Ireland as a Location for Payment Institutions 2024

Ireland is home to a substantial number of payment institutions, some home grown, and others drawn to Ireland by its active and growing FinTech sector.

Aside from Ireland’s position as a FinTech hub, there are several advantages to being authorised in Ireland as a payment institution, including:

  • a strong regulatory framework with a credible and experienced regulator, the Central Bank of Ireland (“CBI”) which also promotes innovation through its Innovation Hub;
  • a favourable passporting regime with the ability to passport to other EEA Member States either on a branch or a cross-border services basis;
  • a favourable tax regime, due to a combination of a standard 12.5% corporate tax rate for businesses with revenues less than €750 million per year and an exceptionally extensive and comprehensive set of double tax agreements; and
  • access to a sophisticated financial services ecosystem with a deep pool of staff, managers, professional advisers, regulators and service providers including not only native English speakers but a sizeable international population.

Regulatory Framework

Payment institutions are regulated under the revised Payment Services Directive 2015/2366 (PSD2), as transposed into Irish law by the European Union (Payment Services) Regulations 2018 (“Payment Services Regulations”), and related measures.   

The CBI is responsible for the authorisation, prudential regulation and supervision of payment institutions in Ireland.

Passporting

A payment institution authorised in Ireland can passport to other EEA Member States on either a freedom of services or cross-border establishment basis, subject to the fulfilment of certain notification requirements. A payment institution authorised in another EEA Member State can also passport into Ireland.

A payments business established outside of the EEA, can obtain passporting rights either by establishing itself or a subsidiary in Ireland (or in another EEA Member State) and obtaining authorisation as a payment institution from the CBI (or from the relevant national competent authority in another EEA Member State) or by acquiring an existing authorised payment institution. Where an existing authorised payment institution is acquired, engagement with the CBI is likely to be necessary.

Authorisation Requirements

An entity that wishes to become authorised as a payment institution under Irish law must fulfil a number of requirements. In particular, applicants will be expected to show that they will have substance in Ireland, have a viable business model and be adequately capitalised, have appropriate arrangements in place to run a payment institution and comply with fitness and probity requirements. These concepts are discussed in more detail below.

Authorisation Requirements

Substance

The CBI places considerable emphasis on ensuring that the applicant’s “heart and mind” will be located in Ireland. This essentially means that the CBI will need to be satisfied that the applicant will be properly run in Ireland and that the CBI will be able to supervise it effectively. Among other things, the CBI will expect to see present in Ireland:
•    a senior management team with strength and depth overseen and directed by a strong board with input and challenge from independent directors; and
•    an organisation structure and reporting lines which ensure there is appropriate separation and oversight of all activities.

In terms of residency, the persons who are to fulfil the applicant’s core functions should operate in Ireland and the expectation is that virtually all of the senior personnel will be permanently based in Ireland. An Irish authorised payment institution can outsource/delegate certain activities to entities in other jurisdictions. However, overall responsibility for ensuring compliance with legislative requirements must stay in Ireland. In addition, a payment institution must notify the CBI when it intends to outsource critical or important functions (or when it intends to materially alter its existing outsourcing arrangements for such functions). The Payment Services Regulations set out a number of requirements with which a payment institution must comply when outsourcing “important” operational functions, such as IT systems. The CBI expects an payment institution to comply with the European Banking Authority’s (“EBA”) Guidelines on Outsourcing (available here) as well as the CBI’s Cross-Industry Guidance on Outsourcing (available here), including compliance with specific obligations in relation to the outsourcing of “critical and important” functions.

Capital Requirements

A payment institution must hold initial capital of between at least €20,000 and €125,000 depending on the types of payment services it provides. A payment institution which provides money remittance services (payment service 6) must have a minimum initial capital of €20,000. A payment institution providing payment initiation services (payment service 7) must have a minimum initial capital of €50,000. A payment institution providing payment services 1-5 (i.e. any of the other payment services as set out in the Schedule to the Payment Services Regulations, except account information services which do not have an initial capital requirement where it is the only payment service being applied for) must have a minimum initial capital of €125,000. 

However, these are minimum requirements and the actual amount of initial capital required for each individual firm will be notified to the firm by the CBI as part of the authorisation process and can vary depending on the nature, scale and complexity of the applicant’s business. In most cases, the initial capital that will be required will be higher than the minimum figures set out above. 

The CBI will expect applicants to inject the proposed initial capital into the business prior to drawing down its licence. 

Arrangements

An applicant will need to provide detailed information to the CBI regarding how it intends to function as a payment institution, including details of its: programme of operations; business plan; structural organisation; governance arrangements, internal control mechanisms, business continuity arrangements and procedures for dealing with security incidents.

Governance and Risk Management

An applicant is required to maintain governance arrangements, control mechanisms and procedures that are proportionate and appropriate to its business. This includes having sufficient resources, staff, a risk management framework, IT policies, and data protection policies. Applicants must use the EBA’s tool for calculating the professional indemnity insurance where applicable to them (available here). 

In addition, an applicant must consider the composition (both number and skills) of its board and management team, to ensure they are sufficient to conduct the applicant’s business from Ireland. An applicant’s board has responsibility for setting and overseeing the strategy of the firm, and ensuring that adequate and effective governance, risk management and internal control frameworks are in place. The board should have an appropriate balance of executive, non-executive and independent non-executive directors (“INEDs”). The INEDs must understand the business to a sufficient degree to be able to effectively contribute and provide an independent challenge to the executive directors of the board and be skilled in areas relevant to the applicant’s business such as accounting or risk.

Conduct and Culture

An applicant is expected to have a consumer-focused culture with robust internal systems and controls, including well developed risk management frameworks. The applicant’s approach to engagement with the CBI, such as how long the applicant takes to reply to queries raised by the CBI, will be considered when assessing the firm’s corporate culture. In addition, the applicant will be expected to show that it has considered diversity and inclusion, particularly in forming its board and how the business will assist with the fight against climate change.

In relation to conduct, the applicant must comply with the Central Bank (Individual Accountability Framework) Act 2023 once authorised as a payment institution, which includes compliance by senior role holders with the Common Conduct Standards and the Additional Conduct Standards. The CBI’s expectations on the Individual Accountability Framework are set out in its Guidance on the Individual Accountability Framework (available here). For further information on the Individual Accountability Framework, please see our dedicated information page on our website (available here).
 

Safeguarding

An applicant must have a safeguarding risk framework in place, approved by its board, which ensures that relevant client funds are appropriately identified, managed and protected on a day-to-day basis. Transaction approval authority regarding safeguarding accounts must reside within the Irish applicant entity and not with other group entities or third parties. There must be oversight of this framework by an applicant’s second line of defence (risk and compliance functions) and third line of defence (internal audit).

An applicant should have an independent Internal Audit Charter clearly setting out the roles and responsibilities of the Internal Audit Function which should be directly reported to the board of the applicant. Applicants should also ensure they have appropriate compliance policies in place such as a whistleblowing policy and a conflicts of interest policy.

Business Model, Strategy and Financial Resilience

An applicant is expected to have a capital accretive business model that is viable and sustainable with due regard given to potential firm specific and wider market stress scenarios. The CBI expects plausible projections covering a three-year period and the CBI has a standardised business model template for this which is provided to firms upon application.

While an applicant may operate as part of a larger group and be reliant on group strategic decisions to inform local strategy, there must be sufficient financial (capital and liquidity) and operational (resources, IT systems etc.) capacity and capability within the firm to execute that strategy.

An applicant is expected to have robust strategic and capital planning frameworks which demonstrate that it has a good understanding of risks it faces and potential financial impacts, such that the applicant can proactively manage its capital to ensure that it is in a position to meet own funds (capital) requirements on a stand-alone basis at all times, i.e. sufficient regulatory capital is available to absorb losses, including during stress conditions.

An applicant is expected to have board-approved business strategies in place supported by robust financial projections and must understand and meet its capital requirements at all times. Strong internal controls must be in place, that are subject to regular testing, to ensure the accuracy and integrity of data used by the firm for regulatory reporting purposes, and for strategic and financial planning.

Operational Resilience

The CBI expects an applicant to be able to respond to, recover and learn from operational disruptions. If an applicant is part of a wider group, the CBI will expect the applicant to operate sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised in Ireland.

An applicant’s board and senior management teams must ensure they have the skills and knowledge to meaningfully understand their responsibilities and risks the firm faces. This responsibility also extends to outsourced activities where the activities are conducted on the firm’s behalf by any third party, including any group entity.

Financial Crime

As a designated firm, a payment institution must comply with the know-your-customer / anti-money laundering (“AML”) obligations set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. An applicant must have a strong AML control framework that specifically focusses on the money laundering and terrorist financing risks arising from the applicant’s business model.

Where distributors and/or agents undertake preventative AML measures and controls, such as customer due diligence (“CDD”), on behalf of a payment institution, these must be completed in line with the payment institution’s own risk assessments and AML policies and procedures. Payment institutions must also exercise adequate oversight of their agents and distributors with an appropriate level of ongoing assurance conducted. Payment institutions must undertake appropriate assessment of their agents and distributors that undertake activities on their behalf. The responsibility for carrying out customer risk assessments and CDD on the end user of the products and services ultimately rests with payment institutions, even where such tasks are being performed by agents and distributors.

Resolution and wind-down

An applicant is expected to have an appropriate exit/wind-down strategy which is linked to its business and operational model and that ensures the return of customer funds as soon as is reasonably practical in an exit/wind-up scenario. An effective wind-down plan would include:

  • governance and escalation processes to be followed during crisis management;
  • a sample of scenarios which could trigger a wind-down;
  • a risk management framework;
  • resources that would be required in the event of a wind-down;
  • plans to assess the impact on, communicate with and mitigate the impact on counterparties, consumers, group companies and the wider market; and
  • a process and timeline for returning users’ funds.

Fitness and Probity

Once an application has entered the assessment phase, the applicant will also need to ensure that all relevant individuals proposed to hold a Pre-Approval Controlled Function (“PCF”) role in the applicant entity (typically board members, senior management, key function holders) complete Fitness and Probity Individual Questionnaires. The CBI expects applicants to have conducted their own due diligence before proposing a candidate for appointment to a PCF role. Where it is proposed for a person to hold more than one PCF role, sufficient information on why this is appropriate should be provided to the CBI. The CBI has confirmed in its “Expectations for Authorisation of Payment and Electronic Money Institutions and Registration of Account Information Service Providers” document (available here) that a proposal for a person to hold three or more PCF roles will not be approved.

The CBI’s fitness and probity requirements are based on Guideline 16 of the “EBA Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers” which relates to the “identity and suitability assessment of directors and persons responsible for the management of the payment institution or electronic money institution”.

The CBI has published “Guidance on the Specific Requirements that apply to persons seeking approval for a Pre-Approval Controlled Function role in a Payment Institution or Electronic Money Institution” (available here). All relevant individuals must submit an Individual Questionnaire electronically. However, access to the online Individual Questionnaire only becomes available after an application has been deemed to contain all the key information needed to progress to the assessment phase of the application process.

Authorisation Process

An application for authorisation as a payment institution must be submitted to the CBI.  

All applications for authorisation as a payment institution in Ireland must be submitted using the following form: 

  • Authorisation as an Payment Institution (available here) (except where the firm only intends to provide account information services in which case a different application form should be used (available here)). 

The CBI has also published a Guidance Note on completing authorisation/registration applications under the Payment Services Regulations (available here) and provides information about the regulatory requirements for payment institutions on its website (available here). More recently, the CBI published a document setting out the Central Bank of Ireland Expectations for Authorisation of Payment and Electronic Money Institutions and Registration of Account Information Service Providers (the “CBI Expectations Document”) (available here) which notes: 

“Applicant firms should ensure that all submissions are of an appropriate standard, good quality, and have obtained all necessary approvals prior to submission. Submissions should also be provided in a timely manner.”

The CBI notes that common issues during the authorisation assessment are:

  • inadequate preparation and application completeness;
  • an applicant’s inability to clearly describe the proposed business model or changing its proposed business model during the process;
  • applicants failing to respond to the CBI’s queries in a timely manner;
  • applicants failing to prepare appropriate local risk frameworks; and
  • issues with proposed candidates for PCF roles.

In addition to the application form, an applicant must complete:

  • the Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire for Payment Institution and Electronic Money Institution Applicants (available here);
  • Qualifying Holder Application Forms (available here) as appropriate; and
  • Fitness and Probity Individual Questionnaires for all PCF roles.

Pre-application bespoke meetings are scheduled between the CBI’s Authorisation Team and potential applicants to provide direction on application requirements and answer any specific questions applicants may have about the application process. The CBI has also stated in its recent CBI Expectations Document that detailed assessment meetings will be held in relation to various areas of the proposal.

Additionally, the CBI encourages potential applicants to engage with the CBI early in relation to the applicant’s business plan and to consider doing so initially via its Innovation Hub (see further information here).

The different stages in the process to obtain authorisation as a payment institution are set out in the table below.

Application Process
Stage 1: Exploratory Stage

Phase 1: Initial meeting and Key Facts Document

Bespoke pre-application meetings are scheduled with all potential applicants to provide direction on application requirements and answer any specific questions applicants may have about the application process, service standards or completing the application form. All applicants will be required to return a ‘Key Facts Document’ to the CBI at least 5 working days prior to the pre-application meeting. The Key Facts Document was updated in April 2024 and is now required to be between 15-20 pages in length. The CBI recommends applicants take into consideration all items discussed during the pre-application meeting prior to submitting an application. The CBI will usually raise any concerns it has at this point but will not provide any legal advice. At this meeting the CBI can:

  • provide greater clarity about the assessment process and the authorisation requirements; and
  • identify any initial issues with the proposal which, if not addressed, would preclude the application from proceeding.

Phase 1: Submitting the Application Form and Acknowledgement

When applying for authorisation, an applicant must provide certain information to the CBI, including details of its:

  • programme of operations setting out a step-by-step description of the payment service mechanism from start to finish; 
  • business plan; 
  • structural organisation;
  • evidence of initial capital; governance arrangements and internal control mechanisms;
  • process for dealing with sensitive payment data; business continuity arrangements;
  • security policy document;
  • AML/Countering the Financing of Terrorism (“CFT”) Internal Control Mechanisms; and
  • identity and suitability assessments for persons with qualifying holdings in the applicant and senior managers.

The CBI aims to acknowledge receipt of an application for authorisation submitted by the applicant within 3 working days of receipt.

Phase 2: Key Information Check and Initial Assessment

The CBI checks that the applicant has submitted all the key information and documentation. The CBI aims to confirm whether or not this is the case, generally within 10 working days of receipt of the application. The CBI also carries out an initial assessment of the application to check whether the applicant is likely to meet the CBI’s expectations. There are two possible outcomes to this initial assessment:

(a) Progression: The CBI will permit the application to proceed to the assessment stage. The CBI will assign a specific case manager as the primary point of contact for the applicant at this stage. The CBI notes that applicants which make “the necessary senior appointments early in the process generally submit a more complete application” and tend to be authorised more quickly; or

(b) Issues have been Identified Precluding Progression: This is where the CBI is of the view that the applicant cannot progress to the assessment stage. The CBI will identify the issues and the applicant will have the opportunity to address these issues which may be via written submissions or meetings (in person or online) with the CBI.

Stage 2: Assessment Stage

Stage 2: Assessment Stage

The CBI assesses the application against the authorisation requirements and issues initial comments to the applicant on its application as well as subsequent comments based on its review of the applicant’s responses. Additional information and detailed assessment meetings may be requested by the CBI. Individuals proposed for Pre-Approval Controlled Function roles are sometimes invited for interview as part of the assessment of their Fitness and Probity for key roles. There are two possible outcomes:

  • Positive Outcome (Minded to Authorise letter): If the applicant has shown it will meet all authorisation requirements, the CBI will issue a Minded to Authorise letter which will include requirements to be addressed prior to authorisation, conditions for post-authorisation, and the proposed level of capital to be held; or
  • Negative Outcome (Minded to Refuse letter): If the CBI is not satisfied with the application, a Minded to Refuse letter will be issued. This letter will include the reason(s) for the proposed decision and specify the period within which the applicant may make submissions in writing to the CBI before a final decision is made.

In 90% of cases, the CBI will complete the assessment phase within 90 working days, although the clock will be paused in certain circumstances, including when queries are raised by the CBI on the application.

Stage 3: Authorisation Decision

Stage 3: Authorisation Decision

The CBI notifies the applicant of the outcome of the assessment process. There are two possible outcomes:

  • Positive Outcome (Letter Granting Authorisation): Subject to the pre-authorisation requirements in the ‘Minded to Authorise’ letter having been addressed, no new adverse information coming to the CBI’s attention in the interim, and agreement from the applicant as to the proposed conditions and capital, a letter granting authorisation will be issued, and the applicant firm will then be able to commence its regulated activities; or
  • Negative Outcome (Letter of Refusal): Where a ‘Minded to Refuse’ letter has issued, the CBI will review any submissions made by the applicant. If the CBI is still not satisfied to approve an application following the review of any submissions to a ‘Minded to Refuse’ letter, it will issue a letter of refusal.

In 90% of cases, the CBI will issue the final letter within 10 business days of receipt of a satisfactory response to matters detailed in the “Minded to Authorise/Register” letter.

Following its authorisation, the payment institution must comply with its ongoing obligations and supervisory requirements under relevant legislation, such as its obligations:

  • to safeguard customers’ funds;
  • to comply with ongoing capital requirements; 
  • under the Payment Service Regulations;
  • to comply with the AML/CFT legislation; and
  • to comply with the Consumer Protection Code 2012 (as amended) (which is currently being revised, as discussed in our briefing available here). 

Authorised payment institutions are expected to, among other things, act honestly, fairly and professionally.

How Can McCann FitzGerald LLP Help?

McCann Fitzgerald LLP is a premier law firm in Ireland and advises on the full range of legal, tax and compliance activities undertaken by payment institutions in Ireland.  We have substantial experience in successfully guiding applicants through the regulatory authorisation process and in helping them to comply with their legal obligations, once established. If you are considering setting up a payment institution authorised under Irish legislation, please contact us for further information as to how we can help.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.