Financial Services Regulation
Setting the tone for the year ahead are the Central Bank of Ireland's ("Central Bank") key regulatory and supervisory priorities. Here we capture the significant and broad ranging, ongoing or anticipated developments which the Central Bank will be monitoring or introducing over the course of the year.
Boards and senior management should ensure that each of the priorities relevant to their business, is being considered and addressed by the necessary individuals and teams. Below we consider the publication of the priorities and two specifically named priorities which are of cross sectoral importance and interest to our financial services clients.
Key Themes in Financial Services Regulation
On three separate occasions in January and February this year, the Central Bank of Ireland ("Central Bank") publicly outlined its regulatory and supervisory priorities for 2023. These occasions included:
- on 25 January 2023, in a statement made by Gabriel Makhlouf, Governor of the Central Bank at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach;
- in a letter also dated 17 January 2023, addressed to the Minister of Finance, Michael McGrath (published on 25 January 2023) and
- in a Dear CEO Letter dated 16 February 2023, addressed to the CEOs of all Regulated Financial Service Providers ("RFSP") ("Dear CEO Letter").
The Central Bank is clearly making an effort to be transparent with regard to its priorities which is welcomed by Matheson LLP. We have actively communicated with our clients on all three occasions where the priorities have been detailed (please see the FIG Top 5 at 5 from 26 January, 2 February and 23 February for more details). In an ideal world these Central Bank priorities would be published in the final quarter of each year, in line with the approach taken by the European Supervisory Authorities ("ESAs") though we acknowledge that at least some of the Central Bank priorities will be driven by initiatives at EU level. Publishing priorities as early as possible greatly supports RFSPs in their regulatory and governance planning for the year ahead, particularly when it comes to identifying the areas where resources will need to be allocated.
Regarding the priorities themselves, there were no real surprises, much of what was detailed was expected. However, we would point out that the Dear CEO Letter did include one additional priority over and above the list detailed by the Governor and in the letter to the Minister for Finance. That was the inclusion of the provision of a " clear, open and transparent authorisation process". There has been some criticism of the Central Bank in this regard and the inclusion of this priority will be particularly welcomed by industry and other stakeholders.
On 9 March 2023, the Central Bank (Individual Accountability Framework) Act 2023 ("IAF Act 2023") was signed into law by the President Michael D. Higgins, having completed all stages of Dáil Éireann ("Dáil") and Seanad Éireann ("Seanad") on 1 March 2023.
The Minister for Finance, Michael McGrath ("Minister"), having commended the Seanad amendments to the Dáil on 1 March 2023, acknowledged that getting the legislation to this point took "longer than anyone would have liked" but explained that "lengthy engagement with the Office of the Attorney General and the Central Bank" was necessary "to ensure that the legislation is effective and also constitutionally robust".
Regarding commencement, the Minister confirmed that all sections of the legislation would be commenced as soon as possible following enactment, with the exception of Sections 3 – 6 and Section 10 which deal with the Senior Executive Accountability Regimen ("SEAR"), the conduct standards and the certification process. The Minister further advised that these sections would be commenced following completion of the Central Bank of Ireland's ("Central Bank") public consultation on these areas and that it is intended that the legislation, as enacted, would be fully implemented in the current year. Fast forward to 13 March 2023 and the Central Bank has published the relevant consultation paper ("CP153") in which it proposes an altered implementation timeline, in so far as it pertains to the SEAR. CP 153 proposes an implementation date of July 2024 for impacted firms to comply with the SEAR requirements.
Impacted firms and industry groups will welcome this proposed extended implementation timeline, given that for a long time, the Central Bank suggested that little or no delay in implementation would be considered. Additionally as a result of this, we expect that industry groups will no longer look to lobby the Central Bank on this point and instead focus their attention on other issues.
In CP 153, the Central Bank explains that it will also issue guidance and regulations on the Fitness and Probity ("F&P") Investigative Process in March 2023 and confirms that there will be a further consultation paper in the summer on the changes to the Administrative Sanctions Procedures. We would encourage firms to actively engage with these consultation processes and to take the opportunity to convey their views on the proposals and the challenges and difficulties which they anticipate in complying with them.
For further detail on CP153, please refer to the FIG Top 5 at 5 dated 16 March. If you have not subscribed to receive these updates, you can do so here.
For further details on the IAF and SEAR, please refer to our dedicated webpage, which can be found here.
The new Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA") and the supporting directive ( Directive (EU) 2022/2556) entered into force on 16 January 2023. DORA, as a regulation, will be directly effective from 17 January 2025, while the supporting directive must be transposed by the same date. DORA forms part of the European Union's ("EU") Digital Finance Package, which includes, amongst other things, the proposal for a Regulation on Markets in Crypto-assets ("MiCA"), which was discussed in the Autumn 2022 Horizon Tracker.
DORA represents the EU's first legislative framework focusing on digital operational resilience in the financial services sector. Its impact will be felt by most financial services firms. While a 24 month implementation period appears like a considerable length of time for firms to "get their house in order", the extent of the work to be completed in order to be fully compliant should not be underestimated. Additionally, while the Level 1 text is available, the Level 2 measures are yet to be confirmed, so impacted firms will need to monitor the development of these measures as they are proposed and adapted by the European Supervisory Authorities ("ESAs") over the coming 18 months. These measures will focus largely on how the rules will function in practice. We would encourage firms to begin, as with any new piece of legislation, with a gap analysis to identify where changes are needed to their existing frameworks. Many firms can expect that there will be a need for investment in processes, procedures, systems and expertise to ensure effective implementation.
As previously discussed in our Insight "Understanding the interaction between DORA and the Central Bank's Operational Resilience Guidance", many financial services entities are now querying the interplay between DORA and the Central Bank of Ireland's ("Central Bank") Cross Industry Guidance on Operational Resilience (the "Guidance") published in December 2021 (which requires full implementation by December 2023). Anticipating the adoption of DORA, the Central Bank noted in its feedback statement to the consultation paper on the draft Guidance, that same was "in line with international best practice and compatible with and complementary to DORA". Additionally, the Central Bank also committed to "continue to update and align the intended outcomes of our supervisory approach with relevant international operational resilience policy developments as they evolve" and "monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices".
Two points arise here. Firstly, on the face of it, any work being carried out by firms in preparation for the 1 December 2023 deadline for compliance with the Guidance, should be compatible and complementary to any work required to demonstrate compliance with corresponding obligations under DORA. Secondly, where this is not the case, the Central Bank will likely update their guidance accordingly. In fact, given the extent of the changes introduced through DORA, additional communications and guidance from the Central Bank could potentially be provided as it looks to the integration of DORA into its own supervisory work. This has been described as one of its key priorities for 2023.