RegSol Blog


RegSol Blog Posts

DPC Fines Meta (Facebook, Instagram & WhatsApp) nearly €400 Million for incorrect legal basis relied upon to justify data collection under GDPR
January 2023

On 4th January 2023, the Data Protection Commissioner (the ‘DPC’) announced that it had concluded two inquiries into Meta Platforms Ireland Limited’s (‘Meta’) data processing operations in respect of its Instagram and Facebook services.

Final decisions have now been made by the DPC where it has fined Meta Ireland €210 million and €180 million for breaches of the GDPR relating to its Facebook and Instagram services, respectively. Meta has also been directed to bring its data processing operations into compliance within a period of 3 months.
 

Background

Prior to the introduction of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, Meta changed the legal basis on which it was processing users’ data in its Terms of Service for its Facebook and Instagram users. Previously Meta relied on the consent of its users, but it now sought to rely upon contract as the legal basis for the majority of its processing operations. All users were asked to select ‘I accept’ to indicate their acceptance of the updated Terms of Service; however, if users declined, they would no longer be able to access the services.

According to Meta, selecting ‘I accept’ created a contract between it and the user. Meta thereby contended that the processing of users’ data for the delivery of its Facebook and Instagram services was necessary for the performance of the contract and this included the provision of personalised services and behavioural advertising. However, objections were raised by an Austrian data subject and a Belgian data subject, arguing that restricting access to the services in this way resulted in ‘forcing’ the user to consent to the processing of their personal data for behavioural advertising and other personalised services and that this was in breach of the GDPR.


Findings

Draft decisions were prepared by the DPC in which it found against Meta on a lack of transparency. However, the DPC also noted that Meta was not required to rely on consent and that, in principle, the GDPR did not preclude Meta’s reliance on the contract as a legal basis for processing.

When this draft decision was circulated to other EU privacy regulators, several of them objected to the Irish DPC’s “contract” position.

The matter was referred to the European Data Protection Board (‘EDPB’), which agreed that “contract” could not be relied on as a means of legitimising the processing of personal data in this case.

Accordingly, the DPC’s final decisions include findings that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.


WhatsApp

On 19th January 2023, the DPC fined WhatsApp Ireland Limited (‘WhatsApp’), also owned by Meta, €5.5m for breaches of the GDPR similar to its sister companies Facebook and Instagram in trying to unlawfully force users to accept changes to its terms of service. WhatsApp has also been directed to bring its data processing operations into compliance.

The combined nearly €400 million fine brings to more than €1.3 billion the total amount of financial penalties the DPC has levied against Meta and its platforms in the last 16 months. The DPC also has a further 10 separate inquiries still open into Meta and its services.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces conclusion of two inquiries into Meta Ireland | 04/01/2023 | Data Protection Commission

Data Protection Commission announces conclusion of inquiry into WhatsApp | 19/01/2023 | Data Protection Commission

For information about RegSol’s Data Protection training courses, please see our training timetable below or, if you wish to discuss arranging tailored staff training in your firm, please contact us at info@regsol.ie

Rise of the Money Mule in Ireland
January 2023

It is estimated that the most prolific fraud gang in Ireland, the Black Axe crime network, a notorious West African-based criminal organisation formed in the 1970s and now operating worldwide, has stolen or laundered €64 million in Ireland in recent years. While that gang has its origins in Nigeria, it is believed that more than 4,000 people who have used Irish addresses are laundering money for the gang.

The Garda National Economic Crime Bureau’s (GNECB) long-running probe, called Operation Skein, is an ongoing investigation into fraud being committed in Ireland that includes international business email compromise (BEC), invoice redirect fraud and romance scams. The investigation also targets the laundering of the proceeds through Irish accounts.


Money mules

A money mule is a person who transfers illegally obtained money between different payment accounts, very often in different countries, on behalf of others. The money mule receives stolen money into their account, then transfers it to another account, usually overseas, and keeps some of the cash for themselves as ‘payment’, or withdraws the cash and passes it on to the money mule recruiter. Fraud gangs need very large numbers of bank accounts, opened in the names of other people, for their unsuspecting victims to send money to. They then quickly disperse that money over a wide network of other mule accounts.

Offers to make quick and easy money, made through seemingly legitimate job adverts or online posts, social media (i.e. Facebook posts on closed groups) and messages sent through instant messaging apps (e.g. WhatsApp, Viber), are the most common methods of initial contact by the money mule recruiter.

Those aged 18-24 (with the unemployed, students and people in economic distress being the most susceptible to the crime) and those over 55 years of age are the most commonly targeted age groups.


BPFI Survey

An Garda Síochána in association with FraudSMART, a fraud awareness initiative led by the Banking & Payments Federation Ireland (‘BPFI’), are advising consumers, particularly young adults, to be alert to the risks and consequences of recruitment as “money mules”.

The warning comes as a new survey commissioned by BPFI as part of its FraudSMART campaign for 2019 shows strong evidence of money mule activity among young people in Ireland.

The FraudSMART research also mirrors new data from BPFI’s member banks, including AIB, Bank of Ireland, KBC, PTSB and Ulster Bank, who collectively had more than 1,600 confirmed cases of money mule activity on customer accounts in 2018, a large proportion of which involved young account holders.

According to the FraudSMART survey more than 40% of 18-24-year-olds are likely or very likely to lodge or transfer money for someone using their own bank account in exchange for keeping some of the money for themselves.


Penalties

Even if money mules may not be aware of, or be involved in, the crimes which generate the money (cybercrime, payment and online fraud, drugs, human trafficking, etc.), they are complicit and acting illegally by recklessly allowing their account to be used to launder the proceeds of crime, helping criminal syndicates move funds easily around the world and remain anonymous.

Penalties include a prison sentence of up to 14 years, a criminal conviction with a lifetime criminal record, extradition to the country where the predicate crime occurred, and not being permitted to open another bank account or secure a mortgage.


Protecting your firm from money mule fraud

It is highly advisable to have robust AML policies and procedures in place, or to review existing ones, making all staff aware of potential scams and pitfalls, such as:

  • Being cautious of unsolicited emails or approaches over social media promising opportunities to make easy money;
  • Being alive to vishing, which is a tactic in which people are tricked into revealing financial or personal information to unauthorised people over the phone;
  • Verifying any company that makes an unsolicited offer and checking that their contact details (address, landline phone number, email address and website) are correct and whether they are registered in Ireland;
  • Ensuring staff are aware not to give the firm’s bank account or any other personal details to anyone unless they know and trust them;
  • And lastly, being mindful of the adage: if an opportunity sounds too good to be true, it probably is!

For information about implementing AML policies and procedures in your firm or about our CPD certified training courses in AML and for MLROs, please see our training timetable below or contact us at info@regsol.ie

Central Bank Dear CEO Letter to Payment & E-Money Institutions
January 2023

On 20th January 2023, the Central Bank published a Dear CEO Letter (‘January 2023 Letter’) to payment and electronic money institutions highlighting recent supervisory weaknesses and reaffirming supervisory expectations and actions for these sectors.

The January 2023 Letter follows the December 2021 Dear CEO Letter from the Central Bank to these institutions, in which it provided greater clarity on its supervisory expectations for the sector. The January 2023 Letter also refers to the Consumer Protection Outlook Report 2022 published in March 2022, which sets out the key cross sectoral risks identified by the Central Bank as the primary drivers of risk for consumers of financial services in Ireland and across the EU today. The Central Bank highlights that these risks are particularly relevant to the payment and e-money sector based on what it has observed over the course of 2022.

It also refers to the recent reference in the International Monetary Fund’s (IMF) Technical Note on Oversight of Fintech in Ireland of the payment and e-money sector’s growing importance within the broader fintech sector in Ireland.

The January 2023 Letter sets out actions identified by the Central Bank to remedy deficiencies in five key areas, namely:


  1. Safeguarding,

  2. Governance, risk management, conduct and culture,

  3. Business model, strategy, and financial resilience,

  4. Operational resilience, and

  5. Anti-money laundering and countering terrorist financing.

Safeguarding

The main focus of the January 2023 Letter is safeguarding. In the December 2021 Dear CEO Letter, the Central Bank asked all firms to comprehensively review compliance with the safeguarding requirements set out in the E-Money Regulations or Payment Services Regulations (as appropriate) by 31st March 2022. One quarter of those firms self-identified deficiencies in their safeguarding risk management frameworks, and deficiencies were later identified in other firms.

As a result, the Central Bank sets out its expectations as follows for firms to:

  • Have robust, Board approved, safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customers.
  • Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.
  • Notify the Central Bank immediately of any safeguarding issues identified.
  • Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.
  • Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

The Central Bank also requests all payment institutions and e-money firms who are subject to the safeguarding requirements to commission an audit of their compliance with those requirements from an audit firm which has the necessary specialist skill to audit compliance in this area. Each firm must provide that audit opinion, together with a response from its board to the outcome of that audit, to the Central Bank by 31st July 2023.

Given the 31st July 2023 deadline, the January 2023 Letter should promptly be brought to the attention of the board of any payment institution or electronic money institution and if your particular entity has a query regarding any of the issues highlighted by the Central Bank above, feel free to contact us at info@regsol.ie

To read the January 2023 Letter in full, please follow the link below:

Dear CEO Letter - Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms (centralbank.ie)

RegSol’s Vulnerable Customers Seminar 24th March 2023
January 2023




Are you missing out on engaging with potential clients because your website isn’t fully accessible or your meeting space isn’t physically accessible?

Are you fearful of engaging with clients who have identified vulnerabilities because you don’t know how to navigate those needs or know what reasonable accommodations should be offered?

This half day in-person event is designed to inform, encourage and support Financial Advisors in embracing a hitherto under-served market.

You will learn what the legal and regulatory requirements are but more importantly, how best to support individuals that do require some assistance to ensure your services are truly accessible.

Cost: €100 p/p


* CPD accreditation for this event is sought from the Insurance Institute, Institute of Bankers, LIA and ILCU


AXA Life Europe DAC fined €3,640,000 for failures in Corporate Governance and Risk Management
December 2022

On 8th December 2022, the Central Bank reprimanded and fined AXA Life Europe DAC (AXA) €3.64 million for failures in corporate governance, risk management and handling of conflicts of interest.

The fine relates to three breaches of European insurance regulations by AXA, which is authorised by the Central Bank in Ireland to carry out life insurance business and which set up a German branch in 2006 on a freedom of establishment basis, where it started selling an insurance product known as TwinStar.

The German Federal Financial Supervisory Authority (BaFin) regulated the German branch for conduct of business.

Between 2006 and 2012, AXA sold around 350,000 TwinStar policies, of which approximately 203,000 remain in place.

When the policies first went on sale between 2006 and 2007, there was a reference in the documentation to a Parental Claims Guarantee (PCG) provided by AXA’s parent, AXA SA, to provide AXA with the necessary resources to pay all outstanding German policyholder claim liabilities, if AXA became unable to do so itself. The PCG was provided because AXA, as an Irish-based insurer, could not participate in the insolvency protection scheme for German life insurance companies.

In 2006, BaFin wrote to AXA’s German branch and told it that the references to the guarantee in some of the documentation implied a higher level of security than had actually been provided. This was because some policy documentation failed to make clear that the PCG was conditional and could terminate automatically if certain conditions were met.

In early 2018, the sale of AXA was being considered by its parent and as part of this consideration, the Central Bank became aware that policies sold in 2006 and 2007 may not have been updated to disclose the conditional nature of the PCG, despite the letter from BaFin. As a result, the Central Bank commenced an investigation.


Failures

The Central Bank’s investigation found that AXA's risk management systems had failed over a 13-year period: it had not put in place an effective process to identify, manage, monitor and report the risks arising from around 30,000 TwinStar policies not making it clear that the guarantee was conditional, despite the BaFin warning.

The Central Bank also found that AXA did not conduct an adequate assessment of potential conflicts when its board considered the guarantee issues in July 2018 and that between 2015 and 2021, it did not have effective policies and / or procedures established to identify potential sources of conflicts of interest or ensure that directors understood where conflicts of interest could arise and how such conflicts should be addressed if they did arise.


Mitigating factors

The Central Bank, however, was satisfied that AXA made early admissions to the three breaches in the case while also acknowledging that no previous enforcement action had been taken against the regulated entity.

To read the Central Bank Enforcement Action Notice in its entirety, you can click on the following link:

Public statement relating to Enforcement Action against AXA Life Europe DAC (centralbank.ie)

Central Bank Publishes Research on Insurance Engagement and Switching
December 2022

On 1st December 2022 the Central Bank published an Economic Letter, “Engagement, switching, and digital usage in consumer and insurance markets: who does it and why it matters” examining engagement and switching patterns among car and home insurance consumers.

The Letter examines the traits of consumers who find it difficult to look for and buy financial products, including insurance, online.

The Letter highlights factors that may prevent policyholder participation and switching, drawing on a comprehensive survey of Irish policyholders as well as behavioural economics. Among its main conclusions are:
 
  • 8 out of 10 car and home insurance consumers engage with their provider on renewal. Around 1 in 4 switch provider.

  • Policyholders are more likely to engage with and/or switch provider if, on renewing their policy, the price increases.

  • Behavioural characteristics play a role in engagement and switching. Specifically, certain consumers may be more likely to stick with the status quo, even when doing so may not be financially beneficial. These consumers are less likely to engage or to switch provider.

  • Perceptions also play a role in consumer behaviour. Around 1 in 4 believe that loyalty to an existing provider will be rewarded. These consumers are significantly less likely to switch.

  • Where consumers believe that they can make significant savings by switching, they will be more likely to do so.

  • Time-poor consumers are less likely to switch their policies.

  • Around 55% use digital information and channels as part of their engagement and switching. However, 1 in 5 policyholders report difficulties in using the internet to search for and purchase financial products, including insurance. These consumers tend to be older, lower income, and less educated.

  • Policyholders that are less comfortable with digital channels are more likely to exhibit status quo bias.

The Central Bank expects firms to take into account consumer psychology and insights from behavioural economics to design effective disclosures and consumer protection policies to support consumers in making fully informed decisions.

The Letter also highlights the importance of digital literacy in supporting consumers to engage and switch.

The Central Bank reminds firms of its Consumer Protection Outlook Report which highlights the key cross sectoral risks facing consumers of financial services and the Central Bank’s expectations of firms to avoid these risks materialising.

The Letter also refers to, and reminds firms of, the Central Bank’s Dear CEO Letter published in November 2022 detailing its expectations in the context of a more challenging economic outlook characterised by energy-driven inflation and uncertainty – please find RegSol’s article on the Letter here.

If you have a query regarding any of the issues highlighted by the Central Bank above, please contact us at info@regsol.ie

Central Bank FAQs re Ireland Safe Deposit Box, Bank and Payment Accounts Register
December 2022

FAQs - Ireland Safe Deposit Box, Bank and Payment Accounts Register

On 15th December 2022, the Central Bank updated its frequently asked questions (FAQs) in relation to the Ireland Safe Deposit Box, Bank and Payment Accounts Register (ISBAR).

ISBAR was recently established and will be administered by the Central Bank to hold information on accounts identifiable by IBAN (including account holders, beneficial owners and signatories), and information on safe deposit box services. The register is established in line with 5th EU AML Directive requirements and is designed to enable the Financial Intelligence Unit within An Garda Síochána to search and retrieve information as part of criminal investigations.

Any credit institution established in Ireland, which issues Irish IBAN identifiable accounts, or holds Safe Deposit Boxes on behalf of its customers, is required to provide Bank Account and Safe Deposit Information to ISBAR.

The obligation for credit institutions to provide information will commence once formally notified by the Central Bank to do so in Q1 2023.

Legislation will be enacted at a later date to extend the scope of the reporting obligation to other financial service providers who issue Irish IBANs.

The FAQs cover What is ISBAR, General Reporting Requirements, File Generation and Technical Questions. 

You can read them in full via the following link: ISBAR FAQ | Central Bank of Ireland


Guidance - Beneficial Ownership Register of Certain Financial Vehicles

The Central Bank, which is also responsible for establishing and maintaining the Beneficial Ownership Register of Certain Financial Vehicles (CFV), has recently updated its Guidance in respect of the CFV Register.

The Register aims to deter money laundering and terrorist financing by those that seek to hide their ownership and control of corporate or legal entities by ensuring that the ultimate owners/controllers of Irish Collective Asset-management Vehicles, Credit Unions, Unit Trusts, Investment Limited Partnerships, and Common Contractual Funds are identified, and that this information is readily accessible to law enforcement, regulators and obliged entities.

The Guidance aims to:

(i) provide CFVs, their beneficial owners, and members of the public with information in relation to the scope of the Register;

(ii) outline processes related to the submission of data to the Register; and

(iii) provide all interested parties with information in relation to the use and safeguarding of the data provided, under data protection legislation.

To read the Guidance in full, please follow the link below:
Beneficial Ownership Register of Certain Financial Vehicles Guidance  (centralbank.ie)


Consumer Rights Act 2022 Soon to be Commenced
November 2022

The Consumer Rights Act 2022 (the ‘Act’), which was signed into law on 7th November 2022 and is expected to be commenced soon, is the biggest overhaul of consumer protection in Ireland, strengthening consumer rights, protections and remedies in a range of key areas.

The Act consolidates and modernises Irish consumer rights legislation for the sale of goods and supply of services, ensuring that the updated legislation is more in keeping with the digital age.

In addition to updating the current Irish legislation, the Act will also transpose the following directives aligning the legislation more closely with those applying across the EU:
 
  • Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (the “Digital Content Directive”);
  • Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods (the “Revised Sale of Goods Directive”); and
  • The main provisions of Directive (EU) 2019/2161 on the better enforcement and modernisation of Union consumer protection rules (the “Omnibus Directive”).

What does the Act apply to?

The Act applies to all written and oral contracts (as well as combinations of both) between traders and consumers. (A “trader” means a natural person, or a legal person (such as a company) who is acting for purposes relating to the person’s trade, business, craft or profession, and includes any person acting in the name, or on behalf, of the trader.)

It also applies to contracts implied by the conduct of the parties.

Apart from regulating the sale of goods and services, the Act also extends consumer protections to digital goods and services so that consumers are protected when they use cloud-based services or buy downloadable or streamed goods and services, such as games, films, music and software.


Key Provisions of the Act

  1. Conformity - the contract must conform with certain (i) objective and (ii) subjective requirements as detailed in the Act. In the event of any lack of conformity during the 12 month period after supply, the burden of proof shifts to the trader to prove that the supply of goods/services were in conformity with the contract.

  2. Transparency - the Act strengthens the transparency requirements that apply to contract terms. Traders must ensure that the terms of a contract with consumers are transparent, e.g. in plain language, presented clearly and easily available, with novel/onerous terms being brought to consumers' attention and the terms' financial consequences being understandable to an average consumer.

  3. Prohibited notices – under the Act, it will be an offence for a trader to display a notice, publish an advertisement or supply goods bearing, or digital content or a digital service displaying in any form, a representation, or to furnish any document which indicates, that (i) consumers' rights under the Act or (ii) an obligation/liability are/is restricted or excluded other than as permitted by the Act.

  4. Commercial Guarantees – traders are liable for commercial guarantees provided by other guarantors, unless they express the contrary or give their own commercial guarantee.

  5. Unfair Terms – the Act determines that a term is unfair if it causes a significant imbalance in the parties’ rights and obligations to the detriment of the consumer and extends the lists of contract terms which are presumed to be unfair (“grey list”) or are outright prohibited (“blacklist”).

  6. Advanced Trader Compliance - as a means of ensuring that businesses adhere to such enhanced consumer protections, the Act also provides for areas of advanced trader compliance.

  7. Increased Enforcement Powers - increased enforcement powers have been given to authorised bodies including the Competition and Consumer Protection Commission (‘CCPC’). These increased powers allow the CCPC to apply to the courts for declarations or injunctions against businesses who mislead their consumers, or fail to provide them with the adequate remedies or compensation they are entitled to.

  8. Penalties - it is an offence to breach certain provisions in the Act, with secondary liability for officers of a body corporate where it is proved that the offence was committed with their consent, connivance or approval or is attributable to any wilful neglect on their part. It will be a defence for the person to prove that due diligence was exercised, and all reasonable precautions were taken to avoid the commission of the offence.

A convicted trader will be liable for the costs and expenses of the proceedings and investigation unless the Court believes there are “special and substantial reasons” for not doing so. This is in addition to, and not instead of, any fine or penalty that the Court may impose. A trader may also be ordered, in certain circumstances, to compensate consumers for any loss or damage resulting from the offence. If the Court does grant a compensation order, this may be instead of or in addition to any fine or penalty imposed on the trader.

The Act also amends the European Union (Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws) Regulations 2020. When this amendment is implemented, these Regulations will specify that, where (i) an offence is committed under specified parts of the Act or certain provisions of the Consumer Protection Act 2007 and (ii) this also constitutes an intra-EU or relevant widespread infringement under those Regulations, then further fines can be imposed of up to 4% of relevant turnover or €2 million, depending on the circumstances.


Key Takeaway

In preparation for the commencement of the Act, firms should assess which aspects of the Act will impact them and make any necessary changes to their relevant documentation, such as business terms and conditions, to ensure they are accurate and not misleading and do not contain unfair terms and advertising. Firms should also review their internal processes to ensure compliance with this new framework.

If you have any queries arising from this article, please contact us at info@regsol.ie

DPC Fines Meta €265 Million for ‘data scraping’ leak
November 2022

On 29th November 2022, the Data Protection Commission (‘DPC’) imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (‘Meta’), data controller of the “Facebook” social media network, for failing to properly protect its data.

The fine relates to a data breach discovered in 2021 whereby personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials were included in a leak of the personal data of 533 million users across 106 countries, including phone numbers, Facebook IDs, full names and birthdates, that surfaced on a public forum and circulated widely on the web. Facebook subsequently fixed the vulnerability on this feature, where data could be collected by external parties through a process called scraping.

The DPC held Meta failed to comply with the GDPR obligation to ensure privacy "by design and default," meaning it had engineered its products in a way that personal data could leak.

The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for failing to protect children’s data.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry | 28/11/2022 | Data Protection Commission

EBA Guidelines for Remote Customer Onboarding
November 2022

The European Banking Authority (EBA) has published its final Guidelines on the application of anti-money laundering and countering the financing of terrorism (AML/CFT) rules where customers are onboarded remotely.

The EBA is aware that designated persons, as defined under the Irish Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended, have been experiencing a growing demand for remote customer onboarding solutions, especially due to the restrictions on movement caused by the COVID-19 pandemic, and that there is not sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context.

The Guidelines therefore set out the steps credit and financial institutions should take when choosing remote customer onboarding tools and when assessing the adequacy and reliability of such tools, in order to comply effectively with their AML/CFT obligations. The guidelines are technologically neutral and do not prioritise the use of one tool over another.

These guidelines establish common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence policies, and processes which must be followed when customers are onboarded remotely.

A list indicating considerations which the above-mentioned internal policies and procedures should set out is also provided within the Guidelines and includes:

  • the types of documents that are admissible and the information and authenticity checks that are necessary to identify the customer and verify their identity;
  • the level of human intervention required in the remote verification process;
  • the controls in place to monitor, on an ongoing basis, the correct and appropriate functioning of each remote customer onboarding solution and the effective implementation of the remote customer onboarding policies and procedures; and
  • a description of the induction and regular training programs to ensure staff awareness and up-to-date knowledge of the functioning of the remote customer onboarding solution(s), the associated risks, and of the remote customer onboarding policies and procedures aimed at mitigating such risks.

To learn more about how RegSol can assist your firm in implementing the EBA’s Guidelines and/or provide tailored AML training relevant to your firm, please do not hesitate to contact us at info@regsol.ie

Mercer Global Investments Management Limited Fined €117,600 for Breaches of UCITS Regulations
November 2022

On 14th November 2022, the Central Bank reprimanded and fined Mercer Global Investments Management Limited (‘MGIM’) €117,600 pursuant to its Administrative Sanctions Procedure (‘ASP’) for six breaches of UCITS investment fund regulations (the ‘UCITS Regulations’).

MGIM, as a UCITS Management Company, was responsible under the UCITS Regulations for ensuring that certain information was included in prospectuses and key investor information documents (‘KIIDs’) for funds it managed, and that this information was kept up to date in order to enable investors to make informed decisions about their investments.

The Central Bank found that, for varying periods between 1st July 2011 and 31st December 2018, the prospectuses and KIIDs for five sub-funds failed to disclose that the sub-funds relied upon an index-tracking strategy or provide the details of the index being tracked.

As a result, MGIM’s failure to comply with these requirements may have resulted in investors not being fully informed of the investment strategy of a particular fund or the risks associated with investment in that fund.

In addition, to ensure effective gatekeeping by the Central Bank in the authorisation of funds, the Central Bank reviews prospectuses (including any supplements to those prospectuses) before authorising a fund. The Central Bank noted the effectiveness of its gatekeeper role ultimately relies on accurate and complete information being submitted by firms seeking fund authorisation, as part of the assessment of their applications and in ongoing supervision.

The Central Bank’s investigation found that MGIM failed in its obligations to both investors and to the Central Bank by not including required information regarding index-tracking strategy in the prospectuses and KIIDs of five investment funds managed by MGIM.


Penalty Decision Factors

In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019 and highlighted the following particular factors in this case:
 
  • The duration of the contraventions, which occurred for varying periods between July 2011 and December 2018.
  • The breaches constituted a significant departure from the standard required of MGIM.
  • MGIM had not previously come to the adverse attention of supervisors or been the subject of previous enforcement action by the Central Bank.
  • MGIM’s co-operation in the Central Bank’s investigation.

To read the Central Bank Enforcement Action Notice in its entirety, you can click on the following link:

Public statement relating to Enforcement Action between the Central Bank of Ireland and Mercer Global Investments Management Limited

Central Bank Dear CEO Letter on Protecting Consumers in a Changing Economic Landscape
November 2022

The Dear CEO Letter issued on 17th November 2022 by the Central Bank expands on the Consumer Protection Outlook Report 2022 and provides further guidance to firms on its expectations in a challenging economic landscape characterised by energy-driven inflation and uncertainty and the responsibility of firms to navigate these challenges in a manner that places the best interests of consumers at the heart of their commercial decision-making.

The Report highlighted five cross-sectoral risk areas facing financial services and set out specific actions to be taken by firms to address these potential risks, namely:

  • Actively identify and address risks to consumers that may potentially emerge from changes in the landscape within which the firm and/or its consumers are operating.
  • Have sufficient operational resilience to manage change without creating risks to consumers.
  • Proactively assess the risks and consumer impact a commercial decision may pose to new and existing customers, and develop comprehensive action plans to mitigate these risks whilst ensuring that customers understand what changes mean for them.
  • Have the customer service capacity and structures in place to meet expected service levels to provide a timely and customer focused service through all channels.
  • Consider the impact of their decisions on vulnerable customers and provide the assistance necessary. This should include specific and effective processes and communication plans to support vulnerable customers.
  • Only design and bring to market products with features, charges, and risks that meet the needs of consumers identified for the product.

Furthermore, in the Appendix to the letter, the Central Bank highlights a number of items for particular attention which should be incorporated into a firm’s work programme and its senior management and board considerations, respective to the financial services that the firm provides.


Affordability and suitability

Firms should:
 
  • Ensure that credit is affordable, including, in the case of mortgage firms, adhering to specific obligations under Provision 5.9 of the Consumer Protection Code to assess affordability based on an interest rate increase (i.e. 2% at a minimum).
  • Prior to the sale of a financial product or during the course of a financial product, firms should pay particular attention to assessing not just the current circumstances of the consumer but how those circumstances could be impacted by the current economic outlook.
  • Identify consumers in vulnerable circumstances, including financial difficulty, and provide appropriate support.
  • Consider the consumer's short and long-term needs when advising on savings and investments, including factoring in anticipated day-to-day costs and unanticipated increases in costs.
  • Have clear procedures for calculating a consumer's capacity for loss.
  • Explain the impact that inflation may have on the performance/value of an investment.

Provision of relevant, clear and timely information

Generally:
 
  • Consumers should be able to make informed decisions, shop around for better value and know the available support. Firms should provide information accordingly, including on websites, business premises and publicly available material.
  • Firms should inform consumers facing difficulties meeting their payment obligations under existing financial products of support available.
  • Changes to terms or conditions, which may impact the cost of a financial service or product, should be clearly explained by Firms to consumers.
  • Firms should use their data to identify and engage with groups of consumers that may benefit from early engagement.

Effective operational capacity

Firms should:
 
  • Be reactive and monitor and manage resources to respond appropriately to consumer needs (e.g. customers requiring credit, facing arrears or in need of swift processing of insurance claims and timely processing of credit applications).
  • Plan and ensure they have the required expert resources to assess individual circumstances and offer appropriate and sustainable solutions to consumers.
  • Staff should be trained appropriately, including knowing protections and supports for borrowers under the various Central Bank codes.
  • Pay attention to operational resilience and ensure that payment services to consumers go uninterrupted.

Sales and product governance

Firms should:
 
  • Have robust product governance and oversight arrangements and develop action plans to mitigate such risks.
  • Consider the impact of increasing costs on consumers’ budgets (both to meet premium payments and in the event of an insurable event) in the context of sales and advice on insurance products.
  • Help consumers understand the implications of any reduction in insurance coverage.
  • Engage with consumers to ensure they understand any implications and avoid the cancellation of necessary coverage where customers choose to cancel or reduce insurance coverage due to affordability concerns.
  • Monitor and evaluate the investment products they sell, consider how their risk profile may change in this period of volatility, and seek to mitigate risks to clients accordingly. Relevant factors for consideration in due diligence on products include risk-return profile, liquidity, costs and charges, and any kick-out or trigger features that may alter the nature of an investment product under certain conditions.

If you have a query regarding any of the issues highlighted by the Central Bank above, or in particular, wish to discuss arranging tailored staff training in respect of the Central Bank codes, you can contact us at info@regsol.ie

Cyber-security Awareness e-Learning
November 2022

We are delighted to have partnered with BH Consulting on an innovative cyber-security e-learning course with an Irish perspective, hosted exclusively on the RegSol e-Learning platform (https://training.regsol.ie).

At RegSol, our core competency is compliance and in particular regulatory compliance. So when our clients asked us to provide self-paced cyber-security e-learning alongside our compliance modules, we initially declined. However, it makes a lot of sense for employees to have a single portal where they can complete and review all of their e-learning modules in the same place. 

The benefits for our clients’ compliance managers, HR administrators, and IT teams are also compelling. Our in-house instructional designers have worked extensively with the cyber-security experts at BH Consulting to develop a course that can be rolled out to workforces at large. As with all of our courses, it can be easily tailored to include a firm’s own content e.g. specific links to your policies.

For more details on RegSol e-Learning, please see our website here: https://www.regsol.ie/elearning.php

A full list of courses that we provide can be found here: https://www.regsol.ie/cpd/

For more information, to discuss a trial, or to get a quote please contact us at:
info@regsol.ie
+35315394884

Central Bank Highlights Under-Insurance in Home Insurance Market
November 2022

On 22nd September 2022, the Central Bank of Ireland (“Central Bank”) wrote to insurers telling them they must do more to warn customers of the risk of under-insurance in the home insurance market, in light of the impact of inflation on construction costs.

This follows a Thematic Review carried out by the Central Bank, which found that under-insurance in the home insurance market had been steadily increasing over the last five years – from an average of 6.5% of paid claims being under-insured in 2017, up to 16.5% in 2021.

The Central Bank's review of the home insurance market identified shortcomings in two areas:
  • clarity, consistency and timeliness of communication with consumers, and
  • the effectiveness of risk management tools in identifying and assessing risk to consumers.

The Central Bank also outlined its supervisory expectations for all firms that provide home insurance products to consumers to:
  1. Send a clear communication of the risks and examples of the consequences of under-insurance to policyholders, the reasons why this is currently a heightened risk and how policyholders can better estimate an adequate sums insured value, in a stand-alone, written form;

  2. Act honestly, fairly and professionally in the best interests of its customers and the integrity of the market;

  3. Put in place a clear plan to address the points raised in the Dear CEO Letter. The plan must include clear and reasonable timelines for implementation of mitigating actions, with appropriate governance and sign-off. The plan should be submitted to the Central Bank at cpnonlife@centralbank.ie by 28 October 2022;

  4. Ensure the board has appropriate oversight of the plan to address the gaps identified, or the actions required.

The Dear CEO Letter can be found here and, if you have any queries on how to apply the above Central Bank supervisory expectations to your firm, please contact us at info@regsol.ie

Whistleblowing in Financial Services Webinar 2022
November 2022

Brokers Ireland will be hosting RegSol’s CEO AnneMarie Whelan to present at their webinar on whistleblowing in the Financial Services sector on Thursday 17th November 2022.

Webinar Details:

“All financial service providers are required to have a policy or channel in place that allows employees to raise issues of concern with respect to non-compliance with financial services legislation without fear of retaliation from their employer. In addition, the Protected Disclosures Act 2014, which applies to all employing entities, was recently amended to transpose the European Whistleblowing Directive into Irish law. This webinar looks at the recent key changes to the legislation, the key obligations on employers and their increasing nature relative to the size of employing entity.”

For more details on the webinar and to sign up to attend, please go to the following link:

Whistleblowing in Financial Services Webinar 2022 | Brokers Ireland

Protected Disclosures (Amendment) Act 2021 comes into force on 1st January 2023
October 2022

The Protected Disclosures (Amendment) Act 2022 (the “Amendment Act”) will commence in its entirety on 1st January 2023.

The Act updates the Irish Protected Disclosures Act 2014 (‘2014 Act’) and transposes the EU Whistleblowing Directive into Irish law.

By 1st January 2023, the Amendment Act will have the following effect:

  • All organisations with 250 or more employees will be required to establish formal internal reporting channels for employees to report concerns about wrongdoing in the workplace.
  • The channels and procedures shall provide for acknowledgement of reports by a designated impartial person, within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • From 17th December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • Presently (under the Protected Disclosures Act 2014), employees, former employees, trainees, independent contractors and agency workers are protected. The Amendment Act, however, extends the scope of the protected disclosures regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • A new Office of the Protected Disclosures Commissioner will be established in the Office of the Ombudsman to support the operation of the new legislation. Mr Ger Deering, the current Financial Services and Pensions Ombudsman, will be the first Protected Disclosures Commissioner.

Establishing Internal Reporting Channels

Internal reporting channels and procedures may be operated internally by a person or department designated for that purpose or provided externally by an authorised third party.

The channels must be operated in a secure manner that ensures the confidentiality of the reporting person’s identity and any third party mentioned in their report.

Employees must be able to make their report in writing or orally or both.

Organisations that employ fewer than 250 employees may share resources for receiving and investigating reports, which will allow group companies to avoid having to put in place multiple internal reporting channels.


Acknowledgement, Feedback and Follow Up

Strict deadlines for acknowledging receipt, following up and providing feedback are required to be put in place by way of the internal reporting channels and procedures:

  1. Receipt of a protected disclosure must be acknowledged in writing within seven days.

  2. An impartial person must be designated who is competent to follow up on reports, will maintain communication with the reporting person and, where necessary, will request further information from, and provide feedback to, that reporting person.

  3. The designated person must diligently follow up on the report within three months including carrying out an initial assessment of the accuracy of the allegations made and, where relevant, address the breach reported, including, by way of internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure.

  4. Feedback must be provided within three months, or six months in duly justified cases, informing the reporting person of the action envisaged or taken as follow-up and the grounds for such follow-up.

  5. Clear and easily accessible information must be provided regarding: the procedures for making a protected disclosure, the conditions under which such reports may be accepted and follow-up undertaken, and the procedures for making a protected disclosure to the Office of the Protected Disclosures Commissioner.

New Office of the Protected Disclosures Commissioner

A new Office of the Protected Disclosures Commissioner (‘the Commissioner’) will be established within the Office of the Ombudsman to support the operation of the new legislation. The Commissioner will direct protected disclosures to the most appropriate body when it is unclear which body is responsible and where this body cannot be identified, the Commissioner will be obliged to accept and investigate the protected disclosure itself.

The Commissioner will have extensive powers to carry out their duties. They will have the power to require the production of information and/or records, books, documents or other things and to require the attendance of any person for this purpose.


Enhancement of protections for workers

The Amendment Act further enhances the protections for workers who suffer penalisation as a result of making a protected disclosure by reversing the burden of proof in civil proceedings, expanding the provision of interim relief to include forms of penalisation other than dismissal, and providing for criminal penalties for penalisation.

The definition of penalisation is significantly expanded by the EU Whistleblowing Directive to include withholding of training, a negative performance assessment or employment reference, harm, including to the person’s reputation, blacklisting, and psychiatric or medical referrals.

The Amendment Act proposes to reverse the burden of proof for proceedings concerning allegations of penalisation for having made a protected disclosure. It also enables workers to seek interim relief from the Circuit Court for penalisation other than dismissal. The Bill provides for a maximum award of compensation in the sum of €15,000 from the Workplace Relations Commission for individuals who are not in receipt of remuneration from the employer with whom they are in a work-based relationship.


New offences

The Amendment Act makes it a criminal offence to:

  • hinder or attempt to hinder a worker in making a report;
  • penalise or threaten penalisation or cause or permit any other person to penalise or threaten penalisation;
  • bring vexatious proceedings;
  • breach the duty of confidentiality in section 16 regarding the identity of reporting persons;
  • make a report containing any information that the reporting person knows to be false; or
  • fail to establish, maintain and operate internal reporting channels and procedures.

Penalties

The Amendment Act also provides for very substantial fines (ranging between €75,000 and €250,000 for convictions on indictment) and the possibility of a term of imprisonment not exceeding two years for employers who are found to have committed a criminal offence under the Amendment Act.


Key Takeaways

Although organisations with 50 – 249 employees have until 17th December 2023 to comply with the new legislation, they might consider putting whistleblowing policies in place now, or reviewing and enhancing existing ones, in anticipation of the introduction of the new enhanced regime.

Firms will also be required to designate the appropriate staff to receive protected disclosures in a secure and confidential manner and provide them with training particularly in relation to the new timelines for acknowledging and following up protected disclosures.

To learn more about how RegSol can assist your firm in implementing the new Amendment Act, please contact us at info@regsol.ie

Central Bank Intermediary Times – October 2022
October 2022

In this latest edition of the Central Bank’s newsletter, the following items of interest to retail intermediaries are covered:

  • Recent developments 
    • Changes to the Fitness & Probity application process and Central Bank Portal
    • Issuing of the 2021 industry funding levy
  • Central Bank publications relevant for retail intermediaries
    • An update on the Consumer Protection Code Review
    • Risk of under-insurance in the home insurance market and the role of insurance intermediaries (see RegSol’s article here)
    • The impact of Covid-19 on operational resilience and implications for customer service
  • Upcoming changes to the voluntary revocation process
  • Reminders on obligations relating to:
    • Changes in qualifying shareholdings
    • Legal Entity Identifiers for passporting retail intermediaries (see RegSol’s article here)

1. Changes to the Fitness & Probity application process

IQs for PCFs

For the submission of all applications to become a holder of a Pre-Approval Controlled Function (PCF) in 2023, Individual Questionnaires (IQs) will no longer be submitted through the Online Reporting System (ONR), but will instead be submitted through the Central Bank Portal (Portal). These changes will go live in Q1 2023 and aim to provide applicants with an enhanced process for submitting applications.


Changes to the Portal

Since 27th June 2022, Portal users have had the ability to link their ONR accounts to their Portal accounts, which allows users to access the returns service via the Portal platform. For those that have not yet taken this action, the Central Bank is requesting that they link their accounts as soon as possible, as access to the ONR via the old login screen will be removed for all users in 2023.


2. Changes to the Voluntary Revocation Process & Form

The Central Bank is introducing a number of changes to the voluntary revocation form (where a retail intermediary no longer wishes to retain its authorisation/registration) to ensure the firm assesses the impact of revocation on its customers.


Complaints and Customer Awareness

The Central Bank expects all retail intermediaries applying for voluntary revocation to ensure their clients are not adversely affected by the action, and seek to address any outstanding complaints, where possible, ahead of making an application. Clients should be made aware of the fact that any complaint or claim made after the revocation of an authorisation/registration may not be covered by the firm’s Professional Indemnity Insurance (PII).


PII Cover

The Central Bank’s expectation remains that adequate PII cover is in place and will remain in place at least until the revocation has been granted. Firms also need to ensure that they make adequate provisions for liabilities that may fall due post-revocation, and should consider the use of run-off PII cover, where appropriate. From November 2022, in addition to the pre-existing conditions of revocation, the application form will also seek attestations from the applicant that:
  • PII is in place and will remain in place until the revocation is granted;
  • Where there are unresolved, unsatisfied or undischarged complaints against the applicant, that these have been notified to the applicant’s PII insurer;
  • The applicant will inform its PII insurer of any further complaints and/or potential claims that it is aware of up to the point of revocation; and
  • Where there is a complaint under assessment with the Financial Services and Pensions Ombudsman (FSPO) that the applicant has liaised with the FSPO in respect of the complaint and made adequate provisions for any potential liabilities that may arise from any settlement.

3. Changes to Qualifying Shareholdings – Obligations for Retail Intermediaries

The Central Bank reminds retail intermediaries of their regulatory requirements when engaging in transactions that involve a change in shareholding of the firm.

All Regulated Entities
In accordance with the Consumer Protection Code (CPC), where a firm intends to cease operating, merge with another, or to transfer all or part of its regulated activities to another regulated entity, it must:
  • Notify the Central Bank immediately;
  • Provide at least two months’ notice to affected consumers to enable them to make alternative arrangements;
  • Ensure all outstanding business is properly completed prior to the transfer, merger or cessation of operations or, alternatively in the case of a transfer or merger, inform the consumer of how continuity of service will be provided following the transfer or merger;
  • In the case of a merger or transfer of regulated activities, inform the consumer that their details are being transferred to the other regulated entity, if that is the case.

Investment Intermediaries (Acquiring Transactions)

In addition to obligations under the CPC, prior approval from the Central Bank is required before a proposed acquiring transaction as defined under the Investment Intermediaries Act 1995 (IIA) can proceed.

Under the IIA an acquiring transaction means ‘any direct or indirect acquisition by a person or more than one person acting in concert of shares or other interest in an authorised investment business firm:

Provided that after the proposed acquisition –

(a) the proportion of voting rights or capital held by the person or persons making the acquiring transaction would reach or exceed a qualifying holding, or

(b) the proportion of voting rights or capital held by the person or persons making the acquiring transaction would reach or exceed 20 per cent, 33 per cent, or 50 per cent.

(c) an authorised investment business firm would become a subsidiary of the acquirer.’



Section 40 of the IIA requires the following:

‘An acquiring transaction shall not proceed until a supervisory authority has informed the authorised investment business firm and the party making the acquiring transaction in writing that it approves of the acquiring transaction or until three months have elapsed during which the supervisory authority has not refused to approve of the acquiring transaction.’


Insurance Intermediaries

While prior Central Bank approval is not required for a change in shareholding for insurance intermediaries, firms should note that Regulation 12 of the Insurance Distribution Regulations 2018 (IDR) sets out the following requirement:

An insurance, reinsurance and ancillary insurance intermediary or, where applicable, an insurance or reinsurance undertaking, shall notify the Bank in writing without undue delay of any material change in the information provided under Regulation 9(8).


Therefore, it is a requirement under the IDR for insurance intermediaries to notify the Central Bank, without undue delay, of any material change in shareholdings and any material change in the information provided under Regulation 9(8).

If you have a query regarding any of the issues highlighted by the Central Bank above, contact us at info@regsol.ie

To read the Intermediary Times publication in full, please see the link below:

Intermediary Times October 2022 (centralbank.ie)

BOI Fined Record €100.5m for Tracker Mortgage Failures
October 2022

On 27th September 2022, the Central Bank of Ireland (“Central Bank”) reprimanded and fined The Governor and Company of the Bank of Ireland (“BOI”) €100,520,000 pursuant to its Administrative Sanctions Procedure for a series of significant and long-running failings in respect of almost 16,000 tracker mortgage customer accounts which were impacted between August 2004 and June 2022.

This is the largest fine imposed to date by the Central Bank and is in addition to the more than €186.4m BOI has already paid to impacted customers identified prior to and as part of the Central Bank’s Tracker Mortgage Examination.

BOI admitted in full to 81 separate regulatory breaches.

The Central Bank’s investigation found that BOI failed in its obligations towards its customers under the European Communities (Unfair Terms in Consumer Contracts) Regulations, 1995, the Code of Practice for Credit Institutions, 2001 and the Consumer Protection Codes 2006 and 2012.

BOI’s failures resulted in the loss of 50 properties, including 25 family homes, which the Central Bank believed would have been avoided if BOI had complied with the most basic and fundamental of its consumer protection obligations.

The main findings from the Central Bank’s investigation were that BOI:
  • Provided unclear contractual documents to its tracker customers,
  • Failed to interpret its unclear contractual documents in customers’ best interests,
  • Failed to warn customers about the consequences of decisions relating to their mortgage,
  • Implemented an unfair complaints-handling practice for customers, returning them to a tracker rate only when they queried or complained about their mortgage rate,
  • Had deficient mortgage systems and controls which contributed to a significant number of operational errors,
  • Wrongfully excluded customers from the protections of the Central Bank’s examination of tracker mortgages, including them only after significant challenge by the Central Bank.

BOI is the last of the main retail banks to receive a penalty and reprimand after they denied tracker rates to their customers who were entitled to them when the financial crisis began over a decade ago, or put them on the wrong rates, because the products were starting to cost the lenders money.

Each investigation was concluded by way of settlement, with historic levels of fines imposed on lenders on foot of the Central Bank’s findings, as follows:
  1. May 2019: PTSB, €21m
  2. September 2020: KBC, €18.3m
  3. March 2021: Ulster Bank, €37.7m
  4. June 2022: AIB, €83.3m

To read the Central Bank’s Enforcement Notice against BOI, please go to the following link:

Public statement relating to Enforcement Action against the Governor and company of the Bank of Ireland (centralbank.ie)

Protected Disclosures (Amendment) Act 2021 to commence on 1st January 2023!
October 2022

The Minister for Public Expenditure and Reform yesterday (12th October 2022) signed the commencement order for the Protected Disclosures (Amendment) Act 2022 (the “Amendment Act”), confirming that the Amendment Act will commence in its entirety on 1st January 2023.

By 1st January 2023, the Amendment Act will have the following effect:
 
  • All organisations with 250 or more employees will be required to establish formal internal reporting channels for employees to report concerns about wrongdoing in the workplace.
  • The channels and procedures shall provide for acknowledgement of reports by a designated impartial person, within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • From 17th December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • Presently (under the Protected Disclosures Act 2014), employees, former employees, trainers, independent contractors and agency workers are protected. The Amendment Act, however, extends the scope of the protected disclosures regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • A new Office of the Protected Disclosures Commissioner will be established in the Office of the Ombudsman to support the operation of the new legislation. Mr Ger Deering, the current Financial Services and Pensions Ombudsman, will be the first Protected Disclosures Commissioner.
For greater insight on how the new Amendment Act may impact your firm, please see our detailed August Blog Post below or do not hesitate to contact us at info@regsol.ie

RegSol - Blog (Protected Disclosures (Amendment) Act 2021)

Climate Change Risk highlighted in CBI Insurance Newsletter September 2022
September 2022

On 20th September 2022, the Central Bank of Ireland (“CBI”) published its regular Insurance Newsletter for September 2022.

The Newsletter is directed at (re)insurers and sets out the CBI’s observations in relation to climate change risk (following a thematic review of a sample of (re)insurers’ Own Risk and Solvency Assessments (“ORSAs”)); the Central Bank has also helpfully included a collated list of all CBI publications on Climate Risk to date.

The relevant article also sets out guidance on how any regulated entity can implement climate change risk considerations into business strategies.

The CBI’s three main observations were:
  1. Take a holistic approach to climate change risk to better understand risks to the business, secondary impacts, materiality and areas of further focus;

  2. Consider impacts of climate change to the business model beyond the short term; and

  3. Link climate change risk assessments to strategy, in order to manage or mitigate risks rather than simply monitoring them.
In the ORSAs reviewed, the CBI observed some examples where climate change risk had been integrated into a (re)insurer’s business planning and strategic thinking, and identified good practices including:
  • Embedding the consideration of climate change risk into risk management processes, e.g. updating risk management policies based on conclusions of assessments carried out;

  • Developing a sustainability strategy to define the (re)insurer’s objectives in respect of climate change; and

  • Identifying potential opportunities that arise and ways to develop business models in the future as a result of climate change. The CBI expects (re)insurers to integrate findings and conclusions from risk and scenario analysis into their future strategy to ensure a sustainable business model, e.g. by updating their risk appetite, setting key performance indicators in respect of climate change risk, etc.
To read the Newsletter in full, please go to the following link:

Insurance Newsletter - September 2022 (centralbank.ie)

New Financial Services and Pensions Ombudsman Appointed
September 2022

The appointment of Liam Sloyan as the Financial Services and Pensions Ombudsman (FSPO) for a five-year term has been announced, effective from 1st December 2022.

The FSPO’s objective is to act as an independent, impartial, fair and free service that helps resolve complaints from consumers, including small businesses and other organisations, against financial service providers and pension providers.

Mr. Sloyan previously led a number of public bodies, such as the Health Insurance Authority and the National Treatment Purchase Fund, and served as Regulator of the National Lottery.

Mr. Sloyan’s appointment follows the appointment of former FSPO, Ger Deering, as the Ombudsman and Information Commissioner in February 2022.

Mr. Deering was appointed as Financial Services Ombudsman in April 2015 and subsequently, as Pensions Ombudsman in May 2016. He led the establishment of the Office of the FSPO in January 2018, following the amalgamation of the Financial Services Ombudsman Bureau and the Office of the Pensions Ombudsman.

To read the announcement in full, please go to the following link:

Minister Donohoe appoints Financial Services and Pensions Ombudsman (www.gov.ie)

Instagram Fined record €405 million for Breach of Children's Data Rights
September 2022

On the 2nd September 2022, Instagram (owned by Meta, formerly known as Facebook), was fined €405 million by the Data Protection Commission (“DPC”) for breaches of the GDPR after a two-year investigation into how the social media platform handles children’s data.

It is the largest fine ever imposed by the DPC and once it has been paid, the money will go to the Irish exchequer. It is also the third fine for a Meta-owned company handed down by the DPC.

The fine, which is the second largest GDPR penalty to ever be handed down (Luxembourg’s data protection authority (CNPD) fined Amazon a record €746 million for non-compliance in July), covers alleged violations stemming from Instagram's default account settings for children ages 13-17.

Recital 38 of the GDPR highlights that where children’s data is used to create user profiles, specific protections should apply since children may be less aware of the risk, consequences and safeguards and their rights in relation to the processing of data.

The breaches concerning Instagram related to:

  1. Teenage users aged 13-17 being allowed to operate ‘business accounts’ on Instagram, which resulted in the publication of their phone numbers and email addresses.

  2. All accounts, including the accounts of teenage users, were set to public by default, unless the user affirmatively changed the privacy settings.

The investigation into the allegations began in October 2020 and the preliminary decision by the DPC was subject to a dispute resolution procedure under Article 65 of the GDPR. After submitting a draft decision for consideration by its peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), in December 2021, six of them raised objections. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB rejected some of the concerns, but upheld objections requiring the DPC to amend its draft decision to include an additional finding of infringement. The DPC's original draft decision had recommended a fine of up to €405m. The final penalty of €405m included a fine of €20m for an additional infringement that the DPC was asked to include.

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

Instagram has indicated it intends to appeal the decision.

For further details on the DPC’s decision, you can click on the following link:

Data Protection Commission announces decision in Instagram Inquiry

Central Bank of Ireland Enforcement Action – Danske Bank reprimanded and fined €1.82m for AML/CFT transaction monitoring failures
September 2022

On 13th September 2022, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined Danske Bank A/S, trading in Ireland as Danske Bank, €1,820,000 pursuant to its Administrative Sanctions Procedure for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended (the “CJA 2010”).

This is the first penalty that the Central Bank has imposed on a financial institution which is incorporated and authorised outside of Ireland, but which operates here as a branch on a passport basis.


Breaches

The three breaches arise from the failure by Danske Bank to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch which occurred over a period of almost nine years, between 2010 and 2019.

The three breaches comprised failures by Danske Bank under the CJA 2010 relating to:

  • Transaction Monitoring: Danske Bank failed to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customer for money laundering and terrorist financing risk at its Irish branch for a period of almost nine years.
  • Enhanced Customer Due Diligence: In failing to conduct automated transaction monitoring in respect of certain categories of customers, Danske Bank’s Irish branch did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures might be required.
  • Anti-money laundering / Countering the Financing of Terrorism policies, procedures and controls: The policies, procedures and controls put in place by Danske Bank did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction monitoring.

Background

The failure arose from historic data filters that were applied within Danske Bank’s automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske Bank was found to have failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA 2010 when it came into force in Ireland in 2010. This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske Bank as high and medium risk.

Danske Bank became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue.

It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, but the Central Bank said it was not informed of the issue until February 2019. As a result, the failures to rectify the issue and to notify the Central Bank promptly were considered aggravating factors in the case.


Central Bank on Transaction Monitoring

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious.”

In 2020, the Central Bank had highlighted in its AML Bulletin on Transaction Monitoring the importance of monitoring customer transactions to detect potentially suspicious activity. The Bulletin noted that the CJA 2010 specifies that a designated person must monitor customer transactions in order to identify transactions that may be suspicious in nature, and that the intensity of the monitoring should increase with the complexity and scale of those transactions so that the risk of ML/TF is also factored into the transaction monitoring process.

Therefore, while firms may rely on automated solutions for transaction monitoring, the Danske Bank case reiterates the requirement for firms to ensure they have in place controls, policies and procedures that are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their ML and TF risk exposure.

Do you have any questions on Transaction Monitoring? Reach out to us at info@regsol.ie for information on our training courses and consultancy services.

To read the Central Bank Enforcement Action Notice in its entirety you can click on the following link:

Public statement relating to Enforcement Action against Danske Bank A/S (centralbank.ie)

DPC Guidance on Data Transfers to 3rd Countries
August 2022

The Data Protection Commissioner (‘DPC’) reminds entities that the transfer of personal data from the EU to controllers and processors located outside the EU in third countries (i.e. any country outside the European Economic Area (‘EEA’)), while necessary for international trade and international co-operation, should not undermine the level of protection of the individuals concerned.

Such transfers to third countries or international organisations should be done in full compliance with Chapter 5 (Articles 44 – 50) of the General Data Protection Regulation (the ‘GDPR’).


Article 45 – Transfers on the basis of an adequacy decision

The DPC notes that the first thing to consider when transferring personal data to a third country is if there is an “adequacy decision” – this is where the European Commission has decided that a third country or an international organisation has an adequate level of data protection taking into account factors such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection.

The effect of such an adequacy decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary, effectively meaning the transfer is the same as if it was carried out within the EU.


Article 46 – Transfers subject to appropriate safeguards

Where there is no adequacy decision, the DPC highlights that the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

  1. Standard data protection clauses – these are model data protection clauses that have been approved by the European Commission and contain contractual obligations on the Data Exporter and the Data Importer and rights for the individuals whose personal data is transferred.

  2. Binding corporate rules (‘BCR’) – these rules form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's EEA entities to the group’s non-EEA entities. There are two types of such rules which can be approved - BCR for Controllers which are used by the group entity to transfer data that they have responsibility for such as employee or supplier data; and BCR for Processors which are used by entities acting as processors for other controllers and are normally added as an addendum to a Service Level Agreement contract.

  3. Approved Codes of Conduct - The use of Codes of Conduct as a transfer tool, under specific circumstances, has been introduced by the GDPR in Article 40(3). While voluntary, they set out specific data protection rules for categories of controllers and processors providing a detailed description of what is the most appropriate, legal and ethical behaviour within a sector.

  4. Approved certification mechanisms - Article 42(2) of the GDPR provides that certification mechanisms, whereby an independent body gives a written assurance (a certificate) that the product, service or system in question meets specific requirements, may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries, which are binding and safeguard data subject rights.
For further information on the Guidance, please see the link below:

Transfers of Personal Data to Third Countries or International Organisations | Data Protection Commissioner

Central Bank (Individual Accountability Framework) Bill 2022
August 2022

The Central Bank (Individual Accountability Framework) Bill 2022 (‘the Bill’) was published on 28th July 2022. Its principal purpose is to confer powers on the Central Bank of Ireland (the ‘CBI’) and provide greater detail on the four pillars of the individual accountability framework (‘IAF’), namely the Senior Executive Accountability Regime; the Conduct Standards; the Fitness and Probity Regime; and the Administrative Sanctions Procedure.

As noted by Gerry Cross, Director of Financial Regulation, on 21st February 2022 in an address to the Compliance Institute: “The Framework is fundamentally about underpinning good conduct and high quality governance and culture within firms. It is about being clear who is responsible for what and ensuring that reasonable steps are taken to fulfil those responsibilities. It is aligned with what will already be sound practices at well-governed and organised firms. The framework is, and our approach to implementation of it will be, firmly founded in proportionality and what is reasonable.”

SEAR

Under the Senior Executive Accountability Regime (‘SEAR’) regulated financial service providers (‘firms’) will be required to set out clearly where the responsibility and decision-making of the firm lies.

The Bill proposes to extend the regulation-making power of the CBI to give effect to SEAR. This will enable the CBI to make regulations in relation to inherent responsibilities and prescribed responsibilities, which relate to pre-approval controlled function (‘PCF’) holders.

This includes a new legal “duty of responsibility” on PCF holders who fall within the scope of SEAR to take “any steps that it is reasonable in the circumstances for the person to take” to ensure the firm does not breach its obligations under financial services legislation. When considering if the relevant individual has discharged their “duty of responsibility”, the CBI will consider all relevant circumstances, examples of which, as set out in the Bill, include the function of the person and the level of knowledge and experience that a person with such function could reasonably be expected to have. If a contravention of the duty occurs, the individual may be held directly accountable for the breach and be subject to the CBI’s Administrative Sanctions Procedure.

Initially, SEAR is expected to extend only to credit institutions, insurance undertakings (except reinsurance, captive (re)insurance and insurance special purpose vehicles), certain investment firms and any third country branches of those companies.


Conduct Standards

The Bill provides for the introduction of three types of conduct standards for firms and their staff as follows:

• Business Standards (for firms);

• Common Conduct Standards (for individuals); and

• Additional Conduct Standards (for individuals in the most senior roles).


1. Business standards for firms

The Bill (Section 5) provides for a new regulation-making power for the CBI to prescribe business standards with which firms will be obliged to comply to ensure they act in the best interests of customers and of the integrity of the market; act honestly, fairly and professionally; and act with due skill, care and diligence. The business standards will apply to all firms and a breach will be considered a prescribed contravention for purposes of enabling the CBI to take enforcement action.


2. Common conduct standards for individuals

The Bill (Section 6) provides for the following individual conduct standards:
  1. Common Conduct Standards: these standards will apply to all persons performing controlled functions (i.e. CF or PCF roles).

  2. Additional Conduct Standards: these standards will apply to more senior persons performing PCF roles or who exercise a significant influence on the conduct of the firm’s affairs, for example, chief executives, executive or non-executive directors, heads of functions. Such persons will need to comply with both the Common Conduct Standards and the Additional Conduct Standards, regardless of whether their role is within the scope of SEAR.

Firms must ensure that they notify any relevant persons of the conduct standards that will be expected of them and that they provide training on these standards. The Bill also provides that the CBI will provide guidelines relating to the notification and training obligations of firms.


Certificate of Compliance with Standards of Fitness and Probity

Part 3 of the Bill strengthens the existing obligations on firms in relation to the fitness and probity of their key personnel. The Bill provides that firms will only allow an individual to perform a CF role if a certificate of compliance with standards of fitness and probity is in force in relation to the person. A certificate can be given only if the firm “is satisfied on reasonable grounds” that the person concerned complies with any standard of fitness and probity in a code issued under Section 50 of the Central Bank Reform Act 2010 and the person has agreed in writing to comply with any such standard.

The CBI will have the power to make regulations in relation to the form and content of these certificates, the validity period of a certificate and the firm’s procedures in relation to the giving or revoking of a certificate.


Administrative Sanctions Procedure (‘ASP’)

The Bill also makes a number of amendments to the Central Bank Act 1942 which underpins the ASP:

  1. High Court oversight for the ‘settlement process’ under section 33AR of the 1942 Act (where the firm or individual acknowledges the commission of the prescribed contravention). Therefore, any sanction imposed by the CBI will only have effect if confirmed by the High Court.

  2. The High Court will confirm the decision unless it is satisfied that the CBI “made an error of law” in its decision or that a sanction is manifestly disproportionate.

  3. The Bill provides a list of relevant considerations that the CBI must take into account when determining whether to impose a sanction, what sanction to impose and the level of any monetary penalty to impose including the person’s seniority and level of responsibility in the firm and whether the person’s conduct was intentional, negligent or dishonest.

  4. The Bill replaces the concept of a ‘person concerned in the management of an RFSP’ with the concept of a ‘person performing a controlled function’ with a view to facilitating individual accountability of the relevant individual.

Next steps

The Bill is yet to be enacted and once the legislative process is completed, the CBI will prepare relevant guidelines and regulations to be issued under the Bill. Relevant firms and senior executives should note that the framework will require significant training and having the appropriate processes in place.

RegSol will keep our clients updated on progress of the Bill and any draft guidelines and regulations once published. If you require assistance in planning for SEAR and IAF or assessing your current framework, contact us at info@regsol.ie

New EBA Guidelines on ML/TF risk factors
August 2022

The European Banking Authority (‘EBA’) published revised Guidelines (updated on 8th August 2022) on customer due diligence (‘CDD’) and the factors to be considered when assessing the risk of money laundering (‘ML’) and terrorist financing (‘TF’) under the 4th and 5th Money Laundering Directives (repealing and replacing the 2017 guidelines).

The Guidelines set out the factors to be taken into account by credit and financial institutions when assessing the ML /TF risks associated with their activities and business relationships or with an occasional transaction with a natural or legal person.

The Guidelines also feature guidance on:

  • how financial institutions can adjust their CDD measures to mitigate the ML/TF risk they have identified so as to make them more appropriate and proportionate;
  • the identification of beneficial owners;
  • the use of innovative solutions to identify and verify customers’ identities;
  • how financial institutions should comply with enhanced CDD (‘EDD’) requirements relating to high-risk third countries;
  • new sectoral guidelines for crowdfunding platforms, corporate finance advisory firms, account information service providers, payment initiation services providers, and firms providing currency exchange services;
  • more details on TF risk factors.

The guidance highlights that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, financial institutions should take steps to effectively manage the ML/TF risks associated with individual business relationships.

To read the EBA Guidelines in their entirety, please see the following link:

Final Report on Guidelines on revised ML TF Risk Factors.pdf (europa.eu)

Protected Disclosures (Amendment) Act 2021
August 2022

On 21st July 2022, the Protected Disclosures (Amendment) Act 2022 (‘Amendment Act’) was signed into law. It has yet to be commenced or ‘take effect’.

The Act updates the Irish Protected Disclosures Act 2014 (‘2014 Act’) and transposes the EU Whistleblowing Directive into Irish law.

Once commenced, the Amendment Act will:
  • Require all organisations with 50 or more employees to have internal channels and procedures for their employees to make protected disclosures. (This changes the current position where only public sector employers are obliged to have such procedures in place.)
  • Initially, the requirement will only apply to private sector employers with 250 or more employees.
  • However, from 17 December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • As it stands, under the 2014 Act, employees, former employees, trainers, independent contractors and agency workers are protected. The Amendment Act, however, extends the scope of the protected disclosures regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • The channels and procedures shall provide for acknowledgement of reports by a designated impartial person, within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • Reverse the burden of proof for penalisation cases. This means the employer will need to prove that any alleged penalisation was not a direct result of the employee making a protected disclosure.
  • Establish a new Office of the Protected Disclosures Commissioner in the Office of the Ombudsman to support the operation of the new legislation.

Establishing Internal Reporting Channels

Internal reporting channels and procedures may be operated internally by a person or department designated for that purpose or provided externally by an authorised third party.

The channels must be operated in a secure manner that ensures the confidentiality of the reporting person’s identity and any third party mentioned in their report.

Employees must be able to make their report in writing or orally or both.

Organisations that employ fewer than 250 employees may share resources for receiving and investigating reports, which will allow group companies to avoid having to put in place multiple internal reporting channels.


Acknowledgement, Feedback and Follow Up

Strict deadlines for acknowledging receipt, following up and providing feedback are required to be put in place by way of the internal reporting channels and procedures:

  1. Receipt of a protected disclosure must be acknowledged in writing within seven days.

  2. Designate an impartial person who is competent to follow up on reports, will maintain communication with the reporting person and where necessary, will request further information from, and provide feedback to, that reporting person.

  3. The designated person must diligently follow up on the report within three months including carrying out an initial assessment of the accuracy of the allegations made and, where relevant, address the breach reported, including, by way of internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure.

  4. Feedback must be provided within three months, or six months in duly justified cases, informing the reporting person of the action envisaged or taken as follow-up and the grounds for such follow-up.

  5. Provision of clear and easily accessible information regarding: the procedures for making a protected disclosure, the conditions under which such reports may be accepted and follow-up undertaken, and the procedures for making a protected disclosure to the Office of the Protected Disclosures Commissioner.

New office of the Protected Disclosures Commissioner

A new Office of the Protected Disclosures Commissioner (‘the Commissioner’) will be established within the Office of the Ombudsman to support the operation of the new legislation. The Commissioner will direct protected disclosures to the most appropriate body when it is unclear which body is responsible and where this body cannot be identified, the Commissioner will be obliged to accept and investigate the protected disclosure itself.

The Commissioner will have extensive powers to carry out their duties. They will have the power to require the production of information and/or records, books, documents or other things and to require the attendance of any person for this purpose.


Enhancement of protections for workers

The Amendment Act further enhances the protections for workers who suffer penalisation as a result of making a protected disclosure by reversing the burden of proof in civil proceedings, expanding the provision of interim relief to include forms of penalisation other than dismissal, and providing for criminal penalties for penalisation.

The definition of penalisation is significantly expanded by the EU Whistleblowing Directive to include withholding of training, a negative performance assessment or employment reference, harm, including to the person’s reputation, blacklisting, and psychiatric or medical referrals.

The Amendment Act proposes to reverse the burden of proof for proceedings concerning allegations of penalisation for having made a protected disclosure. It also enables workers to seek interim relief from the Circuit Court for penalisation other than dismissal. The Bill provides for a maximum award of compensation in the sum of €15,000 from the Workplace Relations Commission for individuals who are not in receipt of remuneration from the employer with whom they are in a work-based relationship.


New offences

The Amendment Act makes it a criminal offence to:
 
  • hinder or attempt to hinder a worker in making a report;
  • penalise or threaten penalisation or cause or permit any other person to penalise or threaten penalisation;
  • bring vexatious proceedings;
  • breach the duty of confidentiality in section 16 regarding the identity of reporting persons;
  • make a report containing any information that the reporting person knows to be false; or
  • fail to establish, maintain and operate internal reporting channels and procedures.

Penalties

The Amendment Act also provides for very substantial fines (ranging between €75,000 and €250,000 for convictions on indictment) and the possibility of a term of imprisonment not exceeding two years for employers who are found to have committed a criminal offence under the Amendment Act.


Key Takeaways

Although organisations with 50 – 249 employees have until 17th December 2023 to comply with the new legislation, consideration might be given now to putting whistleblowing policies in place, or to reviewing and enhancing existing ones, in anticipation of the introduction of the new enhanced regime.

Organisations will also be required to designate the appropriate staff to receive protected disclosures in a secure and confidential manner and provide them with training particularly in relation to the new timelines for acknowledging and following up protected disclosures.

To learn more about how RegSol can assist your firm in implementing the new Amendment Act, please contact us at info@regsol.ie
Roles & Responsibilities of the AML Compliance Officer – EBA Guidance
July 2022

On 14th June 2022 the EBA published guidance on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer.

Frequently we have seen references to a European wide approach to AML/CFT (Anti Money Laundering / Countering the Financing of Terrorism). The aim of these guidelines is to “….create a common understanding, by competent authorities and credit or financial institutions, of credit or financial institutions’ AML/CFT governance arrangements. A common understanding, which is applied consistently and enforced as necessary, is key to strengthening the EU’s AML/CFT defences.”

The guidelines come into effect from 1st December 2022.

They are very comprehensive, running to 54 pages and they examine in detail the following:
 
  • The role of the management body in its supervisory function and management function in the AML/CFT framework.
  • Identification of the member of the management body responsible for AML/CFT.
  • Identification of a senior manager responsible for AML/CFT where no management body is in place.
  • Tasks and role of the member of the management body or senior manager responsible for AML/CFT.

Section 4.2 looks at the role and responsibilities of the AML/CFT compliance officer from their appointment, the skills and experience they should have in addition to the tasks they must complete and includes reference to outsourcing.

Section 5 has a list of additional documents, a summary of the Views of the Banking Stakeholder Group (‘BSG’) and Feedback on the public consultation and on the opinion of the BSG.

While reference is made to credit and financial institutions in the document, it provides useful information and guidance. As many of our readers will be aware, there is a positive obligation on Designated Persons to have a business wide risk assessment in place which covers all the AML/CFT and financial sanctions which their business may be exposed to. Included in the requirement is a specific reference to publications from the ESAs – European Supervisory Authorities. The EBA (European Banking Authority) is one of these.

While we have provided an overview above, the link to the full document is here:

Guidelines on AMLCFT compliance officers.pdf (europa.eu)

If you require assistance in assessing your AML resourcing or in updating your Business Wide Risk Assessment and/or your AML Policies & Procedures, you can contact us at info@regsol.ie
Intermediary Times June 2022 Issued by the Central Bank
July 2022

The 'Intermediary Times', the Central Bank’s newsletter published twice a year, includes regulatory issues that retail intermediary firms need to be aware of in improving their standards of compliance.

In this latest edition the Central Bank of Ireland covers many items including:

  • Amendments to the list of Pre-Approval Controlled Functions; (also see RegSol’s article here)
  • A new Legal Entity Identifier requirement for some types of retail intermediaries; (see RegSol’s article here)
  • New features of the Central Bank Portal;
  • Updates relating to the Sustainable Finance Disclosure Regulations (SFDR);
  • An overview of the Consumer Protection Outlook Report 2022; (see RegSol’s article here)
  • Implications for Insurance Intermediaries of the new insurance regulations relating to Differential Pricing; (see RegSol’s article here)
  • Learnings relating to Authorisations and the Fitness and Probity (F&P) Assessment; and
  • Recent Central Bank publications relevant for retail intermediaries:
    • Use of Exempt Ancillary Insurance Intermediaries in the Insurance Sector; and
    • Structured Retail Products. (see RegSol’s article here)

One particular area highlighted by the Central Bank in the newsletter which will be of interest to our intermediary clients is as follows:

Amendments to the list of Pre-Approval Controlled Functions (PCFs)

Firms are reminded that, for persons performing PCF2B, PCF16 and/or PCF52 before 5th April 2022, an ‘In Situ’ process is available to notify the Central Bank via the PCF In-Situ Return - the Online Reporting System (ONR) whereby an Individual Questionnaire (IQ) is not required - by 30th June 2022.

Persons proposed for these roles after 5th April 2022 must submit PCF applications via the normal process (i.e. submission of an IQ). Those individuals are now subject to the F&P Standards.

For any assistance in applying to the Central Bank for an authorisation, please feel free to contact us at info@regsol.ie

To read the CBI publication in full, please see the link below:

Intermediary Times June 2022 (centralbank.ie)
Q&A - Price Walking & Differential Pricing Regulations Commencing 1st July 2022
July 2022

Further to our article in May’s edition of the RegSol newsletter (HERE) on the new Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022 (the Regulations) which came into effect on 1st July 2022, the Central Bank has published the Insurance Regulations Q&A which our intermediary clients might find useful to further explain the implications for their business.

As our readers will note, the Regulations, applicable to insurance undertakings and insurance intermediaries, were introduced to benefit consumers and enhance the consumer protection framework. The new requirements impact three key areas:
  1. Pricing: A ban of price walking in home and motor insurance markets - from 1st July 2022, insurance providers cannot charge consumers who are on their second or subsequent renewals a premium that is higher than they would have charged a year one consumer renewing their policy.
  2. Annual Review of pricing practices and policies: Insurance providers are required to review pricing practices and policies for all customers.
  3. Disclosure of additional information to policyholders in relation to automatic renewal arrangements: Insurance providers must notify the customer that the policy will automatically renew if the consumer does not cancel the automatic renewal before a specified date.
The link to the Insurance Q&As can be found here:

Insurance Regulations 2022 - Q+A updated May 2022 (centralbank.ie)
Establishment of the Corporate Enforcement Authority
July 2022

The Corporate Enforcement Authority ("CEA") has been established with effect from 7th July 2022, following the commencement of the Companies (Corporate Enforcement Authority) Act 2021 (the “2021 Act”) on 6th July 2022. 

The CEA will replace the Office of the Director of Corporate Enforcement (“ODCE”) and assumes the ODCE’s powers and functions in investigating and prosecuting suspected breaches of company law, with some changes to reflect the new structure of the body.


The CEA

The CEA’s new functions include encouraging compliance with the Companies Act 2014, investigating suspected offences and non-compliance under the Companies Act, prosecution of summary offences, referring indictable offences to the DPP, as well as being the competent authority to impose sanctions on company directors under the Companies (Statutory Audits) Act 2018.

The key difference between the CEA and the ODCE is the CEA’s establishment as an independent body, as opposed to an office in the Department of Enterprise, Trade and Employment, which will ensure that the CEA has greater autonomy than the ODCE. The CEA will have autonomy to recruit its own staff with necessary specialist expertise (for example, in the areas of financial forensics and data analytics) which will enable the CEA to better investigate complex enforcement cases. 

The 2021 Act also provides that members of An Garda Síochána may be seconded to the CEA. It is also expected that the CEA will be granted additional powers in the future, including the power to conduct surveillance, to obtain search warrants, to compel the provision of passwords for electronic devices and to permit CEA officials to attend suspect interviews.

The 2021 Act also provides for a number of state bodies - An Garda Síochána, the Competition and Consumer Protection Committee, the Registrar of Companies and the Revenue Commissioners - being required to disclose certain information to the CEA relating to the commission of an offence under the Companies Act 2014. Members of the public are also actively encouraged by the CEA to submit complaints and concerns to it where there is an indication of non-compliance with company law.


Conclusion

The establishment of the CEA is an important step in the deterrence of white-collar crime in Ireland and in the promotion of Ireland as a safe haven to carry out business. With the CEA’s increased staffing and resourcing it is likely that increases in the investigation and enforcement of company law breaches will be seen in the near future.
Compliance Institute of Ireland Survey Results on Third Party Cookie Ban
July 2022

Google has announced it proposes to stop the use of third-party cookies in Chrome by the end of 2023, joining a growing list of browsers ditching the notorious tracking technology.

However, a recent survey from Compliance Institute of 144 compliance professionals within Irish organisations throughout the country, has found that although the oncoming changes from Google around the use of third-party cookie data will have implications for almost 9 in 10 businesses, there’s a widespread lack of awareness, with 74% of respondents saying there’s little to no awareness of the issue within their organisation. (See Compliance Institute press release HERE).


What is a cookie?

A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. It may allow a website to “remember” your actions or preferences over a period of time, or it may contain data related to the function or delivery of the site.


First party and third-party cookies

A cookie set by a website, i.e., the host domain, is a first-party cookie. A third-party cookie is one set by a domain other than the one the user is visiting, i.e., a domain other than the one they can see in their address bar. They are mostly used to track users between websites and display more relevant ads between websites. They also allow website owners to provide certain services, such as live chats.

First-party cookies will still function by default in browsers that block third-party cookies (also in Google Chrome), and they will continue to require consent in most cases, unless the purpose of a cookie is ‘strictly necessary’ to the basic operation of a website.


Consent, consent, consent

As mentioned, the end of third-party cookies does not mean the end of consent.

On the contrary, a firm’s website will still need to ask for and obtain the explicit consent of users before any data is allowed to be stored on a user’s browser, regardless of what technology is used. The website will still be required to inform its users about whatever technology the firm uses to collect personal data, including its provider, purpose and duration, to document safely the obtained consents, and to renew them at least annually.

The Data Protection Commission guidance on Cookies and Other Tracking Technologies (here) confirms that “Consent for the setting of cookies must be of the standard defined in the General Data Protection Regulation Article 4(11), which says the ‘consent’ of the data subject means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.


Is your firm prepared?

There have been mixed reactions to the proposed Google ban. While it has been welcomed by some commentators believing it is for the greater good of individuals and their privacy, others believe the new arrangements will further increase Google’s dominance in the online marketing area and will cause disruption in the advertising business.

Irrespective of how you view the changes, the Compliance Institute survey highlights that only 12% of Irish firms are “very prepared” for the proposed third-party cookie ban on Chrome. It is therefore vital to be aware of how exactly your firm uses cookies and to be compliant with the Data Protection Commission requirements regarding cookies.

Should your firm require a Data Privacy Check-up or review of outward facing data protection policies, make sure to contact us at info@regsol.ie
Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks
July 2022

On 11th July 2022, the Central Bank issued a bulletin to VASPs outlining its regulatory expectations and highlighting recurring weaknesses it has observed in VASP registration applications to date and their Anti-Money Laundering and Countering the Financing of Terrorism (‘AML/CFT’) Frameworks.

In the vast majority of applications, the Central Bank noted a lack of understanding and compliance with key AML/CFT obligations, in addition to significant control weaknesses, thereby increasing the risk of criminals using their products or services to launder money or finance terrorism.


What are VASPs?

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (‘CJA 2010’) was amended by The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (‘CJA 2021’) to transpose elements of the Fifth Anti-Money Laundering Directive into Irish law.

Under the CJA 2021, a VASP is defined as a person who, by way of business, carries out one or more of the following activities for, or on behalf of, another person:
  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets, that is to say, conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
  • custodian wallet provider;
  • participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset or both.
A virtual asset is defined by the CJA 2021 as a "digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets". Some of the most commonly known virtual assets such as Bitcoin, Ethereum and NFTs (non-fungible-tokens) fall within this definition.


Central Bank Requirements

Since 23rd April 2021, a person, or business, providing any of the services outlined above is considered a VASP and is therefore a “designated person” under the CJA 2010. As such, they are required to comply with the AML/CFT obligations contained under Part 4 of the CJA 2010 as amended.

VASPs are also subject to the following requirements:

1. Registration with the Central Bank for AML/CFT Purposes

All VASPs established in Ireland are required to register with the Central Bank for AML/CFT purposes only.

In order for the Central Bank to approve a VASP's application for AML/CFT registration, the Central Bank must be satisfied that:
  • the VASP’s AML/CFT policies and procedures are effective in combatting the money laundering and terrorist financing risks associated with its business model; and
  • the VASP’s management and beneficial owners are subject to the Central Bank’s fit and proper regime. This regime imposes standards in relation to competence, capability, honesty, ethical behaviour and financial soundness. These requirements apply both at the time of registration of a VASP and on an ongoing basis.
2. On-going AML/CFT Obligations

As designated persons, VASPs are required to comply with AML/CTF obligations on an ongoing basis. This includes obligations relating to carrying out business wide risk assessments, customer due diligence, frequent monitoring of VASP customers and related transactions, filing of suspicious transaction reports, developing and implementing appropriate AML/CTF policies and procedures, maintaining records and ensuring provision of training.


Consequences for non-compliance

It is a criminal offence not to comply with the obligations set out under Part 4 of the CJA 2010 as amended, and a failure to do so may result in a fine, imprisonment or both. Alternatively, a breach of Part 4 of the Act may result in enforcement action under the CBI’s Administrative Sanctions Procedure for Designated Persons under the supervision of the CBI.


Key Issues highlighted in bulletin

The bulletin outlines the key issues and recurring weaknesses identified by the Central Bank during its assessment of VASP registration applications. In that regard, the Central Bank highlighted the following expectations for future VASP applicants in submitting complete and comprehensive applications:

1. Application Phase

The Central Bank expects applicant VASP firms to consider its guidance documents and reminds them of the option to attend a pre-application meeting to assist prospective applicants in answering specific questions about any aspect of the registration process and the completion of the VASP AML/CFT Registration Form.

2. Assessment Phase
  • Risk Assessment
The VASP’s AML/CFT risk assessment must focus on specific risks arising from a VASP firm's business model and drive that firm's AML/CFT control framework. Robust controls must be implemented to mitigate and manage the identified risks.
  • Policies and Procedures
The VASP should maintain a documented suite of AML/CFT policies and procedures, which are supplemented by guidance and accurately reflect operational practices. The policies and procedures should also demonstrate consideration of and compliance with Irish legal and regulatory requirements.
  • Customer Due Diligence
The VASP is required to know their customers, persons purporting to act on behalf of customers and beneficial owners. VASP firms must also have enhanced due diligence procedures for dealing with politically exposed persons (PEPs).
  • Financial Sanctions
The Central Bank expects VASPs to have an effective screening system appropriate to the nature, size and risk of their business. VASP firms must follow clear escalation procedures in the event of a positive match.
  • Outsourcing
Where an Irish registered VASP outsources its AML/CFT functions, a documented agreement (for example, a service level agreement) must clearly define the outsourcing service provider's obligations. The VASP should also maintain evidence of sufficient oversight or be able to provide evidence of assurance testing.
  • Presence in Ireland
The Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank.
  • Pre-Approval Controlled Function (PCF)
Individual Questionnaires (IQs) for each proposed PCF role holder are to be submitted as soon as practical.


How RegSol Can Help

As a leading provider of regulatory compliance solutions to SMEs operating in Ireland, RegSol assists firms applying to the Central Bank for registration/authorisation and in developing effective AML/CFT frameworks.

With a number of VASPs already availing of RegSol CEO, AnneMarie’s expertise, her extensive experience in both advising firms and drafting tailored, compliant AML/CFT business risk assessments and policies and procedures, means she is well placed to guide VASPs through the Central Bank’s registration application process in an efficient and time sensitive manner.

To see how RegSol can assist your firm please contact us at info@regsol.ie
EBA issues guidance on the Role & Responsibilities of the AML Compliance Officer
June 2022

On 14th June 2022 the EBA published guidance on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer.

Frequently we have seen references to a European wide approach to AML/CFT (Anti Money Laundering / Countering the Financing of Terrorism). The aim of these guidelines is to “….create a common understanding, by competent authorities and credit or financial institutions, of credit or financial institutions’ AML/CFT governance arrangements. A common understanding, which is applied consistently and enforced as necessary, is key to strengthening the EU’s AML/CFT defences.”

The guidelines come into effect from 1st December 2022.

They are very comprehensive, running to 54 pages and they examine in detail the following:

  • The role of the management body in its supervisory function and management function in the AML/CFT framework.
  • Identification of the member of the management body responsible for AML/CFT.
  • Identification of a senior manager responsible for AML/CFT where no management body is in place.
  • Tasks and role of the member of the management body or senior manager responsible for AML/CFT.
Section 4.2 looks at the role and responsibilities of the AML/CFT compliance officer from their appointment, the skills and experience they should have in addition to the tasks they must complete and includes reference to outsourcing.

Section 5 has a list of additional documents, a summary of the Views of the Banking Stakeholder Group (‘BSG’) and Feedback on the public consultation and on the opinion of the BSG.

While reference is made to credit and financial institutions in the document, it provides useful information and guidance. As many of our readers will be aware, there is a positive obligation on Designated Persons to have a business wide risk assessment in place which covers all the AML/CFT and financial sanctions which their business may be exposed to. Included in the requirement is a specific reference to publications from the ESAs – European Supervisory Authorities. The EBA (European Banking Authority) is one of these.

While we have provided an overview above, the link to the full document is here:

Guidelines on AMLCFT compliance officers.pdf (europa.eu)
Legal Entity Identifiers for Passporting Retail Intermediaries
June 2022

From 1st July 2022, retail intermediaries that carry out cross border business in an EU Member State are required to have a Legal Entity Identifier (‘LEI’) – in line with EIOPA Guidelines. This applies to retail intermediaries currently availing of an EU passport, and to any retail intermediaries intending to passport in the future.

What is an LEI?

An LEI number is a global reference code which uniquely identifies a legal entity. It is a unique 20-digit global code which enables every legal entity that is party to a financial transaction to be identified in any jurisdiction. The code is assigned to that legal entity for its entire life although it needs to be renewed on an annual basis.

The identification system was introduced in response to the global financial crisis in the 2000s and the LEI codes allow for unambiguous identification of the legal entities, avoiding inconsistency and ambiguity of identification by national codes or by their name.

How to Obtain LEI / Annual Renewal

Retail intermediaries notifying the Central Bank of Ireland of an intention to passport will be required to provide an LEI as part of the Passport Notification Form.

LEI codes are issued through a Local Operating Unit (‘LOU’) accredited by the Global Legal Entity Identifier Foundation (‘GLEIF’) which is responsible for monitoring LEI data quality. A legal entity is not limited to using an LEI issuer in its own country; instead, it can use the registration services of any LOU that is accredited and qualified to validate LEI registrations within its authorised jurisdiction(s). A list of all LOUs may be found here.

Each legal entity is required to recertify its LEI annually to ensure the data is correct.
Central Bank Publishes Intermediary Times June 2022 Issue
June 2022

The 'Intermediary Times', the Central Bank’s newsletter published twice a year, includes regulatory issues that retail intermediary firms need to be aware of in improving their standards of compliance.

In this latest edition the Central Bank of Ireland covers many items including:

  • Amendments to the list of Pre-Approval Controlled Functions; (also see RegSol’s article here)
  • A new Legal Entity Identifier requirement for some types of retail intermediaries; (see RegSol’s article here)
  • New features of the Central Bank Portal;
  • Updates relating to the Sustainable Finance Disclosure Regulations (SFDR);
  • An overview of the Consumer Protection Outlook Report 2022; (see RegSol’s article here)
  • Implications for Insurance Intermediaries of the new insurance regulations relating to Differential Pricing; (see RegSol’s article here)
  • Learnings relating to Authorisations and the Fitness and Probity (F&P) Assessment; and
  • Recent Central Bank publications relevant for retail intermediaries:
    • Use of Exempt Ancillary Insurance Intermediaries in the Insurance Sector; and
    • Structured Retail Products. (see RegSol’s article here)


Two areas highlighted by the Central Bank in the newsletter which will be of interest to our readers are as follows:

  1. Amendments to the list of Pre-Approval Controlled Functions (PCFs)

Firms are reminded that, for persons performing PCF2B, PCF16 and/or PCF52 before 5th April 2022, an ‘In Situ’ process is available to notify the Central Bank via the PCF In-Situ Return - the Online Reporting System (ONR) whereby an Individual Questionnaire (IQ) is not required - by 30th June 2022.

Persons proposed for these roles after 5th April 2022 must submit PCF applications via the normal process (i.e. submission of an IQ). Those individuals are now subject to the F&P Standards.

  
  2. Authorisation of Retail Intermediaries and the Fitness and Probity (F & P) Assessment

The Central Bank notes that when it is processing authorisation applications for retail intermediaries some PCFs proposed by applicant firms are unable to demonstrate how they meet the F&P Standards. In this regard, the Central Bank highlights the two most common issues identified by it, which are:

  • Applicants not meeting the requirements of Minimum Competency Code 2017 (MCC 2017) (where applicable);
  • Proposed PCFs that do meet the requirements of MCC 2017, but do not meet other aspects of the F&P Standards.

The Central Bank therefore reminds retail intermediary applicants that they are expected to review and familiarise themselves with the F&P Standards, the MCC 2017 and ensure they fully understand how it applies to their firm and ensure that they can demonstrate compliance with it when submitting an application.

For any assistance in applying to the Central Bank for an authorisation, please feel free to contact us at info@regsol.ie

To read the newsletter in full, please see the link below:

Intermediary Times June 2022 (centralbank.ie)

Central Bank seeks to end IBAN discrimination
June 2022

The Central Bank of Ireland has written to, among others, all financial services providers in a bid to end IBAN discrimination and remind firms of their obligations under the Single European Payments Area initiative (‘SEPA’).

This is in response to some firms continuing to refuse to accept non-Irish IBANs (international bank account numbers) - the standard identifier for all SEPA bank accounts - for payments.

The issue of IBAN discrimination has come to a head as hundreds of thousands of customers prepare to switch bank accounts, as KBC and Ulster Bank depart the Irish market. This is because some consumers may opt to switch to a bank that doesn't currently offer an Irish IBAN, such as Revolut.

What is IBAN discrimination?

IBAN discrimination is where a firm (or other entity) refuses to accept a consumer’s SEPA IBAN for euro payments or direct debits. An Irish firm cannot insist consumers open or maintain an Irish bank account for euro transfers.

IBAN discrimination is not permitted under the SEPA regulations.

The Central Bank is concerned that IBAN discrimination creates difficulties for Irish and European consumers and raises barriers to the proper functioning of the payment system.

What is SEPA?

SEPA allows consumers to make cashless euro payments such as direct debits and credit transfers to firms and individuals anywhere within the SEPA area using their IBAN.

So for example, an Irish person with an AIB account should be able to make payments quickly and easily in Germany without having to set up a German bank account, and a German with a German account should be able to do likewise here.

SEPA includes all 27 EU countries, the UK, and eight other European countries (Norway, Monaco, Switzerland, etc.).

It was fully implemented in 2014 in the euro area (and by 2016 in non-euro area SEPA countries).

Key takeaways:
  1. Regulated firms cannot refuse to accept from consumers non-Irish IBANs from within SEPA.
  2. IBAN discrimination is unlikely to impact many of RegSol’s clients. However, clients should be mindful of the Central Bank’s announcement particularly in light of the changing Irish banking scene where consumers will be turning to other banking services that may provide them with non-Irish IBANs. Accordingly, if the payment is legitimate (i.e. from an identified consumer) and within SEPA, the non-Irish IBAN should be accepted by firms.
If you are still in any way concerned as to how IBAN discrimination may affect your business, please feel free to contact us at info@regsol.ie
Q&A - Price Walking & Differential Pricing Regulations Commencing 1st July 2022
June 2022

Further to our article in May’s edition of the RegSol newsletter (HERE) on the new Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022 (the Regulations) which come into effect on 1st July 2022, the Central Bank has published the Insurance Regulations Q&A which our clients might find useful to further explain the implications for their business.

As our readers will note, the Regulations, applicable to insurance undertakings and insurance intermediaries, were introduced to benefit consumers and enhance the consumer protection framework. The new requirements impact three key areas:

  1. Pricing: A ban of price walking in home and motor insurance markets - from 1st July 2022, insurance providers cannot charge consumers who are on their second or subsequent renewals a premium that is higher than they would have charged a year one consumer renewing their policy.
  2. Annual Review of pricing practices and policies: Insurance providers are required to review pricing practices and policies for all customers.
  3. Disclosure of additional information to policyholders in relation to automatic renewal arrangements: Insurance providers must notify the customer that the policy will automatically renew if the consumer does not cancel the automatic renewal before a specified date.

The link to the Insurance Q&As can be found here:

Insurance Regulations 2022 - Q+A updated May 2022 (centralbank.ie)
Central Bank of Ireland Enforcement Action - EBS d.a.c. reprimanded and fined €13,400,000 for regulatory breaches affecting tracker mortgage customers
June 2022

On 22nd June 2022, the Central Bank of Ireland reprimanded and fined EBS d.a.c. trading as EBS (‘EBS’) pursuant to its Administrative Sanctions Procedure for a number of significant failings in the treatment of its tracker mortgage customers. There were 2,830 mortgage accounts affected from August 2004 to June 2020.

“The investigation found that EBS failed in its obligations towards its customers under the Code of Practice for Credit Institutions 2001 and Consumer Protection Codes 2006 – 2012 (together the “CPC”). EBS’s failings caused unacceptable harm and loss to those impacted customers over the course of 16 years. Thousands of customers were overcharged and, at the worst end of the scale, customers lost 84 properties, eight of which were family homes. The actions of EBS had devastating consequences for its customers.”

The key findings from the investigation are that EBS:

  • Failed to properly manage its mortgage services to customers
  • Failed to adequately warn customers of the consequences of their decisions relating to their mortgage
  • Failed to provide clear mortgage documentation to customers
  • Failed to handle customer complaints in a fair and consistent manner

For details of the press release and full Enforcement Notice please see links below:

EBS d.a.c. reprimanded and fined €13,400,000 for regulatory breaches affecting tracker mortgage customers

Enforcement Action EBS d.a.c. reprimanded and fined €13,400,000 by the Central Bank of Ireland
Central Bank of Ireland Enforcement Action – Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 for regulatory breaches affecting tracker mortgage customers
June 2022

On 22nd June 2022, the Central Bank of Ireland reprimanded and fined Allied Irish Banks p.l.c. (‘AIB’) €83,300,000 under its Administrative Sanctions Procedure for a series of significant and long-running failings in the treatment of its tracker mortgage customers. There were 10,015 mortgage accounts affected from August 2004 to March 2022 including in some cases the loss of family homes.

A number of failings were identified by the Central Bank:

  • Failed to consider the entitlements of customers when it withdrew the tracker mortgage product
  • Breached customers’ mortgage contracts, delayed in rectifying the breach, and failed to take immediate and conclusive action to determine for these customers the financial implications of its wrongdoing
  • Wrongfully excluded customers’ mortgage accounts from the TME (Tracker Mortgage Examination)
  • Failed to handle customer complaints in a fair and consistent manner
  • Failed to properly manage its mortgage services to customers
  • Failed to properly implement the TME’s Stop the Harm principles

Each of these items is addressed in more detail in the press release and enforcement notice, which are linked below.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has imposed a significant fine on AIB in respect of serious and long running failings in meeting its obligations to its tracker mortgage customers. The consequences of AIB’s prolonged failings were serious and included significant financial strain and distress for those affected and their families.”

For the press release from the Central Bank see link: 

Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 for regulatory breaches affecting tracker mortgages 

For the Enforcement Action Notice please see:

Enforcement Action Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 by the Central Bank of Ireland