RegSol Blog

RegSol Blog Posts

Investment Firms: CRD V Structural Reform in EU Prudential Rules
October 2019

In April this year, a review of the prudential framework for investment firms for MiFID II was approved under the auspices of building the Capital Markets Union. The purpose of the revised legislation will be to improve investment flows and ensure proportional rules level the playing field among larger institutions and simpler, less risky firms. 

The legislation will aim to provide clarity on equivalence rules for the provision of investment services by third country firms. And most importantly, is an important step towards the completion of the European post crisis regulatory reforms. 

Together, these reforms affect all European banks and investment firms and require significant implementation over a period of multiple years. There will be material changes to the capital and funding needs of firms as well as to their governance, risk management, systems and controls, reporting, recovery and resolution planning and in some cases corporate structures. 

CRD V will update the framework of harmonised rules established in the wake of the financial crisis, the so-called 'Single Rulebook'.

The 'Single Rulebook' ensures that:

  • banks & investment firms have enough capital to cover unexpected losses and are prepared to withstand economic shocks 
  • obliged entities have fewer incentives to take excessive risks.

Some outstanding elements of the reform that are key to ensure a firm’s resilience but have only recently been finalised by global standard setters (i.e. the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB)) include: 

  • New Framework for low prudential risk profile investment firms to mitigate comparative weakness of EU investment bank sector through the Investment Firms Directive in 2021
  • ECB Oversight over systemic investment firms or “class 1” firms which consolidated assets exceeding EUR 15 billion and those over EUR30 billion into same supervisory regime for banks
  • Regulation of Financial Holding companies subject to all requirements of the prudential framework as it relates to their consolidated position and Corporate Governance
  • Intermediate Parent Undertaking: requirement for large third country group to be owned by the IPU. This exists where there is at least one subsidiary that is an EU large investment firm within its group and where the parent entity is established in a non- EU country or third country.
  • Branch regulation- introduction of minimum harmonised reporting requirements for EU branches of third country banks and requirement for EU regulators to cooperate to ensure a consolidated approach to supervision

Even though these structural legislative reforms may be delayed, it would be prudent for investment service firms to work through the implications of the new reforms, in that authorisations may need to be prepared together with a restructuring process and corporate governance planning. 

RegSol is here to assist with regulatory impact analysis and can help you manage the impact of regulatory change.

By Judy de Castro - Regulatory Consultant
Google France and the Right to be Forgotten
October 2019

The Right to be Forgotten, a privacy right enshrined in the GDPR regulations which came into force in May last year has been tested in the European Courts. Arising from the French Data Protection Commissioner’s (CNIL) ruling that required Google to apply the right to be forgotten to all searches in all Google domains. CNIL ruled that in order to be effective, delisting was to be carried out on a global scale in a single processing. So, if Google detected a user in Ireland, they wouldn’t be able to see removed results, even if they clicked onto 

Google appealed the ruling sparking a long drawn out battle with Google’s counsel arguing that if French law applied globally, how long would it be until other countries started demanding their laws likewise have global reach….

Last week Tuesday saw the European Court of Justice (ECJ) limiting the provisions of EU law and therefore reducing delisting to search engine operators in the EU which means the right to be forgotten will be seen only on European versions of Google search pages- or, but not on 

The ECJ does require Google to put in measures to discourage EU internet users from finding that information but in practical terms, it seems unrealistic to achieve this. Performing the role of a “sub regulator”, one could argue, Google has had to in the past determine on 850,000 separate requests to remove links to about 3.3 million websites. Now they’ll have arguably greater and almost supervisory-like powers in deciding what personal data is kept in the public domain. 

If you’d like assistance with GDPR Compliance, please contact your RegSol Consultant for assistance.

By Judy de Castro - Regulatory Consultant
Spotlight on Transparency for Financial Brokers: New Insurance Renewal Requirements & New Consumer Protection Code Addendum March 2020
October 2019

In July 2016, the Government established the Cost of Insurance Working Group (CIWG). The objective of the CIWG was to identify and examine the drivers of the cost of motor insurance and to recommend short-, medium- and longer-term measures to address these issues. 

In January 2017, the Report produced by the CIWG on the Cost of Motor Insurance was published by the Department of Finance, which included an Action Plan to implement the identified recommendations.  Coming into force on 1 November 2019, the Non-Life Insurance (Provision of Information) (Renewal of Policy of Insurance) (Amendment) Regulations have been designed to afford greater protection for the consumer in providing more transparency to insurance policyholders, a key theme in the output of the Consultation Paper 114 and to be shortly in force as a result of the amendment regulations. 

In the pursuit of transparency however, are consumers already bombarded with too much information and overloaded arguably with too much choice? The Central Bank and CIWG would argue that this is important to allow consumers to shop around. Let’s evaluate the nature of these changes which can be summarised as follows: 

  • Insurers must provide additional information on the premium breakdown to consumers and must offer a price on all the cover options they offer. It is proposed that insurers will also be required to provide this additional information on the premium breakdown when a person first gets a quote for a policy as well as at renewal notice stage, together with the other information referred to in Regulation 6.
  • Insurers must extend the current renewal notification period from 15 working days to 20 working days to make it easier for motorists to compare pricing when purchasing motor insurance; and
  • an insurer shall, in respect of a policy of private motor insurance to be renewed, include, on the same page as the renewal premium is first set out, the following information:
    • the premium paid in the previous year, or 
    • where applicable, following any mid-term adjustment made to the policy in the previous year— 
      • the provision of an annualised premium figure for the previous year excluding fees or charges applied as a result of that adjustment, and
      • a statement indicating that the annualised premium figure shown may not reflect the actual premium paid in the previous year.

Last week we saw the headlines and radio interviews with the Central Bank of Ireland explaining the new addendum to the Consumer Protection Code (CPC) designed to take into account provisions arising from the EU (Insurance Distribution) Regulations 2018 and “Enhanced Consumer Protection Measures,” following consultation paper CP116 on intermediary inducements. The following parts of the CPC amended and effective from 31 March 2020 are as follows:

  • Chapter 3- Conflicts of Interest- avoiding conflicts of interest by placing consumer’s best interests above the consideration of fees, commissions, rewards or remuneration linked to targets relating to volume and bonus payments linked to business retention 
  • Chapter 4- Provision of Information
    • using the term “Independent” restricted to regulated activities on the basis of a fair analysis of the market AND where the intermediary does not accept and retain any fee, commission or other reward or remuneration where advice is provided in respect of regulated activities. Exceptions are minor and restricted to non- monetary benefits (conference, hospitality, IT Software) and fees paid by a consumer. Note also the amendment to 4.16 A regarding MiFID Article 3 services in using the term “independent”
    • Summary details of all arrangements for any fees, commission, other reward or remuneration paid or provided to intermediary must be made available in its public offices or on its website and brought to the attention of the consumer
  • Chapter 12- Definitions
    • Press release information is available HERE.

If you require assistance with Consumer Protection whether it is training or a compliance review or audit, please contact RegSol.

By Judy De Castro - Regulatory Consultant
New AML Guidelines for the Financial Sector
September 2019

Launched in a private event by the Central Bank on the 6th of September.

Click HERE to view and download the document.
PSD 2 Deadline: Strong Customer Authentication
September 2019

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA requirement comes into force from 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.

Where and How?

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer: 

(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The directive defines strong customer authentication essentially as two-factor authentication in Article 4(30): 

an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

Requirement for Authorisation

You will require authorisation/registration for PSD2 if you provide one of the payment services listed in the schedule to the Payment Services Regulations 2018, unless you are either excluded from the scope of PSD2 or are one of the institutions referred to in Article 1(1) of PSD2. An authorisation/registration under PSD2 is valid in all Member States and allows the payment institution concerned to provide the payment services covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

In advance of submitting an application for authorisation/registration under PSD2, a firm should satisfy itself that its proposed business model requires authorisation/registration.
If you are unsure as to whether your proposed activities require authorisation/registration or if you are unsure as to how you should comply with the authorisation/registration requirements, RegSol can assist.

By Judy de Castro - Regulatory Consultant
Understanding the Public Services Card Data Protection Breach
September 2019

On Friday 16 August, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). 

The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law. 

The Department of Employment Affairs and Social Protection’s processing of personal data during the issuing of the Public Services Cards for use in transactions between a person and a public body other than the department was found to be unlawful. 

The Data Protection Commissioner also found that blanket retention of personal data also contravened data protection law. This means that personal data held on more than three million card holders must now be deleted. At a cost of about €60 million to roll out, with savings of only €2.5 million in welfare fraud, the card targets social and economically vulnerable people forcing them to trade their personal data for services to which they are entitled.

But why does this matter to you?

Personal data collected by the department included a photo, gender, address, all digitally encoded, as well as the creation of a biometric facial recognition database. 

The risks associated with maintaining data such as fingerprints, retina screening and facial recognition or biometric data (metrics related to human characteristics) have obvious technical security considerations, but consider the encroachment of state authority over human dignity? It is also possible that biometric data may be used in ways for which the individual may not have consented as is the case here, but also it could disclose physiological and/or pathological medical conditions that the person may not even know about. 

For example, fingerprint patterns can be related to chromosomal diseases, iris patterns could reveal vascular diseases, behavioural biometrics could reveal neurological diseases. Excessive perhaps for accessing social welfare payments? Then think about other public bodies that collect your information and may not do a good job of protecting it or deleting it. 

Any organisation subject to data protection law is required to create a database of personal information collected and in this record of processing specifics on what documentation is collected and for what purpose must be detailed. Organisations must consider unintended consequences and understand security measures in place to protect this personal data. They must think about retention periods and note that blanket retention periods are never okay, requesting excessive information and using it for purposes other than initially agreed isn’t okay either.

If you need help with your data protection requirements, contact RegSol for consultancy or enrol on a course on our training website here.

By Judy de Castro - Regulatory Consultant
Brokers and Treatment of Vulnerable Consumers: Practical Considerations
September 2019

Vulnerable Adults often find themselves excluded from mainstream society. Excluded from the community because they are restricted in capacity and cannot read social cues, excluded from social media because they cannot navigate technology, marginalised by society because of their age, illiteracy, disability, physical or mental ill health, they are on the fringes because they do not fit in.

Despite their perceived marginalised status, vulnerable adults are becoming more mainstream and businesses and organisations alike are taking notice:


The OECD Adult Skills Survey shows that 17.9% or about 1 in 6, Irish adults are at or below level 1 on a five-level literacy scale. Ireland ranks 15th out of 24 participating countries. At this level a person may be unable to understand basic written information.

25% or 1 in 4 Irish adults score at or below level 1 for numeracy compared to just over 20% on average across participating countries. This places Ireland even further down the international rankings in 19th place.

42% of Irish adults score at or below level 1 on using technology to solve problems and accomplish tasks (Nala Ireland)

Age: 65 years and over

This age group saw the largest increase in population since 2011, rising by 102,174 to 637,567, a rise of 19.1%.  The census recorded 456 centenarians, an increase of 17.2% on 2011.  

Over half a million or 577,171 in this older age group lived in private households, an increase of 19.6%, while those in nursing homes increased by 1,960 to 22,762. (CSO)


By 2041 the numbers of people in Ireland with dementia will have tripled. In fact, a conservative estimate suggests that by 2041 some 140,000 people will have dementia. (Dementia Ireland)

Mental Health

It is estimated that one in four people will experience some mental health problems in their lifetime. The WHO’s Commission on Social Determinants of Health stated that depressive mental illnesses will be the leading cause of disease in high income countries by 2030. (Mental Health Ireland)

Serious Illness

Every 3 minutes in Ireland someone gets a cancer diagnosis. Incidence of cancer is growing and by 2020, 1 in 2 of us will get a cancer diagnosis in our lifetime.*

  • By 2020, 1 in 2 people in Ireland will develop cancer during their lifetime.*
  • In Ireland more than 40,000 new cases of cancer or related tumours are diagnosed each year. (National Cancer Registry of Ireland (NCRI))

How should brokers treat vulnerable consumers when providing them with financial advice? What accommodation should be made with a consumer presenting with these conditions and how should a Broker proceed to ensure they are acting fairly, professionally and in the best interests of these types of consumers especially if they are subject to financial abuse?

The table below provides some guidance on how to employ resources effectively in acting in the best interests of vulnerable consumers:

If you would like more information on how to effectively implement your consumer protection code requirements or would like to receive Consumer Protection Code training, please contact your consultant/trainer at RegSol.

*1 in 2 by 2020 is a projection based on current data provided by the NCRI. It makes allowances for variables such as aging population, lifestyle and other factors.

By: Judy DeCastro - Regulatory Consultant

Launch of the CRO’s Beneficial Ownership Register
August 2019

In March 2019, the Minister for Finance signed into law Statutory Instrument No 110 of 2019 to establish a Central Register of Beneficial Ownership of Companies and Industrial and Provident Societies (the RBO) - Click HERE to view   

The Registrar of Companies has been appointed as the Registrar of Beneficial Ownership of Companies and Industrial & Provident Societies with effect from 29 July 2019. 

Accordingly, the RBO is now open to accept filings.

Filing of beneficial ownership data can only be made on-line through a portal on the RBO website at There are no paper forms and no filing fees involved. Companies and societies will have until Friday 22 November to file their data with the RBO without being in breach of their statutory duty to file. The RBO will write to each company and Industrial & Provident Society about their filing obligations in the coming days. 

Under Part 3 of the 2019 Regulations, the PPS number of each beneficial owner (who has such a PPS number) must be reported by the company/ industrial and provident society to the Register (but will not be included on the RBO). The Registrar will cross-check that PPS number with the Department of Employment Affairs and Social Protection to ensure that the names match. This is an extra verification step that the Registrar will use to ensure that the information held on the RBO is accurate and that the RBO does not contain duplicate entries. For a beneficial owner who does not have a PPS number, the Registrar has now confirmed that a Form BEN2 (Declaration as to Verification of Identity) will be used to verify that beneficial owner’s identity.

A process has been developed to enable beneficial owners who do not currently have an Irish Personal Public Service Number (PPSN) to file with the RBO. Full details are provided in a specific FAQ on the RBO website –

By: Judy DeCastro - Regulatory Consultant
Levelling the Playing Field: European Central Bank Guidelines on Outsourcing
August 2019

The EBA’s Outsourcing Guidelines currently in force were issued in 2006 and apply only to credit institutions (essentially banks and building societies) and the 2018 Recommendations apply to credit institutions and MiFID investment firms.  This will be changed by the New Outsourcing Guidelines which will apply to payment institutions and e-money institutions as well as credit institutions and MiFID investment firms. The general aim of the New Outsourcing Guidelines is to create a level playing field and harmonise the outsourcing requirements which are set out in separate EU legislation for different types of firms (credit institutions under CRD IV, investment firms under MiFID II, payment institutions and electronic money institutions under PSD2).

The first question to ask is do you have any outsourced any activities/functions and are these critical?

As a general principle, institutions and payment institutions should not consider the following as outsourcing:

  • a function that is legally required to be performed by a service provider, e.g. statutory audit;
  • market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
  • global network infrastructures (e.g. Visa, MasterCard);
  • clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
  • global financial messaging infrastructures that are subject to oversight by relevant authorities;
  • correspondent banking services; and
  • the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line).

So, then what would constitute outsourcing?

The Central Bank considers outsourcing to be an arrangement of any form between an institution and a third party service provider by which that institution performs a process, a service or an activity on their behalf which could otherwise be undertaken by that institution. When engaging in outsourcing, that outsourcing should not detract from being in a position to demonstrate that its ‘mind and management’ is located in the institution and that it is not delegating responsibility for the operation or management of key functions to a third party.

Once institutions have identified their outsourcing arrangements they will need to perform a risk assessment of materiality to assess whether these are critical and whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their resilience and viability. Finally, third party arrangements will require robust contractual arrangements to be put in place to allow for effective oversight and monitoring by the management of those third party services or functions by the institution in question. 

If you need help managing your outsourcing risk,  please contact RegSol for assistance.
Click HERE to view the EBA’s Outsourcing Guidelines

By: Judy DeCastro - Regulatory Consultant
Governance & Internal Audit: Key Take-Aways from Wells Fargo Enforcement Action
August 2019

Wells Fargo Bank International (WFBI) is classified as a Less Significant Institution by the Central Bank’s risk profiling system which uses a rating system based on criteria relating to, amongst other factors, its size, its importance to the economy and the significance of its cross-border activities.

Nevertheless, WFBI was fined a total of €5,880,000, about 1.5% of its operating income (US$340,264,000), for serious failings in its regulatory reporting capability and governance and compliance.

WFBI is required to put in place and maintain robust corporate governance and assurance arrangements, which include the following:

  • a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
  • effective processes to identify, manage, monitor and report the risks they are, or might be, exposed to;
  • adequate internal control mechanisms, including but not limited to—
    • sound administration and accounting procedures, and
    • remuneration policies and practices that are consistent with and promote sound and effective risk management.
    • its management body defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of the institution, including the segregation of duties in the organisation and the prevention of conflicts of interest, and
    • monitors, and periodically assesses, the effectiveness of the institutions governance arrangements and takes appropriate steps to address any deficiencies.

How has the CBI defined ‘corporate governance’?

“Procedures, processes and attitudes according to which an organisation is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organisation – such as the Board, managers, shareholders and other stakeholders – and lays down the rules and procedures for decision-making.”

So what does this mean for you?

The Guidelines state that ‘An institution shall develop and maintain a strong and comprehensive internal control framework, including specific independent control functions with appropriate standing to fulfil their mission.’

An internal control framework should:

  • Cover all business units and subsidiaries
  • Ensure effective and efficient operations, while at the same time ensuring:
    • Adequate control of risks
    • Prudent conduct of business
    • Reliability of financial and non-financial information reported
    • Compliance with applicable laws, regulations, supervisory requirements and the internal rules and decisions undertaken by effective internal audit and compliance functions

In conclusion, with the introduction of CBI corporate governance codes for most regulated sectors, this remains an area of continued focus for regulators. It is therefore important for all regulated entities to continuously improve on their governance and assurance arrangements. Unfortunately for WFBI, the board of directors did not monitor and periodically assess the effectiveness of the Firm’s regulatory reporting governance arrangements nor did it take adequate steps to address these deficiencies at the time. Procedural documentation was not subject to review by senior management and internal audit failed to provide independent assurance to the board as there were substantial gaps in the scope, depth and frequency of the internal audit review and testing of the regulatory reporting processes and procedures.

If you need assistance in your assurance testing or monitoring, contact RegSol today for a comprehensive audit of your processes.

Click HERE for the link to CBI Action of Wells Fargo

By: Judy DeCastro - Regulatory Consultant
The Impact of IDR on Price Comparison Websites and introduction of Ancillary Insurance Intermediaries
November 2018

The European Union (Insurance Distribution) Regulations 2018 ('IDR') transposed the Insurance Distribution Directive into Irish law. Replacing the European Union (Insurance Mediation) Regulations 2005 ('IMR'), IDR took effect on 30th September 2018. Read more here
High Cyber-Security Spend ineffective in reducing Data Breach Risk without Training and Cultural changes too
November 2018

The recent General Data Protection Regulation has changed the face of data protection in the EU. Data protection complaints are soaring. By the end of July 2018, just two months after the GDPR came into effect, 1,184 complaints had been made to the Data Protection Commission an average of nearly 600 per month. This figure is significantly up from the 2017 average of 230 per month. This sharp increase in complaints underscores the new era in which companies operate. Read more here