FIG Top 5 at 5 - 28/09/2023

1. Central Bank of Ireland Insurance Quarterly Newsletter- September 2023

On 25 September 2023, the Central Bank of Ireland ("Central Bank") published the latest edition of its quarterly Insurance Newsletter ("Newsletter"). The Insurance Quarterly Newsletter is an important communication tool used by the Central Bank to convey news and insights relevant to the insurance sector as well as the Central Bank’s expectations and priorities around existing requirements and views on future developments.

Some key highlights from this edition include:

Reflections on Reserving

The Central Bank explains that against the background of market uncertainty, robust and well-governed processes and practices are the key foundation for reserving exercises. As a result, as part of its ongoing supervisory activities, the Central Bank has placed heightened focus on reserving practices which has identified a number of areas for monitoring and improvement. These include:

• the need for firms to reflect on their own expert judgement framework and consider whether it could be strengthened by the adoption of an expert judgements log;
• in respect of the validation of technical reserves, the Central Bank has observed better practice where firms have reduced the extent of manual processes in reserving, by introducing automation to minimise the operational risk. Explaining that where there is material reliance on manual approaches to reserving, it may warrant further attention as part of the annual validation of technical provisions. The Central Bank also noted that where there is significant use of manual processes within reserving, the capital risk charge for operational risk in the Standard Formula may not fully reflect this risk. As a result, firms may need to consider the buffer that is required for uncertainty due to such operational risks, within its own solvency needs assessment;
• firms are reminded to continue to adopt a sound and prudent approach to rising inflation and encourages firms to quantify the impact of higher-for-longer inflation rates and to communicate this clearly to senior management and the board. Additionally, while inflation continues to be a concern, there will constant need to re-assess whether current methods are appropriate;
• when using external data in non-life reserving the Central Bank recommends following EIOPA's guidelines to understand and assess the basic risk and identifies a number of specific shortcomings which firms should have regard to.

ORSA Feedback Part 1 - Supervision of Climate Change Risk

Based on the Central Bank's review of firms’ ORSAs (received in 2022 and 2023 to date), materiality assessments, and quantitative analysis, it has made a number of observations in respect of the consideration of climate change risks by firms, a key strategic priority for the Central Bank. In particular, the Central Bank provides examples of what it terms "better practice" that it has observed through its engagement with firms and encourages firms to reflect on these points as they seek to develop and strengthen their response to climate change. These address the importance of materiality assessments and the benefit of developing quantitative climate analysis. The Central Bank concludes that while there have been some improvements to firms’ consideration of climate change, there is still more that can be done in this area.

For further details on the Central Bank's feedback statement and its final Guidance for (Re)Insurance Undertakings on Climate Change Risk, please see FIG Top 5 at 5 from 30 March 2023

ORSA Feedback 2 – Strategy and Reinsurance

The Central Bank also focused on two additional points from its recent ORSA review including:

• the linkage between the Business Strategy and Business Plans, and their consideration in the ORSA process; and
• the significant hardening of the international reinsurance market in recent renewal periods.

Regarding the former, the Central Bank recommends that firms clearly demonstrate, that the conclusions from the ORSA process are feeding into the strategic planning process, as well as the strategic decisions made by a firm on an on-going basis. It highlighted a number of observations which should be considered as part of the 2023 ORSA process including that the report should outline the actions done in order to complete the report.

With regard to the later, the Central Bank noted that while most firms considered the risk of reinsurance market hardening in their 2022 ORSAs, the stresses applied were not much more severe than actual experience. As a result, it explains that it expects to see a "more in-depth consideration of this risk" in the 2023 ORSAs. It also provided a number of specific points which firms should have regard to.

Data Ethics within Insurance

The Newsletter explains the context behind the Central Bank's recent work on data ethics within insurance which culminated in its report of the same name. The Central Bank explains that it will continue its work to expand its understanding of the nature and extent of the use of bid data and related technologies in the insurance sector and "will evolve its supervisory and policy approach accordingly".

 For further details on the Central Bank's Report on Data Ethics within Insurance, please see the FIG Top 5 at 5 from 10 August 2023.

EIOPA Statement on Governance in Third Country Branches

The Newsletter stresses the importance of EIOPA's supervisory statement on governance in third country branches and explains that it further supports and elaborates on the Central Bank's own expectations in this regard.  The Central Bank explains that it expects all regulated firms with third country branches to review their current business model in light of the supervisory statement. In particular, it states that firms should prepare an action plan, where necessary, which details the steps and a timeline to ensure compliance with the expectations. Firms should note that the action plan is to be available to the Central Bank for review, if requested.

Insurance Protection Gaps

The Newsletter provides a concise summary of the work which EIOPA has been carrying out to highlight insurance protection gaps since identifying it as a key issue which it will be focusing on in its 2023-2026 strategy. In particular, the Central Bank details EIOPA's Staff Paper on Measures to Address Demand Side Aspects of the Natural Catastrophe Protection Gap, which it published in July of this year and encourages interested stakeholders to provide feedback on the Staff Paper by 05 October 2023.

Product Oversight and Governance – Developments

The Newsletter highlights EIOPA's Peer Review Report on Product Oversight and Governance and the fact that one obligation arose for the Central Bank to create and then present a set of supervisory expectations covering all aspects of POGs which apply to Insurance-Based Investment Products. It did not provide any further detail on when this would happen.

For further details on EIOPA's Peer Review Report, please see Matheson's Insight.

Solvency II Review:

The Newsletter provided an update on the Solvency II Review explaining that the ECON proposal is likely to be adopted by the European Parliament by the end of September 2023 following which all parties will enter into trilogue negotiations.  While it is difficult to say with certainty what the timeline will be going forward, the Central Bank explains that it understands "that there is an ambition for the discussions to conclude by the end of 2023 – with an ultimate implementation date for the reforms to be on 1st January 2026". It does caution however that these dates are subject to change

National Specific Templates - Taxonomy Update

The Newsletter explains that the Central Bank is updating the taxonomy of its National Specific Templates. The updates are not to the information collected but to the underlying data dictionary. The revised taxonomy will be available from early November with the changes taking effect from 31 December 2023.  

2. Governor of the Central Bank of Ireland makes opening statement at the Joint Oireachtas Committee on Finance, Public Expenditure and Reform

On 20 September Gabriel Makhlouf, Governor of the Central Bank of Ireland ("Central Bank") delivered the opening statement at the Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach. His statement addressed:

• the outlook on the current and future Irish economy;
• how the current monetary policy is affecting lending, deposits and consumers; and
• the strength of Irish household in today's economic climate.

Of particular relevance to this audience are the Governor's comments on the Central Bank's work with  mortgage lenders to support customers and the pass through rates for Irish banks. In particular, he noted the measures introduced by firms to support their borrowers including:

• improvements to alarm systems so that when a customer is struggling it is brought to the bank's attention in the hope that they can assist the customer;
• increased resources for aiding customers where those circumstances arise;
• fixed rate alternative repayment arrangement supports options have been announced;
• improvements being made to communications with borrowers, particularly through outreach programmes aimed at specific groups of borrowers;
• introduction of a new system to support borrowers in switching mortgage lenders and increased coordination with MABS and mortgage brokers to enhance how the mortgage market operates for consumers.

While speaking positively about these changes, the Governor explained that the Central Bank will continue to work with firms to promote the borrower support schemes and to push for a fair system for consumers.

3. Irish Times interviews Dominique Laboureix, chair of the Single Resolution Board

On 20 September the Irish Times interviewed the chair of the Single Resolution Boards ("SRB"), Dominique Laboureix. Mr Laboureix discussed the SRB's focus on testing banks' recovery and resolution plans which will include onsite inspections.

Mr Laboureix explained that the resilience of euro-zone banks during the banking events earlier this year, was "not a question of luck", but instead was due to regulatory reforms and toolkits. He stated that since the establishment of the SRB, the resolvability levels of the euro-zone banks had continually increased. However, he also warned of the growing risks to the global banking sector in the form of cyber risks, digital finance, climate change and the macroeconomic outlook.

In the context of Irish banks he stated that "we are comfortable with the Irish banks, in terms of progress made. That doesn't mean that it’s the end of the journey". The SRB has told banks to have targeted levels of junior and senior bonds by the start of next year, which in case of the lender running into difficulty can be "bailed in". In addition, the SRB expects banks to be able to share losses with "bail-in-able" bonds and to have accessible data on liquidity and collateral which can assist in securing emergency central bank funding. Finally, the SRB have stated that banks should be able to set up virtual data rooms quickly to enable authorities to sell on a struggling bank quickly.

Mr Laboureix stressed that while the SRB intended to engage in more consultation with banks, particularly in identifying any potential difficulties, it did not intend to put the industry "in the driving seat" of determining future rules and developments but rather to give them a better chance to explain “potential difficulties”.

He commented that there was currently a lack of political will to establish a euro zone deposit insurance scheme to complete the banking union. He also added that European Stability Mechanism ("ESM") which is intended to provide backstop loans to the SRB, if needed, has also been delayed as Italy has failed to ratify the ESM Treaty.

4. September updates on the European Union's sanctions against Russia

Extension of current sanctions and possible 12^th package of sanctions

On the 13 September 2023 the Council of the European Union ("EU") announced its decision to extend the current EU package of sanctions against Russia for a further 6 months up until 15 March 2024. This extension will maintain the status quo while the 12^th package of sanctions is negotiated and agreed.  While the release date of the next package has not been confirmed it is likely to be mid-October. We also understand that the package might possibly include details of a windfall tax to be placed on frozen Russian central bank assets and the introduction of a ban on imports of Russian diamonds.

European Commission Guidance for EU Operators

On 7 September, the European Commission published a guidance note addressed to European operators to help them in their identification and assessment of possible risks of sanctions circumvention. This was published in response to the numerous and "elaborate schemes" which Russia has been using to avoid EU sanctions. Mairead McGuinness, Commissioner for Financial Services, Financial Stability and Capital Markets Union has that "this practical guidance will help EU exporters spot red flags and cut/reduce the risk of sanctions evasion.” Of particular relevance to financial institutions are the comments in the guidance regarding the need for enhanced vigilance when dealing with the use of correspondent accounts.

5. EBA Guidelines on the use of Remote Consumer Onboarding Solutions under 4MLD

On 22 November 2022, the European Banking Authority ("EBA") published its Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (the "Guidelines"). The Guidelines are designed to set common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence ("CDD") processes in the remote onboarding context and will apply from 2 October 2023.

The European Commission asked the EBA to issue guidelines on the application of anti-money laundering and countering the finance of terrorism ("AML/CFT") rules where customers are on-boarded remotely (such as through mobile apps, or via websites). The demand for remote onboarding options in respect of financial institutions increased significantly in the COVID-19 era and as digitalisation of financial services becomes more widespread, the use of remote customer onboarding solutions is increasing all the time.

The Guidelines ensure that these processes are in line with the applicable AML/CFT legal and data protection frameworks that apply to financial institutions with AML/CFT obligations – and not just fintechs. As with most other EBA guidance, the Guidelines seek to protect the principle of technological neutrality and do not endorse or criticise particular technologies or methods for remote customer onboarding but nonetheless provide very useful regulatory guidance on the adoption of new technologies to support remote onboarding processes.

The Guidelines complement and sit alongside existing AML/CFT guidelines issued by the EBA such as the EBA Risk Factor Guidelines, the EBA Guidelines on the AML/CFT Compliance Officer, and the Revised EBA Guidelines on Outsourcing.

The Guidelines have four clear aims:

• To set out the steps that financial institutions should take when choosing remote onboarding tools,
• To clarify what regulated financial institutions should do to satisfy themselves that the chosen tool is adequate and reliable,
• What needs to be done to ensure that the chosen tool remains adequate and reliable, and
• To ensure that the chosen tool enables the financial institution to comply effectively with their initial CDD obligations.

When do the Guidelines take effect?

The Guidelines will apply from 2 October 2023. The Central Bank of Ireland has confirmed to the EBA that it will comply with the Guidelines in full, which means financial institutions regulated by the Central Bank will need to factor them into their compliance frameworks from that date onwards.

Who are the Guidelines relevant to?

These Guidelines are going to be of critical interest to existing credit and financial institutions that already use remote on-boarding solutions and/or are considering shifting away from face-to-face methods to on-board their customers. We also think the Guidelines will be particularly relevant for financial institutions seeking authorisation for the first time, and for virtual asset service providers seeking to become authorised as crypto-asset service providers under the new Markets in Crypto Assets Regulation.

What changes to existing AML policies and procedures are required – will firms need to make new edits/revisions or create standalone policies for remote onboarding processes?

Yes. The Guidelines are clear in saying that financial institution's policies and procedures should now address a number of key points when using remote onboarding solutions:

• Documenting the pre-implementation assessment of the remote customer onboarding solution, including the scope, steps and record keeping requirements applying to these exercises. This is likely to involve a multi-disciplinary assessment of AML/CTF, information security and data protection considerations for each solution to see if the solution is in fact suitable for the financial institution's needs. The assessment needs to be documented so that it can be later shared with the relevant competent authority (if requested) and provide an audit trail confirming that the assessment conducted was in fact a robust one and informed by the risk profile of the financial institution.
• A general description of the solutions in place to collect, verify and record information throughout the remote customer onboarding process, to include an explanation of the features and functioning of the solution.
• The situations where remote customer onboarding can be used and a description of the categories of customers, products and services that are eligible for remote onboarding. This needs to be justified by way or reference to the outputs of the business-wide risk assessment that the financial institution will have prepared previously.
• To document which steps are fully automatized and which require human-intervention.
• A description of the ongoing monitoring controls and quality assurance testing applied to ensure the remote onboarding solution is working effectively.
• A description of the induction and regular training programs to ensure staff awareness and up-to-date knowledge of the functioning of the remote customer onboarding solution, the associated risks arising, and the relevant policies and procedures aimed at mitigating such risks.
• The procedures to be followed to remedy issues where a risk has materialised, or where errors have been identified that have an impact on the efficiency and effectiveness of the remote customer onboarding solution. These procedures need to be detailed in terms of setting out how the financial institution will review the adequacy of CDD held on file, the approach to re-adjusting the risk-rating associated with a customer (if necessary), and to terminate or restrict business relationships if necessary.

Other key points to note

• The Guidelines give guidance on the use of algorithms and optical character recognition methods to review CDD documents and require financial institutions to ensure these tools capture information accurately and consistently.
• Financial institutions are now expected to be able to define what information and data points during the CDD process are manually entered by the customer, automatically captured from the customer, and which data are sourced from internal or external sources.
• When verifying identity, guidance around ensuring the process is reliable and real-time in nature, such as use of one-time passwords, biometric data collection, phone calls with customers, etc. are encouraged.
• Quality assurance testing is considered critical to ensure the ongoing adequacy and reliability of remote customer onboarding solutions.
• External audits do not replace the responsibility of the financial institution to ensure ongoing effectiveness of any solution it uses.
• Where the remote onboarding solution is adopted via an outsourcing arrangement, it is clear the Guidelines will need to be factored into any vendor due diligence exercise conducted on the outsourcing service provider. This will add an extra degree of complexity to existing outsourcing governance processes.

Do financial institutions need to apply the Guidelines to all existing remote customer onboarding processes? Or only on a go forward basis to newly launched remote onboarding processes?

The EBA Guidelines specifically state that they apply to the adoption of "new" remote customer onboarding solutions but may also be useful in situations where financial institutions conduct a periodic review of their existing remote customer onboarding solutions already in place.

This means that the pre-implementation assessment requirements appear to apply on a go-forward basis only to new onboarding processes adopted from 2 October 2023 and do not necessitate an implementation assessment to be papered for existing solutions already in place.  That being said, that if an existing process undergoes material revision or review after the Guidelines come into effect then the need for a pre-implementation assessment is likely to be merited.

However it is also clear that the Guidelines require a series of material changes to a firm's existing policies and procedures across a number of areas, and these should be progressed in the next annual review process if not sooner.

Matheson's view

Our view is that most financial institutions will not have all of the Guideline's requirements expressly covered off in the requisite level of detail in their existing AML/CTF manuals and other frameworks such as those governing outsourcing, data protection and information security.

It is also quite possible that due diligence reports prepared when a remote onboarding solution was previously being chosen may need a comprehensive refresh at the next periodic review. This may mean any additional risks identified will then have to be embedded into updated risk registers and risk assessments, such as outsourcing risk assessments, operational risk registers, and of course the AML/CTF business-wide risk assessment. This is likely to be a significant body of work for risk and compliance professionals within financial institutions.

It is difficult to avoid the conclusion that a wide-ranging and far-reaching policy and procedural uplift will be required to ensure the new regulatory requirements set down by the Guidelines are fully addressed by financial institutions within their compliance, governance and risk management frameworks.