Empty Link Skip to Content

Securities Markets Risk Outlook Report 2023: More of the Same?

For the third year in a row, the Central Bank of Ireland ("Central Bank") has published a Securities and Markets Risk Outlook Report ("Report"). The aim of the Report is, as detailed by Patricia Dunne, Director of Securities and Markets Supervision, to advise "regulated financial service providers, investors and market participants of the key risks and areas of focus for markets supervision" which informs the Central Bank's supervisory engagement for the year ahead.

The Report considers a number of key areas of focus including:

  1. External Risk Environment;
  2. Sustainable Investing;
  3. Market Integrity;
  4. Market Conduct and Risk Management;
  5. Delegation and Outsourcing;
  6. Cybersecurity;
  7. Data Quality; and
  8. Digital Innovation.

Each area of focus is considered in detail by outlining:

  • the Central Bank's observations of what has happened relevant to that area of focus throughout the course of 2022 and the associated risks;
  • its expectations as they pertain to that area of focus/risk (for ease of reference, details of the expectations are set out below); and
  • previously published Central Bank communications and guidance of relevance.

Similarities with last year's report

There are a number of similarities between last year's report ("2022 Report") and this Report. The need to reiterate messages previously delivered and remind firms of communications already issued, some in the very recent past, speaks to the Central Bank's concern around compliance in these areas. In particular the Central Bank focused, yet again on the areas detailed below, and in a number of cases, expanded their positon on them:

  • Market Abuse Regulations – the Report reminded impacted firms of its industry communication on the outcomes of its Market Abuse Regulation ("MAR") thematic review. It explains that deficiencies in impacted firms' surveillance frameworks and governance arrangements, when it comes to the identification and reporting of suspected market abuse, continues to be an issue. This, the Central Bank explains, will be an ongoing area of focus which they will "actively monitor".
    The Central Bank observes in the Report that while the number of Suspicious Transaction and Order Reports ("STORs") which were received in 2022 represented a 100% increase from that of 2019, given the increase in relevant transactions this is still behind expectations. In particular, the Central Bank highlighted the issues around the submission of STORs by trading venues.
    Again, drawing impacted firms attention to the MAR thematic review, the Central Bank observes that ineffective frameworks and controls for the management of inside information and the maintenance of insider lists continue to be prevalent. The Central Bank uses the recent sanctions imposed against Philip Lynch, for breaches of these exact requirements, as evidence of the action which it is willing to take to ensure compliance.
  • Conflicts of interest in particular the need for policies and procedures addressing conflicts of interest. The Central Bank in Case Study 2, details the outcomes of a conduct risk assessment on remuneration and related conflicts of interest at a number of firms subject to Markets in Financial Instruments Directive ("MiFID") rules, which identified a "number of issues of significant concern". Impacted firms are expected to address those issues and any existing deficiencies in their policies, procedures and practices.
  • Sustainable Investment /Financing – given the ongoing importance of this area at a European and domestic level, it was not surprising to see much of the same topics addressed in the Report as had been included in the 2022 Report but with a particular, additional emphasis on disclosure and labelling.
  • Delegation and outsourcing – reiterating that the Central Bank does not differentiate between the two practices and reminds firms of the applicability of the Central Bank's Cross-Industry Guidance on Outsourcing to both. In relation to "non-funds" delegation and outsourcing, the Report focuses on the outsourcing of market abuse surveillance to group entities and the Central Bank's expectations in this regard.
  • Data – in this Report, the Central Bank explains that while there have been improvements in the quality of data being submitted to the Central Bank since the 2022 Report, there remains issues in a number of key areas. The Report reminds impacted firms of the need for data to be "complete, accurate and timely".
    Regarding the stated expectations relevant to data quality, the Report includes an additional expectation over and above that included in the 2022 Report which impacted firms should note. That is to "engage with the Central Bank as soon as possible after any data issues are identified. Failure to do so may warrant supervisory intervention up to and including enforcement action."
  • Crypto-assets – building on the risks posed by crypto-assets which were highlighted in the 2022 Report, the Central Bank reiterated its position regarding the appropriateness of crypto-assets for retail investors and that it was "highly unlikely" to approve proposals for the direct or indirect investment by Undertaking for Collective Investment in Transferable Securities ("UCITS")  or Retail Investor Alternative Investment Fund ("RIAIFs") in crypto-assets. The Central Bank concluded its commentary on crypto-assets confirming that "supporting the implementation and operationalisation of MiCA will be a priority area of focus for the Central Bank".

Other points of note

Digital Operational Resilience Act ("DORA")

The Report describes DORA as an "important regulatory milestone" in the context of the cybersecurity risks. The Central Bank advises securities markets participants to closely monitor the development of DORA. This reference to development, likely refers to the Level 2 measures which are yet to be confirmed. These will be proposed and adapted by the European Supervisory Authorities over the coming 18 months. These measures will focus largely on how the rules will function in practice.  Many firms can expect that there will be a need for investment in processes, procedures, systems and expertise to ensure effective implementation.

Central Bank Expectations

Regarding the expectations detailed in the Report, these highlight to impacted firms what they need to do to effectively "identify, mitigate and manage risks in the context of their particular business activities". Impacted firms should carry out a gap analysis of their current governance structures to ensure these expectations are being met. Where shortcomings are identified, actions should be taken to address them without delay.

Additionally, the Central Bank uses three case studies to demonstrate these expectations, and additional expectations, and special attention should be given to them.

While not specifically requested, we would also recommend impacted firms to update their boards and relevant senior management of the contents of the Report, flag the intention to undertake a gap analysis as detailed above and the plan to rectify any shortcomings should they be identified.

Area of focus Central Bank Expectations (as detailed in the Report)
External Risk Environment - Sanctions

The Central Bank expects Regulated Financial Services Providers ("RFSPs") to:

  • Conduct robust stress testing, updated regularly, to take due account of market dynamics so that all funds are positioned to ensure their liquidity arrangements are sufficient to meet redemptions and margin calls;
  • Ensure that liquidity management tools ("LMTs") are being utilised when needed and that appropriate LMTs are in place;
  • Verify valuations of assets affected by rising interest rates and sanctions; and
  • Have appropriate systems and controls in place to identify relevant sanctioned instruments and individuals to ensure they are compliant with their obligations in relation to financial sanctions.
Sustainable Investing

The Central Bank expects RFSPs to:

  • Ensure they adhere to their regulatory obligations regarding the correct disclosure of sustainability related information in product offerings; and
  • Have robust procedures and policies in place to ensure products marketed as ‘green’ or ‘sustainable’ meet the criteria to be described as such
Market Integrity

The Central Bank expects RFSPs to:

  • Ensure that frameworks for the identification, assessment and reporting of suspected instances of market abuse are sufficiently robust to identify, manage and mitigate emerging risks in what is a rapidly changing market environment;
  • Monitor all orders and trades, including cancelled and amended orders;
  • Submit a STOR to the Central Bank without delay once there is a reasonable suspicion that the relevant conduct could constitute market abuse; and
  • Maintain robust frameworks and associated controls to comply with the provisions in the Market Abuse Regulation concerning inside information.
Market Conduct Risk Management

The Central Bank expects RFSPs to:

  • Develop and embed more robust frameworks for the identification and assessment of market conduct risk inherent to their business;
  • Manage and mitigate emerging risks in what is a rapidly changing geopolitical and economic environment; and
  • Record business telephone and electronic communications including when alternative working arrangements are in place and ensure communications are not taking place through unauthorised channels.
Delegation and Outsourcing

The Central Bank expects RFSPs to have regard to:

  • The Central Bank Cross Industry Guidance on Outsourcing;
  • The requirements of MAR and MiFID, and ensuring that the firm outsourcing activities retains ultimate responsibility for governance and oversight of the delegated activities; and
  • Oversight and continuous monitoring of any digital processes outsourced to third parties.

The Central Bank expects RFSPs to:

  • Note the priorities identified in existing guidance published by the Central Bank on IT and Cybersecurity, Operational Resilience and Outsourcing;
  • Ensure adequate tools and governance frameworks are in place locally to identify, measure, manage, monitor and report ICT/cybersecurity risks;
  • Ensure ICT governance and ICT risk management frameworks are appropriately designed and implemented; and
  • Ensure they have robust ICT/cybersecurity risk management practices in place.
Data Quality

The Central Bank expects RFSPs to:

  • Submit accurate data on a timely basis in line with their obligations;
  • Have appropriate oversight of data reporting from Board level down (including where data reporting is outsourced);
  • Ensure escalation channels are in place to promptly address data reporting issues; and
  • Engage with the Central Bank as soon as possible after any data issues are identified (failure to do so may warrant supervisory intervention up to and including enforcement action.
Digital Innovation

The Central Bank expects Fund Service Providers and Issuers of financial instruments to:

  • Note the requirements of the upcoming Markets in Crypto Assets ("MiCA") Regulation;
  • Be aware that the Central Bank presently considers exposure to crypto assets to be unsuitable for retail investors in line with the joint position of the European Supervisory Authorities; and
  • Ensure that risk frameworks support the identification, mitigation and management of risks arising from the implementation of new technologies.

This article was co-authored by partners Joe Beashel, Louise Dobbyn, Niamh Mulholland and Ian O'Mara and PSL Claire Scannell. Should you have any queries in respect of the above, please do not hesitate to contact any member of Matheson LLP's Financial Institutions Group, or your usual Matheson LLP contact.