FIG Top 5 at 5 - 01/06/2023

1. "The evolving crypto landscape - towards the implementation of MiCA" - Remarks by Gerry Cross, Director of Financial Regulation, Policy & Risk

On 30 May 2023, at Blockchain Ireland Week, Gerry Cross, Director of Financial Regulation, Policy & Risk at the Central Bank of Ireland ("Central Bank") delivered a speech entitled "The evolving crypto landscape - towards the implementation of MiCA". The following is a summary of some of the key messages from the speech:

Ireland as a location for fintech products and services

The Director explained that Ireland has significant advantages when it comes to being a place in which fintech products and services can "emerge, grow and flourish." He provided a number of reasons for this, including:

• a highly developed financial and technological ecosystems;
• a pragmatic, agile and responsive approach to business development;
• a highly educated and young working age population;
• Ireland is well integrated into the wider EU and international markets; and
• the Central Bank is respected for the high quality and effectiveness of its regulatory approach.

Central Bank being open and engaged

The Director confirmed that being open and engaged is a key part of the Central Bank's strategy. He provided the introduction of the Innovation Hub as a prime example of this and explained that

DLT / Blockchain and digital assets now represent the dominant sector for enquiries into the Innovation Hub. Additionally, he confirmed, as had been indicated previously, that the hub is currently being reviewed and that a consultation paper on this area will issue later in the year. 

The use case for crypto

While acknowledging that there are benefits to be gained from crypto, the Director explained that there are still some "important challenges to be overcome and risks to be managed." He stressed that one of those key challenges is achieving greater clarity around the use case for crypto. He outlined a number of questions which underscore the Central Bank's regulatory approach starting point including:

• what does blockchain or cryptotechnology do for users?
• how should the Central Bank think about it and approach it?
• what it is the value that those products or services are seeking to deliver to the consumer and what do users understand in this respect.

The crypto winter

The Director provided a summary of events of the past twelve months in this space, using the recently coined phrase “crypto winter” to describe it. In particular, he mentioned the failure of Signature Bank and Silicon Valley Bank in the United States and the events around TerraUSD, Celsius and FTX. However he stressed that despite these events, the Central Bank remains "as positive towards, and engaged with, technological innovation as we have ever been." He welcomed the publication last week of a consultation paper by IOSCO, the International Organisation of Securities Commissioners which addresses.

A differentiated approach

The Director spent a significant portion of his speech discussing the different purposes and uses for cryptographic techniques and Decentralised Finance ("DeFi"). He focused heavily on “unbacked crypto”, flagging the Central Bank's main concerns around them particularly where they are treated as if they are value-related investments. He welcomed the recent publication of the European Commission’s Retail Investment Package which contains proposals for imposing more liability on social media influencers and on the companies that pay them for promotion of and recommendations for financial products and services. He explained that "this is an approach that could have real value in the context of speculative crypto products heavily promoted to retail customers".

The following are some additional comments worth noting:

• regarding "backed crypto" he explained that where a crypto product purports to be backed by meaningful assets, and where this is reliably and effectively done, there is the potential for meaningful purposes and uses to be developed;
• regarding Tokenisation, he described this as a "really interesting field of current exploration" but cautioned that consideration needs to be had as to how these innovations will interact with current regulatory frameworks; and
• regarding DeFi, he explained how it had been excluded from the scope of the recently agreed Markets in Crypto Asset regulation ("MiCA") as it was believed that greater clarity on how best to regulate DeFi was needed. He flagged however the requirement under MiCA to deliver a report on DeFi 18 months after it goes live. This coupled with the International Organisation of Securities Commissioners decision to establish a dedicated Working Group on the topic are welcome initiatives to gain more detail on how risks posed by DeFi.

MiCA

The Director explained that MiCA represents the first step in regulating crypto and confirms that  the Central Bank, together with the Department of Finance, has been closely involved in MiCA's finalisation. He detailed the key aims of MiCA as they apply to E-Money Tokens, Asset Referenced Tokens and Crypto Asset Service Providers ("CASPs") and highlighted the need for focus on the climate impact of crypto.  Additionally, he outlined the timelines regarding the various implementation periods explaining that the Central Bank is currently engaged with the Department of Finance on the potential transition phase of up to 18 months for CASPs already operating in accordance with applicable law. He explained that the Department of Finance will consult on the exercise of this discretion in due course. 

Area of concern for the Central Bank

The Director concluded his speech by stressing the importance of coordination and consistency across Europe as Member States move to implement MiCA. He stressed that the Central Bank believes that there is a "real risk of sub-optimal outcomes if this is not given the attention that it deserves starting now". He emphasised that there can be no room for "jurisdiction shopping based on actual or perceived differences in approach" to implementation. In this regard he mooted the possibility of a similar mechanism to ESMA's Supervisory Coordination Network established during the Brexit-related migrations to drive consistency, to be considered by the EBA for crypto-related applications during the current period leading up to MiCA implementation. 

2. “Preventing Financial Crime in a Rapidly Changing Environment: A Regulator’s View” - Remarks by Seána Cunningham, Director of Enforcement and Anti-Money Laundering, at European Anti-Financial Crime Summit

On 25 May 2023, Seána Cunningham, Director of Enforcement and Anti-Money Laundering ("AML") at the Central Bank of Ireland ("Central Bank"), delivered a speech entitled "Preventing Financial Crime in a Rapidly Changing Environment: A Regulator's View" at the European Anti-Financial Crime Summit.

At the beginning of her speech the Director identified three ways in which the Central Bank can counter the challenges it faces in the area of financial crime. They include recognising shared goals and valuing collective effort; raising awareness and being vigilant; understanding the changing risks. Her speech addressed each of these topics in turn.

Sharing goals and collective efforts:

The Director explained that responsibility for preventing financial crime, money laundering and terrorist financing involves a wide range of stakeholders such as policy-makers, regulators, law enforcement, financial intelligence, and private sector firms. From the Central Bank's perspective, it plays its part by ensuring that AML regulation is well designed, understood and effectively implemented by firms. It does this through supervision on a risk-based approach that protects the system, its users and the wider economy. Additionally, she detailed the work which the Central Bank does with An Garda Síochána, policy-makers and peers at a domestic level, as well as in Europe and as part of a global network.

The Director emphasised that the Central Bank's primary aim in supervising firms is to drive high standards and ensure effective risk mitigation measures are in place; it is not to spot minor deficiencies or catch firms out. She stressed that by adjusting mind-sets to thinking “we are working collectively towards a shared goal of preventing money laundering and terrorist financing in our society”, we will all be more effective.

Additionally, the Director explained that the wide range of authorities in the AML framework, nationally and internationally, has led to "well documented findings of supervisory fragmentation that challenges the effectiveness of the system", something which criminals have exploited. Against this background, the Director welcomes the EU AML and countering the financing of terrorism ("CFT") Action Plan and the proposed new Anti-Money Laundering Authority which offers an opportunity to drive better coordination, high standards and effective effort across Europe.

Awareness and vigilance:

The Director highlighted the increased prevalence of online and telephone scams which prey on people's vulnerabilities particularly at the moment in the height of the cost of living crisis. While acknowledging that the Central Bank does not have a role in the investigation of fraud, it does have a role in investigating unauthorised providers of financial services. The Director explains that prevention of these crimes can be achieved through communications, raised awareness and education. The Central Bank also coordinates with An Garda Síochána and other agencies in this regard. She concludes that "The ultimate aim of the financial community, it is argued, should be that people are better equipped to recognise, avoid and report frauds for criminal investigation. "

The Director also drew attention to another important area which requires vigilance and that is financial markets activity in Ireland and the risk of market abuse. Market abuse, she explains, fundamentally undermines the efficiency, transparency and integrity of the markets and the financial system. The Director emphasised the importance of  collaboration, reporting and information sharing for regulators and law enforcement agencies in the fight against market abuse.

Changing Risks:

The risks from financial crime are quickly evolving and changing. The Director advised firms that a comprehensive understanding of the money laundering and terrorist financing risks to which their businesses are exposed to is key to the development of an effective AML/CFT risk management framework. In particular, she stressed the importance of firms having the right people in place; the new Preapproval Controlled Function 52 role is reflective of this.

The Director used the financial sanctions against Russia in the aftermath of the invasion of Ukraine as a recent example of changing risks and emphasised the importance of firms and businesses understanding the sanctions regime and the risks associated with not complying with the regulations.

The Director also stressed that the Central Bank and other AML/CFT regulators are also facing rapidly changing risks, particularly in ways in which financial services are provided and how financial markets operate. She confirmed that as a result of this, part of the Central Bank's strategy is to enhance its regulatory and supervisory approach to be more data-driven, intelligence-led and scalable.

3. Other Notable Central Bank Updates

The Central Bank of Ireland publishes its Annual Report 2022 and Annual Performance Statement 2022 - 2023

On 24 May 2023, The Central Bank of Ireland ("Central Bank") published its Annual Report 2022 and Annual Performance Statement 2022 - 2023.

The Annual Report and Annual Performance Statement details the Central Bank's progress in delivering its mandate over the course of 2022. The Governor of the Central Bank on the publication of the Report, explained that he was pleased with the level of progress made particularly given the challenging nature of the year.

The Annual Report and Annual Performance Statement outline some of the Central Bank's key achievements of 2022 including:

• the completion of the Mortgage Measures Framework Review in October 2022 with the announcement of a refreshed framework, including targeted changes to the calibration of the measures;
• deepening stakeholder engagement through a more structured framework, including the inaugural Financial System Conference, which brought together stakeholders from Ireland and across the EU to discuss and debate the driving forces shaping the financial system;
• the launch of the Central Bank's Consumer Protection Code Review discussion paper, leveraging opportunities across a range of channels including digital and social;
• the conclusion of all tracker-related firm investigations;
• the announcement of a new macroprudential policy framework for Irish property funds, introducing new limits on leverage and guidance on liquidity timeframes for Irish property funds in November 2022; and
• continued efforts to strengthen the resilience of firms to climate-related and transition risks by enhancing the Central Bank's supervisory approach. A new hub and spokes model was operationalised within the Central Bank in 2022 for this purpose. The Climate Change Unit forms the hub, and the spokes comprise of the relevant business areas working on climate-related issues.

Looking forward, the Annual Report and Annual Performance Statement states that 2023 will prove to be as testing as 2022 due to the macro-financial environment and the ongoing challenges stemming from Russia's war and the changing shape of global economic relationships. The Central Bank's main objective is to ensure that the financial system operates to support the economy and the interests of the consumers. To achieve this, the Central Bank's key activities include

• the effective implementation of the of the European Central Bank's monetary policy in order to deliver price stability;
• completing the review of the Consumer Protection Code;
• continuing to play a leadership role in global policy development on the regulation of funds;
• launching a review of its Innovation Hub: and
• introducing the new Individual Accountability Framework.

Central Bank of Ireland Safeguarding Notice for Payment and E-Money Firms

As reported in the FIG Top 5 at 5 on 25 January 2023, on 20 January 2023, the Central Bank of Ireland ("Central Bank") issued a Dear CEO Letter ("Dear CEO Letter") to Payment and Electronic-Money ("E-money") firms on its findings and expectations regarding deficiencies identified by the Central Bank in the governance, risk management and control frameworks of some firms in the sector.

Audit confirmation

Due to the number of safeguarding issues identified, the Dear CEO Letter required that all Payment and E-Money firms, which are required to safeguard users’ funds, obtain a specific audit of their compliance with the safeguarding requirements in accordance with what the Central Bank sets out in the Dear CEO Letter and submit same together with a Board response on the outcome of the audit, to the Central Bank by 31 July 2023. The Central Bank subsequently extended the deadline to 31 October 2023 to allow for sufficient time for Chartered Accountants Ireland ("CAI") to develop guidance for their members.

On 25 May 2023, the Central Bank published a Safeguarding Notice for Payment and E-money Firms which clarifies the nature of the specific audit of compliance with the safeguarding requirements as required in the Dear CEO Letter and includes detail of the format the exercise should take. The Safeguarding Notice notes this that format has been agreed with CAI and that CAI will issue guidance to their members on performing these engagements in due course.

The Safeguarding Notice reminds firms that, as previously communicated, the reports should be submitted by each firm to the Central Bank by 31 October 2023.

Central Bank of Ireland publishes results of the Digitalisation in Insurance Survey

On 26 May 2023, the Central Bank of Ireland (the "Central Bank") published the results of its Digitalisation in Insurance Survey ("Survey"). The Survey was issued in October 2022 to a sample of regulated firms across all insurance sectors to gain a better understand the extent to which Irish insurers are using technological innovations as part of their business models and operations, how they are managing digitalisation risks and to identify key opportunities, risks and challenges associated with digitalisation.

Findings

The Central Bank notes that the Survey results indicate that:

• the majority of insurers (who responded to the Survey) are undertaking, or plan to undertake, initiatives to digitalise business models, however, the Irish insurance sector appears to be at a relatively early stage of this process;
• digital maturity appears moderate and somewhat concentrated in more established digital technologies at present;
• an initial focus of digitalisation is on improving the efficiency of processes within the firm;
• firms will continue to digitalise over the next three years at a steady pace with incremental, rather than transformational, change over the period;
• digitalisation may create significant dependencies on the wider group and on third parties. The Central Bank notes that it is important that the risks to critical business services created by these relationships are identified and managed in line with Central Bank guidance;
• digitalisation will give rise to new risks and challenges for firms but may also provide significant opportunities for both firms and consumers; and
• while some good governance and risk management practices were identified, some firms may need to reflect on the appropriateness of their overall approach to the management of digitalisation risks.

Next Steps

The Central Bank notes that increasing digitalisation presents significant opportunities across the insurance sector. However, cautions that these opportunities come with a "responsibility for effective management of the risks associated with digitalisation". The Central Bank acknowledges that the extent of digitalisation may vary significantly from firm to firm, however, notes that "a clear strategy and robust oversight (including at board level) remain of fundamental importance". The Central Bank highlighted in particular:

• the importance of the sustainability of business models over the longer term to be given due consideration by all firms, particularly in the context of increasing digitalisation;
• although examples of sound governance and risk management practices were indicated, some firms may need to reflect on the appropriateness of their overall approach to the management of digitalisation risks, to ensure continued adherence with relevant requirements; and
• where key technologies such as cloud computing and artificial intelligence are facilitated by a relationship with group or other third parties, the risks created by these relationships should be identified and managed in accordance with Central Bank guidance.

The Central Bank notes that it will "continue its work to expand its understanding of the nature and extent of digitalisation in the insurance sector, with the insights from the Survey informing Central Bank supervision".

The Central Bank advised that firms can expect to see an increased focus from supervisors on how insurance business models, governance and risk management will evolve to take account of digitalisation and there will be engagement from the Central Bank in relation to the individual findings of the Survey and, more generally, on key themes arising out of the work.

4. European Commission adopts Retail Investment Package

On 24 May 2023, the European Commission ("Commission") adopted a retail investment package ( "Package") which aims to "empower retail investors to make investment decisions that are aligned with their needs and preferences, ensuring that they are treated fairly and duly protected".

The package is in response to one of the key objectives of the Commission's 2020 Capital Markets Union ("CMU") action plan for a strategy for retail investments in Europe, aimed at ensuring that "retail investors can take full advantage of capital markets and that they are supported by rules that are coherent across all relevant legal instruments".

The package includes a proposal for an Omnibus Directive amending the existing investor protection rules set out in Directive 2009/138/EC ("Solvency II"); Directive (EU) 2016/97 ("Insurance Distribution Directive"); Directive 2014/65/EU ("MiFID II"); Directive 2009/65/EC ("UCITS Directive") and Directive 2011/61/EU ("AIFMD") together with a second proposal for a Regulation amending Regulation (EU) No 1286/2014 ("PRIIPs Regulation").

The Commission notes that the investor protection rules are being updated as the current rules as set out across sector specific legislation can differ and sometimes be inconsistent, which can lead to confusion for retail investors. In addition, the Commission also acknowledges that digitalisation has led to "changes in distribution models and to new forms of marketing for financial instruments towards retail clients".

The Commission's press release outlines that the package includes the following measures to:

• improve the way information is provided to retail investors about investment products and services;
• increase transparency and comparability of costs by requiring the use of a standard presentation and terminology on costs;
• ensure that all retail clients receive at least annually, a clear view of the investment performance of their portfolio; 
• address potential conflicts of interest in the distribution of investment products by banning inducements for "execution-only” sales and ensuring that financial advice is aligned with retail investors' best interests. Stricter safeguards and transparency will also be introduced where inducements are allowed;
• protect retail investors from misleading marketing by ensuring that financial intermediaries are fully responsible for the use (and misuse) of their marketing communication, including where it is made via social media, or via celebrities or other third parties they remunerate or incentivise;
• preserve high standards of professional qualifications for financial advisors;
• empower consumers to make better financial decisions, by encouraging Member States to implement national measures that can support citizens' financial literacy;
• reduce administrative burdens and improve the accessibility of products and services for sophisticated retail investors, by making the eligibility criteria to become a professional investor more proportionate; and
• enhance supervisory cooperation  to ensure that rules are properly and effectively applied in a coherent manner across the EU and to jointly fight fraud and malpractices. 

Other notable investment updates

• ESMA highlights risks arising from investment firms providing unregulated products and services
• European Commission adopts Delegated Regulation containing RTS on Pillar 2 add-ons for investment firms under IFD
• Final ESMA report on market outages

5. Operational Resilience

ESAs launch discussion on criteria for critical ICT third-party service providers and oversight fees

On 26 May 2023, the European Supervisory Authorities (European Banking Authority ("EBA"), European Insurance and Occupational Pensions Authority ("EIOPA") and European Securities and Markets Authority ("ESMA") (together the "ESAs") published a joint Discussion Paper which follows the European Commission’s ("Commission") request for technical advice on the criteria for critical ICT third-party providers ("CTPPs") and the oversight fees to be levied on them under the Digital Operational Resilience Act ("DORA").

The purpose of the Discussion Paper is to consult market participants on the ESAs’ proposals on the specific issues listed in the Commission's call for technical advice. The Discussion Paper is separated into two parts:

• The first part of the Discussion Paper includes proposals covering the criteria to be considered by the ESAs when assessing the critical nature of CTPPs - in particular, a number of relevant quantitative and qualitative indicators for each of the criticality criteria, along with the necessary information to construct such indicators.
  
  The Discussion Paper highlights that these proposals relate to the identification of indicators relevant to assessing criticality and not to the methodology for that assessment. The expected type and total number of CTPPs, the details of the designation procedure as well as the related methodology, are explicitly excluded from the Discussion Paper and will be defined at a later stage in the context of the implementation of the oversight framework.

• The second part includes proposals in relation to the amount of the fees levied on CTPPs and the way in which they are to be paid - in particular the types of expenditure that shall be covered by fees as well as the appropriate method, basis and information for determining the applicable turnover of the CTPPs, which will form the basis of fee calculation. This part also includes input on the fee calculation method and other practical issues regarding the payment of fees.

Next steps

The consultation on the Discussion Paper closes on 23 June 2023. The feedback from the consultation will inform the  ESAs technical advice to Commission which must be provided by 30 September 2023.

IAIS publishes Paper on Insurance Sector Operational Resilience

On 23 May 2023, the International Association of Insurance Supervisors ("IAIS") published its final Issues Paper on Insurance Sector Operational Resilience ("Issues Paper") following consultation in November 2022. The Issues Paper identifies issues impacting operational resilience in the insurance sector and provides examples of how supervisors are approaching these developments, with consideration of lessons learnt during the Covid-19 pandemic.

Recognising that operational resilience is a broad and evolving area, the Issues Paper addresses the following three topics:

• Cyber resilience;
• Third-party outsourcing; and
• Business Continuity Management.

The paper is structured as follows:

• Section 2: provides an overview of the general applicability of the Insurance Core Principles (ICPs) to the topic of operational resilience as well as to the three key sub-topics of focus.
• Sections 3.1 and 3.2: outline overarching issues, focusing in particular on the importance of sound governance to effective operational risk management, and the benefits of information sharing including public/private collaboration.
• Section 3.3: considers challenges associated with assessing the quality of the framework established by an entity to deliver on cyber resilience, including existing tools and metrics available to supervisors.
• Section 3.4: outlines challenges associated with assessing risks arising from concentration as a critical issue, given the increased complexity of the financial sector and the reliance on IT third party outsourcing.
• Section 3.5: sets out the challenges associated with the need for BCM approaches to evolve to meet the realities of today’s environment, including in response to the pandemic.
• Section 4: outlines a number of aspects of the risks related to cyber resilience, IT third-party outsourcing and BCM that may benefit from future consideration or further analysis by insurance supervisors.