RegSol Blog

RegSol Blog Posts

Section 35 The Companies (Corporate Enforcement Authority) Act 2021 Commencement of section 888A of the Companies Act 2014
May 2023

With effect from 23rd April 2023, there is a new requirement to furnish Personal Public Service (“PPS”) number or Verified Identity Number (“VIN”) when filing the following forms with the Companies Registration Office (“CRO”):
  • Form A1 – incorporation of a new company
  • Form B1 – annual return
  • Form B10 / B69 – notifying a change of director

The requirement protects both the integrity of the registration of businesses and the misuse of director identities.

The CRO will verify the director's first name, surname, date of birth and PPS number submitted by crosschecking the information against data held by the Department of Social Protection (“DSP”).

PPS numbers, RBO numbers and VINs will not be accessible on the public register.

In accordance with Section 888A(2) of Companies Act 2014, any person who, without just cause, fails to comply shall be guilty of a Category 4 offence which can result in a fine of up to €5,000.
Central Bank of Ireland Updated Fitness & Probity process for Individual Questionnaires
May 2023

In March 2023, the Central Bank updated its Individual Questionnaire (“IQ”) which must be submitted by any person seeking approval from the Central Bank to perform a PCF Function under the Fitness & probity Regime. It also published draft guidance on a new process for the submission of IQs via the Central Bank Portal, which is applicable from 20th April.

A PDF version of the updated IQ can be accessed here.

The Central Bank’s guidance on the submission of the IQ can be accessed here.
European Commission Markets in Crypto-Assets Regulation
May 2023

The European Commission introduced in September 2020 a proposal for a regulation on Markets in Crypto-Assets (MiCA) as part of its digital finance strategy.

MiCA will apply across the European Union without any need for national implementation laws. This approach is in line with consumer protection and ensuring effective and harmonised access to the innovative crypto-assets markets across the single market. The MiCA regulation has four essential objectives:
  • Ensuring legal certainty by establishing a sound legal framework for crypto-assets in its scope that are not covered by existing financial services legislation;
  • Supporting innovation and fair competition in order to promote the development of crypto-assets by instituting a safe and proportionate framework;
  • Protecting consumers, investors and market integrity in consideration of the risks associated with crypto-assets; and
  • Ensuring financial stability, with the inclusion of safeguards to address potential risks to financial stability.

MiCA will be phased in across the EU in two parts – the first part will deal with stablecoins which will become applicable within 12 months’ time (around Q2 2024), while the second part will address Crypto Asset Service Providers (CASPs) which will apply within 18 months (around Q4 2024)

Crypto-Assets in Scope of MiCA

A majority of crypto–assets which are not already governed by other regulations, such as security tokens and central bank digital currencies, shall fall into the scope of MiCA:
  • E-money tokens
  • Asset-referenced tokens
  • Utility tokens

Crypto-assets, other than e-money tokens or asset-referenced tokens, offered to the public are also in scope of the regulation, underlining the objective to have a broad scope.

Who will be caught by the legislation?

Crypto-Asset Service Providers (“CASPs”) are defined in MiCA as “any person whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis.” The European legislators have opted for the term ‘Crypto’ as opposed to ‘Virtual’ which is used both in Ireland and internationally by the Financial Action Task Force (“FATF”).

Under MiCA, the definition of crypto-asset services is such that a business providing at least one of the following activities, may be classed as a CASP:

  • exchanging crypto assets and fiat currency (e.g. using Euro to buy Bitcoin);
  • exchanging one class of crypto assets for another (e.g. using Bitcoin to buy Ethereum);
  • the custody and administration of crypto-assets on behalf of third parties;
  • the operation of a trading platform for crypto-assets;
  • the execution of orders for crypto-assets on behalf of third parties;
  • the placing of crypto-assets;
  • the reception and transmission of orders for crypto assets on behalf of third parties; and
  • providing advice on crypto-assets.
The final category encapsulates the broad nature of MiCA as ‘providing advice’ and could be construed as a catch all for any operator in this space. These categories also go a lot further than the existing definition of a Virtual Asset Service Provider (“VASP”) under the Irish Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021.

Obligations of issuers of crypto-assets under MiCA

  1. The publication of a whitepaper having some similarities with prospectuses published under the prospectus regulation

  2. The necessity to be authorised to issue crypto-assets

  3. Compliance with certain prudential rules when marketing crypto assets; and

  4. The obligation to act honestly, fairly and professionally vis-à-vis crypto-asset holders, in particular in relation to conflict management and prevention or maintenance of security access protocols.

The applicable regime depends on several elements considering notably the type of crypto-asset offered and the amount of the offered.

Read the recent European Council Press Release here.
Data Protection Commission: Meta Fine of €1.2 billion
May 2023

On 22nd May 2023, the Data Protection Commission (“DPC”) announced that it had issued its decision (dated 12 May 2023) in which it fined Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to its delivery of its Facebook service.

Background to the decision

The DPC launched an investigation into Meta in August 2020. After conducting its investigation, the DPC released its draft decision in which it determined that Meta’s data transfers to its US equivalent, Meta Platforms, Inc., were done in violation of Article 46(1) of the GDPR and that those transfers should be stopped. 

In this regard, the transfers were made in accordance with a transfer and processing agreement between Meta and its US counterpart, which included a Transfer Impact Assessment (“TIA”), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things. The agreement also incorporated the 2021 Standard Contractual clauses (“SCCs”) of the European Commission.

Against this background, the DPC's draft decision was then submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (CSAs), pursuant to a cooperation procedure mandated by Article 60 of the GDPR. After failing to reach a consensus under the cooperation procedure, the DPC referred objections by the CSAs to its draft decision to the European Data Protection Board (EDPB) for determination pursuant to the dispute resolution mechanism under Article 65 of the GDPR.

Findings of the DPC

The DPC found Meta in breach of Article 46(1) og the GDPR in relation to its transfer of personal data to the US, following the deliver of the Court of Justice of the European Union’s (“CJEU”) judgement in Schrems II case. In particular, while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.

More specifically, the DPC specified that:

  • US law does not provide a level of protection that is equivalent to that provided by EU law
  • Neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law
  • The measures set out in Meta’s record of safeguards that form part of the TIA that are presented as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by US law; and
  • It is not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR when making the data transfers.


On the basis of the EDPB's decision of April 13, 2023, the DPC exercised the following corrective powers against Meta for its breach of Article 46(1) of the GDPR:
  • a fine of €1.2 billion;
  • an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC's decision to Meta; and
  • an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC's decision to Meta.
In response to the DPC's decision, Meta noted that it will be appealing the DPC's decision and will seek a stay with the courts to pause the implementation of applicable deadlines under the same.

You can read the press release here, and Meta’s response here.
Data Protection Commission New Guidance: The Records of Processing Activities (RoPA)
April 2023

On 21st April, the Data Protection Commission published new guidance on the Records of Processing Activities (RoPA). Article 30 of the General Data Protection Regulation (GDPR) requires Data Controllers to maintain a RoPA. Article 30 prescribes the information the records must contain and controllers and processors must be able to provide such records to the DPC on request. 

The Guidance is designed to assist controllers with compliance with Article 30 of the GDPR.

The full Guidance can be found at:

Records of Processing Activities (RoPA) under Article 30 GDPR
Central Bank of Ireland Industry Letter on costs and fees to fund managers
April 2023

On 24th March 2023, the Central Bank of Ireland (“the CBI”) published an industry letter on the 2021 Common Supervisory Action (“CSA”) on costs and fees of UCITs. The letter outlines the CBI’s findings from the CSA and supervisory expectations and key actions for fund managers.

AIF managers should be aware that while the CSA concentrated on the costs and fees of UCITS, the CBI expects that AIFMs will also take the findings and actions in the Letter into account with respect to the costs and fees charged to AIFs.

Scope of the CSA

The CBI undertook the review as part of a European-wide CSA established by ESMA. The CBI assessed UCITS management companies and self-managed investment companies (“Firms”)’s compliance with relevant cost-related provisions in the UCITS framework.

The CSA examined whether Firms, when charging costs to the fund/unitholders:
  • comply in practice with the cost-related disclosure provisions set out in UCITS legislation;
  • act honestly and fairly in conducting their business activities and do so with due skill, care and diligence and in the best interests of their underlying investors; and
  • do not charge investors with undue costs.

CBI Findings

The CBI found several flaws in how funds cost and fee structures were established, which, according to the CBI, raises the likelihood of unfair expenses being imposed on investors. The CBI highlights that while defining the cost and charge structure, firms must consider their duty to act in the best interests of investors, supported by rules and procedures and monitoring from senior management.

Supervisory Expectations

  1. Policies and procedures on costs and fees

    The CBI expects that all Firms have structured and formalised pricing policies and procedures in place, with clear oversight and approval from senior management., enabling the transparent identification and measurement of all costs charged to a fund.

  2. Periodic review of costs and fees

    The CBI expects that all costs are reviewed annually, taking into account the investment objective and strategy of a fund, the target and actual level of performance achieved and the role and responsibilities of service providers. the viability and competitiveness of a fund should be considered as part of the costs review.

  3. Design and oversight of fee structure

    The CBI found that there was an over-reliance by Firms on the assessments made by delegate investment managers for determining the pricing structure of the funds, with limited engagement in the process by some Firms. The CBI requires Firms to have clear policies and procedures for the design, oversight and regular review of the costs and fees structures, to ensure they are operating effectively and in the best interests of investors.

  4. Efficient portfolio management (“EPM”)

    The CBI expects that all fee arrangements regarding securities lending programmes are compliant with ESMA’s expectations and are clearly disclosed within a fund prospectus or supplements as well as being captured in the policies and procedures of a Firm.

  5. Fixed Operating expense (“FOE”) models

    The CBI expects that in cases where a FOE model is being used to give investors protection and certainty about the fees being incurred, those investors should be fully aware of all costs and the model should be calibrated so that any difference is minimised and that investors are not charged excessive costs.

    The CBI also expects that FOE models should be reviewed as part of the annual costs and fees review. The CBI acknowledges that this will be an area of focus un its future supervisory engagements.

  6. Non discretionary investment advisor charge

    The CBI expects that the investment advisor's position will be complementary to the investment managers and non-discretionary in nature. Firms must make sure that the pricing arrangements for non-discretionary advisors are reasonable for the services being rendered.  The CBI expects managers of both UCITS and AIFs to conduct a gap analysis against the findings and expectations detailed in the Letter and where appropriate, put in a place a plan by the end of Q3 2023 to address any deficiencies identified.

The full Letter can be found at:
Industry Letter on Common Supervisory Action on the supervision of Costs and Fees of UCITS

Central Bank of Ireland Updates to Fitness and Probity Enforcement Procedures
April 2023

On 21st April 2023, The Central Bank of Ireland (‘CBI’) published an Industry letter notifying firms of the updated procedures for fitness and probity investigations, suspensions and prohibitions. The updated procedures apply from 20th April 2023.

Part 3 of the Central Bank Reform Act 2010 has been amended by the Central Bank (Individual Accountability Framework) Act 2023. The amendments, which were commenced by order on 19th April 2023 are summarised below:

  1. Investigation of individuals who formerly performed CF roles: the central bank can now investigate a former controlled function (CF) role holder, provided that they performed the role within the shorter of the following periods: (a) the period since 19th April 22023 and (b) the 6 years before the date on which an investigation is commenced.

  2. Commencement of investigation: a new statutory procedure has been introduced for giving notice of investigations.

  3. Suspension: the limit for the initial duration of s suspension notice has increased from 3 months to 6 months. Suspension notices may now be appealed to the Irish Financial Services Appeals Tribunal. The period for which the High Court may extend a suspension notice has increased from 3 months to 6 months. The CBI may make subsequent applications to the High Court to further extend the suspension notice.

  4. Investigation report: the statutory procedure for investigation reports has been changed to provide for the preparation and service of a draft report followed by a final report.

  5. Discontinuing an investigation: the CBI may discontinue an investigation for reasons to be stated in a notice.

  6. Prohibition Notices: will now only take effect when confirmed by the High Court or agreed in writing.

  7. Varying/revoking prohibition: a new procedure allowing the CBI or the subject to apply to the High Court for an order varying or revoking a prohibition notice.

  8. Regime extended to certain holding companies: the fitness and probity regime (upon CBI issuing regulations) apply to individuals performing certain CF roles in holding companies of certain regulated firms.

  9. Enhanced independence requirements: certain requirements have been introduced to ensure the independence of an investigation and associated decision-making procedures.

The amendments to Part 3 of the 2010 Act have necessitated changes to regulations and guidance. The updated regulations and guidance are:

Central Bank Reform Act 2010 (Procedures Governing Conduct of Investigations) Regulations 2023

Fitness and Probity Investigations, Suspensions and Prohibitions: Guidance 2023

More information can be found at:
RegSol’s Vulnerable Customers’ Seminar
March 2023

The RegSol team would like to give a massive thank you to all of those who attended our Seminar on Friday 24th March 2023 - 'Vulnerable Customers: Who cares about Accessibility in Financial Services?'

We would also like to thank our wonderful MC Bernard Jackman, our amazing Special Guest Joanne O'Riordan, our CEO AnneMarie Whelan, and our unbelievably informative speaker Kyran O'Mahoney from Inclusion and Accessibility Labs (IA Labs). From the feedback we received, this event was a great success! We are thrilled to have hosted an event with such an ethical topic.

Attendees can expect the presentation and update on CPD within the coming days.
To anyone who missed out, we will be announcing the scheduling of a live screening of the event recording as a CPD Event shortly. If you are interested, please email to be included on the invitation list.

Central Bank of Ireland: Consumer Protection Outlook Report 2023
March 2023

The Central Bank of Ireland (‘CBI’) have published the Consumer Protection Outlook Report 2023. The report outlines the five key drivers of consumer risk in Ireland, in this changing and challenging economic environment.

These risk drivers reflect the feedback and engagement that the CBI has undertaken with various stakeholders over the last year which has been incorporated into their annual risk assessment. The five Key Drivers of Consumer Risks and associated CBI expectations of firms are:

1) The changing operational landscape
  • Actively identify and address risks to consumers that may emerge from change in the landscape within which the firm and/or its consumers are operating
  • Engage with financial innovation to address the needs and interests of consumers
  • Have sufficient operational resilience to manage change
  • Clearly distinguish between regulated and unregulated services for the consumer, particularly when they are being offered in the same digital space.

2) Poor business practices and weak business processes
  • Place the best interests of consumers at the heard of commercial decisions
  • Implement robust governance and oversight arrangements for the design, sale and delivery of the product
  • Comply with suitability requirements
  • Monitor products to ensure it is performing as intended and remains suitable for the target market
  • Ensure proper resources are deployed to deliver a high quality service

3) Ineffective disclosures to consumers
  • Provide clear information promptly, to consumers, disclosing key information upfront
  • Support consumers by ensuing information is provided in a way that can be easily understood
  • Ensure that statements of suitability and other disclosures are fully compliant with legislative requirements
  • Ensure disclosure is as clear on digital media as with more traditional methods
  • Avoid Greenwashing by producing disclosure documents that are clear and full compliant with legislative requirements
  • Disclose exclusions to financial products effectively at the outset, to support consumers in making good decisions

4) Technology-driven risks to consumer protection;
  • Have well defined and comprehensive IT and cybersecurity risk management frameworks, supported by sufficient resources
  • Make sure that the interests of the consumer are the firm's top priorities when designing and distributing financial products digitally, and that the product will only be made available to suitable consumers
  • Have effective measures to mitigate the risk of fraud and scams and be proactive in identifying and dealing with cases
  • Demonstratable oversight of delegated or outsourced arrangements and evidence that associated risks are appropriately considered and managed

5) The impact of shifting business models
  • Consider the impact of decisions on vulnerable customers and implement effective processes and communication plans
  • Proactively assess and mitigate the risks and consumer impact of commercial decisions whilst ensuring that customers understand that changes mean for them
  • Have sufficient customer service capacity and structures
  • Only design and bring to market products that meet the needs of identified target market

The CBI have anchored on these risks for their work in 2023 and beyond, which means that regulated firms can focus on making long-term sustainable improvements. The report also includes a description of key bodies of work to be delivered by the CBI with respect to the Key Drivers of Consumer Risk.

The full Report can be found at:

Central Bank of Ireland Consumer Protection Outlook Report 2023
Individual Accountability Framework Consultation Paper (CP153)
March 2023

Following the enactment of the Central Bank (Individual Accountability Framework) Bill 2022 on 9th March, the CBI has launched a three-month consultation (CP153) on key aspects of the implementation of the Individual Accountability Framework (IAF). This includes the publication of draft Regulations and guidance.

The draft regulations and guidance seeks to provide clarity in terms of the Central Bank’s expectations for the implementation of three aspects of the framework: the Senior Executive Accountability Framework (SEAR), the Conduct Standards and certain aspects of the enhancements to the Fitness & Probity Regime.

The following implementation timeline is proposed:

  • Conduct standards including accountability of senior individuals to apply from 31st December 2023
  • Fitness & Probity Regime – Certification and inclusion of Holding Companies to apply from 31st December 2023
  • Allocation of responsibilities and decision making to apply to in-scope firms from 1st July 2024
The consultation will remain open until 13th June 2023. The full Consultation Paper can be found here:

Consultation Paper 153: enhanced Governance and performance and accountability in financial services
Central Bank of Ireland Portal Update
March 2023

The Central Bank of Ireland Portal will be enhanced to simplify the process for submitting applications to become a Pre-Approval Controlled function holder. Applicants will submit individual questionnaires via the Portal instead of the Online Reporting System starting from April 24, 2023. If you are not already a Portal user, you should register now. 

An overview of the changes to the system is provided below:

New F&P Application Process (Central Bank of Ireland)

Central Bank Dear CEO letter – MiFID Structured Retail Product Review - Supervisory Guidance
March 2023

On 3rd March 2023, the Central Bank of Ireland (the “CBI”) published further Supervisory Guidance following the “Dear CEO” of April 2022, which outlined its findings of a review identifying issues in the marketing of complex investment products - Structured Retail Products (SRPs) - manufactured and distributed by MiFID investment firms.

The Supervisory Guidance supplements this letter and provides clarification to firms on how the warnings on use of a decrement index should appear, and the presentation of back-testing.

    1. Use of decrement index – appearance of prominent wording 

In April 2022, it was determined that one area of complexity was the use of decrement indices (where a fixed dividend is periodically subtracted from the underlying index and which can act as a "downward drag" on performance where it is higher than the actual dividend paid, and in particular where the index falls below its initial level).

Last week's letter clarifies that the prominent warning must appear (in a separate text box) "on the front cover of the marketing material or brochure and on the page on which the decrement index is described in further detail". The letter provides two sample warnings (one for the front page and one for the page that describes the index in more detail).

Firms should also keep in mind that, in cases where the SRP uses a fixed dividend deduction in the form of a fixed-point value (rather than a percentage), this "drag on performance" will be accelerated if the index drops below its initial level and that a sustained decline in markets will accelerate the decline in the value of the index.

    2. Presentation of back-testing/overlapping simulations for ‘capital at risk’ SRPs

The Central Bank noted that if a firm uses past performance representations covering periods of positive client outcomes, that may not accurately reflect the likelihood of a client suffering a capital loss in the future. The Central Bank is concerned with ensuring that the presentation of historical data is not misleading.

The Central Bank wants firms to avoid using a large number of overlapping simulations that show little, if any, capital losses as that has the potential to mislead clients about the likelihood of experiencing a capital loss. This is because using such a large number of overlapping simulations that show little, if any, capital losses could mislead clients about the likelihood of experiencing a capital loss given the largely positive market conditions in recent years.

The full Letter can be found through the link below:
MiFID Structured Retail Product Review – Supervisory Guidance (Central Bank of Ireland)
FSPO Levy Regulations
February 2023

The Financial Services and Pensions Ombudsman (‘FSPO’) resolves complaints from consumers, small businesses and other organisations, against financial service providers and pension providers.

On 20th January 2023, the Financial Services and Pensions Ombudsman Act 2017 [Financial Services and Pensions Ombudsman Council] Financial Services Industry Levy Regulations 2023 (‘the Regulations’)were signed (here).

The Regulations came into operation on 1st February 2023.

The Regulations require that each financial service provider is liable to pay an annual levy in relation to the services provided by the FSPO to the finance industry.

The levy payable by each type of financial service provider for the year ended 31st December 2023 is to be calculated by reference to the criteria in each category under the Schedule to these Regulations.

In order to ensure an equitable distribution of the levy among financial service providers, on an annual basis an exercise is carried out to ensure that the proportion of the levy applicable to each category of financial service provider reflects the volume of complaints received by the FSPO in the previous three-year period.

The Regulations also provide for the collection and recovery of the levy and provide for certain obligations in respect of self-assessment and record keeping by financial service providers.

For more information regarding the levy, the FSPO has issued a helpful guidance which can be found at the following link:

The Financial Services and Pensions Ombudsman Levy Report 2023
Central Bank Dear CEO Letter on Financial Regulation Priorities for 2023
February 2023

On 16th February 2023, the Central Bank issued a Dear CEO Letter setting out its key regulation and supervision priorities for 2023.

The Letter first highlights the challenging macro-financial environment and the risks facing the financial system and global markets, which were also highlighted in the Central Bank’s most recent Financial Stability Review. The Central Bank expects the Irish economy will continue to experience positive (although lower) growth in 2023 and notes that it is facing increased downside risks given the size of the energy and inflation shock and the slowdown in the global economy. The Central Bank confirms that this economic context will be central to their regulatory focus in 2023 to ensure the financial system and firms operate to support the interests of consumers and users as they cope with those risks and challenges.

The Letter then identifies the Central Bank’s key 2023 regulatory and supervisory priorities as follows:

  1. Authorisations 
    The Central Bank aims to provide a clear, open and transparent authorisation process through active and constructive engagement with industry and other stakeholders. It is focused on creating the regulatory context in which the potential benefits of innovation for consumers, investors, businesses and society can be realised, while the risks are effectively managed and mitigated.

  2. Operational Resilience
    The Central Bank will be assessing and managing risks to the financial and operational resilience of firms. This includes the potential decline in asset quality arising from prevailing inflationary pressures, lingering effects from the pandemic and a slowdown in the UK economy.

  3. Non- Banking Sector 

    Actions on the systemic risks generated by non-banks will be progressed, in particular by advancing a macro-prudential framework for non-banks and improvements to legislative frameworks and investor protections in the investment fund sector.

  4. Banking Sector 

    The Central Bank will continue to oversee the consolidation of the Irish banking sector and associated programme of account migration, implement new credit supervision mandates and continue to monitor for emerging risks in relation to distressed debt, investor protection and product governance.

  5. Engagement 

    The Central Bank will continue to consult and engage on regulatory developments under the Consumer Protection Framework and Individual Accountability Framework leading to enhancements in existing and new regulations.

  6. Credit Unions 

    Changes will be implemented to credit union regulations/guidance arising from the Department of Finance-led Policy Framework Review, including through engaging with sectoral stakeholders.

  7. Innovation 

    The Central Bank will consult on its approach to innovation that will include an exploration of new ways of engagement with innovators and their products.

  8. AML & Sanctions 

    There will be ongoing focus and vigilance around the integrity of the financial system and preventing misuse through detecting and sanctioning market abuse, supervising firms’ compliance with Anti-Money Laundering/Combating the Financing of Terrorism obligations and administering and enforcing financial sanctions (working closely with An Garda Síochána and other relevant bodies in all these areas). 

    The Central Bank will also be ensuring that the EU’s Anti-Money Laundering Action Plan, including the establishment of a single supervisory authority (the Anti-Money Laundering Authority (AMLA)), results in a consistent and robust EU-wide framework.

  9. EU Regulation 

    The Central Bank will be contributing to progressing European regulation, particularly the review of the Payment Services Directive (PSD2) and the functioning of open banking, as well as implementing new EU regulations on digital operational resilience (DORA) and markets in crypto assets (MiCA).

  10. ESG 

    The Central Bank will be aiming to strengthen the resilience of the financial system to climate change risks and its ability to support the transition to a climate-neutral economy, along with implementing the EU’s Sustainable Finance Disclosures Regulation.
If your firm has a query regarding any of the key priorities highlighted by the Central Bank above, feel free to contact us at

To read the Dear CEO Letter in full, please follow the link below:
Dear CEO Letter - Central Bank's key regulation and supervision priorities for 2023
DPC Fines Meta (Facebook, Instagram & WhatsApp) nearly €400 Million for incorrect legal basis relied upon to justify data collection under GDPR
January 2023

On 4th January 2023, the Data Protection Commissioner (the ‘DPC’) announced that it had concluded two inquiries into Meta Platforms Ireland Limited’s (‘Meta’) data processing operations in respect of its Instagram and Facebook services.

Final decisions have now been made by the DPC where it has fined Meta Ireland €210 million and €180 million for breaches of the GDPR relating to its Facebook and Instagram services, respectively. Meta has also been directed to bring its data processing operations into compliance within a period of 3 months.


Prior to the introduction of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, Meta changed the legal basis on which it was processing users’ data in its Terms of Services for its Facebook and Instagram users. Previously Meta relied on the consent of its users, but they now sought to rely upon contractual as the legal basis for the majority of its processing operations. All users were asked to select ‘I accept’ to indicate their acceptance of the updated Terms of Service however if users declined, they would no longer be able to access the services.

According to Meta, by selecting ‘I accept’ this created a contract between it and the user. Meta thereby contended that the processing of users’ data for the delivery of its Facebook and Instagram services was necessary for the performance of the contract and this included the provision of personalised services and behavioural advertising. However, objections by an Austrian data subject and a Belgian data subject were raised arguing that by restricting the accessibility to the services resulted in ‘forcing’ the user to consent to the processing of their personal data for behavioural advertising and other personalised services and that this was in breach of the GDPR.


Draft decisions were prepared by the DPC in which it found against Meta on a lack of transparency, however, the DPC also noted that Meta was not required to rely on consent and in principle, the GDPR did not preclude Meta’s reliance on the contract as a legal basis for processing.

When this draft decision was circulated with other EU privacy regulators, several of them objected to the Irish DPC’s “contract” position.

The matter was referred to the European Data Protection Board (‘EDPB’), which agreed that “contract” could not be relied on as means of personal data procession legitimacy in this case.

Accordingly, the DPC’s final decisions include findings that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.


On 19th January 2023, the DPC fined WhatsApp Ireland Limited (‘WhatsApp’), also owned by Meta, €5.5m for breaches of the GDPR similar to its sister companies Facebook and Instagram in trying to unlawfully force users to accept changes to its terms of service. WhatsApp has also been directed to bring its data processing operations into compliance.

The combined nearly €400 million fine brings to more than €1.3 billion the total amount of financial penalties the DPC has levied against Meta and its platforms in the last 16 months. The DPC also has a further 10 separate inquiries still open into Meta and its services.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces conclusion of two inquiries into Meta Ireland | 04/01/2023 | Data Protection Commission

Data Protection Commission announces conclusion of inquiry into WhatsApp | 19/01/2023 | Data Protection Commission

For information about RegSol’s Data Protection training courses, please see our training timetable below or, if you wish to discuss arranging tailored staff training in your firm, please contact us at
Rise of the Money Mule in Ireland
January 2023

It is estimated that the most prolific fraud gang in Ireland — the Black Axe crime network - a notorious West African-based criminal organisation formed in the 1970s and now operating world-wide, has stolen or laundered €64 million in Ireland in recent years. While that gang has its origins in Nigeria, it is believed that more than 4,000 people who have used Irish addresses are laundering money for the gang.

The Garda National Economic Crime Bureau’s (GNECB) long-running probe, called Operation Skein, is an ongoing investigation into fraud being committed in Ireland that includes international business email compromise (BEC), invoice redirect fraud and romance scams. The investigation also targets the laundering of the proceeds through Irish accounts.

Money mules

A money mule is a person who transfers illegally obtained money between different payment accounts, very often in different countries, on behalf of others. The money mule receives stolen money into their account, then transfers it to another account, usually overseas, and keep some of the cash for themselves as ‘payment’ or withdraw the cash and pass it on to the money mule recruiter. Fraud gangs need very large numbers of bank accounts, opened into the names of other people, for their unsuspecting victims to send money to. They then quickly disperse that money over a wide network of other mule accounts.

Offers to make quick and easy money by answering seemingly legitimate job adverts or online posts, social media (i.e. Facebook posts on closed groups) and messages sent through instant messaging apps (e.g.: Whatsapp, Viber) are the most common methods of initial contact by the money mule recruiter.

Those aged 18-24 (including unemployed, students and people in economic distress being the most susceptible to the crime) and those over 55 years of age are the most commonly targeted age groups.

BPFI Survey

An Garda Síochána in association with FraudSMART, a fraud awareness initiative led by the Banking & Payments Federation Ireland (‘BPFI’), are advising consumers, particularly young adults, to be alert to the risks and consequences of recruitment as “money mules”.

The warning comes as a new survey commissioned by BPFI as part of its FraudSMART campaign for 2019 shows strong evidence of money mule activity among young people in Ireland.

The FraudSMART research also mirrors new data from BPFI’s member banks, including AIB, Bank of Ireland, KBC, PTSB and Ulster Bank, who collectively had more than 1,600 confirmed cases of money mule activity on customer accounts in 2018, a large proportion of which involved young account holders.

According to the FraudSMART survey more than 40% of 18-24-year-olds are likely or very likely to lodge or transfer money for someone using their own bank account in exchange for keeping some of the money for themselves.


Even if money mules may not be aware of, or be involved in, the crimes which generate the money (cybercrime, payment and online fraud, drugs, human trafficking, etc.), they are complicit and acting illegally by recklessly allowing their account to be used to launder the proceeds of crime, helping criminal syndicates move funds easily around the world and remain anonymous.

Penalties include a prison sentence of up to 14 years, a criminal conviction with a lifetime criminal record, extradition to the country where the predicate crime occurred, and not being permitted to open another bank account or secure a mortgage.

Protecting your firm from money mule fraud

It is highly advisable to have robust or review existing AML policies and procedures in place making all staff aware of the potential scams and pitfalls such as:

  • Being caution of unsolicited emails or approaches over social media promising opportunities to make easy money;
  • Being alive to vishing which is a tactic in which people are tricked into revealing financial or personal information to unauthorised people over the phone;
  • Verifying any company that makes an unsolicited offer and check their contact details (address, landline phone number, email address and website) are correct and whether they are registered in Ireland;
  • Ensuring staff are aware not to give the firm’s bank account or any other personal details to anyone unless you know and trust them;
  • And lastly, be mindful of adage, if an opportunity sounds too good to be true, it probably is!

For information about implementing AML policies and procedures in your firm or about our CPD certified training courses in AML and for MLROs, please see our training timetable below or contact us at

Central Bank Dear CEO Letter to Payment & E-Money Institutions
January 2023

On 20th January 2023, the Central Bank published a Dear CEO Letter (‘January 2023 Letter’) to payment and electronic money institutions highlighting recent supervisory weaknesses and reaffirming supervisory expectations and actions for these sectors.

The January 2023 Letter follows the December 2021 Dear CEO Letter from the Central Bank to these institutions which it provided greater clarity on its supervisory expectations for the sector. The January 2023 Letter also refers to the Consumer Protection Outlook Report 2022 published in March 2022 which sets out the key cross sectoral risks identified by the Central Bank as the primary drivers of risk for consumers of financial services in Ireland and across the EU today. The Central Bank highlights these risks are particularly relevant to the payment and e-money sector based on what it has observed over the course of 2022.

It also refers to the recent reference in the International Monetary Fund’s (IMF) Technical Note on Oversight of Fintech in Ireland of the payment and e-money sector’s growing importance within the broader fintech sector in Ireland.

The January 2023 Letter sets out actions identified by the Central Bank to remedy deficiencies in five key areas, namely:

  1. Safeguarding,

  2. Governance, risk management, conduct and culture,

  3. Business model, strategy, and financial resilience,

  4. Operational resilience, and

  5. Anti-money laundering and countering terrorist financing.


The main focus of the January 2023 Letter is safeguarding. In the December 2021 Dear CEO Letter, the Central Bank asked all firms to comprehensively review compliance with the safeguarding requirements set out in the E-Money Regulations or Payment Services Regulations (as appropriate) by 31st March 2022. One quarter of those firms self-identified deficiencies in their safeguarding risk management frameworks, and deficiencies were later identified in other firms.

As a result, the Central Bank sets out its expectations as follows for firms to:

  • Have robust, Board approved, safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customer.
  • Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.
  • Notify the Central Bank immediately of any safeguarding issues identified.
  • Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.
  • Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

The Central Bank also request all payment institutions and e-money firms who are subject to the safeguarding requirements to commission an audit of their compliance with those requirements from an audit firm which has the necessary specialist skill to audit compliance in this area. Each firm must provide that audit opinion, together with a response from its board to the outcome of that audit, to the Central Bank by 31st July 2023.

Given the 31st July 2023 deadline, the January 2023 Letter should promptly be brought to the attention of the board of any payment institution or electronic money institution and if your particular entity has a query regarding any of the issues highlighted by the Central Bank above, feel free to contact us at

To read the January 2023 Letter in full, please follow the link below:

Dear CEO Letter - Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms (
RegSol’s Vulnerable Customers Seminar 24th March 2023
January 2023

Are you missing out on engaging with potential clients because your website isn’t fully accessible or your meeting space isn’t physically accessible?

Are you fearful of engaging with clients who have identified vulnerabilities because you don’t know how to navigate those needs or know what reasonable accommodations should be offered?

This half day in-person event is designed to inform, encourage and support Financial Advisors in embracing a thitherto under-served market.

You will learn what the legal and regulatory requirements are but more importantly, how best to support individuals that do require some assistance to ensure your services are truly accessible.

Cost: €100 p/p

* CPD accreditation for this event is sought from the Insurance Institute, Institute of Bankers, LIA and ILCU

AXA Life Europe DAC fined €3,640,000 for failures in Corporate Governance and Risk Management
December 2022

On 8th December 2022, the Central Bank reprimanded and fined AXA Life Europe DAC (AXA) €3.64 million for failures in corporate governance, risk management and handling of conflicts of interest.

The fine relates to three breaches of European insurance regulations by AXA, authorised by the Central Bank in Ireland to carry out life insurance business and who set up a German branch in 2006 on a freedom of establishment basis where it started selling an insurance product known as TwinStar.

The German Federal Financial Supervisory Authority (BaFin) regulated the German branch for conduct of business.

Between 2006 and 2012, AXA sold around 350,000 TwinStar policies, of which approximately 203,000 remain in place.

When the policies first went on sale between 2006 and 2007, there was a reference in the documentation to a Parental Claims Guarantee (PCG) provided by AXA’s parent, AXA SA, to provide AXA with the necessary resources to pay all outstanding German policyholder claim liabilities, if AXA became unable to do so itself. The PCG was provided because AXA, as an Irish-based insurer, could not participate in the insolvency protection scheme for German life insurance companies.

In 2006, BaFin, wrote to AXA’s German branch and told it that the references to the guarantee in some of the documentation inferred a higher level of security than had actually been provided. This was because some policy documentation failed to make clear that the PCG was conditional and could terminate automatically if certain conditions were met.

In early 2018, the sale of AXA was being considered by its parent and as part of this consideration, the Central Bank became aware that policies sold in 2006 and 2007 may not have been updated to disclose the conditional nature of the PCG, despite the letter from BaFin. As a result, the Central Bank commenced an investigation.


The Central Bank’s investigation found that AXA's risk management systems had failed over a 13-year period, where it had not put in place an effective process to identify, manage, monitor and report the risks in around 30,000 TwinStar policies in not making it clear that the guarantee was conditional, despite the BaFin warning.

The Central Bank also found that AXA did not conduct an adequate assessment of potential conflicts when its board considered the guarantee issues in July 2018 and that between 2015 and 2021, it did not have effective policies and / or procedures established to identify potential sources of conflicts of interest or ensure that directors understood where conflicts of interest could arise and how such conflicts should be addressed if they did arise.

Mitigating factors

The Central Bank, however, was satisfied that AXA made early admissions to the three breaches in the case while also acknowledging that no previous enforcement action had been taken against the regulated entity.

To read the Central Bank Enforcement Action Notice in its entirety, you can click on the following link:

Public statement relating to Enforcement Action against AXA Life Europe DAC (
Central Bank Publishes Research on Insurance Engagement and Switching
December 2022

On 1st December 2022 the Central Bank published an Economic Letter, “Engagement, switching, and digital usage in consumer and insurance markets: who does it and why it matters” examining engagement and switching patterns among car and home insurance consumers.

The Letter examines the traits of consumers who find it difficult to look for and buy financial products, including insurance, online.

The Letter highlights factors that may prevent policyholder participation and switching from a comprehensive survey of Irish policyholders as well as behavioural economics. Among its main conclusions are:
  • 8 out of 10 car and home insurance consumers engage with their provider on renewal. Around 1 in 4 switch provider.

  • Policyholders are more likely to engage with and/or switch provider if, on renewing their policy, the price increases.

  • Behavioural characteristics play a role in engagement and switching. Specifically, certain consumers may be more likely to stick with the status quo, even when doing so may not be financially beneficial. These consumers are less likely to engage or to switch provider.

  • Perceptions also play a role in consumer behaviour. Around 1 in 4 believe that loyalty to an existing provider will be rewarded. These consumers are significantly less likely to switch.

  • Where consumers believe that they can make significant savings by switching, they will be more likely to do so.

  • Time-poor consumers are less likely to switch their policies.

  • Around 55% use digital information and channels as part of their engagement and switching. However, 1 in 5 policyholders report difficulties in using the internet to search for and purchase financial purchases, including insurance. These consumers tend to be older, lower income, and less educated.

  • Policyholders that are less comfortable with digital channels are more likely to exhibit status quo bias.

The Central Bank expects firms to take into account consumer psychology and insights from behavioural economics to design effective disclosures and consumer protection policies to support consumers in making fully informed decisions.

The Letter also highlights the importance of digital literacy in supporting consumers to engage and switch.

The Central Bank reminds firms of its Consumer Protection Outlook Report which highlights the key cross sectoral risks facing consumers of financial services and the Central Bank’s expectations of firms to avoid these risks materialising.

The Letter also refers and reminds firms of its Dear CEO Letter published in November 2022 detailing its expectations in the context of a more challenging economic outlook characterised by energy-driven inflation and uncertainty – please find RegSol’s article on the Letter here.

If you have a query regarding any of the issues highlighted by the Central Bank above, please contact us at
Central Bank FAQs re Ireland Safe Deposit Box, Bank and Payment Accounts Register
December 2022

FAQs - Ireland Safe Deposit Box, Bank and Payment Accounts Register

On 15th December 2022, the Central Bank updated its frequently asked questions (FAQs) in relation to Ireland Safe Deposit Box, Bank and Payment Accounts Register (ISBAR).

ISBAR was recently established and will be administered by the Central Bank to hold information on accounts identifiable by IBAN (including account holders, beneficial owners and signatories), and information on safe deposit box services. The register is established in line with 5th EU AML Directive requirements and is designed to enable Financial Intelligence Unit within An Garda Síochána to search and retrieve information as part of criminal investigations.

Any credit institution established in Ireland, which issues Irish IBAN identifiable accounts, or holds Safe Deposit Boxes on behalf of its customers, is required to provide Bank Account and Safe Deposit Information to ISBAR.

The obligation for credit institutions to provide information will commence once formally notified by the Central Bank to do so in Q1 2023.

Legislation will be enacted at a later date to extend the scope of the reporting obligation to other financial service providers who issue Irish IBANs.

The FAQs cover What is ISBAR, General Reporting Requirements, File Generation and Technical Questions. 

You can read them in full via the following link: ISBAR FAQ | Central Bank of Ireland

Guidance - Beneficial Ownership Register of Certain Financial Vehicles

The Central Bank, who is also responsible for establishing and maintaining the Beneficial Ownership Register of Certain Financial Vehicles (CFV), has recently updated its Guidance in respect of the CFV Register.

The Register aims to deter money laundering and terrorist financing by those that seek to hide their ownership and control of corporate or legal entities by ensuring that the ultimate owners/controllers of Irish Collective Asset-management Vehicles, Credit Unions, Unit Trusts, Investment Limited Partnerships, and Common Contractual Funds are identified, and that this information is readily accessible to law enforcement, regulators and obliged entities.

The Guidance aims to:

(i) provide CFV, their beneficial owners, and members of the public with information in relation to the scope of the Register;

(ii) outline related processes to the submission of data to the Register; and

(iii) provide all interested parties with information in relation to the use and safeguarding of the data provided, under data protection legislation.

To read the Guidance in full, please follow the link below:
Beneficial Ownership Register of Certain Financial Vehicles Guidance  (

Consumer Rights Act 2022 Soon to be Commenced
November 2022

The Consumer Rights Act 2022 (the Act’), which has been signed into law on 7th November 2022 and is expected to be commenced soon, is the biggest overhaul of consumer protection in Ireland, strengthening consumer rights, protections and remedies in a range of key areas.

The Act consolidates and modernises Irish consumer rights legislation for the sale of goods and supply of services, ensuring that the updated legislation is more in keeping with the digital age.

In addition to updating the current Irish legislation, the Act will also transpose the following directives aligning the legislation more closely with those applying across the EU:
  • Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (the “Digital Content Directive”);
  • Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods (the “Revised Sale of Goods Directive”); and
  • The main provisions of Directive (EU) 2019/2161 on the better enforcement and modernisation of Union consumer protection rules (the “Omnibus Directive”).

What does the Act apply to?

The Act applies to all written and oral contracts (as well as combinations of both) between traders and consumers. (A “trader” means a natural person, or a legal person (such as a company) who is acting for purposes relating to the person’s trade, business, craft or profession, and includes any person acting in the name, or on behalf, of the trader.)

It also applies to contracts implied by the conduct of the parties.

Apart from regulating the sale of goods and services, the Act also extends consumer protections to digital goods and services so that consumers are protected when they use cloud-based services or buy downloadable or streamed goods and services, such as games, films, music and software.

Key Provisions of the Act

  1. Conformity - the contract must conform with certain (i) objective and (ii) subjective requirements as detailed in the Act. In the event of any lack of conformity during the 12 month period after supply, the burden of proof shifts to the trader to prove that the supply of goods/services were in conformity with the contract.

  2. Transparency - the Act strengthens the transparency requirements that apply to contract terms. Traders must ensure that the terms of a contract with consumers are transparent e.g. in plain language, presented clearly, easily available, with novel/onerous terms being brought to consumers' attention and the terms' financial consequences are understandable to an average consumer.

  3. Prohibited notices – under the Act, it will be an offence for a trader to display a notice, publish an advertisement or supply goods bearing, or digital content or a digital service displaying in any form, a representation, or to furnish any document which indicates, that (i) consumers' rights under the Act or (ii) an obligation/liability are/is restricted or excluded other than as permitted by the Act.

  4. Commercial Guarantees – traders are liable for commercial guarantees provided by other guarantors, unless they express the contrary or give their own commercial guarantee.

  5. Unfair Terms – the Act determines that a term is unfair if it causes a significant imbalance in the parties’ rights and obligations to the detriment of the consumer and extends the lists of contract terms which are presumed to be unfair (“grey list”) or are outright prohibited (“blacklist”).

  6. Advanced Trader Compliance - as a means of ensuring that businesses adhere to such enhanced consumer protections, the Act also provides for areas of advanced trader compliance.

  7. Increased Enforcement Powers - increased enforcement powers have been given to authorised bodies including the Competition and Consumer Protection Commission (‘CCPC’). These increased powers allow the CCPC to apply to the courts for declarations or injunctions against businesses who mislead their consumers, or fail to provide them with the adequate remedies or compensation they are entitled to.

  8. Penalties - it is an offence to breach certain provisions in the Act, with secondary liability for officers of a body corporate where it is proved that the offence was committed with their consent, connivance or approval or be attributable to any wilful neglect on their part.
It will be a defence for the person to prove that due diligence was exercised, and all reasonable precautions were taken to avoid the commission of the offence.

A convicted trader will be liable for the costs and expenses of the proceedings and investigation unless the Court believes there are “special and substantial reasons” for not doing so. This is in addition to, and not instead of, any fine or penalty that the Court may impose. A trader may also be ordered, in certain circumstances, to compensate consumers for any loss or damage resulting from the offence. If the Court does grant a compensation order, this may be instead of or in addition to any fine or penalty imposed on the trader.

The Act also amends the European Union (Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws) Regulations 2020. When this amendment is implemented, these Regulations will specify that, where (i) an offence is committed under specified parts of the Act or certain provisions of the Consumer Protection Act 2007 and (ii) this also constitutes an intra-EU or relevant widespread infringement under those Regulations, then further fines can be imposed of up to 4% of relevant turnover or €2 million, depending on the circumstances.

Key Takeaway

In preparation of the commencement of the Act, firms should assess which aspects of the Act will impact them and make any necessary changes to their relevant documentation, such as business terms and conditions, to ensure they are accurate and not misleading and do not contain unfair terms and advertising. Firms should also review their internal processes to ensure compliance with this new framework.

If you have any queries arising from this article, please contact us at
DPC Fines Meta €265 Million for ‘data scraping’ leak
November 2022

On 29th November 2022, the Data Protection Commission (‘DPC’) imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (‘Meta’), data controller of the “Facebook” social media network, for failing to properly protect its data.

The fine relates to a data breach discovered in 2021 whereby personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials were included in a leak of the personal data of 533 million users across 106 countries including phone numbers, Facebook IDs, full names and birthdates that surfaced on a public forum and circulating widely on the web. Facebook subsequently fixed the vulnerability on this feature, where data could be collected by external parties through a process called scraping.

The DPC held Meta failed to comply with the GDPR obligation to ensure privacy "by design and default," meaning it had engineered its products in a way that personal data could leak.

The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for failing to protect children’s data.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry
28/11/2022 - Data Protection Commission
EBA Guidelines for Remote Customer Onboarding
November 2022

The European Banking Authority (EBA) has published its final Guidelines on the application of anti-money laundering and countering the financing of terrorism (AML/CFT) rules where customers are onboarded remotely.

The EBA are aware that designed persons, as defined under the Irish Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended, have been experiencing a growing demand for remote customer onboarding solutions, especially due to the restrictions on movement caused by the COVID-19 pandemic and that there is not sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context.

The Guidelines therefore set out the steps credit and financial institutions should take when choosing remote customer onboarding tools and when assessing the adequacy and reliability of such tools, in order to comply effectively with their AML/CFT obligations. The guidelines are technologically neutral and do not prioritise the use of one tool over another.

These guidelines establish common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence policies, and processes which must be followed when customers are onboarded remotely.

A list indicating considerations which the above-mentioned internal policies and procedures should set out is also provided within the Guidelines and includes:

  • the types of documents that are admissible and the information and authenticity checks that are necessary to identify the customer and verify their identity;
  • the level of human intervention required in the remote verification process;
  • the controls in place to monitor, on an ongoing basis, the correct and appropriate functioning of each remote customer onboarding solution and the effective implementation of the remote customer onboarding policies and procedures; and
  • a description of the induction and regular training programs to ensure staff awareness and up-to-date knowledge of the functioning of the remote customer onboarding solution(s), the associated risks, and of the remote customer onboarding policies and procedures aimed at mitigating such risks.
To see learn more on how RegSol can assist your firm in implementing the EBA’s Guidelines and/or provide tailored AML training relevant to your firm, please do not hesitate to contact us at
Mercer Global Investments Management Limited Fined €117,600 for Breaches of UCITS Regulations
November 2022

On 14th November 2022, the Central Bank reprimanded and fined Mercer Global Investments Management Limited (‘MGIM’) €117,600 pursuant to its Administrative Sanctions Procedure (‘ASP’) for six breaches of UCITS investment fund regulations (the ‘UCITS Regulations’).

MGIM, as a UCITS Management Company, was responsible under the UCITS Regulations for ensuring that certain information must be included in prospectuses and key investor information documents (‘KIIDs’) for funds it managed, and that this information should have been kept up to date in order to enable investors to make informed decisions about their investments.

The Central Bank found that, for varying periods between 1st July 2011 and 31st December 2018, the prospectuses and KIIDs for five sub-funds failed to disclose that the sub-funds relied upon an index-tracking strategy or provide the details of the index being tracked.

As a result, MGIM’s failure to comply with these requirements may have resulted in investors not being fully informed of the investment strategy of a particular fund or the risks associated with investment in that fund.

In addition, to ensure effective gatekeeping by the Central Bank in the authorisation of funds, the Central Bank reviews prospectuses (including any supplements to those prospectuses) before authorising a fund. The Central Bank noted the effectiveness of its gatekeeper role ultimately relies on accurate and complete information being submitted by firms seeking fund authorisation, as part of the assessment of their applications and in ongoing supervision.

The Central Bank’s investigation found that MGIM failed in its obligations to both investors and to the Central Bank by not including required information regarding index-tracking strategy in the prospectuses and KIIDs of five investment funds managed by MGIM.

Penalty Decision Factors

In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019 and highlighted the following particular factors in this case as:
  • The duration of the contraventions, which occurred for varying periods between July 2011 and December 2018.
  • The breaches constituted a significant departure from the standard required of MGIM.
  • MGIM had not previously come to the adverse attention of supervisors or been the subject of previous enforcement action by the Central Bank.
  • MGIM’s co-operation in the Central Bank’s investigation.
To read the Central Bank Enforcement Action Notice in its entirety, you can click on the following link:

Public statement relating to Enforcement Action between the Central Bank of Ireland and Mercer Global Investments Management Limited
Central Bank Dear CEO Letter on Protecting Consumers in a Changing Economic Landscape
November 2022

The Dear CEO Letter issued on 17th November 2022 by the Central Bank expands on the Consumer Protection Outlook Report 2022 and provides further guidance to firms on its expectations in a challenging economic landscape characterised by energy-driven inflation and uncertainty and the responsibility of firms to navigate these challenges in a manner that places the best interests of consumers at the heart of their commercial decision-making.

The Report highlighted five cross-sectoral risk areas facing financial services and set out specific actions to be taken by firms to address these potential risks, namely:

  • Actively identify and address risks to consumers that may potentially emerge from changes in the landscape within which the firm and/or its consumers are operating.
  • Have sufficient operational resilience to manage change without creating risks to consumers.
  • Proactively assess the risks and consumer impact a commercial decision may pose to new and existing customers, and develop comprehensive action plans to mitigate these risks whilst ensuring that customers understand what changes mean for them.
  • Have the customer service capacity and structures in place to meet expected service levels to provide a timely and customer focused service through all channels.
  • Consider the impact of their decisions on vulnerable customers and provide the assistance necessary. This should include specific and effective processes and communication plans to support vulnerable customers.
  • Only design and bring to market products with features, charges, and risks that meet the needs of consumers identified for the product.

Furthermore, the Appendix to the letter the Central Bank highlights a number of items for particular attention which should be incorporated into a firm’s work programme, senior management and board considerations, respective to the financial services that the firm provides.

Affordability and suitability

Firms should:
  • Ensure that credit is affordable, including, in the case of mortgage firms, adhering to specific obligations under Provision 5.9 of the Consumer Protection Code to assess affordability based on an interest rate increase (i.e. 2% at a minimum).
  • Prior to the sale of a financial product or during the course of a financial product, firms should pay particular attention to assessing not just the current circumstances of the consumer but how those circumstances could be impacted by the current economic outlook.
  • Identify consumers in vulnerable circumstances, including financial difficulty, and provide appropriate support.
  • Consider the consumer's short and long-term needs when advising on savings and investments, including factoring in anticipated day-to-day costs and unanticipated increases in costs.
  • Have clear procedures for calculating a consumer's capacity for loss.
  • Explain the impact that inflation may have on the performance/value of an investment.

Provision of relevant, clear and timely information

  • Consumers should be able to make informed decisions, shop around for better value and know the available support. Firms should provide information accordingly, including on websites, business premises and publicly available material.
  • Firms should inform consumers facing difficulties meeting their payment obligations under existing financial products of support available.
  • Changes to terms or conditions, which may impact the cost of a financial service or product, should be clearly explained by Firms to consumers.
  • Firms should use their data to identify and engage with groups of consumers that may benefit from early engagement.

Effective operational capacity

Firms should:
  • Be reactive and monitor and manage resources to respond appropriately to consumer needs (e.g. customers requiring credit, facing arrears or in need of swift processing of insurance claims and timely processing of credit applications).
  • Plan and ensure they have the required expert resources to assess individual circumstances and offer appropriate and sustainable solutions to consumers.
  • Staff should be trained appropriately, including knowing protections and supports for borrowers under the various Central Bank codes.
  • Pay attention to operational resilience and provide that payment services to consumers go uninterrupted.

Sales and product governance

Firms should:
  • Have robust product governance and oversight arrangements and develop action plans to mitigate such risks.
  • Consider the impact of increasing costs on consumers’ budgets (both to meet premium payments and in the event of an insurable event) in the context of sales and advice on insurance products.
  • Help consumers understand the implications of any reduction in insurance coverage.
  • Engage with consumers to ensure they understand any implications and avoid the cancellation of necessary coverage where customers choose to cancel or reduce insurance coverage due to affordability concerns.
  • Monitor and evaluate the investment products they sell, consider how their risk profile may change in this period of volatility, and seek to mitigate risks to clients accordingly. Relevant factors for consideration in due diligence on products include risk-return profile, liquidity, costs and charges, and any kick-out or trigger features that may alter the nature of an investment product under certain conditions.
If you have a query regarding any of the issues highlighted by the Central Bank above, or in particular, wish to discuss arranging tailored staff training in respect of the Central Bank codes, you can contact us at
Cyber-security Awareness e-Learning
November 2022

We are delighted to have partnered with BHConsulting on an innovative cyber-security e-learning course with an Irish perspective, hosted exclusively on the RegSol e-Learning platform (

At RegSol, our core competency is compliance and in particular regulatory compliance. So when our clients asked us to provide self-paced cyber-security e-learning alongside our compliance modules, we initially declined. However, it makes a lot of sense for employees to have a single portal where they can complete and review all of their e-learning modules in the same place. 

The benefits for our clients’ compliance managers, HR administrators, and IT teams are also compelling. Our in-house instructional designers have worked extensively with the cyber-security experts at BH Consulting to develop a course that can be rolled out to workforces at large. As with all of our courses, it can be easily tailored to include a firm’s own content e.g. specific links to your policies.

For more details on RegSol e-Learning please see our website here :

A full list of courses that we provide can be found here :

For more information, to discuss a trial, or to get a quote please contact us at:
Central Bank Highlights Under-Insurance in Home Insurance Market
November 2022

On 22nd September 2022, the Central Bank of Ireland (“Central Bank”) wrote to insurers telling them they must do more to warn customers of the risk of under-insurance in the home insurance market, in light of the impact of inflation on construction costs.

This follows a Thematic Review carried out by the Central Bank, which found that under-insurance in the home insurance market had been steadily increasing over the last five years – from an average of 6.5% of paid claims being under-insured in 2017, up to 16.5% in 2021.

The Central Bank's review of the home insurance market identified shortcomings in two areas:
  • clarity, consistency and timeliness of communication with consumers, and
  • the effectiveness of risk management tools in identifying and assessing risk to consumers.

The Central Bank also outlined its supervisory expectations for all firms that provide home insurance products to consumers to:
  1. Send a clear communication of the risks and examples of the consequences of under-insurance to policyholders, the reasons why this is currently a heightened risk and how policyholders can better estimate an adequate sums insured value, in a stand-alone, written form;

  2. Act honestly, fairly and professionally in the best interests of its customers and the integrity of the market.

  3. Put in place a clear plan to address the points raised in the Dear CEO Letter. The plan must include clear and reasonable timelines for implementation of mitigating actions, with appropriate governance and sign-off. The plan should be submitted to the Central Bank by 28 October 2022;

  4. Ensure the board has appropriate oversight of the plan to address the gaps identified, or the actions required.

The Dear CEO Letter can be found here and if you have any queries in how to apply the above Central Bank supervisory expectations to your firm, please contact us at
Whistleblowing in Financial Services Webinar 2022
November 2022

Broker’s Ireland will be hosting RegSol’s CEO AnneMarie Whelan to present at their webinar on whistleblowing in the Financial Services sector on Thursday 17th November 2022.

Webinar Details:

All financial service providers are required to have a policy or channel in place that allows employees to raise issues of concern with respect to non-compliance with financial services legislation without fear of retaliation from their employer. In addition, the Protected Disclosures Act 2014, which applies to all employing entities, was recently amended to transpose the European Whistleblowing Directive into Irish law. This webinar looks at the recent key changes to the legislation, the key obligations on employers and their increasing nature relative to the size of employing entity.”

For more details on the webinar and to sign up to attend, please go to the following link:

Whistleblowing in Financial Services Webinar 2022 | Brokers Ireland
Protected Disclosures (Amendment) Act 2021 comes into force on 1st January 2023
October 2022

The Protected Disclosures (Amendment) Act 2022 (the “Amendment Act”) will commence in its entirety on 1st January 2023.

The Act updates the Irish Protected Disclosures Act 2014 (‘2014 Act’) and transposes the EU Whistleblowing Directive into Irish law.

By 1st January 2023, the Amendment Act will have the following effect:

  • All organisations with 250 or more employees will be required to establish formal internal reporting channels for employees to report concerns about wrongdoing in the workplace.
  • The channels and procedures shall provide for acknowledgement of reports by a designated impartial person, within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • From 17th December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • Presently (under the Protected Disclosures Act 2014), employees, former employees, trainers, independent contractors and agency workers are protected. The Amendment Act, however, extends the scope of the protected disclosures regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • A new Office of the Protected Disclosures Commissioner will be established in the Office of the Ombudsman to support the operation of the new legislation. Mr Ger Deering, the current Financial Services and Pensions Ombudsman, will be the first Protected Disclosures Commissioner.

Establishing Internal Reporting Channels

Internal reporting channels and procedures may be operated internally by a person or department designated for that purpose or provided externally by an authorised third party.

The channels must be operated in a secure manner that ensures the confidentiality of the reporting person’s identity and any third party mentioned in their report.

Employees must be able to make their report in writing or orally or both.

Organisations who employ less than 250 employees may share resources for receiving and investigating reports which will allow group companies to avoid having to put in place multiple internal reporting channels.

Acknowledgement, Feedback and Follow Up

Strict deadlines for acknowledging receipt, following up and providing feedback are required to be put in place by way of the internal reporting channels and procedures:

  1. Receipt of a protected disclosure must be acknowledged in writing within seven days.

  2. Designate an impartial person who is competent to follow up on reports, will maintain communication with the reporting person and where necessary, will request further information from, and provide feedback to, that reporting person.

  3. The designated person must diligently follow up on the report within three months including carrying out an initial assessment of the accuracy of the allegations made and, where relevant, address the breach reported, including, by way of internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure.

  4. Feedback must be provided within three months, or six months in duly justified cases, informing the reporting person of the action envisaged or taken as follow-up and the grounds for such follow-up.

  5. Provision of clear and easily accessible information regarding: the procedures for making a protected disclosure, the conditions under which such reports may be accepted and follow-up undertaken, the procedures for making a protected disclosure to the Office of the Protected Disclosures Commissioner

New offices of the Protected Disclosures Commissioner

A new Office of the Protected Disclosures Commissioner (‘the Commissioner’) will be established within the Office of the Ombudsman to support the operation of the new legislation. The Commissioner will direct protected disclosures to the most appropriate body when it is unclear which body is responsible and where this body cannot be identified, the Commissioner will be obliged to accept and investigate the protected disclosure itself.

The Commissioner will have extensive powers to carry out their duties. They will have the power to require the production of information and/or or records, books, documents or other things and to require the attendance of any person for this purpose.

Enhancement of protections for workers

The Amendment Act further enhances the protections for workers who suffer penalisation as a result of making a protected disclosure by reversing the burden of proof in civil proceedings, expanding the provision of interim relief to include forms of penalisation other than dismissal, and providing for criminal penalties for penalisation.

The definition of penalisation is significantly expanded by the EU Whistleblowing Directive to include withholding of training, a negative performance assessment or employment reference, harm, including to the person’s reputation, blacklisting, and psychiatric or medical referrals.

The Amendment Act proposes to reverse the burden of proof for proceedings concerning allegations of penalisation for having made a protected disclosure. It also enables workers to seek interim relief from the Circuit Court for penalisation other than dismissal. The Bill provides for a maximum award of compensation in the sum of €15,000 from the Workplace Relations Commission for individuals who are not in receipt of remuneration from the employer with whom they are in a work-based relationship.

New offences

The Amendment Act makes it a criminal offence to:

  • hinder or attempt to hinder a worker in making a report;
  • penalise or threaten penalisation or cause or permit any other person to penalise or threaten penalisation;
  • bring vexatious proceedings;
  • breach the duty of confidentiality in section 16 regarding the identity of reporting persons;
  • make a report containing any information that the reporting person knows to be false; or
  • fail to establish, maintain and operate internal reporting channels and procedures.


The Amendment Act also provides for very substantial fines (ranging between €75,000 and €250,000 for convictions on indictment) and the possibility of a term of imprisonment not exceeding two years for employers who are found to have committed a criminal offence under the Amendment Act.

Key Takeaways

Although organisations with 50 – 249 employees have until 17th December 2023 to comply with the new legislation, consideration might be given now to have in place or review and enhance existing whistleblowing policies in anticipation of the introduction of the new enhanced regime.

Firms will also be required to designate the appropriate staff to receive protected disclosures in a secure and confidential manner and provide them with training particularly in relation to the new timelines for acknowledging and following up protected disclosures.

To see learn more on how RegSol can assist your firm in implementing the new Amendment Act, please contact us at
Central Bank Intermediary Times – October 2022
October 2022

In this latest edition of the Central Bank’s newsletter the following items are covered of interest to retail intermediaries:

  • Recent developments 
    • Changes to the Fitness & Probity application process and Central Bank Portal
    • Issuing of the 2021 industry funding levy
  • Central Bank publications relevant for retail intermediaries
    • An update on the Consumer Protection Code Review
    • Risk of under-insurance in the home insurance market and the role of insurance intermediaries (see RegSol’s article here)
    • The impact of Covid-19 on operational resilience and implications for customer service
  • Upcoming changes to the voluntary revocation process
  • Reminders on obligations relating to:
    • Changes in qualifying shareholdings
    • Legal Entity Identifiers for passporting retail intermediaries (see RegSol’s article here)
1. Changes to the Fitness & Probity application process

IQs for PCFs

For the submission of all applications to become a holder of a Pre-Approval Controlled Function (PCF) in 2023, Individual Questionnaires (IQs) will no longer be submitted through the Online Reporting System (ONR), but will instead be submitted through the Central Bank Portal (Portal). These changes will go live in Q1 2023 and aim to provide applicants with an enhanced process for submitting applications.

Changes to the Portal

Since 27th June 2022, Portal users have had the ability to link their ONR accounts to their Portal accounts, which allows users to access the returns service via the Portal platform. For those that have not yet taken this action, the Central Bank are requesting those to link their account as soon as possible, as access to the ONR via the old login screen will be removed for all users in 2023.

2. Changes to the Voluntary Revocation Process & Form

The Central Bank is introducing a number of changes to the voluntary revocation form (where a retail intermediary no longer wishes to retain its authorisation/registration) to ensure the firm assesses the impact of revocation on a its customers.

Complaints and Customer Awareness

The Central Bank expects all retail intermediaries applying for voluntary revocation to ensure their clients are not adversely affected by the action, and seek to address any outstanding complaints, where possible, ahead of making an application. Clients should be made aware of the fact that any complaint or claim made after the revocation of an authorisation/registration may not be covered by the firm’s Professional Indemnity Insurance (PII).

PII Cover

The Central Bank’s expectation remains that adequate PII cover is in place and will remain in place at least until the revocation has been granted. Firms also need to ensure that they make adequate provisions for liabilities that may fall due post-revocation, and should consider the use of run-off PII cover, where appropriate. From November 2022, in addition to the pre-existing conditions of revocation, the application form will also seek attestations from the applicant that:
  • PII is in place and will remain in place until the revocation is granted;
  • Where there are unresolved, unsatisfied or undischarged complaints against the applicant, that these have been notified to the applicant’s PII insurer;
  • The applicant will inform its PII insurer of any further complaints and/or potential claims that it is aware of up to the point of revocation; and
  • Where there is a complaint under assessment with the Financial Services and Pensions Ombudsman (FSPO) that the applicant has liaised with the FSPO in respect of the complaint and made adequate provisions for any potential liabilities that may arise from any settlement.

3. Changes to Qualifying Shareholdings – Obligations for Retail Intermediaries

The Central Bank reminds retail intermediaries of their regulatory requirements when engaging in transactions that involve a change in shareholding of the firm.

All Regulated Entities
  • In accordance with the Consumer Protection Code (CPC), where a firm intends to cease operating, merge with another, or to transfer all or part of its regulated activities to another regulated entity it must:
  • Notify the Central Bank immediately;
  • Provide at least two months’ notice to affected consumers to enable them to make alternative arrangements;
  • Ensure all outstanding business is properly completed prior to the transfer, merger or cessation of operations or, alternatively in the case of a transfer or merger, inform the consumer of how continuity of service will be provided following the transfer or merger;
  • In the case of a merger or transfer of regulated activities, inform the consumer that their details are being transferred to the other regulated entity, if that is the case.

Investment Intermediaries (Acquiring Transactions)

In addition to obligations under the CPC, prior approval from the Central Bank is required before a proposed acquiring transaction as defined under the Investment Intermediaries Act 1995 (IIA) can proceed.

Under the IIA an acquiring transaction means ‘any direct or indirect acquisition by a person or more than one person acting in concert of shares or other interest in an authorised investment business firm:

Provided that after the proposed acquisition –

(a) the proportion of voting rights or capital held by the person or persons making the acquiring transaction would reach or exceed a qualifying holding, or

(b) the proportion of voting rights or capital held by the person or persons making the acquiring transaction would reach or exceed 20 per cent, 33 per cent, or 50 per cent.

(c) an authorised investment business firm would become a subsidiary of the acquirer.’

Section 40 of the IIA requires the following:

‘An acquiring transaction shall not proceed until a supervisory authority has informed the authorised investment business firm and the party making the acquiring transaction in writing that it approves of the acquiring transaction or until three months have elapsed during which the supervisory authority has not refused to approve of the acquiring transaction.’

Insurance Intermediaries

While prior Central Bank approval is not required for a change in shareholding for insurance intermediaries, firms should note that Regulation 12 of the Insurance Distribution Regulations 2018 (IDR) sets out the following requirement:

An insurance, reinsurance and ancillary insurance intermediary or, where applicable, an insurance or reinsurance undertaking, shall notify the Bank in writing without undue delay of any material change in the information provided under Regulation 9(8)2.

Therefore, it is a requirement under the IDR for insurance intermediaries to notify the Central Bank, without undue delay, of any material change in shareholdings and any material change in the information provided under Regulation 9(8).

If you have a query regarding any of the issues highlighted by the Central Bank above, contact us at

To read the Intermediary Times publication in full, please see the link below:

Intermediary Times October 2022 (
BOI Fined Record €100.5m for Tracker Mortgage Failures
October 2022

On 27th September 2022, the Central Bank of Ireland (“Central Bank”) reprimanded and fined The Governor and Company of the Bank of Ireland (“BOI”) €100,520,000 pursuant to its Administrative Sanctions Procedure for a series of significant and long-running failings in respect of almost 16,000 tracker mortgage customer accounts which were impacted between August 2004 and June 2022.

This is the largest fine imposed to date by the Central Bank and is in addition to the more than €186.4m BOI has already paid to impacted customers identified prior to and as part of the Central Bank’s Tracker Mortgage Examination.

BOI admitted in full to 81 separate regulatory breaches.

The Central Bank’s investigation found that BOI failed in its obligations towards its customers under the European Communities (Unfair Terms in Consumer Contracts) Regulations, 1995, the Code of Practice for Credit Institutions, 2001 and the Consumer Protection Codes 2006 and 2012.

BOI’s failures resulted in the loss of 50 properties, including 25 family homes, which the Central Bank believed would have been avoided if BOI had complied with the most basic and fundamental of its consumer protection obligations.

The main findings from the Central Bank’s investigation were that BOI:
  • Provided unclear contractual documents to its tracker customers,
  • Failed to interpret its unclear contractual documents in customers’ best interests,
  • Failed to warn customers about the consequences of decisions relating to their mortgage,
  • Implemented an unfair complaints-handling practice for customers, returning them to a tracker rate only when they queried or complained about their mortgage rate,
  • Had deficient mortgage systems and controls which contributed to a significant number of operational errors,
  • Wrongfully excluded customers from the protections of the Central Bank’s examination of tracker mortgages, including them only after significant challenge by the Central Bank.

BOI is the last of the main retail banks to receive a penalty and reprimand after they denied tracker rates to their customers who were entitled to them when the financial crisis began over a decade ago, or put them on the wrong rates, because the products were starting to cost the lenders money.

Each investigation was concluded by way of settlement, with historic levels of fines imposed on lenders on foot of the Central Bank’s findings, as follows:
  1. May 2019             PTSB             €21m

  2. September 2020   KBC               €18.3m

  3. March 2021          Ulster Bank   €37.7m

  4. June 2022             AIB                €83.3m

To read the Central Bank’s Enforcement Notice against BOI, please go to the following link:

Public statement relating to Enforcement Action against the Governor and company of the Bank of Ireland (
Protected Disclosures (Amendment) Act 2021 to commence on 1st January 2023!
October 2022

The Minister for Public Expenditure and Reform yesterday (12th October 2022) signed the commencement order for the Protected Disclosures (Amendment) Act 2022 (the “Amendment Act”) confirming on 1st January 2023 the Amendment Act will commence in its entirety.

By 1st January 2023, the Amendment Act will have the following effect:
  • All organisations with 250 or more employees will be required to establish formal internal reporting channels for employees to report concerns about wrongdoing in the workplace.
  • The channels and procedures shall provide for acknowledgement of reports by a designated impartial person, within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • From 17th December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • Presently (under the Protected Disclosures Act 2014), employees, former employees, trainers, independent contractors and agency workers are protected. The Amendment Act, however, extends the scope of the protected disclosures regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • A new Office of the Protected Disclosures Commissioner will be established in the Office of the Ombudsman to support the operation of the new legislation. Mr Ger Deering, the current Financial Services and Pensions Ombudsman, will be the first Protected Disclosures Commissioner.
For greater insight on how the new Amendment Act may impact your firm, please see our detailed August Blog Post below or do not hesitate to contact us at

RegSol - Blog (Protected Disclosures (Amendment) Act 2021)
Climate Change Risk highlighted in CBI Insurance Newsletter September 2022
September 2022

On 20th September 2022, the Central Bank of Ireland (“CBI”) published its regular Insurance Newsletter for September 2022.

While the Newsletter is directed at (re)insurers, the CBI’s observations in relation to climate change risk (following a thematic review of a sample of (re)insurer’s Own Risk and Solvency Assessments (“ORSAs”)), the Central Bank has helpfully included a collated list of all CBI publications on Climate Risk to date.

The relevant article also sets out guidance on how any regulated entity can implement climate change risk considerations into business strategies.

The CBI’s three main observations were:
  1. Take a holistic approach to climate change risk to better understand risks to the business, secondary impacts, materiality and areas of further focus;

  2. Consider impacts of climate change to the business model beyond the short term; and

  3. Link climate change risk assessments to strategy, in order to manage or mitigate risks rather than simply monitoring them.
In the ORSAs reviewed, the CBI observed some examples where climate change risk had been integrated into a (re)insurer’s business planning and strategic thinking and identified examples of good practices observed including:
  • Embedding the consideration of climate change risk into risk management processes, e.g. updating risk management policies based on conclusions of assessments carried out;

  • Developing a sustainability strategy to define the (re)insurer’s objectives in respect of climate change; and

  • Identifying potential opportunities that arise and ways to develop business models in the future as a result of climate change. The CBI expects (re)insurers to integrate findings and conclusions from risk and scenario analysis into their future strategy to ensure a sustainable business model, e.g. by updating their risk appetite, setting key performance indicators in respect of climate change risk, etc.
To read the Newsletter in full, please go to the following link:

Insurance Newsletter - September 2022  (
New Financial Services and Pensions Ombudsman Appointed
September 2022

The new appointment of Liam Sloyan as the Financial Services and Pensions Ombudsman (FSPO) for a five-year term has been announced, which appointment is effective from 1st December 2022.

The FSPO objective is to act as an independent, impartial, fair and free service that helps resolve complaints from consumers, including small businesses and other organisations, against financial service providers and pension providers.

Mr. Sloyan previous led a number of public bodies such as the Health Insurance Authority, the National Treatment Purchase Fund, and as Regulator of the National Lottery.

Mr. Sloyan’s appointment follows the appointment of former FSPO, Ger Deering, as the Ombudsman and Information Commissioner in February 2022.

Mr. Deering was appointed as Financial Services Ombudsman in April 2015 and subsequently, as Pensions Ombudsman in May 2016. He led the establishment of the Office of the FSPO in January 2018, following the amalgamation of the Financial Services Ombudsman Bureau and the Office of the Pensions Ombudsman.

To read the announcement in full, please go to the following link:

Minister Donohoe appoints Financial Services and Pensions Ombudsman  (
Instagram Fined record €405 million for Breach of Children's Data Rights
September 2022

On the 2nd September 2022, Instagram (owned by Meta, formerly known as Facebook), was fined €405 million by the Data Protection Commission (“DPC”) for breaches of the GDPR after a two-year investigation into how the social media platform handles children’s data.

It is the largest fine ever imposed by the DPC and once it has been paid, the money will go to the Irish exchequer. It is also the third fine for a Meta-owned company handed down by the DPC.

The fine, which is the second largest GDPR penalty to ever be handed down (Luxembourg’s data protection authority (CNPD) fined Amazon a record €746 million for non-compliance in July), covers alleged violations stemming from Instagram's default account settings for children ages 13-17.

Recital 38 of the GDPR highlights that where children’s data is used to create user profiles, specific protections should apply since children may be less aware of the risk, consequences and safeguards and their rights in relation to the processing of data.

The breaches concerning Instagram related to:

  1. Teenage users aged 13-17 being allowed to operate ‘business accounts’ on Instagram, which resulted in the publication of their phone numbers and email addresses.

  2. All accounts, including the accounts of teenage users, were set to public by default, unless the user affirmatively changed the privacy settings.

The investigation into the allegations began in October 2020 and the preliminary decision by the DPC was subject to a dispute resolution procedure under Article 65 of the GDPR. After submitting a draft decision for consideration by its peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), in December 2021, six of them raised objections. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB rejected some of the concerns, but upheld objections requiring the DPC to amend its draft decision to include an additional finding of infringement. The DPC's original draft decision had recommended a fine of up to €405m. The final penalty of €405m included a fine of €20m for an additional infringement that the DPC was asked to include.

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

Instagram has indicated it intends to appeal the decision.

For further details on the DPC’s decision, you can click on the following link:

Data Protection Commission announces decision in Instagram Inquiry
Central Bank of Ireland Enforcement Action – Danske Bank reprimanded and fined €1.82m for AML/CFT transaction monitoring failures
September 2022

On 13th September 2022, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined Danske Bank A/S, trading in Ireland as Danske Bank, €1,820,000 pursuant to its Administrative Sanctions Procedure for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended (the “CJA 2010”).

This is the first penalty that the Central Bank has imposed on a financial institution which is incorporated and authorised outside of Ireland, but which operates here as a branch on a passport basis.


The three breaches arise from the failure by Danske Bank to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch which occurred over a period of almost nine years, between 2010 and 2019.

The three breaches comprised of failures by Danske Bank under the CJA 2010 related to:

  • Transaction Monitoring: Danske Bank failed to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customer for money laundering and terrorist financing risk at its Irish branch for a period of almost nine years.
  • Enhanced Customer Due Diligence: In failing to conduct automated transaction monitoring in respect of certain categories of customers, Danske Bank’s Irish branch did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures might be required.
  • Anti-money laundering / Countering the Financing of Terrorism policies, procedures and controls: The policies, procedures and controls put in place by Danske Bank did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction monitoring.


The failure arose from historic data filters that were applied within Danske Bank’s automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske Bank was found to have failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA 2010 when it came into force in Ireland in 2010. This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske Bank as high and medium risk.

Danske Bank became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue.

It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, but the Central Bank said it was not informed of the issue until February 2019. As a result, the failures to rectify the issue and to notify the Central Bank promptly were considered aggravating factors in the case.

Central Bank on Transaction Monitoring

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham said…“It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious.”

In 2020, the Central Bank had highlighted in its AML Bulletin on Transaction Monitoring the importance of monitoring customer transactions to detect potentially suspicious activity. The Bulletin noted that the CJA 2010 specifies that a designated person must monitor customer transactions in order to identify transactions that may be suspicious in nature, and that the intensity of the monitoring should increase with the complexity and scale of those transactions so that the risk of ML/TF is also factored into the transaction monitoring process.

Therefore, while firms may rely on automated solutions for transaction monitoring, the Danske Bank case reiterates the requirement for firms to ensure it has in place controls, policies and procedures that are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their ML and TF risk exposure.

Do you have any questions on Transaction Monitoring? Reach out to us at for information on our training courses and consultancy services.

To read the Central Bank Enforcement Action Notice in its entirety you can click on the following link:

Public statement relating to Enforcement Action against Danske Bank A/S (
DPC Guidance on Data Transfers to 3rd Countries
August 2022

The Data Protection Commissioner (‘DPC’) reminds entities that the transfer of personal data from the EU to controllers and processors located outside the EU in third countries (i.e. any country outside the European Economic Area (‘EEA’)), while necessary for international trade and international co-operation, should not undermine the level of protection of the individuals concerned.

Such transfers to third countries or international organisations should be done in full compliance with Chapter 5 (Articles 44 – 50) of the General Data Protection Regulation (the ‘GDPR’).

Article 45 – Transfers on the basis of an adequacy decision

The DPC notes that the first thing to consider when transferring personal data to a third country is if there is an “adequacy decision” – this is where the European Commission has decided that a third country or an international organisation has an adequate level of data protection taking into account factors such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection.

The effect of such an adequacy decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary, effectively meaning the transfer is the same as if it was carried out within the EU.

Article 46 – Transfers subject to appropriate safeguards

Where there is no adequacy decision, the DPC highlights that the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

  1. Standard data protection clauses – these are model data protection clauses that have been approved by the European Commission and contain contractual obligations on the Data Exporter and the Data Importer and rights for the individuals whose personal data is transferred.

  2. Binding corporate rules (‘BCR’) – these rules form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's EEA entities to the group’s non-EEA entities. There are two types of such rules which can be approved - BCR for Controllers which are used by the group entity to transfer data that they have responsibility for such as employee or supplier data; and BCR for Processors which are used by entities acting as processors for other controllers and are normally added as an addendum to a Service Level Agreement contract.

  3. Approved Codes of Conduct - The use of Codes of Conduct as a transfer tool, under specific circumstances, has been introduced by the GDPR in Article 40(3). While voluntary, they set out specific data protection rules for categories of controllers and processors providing a detailed description of what is the most appropriate, legal and ethical behaviour within a sector.

  4. Approved certification mechanisms - Article 42(2) of the GDPR allows for certification mechanisms by an independent body of a written assurance (a certificate) that the product, service or system in question meets specific requirements, may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries which are binding and safeguards data subject rights.
For further information on the Guidance, please see the link below:

Transfers of Personal Data to Third Countries or International Organisations | Data Protection Commissioner
Central Bank (Individual Accountability Framework) Bill 2022
August 2022

The Central Bank (Individual Accountability Framework) Bill 2022 (‘the Bill’) was published on 28th July 2022. Its principal purpose is to confer powers on the Central Bank of Ireland (the ‘CBI”) and provide greater detail on the four pillars of the individual accountability framework (‘IAF’), namely the Senior Executive Accountability Regime; the Conduct Standards; the Fitness and Probity Regime; and the Administrative Sanctions Procedure.

As noted by Gerry Cross, Director of Financial Regulation, on 21st February 2022 in an address to the Compliance Institute: “The Framework is fundamentally about underpinning good conduct and high quality governance and culture within firms. It is about being clear who is responsible for what and ensuring that reasonable steps are taken to fulfil those responsibilities. It is aligned with what will already be sound practices at well-governed and organised firms. The framework is, and our approach to implementation of it will be, firmly founded in proportionality and what is reasonable.”


Under the Senior Executive Accountability Regime (‘SEAR’) regulated financial service providers (‘firms’) will be required to set out clearly where the responsibility and decision-making of the firm lies.

The Bill proposes to extend the regulation-making power of the CBI to give effect to SEAR. This will enable the CBI to make regulations in relation to inherent responsibilities and prescribed responsibilities, which relate to pre-approval controlled function (‘PCF’) holders.

This includes a new legal “duty of responsibility” on PCF holders who fall within the scope of SEAR to take “any steps that it is reasonable in the circumstances for the person to take” to ensure the firm does not breach its obligations under financial services legislation. When considering if the relevant individual has discharged their “duty of responsibility”, the CBI will consider all relevant circumstances, examples of which are set out in the Bill include the function of the person and the level of knowledge and experience that a person with such function could reasonably be expected to have. If a contravention of the duty occurs, the individual may be held directly accountable for the breach and be subject to the CBI’s Administrative Sanctions Procedure.

Initially, SEAR is expected to extend only to credit institutions, insurance undertakings (except reinsurance, captive (re)insurance and insurance special purpose vehicles), certain investment firms and any third country branches of those companies.

Conduct Standards

The Bill provides for the introduction of three types of conduct standards for firms and their staff as follows:

• Business Standards (for firms);

• Common Conduct Standards (for individuals); and

• Additional Conduct Standards (for individuals in the most senior roles).

1. Business standards for firms

The Bill (Section 5) provides for a new regulation-making power for the CBI to prescribe business standards within which firms will be obliged to comply to ensure they act in the best interests of customers and of the integrity of the market; act honestly, fairly and professionally; and act with due skill, care and diligence. The business standards will apply to all firms and a breach will be considered a prescribed contravention for purposes of enabling the CBI to enforcement action.

2. Common conduct standards for individuals

The Bill (Section 6) provides for the following individual conduct standards:
  1. Common Conduct Standards: these standards will apply to all persons performing controlled functions (i.e. CF or PCF roles).

  2. Additional Conduct Standards: these standards will apply to more senior persons performing PCF roles or who exercise a significant influence on the conduct of the firm’s affairs, for example, chief executives, executive or non-executive directors, heads of functions. Such persons will need to comply with both the Common Conduct Standards and the Additional Conduct Standards, regardless of whether their role is within the scope of SEAR.

Firms must ensure that they notify any relevant persons of the conduct standards that will be expected of them and that they provide training on these standards. The Bill also provides that the CBI will provide guidelines relating to the notification and training obligations of firms.

Certificate of Compliance with Standards of Fitness and Probity

Part 3 of the Bill strengthens the existing obligations on firms in relation to the fitness and probity of their key personnel. The Bill provides that firms will only allow an individual to perform a CF role if a certificate of compliance with standards of fitness and probity is in force in relation to the person. A certificate can be given only if the firm “is satisfied on reasonable grounds” that the person concerned complies with any standard of fitness and probity in a code issued under Section 50 of the Central Bank Reform Act 2010 Act 2010 Act and the person has agreed in writing to comply with any such standard.

The CBI will have the power to make regulations in relation to the form and content of these certificates, the validity period of a certificate and the firm’s procedures in relation to the giving or revoking of a certificate.

Administrative Sanctions Procedure (‘ASP’)

The Bill also makes a number of amendments to the Central Bank Act 1942 which underpins the ASP:

  1. High Court oversight for the ‘settlement process’ under section 33AR of the 1942 Act (where the firm or individual acknowledges the commission of the prescribed contravention). Therefore, any sanction imposed by the CBI will only have effect if confirmed by the High Court.

  2. The High Court will confirm the decision unless it is satisfied that the CBI “made an error of law” in its decision or that a sanction is manifestly disproportionate.

  3. The Bill provides a list of relevant considerations that the CBI must take into account when determining whether to impose a sanction, what sanction to impose and the level of any monetary penalty to impose including the person’s seniority and level of responsibility in the firm and whether the person’s conduct was intentional, negligent or dishonest.

  4. The Bill replaces the concept of a ‘person concerned in the management of an RFSP’ with the concept of a ‘person performing a controlled function’ with a view to facilitating individual accountability of the relevant individual.

Next steps

The Bill is yet to be enacted and once the legislative process is completed, the CBI will prepare relevant guidelines and regulations to be issued under the Bill. Relevant firms and senior executives should note that the framework will require significant training and having the appropriate processes in place.

RegSol will keep our clients updated on progress of the Bill and any draft guidelines and regulations once published. If you require assistance in planning for SEAR and IAF or assessing your current framework, contact us at
New EBA Guidelines on ML/TF risk factors
August 2022

The European Banking Authority (‘EBA’) published revised Guidelines (updated on 8th August 2022) on customer due diligence (‘CDD’) and the factors to be considered when assessing the risk of money laundering (‘ML’) and terrorist financing (‘TF’) under the 4th and 5th Money Laundering Directives (repealing and replacing the 2017 guidelines).

The Guidelines set out the factors to be taken into account by credit and financial institutions when assessing the ML /TF risks associated with their activities and business relationships or with an occasional transaction with a natural or legal person.

The Guidelines also feature guidance on:

  • how financial institutions can adjust their CDD measures to mitigate the ML/TF risk they have identified so as to make them more appropriate and proportionate;
  • the identification of beneficial owners;
  • the use of innovative solutions to identify and verify customers’ identities;
  • how financial institutions should comply with enhanced CDD (‘EDD’) requirements relating to high-risk third countries;
  • new sectoral guidelines for crowdfunding platforms, corporate finance advisory firms, account information service providers, payment initiation services providers, and firms providing currency exchange services;
  • more details on TF risk factors;

The guidance highlights that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, financial institutions should take steps to effectively manage the ML/TF risks associated with individual business relationships.

To read the EBA Guidelines in their entirety, please see the following link:

Final Report on Guidelines on revised ML TF Risk Factors.pdf (