CBI Calls on Fintech Firms to Undertake Regulatory Review

On 9 December 2021, the Central Bank of Ireland ("CBI") published a letter addressed to the CEOs of e-money and payment institutions it regulates ("Firms").  Firms are required to attest compliance with safeguarding rules, and any conditions imposed by the CBI, by 31 March 2022.

Enhanced Regulatory Scrutiny

The authorisation and supervision of these Firms is now the responsibility of the CBI's Credit Institutions Supervision Directorate.  This is reflective of what the CBI notes as the "increasingly important role [that these Firms play] in the financial system and in the lives of consumers."

The letter is another example of how this sector has come under increased supervisory scrutiny recently, particularly in light of the growth in the number of Firms, the scale of their businesses and the number of consumers using their services.

The letter sets out the CBI's expectations for the Firms and outlines specific actions for each Firm to take by 31 March 2022.

Supervisory Expectations

Set out below is a summary of the supervisory expectations contained in the letter.

Regulatory Reporting

The CBI highlights the importance of Firms submitting accurate and timely regulatory returns. It expects Firms to be proactive in their communications and notify the CBI as soon as they become aware of any breach of legal or prudential requirements, or any other material or adverse development that may impact on their business.

Material changes

Firms must notify the CBI, at the earliest possible opportunity, where there is an expectation of a material change to the Firm's business model.  The CBI provides two examples of what constitutes a material change: where the Firm is making a substantive change to its service or product offering or materially changing the way in which its service / product offerings are provided; or the Firm’s business projections are forecast to be significantly in excess of that outlined in the authorisation process.  

Safeguarding

The CBI had previously identified safeguarding as one of its areas of focus from a supervisory perspective.  Firms must currently assess their compliance with their safeguarding obligations under the European Union (Payment Services) Regulations 2018 and the European Communities (Electronic Money) Regulations 2011. 

Firms must have robust, board approved, safeguarding risk frameworks which ensure that relevant client funds are appropriately identified, managed and protected daily; including the clear segregation, designation and reconciliation of user balances. 

Financial Resilience

The CBI expects that Firms are able to recover if in difficulty, and if they cannot, they should be resolvable without significant externalities. 

Firms are expected to have an appropriate exit / wind-up strategy which is linked to their business and operational model.

Fitness and Probity

The CBI referred to its earlier industry letters on fitness and probity where it set out its expectations including in relation to initial and ongoing due diligence for candidates proposed to controlled functions, and reporting issues to the CBI. 

Conduct and Culture

The letter reminds Firms that they are required to embed a consumer-focused culture supported by internal systems and controls, including well developed risk management frameworks. 

From a product development perspective, the Central Bank expects Firms to review the risks to consumers of financial services in its Consumer Protection Outlook Report 2021 and take action where appropriate.

Operational Resilience

The CBI expects Firms to be able to respond to, recover, and learn from operational disruptions and published new operational resilience guidelines recently. 

The CBI expects Firms, including those which are part of a larger group, to operate sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised in Ireland.  This is important for Firms which operate as part of a larger international group and who outsource functions outside Ireland.  Oversight of those functions, and ultimate responsibility (in terms of senior management) must be in Ireland, and the board and senior management remain responsible for ensuring the Firm's compliance with its legal and regulatory obligations.  Boards must also ensure they have the skills and knowledge to understand the risks the Firm faces, and their responsibilities.

Financial Crime

Firms must ensure they have a robust anti-money laundering and countering the financing of terrorism framework in place, based on the Firm's risk assessment (that is specifically focussed on the money laundering and terrorist financing risk arising from the relevant Firm's business model).  

Actions Required

Firms are required to conduct a compliance review and make a formal notification to the CBI by 31 March 2022 confirming that this review has been completed.

As part of this review, each Firm will need to carefully consider their compliance with any firm-specific conditions imposed by the CBI at authorisation, or since, and complete an assessment of their compliance with the safeguarding obligations under the European Union (Payment Services) Regulations 2018 and the European Communities (Electronic Money) Regulations 2011.  

The review should be clearly documented and records kept of any underlying data and information used. Board decisions should be minuted, and a remediation plan must put in place where any issues are identified.  

A report must be produced for the board and it will have to then approve the attestation for the CBI submission.  

How we can Help

Our Financial Services Regulatory team has advised many firms on their safeguarding obligations, and on general compliance with financial services obligations and conditions imposed by the CBI.  

We can guide Firms on the parameters for their review project and assist in completing a gap analysis. We can also prepare or review board reports and facilitate CBI notification filings. We can also work with the business and second line to prepare remediation plans.

Further Information 

Further information on our Irish Financial Services Regulatory Group, and the services we provide is available on our website page and in our FSR and Fintech brochures.

If you would like further information, please liaise with the below or your usual Maples Group contact.