RegSol Blog


RegSol Blog Posts

Enforcement Action: Ulster Bank (Ireland) DAC fined €4,600,000 by the Central Bank of Ireland
March 2020

The Purpose of Corporate Governance is to build and strengthen:
  • Accountability
  • Credibility
  • Transparency
  • Integrity
  • Trust

Transparency can reinforce sound corporate governance and enable a bank’s stakeholders, supervisors and the general public to judge the effectiveness of its board and senior management. Directors and senior management are thus made more accountable for their actions and performance. Yet, despite being the subject of three previous settlement agreements (all of which included corporate governance failings), Ulster Bank was, on 3 March 2020, reprimanded and fined €4,600,000 for further corporate governance failings relating to regulatory returns required under the Mortgage Arrears Resolution Targets (MART) Framework.

The three previous settlement enforcement actions taken by the Central Bank were as follows:
  • 2016 - breaches concerning money laundering and terrorist financing
  • 2014 - IT governance failures
  • 2012 - breaches of liquidity and capital requirements

This persistent pattern of behaviour calls into question ethical behaviour at Ulster Bank, given that these failings appear systemic and most likely stem from a dysfunctional culture, responsibility for which ultimately rests with the Board. The Central Bank’s investigation found serious failings in Ulster Bank’s approach to the compilation and submission of its returns.

These included:
  • Failure to implement effective oversight of the MART return process; and
  • Failure to have in place and maintain procedures, internal controls and reporting arrangements.

Banks were required under the MART Framework to report details of the level of mortgage arrears to the Central Bank on a regular basis. Essential to this requirement was ensuring the integrity of the data submitted to the Central Bank. The Central Bank had informed Ulster Bank of governance failings around the compilation of its MART returns in 2013, and the Firm committed to taking action. However, it was not until 2015 that the Firm acted to address the issues. The delay in putting remediation plans into action, the lack of transparency, and the established pattern of problematic behaviour led to this fourth failure in corporate governance at Ulster Bank. The Board and Senior Management may be in the firing line.
For more information click HERE

By Judy de Castro - Regulatory Consultant
Department of Justice STR Statistics 2018
March 2020

The Department of Justice and Equality publishes an annual report whose purpose is to provide details of Ireland’s response to Money Laundering and Terrorist Financing, taking into account: the legislative regime; international dimensions; the regulatory framework; enforcement; and supervisory authorities. Although the Department only recently published the 2018 report, at the end of February 2020, we are still awaiting publication of the report for 2019. Figures for 2018 show that almost 24,000 suspected cases of money laundering or terrorist financing were reported in 2018, a decrease of almost 2% on the previous year. A smaller number of cases — 23,442 — were reported to Revenue, despite the requirement to notify both the Gardai and Revenue of all suspect activity.

The key takeaways are:

  • The 2018 report indicates that over 80% of cases reported to Revenue concerned tax-related offences.
  • The quality of the content of STRs submitted since June 2018 has improved following the acquisition of the online STR system GoAML.
    • It is now mandatory for all reporting entities to register and when reporting specify what the potential criminal indicator is for each STR. This assists in the prioritisation process.
  • Revenue said information generated from such reports had resulted in an additional tax yield of €4.7m.
  • Criminal proceedings resulted in 73 individuals being charged with 284 money laundering offences during 2018. A total of 28 individuals were convicted of 130 money-laundering offences (up from 11 individuals in 2017), while one person was convicted of two terrorist financing offences.
  • An individual was jailed for two and a half years at Waterford Circuit Criminal Court after pleading guilty to providing and attempting to provide funding for Islamic State.
  • The Criminal Assets Bureau also secured court orders freezing 85 bank accounts and obtained a total of 228 orders over assets valued at €14.4m which were suspected of being the proceeds of crime such as drug-trafficking, fraud, and smuggling.
Rate of Compliance of entities regulated by the AMLCU (Supervision Arm of the Department of Justice)

By way of an example the report provides illustrations of compliance with legislation for certain sectors. The table below shows how Trust Company Service Providers (TCSPs), Private Members Clubs (PMCs) and High Value Goods Dealers (HVGD) have adhered to their compliance obligations:


Legislative Developments

The report also indicated that work on transposing the 5AMLD should be completed by early 2020. The Directive extends the rules on the use of virtual currencies, clarifies the requirements of the beneficial ownership register and clarifies the minimum enhanced due diligence protocol when conducting financial transactions.

To view the report in its entirety click HERE


By Judy de Castro - Regulatory Consultant
BCP & Pandemic Response Plans
March 2020

There is no escaping the media frenzy as we watch the world’s response to a pandemic unfold before our very eyes. We at RegSol express solidarity to those affected and our sympathies go out to all who have suffered losses; but especially to those regions most severely impacted, including China and Italy. 

So, what are the practical implications for businesses, particularly those regulated by the Central Bank? And what does a response plan actually look like? The Central Bank has issued generic communications to firms stating that all necessary arrangements should be put in place, and has commented publicly:

“We are closely monitoring developments related to COVID-19 and continue to assess their impact on the economy and the financial system, as more information becomes available.

We expect regulated firms to have appropriate contingency plans in place to be able to deal with major operational events, should they occur, and we are working with the financial sector to ensure that firms are responding effectively to the evolving situation.”

Being mindful that careful planning requires modelling various scenarios, making adjustments throughout the business continuity life cycle during business as usual and on an annual basis, Business Continuity Management Programmes should have already documented:

  • Risk assessments - site and threat analysis
  • Business Impact Analysis (BETH-3: building, equipment, technology, human resources and third parties)
  • Emergency Response and Crisis Management Plans
  • Business Continuity Strategies & Plans
  • Testing & Desktop Exercises, Denial of Access
  • Scenario Analysis (Pandemic, Severe Weather, Fraud, Cyber attack etc)


Businesses must have determined, through business impact analyses, their critical processes, critical people, systems, equipment and critical outsourced service providers, AND what is required to keep these going under the stress of severe events such as power outages, severe weather, inaccessibility of the building, etc. Above all, the safety of customers, staff and suppliers should be paramount when determining steps to mitigate the consequences of these events.

During a pandemic scenario, businesses may closely monitor HSE, HPRA, ECDC and WHO communications and should assume that critical staff, including critical outsourced service providers, may not be available; as such, they should take into account rates of infection to properly assess the potential impact and plan strategically via a crisis management or incident response team.

The key is knowing when to activate plans and how to resource critical operations through the potential waves, peaks and troughs of infection levels. Maintaining effective communication with critical staff and outsourced service providers or suppliers, combined with successfully anticipating people outages due to hospitalisation, confinement and school/creche closures, and grounded in a sound business continuity approach, will enable the business to survive:

  • mass absenteeism, which could affect as much as 40% of the workforce (Mitigations: sick leave policy, work from home strategies, infection control supplies, cross training of critical processes, employee assistance programmes to deal with loss);
  • changing patterns of consumer demand; and
  • interrupted supply chains.
The below graph is useful in measuring the duration of the outbreak and calibrating your BCP plans:



By Judy de Castro - Regulatory Consultant
FATF’s Updated Report on Ireland's Progress in Strengthening Measures to Tackle ML & TF
February 2020

Ireland has been in an enhanced follow-up process following the adoption of its mutual evaluation in 2017. In line with the FATF Procedures for mutual evaluations, the country has reported back to the FATF on the action it has taken since then. As a result, the FATF has re-rated Ireland’s compliance with some key recommendations and released a publication in November 2019.

Some items of note are:

  • Since the MER, Ireland has amended its legislation to address the technical deficiencies identified under R.10. This covers requirements related to customer identification and verification measures, and the inclusion of a senior managing official under the definition of beneficial owner. However, the specific requirements related to legal persons have not been addressed. In relation to life insurance, obliged entities are now required to include the beneficiaries of a life insurance policy/contract in the risk assessment when these are legal persons. However, there is no explicit requirement to treat beneficiaries of life insurance as a relevant higher-risk factor when they are legal persons or arrangements, although it could be implied.


  • Ireland’s definition of “PEP” was not consistent with the definition of “PEP” in the FATF glossary. Since the MER, Ireland has revised its legislation, addressing the identified deficiencies related to the lack of coverage of domestic PEPs and PEPs of international organisations, including family members or close associates of these. Additionally, the reference to “residence” in relation to foreign PEPs has been removed, resulting in the coverage of foreign PEPs residing in Ireland. The amended legislation also addresses the deficiency related to determining whether a beneficial owner of a customer is a PEP, and to informing senior management prior to payout of policy proceeds. The general obligation to consider filing an STR applies to situations of higher risk involving a PEP.


  • Recommendation 15 was highlighted in Ireland’s MER as lacking a specific requirement to undertake risk assessments of new products, business practices or technologies prior to their utilisation. Since the MER, Ireland has conducted ML/TF risk assessments on new products and technologies, including virtual assets, crowdfunding and electronic money. Additionally, Ireland has revised its legislation to require obliged entities to conduct a risk assessment of the products, services and delivery mechanisms they provide, in order to identify ML/TF risks. However, there is no explicit requirement for the risk assessment to be conducted prior to the introduction of a new product/service/delivery mechanism into the market.


By Judy de Castro - Regulatory Consultant
European Banking Authority’s New Role for 2020: Lead Watchdog on AML/CFT
February 2020

In 2019, the European legislature consolidated the AML/CFT mandates of all three European supervisory authorities within the European Banking Authority. The EBA will lead, coordinate and monitor the AML/CFT efforts of all EU financial services providers and competent authorities. 

The law implementing these powers and this mandate came into effect on 1 January 2020. The European Union (EU) in recent years has introduced a more comprehensive legal framework in the fight against money laundering and terrorist financing. Nevertheless, there has been a constant stream of high profile ML/TF cases involving European banks. 

These scandals, together with findings by international AML/CFT assessment bodies, point to deficiencies in some competent authorities’ approaches to their AML/CFT supervision of banks. The Danske Bank scandal involving its Estonia Branch has been described as the largest money laundering scandal in European history with over €200 billion of suspicious transactions flowing through the European Banking System. Luanda Leaks is the latest to engulf European institutions that facilitated illicit flows originating from a high profile Politically Exposed Person in Angola through to offshore jurisdictions. 

So it is in this light that the approach to combating ML and TF must change. 

And change it has, with the EBA’s publication on the 6th of February of its first Report on competent authorities’ approaches to AML/CFT supervision of banks, available HERE.

The EBA has also opened a public consultation, on the 5th of February, on revised money laundering and terrorist financing (ML/TF) risk factors Guidelines as part of a broader communication on AML/CFT issues. This update takes into account changes to the EU Anti Money Laundering and Counter Terrorism Financing (AML/CFT) legal framework and new ML/TF risks, including those identified by the EBA’s implementation reviews. This is available HERE.


By Judy de Castro - Regulatory Consultant
Data Protection Commission Raids Facebook Ahead of Valentine's Day
February 2020

Article 35 of the General Data Protection Regulation (“GDPR”) prescribes that a Data Protection Impact Assessment (“DPIA”) shall be conducted by a controller where a type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The GDPR also sets out a number of specific instances in which controllers must conduct a DPIA. If required, a DPIA must be completed prior to the commencement of the relevant data processing. 

Despite Facebook having informed the Data Protection Commission (DPC) of its plans to roll out a new dating platform to coincide with Valentine’s Day, the DPC conducted an inspection at Facebook’s offices on the 10th of February seeking further information. The DPC has stated that its concerns arose because Facebook did not provide a DPIA, nor did it provide the DPC with an overview of its decision-making processes with respect to the new dating feature in a timely fashion.

As a result, Facebook Ireland has had to postpone the rollout of the dating feature in Europe. This case highlights the significance of carrying out a DPIA for any new high risk projects under Article 35.

The purpose of the DPIA is to allow the data controller to make informed decisions about the acceptability of data protection risks and communicate effectively with data subjects affected. Interestingly the DPC’s website does note the following:
“If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, you must consult with the Data Protection Commissioner before moving forward with the project.”

Please click HERE for more information.

If you need assistance or would like to learn more about Data Protection, register for DP training or contact our consultants.

By Judy de Castro - Regulatory Consultant
Pensions Auto Enrolment set for 2022
January 2020

The Pensions Auto Enrolment system is a government initiative set to supplement the State pension and defuse the ticking time bomb that is Ireland’s growing ageing population and the decline in workers with private pensions. The latest CSO figures, released on the 6th of January 2020, show that over a third of those without a pension say they cannot afford the additional living expense.

As the State pension is paid at a flat rate, rather than being earnings-related, workers without retirement savings are exposed to a greater risk of poverty upon retirement. Among those who have no pension, more than half stated that their employer did not provide one. The Government, in its Roadmap for Pensions Reform 2018-2023, plans to launch an “auto-enrolment” pension scheme sometime in 2022 (although previous promises included a launch date of 2020 and then 2021).

This plan is available by clicking HERE


The new State pension system will come into place based on a “total contributions approach” where a person’s lifetime contribution will more closely match the benefit they receive. It will apply to approx. 585,000 private sector workers, aged between 23 and 60 earning more than €20,000 with their contributions rising until it reaches 6% in the 10th year of contributions. Workers can opt out should they so choose.

As outlined in the Pensions Roadmap, the Pensions Authority will seek greater powers of enforcement to secure confidence and gain legitimacy from the Irish consumer, in order to ensure that governance codes and standards, systems of internal control, fit and proper key function holders, reasonable outsourcing and depositary arrangements, conflict of interest policies, risk management policies and internal audit policies are properly complied with. On the 15th of January, the Pensions Authority in an action taken against the directors of Rock Solution Options Limited were fined

Despite this, and as the general election looms, Auto Enrolment looks likely to be postponed yet again. It is, however, important to mention that the benefits of implementation should not be underestimated. The UK and New Zealand have already implemented the system with positive outcomes. The UK, for instance, has seen a dramatic impact on the participation of ethnic minorities and young adults in pension saving. According to the Pensions Regulator in the UK, 84% of 22-29 year olds were in a pension scheme in 2018, compared with just 24% in 2012.

For Employers, despite an existing obligation to facilitate access to a pension, auto enrolment still represents a daunting impact on businesses in terms of additional administrative time and costs to put in place and maintain a pensions scheme. However, for brokers and trustees, this represents a unique opportunity to be service provider of choice for employers and employees alike.

By Judy de Castro - Regulatory Consultant
Property Services Regulatory Authority: First Regulatory Actions
January 2020

The evolution of the Property Services Regulatory Authority since its inception now continues with a series of firsts, including securing its first injunction against an unlicensed operator and its first prohibition of a licensee from trading.

On Monday, 9 December 2019, the High Court granted the Property Services Regulatory Authority (PSRA) an injunction preventing Ms Walsh of C E Walsh Limited from providing property services without the appropriate licence. The injunction also prevents Ms Walsh, the company director, from holding herself out as being available to provide property services, or from advertising property services in any way. Full details of the PSRA’s press release are available here: http://www.psr.ie/en/PSRA/Pages/Speeches

The Chief Executive of the PSRA, Ms Maeve Hogan said, “the PSRA has zero tolerance for any property services provider trading without a licence and will take all necessary actions, up to and including legal injunctions to ensure unlicensed operators are prevented from trading and providing their clients with no consumer protection.”  Clients of licensed service providers benefit from important consumer protections such as a thorough complaints investigation mechanism, obligatory professional indemnity insurance, comprehensive regulations on protecting client funds and a Compensation Fund for those who suffer losses as a result of the dishonesty of a licensee.  

The previous month, on Monday, 25 November 2019, the High Court permanently prohibited a former licensee, Mr Breathnach who had traded as Cavan Real Estate Ltd., Dublin Road, Cavan, from reapplying for a property service licence. This is the first occasion that a licensee or a former licensee has been “struck off” the Register of Licensees. The High Court also ordered that Mr Breathnach pay a sum of €50,000 to the Property Services Regulatory Authority and to make an additional payment of €48,492.82 into the Property Services Compensation Fund. The Court gave Mr Breathnach 90 days to make this payment. According to the Irish Times, in court documents, it was stated Mr Breathnach was previously licensed to provide property services but has not held a licence since July 5th, 2017, when his existing licence expired.

After six separate complaints were made against him on dates in February and March 2017, inspectors were appointed by the PSRA to investigate. One complaint, made on behalf of a property management firm, alleged retention of clients’ deposit monies in respect of 18 properties sold in Co Cavan. The five other complaints alleged failure to return five booking deposits.

Since its establishment the PSRA has successfully prosecuted rogue operators for unlicensed trading, securing court convictions, fines and costs.  Currently, the Authority is prosecuting three cases of unlicensed trading, which are all before the Courts and are expected to be heard over the coming months. 

By Judy de Castro - Regulatory Consultant
Schrems vs Facebook: Data Transfers outside the EEA
January 2020

To kick off a new year in Data Protection, we assess Austrian privacy activist Max Schrems’ epic seven-year crusade against Facebook over whether the methods used by companies to transfer data are above board. This decision has a massive impact on banks, carmakers and other international corporations that transfer data to the US and other non-EEA states.

Data controllers who transfer data to the US from the EU have been eagerly following the proceedings in Ireland & Schrems, the key test on the validity of key controls contained within the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield, for transferring personal data to non-EEA territories in a GDPR compliant manner. Many organisations and service providers require such transfers for procuring cloud services, using online storage systems or carrying out intra group transfers for HR reasons, for instance. The GDPR restricts international transfers of personal data on the basis that non-EEA states have weaker controls increasing the risk that individuals’ data will be compromised and their rights and freedoms damaged.

So, on what basis can companies transfer data to a third country under GDPR?


  1. The European Commission decides that the third country has an adequate level of protection or safeguards in place
  2. The controller or processor has appropriate safeguards so that individual rights can be enforced with recourse to effective legal remedies
  3. A specific derogation applies to the transfer
  4. The Privacy Shield, a self-certification regime for US-based organisations receiving personal data from an EEA entity, which is managed by the US Department of Commerce; US public authorities are subject to monitoring and enforcement requirements and agree to cooperate with European data protection supervisory authorities.
What’s the fuss about?

Facebook maintains that SCCs are sufficient and that there is no conflict between US surveillance laws and the EU right to privacy. Schrems argues that the DPC must limit transfers to the US by Facebook, as the rights of EU citizens are not adequately protected in relation to US surveillance laws.

On 19 December 2019 the Attorney General issued an opinion on the 11 questions raised in the Schrems case, in advance of the Court of Justice of the European Union’s (CJEU’s) ruling due early this year. The CJEU usually follows this opinion, which has stated that SCCs are valid and an appropriate method to protect personal data so long as the non-EEA state provides a right of action against the data controller, and the data controller or supervisory authority can suspend such transfers where the laws of the non-EEA country conflict with the SCCs. Less so for the US Privacy Shield, as the Attorney General has cast doubt on its validity.

Potential Business Solutions?


  • Check your data flows and understand the impact on your business
  • Check whether Binding Corporate Rules for intra-group transfers are an alternative
  • Carry out risk assessments to ensure that local laws and practices do not undermine the SCCs in place

If you’d like assistance in understanding your obligations under GDPR, contact RegSol today for training or GDPR review of your controls and procedures.

By Judy de Castro - Regulatory Consultant
AML 5th Directive: Update
January 2020

We expect 2020 will bring a host of interesting new developments and much needed clarity around the outcome of Brexit as well as the advent of still more regulatory change, including the expected transposition in full of the 5th EU AML Directive. 

As the European Union (Withdrawal Agreement) Bill 2019-20 weaved its way through the second reading of the UK’s House of Lords on the 13th of January, the UK Parliament had already implemented the European Union’s 5th AML Directive on time on the 10th. 

Ireland, on the other hand, had not and the 10th of January passed without any indication of when draft legislation will be available. AMLD5 introduces a number of key reforms including the expansion of the definition of obliged entities (designated persons in Ireland) to cover virtual currency exchange platforms and custodian wallet providers, art dealers, letting agents and tax advisors within the scope of the regime. 

This does not mean that Irish companies subject to the AML/CTF regime should remain complacent as it remains to be seen what is included in amending legislation. Firms likely to be brought in scope need to ensure they are performing gap-analyses and undertaking implementation projects to address the new requirements. 

If you’d like assistance in understanding your obligations under the 5th AML Directive, please do not hesitate to contact us at info@regsol.ie  

By Judy de Castro - Regulatory Consultant
New Guide to Sanctions under the Administrative Sanctions Regime
December 2019


The Central Bank of Ireland has launched a new guide to highlight certain aspects of the administrative sanctions procedure. The primary focus is on factors which may aggravate or indeed mitigate the breach(es) being examined.

The Guidance document is broken into two sections, the former addressing general principles to be applied including Proportionality, Totality, Sanction Factors and Comparator Cases. The second section sets out 4 sets of factors in detail:


  • Nature, Seriousness and Impact of the breach
  • Conduct of the Entity after the breach
  • Previous Record of the Entity
  • Other General Factors
Commenting on the new guide at its launch on 21st November 2019, Derville Rowland, Director General, Financial Conduct, noted 130 settlement agreements since 2006 and the increasing level of detail within those agreements. She also noted that, despite this, firms appear to continue to misunderstand sanctioning factors, some expecting reductions of penalties even after obstructionist approaches to settlement. There is absolutely no doubt that a lack of cooperation is an aggravating factor.

As Ms Rowland concluded: “Let me be very clear that while the Central Bank absolutely expects firms to prevent wrongdoing in the first place, they can undo some of those wrongs by demonstrating a positive culture in terms of how they deal with regulatory breaches. Or put another way, it is never too late to do the right thing.” 


You can access the Guide by clicking here.

By AnneMarie Whelan - Regulatory Consultant
New Lending Rules for Credit Unions and Enforcement Action against Savvi Credit Union
December 2019


New Rules

The Central Bank of Ireland, as a result of CP125 - Consultation on Potential Changes to the Lending Framework for Credit Unions, has introduced new lending rules to come into effect in January 2020.

The new rules will remove the maturity limits which currently cap long term lending and instead introduce a tiered approach, based on concentration limits, for mortgage and business loans relative to total assets. The relevant tiers are as follows:


  • A combined concentration limit for house and business loans of 7.5 per cent of total assets for all credit unions.
  • A 10 per cent limit, conditional on a credit union satisfying asset size (at least €50 million) and regulatory reserves qualifying criteria and notifying the Central Bank in advance.
  • A 15 per cent limit for credit unions with total assets of at least €100 million, subject to Central Bank approval.

Further proposals in relation to the removal of the existing longer term lending maturity limits, new maximum maturity limits for secured and unsecured lending, and the definition of business loans are included in the Feedback Statement to CP125, which is available here.

Enforcement Action

Somewhat ironically, in the same month the Central Bank published its most recent settlement agreement (7th November) within the administrative sanctions regime; it was against a Credit Union and involved breaches of the existing lending rules.

Savvi Credit Union was fined €185,500 and reprimanded for failing to comply with the limits for long term loans and also for reimbursing travel expenses to a Director (totalling €28,341 over 4 years) at rates in excess of Civil Service rates. You can read the full settlement agreement here.

As we usher in the 2020s, it is worth noting that the Central Bank of Ireland has consistently issued fines and reprimands and taken enforcement action against Credit Unions on an annual basis since 2012. Failures vary from mismanagement of internal controls and governance arrangements, to fitness and probity, to AML breaches. Fines have ranged from €198,000 to as little as €5,000 for failures in complying with prudential regulatory returns.

Ringing in the new year should allow for the Credit Union Sector at least the opportunity to provide more loans to support their members with the added Christmas bonus of more local options for the Irish consumer. Let’s hope it doesn’t give rise to another enforcement action.

By Judy De Castro - Regulatory Consultant
AML/CTF Legislation: S.I. No. 578/2019 - European Union (Money Laundering and Terrorist Financing) Regulations 2019
December 2019


We could not say goodbye to 2019 without saying something about AML/CTF regulations, and so we will provide you with an update on the AML/CTF regime. On the 22nd of November 2019, the Minister for Justice and Equality, for the purposes of giving further effect to the 4th EU AML Directive, published SI 578/2019 amending the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The following changes are notable:


  • A designated person must have proportionate procedures in place to allow its employees, or persons in a comparable position, to report a contravention of the Act internally through an independent and anonymous channel
  • An obligation on any person performing a management function in, or being a beneficial owner of, a designated person who is convicted of a relevant offence to inform the Central Bank within 30 days of the date on which the person was convicted
  • An obligation on Member State competent authorities to cooperate and coordinate activities to counter money laundering and terrorist financing

For entities subject to the AML/CTF regime, this will mean updating policies, procedures and implementing new reporting channels. 

If you’d like assistance with getting to grips with AML/CTF, please contact a RegSol consultant today.

By Judy de Castro - Regulatory Consultant

Insurance Costs: Analysis and Commentary
December 2019


The Law Reform Commission published a report on 11 December that outlines legislative responses, including the introduction of a cap on the amount awarded in damages in personal injuries claims. The Cost of Insurance Working Group (CIWG), established in 2016 by the Department of Finance to examine the factors contributing to the increasing cost of insurance and to identify measures to reduce this cost, had recommended that the Law Reform Commission examine the constitutionality of the proposed cap.

A further CIWG recommendation resulted in the Central Bank (National Claims Information Database) Act 2018, which commenced in January 2019 and requires the Central Bank to establish this database and publish an annual report. By providing statistical analysis on all insurers selling private motor insurance in Ireland, regardless of country of authorisation, the Central Bank’s transparency drive aims to give consumers clear information so that they can make informed decisions.

This also resulted in new regulations, published last month, requiring motor insurers to provide a quotation for each policy option available to the customer (comprehensive, third party fire and theft, or third party only), in addition to extending the renewal notification period from 15 to 20 working days.

Arguably, steering customers away from comprehensive cover may not be in their best interests, even if the goal is to be transparent. And with the heaps of documentation they receive, customers are often buried in the detail.

But how effective is the Central Bank’s Report?

Gerry Hassett, Interim CEO of Insurance Ireland, has defended the industry, stating that “The data in this report highlights the importance of the cost of claims to the market as it is the largest cost paid by insurers. Insurers have seen a 64% increase in average cost of a claim from 2009-2018 with the lion’s share of this inflation coming from 2013 onwards.”

Litigated settlements costing more than €100,000 accounted for 15% of claimants settling through litigation but for 53% of total litigated costs, and involved a number of large settlements. The figure below shows the types of claims per year.


Nevertheless, the cost of premiums has undoubtedly increased for motorists and businesses alike, forcing some operators, like the Oktoberfest organisers in Dublin’s IFSC, to cancel their event, citing the cost of insurance. Perhaps the solution that would satisfy market participants, consumers and business alike is as simple as the law of a free-market economy: supply and demand. Get more insurers into the market, support the Gardaí in shutting down ghost insurance brokers, and provide more choice for consumers. Whilst the debate around insurance claims and the knock-on effect these claims have on insurance premiums is set to continue into 2020, the Central Bank’s pursuit of transparency has certainly achieved one thing: politicians in a scrum for what can only be described as a political football.

If you’re an insurer looking to enter the Irish market and you’re looking for authorisation, contact RegSol for a quote.

By Judy de Castro - Regulatory Consultant

New Rules on Gift Vouchers
December 2019

From 2 December 2019, new legislation is in place which gives consumers more rights when it comes to gift vouchers.

The new legislation, the Consumer Protection (Gift Vouchers) Act 2019, brings a number of changes.
Minimum expiry date of five years
Where there is an expiry date on a gift voucher, it should be at least five years.
You should be given the expiry date in a durable form, for example in writing or in an email, and you should also be given the date the gift voucher was bought.

You do not have to use the voucher in one go
You do not have to spend the full value of the voucher in one transaction.
If there is a balance of more than €1 on a gift voucher, the business should refund you the difference in one of the following ways:
  • Cash
  • Electronic transfer (debit/credit card)
  • Another gift voucher (the expiry date will be the same as the original voucher)
It is up to the business which method of refund they use.

More than one gift voucher can be used in one go
You can use more than one voucher at a time. For example, if something costs €100 and you have two €50 vouchers, you can use them both to pay.

A business cannot refuse a gift voucher because it is not in your name, or charge you to change/amend the name on a gift voucher
If a business requires the name of a person on a gift voucher, and the person’s actual name is different from the name on the voucher, the business cannot refuse to accept the voucher, or charge you for changing the name on the voucher.
Not all gift vouchers are covered by this legislation. Here is a guide to various types of vouchers and whether or not they are covered by the gift vouchers legislation; the main excluded types are listed.
TYPE OF VOUCHER | EXAMPLE | COVERED OR EXCLUDED?
Shop voucher | A voucher for a particular shop or department store, which is only accepted in those stores nationwide. | Covered
Shopping centre gift card | A voucher or gift card for a particular shopping centre, that can only be used within that shopping centre or outlet. | Covered
Online voucher for a deal website | A voucher bought from a discount deal website for a product or service, usually fulfilled by another business. | Excluded
One-4-all gift cards | An Post One-4-all gift cards can be redeemed in a wide range of retailers. These are considered electronic money cards. | Excluded
Credit note | If you return an item to a store and receive a voucher or credit note, it is not considered a gift voucher under the legislation. | Excluded
Coupons | A coupon you receive from a business directly or through an ad is not considered a gift voucher. | Excluded
Loyalty programme vouchers | Money vouchers you receive from a business as part of a loyalty programme you are a member of are not considered gift vouchers. | Excluded

Maintenance fees

Some gift cards have maintenance fees of approximately €3 per month which come into effect after a period of time. So if you give someone one of these gift cards worth €40, and they don’t use it for a year, maintenance charges at €3 a month could mean there is only €4 left on it after a year.

Lost vouchers

If you lose a gift voucher, the shop doesn’t have to replace it – it’s just like losing cash.
DID YOU KNOW?
If the voucher was made out to you specifically and is non-transferable, the shop may be able to issue a new voucher and cancel the original. It may be worth contacting the shop and asking if this is possible.
TOP TIP
Remember consumer rights apply to gift cards just like any other item. So if the card is faulty and doesn’t work when you go to use it, you can return it for a replacement or refund.

Examples

1. I bought a gift voucher for my husband and it has an expiry date of 12 months. Does the new five year rule apply?
If you bought the voucher on or after 2 December 2019, the gift voucher must have an expiry date of at least five years starting on the day you bought it.
A gift voucher sold by a business with an expiry date of less than five years will be deemed to have a five year expiry date. Also, the business must inform you of any expiry date on a durable medium, for example, on paper or email.  The paper or email must include:
  • the expiry date of the gift voucher and the date it was bought or
  • state that there is no expiry date, if that’s the case.
2. I bought a gift voucher for my daughter, just looking at it now and I can’t find an expiry date – should it be on the gift voucher?
The expiry date does not have to be printed on the actual gift voucher. However, the business must tell you if an expiry date applies to the gift voucher on a durable medium, for example, on paper or email. The paper or email must include:
  • the expiry date of the gift voucher and the date it was bought, or
  • state that there is no expiry date, if that’s the case.
3. I got a present of a voucher for my 60th. It is for a considerable amount of money – do I have to use it in one go?
You do not have to spend the full amount of the gift voucher in one go.  If you only use part of the gift voucher and there is a balance of more than €1 left, the business can refund you in one of the following ways:
  • cash
  • electronic transfer (credit/debit card)
  • gift voucher – the expiry date will be the same as the original gift voucher.
4. I bought a gift voucher a week before the new laws came into place – will these new rules apply?
The new laws only apply to gift vouchers that were sold on or after 2 December 2019.
5. I was given a gift voucher for my birthday and the spelling of my name is wrong on the voucher – will there be a fee for amending the name?
No. After 2 December 2019, businesses cannot charge a fee for changing or amending the name on a gift voucher.

Online deal websites

Deal websites are platforms that let you buy vouchers for goods, services or experiences from other businesses, e.g. a mattress, meal or beauty treatment. When buying a voucher on a deal website, you pay the deal website the price and redeem the voucher with a third party business for the good or service. The new gift vouchers legislation does not apply to these type of vouchers.  However, you still have rights when you buy goods and services.


Generally, when you buy something from a deal website and you do not have to go to a third party website to redeem the voucher, you are entering into a contract with that deal website for that item. It is the same as buying an item from any online retailer and the same rights apply. More information about your rights when you buy online is available in our Buying Online section.


However, this can vary between deal websites and items bought, so always read the terms and conditions.

(information copied from CCPC.ie)
CBI Enforcement Action: Co-mingled Client and Own Funds 
December 2019

BVP Investments Limited, fined just €6,000 and reprimanded by the Central Bank of Ireland for holding client assets in breach of its authorisation, is a low impact firm under the Central Bank’s Probability Risk and Impact System of supervision (PRISM).

BVP’s audited accounts for the year ended 31 December 2018 show a turnover of €745,490. This is a reminder to all low impact firms that the Central Bank has no qualms about issuing fines to small scale firms, proportionate to the firm’s bottom line.

The Firm was authorised under the Investment Intermediaries Act, 1995 (the IIA) on 15 November 2007. Under its IIA authorisation, the Firm is authorised to provide services to “Designated Investment Funds”. The Firm is explicitly not permitted by the Central Bank to hold client assets.

BVP’s authorisation contains an explicit condition stating that it is not permitted to hold client money or investment instruments. Immediately after obtaining its authorisation in 2007, and with full knowledge of the condition, BVP began holding and processing client funds through its corporate bank accounts. 

As a consequence of the Firm’s breach, significant amounts of client funds were co-mingled with the Firm’s own funds in the Firm’s corporate bank accounts. Although the investigation found no evidence of misappropriation or loss of client assets by the Firm, its actions placed these client assets at risk of loss, particularly in the event of an insolvency; of misuse (inadvertent or otherwise) by the Firm; and of delay in identifying them and returning them to clients.

RegSol provides audit and compliance services that can help you identify issues and prepare you for Central Bank inspections. Please contact us today for a quote.

By Judy de Castro - Regulatory Consultant



Whistleblowing Directive adopted by the EU Council
December 2019

In the wake of the Cambridge Analytica scandal, the disclosures of former Facebook employee Christopher Wylie triggered investigations that raised privacy concerns about the unauthorised possession of the personal data of millions of Facebook users for targeting digital advertising campaigns.

Howard Wilkinson, Danske Bank’s former head of trading, used the Bank’s internal whistleblowing procedures to report millions in laundered money moving through a dormant account run by Putin’s cousin. His whistleblowing report, made in 2012, was ignored. The Danske Bank money laundering scandal is now the largest in history.

It is within this context that on 7 October 2019, the EU Council approved the wording of the "Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law", also known as the Whistleblowing Directive. Member States have two years to implement the Directive into national law.

Whistleblowing allows a person to report or disclose information on breaches identified during the course of their employment.

This disclosure is protected where it is done in good faith under the Protected Disclosures Act, 2014 and under the Central Bank (Supervision and Enforcement) Act, 2013. The Workplace Relations Commission and/or the courts will determine whether or not a disclosure is a protected disclosure under the legislation. However, it should be noted that the 2014 Act provides that, in such proceedings, all disclosures are presumed to be protected disclosures unless otherwise proven.

The new directive broadens the definition of a whistleblower to cover the public and private sectors and to include former employees and job applicants, the self-employed, company shareholders, volunteers and unpaid trainees. The list of potential breaches includes GDPR, consumer protection, environmental protection, money laundering, and public and product safety.

Member states can choose to extend the list of breaches if they so wish.

Businesses with at least 50 employees must look to put in place internal and external procedures for reporting breaches and taking remedial actions, all whilst guaranteeing the whistleblower’s anonymity and protection against retaliation.

They must acknowledge receipt of the report within 7 days and provide feedback within 3 months.

If you would like more information on implementing Whistleblowing Policies and Procedures, contact RegSol for assistance or training on Ethics and other Compliance related matters.

By Judy de Castro - Regulatory Consultant
Enterprise Risk Management (ERM): A Cornerstone for the CBI’s proposal for Senior Executive Accountability Regime (SEAR)
December 2019

Driving a positive and ethical consumer focused risk culture within an Enterprise Risk Management Framework is the responsibility of the Board, in the first instance, cascaded throughout the entire organisation and reflected from the bottom up. The proposed SEAR regime is based on strengthening clear responsibility and individual accountability by placing obligations on senior individuals who report directly to the Board and heads of critical business areas. These positions should correspond to those who already are PCFs under the Fitness and Probity Regime. 

In scope (initially) are:

  • credit institutions (excluding credit unions);
  • insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and insurance special purpose vehicles);
  • investment (MiFID) firms that underwrite and/or deal on own account and/or are authorised to hold client monies/assets.


SEAR will, over time, be extended to other firms regulated by the Central Bank to ensure proportionality.

What can your firm do to prepare and what does this mean in practical terms?

Whatever phase an organisation is at in ERM implementation, risk culture is a key component. It is the common norms, attitudes and behaviours related to risk awareness, risk taking and management and the controls that shape decision making. 

This is set out in the organisation’s risk appetite, set by the Board, and measured and reported on within the Governance structure. Lack thereof or poor culture leads to misconduct and excessive risk taking, ultimately the driver of financial crises. Key to transforming this is striking a balance between first line sales driven front office and the second line drivers of effective risk management.

ERM
  1. Approve Conduct Risk Appetite Statements by the Board to drive change
  2. New Business/Product, Sales, Front Office duly incorporated into Risk Governance Structure
  3. Communication strategy around values, compensation, training
  4. Alignment of incentives with risk objectives and enforceable disciplinary action for breaches in rules and misbehaviour
  5. Risk Control Self Assessments & Collection of data on past events

CBI Proposals
  • Mandatory responsibilities for Senior Executive Functions
  • Comprehensive Statements of Responsibilities
  • Responsibility Maps


The table above in our view demonstrates that the proposed SEAR regime is strongly aligned to the ERM process. Having a mature ERM framework in place better prepares organisations for regulatory change whilst helping them achieve their strategic business objectives in a positive way that’s good for their employees, stakeholders and their bottom line.
If you would like to partner with RegSol to embed an effective Risk Management Framework in your organisation, please talk to one of our consultants today.

By Judy de Castro - Regulatory Consultant
Investment Firms: CRD V Structural Reform in EU Prudential Rules
October 2019

In April this year, a review of the prudential framework for investment firms for MiFID II was approved under the auspices of building the Capital Markets Union. The purpose of the revised legislation will be to improve investment flows and ensure proportional rules level the playing field among larger institutions and simpler, less risky firms. 

The legislation will aim to provide clarity on equivalence rules for the provision of investment services by third country firms. Most importantly, it is a significant step towards the completion of the European post-crisis regulatory reforms.

Together, these reforms affect all European banks and investment firms and require significant implementation over a period of multiple years. There will be material changes to the capital and funding needs of firms as well as to their governance, risk management, systems and controls, reporting, recovery and resolution planning and in some cases corporate structures. 

CRD V will update the framework of harmonised rules established in the wake of the financial crisis, the so-called 'Single Rulebook'.

The 'Single Rulebook' ensures that:

  • banks & investment firms have enough capital to cover unexpected losses and are prepared to withstand economic shocks 
  • obliged entities have fewer incentives to take excessive risks.

Some outstanding elements of the reform that are key to ensure a firm’s resilience but have only recently been finalised by global standard setters (i.e. the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB)) include: 


  • New framework for low prudential risk profile investment firms, to mitigate the comparative weakness of the EU investment bank sector, through the Investment Firms Directive in 2021
  • ECB oversight of systemic or “class 1” investment firms with consolidated assets exceeding EUR 15 billion, with those over EUR 30 billion brought into the same supervisory regime as banks
  • Regulation of financial holding companies, which become subject to all requirements of the prudential framework as it relates to their consolidated position and corporate governance
  • Intermediate Parent Undertaking (IPU): requirement for a large third country group to be owned by the IPU. This applies where there is at least one subsidiary that is an EU large investment firm within its group and where the parent entity is established in a non-EU (third) country.
  • Branch regulation: introduction of minimum harmonised reporting requirements for EU branches of third country banks, and a requirement for EU regulators to cooperate to ensure a consolidated approach to supervision

Even though these structural legislative reforms may be delayed, it would be prudent for investment service firms to work through the implications of the new reforms, in that authorisations may need to be prepared together with a restructuring process and corporate governance planning. 

RegSol is here to assist with regulatory impact analysis and can help you manage the impact of regulatory change.

By Judy de Castro - Regulatory Consultant
Google France and the Right to be Forgotten
October 2019

The Right to be Forgotten, a privacy right enshrined in the GDPR, which came into force in May last year, has been tested in the European Courts. The case arose from the French Data Protection Commissioner’s (CNIL) ruling that required Google to apply the right to be forgotten to all searches on all Google domains. CNIL ruled that, in order to be effective, delisting was to be carried out on a global scale in a single processing. So, if Google detected a user in Ireland, they wouldn’t be able to see removed results, even if they clicked onto Google.com.

Google appealed the ruling, sparking a long drawn-out battle, with Google’s counsel arguing that if French law applied globally, how long would it be until other countries started demanding that their laws likewise have global reach…

Last Tuesday saw the European Court of Justice (ECJ) limit the reach of the EU law provisions, confining delisting to search engine operators in the EU. This means the right to be forgotten will be seen only on European versions of Google search pages (google.fr or google.de), but not on google.com.

The ECJ does require Google to put measures in place to discourage EU internet users from finding that information, but in practical terms it seems unrealistic to achieve this. Google, performing what one could argue is the role of a “sub-regulator”, has in the past had to decide on 850,000 separate requests to remove links to about 3.3 million websites. Now it will have arguably greater, almost supervisory-like, powers in deciding what personal data is kept in the public domain.

If you’d like assistance with GDPR Compliance, please contact your RegSol Consultant for assistance.

By Judy de Castro - Regulatory Consultant
Spotlight on Transparency for Financial Brokers: New Insurance Renewal Requirements & New Consumer Protection Code Addendum March 2020
October 2019

In July 2016, the Government established the Cost of Insurance Working Group (CIWG). The objective of the CIWG was to identify and examine the drivers of the cost of motor insurance and to recommend short-, medium- and longer-term measures to address these issues. 

In January 2017, the Report produced by the CIWG on the Cost of Motor Insurance was published by the Department of Finance, which included an Action Plan to implement the identified recommendations. Coming into force on 1 November 2019, the Non-Life Insurance (Provision of Information) (Renewal of Policy of Insurance) (Amendment) Regulations have been designed to afford greater protection for the consumer by providing more transparency to insurance policyholders, a key theme in the output of Consultation Paper 114 and shortly to be in force as a result of the amendment regulations.

In the pursuit of transparency however, are consumers already bombarded with too much information and overloaded arguably with too much choice? The Central Bank and CIWG would argue that this is important to allow consumers to shop around. Let’s evaluate the nature of these changes which can be summarised as follows: 


  • Insurers must provide additional information on the premium breakdown to consumers and must offer a price on all the cover options they offer. It is proposed that insurers will also be required to provide this additional information on the premium breakdown when a person first gets a quote for a policy as well as at renewal notice stage, together with the other information referred to in Regulation 6.
  • Insurers must extend the current renewal notification period from 15 working days to 20 working days to make it easier for motorists to compare pricing when purchasing motor insurance; and
  • an insurer shall, in respect of a policy of private motor insurance to be renewed, include, on the same page as the renewal premium is first set out, the following information:
    • the premium paid in the previous year, or 
    • where applicable, following any mid-term adjustment made to the policy in the previous year— 
      • the provision of an annualised premium figure for the previous year excluding fees or charges applied as a result of that adjustment, and
      • a statement indicating that the annualised premium figure shown may not reflect the actual premium paid in the previous year.


Last week we saw the headlines and radio interviews with the Central Bank of Ireland explaining the new addendum to the Consumer Protection Code (CPC), designed to take into account provisions arising from the EU (Insurance Distribution) Regulations 2018 and “Enhanced Consumer Protection Measures” following consultation paper CP116 on intermediary inducements. The following parts of the CPC are amended with effect from 31 March 2020:


  • Chapter 3 (Conflicts of Interest): avoiding conflicts of interest by placing the consumer’s best interests above the consideration of fees, commissions, rewards or remuneration linked to volume targets, and bonus payments linked to business retention
  • Chapter 4 (Provision of Information):
    • use of the term “Independent” is restricted to regulated activities provided on the basis of a fair analysis of the market AND where the intermediary does not accept and retain any fee, commission or other reward or remuneration where advice is provided in respect of regulated activities. Exceptions are minor and restricted to non-monetary benefits (conferences, hospitality, IT software) and fees paid by a consumer. Note also the amendment to 4.16A regarding MiFID Article 3 services in using the term “independent”
    • summary details of all arrangements for any fees, commission, other reward or remuneration paid or provided to the intermediary must be made available in its public offices or on its website and brought to the attention of the consumer
  • Chapter 12 (Definitions)

If you require assistance with Consumer Protection whether it is training or a compliance review or audit, please contact RegSol.

By Judy De Castro - Regulatory Consultant
New AML Guidelines for the Financial Sector
September 2019

The new guidelines were launched at a private event by the Central Bank on 6 September.

PSD 2 Deadline: Strong Customer Authentication
September 2019

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA requirement comes into force from 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.

Where and How?

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer: 

(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The directive defines strong customer authentication essentially as two-factor authentication in Article 4(30): 

an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
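To make the Article 4(30) definition concrete, here is an added example (my own code, not from the post or from PSD2) that checks whether a set of presented authentication elements satisfies it. It assumes, as a modelling choice the directive does not prescribe, that each element is tagged with the set of assets whose compromise would expose it, and that two elements count as independent only when those sets are disjoint.

```python
"""Added example, not part of the RegSol post or of PSD2 itself: a small
policy check for the Article 4(30) definition of strong customer
authentication (SCA).

Assumed modelling (mine, not the directive's text): every element carries
its category and the set of assets (device, channel, user memory) whose
compromise would expose it. Two elements are independent only when those
asset sets are disjoint, so that the breach of one does not compromise the
reliability of the other.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import FrozenSet, Sequence


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user possesses (card, phone)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    # Assets whose compromise exposes this element (assumed modelling label).
    relies_on: FrozenSet[str]


@dataclass(frozen=True)
class Verdict:
    compliant: bool
    reason: str


def independent(a: Element, b: Element) -> bool:
    """Breach of one element must not compromise the other: no shared asset."""
    return a.relies_on.isdisjoint(b.relies_on)


def assess_sca(elements: Sequence[Element]) -> Verdict:
    """Return whether the presented elements satisfy Article 4(30).

    Two tests are applied: at least two elements drawn from at least two of
    the three categories, and at least one such pair that is independent.
    """
    if len(elements) < 2:
        return Verdict(False, "fewer than two authentication elements presented")
    categories = {e.category for e in elements}
    if len(categories) < 2:
        only = next(iter(categories)).value
        return Verdict(False, f"all elements are of the same category ({only})")
    for a, b in combinations(elements, 2):
        if a.category != b.category and independent(a, b):
            return Verdict(True, f"{a.name} and {b.name} are independent and of different categories")
    return Verdict(False, "no two elements of different categories are independent (they share an asset)")


# Constructed scenarios for illustration (not taken from the post).
CHIP_AND_PIN = [
    Element("EMV card", Category.POSSESSION, frozenset({"card"})),
    Element("PIN", Category.KNOWLEDGE, frozenset({"user memory"})),
]
PASSWORD_AND_SECURITY_QUESTION = [
    Element("password", Category.KNOWLEDGE, frozenset({"user memory"})),
    Element("security question", Category.KNOWLEDGE, frozenset({"user memory"})),
]
# Password typed into, and SMS code received on, the same phone: malware on
# that phone exposes both, so the two elements are not independent.
PASSWORD_AND_SMS_SAME_PHONE = [
    Element("password", Category.KNOWLEDGE, frozenset({"user memory", "phone"})),
    Element("SMS one-time code", Category.POSSESSION, frozenset({"phone", "SIM"})),
]
PASSWORD_AND_HARDWARE_TOKEN = [
    Element("password", Category.KNOWLEDGE, frozenset({"user memory", "laptop"})),
    Element("hardware OTP token", Category.POSSESSION, frozenset({"token"})),
]

if __name__ == "__main__":
    for label, scenario in [
        ("chip and PIN", CHIP_AND_PIN),
        ("password + security question", PASSWORD_AND_SECURITY_QUESTION),
        ("password + SMS on same phone", PASSWORD_AND_SMS_SAME_PHONE),
        ("password + hardware token", PASSWORD_AND_HARDWARE_TOKEN),
    ]:
        v = assess_sca(scenario)
        print(f"{label}: {'SCA' if v.compliant else 'not SCA'} - {v.reason}")
```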

Requirement for Authorisation

You will require authorisation/registration for PSD2 if you provide one of the payment services listed in the schedule to the Payment Services Regulations 2018, unless you are either excluded from the scope of PSD2 or are one of the institutions referred to in Article 1(1) of PSD2. An authorisation/registration under PSD2 is valid in all Member States and allows the payment institution concerned to provide the payment services covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

In advance of submitting an application for authorisation/registration under PSD2, a firm should satisfy itself that its proposed business model requires authorisation/registration.

If you are unsure as to whether your proposed activities require authorisation/registration, or as to how you should comply with the authorisation/registration requirements, RegSol can assist.

By Judy de Castro - Regulatory Consultant
Understanding the Public Services Card Data Protection Breach
September 2019

On Friday 16 August, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). 

The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law. 

The Department of Employment Affairs and Social Protection’s processing of personal data during the issuing of the Public Services Cards for use in transactions between a person and a public body other than the department was found to be unlawful. 

The Data Protection Commissioner also found that blanket retention of personal data contravened data protection law. This means that personal data held on more than three million card holders must now be deleted. At a cost of about €60 million to roll out, with savings of only €2.5 million in welfare fraud, the card targets socially and economically vulnerable people, forcing them to trade their personal data for services to which they are entitled.

But why does this matter to you?

Personal data collected by the department included a photo, gender, address, all digitally encoded, as well as the creation of a biometric facial recognition database. 

The risks associated with maintaining data such as fingerprints, retina scans, facial recognition or other biometric data (metrics related to human characteristics) have obvious technical security considerations, but consider too the encroachment of state authority over human dignity. It is also possible that biometric data may be used in ways for which the individual has not consented, as is the case here; it could also disclose physiological and/or pathological medical conditions that the person may not even know about.

For example, fingerprint patterns can be related to chromosomal diseases, iris patterns could reveal vascular diseases, behavioural biometrics could reveal neurological diseases. Excessive perhaps for accessing social welfare payments? Then think about other public bodies that collect your information and may not do a good job of protecting it or deleting it. 

Any organisation subject to data protection law is required to maintain a record of the personal data it collects; this record of processing must detail what documentation is collected and for what purpose. Organisations must consider unintended consequences and understand the security measures in place to protect this personal data. They must also set retention periods, bearing in mind that blanket retention periods are never acceptable, and that requesting excessive information or using it for purposes other than those initially agreed isn’t acceptable either.

If you need help with your data protection requirements, contact RegSol for consultancy or enrol on a course on our training website here.

By Judy de Castro - Regulatory Consultant
Brokers and Treatment of Vulnerable Consumers: Practical Considerations
September 2019

Vulnerable adults often find themselves excluded from mainstream society: excluded from the community because they have limited capacity and cannot read social cues, excluded from social media because they cannot navigate technology, and marginalised because of their age, illiteracy, disability or physical or mental ill health. They are on the fringes because they do not fit in.

Despite their perceived marginalised status, vulnerable adults are becoming more mainstream and businesses and organisations alike are taking notice:

Literacy

The OECD Adult Skills Survey shows that 17.9%, or about 1 in 6, of Irish adults are at or below level 1 on a five-level literacy scale; Ireland ranks 15th out of 24 participating countries. At this level a person may be unable to understand basic written information.

25%, or 1 in 4, of Irish adults score at or below level 1 for numeracy, compared with just over 20% on average across participating countries. This places Ireland even further down the international rankings, in 19th place.

42% of Irish adults score at or below level 1 on using technology to solve problems and accomplish tasks. (NALA Ireland)

Age: 65 years and over

This age group saw the largest increase in population since 2011, rising by 102,174 to 637,567, an increase of 19.1%. The census recorded 456 centenarians, an increase of 17.2% on 2011.

Over half a million or 577,171 in this older age group lived in private households, an increase of 19.6%, while those in nursing homes increased by 1,960 to 22,762. (CSO)

Dementia

By 2041 the numbers of people in Ireland with dementia will have tripled. In fact, a conservative estimate suggests that by 2041 some 140,000 people will have dementia. (Dementia Ireland)

Mental Health

It is estimated that one in four people will experience some mental health problems in their lifetime. The WHO’s Commission on Social Determinants of Health stated that depressive mental illnesses will be the leading cause of disease in high income countries by 2030. (Mental Health Ireland)

Serious Illness

Every 3 minutes in Ireland someone gets a cancer diagnosis. Incidence of cancer is growing and by 2020, 1 in 2 of us will get a cancer diagnosis in our lifetime.*

  • In Ireland more than 40,000 new cases of cancer or related tumours are diagnosed each year. (National Cancer Registry of Ireland (NCRI))

How should brokers treat vulnerable consumers when providing them with financial advice? What accommodation should be made for a consumer presenting with these conditions, and how should a broker proceed to ensure they are acting fairly, professionally and in the best interests of these consumers, especially if they are subject to financial abuse?

The table below provides some guidance on how to employ resources effectively in acting in the best interests of vulnerable consumers:




If you would like more information on how to effectively implement your consumer protection code requirements or would like to receive Consumer Protection Code training, please contact your consultant/trainer at RegSol.


*1 in 2 by 2020 is a projection based on current data provided by the NCRI. It makes allowances for variables such as aging population, lifestyle and other factors.

By: Judy DeCastro - Regulatory Consultant

Launch of the CRO’s Beneficial Ownership Register
August 2019

In March 2019, the Minister for Finance signed into law Statutory Instrument No. 110 of 2019, establishing a Central Register of Beneficial Ownership of Companies and Industrial and Provident Societies (the RBO). Click HERE to view.

The Registrar of Companies has been appointed as the Registrar of Beneficial Ownership of Companies and Industrial & Provident Societies with effect from 29 July 2019. 

Accordingly, the RBO is now open to accept filings.

Filing of beneficial ownership data can only be made online through a portal on the RBO website at www.rbo.gov.ie. There are no paper forms and no filing fees. Companies and societies have until Friday 22 November 2019 to file their data with the RBO without being in breach of their statutory duty to file. The RBO will write to each company and Industrial & Provident Society about their filing obligations in the coming days.
   
BENEFICIAL OWNERS: PPSN

Under Part 3 of the 2019 Regulations, the PPS number of each beneficial owner who has one must be reported by the company or industrial and provident society to the Register, but it will not be published on the RBO. The Registrar will cross-check that PPS number with the Department of Employment Affairs and Social Protection to ensure that the names match. This extra verification step is intended to ensure that the information held on the RBO is accurate and that the RBO does not contain duplicate entries. For a beneficial owner who does not have a PPS number, the Registrar has confirmed that a Form BEN2 (Declaration as to Verification of Identity) will be used to verify that beneficial owner’s identity.

A process has been developed to enable beneficial owners who do not currently have an Irish Personal Public Service Number (PPSN) to file with the RBO. Full details are provided in a specific FAQ on the RBO website – www.rbo.gov.ie.

By: Judy DeCastro - Regulatory Consultant
Levelling the Playing Field: European Banking Authority Guidelines on Outsourcing
August 2019

The EBA’s Outsourcing Guidelines currently in force were issued in 2006 and apply only to credit institutions (essentially banks and building societies), and the 2018 Recommendations apply to credit institutions and MiFID investment firms. This changes under the New Outsourcing Guidelines, which will apply to payment institutions and e-money institutions as well as to credit institutions and MiFID investment firms. The general aim of the New Outsourcing Guidelines is to create a level playing field and harmonise the outsourcing requirements that are currently set out in separate EU legislation for different types of firm (credit institutions under CRD IV, investment firms under MiFID II, payment institutions and electronic money institutions under PSD2).

The first question to ask is whether you have outsourced any activities or functions and, if so, whether these are critical.

As a general principle, institutions and payment institutions should not consider the following as outsourcing:

  • a function that is legally required to be performed by a service provider, e.g. statutory audit;
  • market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
  • global network infrastructures (e.g. Visa, MasterCard);
  • clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
  • global financial messaging infrastructures that are subject to oversight by relevant authorities;
  • correspondent banking services; and
  • the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line).

So, then what would constitute outsourcing?

The Central Bank considers outsourcing to be an arrangement of any form between an institution and a third party service provider by which that service provider performs a process, a service or an activity on the institution’s behalf that could otherwise be undertaken by the institution itself. When engaging in outsourcing, the institution must remain in a position to demonstrate that its ‘mind and management’ is located within the institution and that it is not delegating responsibility for the operation or management of key functions to a third party.

Once institutions have identified their outsourcing arrangements, they will need to perform a materiality risk assessment to establish whether each arrangement is critical. This should consider whether the outsourced function is directly connected to the provision of the banking activities or payment services for which the institution is authorised, and the potential impact on the institution’s resilience and viability of any disruption to the outsourced function, or of the service provider failing to deliver the service at the agreed service levels on a continuous basis. Finally, third party arrangements will require robust contracts to be put in place that allow the institution’s management to oversee and monitor the outsourced services or functions effectively.

If you need help managing your outsourcing risk, please contact RegSol for assistance.
Click HERE to view the EBA’s Outsourcing Guidelines

By: Judy DeCastro - Regulatory Consultant
Governance & Internal Audit: Key Take-Aways from Wells Fargo Enforcement Action
August 2019

Wells Fargo Bank International (WFBI) is classified as a Less Significant Institution by the Central Bank’s risk profiling system which uses a rating system based on criteria relating to, amongst other factors, its size, its importance to the economy and the significance of its cross-border activities.

Nevertheless, WFBI was fined a total of €5,880,000, about 1.5% of its operating income (US$340,264,000), for serious failings in its regulatory reporting, governance and compliance.

WFBI is required to put in place and maintain robust corporate governance and assurance arrangements, which include the following:

  • a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
  • effective processes to identify, manage, monitor and report the risks it is, or might be, exposed to;
  • adequate internal control mechanisms, including but not limited to—
    • sound administration and accounting procedures, and
    • remuneration policies and practices that are consistent with and promote sound and effective risk management;
  • a management body that defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of the institution, including the segregation of duties in the organisation and the prevention of conflicts of interest, and that monitors, and periodically assesses, the effectiveness of the institution’s governance arrangements and takes appropriate steps to address any deficiencies.

How has the CBI defined ‘corporate governance’?

“Procedures, processes and attitudes according to which an organisation is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organisation – such as the Board, managers, shareholders and other stakeholders – and lays down the rules and procedures for decision-making.”

So what does this mean for you?

The Guidelines state that ‘An institution shall develop and maintain a strong and comprehensive internal control framework, including specific independent control functions with appropriate standing to fulfil their mission.’

An internal control framework should:

  • Cover all business units and subsidiaries
  • Ensure effective and efficient operations, while at the same time ensuring:
    • Adequate control of risks
    • Prudent conduct of business
    • Reliability of financial and non-financial information reported
    • Compliance with applicable laws, regulations, supervisory requirements and the institution’s internal rules and decisions, supported by effective internal audit and compliance functions

In conclusion, with the introduction of CBI corporate governance codes for most regulated sectors, this remains an area of continued focus for regulators. It is therefore important for all regulated entities to continuously improve on their governance and assurance arrangements. Unfortunately for WFBI, the board of directors did not monitor and periodically assess the effectiveness of the Firm’s regulatory reporting governance arrangements nor did it take adequate steps to address these deficiencies at the time. Procedural documentation was not subject to review by senior management and internal audit failed to provide independent assurance to the board as there were substantial gaps in the scope, depth and frequency of the internal audit review and testing of the regulatory reporting processes and procedures.

If you need assistance in your assurance testing or monitoring, contact RegSol today for a comprehensive audit of your processes.

Click HERE for the link to CBI Action of Wells Fargo

By: Judy DeCastro - Regulatory Consultant
RegSol Spotlight: Letting Agents and General Data Protection Regulations
July 2019

Landlords and letting agents, as data controllers, are required to comply with the General Data Protection Regulation (GDPR) and as such must ensure that the amount of personal information sought from renters is not excessive, is used only for appropriate purposes and is not kept longer than necessary. Personal data must be handled in accordance with six principles under the Regulation:

  1. processed fairly, lawfully and in a transparent manner
  2. kept for a specified purpose and processed only in ways compatible with its initial given purpose
  3. kept safe and secure
  4. kept accurate, complete and up to date
  5. adequate, relevant and not excessive
  6. retained for no longer than necessary for specified purpose(s)

Landlords and letting agents who handle tenants’ personal data need to understand their responsibilities with respect to consent, and that the use of blanket clauses when collecting personal data is no longer appropriate. To be valid, consent must be fully informed and freely given, and it must be sought before personal data is passed to third parties, for example for reference checking. Where consent has not been sought, landlords and letting agents will need to look at how they obtain it going forward and review any contracts with third parties, contractors or suppliers that might involve the sharing of personal data.

Landlords and letting agents should also be cautious about the amount of personal data requested at the pre-tenancy stage when assessing applicants. Given the current housing crisis and the sheer volume of tenancy applications received, landlords and letting agents have used personal data to conduct due diligence on prospective tenants’ capacity to pay rent. The Data Protection Commissioner has cautioned, for example, against the use of PPS numbers during the initial phase of the letting process and confirmed that there is no statutory basis for collecting a tenant’s PPS number until the tenant has entered into the agreement, at which point the tenancy must be registered with the Private Residential Tenancies Board. Unsuccessful applications should then be shredded or permanently deleted on an ongoing basis to comply with the data retention principle. The Data Protection Commission has noted that it is acceptable to keep a successful tenant’s personal data for the duration of the tenancy.


Personal data is to be kept for the purpose that it was initially obtained. Property letting agent PJ McCann was ordered to take down an online database of tenant reviews about whether rent was paid in full and the condition properties were left upon leaving. The Data Protection Commissioner told the agent they would face a €10,000 fine if they failed to comply with the order.


Landlords and letting agents must integrate GDPR into the lifecycle of their letting process from assessing potential renters right through to the termination of tenancies. 


If you’re a landlord or letting agent and would like advice or training on your GDPR compliance obligations, please contact RegSol for immediate assistance.


By Judy DeCastro for RegSol

Criminal Assets Bureau releases Annual Report and highlights Trend Changes
July 2019

The Criminal Assets Bureau (CAB) was set up in the wake of the murder of journalist Veronica Guerin in 1996. It is tasked with targeting assets obtained directly, or indirectly, from criminal conduct. The agency has the power to seize assets if officers believe they are the proceeds of crime.

On the 26th of June 2019, Minister for Justice Charlie Flanagan published the Criminal Assets Bureau Annual Report for 2018. The 2018 Report highlights the key activities undertaken by the Bureau during the year. During 2018, in excess of €5.6m was returned to the Exchequer as a result of CAB actions, including over €2.272m returned under Proceeds of Crime legislation, €3.097m collected under Revenue legislation and €0.323m recovered in Social Welfare overpayments. 

In addition, the Bureau brought 30 new asset seizing proceedings before the High Court in 2018, the highest number of new cases commenced in a single year since its establishment.  The value of assets frozen during the year under section 2 of the Proceeds of Crime Act 1996 was €8.393m. Breakdown as follows:



These figures show that criminals are shifting tactics, moving criminal proceeds into jewellery and property, particularly expensive house renovations, and into assets that hold their value, such as Rolex watches. Estate agents and jewellers should be particularly vigilant in this regard and be aware of their statutory obligations to report suspicious activity to the Gardaí and the Revenue Commissioners as soon as practicable.

CAB’s report also highlights that criminals are using cryptocurrencies to transfer money, given their pseudonymous nature and ease of transfer and access. CAB’s seizure of the cryptocurrency Ethereum marked a worldwide first for law enforcement. Additional powers to be granted to law enforcement under the 5th EU AML Directive, most likely to be transposed by 10 January 2020, will allow the likes of the Garda National Economic Crime Bureau and CAB to obtain the addresses and identities of the owners of virtual currencies and wallets.

If you require assistance with your AML/CTF policies and internal control framework to ensure your organisation is ready for the 5th and 6th EU AML Directives, please contact RegSol.

Click HERE for a copy of CAB’s Annual report in full.

JPMorgan Administration Ireland Fine: A Case of Compliance Mismanagement
July 2019

On the 24th of June 2019, the Central Bank reprimanded and fined JPMorgan Administration Services (Ireland) Limited (JPM) €1.6 million. 

In March 2014, following a themed inspection of compliance with outsourcing requirements, the Central Bank issued a Risk Mitigation Programme requiring JPM to take measures to fix issues with its outsourcing arrangements with third parties.

JPM persistently failed to remediate the root causes of these failings despite repeated supervisory intervention by the Central Bank. And yet, someone senior in JPM continued to tell the Central Bank that all was well and had been fixed, whilst JPM continued to outsource core activities without supervisory approval. And, despite the establishment of an oversight and governance committee to regularise these issues, a thinly veiled attempt to provide assurances to the regulator, nothing changed. 

In a way, the enforcement action against JPM, we would argue, represents a microcosm of scandals that continue to plague large international financial institutions such as Danske, ING and Deutsche Bank. Dare we question, why do big institutions continue to fail in their regulatory obligations as supervisory authorities increase the regulatory burden for entities large and small? Can internal compliance departments continue to justify their position that they are not risk owners and therefore not responsible? 

Gatekeepers and frontline staff are overburdened with operational requirements, targets, customer pressures and bureaucracy while Senior Management, Compliance and Risk teams “oversee” their colleagues. Is it time the Central Bank takes a closer look at the Heads of Compliance and Senior Management and acts on its administrative sanctions programme? 

With only 6 prohibition notices issued against individuals for failures in fitness and probity and the latest Central Bank’s speeches commenting on individual accountability, perhaps it’s only a matter of time.


Click here for details of the Central Bank’s enforcement action

By Judy DeCastro for RegSol
Birthday Cake, Google and Data Protection Officers
June 2019

As Europe voted, with data protection laws increasingly perceived as a prerequisite of fair and free democratic elections, Google is facing its first major investigation by its lead data protection supervisory authority in Europe, the Data Protection Commission (DPC) in Ireland.

Coinciding with the one-year anniversary of the General Data Protection Regulation (GDPR) taking effect in Ireland, the DPC announced that it will investigate Google’s alleged unlawful processing of personal data at each stage of its ad-tracking system. The platform, which shares the behavioural habits of online visitors with hundreds of companies, will be scrutinised against the GDPR’s provisions on transparency, data minimisation and purpose limitation. Each such sharing of information is known as a “bid request”, and through this process Google stands accused of failing to protect data against unauthorised access.

The potential financial exposure for a tier 2 penalty means that Google could face a fine of up to 4% of its global annual turnover for the preceding financial year, an eye-watering $5.4 billion. Under the Data Protection Act 2018, once a fine is imposed, Google would have 28 days to pay up or appeal to the High Court. Let them eat cake, indeed!


Helen Dixon, the Data Protection Commissioner, looking back at what can only be described as a very strategic and eventful year following a successful public awareness campaign, has noted:

“We’re the most rapidly growing data protection authority in the EU.”

Since her appointment in 2014, the DPC’s budget has risen to €15.2 million, and over the past 12 months the new legislation has given rise to a significant increase in workload. According to the DPC’s website:

  • 6,624 complaints were received
  • 5,818 valid data security breaches were notified
  • 48,000 contacts were received through the DPC’s assessment unit
  • 54 investigations were opened: 35 domestic, 19 cross-border
  • DPC staff numbers increased from 85 to 137 by the end of May 2019

Current Irish statutory inquiries into ‘big tech’ multinationals:

  • Facebook: 8
  • Twitter: 3
  • WhatsApp (owned by Facebook): 2
  • Apple: 2
  • Google: 1
  • Instagram (owned by Facebook): 1
  • LinkedIn (owned by Microsoft): 1
  • Quantcast: 1
  • TOTAL: 19

Yet to issue a fine, what will the next 12 months bring for the DPC and GDPR compliance? We at RegSol predict some clarity on GDPR principles, hopefully, as these investigations unfold and are drawn to a conclusion. And with a better understanding of this new regulatory landscape, enforcement actions, and the compensation and damages awarded as a result, will reveal how high the stakes truly are.


The Data Protection Officer (DPO)
With birthday cake, fines and data processing in mind, appointing a person with responsibility for data protection is, for most organisations, an effective way of mitigating data privacy risk, if only to coordinate responses to data subject requests or breach reporting.

The GDPR formally sets out, in Section 4 of Chapter IV (Articles 37 to 39), the designation, position and tasks of the Data Protection Officer. The Data Protection Commissioner has also published guidance on the DPO role, which comments that:

“The DPO role is an important GDPR innovation and cornerstone of the GDPR’s accountability-based compliance framework.”

Appointment of a DPO is mandatory for the following organisations:

  • Public bodies (consider also private organisations carrying out public tasks)
  • Data controllers/processors who perform systematic and regular monitoring of data subjects on a large scale
  • Organisations whose processing involves special category data (medical data, for instance) or data relating to criminal convictions and offences on a large scale

Large scale in this context should be interpreted by taking into consideration the number of affected data subjects, the volume of personal data, the geographical extent, and the range and duration of the processing.

As a matter of best practice, all organisations should document their rationale as to whether a DPO is required to be nominated. Formally appointing a DPO where it is not mandatory still brings the role under the full GDPR requirements and standards.

Regardless of whether the GDPR requires an organisation to appoint a DPO, data controllers and processors must ensure that they have sufficient staff and resources to discharge their obligations under the GDPR. A DPO can help an organisation operate within the law by advising on and monitoring compliance; in this way the DPO plays a key role in the organisation’s data protection governance structure and helps improve accountability.

Under the GDPR the DPO is afforded statutory protections:
Under the GDPR the DPO is afforded statutory protections:
  • DPO must report to the highest level of management
  • DPO cannot be dismissed or penalised as a result of performing their duties
  • DPO must be provided with adequate resources to perform tasks
  • DPO must be free from influence and conflicts of interest
  • DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data
  • BUT the data controller remains accountable for GDPR compliance

Article 37(5) of the GDPR provides that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”.

For example, where a data processing activity is particularly complex, or where a large volume of sensitive data is involved (e.g. an internet or insurance company), the DPO may need a higher level of expertise and support.

Bearing in mind that a DPO can be either external or internal, RegSol is here to assist with your GDPR compliance.
by Judy De Castro for RegSol
First Three Enforcement Actions for the Central Bank for 2019
June 2019

The Central Bank has imposed fines on three firms for varying offences:


  • Permanent TSB were fined €21 Million on 30th May for breaches of Consumer Protection and Code of Practice for Credit Institutions
  • Campbell O’Connor were fined €280,000 on 8th of May for AML/CTF Breaches
  • Bank of Montreal were fined €1,246,189 on 26th of April for breaches of the Central Bank Act, Licensing Conditions and Capital Requirements Regulations

Record Fine for Permanent TSB


Permanent TSB has admitted 42 separate regulatory breaches of the Code of Practice for Credit Institutions 2001, the Consumer Protection Code 2006 and the Consumer Protection Code 2012, the first of which commenced in August 2004. These breaches broadly occurred in four ways:

  1) as a result of PTSB’s failure to warn certain customers about the consequences of decisions relating to their mortgage;
  2) incorrect legal interpretation of contractual terms and conditions: PTSB denied certain customers their enduring contractual right to a tracker mortgage as a result of PTSB’s incorrect interpretation of the extent of certain customers’ contractual entitlements;
  3) as a result of PTSB’s operational and systems failings; and
  4) as a result of a decision by PTSB to deny certain customers their correct tracker rate between 2009 and 2010.

As per the Central Bank’s settlement agreement in this matter:
“This fine is the largest imposed to date by the Central Bank under the Administrative Sanctions Procedure. It reflects the gravity with which the Central Bank views PTSB’s failings and the unacceptable harm PTSB caused to their tracker mortgage customers, from extended periods of significant overcharging to the loss of 12 family homes and 19 buy to let properties. In addition to the reprimand and fine, to date PTSB has also been required to pay €54.3m redress and compensation to its impacted customer accounts prior to and as part of the TME(tracker mortgage examination).”

Enforcement proceedings arising from the Central Bank’s Tracker Mortgage investigations are pending against other lenders, and it is worth noting that PTSB’s staggering penalty may not remain record-breaking for long. The Central Bank has the power to fine regulated entities up to €10 million or 10% of their turnover; the €21 million fine for PTSB approximated 5% of its turnover for 2018.

You can read the full Settlement Agreement here.

Campbell O’Connor & Co Fined for Breaches in AML/CTF

On 8 May 2019, the Central Bank of Ireland imposed a fine of €280,000 on Campbell O'Connor & Company for five breaches of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the "CJA 2010").  The Central Bank determined that the appropriate fine was €400,000, which was reduced by 30% to €280,000 in accordance with the settlement discount scheme provided for in the Central Bank's Administrative Sanctions Procedure. The Central Bank's investigation into the Firm commenced following a themed supervisory inspection which was part of its ongoing engagement with the investment firm sector.

The breaches identified, mainly under Section 54, were as follows:

  • Failure to conduct an appropriate money laundering/terrorist financing (“ML/TF”) risk assessment as it relates to terrorist financing and to customer and geographic risk;
  • Failure to adopt adequate policies and procedures for preventing and detecting ML/TF;
  • Failure to monitor and scrutinise customer transactions;
  • Failure to provide training to staff on identifying suspicious transactions; and
  • Failure to ensure that all necessary arrangements were in place with the third parties on whom the Firm relied to conduct customer due diligence measures on the Firm’s customers.

You can read the full Settlement Agreement here.


Bank of Montreal fined for breach of Banking Licence

On 26 April 2019, the Central Bank reprimanded and imposed a fine on Bank of Montreal Ireland plc for breaching a condition of its banking licence by failing to submit three operational risk returns to the Central Bank, and failing to establish and maintain effective processes and internal controls to ensure compliance with this regulatory reporting condition. The Firm has admitted the breaches in full.

This is the Firm’s second reprimand and fine for deficiencies in regulatory reporting. The Central Bank’s investigation found that the breaches were caused by:
  • the Firm’s failure to establish and maintain effective processes and controls to ensure the submission of operational risk returns;
  • an over-reliance on Bank of Montreal group policies; and
  • the use of an informal process to comply with its obligation to submit operational risk returns.

The Central Bank determined that the appropriate fine was €1,780,269, which was reduced by 30% to €1,246,189 in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure (“ASP”). Previously, the Central Bank had reprimanded Bank of Montreal in 2014 for three breaches of capital adequacy regulations and fined it €650,000.

Since 2006 the Central Bank has imposed fines of more than €70m under its administrative sanctions procedure and has made 127 settlements.

You can read the full settlement agreement here.

Judy De Castro for RegSol
Enforcement: CBI Fines Bank of Montreal Ireland Ltd
May 2019

On 29th April 2019, the Central Bank of Ireland announced that it had fined Bank of Montreal Ireland Ltd €1,246,189 and reprimanded it for failing to comply with a condition of its authorisation.

You can read the full Settlement Agreement here
DPC Ruling: No right to a Fada…
May 2019


A man being treated for cancer complained to the Data Protection Commission that the HSE was failing to record his name correctly, as it refused to include the fadas in his name on his medical records.

After taking 8 months to investigate the complaint, the DPC has ruled that there is no ‘absolute right’ to have your name spelled correctly – in this case by including fadas. They emphasised that each case needs to be looked at individually and depends on the circumstances. The ruling highlights how proportionality limits the rights to data accuracy and rectification. The deciding factor here appears to be that the system used in the particular hospital was not capable of recording a fada.

The complainant in this case, Ciarán Ó Cofaigh, was certainly not happy with the result. He stated that "You often hear of the right to defend your good name - I don't even have a right to a name." It’s a fair point, particularly given that data accuracy is enshrined in the principles of GDPR. It raises the question: if an Irish name is supposed to have a fada in it for pronunciation and linguistic purposes, can it ever be said to be accurate without it? From a data protection perspective, it appears that it can.

Our Researcher Killian Flood B.L. has delved into this a bit further and you can read his article here.
New Governor of the CBI Appointed
May 2019


On 1st May the Government signed off on the appointment of Gabriel Makhlouf, chief economic and financial adviser to the New Zealand Government, to the position of Governor of the Central Bank of Ireland.

The vacancy arises as a result of Philip Lane’s imminent departure to the European Central Bank in June to take up his position as Chief Economist in Frankfurt.

Mr. Makhlouf has previously worked in the UK dealing with policy development around domestic and international tax and welfare. He was also chair of the Committee on Fiscal Affairs (the world’s main tax rule-making body) at the OECD. He is a current leader of the diversity and inclusion agenda in New Zealand’s public and private sectors.

Finance Minister Paschal Donohoe commented on the announcement that "I am delighted to nominate a person of Gabriel Makhlouf’s international calibre for appointment as Governor of our Central Bank."

His appointment has come as a shock to many, not only because he is coming from New Zealand but because many feel there were more obvious candidates closer to home. One example highlighted was Sharon Donnery, a current Deputy Governor within the CBI with a wealth of experience. Given the CBI’s significant focus on diversity and inclusion, if appointed Ms. Donnery would have been the first female head of the Bank.

Taoiseach Leo Varadkar was specifically questioned on this and the general surprise around the appointment, but he asserted that the logic was simple – choose the best candidate. He said "it wasn’t restricted to Ireland, it wasn’t restricted to any one gender or anyone who was or was not currently working in the Central Bank so it was done really the way top jobs should be filled.

"There was an open international advertisement, people submitted their CVs, there was a shortlist. There were interviews, and the interview panel recommended one name to Government and that name was accepted by Government."

Mr. Makhlouf is expected to take up the position in September.

AML: Standard Chartered Settles Case with US Regulators
May 2019


On the 9th April 2019, it was announced that Standard Chartered had agreed to pay $1.1 billion to settle allegations by authorities in the United States and Britain that it violated money-laundering legislation and acted in breach of economic sanctions.

The Treasury and Department of Justice, as well as New York State regulators and prosecutors, said that Standard Chartered had processed hundreds of millions of dollars in transactions over a number of years from countries subject to financial sanctions. These included Myanmar, Cuba, Iran, Sudan and Syria.

The bank has also been hit with a £102m fine by the Financial Conduct Authority (FCA). The FCA found "serious and sustained shortcomings" in Standard Chartered's anti-money laundering controls.

The penalties all arise from investigations that have been ongoing since 2014.

This isn’t the first case of a large penalty against a European bank caught processing illicit transactions for sanctioned countries and criminals; rather, it simply adds to the list:
  • In 2012, HSBC agreed to pay $1.9 billion and to submit to years of heightened scrutiny after the authorities found that the bank had helped Mexican drug cartels launder money. The operations there have become the subject of the Netflix documentary series ‘Dirty Money’.
  • In 2014, BNP Paribas paid a record sum of nearly $9 billion and pleaded guilty to violating American sanctions against Sudan and other countries.
  • In 2017, Deutsche Bank was fined $630 million for helping Russian investors move $10 billion through branches in London, Moscow and New York.


Data Protection Requires an Empathetic Approach
April 2019

When it comes to data protection and cybersecurity, companies are relying on ever-more sophisticated and complex mechanisms to combat data breaches. Indeed, there are many good reasons for buying the latest and greatest data protection systems. This article looks at why it is important not to forget the human element.

GDPR grants a right to compensation to data subjects if their data has been mishandled, so it is natural for companies to seek the maximum level of protection available to avoid fines. Similarly, many if not most companies operate in a data-heavy environment, meaning that such fines could be very significant from both a financial and reputational perspective. Moreover, companies may be exposed to data breaches but do not have an internal capacity to understand and mitigate the problem. As a result, companies turn to the most expensive and up-to-date cybersecurity systems in order to compensate for any internal failings within the data protection structure.

However, there is a growing concern in the cybersecurity industry that the data protection solutions on offer to end-users are misdirected. The former chief security officer for Facebook, Alex Stamos, courted controversy in 2017 by stating that “we have a real inability to put ourselves in the shoes of the people we are trying to protect,” and that security professionals need to "have empathy for the people that use the technologies we build.” Isaac Kohen, CTO for Teramind, emphasises that data protection is a user-centric industry and therefore, unsurprisingly, requires a user-centric approach to creating technologies.

Security professionals will generally acknowledge that “users are the weakest link” in the chain of data protection, but why is this? Arguably, it is because users often have to work with systems which they do not fully understand or which are not designed specifically for the problems that they face regularly. The people who are dealing with data protection threats on a daily basis are the employees of a company. Frontline employees are bombarded with phishing attacks and software updates, which are becoming more difficult to recognise as time goes on. It is therefore critical that any technological solution to cybersecurity is easily understood and managed by these employees in the trenches.

Stamos’ point is that security professionals must take an empathetic approach to these employees, understanding the challenges which they face in order to design technological solutions which meet their daily needs. There are clear merits to taking an empathetic approach to data protection solutions. As service providers, it is essential that customers feel that their needs are being looked after and that they are getting value for the oftentimes expensive technical and structural solutions for which they are paying. This applies equally to companies like RegSol as it does to technology companies. The increasing outsourcing of data protection management and the advent of professional Data Protection Officers could potentially lead to the same lack of empathy among professionals in the data protection industry. Professional DPOs will have their time and resources stretched as they take on more work, and this will inevitably lead to boilerplate solutions being offered to their customers.

From our perspective, open communication is vital to understanding the individual concerns and needs of each customer in order to pinpoint the specific action plans which are required to prevent data breaches. Often, customers will employ a data protection consultant because they know very little about their GDPR commitments and preventing data breaches. As a result, it is possible for customers to blindly follow the advice given to them by consultants. However, at RegSol we realise that our clients know far more about their own business than anyone else. As such, we always engage in a collaborative effort in order to appreciate the problems that our clients face and create the best possible data protection system.

This collaborative process is very important in the context of training employees. Different companies will process different types and volumes of data and there can be no “one size fits all” approach for every company. Similarly, the training that management-level employees require will be different to the training that junior employees require because of the natural differences in those positions.

While it may not be immediately obvious to associate empathy with data protection, it is becoming increasingly clear that the only way to provide effective consulting and training services to clients is to adopt an empathetic approach to each business’s unique needs. Rather than simply providing a straightforward policy document and an annual PowerPoint presentation to employees, effective data protection solutions include short, concise messages, interactive challenges and real-time coaching in the event of a mistake.

No data protection solution will ever guarantee that data breaches will not occur, just as no physical security system will guarantee that a premises will not be burgled. However, by undertaking an empathetic approach to employee engagement with data protection, companies can ensure that their employees are well-placed to detect and prevent data breaches. As importantly, we strive to ensure that the biggest risk still facing many firms, 'Human Error', is reduced.

K. Flood for RegSol Ireland
Podcast: At Home with Breffnie
April 2019

Our lead regulatory consultant, AnneMarie Whelan, was invited to discuss all things Anti-Money Laundering and compliance with Buyers' Agent Breffnie O'Kelly on her regular podcast.

Estate Agents, like all other designated persons, must comply with the whole range of obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended.

You can listen back here.   
Diversity and Inclusion: CBI's recent Hot Topic
April 2019

The past number of months have seen a multitude of events and publications through which the Central Bank of Ireland has endeavoured to highlight its approach to diversity and inclusion in the financial services sector. These include the following speeches:
The Central Bank also publishes two reports in this area:
  • Report on demographics of applicants via the Fitness & Probity regime
  • Behaviour and Culture in Irish Retail Banks report

What is the main message coming from these events and publications?

On the report on demographics of applicants it was noted that “Small improvements in the levels of diversity of senior appointments is welcomed, but much more progress is needed across the financial system”. This is somewhat unsurprising given that the statistics show:

  • 'approximately four out of five applications for board positions were for men, marginally down on 2017 (82%); and this remained even more imbalanced for the most important Chair of the Board and Chief Executive positions, 84% of which were for men; and
  • the analysis continues to show a pronounced gender imbalance at board level and in revenue generating roles.'
A lack of gender diversity at senior levels in regulated firms is noted to be a cause for concern in the culture, risk management and decision-making of firms.

Increasing the 'diversity of experience, thought, background and attributes at senior levels' is expressed as being required to:

  • 'reduce the likelihood of groupthink;
  • reduce overconfidence and improve decision-making;
  • enhance culture and improve risk management; and
  • increase the level of internal challenge in financial services firms and reduce excessive resistance to external challenge.'

Derville Rowland in her address specifically references studies which have shown that greater female representation on boards reduces the risk of fraud and that balanced teams perform better than single-gender-dominated teams.

The Central Bank’s own record is clear in this regard - women make up 50% of the total workforce, one third of the board, nearly 40% of the executive committee and over 40% of the leadership team. Voluntary publication of a Gender Pay Gap Report also highlights a 2.7% difference in favour of men at 1 January 2018, which is far below national and European averages, while still acknowledging there's a way to go. (It is interesting to note that the Data Protection Commission also boasts a 50% split between men and women at senior management level.)

What does this mean for regulated entities or applicants for CBI authorisation?

There is a clear expectation that we continue to see greater representation of groups currently under-represented in the financial services sector and particularly more women in senior positions.

The Central Bank is certainly looking more closely at the balance of boards in applicant firms, and on occasion we have seen explicit requests to consider an additional or alternative candidate for high-level roles to improve the balance, particularly from a gender standpoint. As regards existing firms, other than banks, it is not clear how the Central Bank will seek to improve sector-wide imbalances. It is, however, highly recommended that where positions come up for renewal, particularly at Director level, a full assessment be undertaken as to the level of diversity on the board. While gender is a significant factor in the context of the current statistics, many other factors should feed into this process as well, including skillsets, education/experience, etc.