject to the fulfilment of certain notification requirements. A payment institution authorised in another EEA Member State can also passport into Ireland.

A payments business established outside the EEA, can obtain passporting rights either by establishing itself or a subsidiary in Ireland (or in another EEA Member State) and obtaining authorisation as a payment institution from the CBI (or from the relevant national competent authority in another EEA Member State) or by acquiring an existing authorised payment institution.

Authorisation Requirements

An entity that wishes to become authorised as a payment institution under Irish law must fulfil a number of requirements. In particular, the entity will be expected to show that it has substance in Ireland, is adequately capitalised, has appropriate arrangements in place to run a payment institution and complies with fitness and probity requirements.

Substance

The CBI places considerable emphasis on ensuring that an applicant’s “heart and mind” will be located in Ireland. This essentially means that the CBI will need to be satisfied that the applicant will be properly run in Ireland and that the CBI will be able to supervise it effectively. Among other things, the CBI will expect to see present in Ireland:

  • a senior management team with strength and depth overseen and directed by a strong board; and
  • an organisation structure and reporting lines which ensure there is appropriate separation and oversight of all activities.

In terms of residency, the personnel who are to fulfil the applicant’s core functions should operate out of Ireland and the expectation is that virtually all of the senior personnel will be permanently based in Ireland.

An Irish authorised payment institution can outsource/delegate activities to entities in other jurisdictions. However, overall responsibility for ensuring compliance with legislative requirements must stay in Ireland. In addition, a payment institution must notify the CBI when it intends to outsource operational functions of payment services. Moreover, the Payment Services Regulations set out a number of requirements with which a payment institution must comply when outsourcing “important” operational functions, such as IT systems. The CBI expects a payment institution to comply with the EBA’s Guidelines on Outsourcing, as well as the CBI’s Cross-Industry Guidance on Outsourcing.

Capital Requirements

A payment institution must hold initial capital of at least between €20,000 and €125,000 depending on the types of payment services it provides. The actual amount of initial capital required for each individual firm will be notified to the firm as a part of the authorisation process and can vary depending on the nature, scale and complexity of the applicant’s business.

Arrangements

An applicant will need to provide detailed information to the CBI regarding how it intends to function as a payment institution, including details of its: programme of operations; business plan; structural organisation; governance arrangements and internal control mechanisms; and business continuity arrangements procedure for dealing with security incidents.

Governance and Risk Management

An applicant is required to maintain governance arrangements, control mechanisms and procedures that are proportionate and appropriate to their business. In addition, an applicant must consider the composition (both number and skills) of their board and management team, to ensure they are sufficient to run their business from Ireland. An applicant’s board has responsibility for setting and overseeing the strategy of the firm, and ensuring that adequate and effective governance, risk management and internal control frameworks are in place.

Conduct and Culture

An applicant is expected to have a consumer-focused culture with robust internal systems and controls, including well developed risk management frameworks.

Safeguarding

An applicant must have a safeguarding risk framework in place, approved by its Board, which ensures that relevant client funds are appropriately identified, managed and protected on a day-to-day basis. There must be oversight of this framework by an applicant’s second line of defence (risk and compliance functions) and third line of defence (internal audit). In 2023, an external audit of safeguarding requirements is required for payment firms who safeguard users’ funds. While this audit is just for 2023, depending on the outcome of the audit, it is possible that similar audits may be required in the future.

Business Model, Strategy and Financial Resilience

An applicant is expected to have a capital accretive business model that is viable and sustainable with due regard given to potential firm specific and wider market stress scenarios.

While an applicant may operate as part of a larger group, and be reliant on group strategic decisions to inform local strategy, there must be sufficient financial (capital and liquidity) and operational (resources, IT systems etc.) capacity and capability within the firm to execute that strategy.

An applicant is expected to have robust strategic and capital planning frameworks which demonstrate that they have a good understanding of the risks that they face and their potential financial impact, such that they can proactively manage their capital to ensure that they are in a position to meet their own funds (capital) requirements on a stand-alone basis at all times, i.e. sufficient regulatory capital is available to absorb losses, including during stress conditions.

An applicant is expected to have board-approved business strategies in place supported by robust financial projections, and must understand and meet their capital requirements at all times. Strong internal controls must be in place, that are subject to regular testing, to ensure the accuracy and integrity of data used by the firm for regulatory reporting purposes, and for strategic and financial planning.

Operational Resilience

The CBI expects an applicant to be able to respond to, recover and learn from operational disruptions. If an applicant is part of a wider group, the CBI will expect the applicant to operate sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised in Ireland.

An applicant’s board and senior management teams must ensure they themselves have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have. This responsibility also extends to outsourced activities where the activities are conducted on the firm’s behalf by any third party, including any group entity.

Financial Crime

As a designated firm, a payment institution must comply with the know-your-customer / anti-money laundering (AML) obligations set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. An applicant must have a strong anti-money laundering control framework that   specifically focusses on the money laundering and terrorist financing risks arising from the applicant’s business model.

Where distributors and/or agents undertake AML preventative measures and controls, such as customer due diligence (CDD), on behalf of a payment firm, this must be completed in line with the payment firm’s own risk assessments and AML policies and procedures. Payment firms must also exercise adequate oversight of their agents and distributors with an appropriate level of ongoing assurance conducted. Payment firms must undertake appropriate assessment of their agents and distributors that undertake activities on their behalf. The responsibility for carrying out customer risk assessments and CDD on the end user of the products and services ultimately rests with payment firms, even where such tasks are being performed by agents and distributors.

Resolution and wind-up

An applicant is expected to have an appropriate exit/wind-up strategy which is linked to their business and operational model that ensures the return of customer funds as soon as is reasonably practical in an exit/wind-up scenario.

Fitness and Probity

Once an application is submitted, the applicant will also need to ensure that all relevant individuals proposed to hold a Pre-Approval Controlled Function (“PCF”) role (typically board members, senior management, key function holders) complete Fitness and Probity Individual Questionnaires.

The CBI’s fitness and probity requirements are based on Guideline 16 of the “EBA Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers” which relates to the “identity and suitability assessment of directors and persons responsible for the management of the payment institution or electronic money institution”. The CBI has published Guidance on the Specific Requirements that apply to persons seeking approval for a Pre-Approval Controlled Function role in a Payment Institution or Electronic Money Institution (here).

All relevant individuals must submit an Individual Questionnaire electronically; however, access to the online Individual Questionnaire only becomes available after an application has been deemed to contain all the key information needed to progress to the assessment phase of the application process.

Authorisation Process

An application for authorisation as a payment institution must be submitted to the CBI. According to the CBI, it:

seeks to process each application as expeditiously as possible while meeting its obligation to operate a rigorous and effective gatekeeper function. It aims to ensure that the application process is facilitative and accessible from the perspective of applicants and, importantly, that applicants have clarity with regard to the process, its requirements and timelines.

The CBI has also published a Guidance Note on completing an authorisation application under the Payment Services Regulations (here).

All applications for authorisation as a payment institution in Ireland must be submitted using the following form: Authorisation as an Payment Institution (here) (except where the firm only intends to provide account information services in which case a different application form should be used (here)). In addition, an applicant must complete:

  • the Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire for Payment Institution and Electronic Money Institution Applicants (here);
  • Qualifying Holder Application Forms (here) as appropriate; and
  • Fitness and Probity Individual Questionnaires for all PCF roles.

There are five stages to the authorisation process for a payment institution following a pre-application meeting, and once the applicant has submitted a completed Application Form and relevant accompanying documentation.

These stages are set out below and also apply to applicants applying for registration as account information service providers.

 

Application Process

Pre-application meeting

A preliminary meeting with the CBI is scheduled with all potential applicants to address specific questions regarding the application process, service standards or completing the application form.  

All applicants will be required to return a ‘Key Facts Document’ at least 5 working days prior to the pre-application meeting. The CBI recommends applicants take into consideration all items discussed during the pre-application meeting prior to submitting an application.

Stage 1: Submitting the Application Form and Acknowledgement

This is the first formal stage in the application process. When applying for authorisation, an applicant must provide certain information to the CBI, including details of its: programme of operations; business plan; structural organisation; evidence of initial capital;   governance arrangements and internal control mechanisms; process for dealing with sensitive payment data; business continuity arrangement; security policy document; AML/CFT Internal Control Mechanisms; and identity and suitability assessments for persons with qualifying holdings in the applicant and senior managers.

The CBI will acknowledge receipt of an application for authorisation/registration submitted by the applicant within 3 working days of receipt.

Stage 2: Key Information Check

The CBI checks that the applicant has submitted all the key information and documentation and confirms whether or not this is the case within 10 working days of receipt of the application. If the application is lacking any key information, the CBI will identify this information and the applicant can then decide to resubmit. Any subsequent application will be considered a new application and the application process commences again.

Stage 3: Assessment

The CBI assesses the application against the authorisation requirements and issues initial comments to the applicant on its application as well as subsequent comments based on its review of the applicant’s responses. The CBI has committed to a 90 working day assessment phase, however, this period will be paused in certain circumstances, for example should the CBI request further information, which is likely.

Stage 4: Notification of Assessment

The CBI notifies the applicant of the outcome of the assessment process. Where the assessment is favourable, the CBI will notify the applicant that it proposes to authorise. This letter will also specify any specific conditions the CBI proposes to impose on the authorisation itself once granted, along with the reasons for these conditions. Applicants will have the opportunity to make representations regarding these conditions before the CBI makes its decision.

If the CBI is not satisfied that it should authorise the applicant on the basis of the assessment, it will set out the areas to be addressed. The applicant has the right to respond to any issues raised by the CBI in its notification and the CBI will assess any responses made before notifying the applicant of its decision in Stage 5 of the process.

Stage 5: Notification of Decision

Where the CBI intends to authorise the applicant, it aims to notify the applicant of its decision within 10 working days of any pre-conditions to authorisation being satisfied. In a case where the CBI is minded to refuse the application, the CBI will notify the applicant of the proposed grounds for refusal and the next steps in that process. These steps will include an opportunity for the applicant to make submissions in response to the proposed refusal.


How Can McCann FitzGerald LLP Help?

McCann Fitzgerald LLP is a premier law firm in Ireland and advises on the full range of legal, tax and compliance activities undertaken by payment institutions in Ireland. We have substantial experience in successfully guiding applicants through the regulatory authorisation process and in helping them to comply with their legal obligations, once established. If you are considering setting up a payment institution authorised under Irish legislation, please contact us for further information as to how we can help.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.