Empty Link Skip to Content

Financial Services Regulation

Setting the tone for the year ahead are the Central Bank of Ireland's ("Central Bank") key regulatory and supervisory priorities. Here we capture the significant and broad ranging, ongoing or anticipated developments which the Central Bank will be monitoring or introducing over the course of the year.

Boards and senior management should ensure that each of the priorities relevant to their business, is being considered and addressed by the necessary individuals and teams. Below we consider the publication of the priorities and two specifically named priorities which are of cross sectoral importance and interest to our financial services clients. 

Key Themes in Financial Services Regulation

Central Bank of Ireland – Key Regulatory and Supervisory Priorities for 2023

On three separate occasions in January and February this year, the Central Bank of Ireland ("Central Bank") publicly outlined its regulatory and supervisory priorities for 2023. These occasions included:

  1. on 25 January 2023, in a statement made by Gabriel Makhlouf, Governor of the Central Bank at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach;
  2. in a letter also dated 17 January 2023, addressed to the Minister of Finance, Michael McGrath (published on 25 January 2023) and
  3. in a Dear CEO Letter dated 16 February 2023, addressed to the CEOs of all Regulated Financial Service Providers ("RFSP") ("Dear CEO Letter").

The Central Bank is clearly making an effort to be transparent with regard to its priorities which is welcomed by Matheson LLP.  We have actively communicated with our clients on all three occasions where the priorities have been detailed (please see the FIG Top 5 at 5 from 26 January, 2 February and 23 February for more details). In an ideal world these Central Bank priorities would be published in the final quarter of each year, in line with the approach taken by the European Supervisory Authorities ("ESAs") though we acknowledge that at least some of the Central Bank priorities will be driven by initiatives at EU level. Publishing priorities as early as possible greatly supports RFSPs in their regulatory and governance planning for the year ahead, particularly when it comes to identifying the areas where resources will need to be allocated.

Regarding the priorities themselves, there were no real surprises, much of what was detailed was expected. However, we would point out that the Dear CEO Letter did include one additional priority over and above the list detailed by the Governor and in the letter to the Minister for Finance. That was the inclusion of the provision of a " clear, open and transparent authorisation process". There has been some criticism of the Central Bank in this regard and the inclusion of this priority will be particularly welcomed by industry and other stakeholders.

The Central Bank (Individual Accountability Framework) Act 2023 - ready, steady go.

On 9 March 2023, the Central Bank (Individual Accountability Framework) Act 2023 ("IAF Act 2023") was signed into law by the President Michael D. Higgins, having completed all stages of Dáil Éireann ("Dáil") and Seanad Éireann ("Seanad") on 1 March 2023.

The Minister for Finance, Michael McGrath ("Minister"), having commended the Seanad amendments to the Dáil on 1 March 2023, acknowledged that getting the legislation to this point took "longer than anyone would have liked" but explained that "lengthy engagement with the Office of the Attorney General and the Central Bank" was necessary "to ensure that the legislation is effective and also constitutionally robust". 

Regarding commencement, the Minister confirmed that all sections of the legislation would be commenced as soon as possible following enactment, with the exception of Sections 3 – 6 and Section 10 which deal with the Senior Executive Accountability Regimen ("SEAR"), the conduct standards and the certification process. The Minister further advised that these sections would be commenced following completion of the Central Bank of Ireland's ("Central Bank") public consultation on these areas and that it is intended that the legislation, as enacted, would be fully implemented in the current year.  Fast forward to 13 March 2023 and the Central Bank has published the relevant consultation paper ("CP153") in which it proposes an altered implementation timeline, in so far as it pertains to the SEAR. CP 153 proposes an implementation date of July 2024 for impacted firms to comply with the SEAR requirements.

Impacted firms and industry groups will welcome this proposed extended implementation timeline, given that for a long time, the Central Bank suggested that little or no delay in implementation would be considered. Additionally as a result of this, we expect that industry groups will no longer look to lobby the Central Bank on this point and instead focus their attention on other issues.

In CP 153, the Central Bank explains that it will also issue guidance and regulations on the Fitness and Probity ("F&P") Investigative Process in March 2023 and confirms that there will be a further consultation paper in the summer on the changes to the Administrative Sanctions Procedures.  We would encourage firms to actively engage with these consultation processes and to take the opportunity to convey their views on the proposals and the challenges and difficulties which they anticipate in complying with them.

For further detail on CP153, please refer to the FIG Top 5 at 5 dated 16 March. If you have not subscribed to receive these updates, you can do so here.

For further details on the IAF and SEAR, please refer to our dedicated webpage, which can be found here.

 

 


 

    Digital Operational Resilience Act

    The new Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA") and the supporting directive ( Directive (EU) 2022/2556) entered into force on 16 January 2023. DORA, as a regulation, will be directly effective from 17 January 2025, while the supporting directive must be transposed by the same date. DORA forms part of the European Union's ("EU") Digital Finance Package, which includes, amongst other things, the proposal for a Regulation on Markets in Crypto-assets ("MiCA"), which was discussed in the Autumn 2022 Horizon Tracker.

    DORA represents the EU's first legislative framework focusing on digital operational resilience in the financial services sector. Its impact will be felt by most financial services firms. While a 24 month implementation period appears like a considerable length of time for firms to "get their house in order", the extent of the work to be completed in order to be fully compliant should not be underestimated. Additionally, while the Level 1 text is available, the Level 2 measures are yet to be confirmed, so impacted firms will need to monitor the development of these measures as they are proposed and adapted by the European Supervisory Authorities ("ESAs") over the coming 18 months. These measures will focus largely on how the rules will function in practice.  We would encourage firms to begin, as with any new piece of legislation, with a gap analysis to identify where changes are needed to their existing frameworks. Many firms can expect that there will be a need for investment in processes, procedures, systems and expertise to ensure effective implementation.

    As previously discussed in our Insight "Understanding the interaction between DORA and the Central Bank's Operational Resilience Guidance", many financial services entities are now querying the interplay between DORA and the Central Bank of Ireland's ("Central Bank") Cross Industry Guidance on Operational Resilience (the "Guidance") published in December 2021 (which requires full implementation by December 2023). Anticipating the adoption of DORA, the Central Bank noted in its feedback statement to the consultation paper on the draft Guidance, that same was "in line with international best practice and compatible with and complementary to DORA". Additionally, the Central Bank also committed to "continue to update and align the intended outcomes of our supervisory approach with relevant international operational resilience policy developments as they evolve" and "monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices".

    Two points arise here. Firstly, on the face of it, any work being carried out by firms in preparation for the 1 December 2023 deadline for compliance with the Guidance, should be compatible and complementary to any work required to demonstrate compliance with corresponding obligations under DORA.  Secondly, where this is not the case, the Central Bank will likely update their guidance accordingly. In fact, given the extent of the changes introduced through DORA, additional communications and guidance from the Central Bank could potentially be provided as it looks to the integration of DORA into its own supervisory work. This has been described as one of its key priorities for 2023.

     

    Explore the Horizon Tracker

    FIG Top 5 at 5 - 26/01/2023

    Feb 2, 2023, 12:14 PM
    Title : FIG Top 5 at 5 - 26/01/2023
    Filter services i ds :
    Engagement Time : 7
    Insight Type : Article
    Insight Date : Jan 26, 2023, 00:00 AM

    1. Central Bank of Ireland - Dear CEO Letter on its Supervisory Findings and Expectations for Payment and E-Money Firms

    On 20 January 2023, the Central Bank of Ireland (the "Central Bank") issued a Dear CEO Letter (the "Letter") to Payment and Electronic-Money ("E-money") firms on its findings and expectations following what it describes as a period of intense supervision of the sector over the last 12 months, on the basis of significant deficiencies identified by the Central Bank in the governance, risk management and control frameworks of some firms in the sector.

    The Letter is a follow-up to the Central Bank's December 2021 Dear CEO Letter on its supervisory expectations of the payments and e-money sector (the "2021 letter"). The Letter

    • reaffirms the Central Bank's supervisory expectations;
    • details the key findings from the Central Bank's supervisory engagements with the sector; and
    • outlines a number of actions expected of firms.

    Findings

    The Central Bank sets out its findings under five key areas:

    1. Safeguarding

    In the 2021 letter, the Central Bank required all firms to assess their compliance with their safeguarding obligations. The submissions following this assessment to the Central Bank, highlighted that one in four Payment and E-Money firms have self-identified deficiencies in their safeguarding risk management frameworks. The Central Bank noted that the nature and scale of these deficiencies indicates that some firms do not have robust safeguarding arrangements in place.

    In general, the Central Bank expects firms to:

    • have robust, Board approved, safeguarding risk management frameworks in place;
    • be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis;
    • notify the Central Bank immediately of any safeguarding issues identified;
    • take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where issues are identified; and
    • investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

    Audit confirmation

    Due to the number of safeguarding issues identified, the Central Bank is requiring that all Payment and E-Money firms who are required to safeguard users’ funds, obtain a specific audit of their compliance with the safeguarding requirements in accordance with what the Central Bank sets out in the Letter and submit same together with a Board response on the outcome of the audit, to the Central Bank by 31 July 2023.

    2. Governance, Risk Management, Conduct and Culture

    Some of the Governance, Risk Management, Conduct and Culture issues identified by the Central Bank include:

    • governance, risk management and internal control frameworks not consistently aligned to business strategies and business objectives;
    • inadequate succession planning;
    • inadequate resourcing of the internal audit, risk management and compliance functions;
    • a focus on achieving minimum compliance;
    • inadequate reporting to the Board; and
    • product/service disclosures that are unclear and lack transparency.

    The Central Bank expects firms to consider their governance, risk management and internal control frameworks, in addition to the composition of their Board and management team, to ensure they are sufficient to run their business from Ireland.

    3. Business Model, Strategy and Financial Resilience

    The Central Bank completed a thematic review of business model and strategic risk across a number of firms in the sector during 2022 which identified that some firms in the sector do not have defined or embedded Board approved business strategies in place.

    The Central Bank noted that while firms may be reliant on wider group strategic decisions to inform local strategy, it is critical that robust consideration is given to ensuring there is sufficient financial and operational capacity and capability within the firm to execute that strategy. The Central Bank expects firms to have robust strategic and capital planning frameworks which demonstrate that they have a good understanding of the risks that they face and their potential financial impact. The Central Bank expects firms to have Board-approved business strategies in place supported by robust financial projections.

    The Central Bank also identified weaknesses in risk reporting practices across the sector with one in five firms having submitted inaccurate regulatory returns to the Central Bank during the previous 12 months.

    4. Operational Resilience and Outsourcing

    The Central Bank has observed an increasing number of major operational incidents/outages being reported by firms in the sector, with many of those reported as a result of issues with group/third party providers who are critical to supporting the IT infrastructure of firms.

    The Central Bank notes that boards and senior management teams must ensure they have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have, which extend to outsourced activities conducted on the firm’s behalf by any third party, including any group entity. The Central Bank expects Boards and senior management of Payment and E-Money firms to review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Central Bank's Operational Resilience Guidance.

    5. AML/CFT

    The Central Bank identified a number of AML/CFT weaknesses including:

    • Risk-Based Approach: Some firms in the sector lack maturity in their risk based approach to AML/CFT. A particular area of weakness identified was transaction monitoring controls. The Central Bank notes that AML/CFT controls should be risk sensitive and tailored to the risks identified.
    • Distribution Channels: Weaknesses have been identified in relation to the oversight of distributor/agents relationships which often carry out AML/CFT preventive measures, such as customer due diligence ("CDD"), on behalf of firms. The Central Bank notes that, where distributors and agents carry out AML/CFT controls on behalf of firms, it is imperative that this is completed in line with the firms’ own ML/TF risk assessment and AML/CFT policies and procedures. The Central Banks expect firms to exercise adequate oversight of and undertake appropriate assessment of these agents and distributors with the outcome of any testing included in management information for the Board and senior management.
    • E-Money Derogation and Simplified Due Diligence: The Central Bank has identified some instances of misapplication of the derogation from CDD for certain e-money products and misinterpretation of provisions for simplified CDD under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The Central Bank notes that E-Money firms should only avail of the derogation and that simplified due diligence is carried out only in circumstances where it is appropriate to do so.

    Actions Required

    The Central Bank notes that contents of the Letter are not an exhaustive list of its supervisory findings, and cautions firms not leave aside the identification and management of other potential risks, however, these are the areas to which firms can expect the Central Bank to be paying close attention.

    The Central Bank expects all firms in the sector to:

    • discuss this letter with their Board, and to reflect on the supervisory findings; and
    • progress the completion of a specific audit of compliance with the safeguarding requirements to be submitted to the Central Bank by 31 July 2023.

    2. Department of Finance publishes consultation on the transposition of the Credit Servicers Directive Public

    On 24 January 2023, the Department of Finance published a public consultation on the transposition of Directive (EU) 2021/2167 (the "Credit Servicers Directive").

    The Credit Services Directive:

    • aims to promote a secondary market for non-performing loans;
    • lays down a common framework for the sale and management of bank originated non-performing loans which are transferred or sold after 29 December 2023;
    • provides for a new EU wide authorisation and regulatory framework for credit servicers to be overseen by national competent authorities and allows such authorised entities to passport credit servicing activities across the EU; and
    • makes certain amendments to Directive 2008/48/EC (the "Consumer Credit Directive") and  Directive 2014/17/EU (the "Mortgage Credit Directive").

    Consultation

    EU Member States are required to adopt and publish the national measures to transpose the provisions of the Credit Services Directive by 29 December 2023. The Credit Services Directive contains a number of discretions which can be exercised by Member States. The consultation is seeking the views of the public on these discretions for transposition into Irish law, posed in the form of ten questions.

    The consultation is open for feedback until 28 February 2023.

    Speaking on publication of the consultation, the Minister for Finance Michael McGrath said: “This directive aims to develop a secondary market for non-performing loans. It lays down a common European framework for the transfer and management of bank originated non-performing loans which are transferred or sold after 29 December 2023, while at the same time safeguarding borrowers’ rights. The public consultation process on the credit servicers’ directive process will run until 28 February 2023. Submissions received in response to this consultation will be taken into consideration when taking decisions on the discretions contained within the directive when transposing the provisions of the directive into Irish law.”

    3. Spring 2023 Legislation Programme published

    The Government's Legislation Programme (the "Programme") for the Spring 2023 session was published on 18 January 2023. Within the programme, there are 38 new bills which have been approved by the Cabinet for priority publication and drafting.

    Looking specifically to the legal and regulatory proposals in the Programme relevant to the financial services sector (excluding funds), only one new bill has been added to the priority list for Spring 2023, which is the Financial Services and Pensions Ombudsman (Amendment) Bill, which was previously listed under all other legislation in the Autumn 2022 programme. The bill amends the Financial Services and Pensions Ombudsman Act 2017 to take account of the Zalewski ruling and to update elements of the existing act where the Financial Services and Pensions Ombudsman could be viewed as administering justice. The Programme indicates that heads of bill are being prepared. We will monitor the development of this and keep clients updated.

    The Programme also reflects legislation which is still making its way through the Houses of the Oireachtas, of cross sectoral interest the most significant is the Central Bank (Individual Accountability Framework) Bill 2022 which is currently at Report Stage in the Dáil, due for imminent consideration. Please monitor our dedicated webpage for updates on this.

    4. Central Bank of Ireland's regulatory and supervisory priorities for 2023

    On 25 January, Gabriel Makhlouf, Governor of the Central Bank of Ireland ("Central Bank") delivered an opening statement at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. This statement covered a substantial number of topics including:

    • Euro Area Outlook;
    • Monetary Policy;
    • Domestic Outlook;
    • Macro-financial Environment;
    • Regulatory Priorities;
    • Retail Bank Consolidation; and
    • Interest rates and the Irish mortgage market.

    Of particular interest to this audience are the Governor's comments on the Central Bank's regulatory priorities. The following is a summary of the key points made:

    1. banks and other lenders in particular have a key role to play by:

    • providing the lending and deposit services required to support a well-functioning economy;
    • supporting customers who may be experiencing difficulties in light of the changed macro-economic environment, including in particular customers in or facing arrears on existing loans; and
    • developing and implementing strategies which preserve long term sustainability and firms’ capacity to continue to support the economy through this period and into the future.

    2. regulation will continue to be "outcomes-focused" and will follow six principles:

    • forward looking;
    • connected;
    • proportionate;
    • predictable;
    • transparent; and
    • agile.

    3. "milestones" in the Central Bank's regulatory work programme this year include:

    • consulting and engaging widely on the development of the consumer protection framework and on the operationalisation of the Individual Accountability Framework;
    • continuing to progress actions at a domestic and international level on the global systemic risks in the funds sector, as well as enhancing the governance, oversight and investor outcomes in the sector; and
    • implementing new EU regulations on digital operational resilience and markets in crypto.

    Supervisory priorities were also briefly covered, they include:

    • the assessment and management of risks to financial and operational resilience;
    • continuing to drive for fair outcomes for consumer and investors;
    • overseeing the withdrawal of Ulster Bank and KBC from the Irish market; and
    • detecting and sanctioning market abuse.

    The Governor also mentioned that the Central Bank will in particular work with the Department of Finance on the next steps from the Retail Banking Review and the recommendations of the IMF’s Financial System Assessment Programme.

    5. European Parliament's Economic and Monetary Affairs Committee votes on CRR III and CRD VI

    On 24 January 2023, the European Parliament's (the "Parliament") Economic and Monetary Affairs Committee ("ECON") voted to adopt of draft reports on the European Commission's (the "Commission") legislative proposals to amend Directive 2013/36/EU (the "Capital Requirements Directive") and Regulation 2013/575/EU (the "Capital Requirements Regulation").

    These proposals form part of the Commission's October 2021 legislative package implementing Basel III Reforms. The proposals aim to ensure that EU banks become more resilient to potential future economic shocks, while contributing to Europe's recovery from the COVID-19 pandemic and the transition to climate neutrality.

    The press release highlights the following:

    • Capital requirements: The ECON agreed that the “output floor” setting lower limit on the capital requirements calculated by banks using their internal models should be consolidated at the EU level in order to have comparable risk weights and avoid variations in capital levels. A competent authority should be able to address inappropriate distribution of capital among banking groups and propose a capital redistribution.
    • Transitional periods: The ECON agreed on transitional arrangements for low risk exposures secured by mortgages on residential property which may be extended but for no longer than four years.
    • Environmental risks: The ECON agreed to strengthen reporting and disclosure requirements for environmental, social and governance ("ESG") risks. The European Banking Authority ("EBA") is mandated to assess whether a dedicated prudential treatment of exposures would be warranted. The Commission might adopt a legislative proposal in this regard based on that report.
    • Crypto-assets: The ECON want banks to disclose their exposure to crypto-assets and crypto assets services as well as a specific description of their risk management policies related to crypto-assets. The Commission has been invited to submit a legislative proposal by June 2023 on a dedicated prudential treatment for exposures to crypto-assets.
    • Governance: The ECON noted that suitability of members of management bodies should be sufficiently diverse and gender-balanced. The ECON also wants to introduce measures to ensure that a key function holder is replaced if that person ceases to comply with suitability criteria.
    • Third country branches: New third country branches must not commence their activities in a Member State until the EBA and the third country have concluded a Memorandum of Understanding providing a clear cooperation framework, including exchange of information in on-going supervision, crisis management and resolution.
    HoldingImage_558x245_Blue HoldingImage_450x200_Red
    Authors :
    Co Authors
    Services :
    Related Insights

    The Latest Financial Regulation Developments

    Read the Full Report