1. Opening Remarks by Director of Consumer Protection at the Central Bank of Ireland, Colm Kincaid, at Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach
On 12 July 2023, Colm Kincaid, Director of Consumer Protection at the Central Bank of Ireland ("Central Bank"), gave a speech at the Oireachtas Committee on Finance, Public Expenditure and Reform and Taoiseach ("Committee") addressing the issue of authorised push payment fraud.
The Role of a Safe, Resilient and Efficient Payment System
At the outset, Mr Kincaid noted that speed and innovation have shaped the payment landscape for consumers and businesses, and Ireland has seen the benefits of these trends and of its integration into the EU payments system under SEPA. In order for these systems to function, trust must be maintained to achieve the common goal of the Central Bank and the European Central Bank ("ECB") "to guarantee that people have access to efficient payment solutions that meet their preferences and to ensure that transactions remain safe, underpinning confidence in our currency and the functioning of our economy".
Mr Kincaid acknowledged that legislation, particularly the Payments Services Directive ("PSD2"), supports this goal by formalising payment security requirements in national law, including strong consumer authentication, and reimbursement for unauthorised payment fraud. This regulatory framework will increase the confidence of consumers and businesses, which has already been seen in the increase in digital payment activity.
Enhancing EU Legislation to address Authorised Push Payment Fraud
As digitalisation has grown, fraud has become more sophisticated, including through the use of social engineering tactics to defraud consumers into making authorised push payments ("APP"). While liability for unauthorised payment fraud falls on the payment service provider, liability for APP is not set out in the PSD2 Framework. This gap was identified in the European Banking Authority's ("EBA") June 2022 report to the European Commission ("Commission").
In response, the Commission proposed to extend liability to cover authorised push payments where:
- An IBAN discrepancy is detected but not notified to the payer; and
- The fraud involved impersonation of a bank employee.
The Central Bank’s regulation of firms under current legislation
Mr Kincaid repeated the Central Bank's expectations on regulated firms, as outlined in the Consumer Protection Outlook Report for 2023 (see FIG Top 5 at 5 of X 2023 for detail), to:
- have effective measures to mitigate the risk of fraud;
- be proactive in identifying and dealing with cases of fraud; and
- engage effectively with consumers who have been the victims of fraud (including taking steps to support victims of APP fraud to retrieve their funds where possible).
He advised that, to the extent consumers' loss from APP fraud arises from a failure in a payment service provider’s own established systems and controls, there will be cases where firms should compensate consumers. The Central Bank is also considering, as part of the ongoing review of the Consumer Protection Code, what policy measures can be introduced to contribute to the protection of consumers in a digital environment. These include:
- requirements on the design of digital platforms;
- firms’ systems and controls; and
- on-line security standards.
The Need for Co-ordinated Action
Mr Kincaid emphasised that an industry-wide, coordinated approach is needed due to the sophisticated and multi-dimensional nature of APP fraud. Initiatives in France promote sharing and consultation between all relevant parties such as consumer representatives, ombudsmen, law enforcement and regulators. Mr Kincaid would welcome the opportunity for participation of all relevant stakeholders here in the future.
Other measures such as coordinated IBAN checks are also needed to ensure the overall functioning of the system and the protection of customers' interests. Public awareness of fraud should also be a combined effort, as well as Government adopting a national strategy on financial literacy.
Reimbursement and Liability
Mr Kincaid noted that the Central Bank is "clear that firms should take steps to seek to recover funds for consumers, and should compensate consumers to the extent any loss arises from a failure in the firm’s own established systems and controls" and he is supportive of the Commission's proposal to expand reimbursement of APP fraud cases.
Mr Kincaid notes that the question of who should bear the cost of APP fraud if consumers are to be fully reimbursed in all cases is a social policy question requiring careful consideration and the inclusion of all parties involved, such as the communication mechanisms, including social media, through which APP fraud is carried out.
Discussions between the Committee and the Banking and Payments Federation Ireland ("BPFI") regarding a voluntary reimbursement arrangement, similar to that in the UK, were welcomed by Mr Kincaid, who acknowledged that such an initiative must be properly calibrated. He proposed that such an initiative would be most effective as part of a wider engagement with fraud prevention including actors outside the banking and payment sector. This would also support the development of the proposed shared fraud database which would benefit relevant stakeholders in combatting and preventing fraud across the financial system.
Mr Kincaid noted that cooperation between EU regulatory authorities, State law enforcement and the Central Bank is needed. He welcomed the Commission's proposals to enhance the EU framework and notes the Central Bank stands ready to play its part in any future enhancements to the framework at EU or national level.
In the meantime, he advised that the Central Bank's expectations of regulated firms are to:
- have effective systems in place to identify and prevent fraud;
- support those who fall victim to fraud including APP fraud;
- in cases of APP fraud, to take steps to trace and recover money lost where possible; and
- responsibly compensate consumers where the firm's failure of its established systems and controls has caused the consumer's loss.
2. NCID Mid-Year Data Release Employers' Liability and Public Liability Insurance
On 13 July 2023, the Central Bank of Ireland ("Central Bank") published the National Claims Information Database ("NCID") figures on the cost of insurance claims under employers' liability and public liability for the first half of 2022. These figures include the information on claims that have been settled under the Personal Injury Guidelines ("Guidelines"), which came into force in April 2021. It is the first time a mid-year report has been published.
Overall Findings for H1 2022
- The total cost of settled injury claims fell 12% below the 2015-2019 average ("pre-Covid average");
- 22% of injury claims settled under the Guidelines;
- There was a 25% reduction in the total number of settled claims compared to the pre-Covid average;
- For claims settled directly with the insurer, average costs were 1% lower than the pre-Covid average;
- For claims settled with the Personal Injuries Assessment Board ("PIAB"), they were 20% lower than the pre-Covid average; and
- The average claim cost settled via litigation was 3% higher than the pre-Covid average.
Average Compensation Costs
The average compensation figures for H1 2022 were:
- Direct: €18,671 compared with €20,126 for the pre-Covid average;
- PIAB: €23,464 compared with €30,772 for the pre-Covid average; and
- Litigated: €51,078 compared with €51,804 for the pre-Covid average.
Despite the significant reduction in cases settled directly and through PIAB, the reduction in the overall cost of settled injury claims was only 12%. This was because litigation had a small increase in both the number of claims and average cost of claims and accounted for the majority of claims (71%) and claim costs (89%).
Average length of claim under the Guidelines
- Direct before PIAB: 1.5 years to settle and 66% settled under the Guidelines;
- Through PIAB: 2 years to settle and 85% settled under the Guidelines;
- After PIAB: 2.2 years to settle and 59% settled under the Guidelines; and
- Litigation: 4.8 years to settle claims and 3% settled under the Guidelines.
The Guidelines were used to settle 22% of injury claims in H1 2022. The majority of claimants who settled under the Guidelines did so via the Direct and PIAB channels, with only 3% of Litigated claims settling under the Guidelines. The Guidelines came into force in April 2021 and the cut-off date for data for this report was 30 June 2022, thus giving little time for Litigated claims to settle.
Impact of the Guidelines on Claim Costs
This comparison has been made against 2020 figures, as 2020 was the last year in which all claims were settled via the Book of Quantum.
- Direct before PIAB: €14,916 - 37% vs 2020
- PIAB: €20,739 - 35% vs 2020
- After PIAB: €17,413 - 54% vs 2020
The Central Bank Report suggests that the data may indicate that the claims settled under the Guidelines are biased towards less severe and complex cases compared to claims settled in 2020.
The Central Bank Report indicates that the Guidelines have not materially impacted on litigated claims due to the longer period of time to conclude a case, and it will take time before the Guidelines will take effect in this Settlement Channel.
Consequently, the Report notes that the overall impact of the Guidelines is limited as Litigated claims represent the largest proportion of total claims and have not been substantively impacted by the Guidelines.
Jennifer Carroll MacNeill, Minister of State for Financial Services, Credit Unions and Insurance, welcomed the Mid-Year Data Release and noted that the Guidelines are having a significant impact on claims settled. Minister Carroll MacNeill identified two key takeaways from the Data Release:
- The Guidelines have seen a reduction in between a third and a half of claims, compared to the Book of Quantum, and that the full benefits will be seen as the older cases pass through the litigation process; and
- Claims settled by litigation take longer and cost more than those settled through PIAB. This consistent finding has enabled the Government to develop legislation that strengthens PIAB and increases settlements through PIAB.
Minister Carroll MacNeill also commented that, following the recent amendments to the Occupier's Liability Act to reform the 'duty of care', she has written to the major insurance companies in Ireland about their plans to reflect this legal change. In order to drive competition in the marketplace, she has also contacted international insurance firms regarding their plans to expand into the Irish market.
3. EU Insurance updates
EIOPA publishes paper on methodological principles of insurance stress testing of cyber risks
On 11 July 2023, the European Insurance and Occupational Pensions Authority ("EIOPA") published its fourth discussion paper in its series of papers on methodological principles of insurance stress testing, which focuses on the cyber risk component.
The discussion paper, which takes into account feedback received on the third discussion paper in the series on cyber risk from November 2022, contains theoretical and practical rules to support the design phase of future insurance stress tests focusing on cyber risk.
EIOPA stresses that the paper should be considered a reference guide for the design of future stress tests which focus on cyber risk and should not be considered to be fully developed technical specifications for a stress test. In addition, EIOPA notes that the scope of the discussion paper does not include the operational resilience testing set out under the Digital Operational Resilience Act ("DORA").
The discussion paper focuses on two key areas:
- Cyber resilience: the capability of an insurance undertaking to sustain the financial effect of an adverse cyber-event; and
- Cyber underwriting risk: the capability of an insurance undertaking to sustain from a capital and solvency perspective the financial impact of the materialisation of an extreme but plausible adverse cyber scenario impacting the insurance coverages contained in the liability portfolios.
Scope and criteria for stress test
EIOPA notes that, in determining the scope for a stress test exercise, it must be strictly related to its objective. For example, in cyber resilience scenarios, targeting group undertakings may be more useful if the aim is to assess the impact on financial stability, as it will also extend to non-insurance entities within the group. On the other hand, for cyber underwriting scenarios, targeting solo undertakings can help analyse the impact on various coverages or lines of business.
A number of criteria should also be considered in addition to the traditional stress test, depending on the risk being assessed.
For cyber resilience risk, consideration should be given to factors such as:
- Undertakings engaged in critical functions;
- Exposure to critical ICT third party service providers;
- Potential impact of a cyber-scenario on non-insurance entities of the group providing essential services to the insurance activity; and
- Number of employees as a size based metric.
For cyber underwriting risk, consideration should be given to:
- The type of affirmative cyber insurance market coverage; and
- The existence of silent cyber exposures.
European Parliament's ECON votes to adopt draft reports on proposals amending Solvency II and establishing the IRRD
On 18 July 2023, the European Parliament's Economic and Monetary Affairs Committee ("ECON") published a document on the result of votes on the European Commission's ("Commission") legislative proposals for a:
- Directive to amend Directive 2009/138/EC ("Solvency II") as regards Proportionality, Quality of Supervision, Reporting, Long-term Guarantee Measures, Macro-prudential Tools, Sustainability Risks, Group and Cross-border Supervision (the "Solvency II amending Directive"); and
- Directive Establishing a Framework for the Recovery and Resolution of Insurance and Reinsurance Undertakings ("IRRD").
These proposals are in direct response to the Commission’s review of Solvency II.
Solvency II amending Directive
This proposal seeks to make several amendments to Solvency II, including in relation to changes to the proportionality principle, macroprudential considerations, climate change considerations, reporting requirements, long term guarantee measures, group and cross-border supervision and updating legislative references.
55 voted in favour of the Solvency II amending Directive with three votes against it and one abstention.
The aim of the IRRD proposal is to ensure that insurers and relevant authorities in the EU are better prepared in cases of significant financial distress by requiring insurers to prepare pre-emptive recovery plans, establishing insurance resolution authorities, identifying the resolution tools which can be used by resolution authorities and requiring these authorities to prepare resolution plans in respect of certain (re)insurance undertakings.
44 voted in favour of establishing a framework for the recovery and resolution of insurance and reinsurance undertakings, with 7 votes against it and 8 abstentions.
4. ESMA Final Report on revised technical standards for passporting
On 11 July 2023, the European Securities and Markets Authority ("ESMA") published its Final Report on revised technical standards ("RTS") and implementing technical standards ("ITS") for passporting under Article 34 of Directive 2014/65/EU (the "Markets in Financial Instruments Directive" or "MiFID II") ("Final Report") following its November 2022 consultation on proposals for the review of the existing RTS and ITS.
The Final Report contains draft technical standards:
- specifying the information to be notified by, inter alia, investment firms wishing to provide cross-border services without the establishment of a branch; and
- establishing standard forms, templates and procedures for the transmission of information in this respect.
Shortcomings regarding the practical implementation of the freedom to provide services ("FPS") under Article 34 of MiFID II were identified and instances were highlighted where improvements to RTS and ITS could be made to help national competent authorities ("NCAs") to fulfil their supervisory objectives.
The consultation proposed a number of changes to the existing RTS and ITS by increasing the information that must be provided by investment firms at the passporting stage including:
- the means of marketing that the investment firm will use in the host State;
- the languages in which the investment firm has established necessary arrangements to deal with complaints from the clients of the Member States in which it provides services;
- the Member States in which the firm will actively use its passport and the categories of target clients; and
- the investment firm's internal organisation in relation to the cross-border activities of the firm.
Within the Final Report, ESMA also published a feedback statement to the consultation which summarises ESMA's responses and provides some clarifications to the feedback received from stakeholders. Three of the four responses received to the consultation were supportive of the changes. The fourth opposed it on the basis that it was "a first step to undermine the EU passporting process and to remove the distinction between freedom to provide services and the freedom of establishment". In response, ESMA stated that the changes are to bolster the FPS regime, and that they in no way undermine or question the regime or the allocation of supervisory responsibilities. The purpose of the changes is to ensure that the home NCA receives, at the passport stage, the information necessary to make better decisions on the allocation of its supervisory resources and focus. The home NCA will be able to appropriately supervise investment firms' cross-border activity. The passporting notifications are also provided to the host NCA so that it knows which investment firms are targeting clients in its jurisdiction. The allocation of supervisory responsibilities to host and home NCAs is in no way altered.
In accordance with Articles 10 and 15 of Regulation (EU) 1095/2010, the draft technical standards have been submitted to the European Commission ("Commission") for adoption. Further advice and technical guidance will be provided if the Commission decides to proceed with the review.
5. EU Crypto-assets Updates
EBA and ESMA consult on their first set of RTS and ITS under MiCA
On 12 July 2023, the European Banking Authority ("EBA") and the European Securities and Markets Authority ("ESMA") published consultations on their first set of regulatory technical standards ("RTS") and implementing technical standards ("ITS") under the Markets in Crypto-Assets Regulation ("MiCA").
The EBA has published three consultation papers:
- The first is on a set of draft RTS on information to be contained in an application for authorisation to offer to the public and to seek admission to trading of ARTs and draft ITS on standard forms, templates and procedures for the information to be included in the application. The RTS lay down the information requirements to be included when applying for authorisation to offer to the public or admission to trading of ARTs. The draft ITS set out the standard application letter and the application template, and clarify the process relating to the assessment of completeness of the application by the competent authority.
- The second is on draft RTS on the detailed content of information necessary to carry out the assessment of a proposed acquisition of qualifying holdings in issuers of ARTs. These RTS clarify the information requirements that are necessary for an assessment of a proposed acquisition of qualifying holdings in issuers of ARTs. This information covers five criteria relating to (a) the reputation of the proposed acquirer, (b) the suitability of any person who will direct the target undertaking, (c) the financial soundness of the proposed acquirer, (d) the sound and prudent management of the target undertaking following the acquisition and (e) suspicion that money laundering or terrorist financing is committed or attempted or that it may increase following the acquisition.
- The final consultation paper contains draft RTS on the requirements, templates and procedures for handling complaints under MiCA. The RTS set out definitions of complaints and complainants, requirements related to the complaints management policy and function, provision of information to holders of ARTs and on templates and recording. In addition, they include requirements on the procedure to investigate complaints and to communicate the outcome of the investigations to complainants and specific provisions for complaints handling involving third-party entities.
The consultations are open for feedback until 12 October 2023.
ESMA's consultation package, which is the first of three consultation packages, includes five RTS and two ITS under MiCA:
- RTS on the notification by certain financial entities of their intention to provide crypto-asset services;
- ITS on standard forms, templates and procedures for the notification by certain financial entities of their intention to provide crypto-asset services;
- RTS on authorisation of crypto-asset service providers;
- ITS on standard forms, templates and procedures for authorisation of crypto-asset service providers;
- RTS on complaints handling by crypto-asset service providers;
- RTS on identification, prevention, management and disclosure of conflicts of interest; and
- RTS on the proposed acquisition of a qualifying holding in a crypto-asset service provider.
The package covers the content, forms and templates for notification by certain financial entities, content, forms and templates for the application for authorisation of Crypto Assets Service Providers ("CASPs"), the complaint-handling procedure, the identification, prevention, management and disclosure of conflicts of interest by CASPs and the assessment of intended acquisition of qualifying holdings requirements.
Speaking on publication of the consultation, Verena Ross, Chair of ESMA, said that ESMA is "determined to ensure entities involved in crypto-asset related activities understand that the EU is not a place for forum-shopping" and reminded consumers that, "even with the implementation of MiCA, there will be no such thing as a safe crypto-asset."
The consultation is open for feedback until 20 September 2023. ESMA notes it will consider the feedback received and expects to publish a final report and submit the draft technical standards to the European Commission for endorsement by 30 June 2024 at the latest.
EBA statement encouraging timely preparatory steps towards the application of MiCA to asset-referenced and electronic money tokens
On 12 July 2023, the European Banking Authority ("EBA") published a statement for the attention of financial institutions and other undertakings ("firms") who intend to commence, or have commenced, asset-referenced token ("ART") or electronic money token ("EMT") activities prior to the application date of Regulation (EU) 2023/1114 on Markets in Crypto-assets ("MiCA").
The MiCA provisions relating to ARTs and EMTs will be applicable from 30 June 2024.
The statement is intended to encourage timely preparatory actions by firms prior to the application of MiCA for ARTs and EMTs and includes ‘guiding principles’ for firms carrying out ART/EMT activities to have regard to until the application date, including:
- disclosures to, and fair treatment of, potential acquirers and holders of ARTs and EMTs;
- the business model;
- sound governance, including effective risk management;
- reserve, recovery and redemption arrangements; and
- communications with the relevant competent authority.
In addition, accompanying the statement is a template that the EBA encourages firms carrying out, or intending to carry out, ART/EMT activities to communicate, on a timely basis, to their relevant competent authority.
The EBA also reminds consumers that, prior to the application date of MiCA, consumers do not benefit from the rights and protections set out in MiCA for ARTs and EMTs and directs consumers to the joint-ESA warning on the risks of crypto-assets.