Rather than issuance of specific additional or “new” expectations, it is a re-affirmation of the out regulatory expectations of authorised Payment and E-Money institutions already set out in the December 2021 letter in the same vein. A year on from that letter, it is clear that the CBI believes the industry has a lot more to do.
In a nutshell, if a Payment/E-Money institution’s business is growing, it needs to ensure that its governance, risk management and compliance infrastructure is appropriately commensurate to identify, assess and control the risks facing the institution. It is clear from the CBI’s letter, that this has not been the case in many instances.
Background to the Dear CEO Letter
Payment Institutions and E-Money firms continue to challenge “traditional” financial services firms and are now one of the largest sectors within Ireland’s fintech industry. In particular, there has been a rise in activities being conducted by these firms on a pan-European basis.
Against this backdrop, the CBI’s supervisory activities have revealed significant deficiencies in firms operating in this sector. As such, the CBI have published a “Dear CEO Letter” to reaffirm its expectations of these firms on an on-going basis.
A Summary of the CBI’s Findings and Expectations
Safeguarding
Large numbers of firms cannot demonstrate that they are managing their users’ funds effectively as required under the European Union (Payment Services) Regulations 2018 (“PSR”) and the European Communities (Electronic Money) Regulations 2011 (“EMR”).
The CBI expects firms to have robust risk management frameworks in place and to carry out regular testing. Further, firms must obtain a specific audit of their compliance with the safeguarding requirements under the PSR and EMR.
Governance, Risk Management, Conduct and Culture
In general, the CBI is concerned that there are many firms where business growth is running ahead of their governance, risk management and internal control environment. More specifically, they have concerns around issues including inadequate succession planning, second line resourcing, and board reporting.
The CBI expects firms to ensure their governance, risk management and internal control arrangements are fit for purpose and that their Board and management team are sufficiently skilled to run their businesses from Ireland (i.e. their licenced jurisdiction).
Business Model, Strategy and Financial Resilience
Some firms in the sector do not have defined or embedded Board-approved business strategies in place and approximately one of every five firms in the sector have submitted inaccurate regulatory returns to the CBI during the last 12 months.
In general, the CBI expects firms to ensure that their strategic ambitions do not outpace their risk management frameworks and financial and operational capacity. More particularly, and given the current macroeconomic environment, firms must understand and meet their capital requirements at all times.
Operational Resilience and Outsourcing
An increasing number of major incidents and outages are being reported to the CBI. Many of these are a result of issues with intragroup or third-party providers.
The CBI reminds firms that, notwithstanding the fact that critical IT functions may be outsourced, ultimate responsibility remains with the Board and senior management of the regulated entity who must ensure they have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have.
Anti-Money Laundering and Countering the Financing of Terrorism
In general, controls in this area are not commensurate with risk levels and particular weaknesses have been identified with regard to the oversight of distributors and agents. Further, the CBI has identified several instances of misapplication of the derogation provision under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
Firms’ Anti-Money Laundering (AML) controls should be tailored to the risks identified as part of their AML risk assessment and ongoing oversight of agents and distributors is required. Further, derogation and simplified due diligence should only be availed of when appropriate to do so.
Next Steps
In line with the CBI’s expectations, firms should discuss the Dear CEO Letter with their Board as soon as possible. In regard to the safeguarding requirements under the PSR and EMR, firms must submit their compliance audit to the CBI by 31 July 2023.
Our Services and Contacts
Grant Thornton Ireland are well positioned to assist your firm with Payments and E-Money-related queries. We have the experience and expertise to carry out safeguarding compliance audits as outlined in the ‘Dear CEO’ letter.
Our team of regulatory professionals can also provide support with a full fitness check of your firm in comparison to the wider regulatory expectations. From bespoke advice to large-scale projects, our subject matter experts are here to help.
