Payment & e-money update: Central Bank of Ireland reaffirms supervisory expectations
Throughout the last 12 months, the Central Bank of Ireland (CBI) has undertaken intense supervision of the payment and electronic money (e-money) sector. That supervision has continued, and has informed a recently published Dear CEO letter (Dear CEO Letter), the purpose of which is to bring enhanced transparency to the CBI's approach to the regulation and supervision of the sector, and to reaffirm the CBI's supervisory expectations.
This engagement follows on from a Dear CEO letter published in December 2021, which provided greater clarity on the CBI's expectations of the sector, together with last year's Consumer Protection Outlook Report (Report), which set out key cross-sectoral risks for consumers. The Dear CEO Letter highlights that, based on what the CBI has observed over the last 12 months, the risks identified in the Report are particularly relevant to the payment and e-money sector.
The CBI's expectation is that all firms in the payment and e-money sector should discuss the Dear CEO Letter with their Board, and reflect on the supervisory findings called out. To assist in this discussion, we provide below an overview of the CBI's supervisory approach for this sector, together with its supervisory expectations in five key risk areas, where it has identified deficiencies.
CBI's supervisory approach for the payment and e-money sector
The CBI's approach to the supervision of all financial services sectors, including the payment and e-money sector, is risk-based. The Dear CEO Letter highlights that the consideration of risk is of heightened importance now, given the current complex and uncertain economic environment, and the deterioration of financial stability conditions across the Euro area, including Ireland. The CBI also recognises that, given the rapidly changing financial services landscape, the nature and extent of opportunities and risks in the payment and e-money sector are evolving.
The Dear CEO Letter flags that payment and e-money firms (Firms) can expect supervisory intensity and engagement to increase where the CBI identifies unacceptable or unmanaged risks during the course of its supervisory work. This is already being seen in the market during routine supervisory engagements in this area. Examples of unacceptable risks include breaches of regulatory requirements (in particular those relating to safeguarding) and/or deficiencies in a firm's governance, risk management and internal control frameworks. The CBI's response to such risks may include the issuance of a risk mitigation programme, directions and/or enforcement action. Whilst the CBI has, to date, used its separate 'skilled persons' review powers less frequently than other regulators, such as the UK Financial Conduct Authority, these powers have been used in several areas relevant to Firms, such as governance and risk management frameworks, IT operational resilience and compliance with technical payment services regulatory requirements.
CBI supervisory expectations
1. Safeguarding
A key CBI objective is that users' funds are protected. The Dear CEO Letter sets out the CBI's expectations of Firms in respect of safeguarding, in accordance with the requirements under the EU (Payment Services) Regulations 2018 (PSR) and the EC (Electronic Money) Regulations 2011 (EMR), as follows:
to have robust, Board-approved safeguarding risk management frameworks in place which ensure that relevant users' funds are appropriately identified, managed and protected on an ongoing basis - this includes the clear segregation, designation and reconciliation of users' funds held on behalf of customers;
to be proactive in ensuring that the design and operating effectiveness of the firm's safeguarding frameworks is tested on an ongoing basis;
to notify the CBI immediately of any safeguarding issues identified;
to take mitigating and corrective measures immediately to ensure that users' funds are safeguarded where, in exceptional circumstances, issues are identified; and
to investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).
In addition, this year, the CBI is requiring all Firms that safeguard users' funds to obtain a specific audit of their compliance with safeguarding requirements. The auditor is expected to provide an opinion confirming whether a firm has maintained adequate organisational arrangements to enable it to meet the safeguarding provisions of the PSR/EMR on an ongoing basis. The Dear CEO Letter also sets out the specific areas, at a minimum, that should be subject to review and assurance through this process.
2. Governance, risk management, conduct and culture
The CBI's expectation is that Firms must be well run with cultures that seek to do the right thing for their consumers. The CBI expects Firms to consider their governance, risk management and internal control frameworks, in addition to the composition (both number and skills) of their Board and management team, to ensure they are sufficient to run their business from Ireland, as their licensed jurisdiction.
3. Business model, strategy and financial resilience
The CBI's expectation is that Firms should have robust strategic and capital planning frameworks, which demonstrate that they have a good understanding of the risks that they face and their potential financial impact. Firms are expected to proactively manage their capital to ensure that they are in a position to meet their own funds (capital) requirements on a stand-alone basis at all times, i.e. sufficient regulatory capital is available to absorb losses, including during stress conditions. Firms are also expected to have an appropriate exit/wind-up strategy, which is linked to their business model and considers, amongst other things, the full return of users' funds in an efficient and timely manner in an exit/wind-up scenario.
The CBI also expects Firms to have Board-approved business strategies in place, supported by robust financial projections. Firms must understand and meet their capital requirements at all times. Furthermore, strong internal controls must be in place, which are subject to regular testing, to ensure the accuracy and integrity of data used by the firm for regulatory reporting purposes, and for strategic and financial planning.
4. Operational resilience and outsourcing
The Dear CEO Letter highlights the importance of IT risk management to Firms, and that ultimate responsibility for a firm's IT risk, strategy and governance rests with the executive management. This includes the adequacy of digital and IT strategies to deliver and support business strategies and plans. The CBI's expectation is that Boards and senior management teams should ensure they themselves have the skills and knowledge to meaningfully understand the risks their firm faces, and the responsibilities they have. This responsibility extends to outsourced activities where the activities are conducted on the firm's behalf by any third party, including any group entity.
The CBI's expectation is that Boards and senior management of Firms review and adopt appropriate measures to strengthen and improve their operational resilience frameworks, in line with the CBI's Cross Industry Guidance on Outsourcing and Cross Industry Guidance on Operational Resilience.
5. Anti-money laundering and countering the financing of terrorism
The Dear CEO Letter highlights that Firms are classified as designated persons under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (CJA 2010), and sets out the CBI's expectations of Firms, as follows:
The CBI's expectation is for further development of a risk-based approach to ensuring that sufficient controls are put in place to mitigate identified money laundering/terrorist financing (ML/TF) risks. This is required to ensure that there is a more comprehensive understanding as to how the products and services of Firms can be used for ML/TF purposes. Furthermore, the CBI expects AML/CFT controls to be risk sensitive and tailored to the risks identified as part of the ML/TF risk assessment carried out by Firms.
The CBI expects Firms to exercise adequate oversight of agents and distributors that undertake activities on their behalf, whilst conducting an appropriate level of ongoing assurance. The outcome of any testing carried out as part of the oversight of these arrangements should be included in management information prepared for the Board and senior management. The Dear CEO Letter sets out that ultimate responsibility for carrying out customer risk assessments and customer due diligence (CDD) on the end users of products and services rests with Firms, even where such tasks are being performed by agents and distributors.
E-money derogation and simplified due diligence
The CBI's expectation is that simplified due diligence, under section 33A of the CJA 2010, is carried out only where it is appropriate to do so. In particular, simplified due diligence should only be carried out where Firms have undertaken a risk assessment of each individual relationship and doing so is justified on the basis of the lower level of risk presented.
The CBI's expectation is that all Firms should discuss the Dear CEO Letter with their Board, and reflect on the supervisory findings called out. The CBI expects Firms to take proactive measures to ensure robust and appropriate governance and control arrangements are in place.
In particular, Firms should submit the specific audit of compliance with the safeguarding requirements under the PSR/EMR (as outlined above), along with a Board response on the outcome of the audit, to the CBI by 31 July 2023.
The five key risk areas outlined above are areas to which Firms can expect the CBI to pay close attention going forward and, in addition to discussion at Board level, they should be factored into horizon scanning and regulatory and compliance planning for 2023.