RegSol Blog


RegSol Blog Posts

CBI: Ten Year Ban for CEO of Mortgage Intermediary
August 2020

Proving that ducking and hiding is not a good approach with the Central Bank, Mr von Geitz was issued with a Prohibition Notice.

On the 16th of July 2020, the Central Bank of Ireland (CBI) published a Prohibition Notice prohibiting Mr Juerg von Geitz from performing any controlled function in all regulated financial service providers for a period of 10 years from 5th July 2019.

Mr. von Geitz was an Executive Director of The Mortgage Department Limited, which was authorised as a mortgage intermediary under the Consumer Credit Act 1995.  The prohibition arose from the provision of misleading information to the Central Bank on an application for a pre-approval-controlled function (PCF) position at The Mortgage Department Limited.  Mr. von Geitz also failed to cooperate with the investigation conducted by the CBI.

Seana Cunningham, Director of Enforcement and Anti-Money Laundering said: “The Central Bank’s Fitness and Probity Regime seeks to ensure that regulated firms and individuals who work in these firms are committed to high standards of competence, integrity and honesty and are held to account when they fall below these standards.”

Click HERE for more information.



By Éilish Larkin - RegSol Consultant 
Beware the Processing of Third Party Payments: BOI Fined €1.6 M in €106 K Cyber Fraud & for misleading the CBI
August 2020

On the 28th of July the Central Bank of Ireland reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations). The offender, BOI’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), was found to have had serious deficiencies, persisting over a decade, around third-party payments, including: 

  • Inadequate systems and controls to minimise the risk of loss from fraud
  • Inadequate governance, oversight and ongoing review of the systems and control environment
  • Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
  • Lack of compliance monitoring.

By hijacking the client’s account and using social engineering techniques such as mirroring the client’s own terminology, the cyber fraudster issued two separate payment instructions to BOI’s subsidiary totalling €106,430. BOI’s subsidiary nevertheless processed these payments, despite the instructions being signed off with an entirely different name from that of the client. In addition, the following red flags should have been picked up:

  • incorrect telephone details; 
  • the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; 
  • and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.
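The red flags above are exactly the kind of rule a pre-payment screening control can apply before a third-party instruction is released. The following Python is an added illustration (not BOI’s or the Central Bank’s code); the client record, instruction fields, the €25,000 "substantial" threshold and the two-day window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed threshold for a "substantial" transfer and the look-back window
# from the press release ("within two days of an initial substantial transfer").
SUBSTANTIAL_AMOUNT = 25_000.0
WINDOW_DAYS = 2


@dataclass
class Client:
    name: str
    phone: str          # telephone details held on file
    residence: str      # ISO country code of the client's residence
    balance: float      # current account balance at screening time


@dataclass
class Instruction:
    ref: str
    signatory: str      # name the instruction is signed off with
    contact_phone: str  # telephone details quoted on the instruction
    amount: float
    beneficiary_country: str
    received: date


def _norm_name(name: str) -> str:
    return " ".join(name.lower().split())


def _digits(phone: str) -> str:
    return "".join(ch for ch in phone if ch.isdigit())


def screen_instruction(client: Client, instr: Instruction, history: list) -> list:
    """Return the list of red flags raised by one payment instruction.

    `history` holds earlier instructions already processed on the same account.
    An empty list means no flag was raised.
    """
    flags = []
    if _norm_name(instr.signatory) != _norm_name(client.name):
        flags.append("signatory name does not match the account holder")
    if _digits(instr.contact_phone) != _digits(client.phone):
        flags.append("telephone details differ from those held on file")
    if instr.beneficiary_country != client.residence:
        flags.append("funds remitted to a jurisdiction other than the client's residence")
    recent_large = [
        h for h in history
        if h.amount >= SUBSTANTIAL_AMOUNT
        and 0 <= (instr.received - h.received).days <= WINDOW_DAYS
    ]
    if instr.amount >= SUBSTANTIAL_AMOUNT and recent_large:
        flags.append("second substantial transfer within two days of an initial one")
    if instr.amount > client.balance:
        flags.append("amount exceeds the balance on the account")
    return flags


def decide(flags: list) -> str:
    """Any flag holds the payment for an out-of-band callback to the client."""
    return "HOLD FOR CALLBACK" if flags else "PROCESS"


# Constructed sample data (not the real client, amounts or dates from the case).
CLIENT = Client(name="Jane Doe", phone="+353 1 555 0100", residence="IE", balance=40_000.0)
FIRST_INSTRUCTION = Instruction("PAY-001", "Jane Doe", "+353 1 555 0100",
                                55_000.0, "IE", date(2020, 1, 4))
# Second instruction from the hijacked mailbox: wrong name, wrong phone,
# foreign beneficiary, two days after a large transfer, and above the balance.
SECOND_INSTRUCTION = Instruction("PAY-002", "John Smith", "+44 20 7946 0000",
                                 51_430.0, "GB", date(2020, 1, 6))
GENUINE_INSTRUCTION = Instruction("PAY-003", "jane doe", "+353-1-555-0100",
                                  1_200.0, "IE", date(2020, 2, 1))


def run_demo() -> tuple:
    flags = screen_instruction(CLIENT, SECOND_INSTRUCTION, [FIRST_INSTRUCTION])
    return flags, decide(flags)


if __name__ == "__main__":
    flags, decision = run_demo()
    for f in flags:
        print("-", f)
    print(decision)
```

Name and phone matching is deliberately tolerant of case and punctuation so that a genuine instruction is not held on a formatting difference alone.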

Aggravating factors include the very serious matter of not reporting the fraud to An Garda Síochána and the Revenue Commissioners, and failing to be open and transparent with the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the incident, which identified ongoing systemic control failings in the processing of third-party payments. 

For more on this read the CBI’s full press release HERE.


By Judy de Castro - Regulatory Consultant
PSRA: Successful Unlicensed Prosecution by the Property Services Regulatory Authority
August 2020

On 2nd July 2020, Oriel Property Management Limited was convicted at Dundalk District Court of a breach of Section 28 of the Property Services (Regulation) Act 2011, following a prosecution by the Property Services Regulatory Authority (PSRA) for providing property services without a licence. 

Oriel Property Management were fined €2,500 and must also pay the Property Services Regulatory Authority’s costs.

The PSRA’s Chief Executive, Ms Maeve Hogan, speaking following the court case said, “The PSRA has zero tolerance for property services providers operating without a licence…” 

For the full press release click HERE.


By Éilish Larkin - Regulatory Consultant
PSRA: Four-Month Extension Granted
August 2020

The Property Services Regulatory Authority (PSRA) has announced the commencement of S.I. No. 162 of 2020, Property Services (Regulation) Act 2011 (Section 95) (Extension of Licences) Regulations 2020. 

The introduction of these Regulations grants a four-month extension to licences due to expire between 7 May 2020 and 31 August 2020. Granting the four-month extension acknowledges the practical difficulties for licensees in fully complying with licence renewal requirements and therefore enables the sector to continue to trade legally during the Covid-19 emergency. 

The licence extension will be subject to the availability of the required level of Professional Indemnity Insurance (PII).

See the Statutory Instrument HERE.


By Judy de Castro - Regulatory Consultant
Credit Unions in the News
August 2020

On the 17th of July 2020, the Central Bank of Ireland issued a press release regarding the appointment of joint liquidators to Drumcondra and District Credit Union.

In summary:

  • Action taken in the best interests of members and the broader public
  • Full Resolution Report and Affidavit released
  • Deposit Guarantee Scheme has made pay-outs to most eligible depositors
  • The action taken is not related to the exceptional circumstances of COVID-19

For more information please click HERE.


By Éilish Larkin - Regulatory Consultant
COVID-19 – Payment Breaks in Credit Unions: Circular issued by the Central Bank of Ireland, June 2020
August 2020

The Central Bank of Ireland has been in contact with the boards of all credit unions throughout the pandemic at various times.  The letter in June was regarding payment breaks offered to members who may be experiencing difficulties in paying their loans at this time.

In summary the CBI expects:

  1. Credit unions act in a way that protects the best interests of borrowers.
  2. Credit unions give appropriate support to borrowers who have been affected by COVID-19.
  3. Payment breaks should be a generally available option to affected borrowers, including those borrowers already in financial distress. 
  4. Credit unions are operationally ready and prepared to engage with borrowers during, or at expiry of, the payment break in order to identify whether or not the borrower requires further support, and if so, to consider appropriate and sustainable solutions, as soon as possible.
  5. Credit unions are fully transparent and clear to borrowers as to what will happen after the term of the payment break, including setting out the available options to repay the loan and the full costs of the payment break. 
  6. Credit unions have board approved plans to deliver an assessment of all borrowers on payment breaks to ensure that appropriate and sustainable solutions are identified in a timely manner for those borrowers who are not able to return to paying full capital and interest at the end of the payment break. 
  7. The prioritisation of borrower engagement, assessment and determination of an appropriate and sustainable solution should be determined by the risk profile of the borrower.  
  8. The level of distress in the credit unions’ loan books should be prudently considered and be reflected in provisioning levels. 
  9. Sufficiently granular and timely reporting of the take-up of payment breaks across borrower type and sector should be readily available and used to inform key decision-making processes in credit unions.

For the full circular from the Registrar please click HERE.


By Éilish Larkin - Regulatory Consultant
Game Changer? The Consumer Insurance Contracts Act 2019
August 2020

On 17 July 2020, the Minister for Finance, Paschal Donohoe T.D., announced that the Consumer Insurance Contracts Act 2019 (the Act) will be commenced in two stages, with some provisions taking effect from 1 September 2020.

To some relief, some of the most burdensome provisions will not take effect until 1 September 2021, giving insurers time to prepare. These include a revised duty of disclosure, enhanced consumer rights on renewal and changes to the duties imposed on consumers and insurers on renewal.

All other provisions under the Act will apply from 1 September 2020, including those dealing with:

  • the principle of insurable interest;
  • cooling-off periods and cancellation rights;
  • post-contractual duties;
  • claims-handling duties and related requirements, including specific limitations on deferring property claims payments and proportionate remedies;
  • the replacement of warranties with the concept of "suspensive conditions"; and
  • changes to subrogation and third-party rights. 

The changes introduced by the Act mean that all insurers (life and non-life) operating consumer business in Ireland must review and update all proposal forms, policies and related documentation, as well as the manner in which pre and post-contractual processes operate. 

Insurers, and indeed all impacted market participants including brokers, should progress their implementation projects as a matter of urgency. 

The Central Bank of Ireland may, under the power granted to it by Section 5 of the Act, issue a code of practice on the form of a contract of insurance and/or any other requirements related to such a contract contained in the Act. It remains to be seen whether this will take the form of a revision of the Central Bank’s Consumer Protection Code 2012.

Although these provisions may increase the cost of compliance, RegSol is here to assist in taking the pain out of compliance assurance. Contact us for assistance to ensure you’re ready for regulatory change.


By Judy de Castro - Regulatory Consultant
CBI’s Dear CEO Letter for Investment firms: unregulated activities
August 2020

The Central Bank of Ireland (‘CBI’) has outlined its expectations with respect to the offering of products and services considered to be outside the scope of regulation in its Dear CEO letter to the industry. There is, it says, a significant risk that clients may misunderstand the protections afforded to them when investing in unregulated products, and firms must act “fairly, professionally and in the best interests of their clients at all times.”

The minimum requirements in this regard are:

  • Communication of the regulatory status of products/services to clients at every stage of the sales process, to aid transparency and avoid implying these are regulated where they are not
  • Appropriate disclosures and risk warnings on all materials, including for example that compensation schemes are not applicable because the product is out of scope of regulation

Affected firms should ensure these requirements are communicated to their Boards and that necessary measures are taken to ensure controls and processes adhere to the CBI’s expectations. 

Click HERE to see the CBI’s Dear CEO Letter in full.


By Judy de Castro - RegSol Consultant
Cross Border Data Transfers: Schrems II Judgement Day: David vs Goliath
August 2020

For those of you who have been following the epic battle between Max Schrems, the Austrian privacy activist and lawyer who is in our view “David”, and the “Goliath” that is Facebook (within the context of the United States surveillance framework), judgement came on the 16th of July. 

This concerns a complaint brought by Mr Schrems to the Irish Data Protection Commissioner, who referred the matter to the European Court of Justice. The matter relates to the transfers of Schrems’ personal data by Facebook Ireland to Facebook Inc. in the US. If you use Google Analytics, G Suite, Microsoft, Twitter, LinkedIn, etc., chances are EU data subjects’ personal data is flowing to servers in the US under the US Privacy Shield and is affected by this. 

In a nutshell the ECJ has declared:  

  • The EU-U.S. Privacy Shield is invalid (the legal mechanism for transferring personal data from the European Economic Area (EEA) to the US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers. 

What should we do now?

  • U.S. and EU companies that relied on the Privacy Shield should consider alternate methods of cross-border data transfer, such as the SCCs or binding corporate rules, or the applicability of the Article 49 derogations. 
  • Immediately re-evaluate data transfers with third parties into third countries under SCCs. Review your record of processing and risk assessments. Monitor further guidance from the EU Commission, the European Data Protection Board (EDPB) and the Data Protection Commission. If you were relying on the Privacy Shield, you need to find other ways to permit data transfers into the United States or should consider locating data processing operations, such as servers, in the European Union. Other methods of cross-border data transfer include the SCCs or establishing Binding Corporate Rules (Art. 47 GDPR). 

Problems for the future?

We foresee issues with enforcement. Looking at the United States, should a dispute arise, even if the parties agree on the jurisdiction of the courts in the EU, the US is not a signatory to the Hague Convention, so can we ever confidently say an EU data subject’s data is protected in the US?


Click HERE to view the judgement.


By Judy de Castro - Regulatory Consultant

ECJ imposes €2m fine on Ireland over AML Directive Delays
August 2020

The European Union’s top court, the European Court of Justice (ECJ), ordered Ireland on the 16th of July to pay a lump sum of €2 million to the European Commission for failing to implement in full, within the prescribed period, regulations aimed at preventing money laundering and terrorist financing.

Romania was also hit with a fine of €3 million in the judgment.

The judgement relates to implementation of Directive 2015/849, the 4th EU AML Directive. Member states are provided with an appropriate lead-in time to implement EU regulations. In this case, the Directive required member states to comply with the relevant administrative provisions by 26 June 2017. Ireland implemented most of these provisions more than a year later, in November 2018.

So, on 27 August 2018, the Commission brought actions against Ireland and Romania before the ECJ for failure to fulfil their obligations. Ireland and Romania argued that the fines sought by the European Commission were unjustified and disproportionate.

But the court ruled that even though the countries had since complied with the rules, there was an undue delay in fulfilling their obligations.

With Ireland already late in transposing directive 2018/853, the 5th EU AML Directive, on the 10th of January of this year, Ireland could expect to pay another hefty fine in due course. The Commission has already issued Ireland with a formal notice.

To view the ECJ press release click HERE.


By Judy de Castro - RegSol Consultant


Pandemic Impact – It’s the little things!
August 2020

Here in Roscommon, it is something similar in terms of the roller coaster of emotions mentioned by Judy.  Covid-19 has impacted every aspect of life and changed most experiences.  There is no such thing as a quick trip to the shop for a few bits and pieces.  

Queues (which I associated with Dublin) and hand sanitiser are everywhere, not to mention masks.   Smaller premises have signs on the door limiting the number of customers that can be inside at any one time.  The easing of restrictions has allowed me to meet all the RegSol team last week in person while following all the guidelines.  

In addition to the challenges completing everyday tasks such as shopping there is the added use of technology which brings its own issues.  The advances that have been made mean a lot of people can work remotely and “Zoom calls” are a key part of keeping in touch for business and in personal life.  On the flip side, the pandemic has been a paradise for many scam artists as not everyone is up to speed regarding the dos and don’ts of technology.  

As I settle back into life in the West (having joined RegSol and left Dublin mid pandemic) I look forward to working with the team and meeting new and existing clients in the “new normal”.  The new desk looks out over fields and trees and my washing line, all I need now is some more sunshine!!!


By Éilish Larkin - Regulatory Consultant

Lockdown Blues: Overcoming Division
August 2020

During this COVID-19 Global Emergency, I have felt overwhelmed, exhausted, exasperated, elated, and caught between division and uncertainty. Like a pendulum, I’m longing to jump on a plane to escape to the sea, sun, warmth of the sun on the continent to see my relatives, and then flip-flopping, looking to batten down the hatches on this island and sterilise my door handles, my hands,  my children. 

I want to hug friends and socialise to my heart’s content but then I want to retreat into isolation and social distance. 

This I think is reflected in the division surrounding my village in Malahide. Fingal County Council has recently closed off and pedestrianised New Street, the main artery into the village, where the famed Gibney’s is a household name and many restaurants and cafes adorn the street. 

Locals are at the very least not amused with this closure; and some local businesses have set up a rival Facebook page to “Save Malahide Village” from pedestrianisation. Villagers have posters poking out of windows, doors, shop windows protesting the green initiative. 

Whereas before local social media would chastise those who would not keep their distance, this has now been replaced with jibes and questions of loyalty boiling down to one question: “Are you for the pedestrianisation of New Street or are you against it?” I think I will batten down the hatch on this one, thanks!


By Judy De Castro - Regulatory Consultant


DPC Regulatory Activity 2018-2020
July 2020

The DPC has published a two-year Regulatory Activities report under the GDPR covering the range of its regulatory tasks over the period 25 May 2018 to 25 May 2020.

From 25 May 2018 to 25 May 2020, the DPC:

  • received in excess of 40,000 emails, 36,000 phone calls and 8,000 postal contacts;
  • opened 15,025 cases in support of individuals’ rights;
  • concluded 80% of cases opened (so far); and
  • reduced conclusion times for cases (average days taken to conclude a case or query down by 53% over two years).

Since 25 May 2018, the most frequent GDPR topics for queries and complaints have consistently been: Access Requests; Fair processing; Disclosure; Right to be Forgotten (delisting and/or removal requests); Direct marketing and Data Security. 

Figures indicate that the DPC is dealing with high volumes of cases that are potentially resolvable at a data controller/Data Protection Officer level.

  • Total breach notifications received between 25 May 2018 and 25 May 2020: 12,437.
  • 93% classified as relating to GDPR (11,567 notifications).
  • Of the 12,437 total recorded breach cases, 94.88% concluded (11,800 cases).

The most frequent cause of breaches reported to the DPC is unauthorised disclosure (80%). Human error is at the root of far more reported breaches than phishing, hacking or lost devices (5.6% collectively). 

Figures indicate that the DPC is dealing with breaches that could be mitigated by more robust technical and organisational measures.

Click HERE to view the full report.

By Judy de Castro - Regulatory Consultant


CBI’s Governor on COVID-19 and Protection of the Consumer
July 2020

On 24th of June the Governor of the Central Bank, Gabriel Makhlouf, published his reflections on the CBI’s approach to protecting consumers in terms of price stability, resilient financial institutions and Codes of Conduct and Culture, available HERE to view.

By Judy de Castro - Regulatory Consultant

CCPC: Simplified Merger Notification Procedure Regime to Commence on 1 July 2020
July 2020

The introduction of a simplified merger notification procedure is expected to reduce the time and resources required of businesses, as notifying parties will be exempt from providing certain information when filing mergers or acquisitions which do not raise significant competition concerns. 

The new simplified merger notification procedure will not replace the current procedure, but will facilitate more efficient review of mergers that do not raise competition concerns.

The Simplified Merger Notification Procedure Guidelines provide a detailed overview of the criteria that must be satisfied for a merger or acquisition to fall within the scope of the simplified merger notification procedure. 

They also set out the procedural provisions including: pre-notification discussions, the publication of notice of a notified proposed transaction, and the determination process under the simplified merger notification procedure.

Click HERE to view the guidelines. 


By Judy de Castro - Regulatory Consultant
CBI Enforcement Action: Rory O'Connor
July 2020

On 9 June 2020, the Central Bank of Ireland (the Central Bank) reprimanded Mr O’Connor, disqualified him from being a person concerned in the management of a regulated financial service provider for a period of 8 years 4 months, and imposed a fine of €70,000 for his admitted participation in RSAII’s failure to maintain sufficient technical reserves from February 2010 to 30 September 2013 (the Relevant Period). 

This enforcement action against Mr O’Connor follows a separate investigation conducted by the Central Bank in respect of RSAII, at the conclusion of which the Central Bank reprimanded RSAII and imposed a financial penalty of €3.5 million in December 2018.

Click HERE to view the full report.

By Judy de Castro - Regulatory Consultant
Central Bank announces updates to Retail Intermediary Authorisation Process on 26 May 2020
July 2020

Submission of Retail Intermediary Applications for Authorisation.

An applicant seeking authorisation or registration as a retail intermediary under:

  • The Investment Intermediaries Act 1995 (as amended) (the IIA);
  • The European Union (Insurance Distribution) Regulations 2018 (the IDR);
  • The Consumer Credit Act 1995 (as amended)(the CCA); and/or
  • The European Union (Consumer Mortgage Credit Agreements) Regulations 2016 (the CMCAR)

should submit its application for authorisation or registration in electronic format to the Central Bank via its secure file transfer system. Access to this system can be requested via email to RIAuthorisations@centralbank.ie.  

The submission of a hard copy version of the application will no longer be required.


By Judy de Castro - Regulatory Consultant
COVID-19 and Cyber Crime: What to Watch Out For
July 2020

On the 31st of March the EBA published a statement on actions to mitigate financial crime risks in the COVID-19 pandemic. The document discusses, at a supervisory level, the actions competent authorities should take in urging credit and financial institutions to put in place effective internal controls and systems to ensure the EU’s financial system is not abused by crime. 

On the 27th of March, Europol published a report on how criminals have adapted to the COVID-19 pandemic. It is based on information Europol receives from the EU Member States on a 24/7 basis and intends to support Member States’ law enforcement authorities in their work. According to the report, the number of cyber-attacks is significant and expected to increase further. 

Cybercriminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic. They may expand their activities to include other types of online attacks. Cybercriminals are likely to seek to exploit an increasing number of attack vectors as a greater number of employers adopt telework and allow connections to their organisations’ systems.

Our Top 5 Tips:

  1. Update your AML-CTF Risk Assessment and any other relevant policies, internal controls or systems
  2. Train staff
  3. Calibrate transaction monitoring to recognise patterns in areas known to be impacted by COVID-19 but still yielding uncharacteristically large or unchanged profit flows
  4. Maintain ongoing monitoring of impacted industries such as pharmaceutical or medical supply equipment
  5. Risk assess your own IT systems and work-from-home arrangements for resilience against cyber attack

Click HERE to read EBA's statement. 

Click HERE to read the Europol Report.

By Judy de Castro - Regulatory Consultant
EU Commission Urges 8 Member States to Fully Transpose MLD5
July 2020

On 14 May 2020, the European Commission sent a letter of formal notice to Ireland (along with seven other EU member states: Belgium, Czech, Estonia, Ireland, Greece, Luxembourg, Austria, Poland and the UK) for having only partially transposed the Fifth Anti-Money Laundering Directive EU/2018/843 ("MLD5"). 

The deadline for transposition into national law was 10 January 2020. 

The General Scheme of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which was to implement MLD5 in Ireland, was published in January 2019 but has not yet progressed any further. 

Other than the provisions relating to Beneficial Ownership, Ireland has yet to implement the measures contained in MLD5. 

In the letter of formal notice, the Commission encourages the relevant EU member states to transpose all aspects of MLD5 urgently. 

Without a satisfactory response from the relevant EU member states (a letter of formal notice requests an explanation of the alleged breach of EU law) within four months, the Commission may send a reasoned opinion.


By Judy de Castro - Regulatory Consultant
Data Protection Commission Fines Tusla
July 2020

On the 21st of May 2020, Tusla was issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules. 

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

The fine for the three breaches totalled €75,000.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

By Judy de Castro - Regulatory Consultant
Data Protection Commissioner Issues Draft Decision Against Twitter
July 2020

The Irish Data Protection Commission (DPC) submitted a draft decision on the 22 May to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. 

This was initiated by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies, including WhatsApp Ireland Limited. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency, including transparency around what information is shared with Facebook.

By Judy de Castro - Regulatory Consultant

Guidance Note on Cookies and Other Tracking Technologies issued April 2020
July 2020

The DPC will allow a period of six months from the publication of this guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

As a rule, natural persons may be associated with online identifiers provided by their devices, including cookie identifiers and tags. These may leave traces which, combined with other unique identifiers and other information received by servers, may be used to create profiles of those natural persons and identify them; in other words, they are personal data. 

Analytics cookies are used as a measuring tool for websites, including to provide information on the number of unique visitors and the pages they browse during their visits; in combination with other data they may identify a user and therefore require consent. 

For further guidance, please click HERE.

By Judy de Castro - Regulatory Consultant


CBI’s unofficial Consolidation of Consumer Protection Code
July 2020

In March 2020, the CBI consolidated the CPC, but with a health warning: the document available in the link below is an unofficial consolidation of the Consumer Protection Code 2012, as it stood revised from 1 January 2015. 

The document has been prepared by the Central Bank of Ireland for ease of reference only and is not a legal document.

Click HERE to view the document.

By Judy de Castro - Regulatory Consultant
Omnibus Directive: New Protections for Consumer Rights
July 2020

A key part of the EU’s New Deal for Consumers entered into force earlier this year: The Omnibus Directive, which strengthens consumer rights through enhanced enforcement measures and increased transparency requirements.

Key changes introduced by the new Directive are:

  • A requirement for increased transparency online, in particular for search result rankings, fake reviews, endorsements and personalised pricing.
  • The extension of consumer rights to “free” digital content and services.
  • Fines and enforcement powers: fines of up to 4% of the trader’s annual turnover in the Member State (or Member States) where the breach occurred, or EUR 2 million in cases where information on turnover is not available, with individual Member States able to introduce even higher fines.

EU Member States have two years to transpose these new rules: national implementation measures must be adopted by 28 November 2021 and in force by 28 May 2022.

By Judy de Castro - Regulatory Consultant
New PII Limits Imposed from June 12th 2020
July 2020

Professional Indemnity Insurance (PII) is seen by the Central Bank of Ireland as a key prudential and consumer protection safeguard. From the 12th of June 2020 the required amount of cover will change.  

This change has come about under Commission Delegated Regulation (EU) 2019/1935.

The new requirements are: €1,300,380 per claim and €1,924,560 in aggregate.

This change applies to intermediaries authorised under both the Insurance Distribution Regulations (IDR) 2018 and the Investment Intermediaries Act 1995.

Brokers should confirm with their PII provider that their cover will be amended in line with the new requirements.

Click HERE to read the Brokers Ireland Announcement.

By Judy de Castro - Regulatory Consultant
CCPC: Unfair Terms in Consumer Contracts
July 2020

The Competition and Consumer Protection Commission (CCPC) has produced guidelines to assist businesses in navigating contractual terms, outlining potential pitfalls for consumers.

The unforeseen nature of the COVID-19 situation has brought about unprecedented circumstances and, as a result, businesses may be considering changing the terms and conditions in their standard form contracts, particularly in relation to cancellations, rescheduling and refunds.

The CCPC is concerned that businesses may change or add additional terms and conditions in existing consumer contracts, without advance notification to consumers or an opportunity for them to exit the contract without penalty if they do not wish to accept the business’ proposed change.  

Seeking to bind existing consumers to new or amended terms without the consumer’s agreement constitutes an unfair commercial practice under the Consumer Protection Act 2007.

Click HERE to view the link.

By Judy de Castro - Regulatory Consultant
EDPB Statement on data subject rights in connection to the state of emergency in Member States
June 2020

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. 

The statement was issued by the EDPB after the adoption by the Hungarian government of a decree on 4 May 2020. As per this decree, “… all measures following data subject’s request exercising the rights based on Articles 15 to 22 of the GDPR are suspended until the end of the state of danger …”

The statement outlines that data protection does not impede the fight against the COVID-19 pandemic, and that Article 23 of the GDPR allows, under specific conditions, restrictions by way of legislative measures to the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34.

A restriction must be one that “… respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State, in particular public health.”

The EDPB is very clear that “… even in these exceptional times, the protection of personal data must be upheld in all emergency measures …”

It is evident that, while we deal with this unexpected pandemic, the rights enshrined in the GDPR must be complied with by data controllers and processors, and any restrictions must be limited in their duration and scope.

The EDPB has issued various statements since the pandemic began, and the tone of all of them is that the pandemic does not allow the rights detailed in the Charter of Fundamental Rights of the European Union and under the GDPR to be swept aside in order to tackle COVID-19.

To read the article in full click HERE

To read all of the EDPB’s articles and statements visit HERE


By Éilish Larkin - Regulatory Consultant
ESMA Guidelines - On certain aspects of the MiFID II Compliance Function Requirements
June 2020

The role of the compliance officer has been that of an independent assurance function that reports to the Board and provides balanced, impartial advice. It should be sufficiently resourced, with clearly defined roles and responsibilities and with access to the information and personnel needed to coordinate the management of compliance risk across the organisation.

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, published the final guidelines on the MiFID II compliance function on 5 June. These guidelines replace the ESMA guidelines on the same topic issued in 2012 and include updates that clarify the new MiFID II compliance function requirements.

These guidelines apply from two months after the date of publication of the guidelines on ESMA’s website in all EU official languages.

While the objectives and principles of the compliance function remain unchanged, the obligations have been further strengthened. The guidelines will clarify responsibilities in relation to MiFID II’s product governance requirements, notably by further detailing the reporting obligations of the compliance function.

The guidelines also provide a comprehensive roadmap for any compliance professional wishing to ensure that their role is effective and a beacon of assurance for their Board and Senior management team.

Points worth noting for all compliance professionals are:

  • Conducting a regular risk-based assessment, the output of which is used to create an effective risk-based compliance monitoring programme with the aim of ensuring the firm’s business is conducted in line with its licence, policies, procedures and internal controls.
  • Using suitable tools and methodologies for monitoring activities; those that could be used by the compliance function include (but are not limited to):
    • the use of aggregated risk measurements (for example, risk indicators);
    • the use of (additional) reports warranting management attention, documenting material deviations between actual occurrences and expectations (exceptions report) or situations requiring resolution (issues log);
    • targeted trade surveillance, observation of procedures, desk reviews, interviews of relevant staff and/or, where necessary and at the discretion of the compliance function, of a relevant sample of the firm’s clients.
  • Reporting on findings, to include a summary of the major findings of the review of policies and procedures, including risks identified in the scope of the compliance function’s monitoring activities; breaches and deficiencies in the firm’s organisation and compliance process; and the number of complaints received in the period under review, if not already reported through other sources.
  • Promoting a ‘compliance culture’ throughout the firm, which should be supported by senior management. The purpose of the compliance culture is not only to establish the overall environment in which compliance matters are treated, but also to engage staff with the principle of improving investor/consumer protection as well as mitigating systemic risks.

The ESMA Guidelines document can be found HERE.

By Judy de Castro - Regulatory Consultant
Business continuity: Property Service Providers
June 2020


The Joint Sector Protocol for Property Services Providers is intended to consolidate practical guidance available on how to safely manage business continuity during the COVID-19 pandemic. 

It relates only to property services providers (PSPs) and the valuation sector and how they can safely engage with clients and members of the public. 

The document is available HERE.

By Judy de Castro - Regulatory Consultant

New PII Limits Imposed from June 12th 2020
June 2020

Professional Indemnity Insurance (PII) is seen by the Central Bank of Ireland as a key prudential and consumer protection safeguard. From the 12th of June 2020 the required amount of cover will change.  

This change has come about under COMMISSION DELEGATED REGULATION (EU) 2019/1935.

The new requirements are: €1,300,380 per claim and €1,924,560 in aggregate.

This change applies to intermediaries authorised under both the Insurance Distribution Regulations (IDR) 2018 and the Investment Intermediaries Act 1995.

Brokers should confirm with their PII provider that their cover will be amended in line with the new requirements.

Click HERE to read the Brokers Ireland Announcement.

By Éilish Larkin - Regulatory Consultant
Omnibus Directive: New Protections for Consumer Rights
June 2020

A key part of the EU’s New Deal for Consumers entered into force earlier this year: The Omnibus Directive, which strengthens consumer rights through enhanced enforcement measures and increased transparency requirements.

Key changes introduced by the new Directive are:

  • A requirement for increased transparency online, in particular for search result rankings, fake reviews, endorsements and personalised pricing.
  • The extension of consumer rights to “free” digital content and services.
  • Fines and enforcement powers: fines of up to 4% of the trader’s annual turnover in the Member State (or Member States) where the breach occurred, or EUR 2 million in cases where information on turnover is not available, with individual Member States able to introduce even higher fines.

EU Member States have two years to transpose these new rules: national implementation measures must be adopted by 28 November 2021 and in force by 28 May 2022.

EU consumer legislation applies to traders targeting consumers in the EU, regardless of the trader’s location. Online traders worldwide will need to use this two-year window to ensure their EU-facing practices comply and mitigate the risk of fines.

By Judy de Castro - Regulatory Consultant
Belgian DPA issues €50,000 fine for DPO’s Conflict of Roles
June 2020

On 28 April 2020, the Belgian Data Protection Authority (“DPA”) fined a Belgian company €50,000 for breach of Article 38(6) of the GDPR:

“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”

The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance.

The Litigation Chamber stated that the administrative fine was not imposed with the intention to terminate the violation, but rather with a view to vigorously enforce the rules of the GDPR. In this respect, the Litigation Chamber specified that, although there was no element showing an intentional infringement, there was serious negligence on the part of the defendant. 

The Article 29 Working Party Guidelines for Data Protection Officers explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is an essential conflict of interest. The role of departmental manager is thus inconsistent with the function of DPO, who must be able to perform his or her tasks independently.

The fact that the same person acts as data controller for each of the three departments concerned on the one hand, and as Data Protection Officer on the other, means that the DPO function lacks independence.

By Judy de Castro - Regulatory Consultant
EU Commission urges 8 Member States to fully transpose MLD5
June 2020

On 14 May 2020, the European Commission sent a letter of formal notice to Ireland (along with Belgium, the Czech Republic, Estonia, Greece, Luxembourg, Austria, Poland and the UK) for having only partially transposed the Fifth Anti-Money Laundering Directive EU/2018/843 ("MLD5"). The deadline for transposition into national law was 10 January 2020.

The General Scheme of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which was to implement MLD5 in Ireland, was published in January 2019 but has not yet progressed any further. Other than the provisions relating to Beneficial Ownership, Ireland has yet to implement the measures contained in MLD5. 

In the letter of formal notice, the Commission encourages the relevant EU member states to transpose all aspects of MLD5 urgently. A letter of formal notice requests an explanation of the alleged breach of EU law; without a satisfactory response from the relevant EU member states within four months, the Commission may send a reasoned opinion.

This would state the reasons why the Commission believes that the EU member state is in breach of its EU law obligations and forms the basis of the Commission's case in any subsequent infringement court case against the EU member state. A third stage of the process is a referral to the Court of Justice of the EU.

By Judy de Castro - Regulatory Consultant
EDPB Publishes Updated Guidelines on Consent
May 2020

The European Data Protection Board (EDPB) published updated Guidelines on Consent under the GDPR on 5 May 2020, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on:

  • data subject consent in relation to cookie walls (which are not allowed), and
  • scrolling or swiping through a webpage or similar actions (which do not constitute valid consent).

The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.

Cookie Walls

The EDPB clarifies that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent to the use of their data for additional purposes. In order for consent to be “freely given”, as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment (i.e. device) of a user (so-called cookie walls).

Unambiguous indication of Wishes

The EDPB also confirms that scrolling or swiping through a webpage, or similar user activity, does not constitute clear affirmative action that meets the conditions for valid consent under the GDPR.

Click HERE to see the document.

By Judy de Castro - Regulatory Consultant
Data Protection Commissioner Issues Draft Decision Against Twitter
May 2020

The Irish Data Protection Commission (DPC) submitted a draft decision on the 22 May to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. 

The inquiry was initiated by the DPC following receipt of a data breach notification from the controller. The draft decision focuses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies, including WhatsApp Ireland Limited. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency, including transparency around what information is shared with Facebook.

The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.

By Judy de Castro - Regulatory Consultant
Data Protection Commission Fines Tusla
May 2020

On the 21st of May 2020, Tusla was issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules. 

The decision was issued to the Child and Family Agency (Tusla) following the completion of an inquiry that began in November 2019; the agency has 28 days to appeal the decision.

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

"As the decision referred to has only just been received, we are not in a position to comment further until we have reflected on all of the matters," Tusla said in a statement.

Earlier this week the Sunday Times revealed that Tusla had become the first body to be fined in Ireland by the DPC for a data protection breach under the stricter rules contained in the General Data Protection Regulation (GDPR).

That case related to three breaches reported in February and March of last year. One of those cases involved the accidental disclosure of the contact and location data of a mother and child to an alleged abuser.

The fine for the three breaches totalled €75,000.

"Tusla has and continues to engage constructively with the DPC and the public on these matters," it said.

That inquiry was launched by the regulator in January last year and was initiated following receipt of a data breach notification from the social media platform.

It relates to its compliance with the requirement under Article 33 of the GDPR to notify the DPC of a breach within 72 hours and provide certain information.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

By Judy de Castro - Regulatory Consultant
COVID-19 and Cyber Crime: What to watch out for
May 2020

On the 31st of March the EBA published a statement on actions to mitigate financial crime risks in the COVID-19 pandemic. The document discusses, from a supervisory level, the actions competent authorities should take in urging credit and financial institutions to put effective internal controls and systems in place to ensure the EU’s financial system is not abused by criminals.

In terms of emerging trends and typologies, legitimate financial flows are likely to diminish. However, experience from past crises suggests that in many cases illicit flows will continue, perhaps unchanged, and it is in those instances that credit and financial institutions should question the source of funds and wealth behind the transactions and, most importantly, whether they make economic sense.

For example, there is already some evidence of increased levels of cyber crime, COVID-19-related frauds and scams targeting vulnerable people and companies, of fake fundraising campaigns and of criminal networks selling rationed goods, including PPE at a higher price. Furthermore, as criminals are highly adaptive, new techniques and channels of laundering money are likely to emerge. 

On the 27th of March, Europol published a report on how criminals have adapted to the COVID-19 pandemic. It is based on information Europol receives from the EU Member States on a 24/7 basis and intends to support Member States’ law enforcement authorities in their work. According to the  report, the number of cyber-attacks is significant and expected to increase further. 

Cybercriminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic. They may expand their activities to include other types of online attacks. Cybercriminals are likely to seek to exploit an increasing number of attack vectors as a greater number of employers adopt telework and allow connections to their organisations’ systems.

Our Top 5 Tips:

  1. Update your AML-CTF Risk Assessment and any other relevant policies, internal controls or systems
  2. Train staff
  3. Calibrate transaction monitoring to recognise patterns in areas known to be impacted by COVID-19 that are still yielding uncharacteristically large or unchanged profit flows
  4. Monitor impacted industries, such as pharmaceutical or medical supply equipment, on an ongoing basis
  5. Risk assess your own IT systems and work-from-home strategies for resilience against cyber attack

Click HERE to read EBA's statement. 

Click HERE to read the Europol Report.

By Judy de Castro - Regulatory Consultant
FATF Guidance on Digital Identity
May 2020

According to this new document published by the FATF in March 2020, digital payments are growing at an estimated 12.7% annually and are forecast to reach 726 billion transactions annually by 2020. By 2022, an estimated 60% of world GDP will be digitalised. 

The growth in digital financial transactions requires a better understanding of how individuals are being identified and verified in the world of digital financial services and how to risk assess their use. Digital identity (ID) technologies are evolving rapidly, giving rise to a variety of digital ID systems to allow for identity proofing and enrolment per the diagram below. 

Recommendation 10 permits financial institutions to use “documents” as well as “information or data,” when conducting customer identification and verification. Recommendation 10 does not impose any restrictions on the form (documentary/physical or digital) that identity evidence – “source documents, information or data” – can take. 

However, it is essential that regulated entities apply a risk-based approach to using digital ID for CDD in order to:

  1. understand the assurance levels of the digital ID system, and
  2. assess whether, given those assurance levels, the ID system is appropriately reliable and independent in light of the ML/TF risks.


Potential Risks

Large scale digital ID systems that do not meet appropriate assurance levels pose cybersecurity risks, including allowing cyberattacks aimed at disabling broad swaths of the financial sector, or at disabling the digital ID systems themselves. They also pose major privacy, fraud or other related financial crimes risks, because cybersecurity flaws can result in massive identity theft, compromising individuals’ personal data. 

Risks related to governance, data security and privacy also have an impact on AML/CFT measures. These risks vary in relation to the components of the digital ID system but can be more devastating than breaches associated with traditional ID systems due to the potential scale of the attacks. 

Advances in technology and well-designed identity proofing and authentication processes can help mitigate these risks.

Click HERE to view the document.



By Judy de Castro - Regulatory Consultant
EU Commission’s AML-CTF Action plan
May 2020

On 7 May 2020, the European Commission adopted an action plan for a comprehensive and harmonised EU policy on preventing money laundering and terrorist financing. The action plan is to be founded on six pillars:

  • Pillar One: Effective implementation of existing rules
  • Pillar Two: A single EU rulebook
  • Pillar Three: EU-level supervision
  • Pillar Four: A support and cooperation mechanism for financial intelligence units
  • Pillar Five: Information exchange to enforce criminal law provisions
  • Pillar Six: A stronger EU AML-CTF Framework

The Commission intends to deliver on all these actions by early 2021. To gather the views of citizens and stakeholders on these measures, the Commission launched a public consultation which will close on 29 July 2020.

The action plan builds on the findings of the anti-money laundering package of 2019, which highlighted serious shortcomings including major divergences in the way rules are applied and enforced by the various EU member states, uneven supervision and limitations in the cooperation among financial intelligence units across the EU.

For those entities under the scope of the AML/CTF framework, or designated persons, the measures to take note of are those set out in Pillars two and three. Pillar two, whose main objective is to limit divergences in the interpretation and application of the relevant rules, will include provisions laying down a harmonised approach to customer due diligence requirements, a ceiling for large cash payments and reporting obligations.

Pillar three concerns the enhanced integration of supervision through an EU body, namely the European Banking Authority (EBA), with direct supervision over designated persons and the power to review internal policies, procedures and controls, including documentation on transactions and customers.

Click HERE to view the Action Plan. 


By Judy de Castro - Regulatory Consultant
Enforcement Action - Ulster Bank
May 2020

On 3 March 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined Ulster Bank (Ireland) DAC (the Firm) €4,600,000 for governance failings relating to regulatory returns that were required under the Mortgage Arrears Resolution Targets (MART) Framework.

The Firm has admitted to these breaches, which took place from 2013 until 2015.

Click HERE to view the full Settlement Agreement.


By Judy de Castro - Regulatory Consultant