The Letter is a follow-up to the Central Bank's December 2021 Dear CEO Letter on its supervisory expectations of the payments and e-money sector (the "2021 letter"). The Letter

• reaffirms the Central Bank's supervisory expectations;
• details the key findings from the Central Bank's supervisory engagements with the sector; and
• outlines a number of actions expected of firms.

Findings

The Central Bank sets out its findings under five key areas:

1. Safeguarding

In the 2021 letter, the Central Bank required all firms to assess their compliance with their safeguarding obligations. The submissions following this assessment to the Central Bank, highlighted that one in four Payment and E-Money firms have self-identified deficiencies in their safeguarding risk management frameworks. The Central Bank noted that the nature and scale of these deficiencies indicates that some firms do not have robust safeguarding arrangements in place.

In general, the Central Bank expects firms to:

• have robust, Board approved, safeguarding risk management frameworks in place;
• be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis;
• notify the Central Bank immediately of any safeguarding issues identified;
• take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where issues are identified; and
• investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

Audit confirmation

Due to the number of safeguarding issues identified, the Central Bank is requiring that all Payment and E-Money firms who are required to safeguard users’ funds, obtain a specific audit of their compliance with the safeguarding requirements in accordance with what the Central Bank sets out in the Letter and submit same together with a Board response on the outcome of the audit, to the Central Bank by 31 July 2023.

2. Governance, Risk Management, Conduct and Culture

Some of the Governance, Risk Management, Conduct and Culture issues identified by the Central Bank include:

• governance, risk management and internal control frameworks not consistently aligned to business strategies and business objectives;
• inadequate succession planning;
• inadequate resourcing of the internal audit, risk management and compliance functions;
• a focus on achieving minimum compliance;
• inadequate reporting to the Board; and
• product/service disclosures that are unclear and lack transparency.

The Central Bank expects firms to consider their governance, risk management and internal control frameworks, in addition to the composition of their Board and management team, to ensure they are sufficient to run their business from Ireland.

3. Business Model, Strategy and Financial Resilience

The Central Bank completed a thematic review of business model and strategic risk across a number of firms in the sector during 2022 which identified that some firms in the sector do not have defined or embedded Board approved business strategies in place.

The Central Bank noted that while firms may be reliant on wider group strategic decisions to inform local strategy, it is critical that robust consideration is given to ensuring there is sufficient financial and operational capacity and capability within the firm to execute that strategy. The Central Bank expects firms to have robust strategic and capital planning frameworks which demonstrate that they have a good understanding of the risks that they face and their potential financial impact. The Central Bank expects firms to have Board-approved business strategies in place supported by robust financial projections.

The Central Bank also identified weaknesses in risk reporting practices across the sector with one in five firms having submitted inaccurate regulatory returns to the Central Bank during the previous 12 months.

4. Operational Resilience and Outsourcing

The Central Bank has observed an increasing number of major operational incidents/outages being reported by firms in the sector, with many of those reported as a result of issues with group/third party providers who are critical to supporting the IT infrastructure of firms.

The Central Bank notes that boards and senior management teams must ensure they have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have, which extend to outsourced activities conducted on the firm’s behalf by any third party, including any group entity. The Central Bank expects Boards and senior management of Payment and E-Money firms to review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Central Bank's Operational Resilience Guidance.

5. AML/CFT

The Central Bank identified a number of AML/CFT weaknesses including:

• Risk-Based Approach: Some firms in the sector lack maturity in their risk based approach to AML/CFT. A particular area of weakness identified was transaction monitoring controls. The Central Bank notes that AML/CFT controls should be risk sensitive and tailored to the risks identified.
• Distribution Channels: Weaknesses have been identified in relation to the oversight of distributor/agents relationships which often carry out AML/CFT preventive measures, such as customer due diligence ("CDD"), on behalf of firms. The Central Bank notes that, where distributors and agents carry out AML/CFT controls on behalf of firms, it is imperative that this is completed in line with the firms’ own ML/TF risk assessment and AML/CFT policies and procedures. The Central Banks expect firms to exercise adequate oversight of and undertake appropriate assessment of these agents and distributors with the outcome of any testing included in management information for the Board and senior management.
• E-Money Derogation and Simplified Due Diligence: The Central Bank has identified some instances of misapplication of the derogation from CDD for certain e-money products and misinterpretation of provisions for simplified CDD under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The Central Bank notes that E-Money firms should only avail of the derogation and that simplified due diligence is carried out only in circumstances where it is appropriate to do so.

Actions Required

The Central Bank notes that contents of the Letter are not an exhaustive list of its supervisory findings, and cautions firms not leave aside the identification and management of other potential risks, however, these are the areas to which firms can expect the Central Bank to be paying close attention.

The Central Bank expects all firms in the sector to:

• discuss this letter with their Board, and to reflect on the supervisory findings; and
• progress the completion of a specific audit of compliance with the safeguarding requirements to be submitted to the Central Bank by 31 July 2023.
  

The Credit Services Directive:

• aims to promote a secondary market for non-performing loans;

• lays down a common framework for the sale and management of bank originated non-performing loans which are transferred or sold after 29 December 2023;

• provides for a new EU wide authorisation and regulatory framework for credit servicers to be overseen by national competent authorities and allows such authorised entities to passport credit servicing activities across the EU; and

• makes certain amendments to Directive 2008/48/EC (the "Consumer Credit Directive") and  Directive 2014/17/EU (the "Mortgage Credit Directive").

Consultation

EU Member States are required to adopt and publish the national measures to transpose the provisions of the Credit Services Directive by 29 December 2023. The Credit Services Directive contains a number of discretions which can be exercised by Member States. The consultation is seeking the views of the public on these discretions for transposition into Irish law, posed in the form of ten questions.

The consultation is open for feedback until 28 February 2023.

The Government's Legislation Programme (the "Programme") for the Spring 2023 session was published on 18 January 2023. Within the programme, there are 38 new bills which have been approved by the Cabinet for priority publication and drafting.

Looking specifically to the legal and regulatory proposals in the Programme relevant to the financial services sector (excluding funds), only one new bill has been added to the priority list for Spring 2023, which is the Financial Services and Pensions Ombudsman (Amendment) Bill, which was previously listed under all other legislation in the Autumn 2022 programme. The bill amends the Financial Services and Pensions Ombudsman Act 2017 to take account of the Zalewski ruling and to update elements of the existing act where the Financial Services and Pensions Ombudsman could be viewed as administering justice. The Programme indicates that heads of bill are being prepared. We will monitor the development of this and keep clients updated.

The Programme also reflects legislation which is still making its way through the Houses of the Oireachtas, of cross sectoral interest the most significant is the Central Bank (Individual Accountability Framework) Bill 2022 which is currently at Report Stage in the Dáil, due for imminent consideration. Please monitor our dedicated webpage for updates on this. 

On 25 January 2023, Gabriel Makhlouf, Governor of the Central Bank of Ireland ("Central Bank") delivered an opening statement at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. This statement covered a substantial number of topics including:

• Euro Area Outlook;
• Monetary Policy;
• Domestic Outlook;
• Macro-financial Environment;
• Regulatory Priorities;
• Retail Bank Consolidation; and
• Interest rates and the Irish mortgage market.

Of particular interest to this audience are the Governor's comments on the Central Bank's regulatory priorities. The following is a summary of the key points made:

1. banks and other lenders in particular have a key role to play by:

• providing the lending and deposit services required to support a well-functioning economy;
• supporting customers who may be experiencing difficulties in light of the changed macro-economic environment, including in particular customers in or facing arrears on existing loans; and
• developing and implementing strategies which preserve long term sustainability and firms’ capacity to continue to support the economy through this period and into the future.

2. regulation will continue to be "outcomes-focused" and will follow six principles:

• forward looking;
• connected;
• proportionate;
• predictable;
• transparent; and
• agile.

3. "milestones" in the Central Bank's regulatory work programme this year include:

• consulting and engaging widely on the development of the consumer protection framework and on the operationalisation of the Individual Accountability Framework;
• continuing to progress actions at a domestic and international level on the global systemic risks in the funds sector, as well as enhancing the governance, oversight and investor outcomes in the sector; and
• implementing new EU regulations on digital operational resilience and markets in crypto.

Supervisory priorities were also briefly covered, they include:

• the assessment and management of risks to financial and operational resilience;
• continuing to drive for fair outcomes for consumer and investors;
• overseeing the withdrawal of Ulster Bank and KBC from the Irish market; and
• detecting and sanctioning market abuse.

The Governor also mentioned that the Central Bank will in particular work with the Department of Finance on the next steps from the Retail Banking Review and the recommendations of the IMF’s Financial System Assessment Programme. 

On 24 January 2023, the European Parliament's (the "Parliament") Economic and Monetary Affairs Committee ("ECON") voted to adopt of draft reports on the European Commission's (the "Commission") legislative proposals to amend Directive 2013/36/EU (the "Capital Requirements Directive") and Regulation 2013/575/EU (the "Capital Requirements Regulation").

These proposals form part of the Commission's October 2021 legislative package implementing Basel III Reforms. The proposals aim to ensure that EU banks become more resilient to potential future economic shocks, while contributing to Europe's recovery from the COVID-19 pandemic and the transition to climate neutrality.

The press release highlights the following:

• Capital requirements: The ECON agreed that the “output floor” setting lower limit on the capital requirements calculated by banks using their internal models should be consolidated at the EU level in order to have comparable risk weights and avoid variations in capital levels. A competent authority should be able to address inappropriate distribution of capital among banking groups and propose a capital redistribution.
• Transitional periods: The ECON agreed on transitional arrangements for low risk exposures secured by mortgages on residential property which may be extended but for no longer than four years.
• Environmental risks: The ECON agreed to strengthen reporting and disclosure requirements for environmental, social and governance ("ESG") risks. The European Banking Authority ("EBA") is mandated to assess whether a dedicated prudential treatment of exposures would be warranted. The Commission might adopt a legislative proposal in this regard based on that report.
• Crypto-assets: The ECON want banks to disclose their exposure to crypto-assets and crypto assets services as well as a specific description of their risk management policies related to crypto-assets. The Commission has been invited to submit a legislative proposal by June 2023 on a dedicated prudential treatment for exposures to crypto-assets.
• Governance: The ECON noted that suitability of members of management bodies should be sufficiently diverse and gender-balanced. The ECON also wants to introduce measures to ensure that a key function holder is replaced if that person ceases to comply with suitability criteria.
• Third country branches: New third country branches must not commence their activities in a Member State until the EBA and the third country have concluded a Memorandum of Understanding providing a clear cooperation framework, including exchange of information in on-going supervision, crisis management and resolution.