RegSol Blog

CBI Enforcement Action: Rory O'Connor
July 2020

On 9 June 2020, the Central Bank of Ireland (the Central Bank) reprimanded Mr O’Connor, disqualified him from being a person concerned in the management of a regulated financial service provider for a period of 8 years 4 months, and imposed a fine of €70,000 for his admitted participation in RSAII’s failure to maintain sufficient technical reserves from February 2010 to 30 September 2013 (the Relevant Period). 

This enforcement action against Mr O’Connor follows a separate investigation conducted by the Central Bank in respect of RSAII, at the conclusion of which the Central Bank reprimanded RSAII and imposed a financial penalty of €3.5 million in December 2018.

Click HERE to view the full report.

By Judy de Castro - Regulatory Consultant
Central Bank announces updates to Retail Intermediary Authorisation Process on 26 May 2020
July 2020

Submission of Retail Intermediary Applications for Authorisation

An applicant seeking authorisation or registration as a retail intermediary under:

  • The Investment Intermediaries Act 1995 (as amended) (the IIA);
  • The European Union (Insurance Distribution) Regulations 2018 (the IDR);
  • The Consumer Credit Act 1995 (as amended) (the CCA); and/or
  • The European Union (Consumer Mortgage Credit Agreements) Regulations 2016 (the CMCAR)

should submit its application for authorisation or registration in electronic format to the Central Bank via our secure file transfer system. Access to this system can be requested via email to RIAuthorisations@centralbank.ie.

The submission of a hard copy version of the application will no longer be required.


By Judy de Castro - Regulatory Consultant
Guidance Note on Cookies and Other Tracking Technologies issued April 2020
July 2020

The DPC will allow a period of six months from the publication of this guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

As a rule, natural persons may be associated with online identifiers provided by their devices, including cookie identifiers and tags. This may leave traces which combined with other unique identifiers and other information received by servers, may be used to create profiles of those natural persons and identify them, in other words, personal data. 

Analytics cookies are used as a measuring tool for websites, for example to report the number of unique visitors and the pages they browse during their visits; in combination with other data they may identify a user and therefore require consent.

For further guidance, please click HERE.

By Judy de Castro - Regulatory Consultant


CBI’s unofficial Consolidation of Consumer Protection Code
July 2020

In March 2020, the CBI published a consolidated CPC, but with a health warning: the document available at the link below is an unofficial consolidation of the Consumer Protection Code 2012, as it stood revised from 1 January 2015.

The document has been prepared by the Central Bank of Ireland for ease of reference only and is not a legal document.

Click HERE to view the document.

By Judy de Castro - Regulatory Consultant
CCPC: Unfair Terms in Consumer Contracts
July 2020

The Competition and Consumer Protection Commission (CCPC) has produced guidelines to assist businesses in navigating contractual terms outlining potential pitfalls for consumers. 

The unforeseen nature of the COVID-19 situation has brought about unprecedented circumstances and, as a result, businesses may be considering changing the terms and conditions in their standard form contracts, particularly in relation to cancellations, rescheduling and refunds.

The CCPC is concerned that businesses may change or add additional terms and conditions in existing consumer contracts, without advance notification to consumers or an opportunity for them to exit the contract without penalty if they do not wish to accept the business’ proposed change.  

Seeking to bind existing consumers to new or amended terms without the consumer’s agreement constitutes an unfair commercial practice under the Consumer Protection Act 2007.

Click HERE to view the link.

By Judy de Castro - Regulatory Consultant
EDPB Statement on data subject rights in connection to the state of emergency in Member States
June 2020

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. 

The statement was issued by the EDPB after the Hungarian government adopted a decree on 4 May 2020. As per this decree, “… all measures following data subject’s request exercising the rights based on Articles 15 to 22 of the GDPR are suspended until the end of the state of danger …”

The statement outlines that data protection does not impede the fight against the COVID-19 pandemic, and that Article 23 of the GDPR allows, under specific conditions, restrictions by way of legislative measures to the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34.

Such a restriction is permitted only where it “… respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State, in particular public health.”

The EDPB is very clear that “… even in these exceptional times, the protection of personal data must be upheld in all emergency measures …”

It is evident that while we deal with this unexpected pandemic the rights enshrined in GDPR must be complied with by data controllers and processors and any restrictions must be limited in their duration and scope. 

The EDPB has issued various statements since the pandemic began, and the tone of all of them is that the pandemic does not allow the rights detailed in the Charter of Fundamental Rights of the European Union and under GDPR to be swept aside in order to tackle COVID-19.

To read the statement in full click HERE.

To read all of the EDPB’s articles and statements visit HERE.


By Éilish Larkin - Regulatory Consultant
ESMA Guidelines - On certain aspects of the MiFID II Compliance Function Requirements
June 2020

The role of the Compliance Officer has been that of an independent assurance function that reports to the Board and provides balanced, impartial advice. It should be sufficiently resourced, with clearly defined roles and responsibilities and with access to the information and personnel needed to coordinate the management of compliance risk across the organisation.

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, published the final guidelines on the MiFID II compliance function on 5 June. These guidelines replace the ESMA guidelines on the same topic issued in 2012 and include updates that clarify the new MiFID II compliance function requirements.

These guidelines apply two months after the date of their publication on ESMA’s website in all EU official languages.

While the objectives and principles of the compliance function remain unchanged, the obligations have been further strengthened. The guidelines clarify responsibilities in relation to MiFID II’s product governance requirements, notably by further detailing the reporting obligations of the compliance function.

The guidelines also provide a comprehensive roadmap for any compliance professional wishing to ensure that their role is effective and a beacon of assurance for their Board and Senior management team.

Worth mentioning for all compliance professionals are:

  • Conducting a regular risk-based assessment, the output of which is used to create an effective risk-based compliance monitoring programme with the aim of ensuring the firm’s business is conducted in line with its licence, policies, procedures and internal controls.
  • Using suitable tools and methodologies for monitoring activities, which include (but are not limited to):
    • the use of aggregated risk measurements (for example, risk indicators);
    • the use of (additional) reports warranting management attention, documenting material deviations between actual occurrences and expectations (exceptions report) or situations requiring resolution (issues log);
    • targeted trade surveillance, observation of procedures, desk reviews, interviews of relevant staff and/or, where necessary and at the discretion of the compliance function, of a relevant sample of the firm’s clients.
  • Reporting on findings, to include a summary of major findings of the review of the policies and procedures, including risks identified in the scope of the compliance function’s monitoring activities; breaches and deficiencies in the firm’s organisation and compliance process; and the number of complaints received in the period under review, if not already reported through other sources.
  • Promoting a ‘compliance culture’ throughout the firm, which should be supported by senior management. The purpose of the compliance culture is not only to establish the overall environment in which compliance matters are treated, but also to engage staff with the principle of improving investor/consumer protection as well as mitigating systemic risks.

The ESMA Guidelines document can be found HERE.

By Judy de Castro - Regulatory Consultant
Business continuity: Property Service Providers
June 2020

The Joint Sector Protocol for Property Services Providers is intended to consolidate practical guidance available on how to safely manage business continuity during the COVID-19 pandemic. 

It relates only to property services providers (PSPs) and the valuation sector and how they can safely engage with clients and members of the public. 

The document is available HERE.

By Judy de Castro - Regulatory Consultant

New PII Limits Imposed from June 12th 2020
June 2020

Professional Indemnity Insurance (PII) is seen by the Central Bank of Ireland as a key prudential and consumer protection safeguard. From the 12th of June 2020 the required amount of cover will change.  

This change has come about under COMMISSION DELEGATED REGULATION (EU) 2019/1935.

The new requirements are: €1,300,380 per claim and €1,924,560 in aggregate.

This change applies to intermediaries authorised under both the Insurance Distribution Regulations (IDR) 2018 and the Investment Intermediaries Act 1995.

Brokers should ensure with their PII provider that their PII levels will be amended in line with the new requirements.

Click HERE to read the Brokers Ireland Announcement.

By Éilish Larkin - Regulatory Consultant
Omnibus Directive: New Protections for Consumer Rights
June 2020

A key part of the EU’s New Deal for Consumers entered into force earlier this year: The Omnibus Directive, which strengthens consumer rights through enhanced enforcement measures and increased transparency requirements.

Key changes introduced by the new Directive are:

  • A requirement for increased transparency online in particular for search result rankings, fake reviews, endorsements and personalised pricing.
  • The extension of consumer rights to “free” digital content and services.
  • Fines and enforcement powers: fines of up to 4% of the trader’s annual turnover in the Member State (or Member States) where the breach occurred, or EUR 2 million in cases where information on turnover is not available, with individual Member States able to introduce even higher fines.

EU Member States have two years to transpose these new rules: national implementation measures must be adopted by 28 November 2021 and in force by 28 May 2022.

EU consumer legislation applies to traders targeting consumers in the EU, regardless of the trader’s location. Online traders worldwide will need to use this two-year window to ensure their EU-facing practices comply and mitigate the risk of fines.

By Judy de Castro - Regulatory Consultant
Belgian DPA issues €50,000 fine for DPO’s Conflicting Roles
June 2020

On 28 April 2020, the Belgian Data Protection Authority (“DPA”) fined a Belgian company €50,000 for breach of Article 38(6) of the GDPR:

“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”

The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance.

The Litigation Chamber stated that the administrative fine was not imposed with the intention to terminate the violation, but rather with a view to vigorously enforce the rules of the GDPR. In this respect, the Litigation Chamber specified that, although there was no element showing an intentional infringement, there was serious negligence on the part of the defendant. 

The Article 29 Working Party Guidelines for Data Protection Officers explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is thus an essential conflict of interest. The role of departmental manager is thus inconsistent with the function of DPO who must be able to perform his or her tasks independently. 

The fact that the same person performs the role of data controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, lacks independence.

By Judy de Castro - Regulatory Consultant
EU Commission urges 8 Member States to fully transpose MLD5
June 2020

On 14 May 2020, the European Commission sent a letter of formal notice to Ireland (along with seven other EU member states: Belgium, the Czech Republic, Estonia, Ireland, Greece, Luxembourg, Austria, Poland and the UK) for having only partially transposed the Fifth Anti-Money Laundering Directive EU/2018/843 ("MLD5"). The deadline for transposition into national law was 10 January 2020.

The General Scheme of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which was to implement MLD5 in Ireland, was published in January 2019 but has not yet progressed any further. Other than the provisions relating to Beneficial Ownership, Ireland has yet to implement the measures contained in MLD5. 

In the letter of formal notice, the Commission encourages the relevant EU member states to transpose all aspects of MLD5 urgently. Without a satisfactory response from the relevant EU member states (a letter of formal notice requests an explanation of the alleged breach of EU law) within four months, the Commission may send a reasoned opinion. 

This would state the reasons why the Commission believes that the EU member state is in breach of its EU law obligations and forms the basis of the Commission's case in any subsequent infringement court case against the EU member state. A third stage of the process is a referral to the Court of Justice of the EU.

By Judy de Castro - Regulatory Consultant
EDPB Publishes Updated Guidelines on Consent
May 2020

The European Data Protection Board (EDPB) published updated Guidelines on Consent under the GDPR on 5 May 2020, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on:

  • data subject consent in relation to cookie walls (which are not allowed), and
  • scrolling or swiping through a webpage or similar actions (which does not constitute valid consent).

The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.

Cookie Walls

The EDPB clarifies that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent to the use of their data for additional purposes. In order for consent to be “freely given”, as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment (i.e. device) of a user (so-called cookie walls).

Unambiguous indication of Wishes

The EDPB also confirms that scrolling or swiping through a webpage, or similar user activity, does not constitute clear affirmative action that meets the conditions for valid consent under the GDPR.

Click HERE to see the document.

By Judy de Castro - Regulatory Consultant
Data Protection Commissioner Issues Draft Decision Against Twitter
May 2020

The Irish Data Protection Commission (DPC) submitted a draft decision on the 22 May to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. 

This was initiated by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies, including WhatsApp Ireland Limited. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.

The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.

By Judy de Castro - Regulatory Consultant
Data Protection Commission Fines Tusla
May 2020

On the 21st of May 2020, Tusla was issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules. 

The decision was issued to the Child and Family Agency following the completion of an inquiry that began in November 2019; the agency has 28 days to appeal the decision.

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

"As the decision referred to has only just been received, we are not in a position to comment further until we have reflected on all of the matters," Tusla said in a statement.

Earlier this week the Sunday Times revealed that Tusla had become the first body to be fined in Ireland by the DPC for a data protection breach under the stricter rules contained in the General Data Protection Regulation (GDPR).

That case related to three breaches reported in February and March of last year. One of those cases involved the accidental disclosure of the contact and location data of a mother and child to an alleged abuser.

The fine for the three breaches totalled €75,000.

"Tusla has and continues to engage constructively with the DPC and the public on these matters," it said.

That inquiry was launched by the regulator in January last year and was initiated following receipt of a data breach notification from the social media platform.

It relates to its compliance with the requirement under Article 33 of the GDPR to notify the DPC of a breach within 72 hours and provide certain information.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

By Judy de Castro - Regulatory Consultant
COVID-19 and Cyber Crime: What to watch out for
May 2020

On the 31st of March the EBA published a statement on actions to mitigate financial crime risks in the COVID-19 pandemic. The document discusses from a supervisory level the actions competent authorities should take in urging credit and financial institutions to effectively put in place internal controls and systems to ensure the EU’s financial system is not abused by crime. 

In identifying emerging trends and typologies, the EBA notes that legitimate financial flows are likely to diminish. However, experience from past crises suggests that in many cases illicit flows will continue, perhaps unchanged; it is in those instances that credit and financial institutions should question the source of funds and wealth behind those transactions and, most importantly, whether they make economic sense.

For example, there is already some evidence of increased levels of cyber crime, COVID-19-related frauds and scams targeting vulnerable people and companies, of fake fundraising campaigns and of criminal networks selling rationed goods, including PPE at a higher price. Furthermore, as criminals are highly adaptive, new techniques and channels of laundering money are likely to emerge. 

On the 27th of March, Europol published a report on how criminals have adapted to the COVID-19 pandemic. It is based on information Europol receives from the EU Member States on a 24/7 basis and intends to support Member States’ law enforcement authorities in their work. According to the report, the number of cyber-attacks is significant and expected to increase further.

Cybercriminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic. They may expand their activities to include other types of online attacks. Cybercriminals are likely to seek to exploit an increasing number of attack vectors as a greater number of employers adopt telework and allow connections to their organisations’ systems.

Our Top 5 Tips:

  1. Update your AML-CTF Risk Assessment and any other relevant policies, internal controls or systems
  2. Train staff
  3. Transaction monitoring calibrated to recognise patterns in areas known to be impacted by COVID-19 but still yielding uncharacteristically large or unchanged profit flows
  4. Ongoing monitoring of impacted industries such as pharmaceutical or medical supply equipment
  5. Risk assess your own IT systems and work from home strategies for resilience against cyber attack

Click HERE to read the EBA's statement.

Click HERE to read the Europol Report.

By Judy de Castro - Regulatory Consultant
FATF Guidance on Digital Identity
May 2020

According to this new document published by the FATF in March 2020, digital payments are growing at an estimated 12.7% annually and are forecast to reach 726 billion transactions annually by 2020. By 2022, an estimated 60% of world GDP will be digitalised. 

The growth in digital financial transactions requires a better understanding of how individuals are being identified and verified in the world of digital financial services and how to risk assess their use. Digital identity (ID) technologies are evolving rapidly, giving rise to a variety of digital ID systems to allow for identity proofing and enrolment per the diagram below. 

Recommendation 10 permits financial institutions to use “documents” as well as “information or data,” when conducting customer identification and verification. Recommendation 10 does not impose any restrictions on the form (documentary/physical or digital) that identity evidence – “source documents, information or data” – can take. 

However, it is essential that regulated entities apply a risk-based approach to using digital ID for CDD in order to:

  1. understand the assurance levels of the digital ID system, and
  2. assess whether, given those assurance levels, the ID system is appropriately reliable and independent in light of the ML/TF risks.

Potential Risks

Large scale digital ID systems that do not meet appropriate assurance levels pose cybersecurity risks, including allowing cyberattacks aimed at disabling broad swaths of the financial sector, or at disabling the digital ID systems themselves. They also pose major privacy, fraud or other related financial crimes risks, because cybersecurity flaws can result in massive identity theft, compromising individuals’ personal data. 

Risks related to governance, data security and privacy also have an impact on AML/CFT measures. These risks vary in relation to the components of the digital ID system but can be more devastating than breaches associated with traditional ID systems due to the potential scale of the attacks. 

Advances in technology and well-designed identity proofing and authentication processes can help mitigate these risks.

Click HERE to view the document.



By Judy de Castro - Regulatory Consultant
EU Commission’s AML-CTF Action plan
May 2020

On 7 May 2020, the European Commission adopted an action plan for a comprehensive and harmonised EU policy on preventing money laundering and terrorist financing. The action plan is to be founded on six pillars:


  • Pillar One: Effective implementation of existing rules
  • Pillar Two: A single EU rulebook
  • Pillar Three: EU-level supervision
  • Pillar Four: A support and cooperation mechanism for financial intelligence units
  • Pillar Five: Information exchange to enforce criminal law provisions
  • Pillar Six: A stronger EU AML-CTF Framework


The Commission intends to deliver on all these actions by early 2021. To gather the views of citizens and stakeholders on these measures, the Commission launched a public consultation which will close on 29 July 2020.

The action plan builds on the findings of the anti-money laundering package of 2019, which highlighted serious shortcomings, including major divergences in the way rules are applied and enforced by the various EU member states, uneven supervision and limitations in the cooperation among financial intelligence units across the EU.

For those entities under the scope of the AML/CTF framework, or designated persons, the measures to take note of are those set out in Pillars two and three. Pillar two, whose main objective is to limit divergences in the interpretation and application of the relevant rules, will include provisions laying down a harmonised approach to customer due diligence requirements, a ceiling for large cash payments and reporting obligations.

Pillar three concerns enhanced integration of supervision through an EU body, namely the European Banking Authority (EBA), with direct supervision over designated persons and powers to review internal policies, procedures and controls, including documentation on transactions and customers.

Click HERE to view the Action Plan. 


By Judy de Castro - Regulatory Consultant
Enforcement Action - Ulster Bank
May 2020

On 3 March 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined Ulster Bank (Ireland) DAC (the Firm) €4,600,000 for governance failings relating to regulatory returns that were required under the Mortgage Arrears Resolution Targets (MART) Framework.

The Firm has admitted to these breaches, which took place from 2013 until 2015.

Click HERE to view the full Settlement Agreement.


By Judy de Castro - Regulatory Consultant
Fitness & Probity Update
May 2020

The Central Bank of Ireland ("Central Bank") published a ‘Notice of Intention’ on 25 February 2020 which sets out its proposal to:
  1. Introduce three new Pre-Approval Controlled Functions (PCFs):
    1. Chief Information Officer (under the ‘General’ category);
    2. Head of Material Business Line (under the ‘Banking’ category);
    3. Head of Market Risk (under the ‘Banking’ category);
  2. Split PCF-39 Designated Person into six PCF roles aligned to the specific managerial functions.
While not limited to the following circumstances, the Central Bank expects that the Chief Information Officer role would likely apply where: 
  1. The RFSP has a PRISM impact rating of High or Medium High; 
  2. Information Technology is a key enabler or core element of the RFSP’s business model.
The Central Bank invited comments from stakeholders on this proposal no later than 14 April 2020.

Read the proposal HERE

By Judy de Castro - Regulatory Consultant
AML 5th Directive Update: Are You Ready?
May 2020

5AMLD was adopted by the European Council in May 2018 and was subsequently published in the Official Journal of the European Union (OJEU) on 19 June 2018.

It is anticipated that 5AMLD will be transposed into Irish law in 2020; the transposition deadline (20th January 2020), however, has now passed. The purpose behind 5AMLD was to amend and strengthen certain parts of 4AMLD in light of the terrorist attacks carried out across Europe in 2016/2017 and the revelations contained within the Panama papers.

Unlike previous EU Anti-Money Laundering Directives, 5AMLD made amendments to 4AMLD as opposed to repealing and replacing it outright. The Government approved the drafting of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill along the lines of the General Scheme below on 3 January 2019. 

General Scheme Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019

Intermediaries should already have performed a gap analysis of these changes to ensure that, once a government is formed and the new legislation is approved, they are compliant.


By Judy de Castro - Regulatory Consultant
EBA Consults on Revised Guidelines on Money Laundering & Terrorist Financing Risk Factors
May 2020

The EBA issued a public consultation on revised money laundering and terrorist financing (ML/TF) risk factors Guidelines as part of a broader communication on AML/CFT issues. This update takes into account changes to the EU Anti Money Laundering and Counter Terrorism Financing (AML/CFT) legal framework and new ML/TF risks, including those identified by the EBA’s implementation reviews. In its revised version, the EBA is proposing key changes, including new guidance on compliance with the provisions on enhanced customer due diligence related to high-risk third countries.

Particular guidance on wealth management risk factors, and on factors that increase risk, is notable in Guideline 12, which outlines sections on source of wealth, customer, geographic and transaction risk factors. Establishing the source of wealth and funds is required where the risk is particularly high and/or where the firm has doubts about the legitimate origin of the funds.

Verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth can be verified by reference to, for example:

  • an original or certified copy of a recent pay slip; 
  • written confirmation of annual salary signed by an employer; 
  • an original or certified copy of contract of sale of, for example, investments or a company; 
  • written confirmation of sale signed by an advocate or solicitor.

The revised Guidelines also provide more details on terrorist financing risk factors and customer due diligence (CDD) measures, including on the identification of the beneficial owner and the use of innovative solutions to identify and verify customers’ identity.

In addition, they set clear regulatory expectations of firms’ business-wide and individual ML/TF risk assessments.

The consultation runs until 06 July 2020.


By Judy de Castro - Regulatory Consultant
Annual Report on Money Laundering 2019
May 2020

The Department of Justice and Equality has published its Annual Report on Money Laundering and Terrorist Financing for 2018.

Member States are required by the Fourth Money Laundering Directive to publish a report on an annual basis providing data on the reporting, investigation and judicial phases of the national AML/CFT regime, including the number of suspicious transaction reports made to the Financial Intelligence Unit and the number of cases investigated, as well as prosecution and conviction rates for ML/TF offences.

The full report is available HERE

The report provides a summary on the CBI’s approach to its supervisory model and the resulting output. In 2018, the Central Bank conducted a total of 72 inspections and issued 259 Risk Evaluation Questionnaires across a variety of institutions. In addition, AMLD conducted 59 AML/CFT Review Meetings with firms in 2018. Throughout 2018, AMLD was also heavily involved in outreach activities such as presentations and seminars.

The frequency and intensity of AML/CFT supervisory engagement for an individual firm is dependent on its ML/TF risk rating. The Minimum Supervisory Engagement model is set out in the table below. For intermediaries, the risk is low and so the inspection cycle is ad hoc:



Regsol previously discussed STR statistics in their blog, available HERE.

By Judy de Castro - Regulatory Consultant
Launch of the Central Bank's Register of Beneficial Ownership
May 2020

The Central Bank of Ireland has issued correspondence advising that following a decision by the Minister of Finance, the Central Bank will be the state authority delegated with responsibility for establishing and maintaining a central register of beneficial owners in respect of Credit Unions and certain funds (the Register).

These include funds registered under the Irish Collective Asset-management Vehicles Act 2015 (ICAVs) and Unit Trust Schemes registered under the Unit Trust Act, 1990 (Unit Trusts).

It has further been indicated that Common Contractual Funds registered under the Investment Funds, Companies and Limited Partnerships Act, 2005 and Investment Limited Partnerships registered under the Investment Limited Partnerships Act, 1994 will also be included on this register in due course.


By Judy de Castro - Regulatory Consultant
DPC Annual Report 2019
May 2020

Published in February 2020, highlights of the 2019 Annual Report include:
  • 7,215 complaints received in 2019 representing a 75% increase on the total number of complaints (4,113) received in 2018.
  • 5,496 complaints in total were concluded in 2019.
  • 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
  • Almost 48,500 contacts were received through the DPC’s Information and Assessment Unit, including 22,200 telephone calls and 22,300 emails.
  • On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 49 domestic inquiries.
  • Six statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21.
  • 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism.
  • 165 new complaints were investigated under S.I. No. 336 of 2011 in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and seven related to telephone marketing. Prosecutions were concluded against four entities in respect of a total of nine offences under the E-Privacy Regulations.
  • The DPC published its findings on certain aspects of the Public Services Card (PSC) following a lengthy investigation. The published findings were targeted at two key issues, namely the legal basis under which personal data is processed and transparency. 
  • The DPC carried out an extensive consultation on the processing of children’s personal data, yielding 80 responses. The feedback from the consultation will be used to develop guidance on the processing of children’s personal data, which is a DPC priority for 2020.
  • The DPC received 712 new Data Protection Officer notifications, bringing the total number to 1,596 at year end.
  • Staffing numbers increased from 110 at the end of 2018 to 140 at the end of 2019, including two additional Deputy Commissioners.
By Judy de Castro - Regulatory Consultant
Data Subject Access Requests
May 2020

Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19? (25 March 2020).

The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, the DPC has said that it recognises that unavoidable delays may arise as a direct result of the impacts of COVID-19.

Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity and number of requests.

Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.

Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.

While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.


By Judy de Castro - Regulatory Consultant
DPC Data Protection Tips for Video-Conferencing (3rd April 2020)
May 2020


  • Employees should be using your contracted service providers for work related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
  • Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media detail.
  • Make sure that clear, understandable, and up-to-date organisational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
  • Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
  • Where video-conferencing services need to be used for organisational reasons, have a consistent policy regarding which services are used and how, and offer them through VPN or remote network access where possible.
  • Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.
  • Read DPC guidance on Protecting Personal Data When Working Remotely and DPC guidance on data security and make sure the points contained within are made clear to employees.
By Judy de Castro - Regulatory Consultant
DPC Covid-19 Response
May 2020

The DPC remains fully operational. However, the telephone helpdesk service will not be available during this time.

The handling of queries on data protection which members of the public and personal data-processing entities wish to raise with the DPC will be via e-mail only, to info@dataprotection.ie.

Complaints relating to data protection matters may still be raised via the webform on the DPC website, www.dataprotection.ie.

There may be some short delays in handling post.


By Judy de Castro - Regulatory Consultant
CBI Covid-19 Response
May 2020

A consumer hub on the Central Bank website provides useful information to consumers and regulated entities alike on their response to COVID-19. The Central Bank has been working with financial services providers to help provide breathing space for customers who find themselves in financial difficulties due to these exceptional circumstances.

For example, banks and other financial intermediaries have announced that they will introduce three-month payment breaks on mortgages and on personal and business loans for some business and personal customers affected by COVID-19. All of the existing protections for customers who face actual or potential financial difficulties continue to apply. People who may be experiencing particular vulnerabilities as a result of the impact of COVID-19, for example through illness or loss of income, must be provided with whatever reasonable arrangements and/or assistance they need in their dealings with regulated entities. All regulated firms should take a consumer-focused approach and act in their customers’ best interests.

The Central Bank operates the Central Credit Register, which produces credit reports for lenders and borrowers on request. The Central Bank has clarified to lenders that a payment break agreed between a lender and a borrower as a response to COVID-19 is not, in itself, an event that is reportable to the Central Credit Register and should not be reported as a “missed payment”. Consistent with this guidance, these payment breaks should not be identified specifically on borrowers’ credit reports. The Central Credit Register does not produce a credit score; it simply records the information that is submitted by lenders on a monthly basis. It is factual, impartial information.

The Central Bank has also set out its expectations of how regulated insurance firms should treat their customers in light of the significant economic disruption caused by the COVID-19 public health emergency. The Central Bank has written to the Chairs and CEOs of both life and general insurance firms requiring them to take account of the challenging situation in which many of their customers find themselves and to put forward consumer-focused solutions for insurance payment breaks, policy rebates and claims in light of the emergency.

The Central Bank has also set out its view that, where a claim can be made because a business has closed as a result of a Government direction due to contagious or infectious disease, the recent Government advice to close a business in the context of COVID-19 should be treated as a direction.


By Judy de Castro - Regulatory Consultant
Consumer Protection Outlook Report 2020
May 2020

The Central Bank's Consumer Protection Outlook Report 2020 was published on 9 March 2020. This report sets out the key risks to consumers of financial services. It also sets out the Central Bank's expectations of what should be done to minimise these risks. The report also details the Central Bank’s own consumer protection priorities for the year ahead. Key risks highlighted include the following:


Other Key takeaways include:
  • In 2019, the Central Bank oversaw the return of €74m to consumers arising from errors notified under the Consumer Protection Code.
  • Some recurring issues reported by consumers on social media include issues around dissatisfaction with customer service levels, particularly call waiting times on helplines and in-branch queues and a perception that new customers received preferential treatment; IT outages and the inability to access online services; scam and ‘phishing’ text messages advising that accounts had been suspended.
  • Enhance the authorisation process: Challenge firms seeking to relocate from the UK on the credibility of the substance of their proposal in areas such as staffing and decision-making.
  • Culture: CBI expects sustained improvement in culture by focusing on values and conduct that are the building blocks of culture. ‘Desired’ values of firms and their conduct to be reflected in the daily habits and practices of their employees and management, ensuring for example that performance reviews are not based on metrics based on financial performance only.
  • Disclosure: The failure to give clear information to consumers about the benefits, risks and costs of financial products affects a consumer’s ability to make informed decisions. The risk increases when the product is complex or when there are many similar types of product on the market, such as in the case of health insurance. Firms should consider how they can improve communications, sales and marketing material to enable consumers to buy the products and services that they need. 
  • Brexit: The United Kingdom left the European Union on 31 January 2020 after reaching a withdrawal agreement that includes a transition period until the end of the year. The transition period allows further time for financial service providers and consumers to prepare for Brexit. While the full implications remain unclear, Brexit remains a key risk to firms and their customers. The main risk for Irish consumers relates to the likely loss of UK financial service providers’ right to provide services cross-border into Ireland.
For the full report click HERE.

By Judy de Castro - Regulatory Consultant
New Consumer Protection Code Addendum in Force
May 2020

New rules which mandate financial intermediaries to disclose commission arrangements came into effect on 31 March 2020. The requirements, which were published by the Central Bank of Ireland as an addendum to the Consumer Protection Code 2012, will ensure greater transparency for consumers who use intermediaries.

From 31 March 2020, intermediaries must:

  • inform the customer about any commissions received for selling a financial product or service;
  • not describe themselves as "independent" where they receive a commission;
  • post on their website details of all commissions from product producers;
  • not take commission that could be contrary to the best interests of the customer; and
  • not accept free hospitality packages or tickets from financial product or service providers.

For further details on this topic please refer to our blog HERE.


By Judy de Castro - Regulatory Consultant
Data Protection: CCTV Footage in Employee Disciplinary
April 2020

The use of CCTV footage in disciplinary investigations was recently considered by the High Court in Doolin v The Data Protection Commissioner. In a decision that will be of interest to HR and data protection professionals, Hyland J considered that CCTV footage can be used by employers for specified purposes, including disciplinary procedures, provided this purpose is made clear to employees.

The case highlights, however, that while the purposes specified by an employer have some flexibility in interpretation, they will not be broadly interpreted.

The case arose in the context of a security investigation by Our Lady’s Hospice and Care Services (“OLHCS”) into graffiti on the walls of a staff room – graffiti which could have indicated terrorist activity. A CCTV camera was located in the premises, beside a sign indicating that “images are recorded for the purposes of health and safety and crime prevention”, and footage from that camera was reviewed. OLHCS noted from this footage that Mr Doolin had used the break room on a number of occasions when he was not authorised to do so.

This led to the commencement of a disciplinary process concerning the alleged taking of unauthorised breaks, and Mr Doolin was subsequently sanctioned. Mr Doolin complained to the Data Protection Commissioner about the use of his data in the disciplinary investigation. In particular, he complained about the “further processing” of the CCTV footage in the context of a disciplinary procedure. He was unsuccessful in the Circuit Court, and appealed again to the High Court. The High Court upheld Mr Doolin’s complaint.

Further Processing and Incompatible Purposes

The security and disciplinary investigations took place under the pre-GDPR data protection regime, the Data Protection Acts 1988-2003. Section 2(1)(c) of the 1988 Act contains the purpose limitation principle, i.e. data obtained for one or more specific, explicit and legitimate purposes should not be further processed in a manner incompatible with that purpose or those purposes.

The purposes specified for the processing of the CCTV footage were “health and safety and crime prevention”. The questions of law faced by the High Court were whether the use of information obtained from the CCTV footage in the disciplinary procedure (a) constituted a “further processing” of the CCTV footage and, if so, (b) whether this processing was for purposes incompatible with health and safety and crime prevention.

In the absence of case law on the meaning of “further processing”, the High Court looked to guidance from the European Data Protection Board, formerly the Article 29 Working Party. Hyland J discussed the meaning of incompatibility from the guidance. She noted that legislators intended some flexibility on further processing of personal data and that, while a different purpose is not necessarily an incompatible purpose, this must be assessed on a case by case basis.

While the legislative framework for data protection has changed since this case arose, the principles considered by the High Court remain in place. The principle of purpose limitation, in particular, continues in Article 5(1)(b) of the GDPR. The threshold of an “incompatible” purpose for further processing has been retained.

HR and data protection practitioners should note Hyland J’s comments on the need to clearly specify the purposes for which CCTV can be used, and should review their employee Privacy Policy and CCTV signage to ensure that disciplinary processes are clearly covered.

By Judy de Castro - Regulatory Consultant
CBI will Maintain Central Register of Beneficial Owners for Credit Unions and ICAVs
April 2020

The Central Bank issued correspondence advising that following a decision by the Minister of Finance, the Central Bank will be the state authority delegated with responsibility for establishing and maintaining a central register of beneficial owners in respect of Credit Unions and certain funds (the Register). 

These include funds registered under the Irish Collective Asset-management Vehicles Act 2015 (ICAVs) and Unit Trust Schemes registered under the Unit Trust Act, 1990 (Unit Trusts). It has further been indicated that Common Contractual Funds registered under the Investment Funds, Companies and Limited Partnerships Act, 2005 and Investment Limited Partnerships registered under the Investment Limited Partnerships Act, 1994 will also be included on this register in due course.

In accordance with Article 30 of Directive 2015/849 corporate and legal entities should already be maintaining details of their beneficial owners independent of the Register.

Following the Minister’s decision and pursuant to Article 30 of the Fourth EU Anti-Money Laundering Directive (EU 2015/849), as amended by the Fifth EU Anti-Money Laundering Directive (EU 2018/843), there will now be two state authorities with delegated responsibility for maintaining central registers of beneficial ownership of corporate and legal entities in Ireland. The register of companies will continue to maintain the register of beneficial ownership of companies and industrial and provident societies, and the Central Bank will have responsibility for maintaining a central register in respect of credit unions and certain funds.

By Judy de Castro - Regulatory Consultant
Central Bank’s Consumer Protection Outlook Report 2020
April 2020

The Central Bank's Consumer Protection Outlook 2020 was published on 9 March 2020. This report sets out the key risks to consumers of financial services. It also sets out the Central Bank's expectations of what regulated financial services providers should do to minimise these risks. The report also details the Central Bank’s own consumer protection priorities for the year ahead.

Cross-sectoral risks identified still include:
  • Lack of consumer focussed culture
  • Poor Governance and Oversight of Outsourcing Arrangements
  • Information Technology and Cyber Risk

You can read the full report HERE.


By Judy de Castro - Regulatory Consultant