RegSol Blog


RegSol Blog Posts

New Technologies Risk Assessment
September 2020

In preparation for Ireland’s AMLD5 readiness, affected firms should have regard to the update to the National Risk Assessment of new and emerging technologies. This assessment has been undertaken in accordance with Recommendation 15 of the Financial Action Task Force (FATF). The sectors assessed for the purposes of this ‘new technologies’ risk assessment are:
  • virtual currencies/assets,
  • electronic money,
  • crowdfunding.

The Department of Finance, which publishes these assessments of Ireland’s AML-CTF risks, has given crowdfunding and virtual currencies risk ratings of medium-high, despite new regulations being considered in order to mitigate the associated risks. It is of course the scale of these new technologies and the likelihood that they are associated with illegal activity that has elevated the risk ratings. For example, as of April 2019, there were an estimated 2,160 different virtual currencies globally. Collectively, these had a total market value of roughly $182 billion (€162 billion).

A recent study by a group of Australian academics has determined that approximately one-quarter of bitcoin users and one-half of bitcoin transactions are associated with illegal activity. Around $72 billion of illegal activity per year involves bitcoin, which is close to the scale of the US and European markets for illegal drugs.

Terrorist financing risks are considered more likely to arise through the intersection of terrorism and criminality, with organised criminals being assessed as more likely to be aware of, and make use of, this sub-sector. It is assumed that once providers of virtual currencies become obliged entities under AMLD5, the opaqueness of this sector will somewhat dissipate.

Click HERE to read the full document.

Going Back to School
September 2020

For the next couple of months, we hope that our clients and our colleagues are transitioning to some level of normality as our children go back to school. 

For many, September will mark new beginnings, and not only for those starting primary or secondary school: school will mean following new rules, new procedures and protocols, not sharing pencils or lunch boxes but keeping a distance and staying in a bubble or a pod. In the world of regulatory compliance, these experiences got us thinking about culture, compliance, ethics, and good risk management.

Similar to a change in procedures following the introduction of new laws or regulations, both scenarios require a clear understanding of what those rules mean, what impact they will have, how to implement them and how to monitor the effectiveness of controls designed to ensure compliance. Filling in forms, ticking boxes and training exercises are all well and good, but are they effective and do they change people’s behaviours and patterns of habit? 

A good culture of compliance requires good and visible leadership by example, positive reinforcement and encouragement through performance management and monitoring and finally the key ingredient is “buy in.” The belief that rules and regulations are enhancing and protecting our companies and our jobs is really what motivates us. 

The classroom may be a changed place but following the rules with conviction is something we will all have to do if we wish to embed changes.

By Judy de Castro
Regulatory Consultant


Credit Unions: What Does the Future Hold?
September 2020

Credit Unions are at the heart of many communities in Ireland both urban and rural.

As per the Irish League of Credit Unions’ (ILCU) website, there are currently across Ireland (both North and South) 326 Credit Unions, 3.6 million members and savings of €14.8 billion.

The credit union movement has its roots in volunteering with many people giving of their time and efforts to run local credit unions. Despite the voluntary and co-operative aspects, they are subject to the same stringent regulations as entities where making profit is the motivation.

In the July 2020 Report “The Movement” the current situation for credit unions and their future was discussed. The report outlines various aspects of the situation including what credit unions want and makes policy recommendations for government consideration. It is clear change is needed.

Credit union members want the personal touch and local knowledge but also want access to mortgages, small business loans and other financial products. Many credit unions would like to offer further services but due to current regulations are not able to do so.

It seems the current regulatory requirements are strangling the growth and development of credit unions. The 10% capital reserves requirement means “that many credit unions are faced with an ongoing challenge of bolstering their reserves to maintain this reserving level”. Every €1000 of savings a credit union has needs to be matched by €100 in a trading surplus. In the current climate caps on the amount of savings a member can have with their credit union are becoming more common.

The current President of the ILCU, Gerry Thompson, stated in a recent interview: "I think it's Government's job to recognise the fundamental difference between voluntary, community-based credit unions and banks - and find a proper framework."

As we are mid-pandemic and a new Government is just in, it is extremely unlikely that we will see any changes to the regulatory environment for 2020. What is clear is that there remains a call for change from within the sector, and the relationship between credit unions and the Central Bank will need to continue to evolve.

Click HERE to read the full report.



By Judy de Castro
Regulatory Consultant


Central Bank publishes Business Interruption Insurance Supervisory Framework
September 2020

Since the start of the pandemic there has been focus on business interruption insurance. There have been lots of items in the media regarding claims being made and the difficulties faced by many claimants particularly with respect to the interpretation of business interruption.

In this context on 5th of August 2020, the Central Bank of Ireland published its Business Interruption Supervisory Framework.

In summary:

  • The Framework sets out the Central Bank’s expectations of insurance firms in handling COVID-19 related business interruption insurance claims
  • Where customers have an entitlement to claim under a business interruption insurance policy, the Central Bank expects that claims will be processed and paid promptly and fully
  • Where cover and related issues are disputed, the Central Bank expects firms to pay the reasonable costs of customer plaintiffs in agreed test case litigation
  • The Central Bank is aware that in many cases BI insurance policy wording will be clear in relation to customer entitlements concerning COVID-19 related claims. However, where there is a doubt about the meaning of a term, the interpretation most favourable to the customer should prevail.

It is notable that the Central Bank has included within its Covid-19 SME information portal a specific FAQ with respect to business interruption. This FAQ addresses the situation where operations have had to be scaled back because of COVID-19, or a business has had to close, but the insurance company has declined the claim based on business disruption clauses. The Central Bank has said:

“Where a claim is made because a business has closed as a result of a Government direction due to contagious or infectious disease, the Central Bank is of the view that the recent Government advice to close a business in the context of COVID-19 should be treated as a direction. This is a view that has also been set out by the Minister for Finance, Public Expenditure and Reform. Firms must ensure that claims are appropriately assessed and where there is insurance cover in place that claims are accepted and paid promptly.”


You can access the FAQ here: Covid-19 Small and Medium Enterprises FAQ

You can access the supervisory framework press release here: 
COVID-19 and Business Interruption Insurance Supervisory Framework


By Judy de Castro
Regulatory Consultant

COVID-19: Data Privacy vs Health and Safety
September 2020

Following the return to work protocols may give you a legal basis for processing health data but appropriate safeguards must be in place.

Data protection does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when Employers are handling personal data in these contexts, particularly health and other sensitive data.

Employers should take note of the following:

  • Where acting on the guidance or directions of public health authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
  • Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner.

For more information click on the links below:

Data Protection - Return to Work Safely Protocol

Statement by the EDPB Chair - Processing Personal Data in the context of the COVID-19 outbreak


By Judy de Castro
Regulatory Consultant

Brexit: Personal Data Transfers
September 2020

Companies transferring data to the U.K. need to be aware that steps must be taken before the 31st of December to ensure that an appropriate legal basis for transfers of data is in place.

Given how much has happened in 2020 especially with Covid-19, you could be forgiven for forgetting about the impending impact of Brexit. Last month, the European Commission published a notice to stakeholders providing an update on personal data transfers after the end of the Brexit transition period on 31 December 2020.

The Notice seeks to keep interested parties informed on the legal considerations concerning transfers of personal data from the EU to the UK after the Brexit Transition Period. After the end of the transition period, any transfer of personal data to the United Kingdom other than that governed by Article 71(1) of the Withdrawal Agreement will not be treated as sharing of data within the Union.

It will need to comply with the relevant Union rules applicable to transfers of personal data to third countries. The European General Data Protection Regulation ("GDPR") prohibits the transfer of personal data from the EEA to non-EEA countries unless certain specific safeguards (contained in Chapter 5 of the GDPR) are applied as the appropriate basis for any transfer.

Such appropriate safeguards include, for example, the use of standard data protection contractual clauses or binding corporate rules.

Those seeking to transfer personal data from the EEA to the UK after the Brexit Transition Period will need to consider their proposed data flows and understand the basis on which they will seek to validate such transfers.

To view the notice in question click HERE

By Judy de Castro
Regulatory Consultant

Cabinet Approves publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020
September 2020

On Aug. 10, the Cabinet approved a bill to transpose the European Union’s Fifth Anti-Money Laundering Directive (AMLD5) into national law, thereby strengthening existing legislation in Ireland.  

Approval from the Cabinet gives Ireland’s Minister for Justice and Equality, Helen McEntee, the go-ahead to publish the new bill. 

AMLD5 first came into force on July 9, 2018, and gave EU member states until January 2020 to incorporate the directive into their respective national laws.

In July, the European Court of Justice had fined Ireland 2 million euros for its delay in bringing the country’s AML and CFT rules into line with the rest of the EU. 

The Bill includes provisions to:
  • improve the safeguards for financial transactions to and from high-risk third countries and set new limits on the use of anonymous pre-paid cards;
  • bring a number of new ‘designated bodies’ under the existing legislation, including virtual currency providers and associated online ‘wallet providers’ for virtual currencies as well as dealers and intermediaries in the art trade;
  • prevent credit and financial institutions from creating anonymous safe-deposit boxes;
  • enhance the customer due diligence (CDD) requirements of the existing legislation;
  • sanctions for credit and financial institutions that do not screen for EU financial sanctions;
  • provide for Ministerial guidance which will clarify domestic “prominent public functions” for Politically Exposed Persons.

If you would like to keep up to date on this topic, details of our AML Update courses are available HERE


By Judy de Castro
Regulatory Consultant

Do you transfer data to U.S. companies?
September 2020

If you use third parties based in the US to process personal data on your behalf, whether it is to store data electronically or for the purposes of client relationship management, take note of where these providers send your clients’ data. 

In cases where third party service providers are US based and store your data in the US, beware of the following:

  • Where providers rely on the EU-U.S. Privacy Shield, this is now invalid (the legal mechanism for transferring personal data from the European Economic Area (EEA) to the US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers.

What should you do now?

  • You should check the privacy policies and/or data protection agreements you currently have with U.S. companies.
  • If any of those policies or agreements refer to U.S. Privacy Shield you should contact that company immediately to request clarification and an update on the legal basis for them receiving personal data.
  • If you cannot obtain clarification you must consider using an alternative company to process the relevant personal data.

By Judy de Castro 
Regulatory Consultant

MLRO Update: Revenue STR Reporting to go Online…Finally!
August 2020

Up until now, Designated Persons would have been making their Suspicious Activity Reports online to the Gardai via their online reporting system “FIU GoAML” and then making a separate report to the Revenue Commissioners via post. 

From the 7th of September 2020, the Revenue Commissioners will require suspicious activity reports to be submitted online to Revenue, using Revenue’s Online Service (ROS) only. Revenue will no longer accept hard copy (paper) STRs from that date onwards.

Reporting Entities will continue to submit STRs to both Revenue and An Garda Síochána’s Financial Intelligence Unit (FIU), as dual reporting remains a requirement.

All reporting entities must register with ROS first. 

For further information please click HERE.


By: Judy de Castro

Regulatory Consultant

Beware the Processing of Third Party Payments: BOI Fined €1.6 M in €106 K Cyber Fraud & for misleading the CBI
August 2020

On the 28th of July the Central Bank of Ireland reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations). The offender, BOI’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), was found to have serious deficiencies, which occurred over a decade, around third-party payments including:

  • Inadequate systems and controls to minimise the risk of loss from fraud
  • Inadequate governance, oversight and ongoing review of the systems and control environment
  • Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
  • Lack of compliance monitoring.

By hijacking the client’s account and using social engineering techniques such as using similar terminology to the client, the cyber fraudster issued two separate payment instructions to BOI’s subsidiary totalling €106,430. BOI’s subsidiary processed these payments, despite the instruction being signed off with an entirely different name than the name of the client. In addition, the following red flags should have been picked up:

  • incorrect telephone details; 
  • the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; 
  • and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.

Aggravating factors include the very serious matter of not reporting the fraud to An Garda Síochána and the Revenue Commissioners, and failing to be open and transparent with the Central Bank in the course of the investigation. BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third-party payments.

For more on this read the CBI’s full press release HERE


By Judy de Castro - Regulatory Consultant

PSRA: Successful Unlicensed Prosecution by the Property Services Regulatory Authority
August 2020

On 2nd July 2020, Oriel Property Management Limited was convicted at Dundalk District Court of a breach of Section 28 of the Property Services (Regulation) Act 2011, following a prosecution by the Property Services Regulatory Authority (PSRA) for providing property services without a licence. 

Oriel Property Management were fined €2,500 and have to pay the Property Services Regulatory Authority’s costs also.

The PSRA’s Chief Executive, Ms Maeve Hogan, speaking following the court case said, “The PSRA has zero tolerance for property services providers operating without a licence…” 

For the full press release click HERE


By Éilish Larkin - Regulatory Consultant

PSRA: Four-Month Extension Granted
August 2020

The Property Services Regulatory Authority (PSRA) has announced the commencement of S.I. No. 162 of 2020, Property Services (Regulation) Act 2011 (Section 95) (Extension of Licences) Regulations 2020. 

The introduction of these Regulations grants a four-month extension to licences due to expire between 7 May 2020 and 31 August 2020. Granting the extension of the licence by four months acknowledges the practical difficulties for Licensees in fully complying with licence renewal requirements and therefore enables the sector to continue to legally trade during the Covid-19 emergency.

The licence extension will be subject to the availability of the required level of Professional Indemnity Insurance (PII).

See the Statutory Instrument HERE


By Judy de Castro - Regulatory Consultant

Credit Unions in the News
August 2020

On the 17th of July 2020, the Central Bank of Ireland issued a press release regarding the appointment of joint liquidators to Drumcondra and District Credit Union.

In summary:

  • Action taken in the best interests of members and the broader public
  • Full Resolution Report and Affidavit released
  • Deposit Guarantee Scheme has made pay-outs to most eligible depositors
  • The action taken is not related to the exceptional circumstances of COVID-19

For more information please click HERE


By Éilish Larkin - Regulatory Consultant

COVID-19 – Payment Breaks in Credit Unions: Circular issued by the Central Bank of Ireland June 2020
August 2020

The Central Bank of Ireland has been in contact with the boards of all credit unions throughout the pandemic at various times.  The letter in June was regarding payment breaks offered to members who may be experiencing difficulties in paying their loans at this time.

In summary the CBI expects:

  1. Credit unions act in a way that protects the best interests of borrowers.
  2. Credit unions give appropriate support to borrowers who have been affected by COVID-19.
  3. Payment breaks should be a generally available option to affected borrowers, including those borrowers already in financial distress.
  4. Credit unions are operationally ready and prepared to engage with borrowers during, or at expiry of, the payment break in order to identify whether or not the borrower requires further support, and if so, to consider appropriate and sustainable solutions, as soon as possible.
  5. Credit unions are fully transparent and clear to borrowers as to what will happen after the term of the payment break, including setting out the available options to repay the loan and the full costs of the payment break. 
  6. Credit unions have board approved plans to deliver an assessment of all borrowers on payment breaks to ensure that appropriate and sustainable solutions are identified in a timely manner for those borrowers who are not able to return to paying full capital and interest at the end of the payment break. 
  7. The prioritisation of borrower engagement, assessment and determination of an appropriate and sustainable solution should be determined by the risk profile of the borrower.  
  8. The level of distress in the credit unions’ loan books should be prudently considered and be reflected in provisioning levels. 
  9. Sufficiently granular and timely reporting of the take-up of payment breaks across borrower type and sector should be readily available and used to inform key decision-making processes in credit unions.

For the full circular from the Registrar please click HERE


By Éilish Larkin - Regulatory Consultant

Game Changer? The Consumer Insurance Contracts Act 2019
August 2020

On 17 July 2020, the Minister for Finance, Paschal Donohoe T.D., announced that the Consumer Insurance Contracts Act 2019 (the Act) will be commenced in two stages, with some provisions taking effect from 1 September 2020.

To some relief, some of the most burdensome provisions will not take effect until 1 September 2021, giving industry insurers time to prepare. These include a revised duty of disclosure, enhanced rights for consumers on renewal rights and changes to the duties imposed on consumers and insurers on renewal.

All other provisions under the Act will apply from 1 September 2020, including those dealing with:

  • the principle of insurable interest;
  • cooling-off periods and cancellation rights;
  • post-contractual duties;
  • claims-handling duties and related requirements, including specific limitations on deferring property claims payments and proportionate remedies;
  • the replacement of warranties with the concept of "suspensive conditions"; and
  • changes to subrogation and third-party rights. 

The changes introduced by the Act mean that all insurers (life and non-life) operating consumer business in Ireland must review and update all proposal forms, policies and related documentation, as well as the manner in which pre and post-contractual processes operate. 

Insurers, and indeed all market participants impacted including brokers should progress their implementation projects as a matter of urgency. 

The Central Bank of Ireland may, under the power granted to it by Section 5 of the Act, issue a code of practice on the form of a contract of insurance and/or any other requirements related to such a contract contained in the Act. It remains to be seen whether this will take the form of a revision of the Central Bank's Consumer Protection Code 2012.

Although these provisions may increase the cost of compliance, RegSol is here to assist in taking the pain out of compliance assurance. Contact us for assistance to ensure you’re ready for regulatory change.


By Judy de Castro - Regulatory Consultant

CBI’s Dear CEO Letter for Investment firms: unregulated activities
August 2020

The Central Bank of Ireland (‘CBI’) has outlined its expectations in respect of the offering of products and services considered to be outside the scope of regulation in its Dear CEO letter to the industry. There is a significant risk, it says, that clients may misunderstand the protections afforded to them when investing in unregulated products, and firms must act “fairly, professionally and in the best interests of their clients at all times.”

The minimum requirements in this regard are:

  • Communication of regulatory status of products/services at every stage of sales process to clients to aid transparency to avoid implying these are regulated where they are not
  • Appropriate disclosures and risk warnings on all materials including for example that compensation schemes are not applicable due to being out of scope of regulation

Affected firms should ensure these requirements are communicated to their Boards and that necessary measures are taken to ensure controls and processes adhere to the CBI’s expectations. 

Click HERE to see the CBI’s Dear CEO Letter in full.


By Judy de Castro - RegSol Consultant

Cross Border Data Transfers: Schrems II Judgement Day – David vs Goliath
August 2020

For those of you that have been following the epic battle between Max Schrems, the Austrian privacy activist and lawyer who is in our view “David”, against the “Goliath” that is Facebook (within the context of the United States Surveillance Framework), judgement came on the 16th of July.

This concerns a complaint brought by Mr Schrems to the Irish Data Protection Commissioner, who referred the matter to the European Court of Justice. The matter relates to the transfers of Schrems’ personal data by Facebook Ireland to Facebook Inc. in the US. If you use Google Analytics, G Suite, Microsoft, Twitter, LinkedIn, etc., chances are EU data subjects’ personal data is flowing to servers in the US under the US Privacy Shield and is affected by this.

In a nutshell the ECJ has declared:  

  • EU-U.S. Privacy Shield invalid (the legal mechanism for transferring personal data from the European Economic Area (EEA) to the US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers.

What should we do now?

  • U.S. and EU companies that relied on the Privacy Shield should consider alternate methods of cross-border data transfer, such as the SCCs or binding corporate rules, or the applicability of the Article 49 derogations. 
  • Immediately re-evaluate data transfers with third parties into third countries under SCCs. Review your record of processing and risk assessments. Monitor further guidance from the EU Commission, the European Data Protection Board (EDPB) and the Data Protection Commission. If you were relying on the Privacy Shield, you need to find other ways to permit data transfers into the United States or should consider locating data processing operations, such as servers, to the European Union. Other methods of cross-border data transfer include the SCCs or establishing Binding Corporate Rules (Art. 47 GDPR).

Problems for the future?

We foresee issues with enforcement. When looking at the United States, should a dispute arise, even if parties agree on a jurisdiction of the courts in the EU, the US is not a signatory to the Hague convention and so can we ever confidently say an EU data subject’s data is protected in the US?


Click HERE to view the judgement.


By Judy de Castro - Regulatory Consultant

ECJ imposes €2m fine on Ireland over AML Directive Delays
August 2020

The European Union’s top court, the European Court of Justice (ECJ), ordered Ireland on the 16th of July to pay a lump sum of €2 million to the European Commission for failing to implement in full, within the period prescribed, regulations aimed at preventing money laundering and terrorist financing.

Romania was also hit with a fine of €3 million in the judgment.

The judgement relates to implementation of directive 2015/849 or the 4th EU AML Directive. Member states are provided with an appropriate lead-in time to implement EU regulations. In this case, the Directive required member states to comply with the relevant administrative provisions by 26 June 2017. Ireland implemented most of these provisions more than a year later, in November 2018.

So, on 27 August 2018, the Commission had brought actions against Ireland and Romania before the ECJ for failure to fulfil their obligations. Ireland and Romania had argued that the fines sought by the European Commission were unjustified and disproportionate.

But the court ruled that even though the countries had since complied with the rules, there was an undue delay in fulfilling their obligations.

With Ireland already late in transposing directive 2018/853 or the 5th EU AML on the 10th of January of this year, Ireland could expect to pay another hefty fine in due course. The Commission has already issued Ireland with a formal notice.

To view the ECJ Press release Click HERE


 

By Judy de Castro - RegSol Consultant


Pandemic Impact – It’s the little things!
August 2020

Here in Roscommon, it is something similar in terms of the roller coaster of emotions mentioned by Judy.  Covid-19 has impacted every aspect of life and changed most experiences.  There is no such thing as a quick trip to the shop for a few bits and pieces.  

Queues (which I associated with Dublin) and hand sanitiser are everywhere, not to mention masks.   Smaller premises have signs on the door limiting the number of customers that can be inside at any one time.  The easing of restrictions has allowed me to meet all the RegSol team last week in person while following all the guidelines.  

In addition to the challenges completing everyday tasks such as shopping there is the added use of technology which brings its own issues.  The advances that have been made mean a lot of people can work remotely and “Zoom calls” are a key part of keeping in touch for business and in personal life.  On the flip side, the pandemic has been a paradise for many scam artists as not everyone is up to speed regarding the dos and don’ts of technology.  

As I settle back into life in the West (having joined RegSol and left Dublin mid pandemic) I look forward to working with the team and meeting new and existing clients in the “new normal”.  The new desk looks out over fields and trees and my washing line, all I need now is some more sunshine!!!


By Éilish Larkin - Regulatory Consultant

Lockdown Blues- Overcoming Division
August 2020

During this COVID-19 Global Emergency, I have felt overwhelmed, exhausted, exasperated, elated, and caught between division and uncertainty. Like a pendulum, I’m longing to jump on a plane to escape to the sea, sun, warmth of the sun on the continent to see my relatives, and then flip-flopping, looking to batten down the hatches on this island and sterilise my door handles, my hands,  my children. 

I want to hug friends and socialise to my heart’s content but then I want to retreat into isolation and social distance. 

This I think is reflected in the division surrounding my village in Malahide. Fingal County Council has recently closed off and pedestrianised New Street, the main artery into the village, where the famed Gibney’s is a household name and many restaurants and cafes adorn the street. 

Locals are at the very least not amused with this closure; and some local businesses have set up a rival Facebook page to “Save Malahide Village” from pedestrianisation. Villagers have posters poking out of windows, doors, shop windows protesting the green initiative. 

Whereas before local social media would chastise those who would not keep their distance, this has now been replaced with jibes and questions of loyalty boiling down to one question: “Are you for the pedestrianisation of New Street or are you against it?” I think I will batten down the hatch on this one, thanks!


By Judy De Castro - Regulatory Consultant


DPC Regulatory Activity 2018-2020
July 2020

The DPC has published a two-year Regulatory Activities report under the GDPR to assess the range of regulatory tasks over the period 25 May 2018 to 25 May 2020.

From 25 May 2018 to 25 May 2020, the DPC:

  • received in excess of 40,000 emails, 36,000 phone calls and 8,000 postal contacts;
  • opened 15,025 cases in support of individuals’ rights;
  • concluded 80% of cases opened (so far); and
  • reduced conclusion times for cases (average days taken to conclude a case or query down by 53% over two years).

Since 25 May 2018, the most frequent GDPR topics for queries and complaints have consistently been: Access Requests; Fair processing; Disclosure; Right to be Forgotten (delisting and/or removal requests); Direct marketing and Data Security. 

Figures indicate that the DPC is dealing with high volumes of cases that are potentially resolvable at a data controller/ Data Protection Officer level.

  • Total breach notifications received between 25 May 2018 and 25 May 2020: 12,437.
  • 93% classified as relating to GDPR (11,567 notifications).
  • Of the 12,437 total recorded breach cases, 94.88% concluded (11,800 cases).

The most frequent cause of breaches reported to the DPC is unauthorised disclosure (80%). Human error is at the root of far more reported breaches than phishing, hacking or lost devices (5.6% collectively).

Figures indicate that the DPC is dealing with breaches that could be mitigated by more robust technical and organisational measures.

Click HERE to view the full report.

By Judy de Castro - Regulatory Consultant


CBI’s Governor on COVID-19 and Protection of the Consumer
July 2020

On 24th of June the Governor of the Central Bank Gabriel Makhlouf published his reflections on the CBI’s approach to protecting consumers in terms of price stability, resilient financial institutions and 

Codes of Conduct and Culture available HERE to view

By Judy de Castro - Regulatory Consultant

CCPC: Simplified Merger Notification Procedure Regime to Commence on 1 July 2020
July 2020

The introduction of a simplified merger notification procedure is hoped to reduce the time and resources required of businesses, as notifying parties will be exempt from providing certain information when filing mergers or acquisitions which do not raise significant competition concerns. 

The new simplified merger notification procedure will not replace the current procedure, but will facilitate more efficient review of mergers that do not raise competition concerns.

The Simplified Merger Notification Procedure Guidelines provide a detailed overview of the criteria that must be satisfied for a merger or acquisition to fall within the scope of the simplified merger notification procedure. 

They also set out the procedural provisions including: pre-notification discussions, the publication of notice of a notified proposed transaction, and the determination process under the simplified merger notification procedure.

Click HERE to view the guidelines. 


By Judy de Castro - Regulatory Consultant

CBI Enforcement Action: Rory O'Connor
July 2020

On 9 June 2020, the Central Bank of Ireland (the Central Bank) reprimanded Mr O’Connor, disqualified him from being a person concerned in the management of a regulated financial service provider for a period of 8 years 4 months, and imposed a fine of €70,000 for his admitted participation in RSAII’s failure to maintain sufficient technical reserves from February 2010 to 30 September 2013 (the Relevant Period). 

This enforcement action against Mr O’Connor follows a separate investigation conducted by the Central Bank in respect of RSAII, at the conclusion of which the Central Bank reprimanded RSAII and imposed a financial penalty of €3.5 million in December 2018.

Click HERE to view full report.

By Judy de Castro - Regulatory Consultant

Central Bank announces updates to Retail Intermediary Authorisation Process on 26 May 2020
July 2020

Submission of Retail Intermediary Applications for Authorisation.

An applicant seeking authorisation or registration as a retail intermediary under:

  • The Investment Intermediaries Act 1995 (as amended) (the IIA);
  • The European Union (Insurance Distribution) Regulations 2018 (the IDR);
  • The Consumer Credit Act 1995 (as amended)(the CCA); and/or
  • The European Union (Consumer Mortgage Credit Agreements) Regulations 2016 (the CMCAR)

should submit its application for authorisation or registration in electronic format to the Central Bank via our secure file transfer system. Access to this system can be requested via email to RIAuthorisations@centralbank.ie.

The submission of a hard copy version of the application will no longer be required.


By Judy de Castro - Regulatory Consultant

COVID-19 and Cyber Crime: What to Watch Out For
July 2020

On the 31st of March the EBA published a statement on actions to mitigate financial crime risks in the COVID-19 pandemic. The document discusses from a supervisory level the actions competent authorities should take in urging credit and financial institutions to effectively put in place internal controls and systems to ensure the EU’s financial system is not abused by crime. 

On the 27th of March, Europol published a report on how criminals have adapted to the COVID-19 pandemic. It is based on information Europol receives from the EU Member States on a 24/7 basis and intends to support Member States’ law enforcement authorities in their work. According to the  report, the number of cyber-attacks is significant and expected to increase further. 

Cybercriminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic. They may expand their activities to include other types of online attacks. Cybercriminals are likely to seek to exploit an increasing number of attack vectors as a greater number of employers adopt telework and allow connections to their organisations’ systems.

Our Top 5 Tips:

  1. Update your AML-CTF Risk Assessment and any other relevant policies, internal controls or systems
  2. Train staff
  3. Transaction monitoring calibrated to recognise patterns in areas known to be impacted by COVID-19 but still yielding uncharacteristically large or unchanged profit flows
  4. Ongoing monitoring of impacted industries such as pharmaceutical or medical supply equipment
  5. Risk assess your own IT systems and work from home strategies for resilience against cyber attack

Click HERE to read EBA's statement. 

Click HERE to read the Europol Report.

By Judy de Castro - Regulatory Consultant

EU Commission Urges 8 Member States to Fully Transpose MLD5
July 2020

On 14 May 2020, the European Commission sent a letter of formal notice to Ireland (along with seven other EU member states: Belgium, the Czech Republic, Estonia, Ireland, Greece, Luxembourg, Austria, Poland and the UK) for having only partially transposed the Fifth Anti-Money Laundering Directive EU/2018/843 ("MLD5").

The deadline for transposition into national law was 10 January 2020. 

The General Scheme of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which was to implement MLD5 in Ireland, was published in January 2019 but has not yet progressed any further. 

Other than the provisions relating to Beneficial Ownership, Ireland has yet to implement the measures contained in MLD5. 

In the letter of formal notice, the Commission encourages the relevant EU member states to transpose all aspects of MLD5 urgently. 

Without a satisfactory response from the relevant EU member states (a letter of formal notice requests an explanation of the alleged breach of EU law) within four months, the Commission may send a reasoned opinion.


By Judy de Castro - Regulatory Consultant

Data Protection Commission Fines Tusla
July 2020

On the 21st of May 2020, Tusla was issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules. 

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

The fine for the three breaches totalled €75,000.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

By Judy de Castro - Regulatory Consultant

Data Protection Commissioner Issues Draft Decision Against Twitter
July 2020

The Irish Data Protection Commission (DPC) submitted a draft decision on 22 May to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland.

This was initiated by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies, including WhatsApp Ireland Limited. The inquiry into WhatsApp Ireland examines its compliance with the transparency requirements of Articles 12 to 14 of the GDPR, including transparency around what information is shared with Facebook.

By Judy de Castro - Regulatory Consultant

Guidance Note on Cookies and Other Tracking Technologies issued April 2020
July 2020

The DPC will allow a period of six months from the publication of this guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

As a rule, natural persons may be associated with online identifiers provided by their devices, including cookie identifiers and tags. These may leave traces which, when combined with other unique identifiers and other information received by servers, may be used to create profiles of those natural persons and identify them; in other words, they are personal data.

Analytics cookies are used as a measuring tool for websites, including to provide information on the number of unique visitors and the pages they browse during their visits. In combination with other data, they may identify a user and require consent.

For further guidance, please click HERE.

By Judy de Castro - Regulatory Consultant


CBI’s unofficial Consolidation of Consumer Protection Code
July 2020

In March 2020, the CBI consolidated the CPC but with a health warning: Please note that this document available in the link below is an unofficial consolidation of the Consumer Protection Code 2012, as it stood revised from 1 January 2015. 

The document has been prepared by the Central Bank of Ireland for ease of reference only and is not a legal document.

Click HERE to view the document.

By Judy de Castro - Regulatory Consultant

Omnibus Directive: New Protections for Consumer Rights
July 2020

A key part of the EU’s New Deal for Consumers entered into force earlier this year: The Omnibus Directive, which strengthens consumer rights through enhanced enforcement measures and increased transparency requirements.

Key changes introduced by the new Directive are:
  • A requirement for increased transparency online in particular for search result rankings, fake reviews, endorsements and personalised pricing.
  • The extension of consumer rights to “free” digital content and services.
  • Fines and Enforcement powers: fines of up to 4% of the trader’s annual turnover in the Member State (or Member States) where the breach occurred, or EUR 2 million in cases where information on turnover is not available, with individual Member States able to introduce even higher fines.

EU Member States have two years to transpose these new rules: national implementation measures must be adopted by 28 November 2021 and in force by 28 May 2022.

By Judy de Castro - Regulatory Consultant

New PII Limits Imposed from June 12th 2020
July 2020

Professional Indemnity Insurance (PII) is seen by the Central Bank of Ireland as a key prudential and consumer protection safeguard. From the 12th of June 2020 the required amount of cover will change.  

This change has come about under COMMISSION DELEGATED REGULATION (EU) 2019/1935.

The new requirements are: €1,300,380 per claim and €1,924,560 in aggregate.

This change applies to intermediaries authorised under both the Insurance Distribution Regulations (IDR) 2018 and the Investment Intermediaries Act 1995.

Brokers should ensure with their PII provider that their PII levels will be amended in line with the new requirements.

Click HERE to read the Brokers Ireland Announcement.

By Judy de Castro - Regulatory Consultant

CCPC: Unfair Terms in Consumer Contracts
July 2020

The Competition and Consumer Protection Commission (CCPC) has produced guidelines to assist businesses in navigating contractual terms outlining potential pitfalls for consumers. 

The unforeseen nature of the COVID-19 situation has brought about unprecedented circumstances and, as a result, businesses may be considering changing the terms and conditions in their standard form contracts, particularly in relation to cancellations, rescheduling and refunds.

The CCPC is concerned that businesses may change or add additional terms and conditions in existing consumer contracts, without advance notification to consumers or an opportunity for them to exit the contract without penalty if they do not wish to accept the business’ proposed change.  

Seeking to bind existing consumers to new or amended terms without the consumer’s agreement constitutes an unfair commercial practice under the Consumer Protection Act 2007.

Click HERE to view the link.

By Judy de Castro - Regulatory Consultant

EDPB Statement on data subject rights in connection to the state of emergency in Member States.
June 2020

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. 

The statement was issued by the EDPB after the adoption by the Hungarian government of a decree on 4th of May 2020. As per this decree, “… all measures following data subject’s request exercising the rights based on Articles 15 to 22 of the GDPR are suspended until the end of the state of danger…”

The statement outlines that data protection does not impede the fight against the COVID-19 pandemic and that Article 23 of the GDPR allows, under specific conditions, restrictions by way of legislative measures to the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34.

A restriction must be one that “… respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State, in particular public health.”

The EDPB is very clear that “…even in these exceptional times, the protection of personal data must be upheld in all emergency measures,…”

It is evident that while we deal with this unexpected pandemic the rights enshrined in GDPR must be complied with by data controllers and processors and any restrictions must be limited in their duration and scope. 

The EDPB has issued various statements since the pandemic began and the tone of all of them is that the pandemic does not allow the rights detailed in the Charter of Fundamental Rights of the European Union and under GDPR to be swept aside in order to tackle COVID-19.

To read the article in full click HERE 

To read all of the EDPB’s articles and statements visit HERE


By Éilish Larkin - Regulatory Consultant

ESMA Guidelines - On certain aspects of the MiFID II Compliance Function Requirements
June 2020

The role of the Compliance officer has been that of an independent assurance function that reports to the Board providing balanced impartial advice, sufficiently resourced, with clearly defined roles and responsibilities and with access to information and personnel to coordinate the management of compliance risk across the organisation.

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, published the final guidelines on the MiFID II compliance function on June the 5th. These guidelines replace the ESMA guidelines on the same topic issued in 2012 and include updates that clarify the new MiFID II compliance function requirements. 

These guidelines apply from two months after the date of publication of the guidelines on ESMA’s website in all EU official languages.

While the objectives and principles of the compliance function remain unchanged, the obligations have been further strengthened. The guidelines will clarify responsibilities in relation to MiFID II’s product governance requirements, by notably detailing further the reporting obligations of the compliance function. 

The guidelines also provide a comprehensive roadmap for any compliance professional wishing to ensure that their role is effective and a beacon of assurance for their Board and Senior management team.

Worth mentioning for all compliance professionals are:

  • Conducting a regular risk-based assessment, the output to be used to create an effective risk-based compliance monitoring program with the aim of ensuring the firm’s business is conducted in line with its licence, policies, procedures and internal controls
  • Using suitable tools and methodologies for monitoring activities. Those that could be used by the compliance function include (but are not limited to):
    • the use of aggregated risk measurements (for example, risk indicators); 
    • the use of (additional) reports warranting management attention documenting material deviations between actual occurrences and expectations (exceptions report) or situations requiring resolution (issues log);
    • targeted trade surveillance, observation of procedures, desk reviews, interview of relevant staff and/or, where necessary, and at the discretion of the compliance function, of a relevant sample of firm’s clients
  • Reporting on Findings to include a summary of major findings of the review of the policies and procedures, including risks identified in the scope of the compliance function’s monitoring activities;  breaches and deficiencies in the firm’s organisation and compliance process;  the number of complaints received in the period under review if not already reported through other sources. 
  • Promoting a ‘compliance culture’ throughout the firm, which should be supported by senior management. The purpose of the compliance culture is not only to establish the overall environment in which compliance matters are treated, but also to engage staff with the principle of improving investor/consumer protection as well as mitigating systemic risks.

ESMA Guidelines Document can be found HERE

By Judy de Castro - Regulatory Consultant

Business continuity: Property Service Providers
June 2020


The Joint Sector Protocol for Property Services Providers is intended to consolidate practical guidance available on how to safely manage business continuity during the COVID-19 pandemic. 

It relates only to property services providers (PSPs) and the valuation sector and how they can safely engage with clients and members of the public. 

The Document is available HERE

By Judy de Castro - Regulatory Consultant

New PII Limits Imposed from June 12th 2020
June 2020

Professional Indemnity Insurance (PII) is seen by the Central Bank of Ireland as a key prudential and consumer protection safeguard. From the 12th of June 2020 the required amount of cover will change.  

This change has come about under COMMISSION DELEGATED REGULATION (EU) 2019/1935.

The new requirements are: €1,300,380 per claim and €1,924,560 in aggregate.

This change applies to intermediaries authorised under both the Insurance Distribution Regulations (IDR) 2018 and the Investment Intermediaries Act 1995.

Brokers should ensure with their PII provider that their PII levels will be amended in line with the new requirements.

Click HERE to read the Brokers Ireland Announcement

By Éilish Larkin - Regulatory Consultant

Omnibus Directive: New Protections for Consumer Rights
June 2020

A key part of the EU’s New Deal for Consumers entered into force earlier this year: The Omnibus Directive, which strengthens consumer rights through enhanced enforcement measures and increased transparency requirements.

Key changes introduced by the new Directive are:

  • A requirement for increased transparency online in particular for search result rankings, fake reviews, endorsements and personalised pricing.
  • The extension of consumer rights to “free” digital content and services.
  • Fines and Enforcement powers: fines of up to 4% of the trader’s annual turnover in the Member State (or Member States) where the breach occurred, or EUR 2 million in cases where information on turnover is not available, with individual Member States able to introduce even higher fines

EU Member States have two years to transpose these new rules: national implementation measures must be adopted by 28 November 2021 and in force by 28 May 2022.

EU consumer legislation applies to traders targeting consumers in the EU, regardless of the trader’s location. Online traders worldwide will need to use this two-year window to ensure their EU-facing practices comply and mitigate the risk of fines.

By Judy de Castro - Regulatory Consultant

Belgian DPA issues €50,000 fine for DPO’s Conflict of Roles
June 2020

On 28 April 2020, the Belgian Data Protection Authority (“DPA”), fined a Belgian company €50,000 for breach of article 38 (6) of the GDPR:

“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”

The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance.

The Litigation Chamber stated that the administrative fine was not imposed with the intention to terminate the violation, but rather with a view to vigorously enforce the rules of the GDPR. In this respect, the Litigation Chamber specified that, although there was no element showing an intentional infringement, there was serious negligence on the part of the defendant. 

The Article 29 Working Party Guidelines for Data Protection Officers explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is thus an essential conflict of interest. The role of departmental manager is thus inconsistent with the function of DPO who must be able to perform his or her tasks independently. 

Where the same person performs the role of data controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, that person lacks independence.

By Judy de Castro - Regulatory Consultant