RegSol Blog

RegSol Blog Posts

Enforcement Action - Ulster Bank
May 2020

On 3 March 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined Ulster Bank (Ireland) DAC (the Firm) €4,600,000 for governance failings relating to regulatory returns that were required under the Mortgage Arrears Resolution Targets (MART) Framework.

The Firm has admitted to these breaches, which took place from 2013 until 2015.

Click HERE to view the full Settlement Agreement

By Judy de Castro - Regulatory Consultant
Fitness & Probity Update
May 2020

The Central Bank of Ireland ("Central Bank") published a ‘Notice of Intention’ on 25 February 2020 which sets out its proposal to:
  1. Introduce three new Pre-Approval Controlled Functions (PCFs):
    1. Chief Information Officer (under the ‘General’ category);
    2. Head of Material Business Line (under the ‘Banking’ category);
    3. Head of Market Risk (under the ‘Banking’ category);
  2. Split PCF-39 Designated Person into six PCF roles aligned to the specific managerial functions.
While not limited to the following circumstances, the Central Bank expects that the Chief Information Officer role would likely apply where: 
  1. The RFSP has a PRISM impact rating of High or Medium High; 
  2. Information Technology is a key enabler or core element of the RFSP’s business model.
The Bank invited comments from stakeholders on this proposal no later than 14 April 2020. 

Read the proposal HERE

By Judy de Castro - Regulatory Consultant
AML 5th Directive Update: Are You Ready?
May 2020

5AMLD was adopted by the European Council in May 2018 and was subsequently published in the Official Journal of the European Union (OJEU) on 19 June 2018.

It is anticipated that 5AMLD will be transposed into Irish law in 2020. The deadline however has now passed (20th January 2020). The purpose behind 5AMLD was to amend and strengthen certain parts of 4AMLD in light of the terrorist attacks carried out across Europe in 2016/2017 and the revelations contained within the Panama papers.

Unlike previous EU Anti-Money Laundering Directives, 5AMLD made amendments to 4AMLD as opposed to repealing and replacing it outright. The Government approved the drafting of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill along the lines of the General Scheme below on 3 January 2019. 

General Scheme Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019

Intermediaries should have already performed a gap analysis of these changes to ensure that when government form and the new legislation is approved they are compliant.

By Judy de Castro - Regulatory Consultant
EBA Consults on Revised Guidelines on Money Laundering & Terrorist Financing Risk Factors
May 2020

The EBA issued a public consultation on revised money laundering and terrorist financing (ML/TF) risk factors Guidelines as part of a broader communication on AML/CFT issues. This update takes into account changes to the EU Anti Money Laundering and Counter Terrorism Financing (AML/CFT) legal framework and new ML/TF risks, including those identified by the EBA’s implementation reviews. In its revised version, the EBA is proposing key changes, including new guidance on compliance with the provisions on enhanced customer due diligence related to high-risk third countries.

Particular guidance on wealth management risk factors and increasing factors is notable in Guideline 12 where it outlines sections on source of wealth, customer, geographic and transaction risk factors. Establishing the source of wealth and funds; is required where the risk is particularly high and/or where the firm has doubts about the legitimate origin of the funds.

Verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth can be verified, by reference to for example:

  • an original or certified copy of a recent pay slip; 
  • written confirmation of annual salary signed by an employer; 
  • an original or certified copy of contract of sale of, for example, investments or a company; 
  • written confirmation of sale signed by an advocate or solicitor
The revised Guidelines also provide more details on terrorist financing risk factors and customer due diligence (CDD) measures including on the identification of the beneficial owner, the use of innovative solutions to identify and verify the customers’ identity.

In addition, they set clear regulatory expectations of firms’ business-wide and individual ML/TF risk assessments.

The consultation runs until 06 July 2020.

By Judy de Castro - Regulatory Consultant
Annual Report on Money Laundering 2019
May 2020

The Department of Justice and Equality has published its Annual Report on Money Laundering and Terrorist Financing for 2018.

Member States are required by the Fourth Money Laundering Directive to publish a report on an annual basis providing data on the reporting, investigation and judicial phases of the national AML/CFT regime, including the number of suspicious transaction reports made to the Financial Intelligence Unit and the number of cases investigated, as well as prosecution and conviction rates for ML/TF offences.

The full report is available HERE

The report provides a summary on the CBI’s approach to its supervisory model and the resulting output. In 2018, the Central Bank conducted a total of 72 inspections and issued 259 Risk Evaluation Questionnaires across a variety of institutions. In addition, AMLD conducted 59 AML/CFT Review Meetings with firms in 2018. Throughout 2018, AMLD was also heavily involved in outreach activities such as presentations and seminars.

The frequency and intensity of AML/CFT supervisory engagement for an individual firm is dependent on its ML/TF risk rating. The Minimum Supervisory Engagement model is set out in the table below. For intermediaries, the risk is low and so the inspection cycle is ad hoc:

Regsol previously discussed STR statistics in their blog available HERE

By Judy de Castro - Regulatory Consultant
Launch of the Central Bank's Register of Beneficial Ownership
May 2020

The Central Bank of Ireland has issued correspondence advising that following a decision by the Minister of Finance, the Central Bank will be the state authority delegated with responsibility for establishing and maintaining a central register of beneficial owners in respect of Credit Unions and certain funds (the Register).

These include funds registered under the Irish Collective Asset-management Vehicles Act 2015 (ICAVs) and Unit Trust Schemes registered under the Unit Trust Act, 1990 (Unit Trusts).

It has further been indicated that Common Contractual Funds registered under the Investment Funds, Companies and Limited Partnerships Act, 2005 and Investment Limited Partnerships registered under the Investment Limited Partnerships Act, 1994 will also be included on this register in due course.

By Judy de Castro - Regulatory Consultant
DPC Annual Report 2019
May 2020

Published in February 2020, highlights of the 2019 Annual Report include:
  • 7,215 complaints received in 2019 representing a 75% increase on the total number of complaints (4,113) received in 2018.
  • 5,496 complaints in total were concluded in 2019.
  • 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
  • Almost 48,500 contacts were received through the DPC’s Information and Assessment Unit, including 22,200 telephone calls and 22,300 emails.
  • On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 49 domestic inquiries.
  • Six statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21.
  • 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism.
  • 165 new complaints were investigated under S.I. No. 336 of 2011 in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and seven related to telephone marketing. Prosecutions were concluded against four entities in respect of a total of nine offences under the E-Privacy Regulations.
  • The DPC published its findings on certain aspects of the Public Services Card (PSC) following a lengthy investigation. The published findings were targeted at two key issues, namely the legal basis under which personal data is processed and transparency. 
  • The DPC carried out an extensive consultation on the processing of children’s personal data, yielding 80 responses. The feedback from the consultation will be used to develop guidance on the processing of children’s personal data, which is a DPC priority for 2020.
  • The DPC received 712 new Data Protection Officer notifications, bringing the total number to 1,596 at year end.
  • Staffing numbers increased from 110 at the end of 2018 to 140 at the end of 2019, including two additional Deputy Commissioners.
By Judy de Castro - Regulatory Consultant
Data Subject Access Requests
May 2020

Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19? (25 March 2020).

The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, the DPC has said that it recognises that unavoidable delays may arise as a direct result of the impacts of COVID-19.

Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity and number of requests.

Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.

Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.

While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.

By Judy de Castro - Regulatory Consultant
DPC Data Protection Tips for Video-Conferencing (3rd April 2020)
May 2020

  • Employees should be using your contracted service providers for work related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
  • Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media detail.
  • Make sure that clear, understandable, and up-to-date organisational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
  • Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
  • Where video-conferencing services need to be used for organisational reasons, have a consistent policy regarding which services are used and how, and offer through VPN or remote network access where possible.
  • Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.
  • Read DPC guidance on Protecting Personal Data When Working Remotely and DPC guidance on data security and make sure the points contained within are made clear to employees.
By Judy de Castro - Regulatory Consultant
DPC Covid-19 Response
May 2020

The DPC remains fully operational. However, telephone helpdesk service will not be available during this time.

The handling of queries on data protection which members of the public and personal data-processing entities wish to raise with the DPC will be via e-mail only to
Complaints relating to data protection matters may still be raised via their webform on the DPC website

There may be some short delays in handling post.

By Judy de Castro - Regulatory Consultant
CBI Covid-19 Response
May 2020

A consumer hub on the Central Bank website provides useful information to consumers and regulated entities alike on their response to COVID-19. The Central Bank has been working with financial services providers to help provide breathing space for customers who find themselves in financial difficulties due to these exceptional circumstances.

For example, banks and other financial intermediaries have announced that they will introduce three-month payment breaks on mortgages, and personal and business loans for some business and personal customers affected by COVID-19. All of the existing protections for customers who face actual or potential financial difficulties continue to apply. People who may be experiencing particular vulnerabilities as a result of the impact of COVID-19, for example through illness or loss of income, must be provided with whatever reasonable arrangements and/or assistance they need in dealings with regulated entities. All regulated firms should take a consumer-focused approach and to act in their customers’ best interests.

The Central Bank operates the Central Credit Register, which produces credit reports for lenders and borrowers on request. The Central Bank has clarified to lenders that a payment break agreed between a lender and a borrower as a response to COVID-19 is not, in itself, an event that is reportable to the Central Credit and should not be reported as a “missed payment”. Consistent with this guidance, these payment breaks should not be identified specifically on borrowers’ credit reports. The Central Credit Register does not produce a credit score; it simply records the information that is submitted by lenders on a monthly basis. It is factual, impartial information.

The Central Bank has also set out its expectations of how regulated insurance firms should treat their customers in light of the significant economic disruption caused by the COVID-19 public health emergency. The Central Bank has written to the Chairs and CEOs of both life and general insurance firms requiring them to take account of the challenging situation in which many of their customers find themselves and to put forward consumer-focused solutions for insurance payment breaks, policy rebates and claims in light of the emergency.

The Central Bank has also set out its view that, where a claim can be made because a business has closed as a result of a Government direction due to contagious or infectious disease, the recent Government advice to close a business in the context of COVID-19 should be treated as a direction.

By Judy de Castro - Regulatory Consultant
Consumer Protection Outlook Report 2020
May 2020

The Central Bank's Consumer Protection Outlook Report 2020 was published on 9 March 2020. This report sets out the key risks to consumers of financial services. It also sets out the Central Bank's expectations of what  should  be done to minimise these risks. The report also details the Central Bank’s own consumer protection priorities for the year ahead. Key risks highlighted include the following: 

Other Key takeaways include:
  • In 2019, the Central Bank oversaw the return of €74m to consumers arising from errors notified under the Consumer Protection Code
  • Some recurring issues reported by consumers on social media include issues around dissatisfaction with customer service levels, particularly call waiting times on helplines and in-branch queues and a perception that new customers received preferential treatment; IT outages and the inability to access online services; scam and ‘phishing’ text messages advising that accounts had been suspended.
  • Enhance the authorisation process: Challenge firms seeking to relocate from the UK on the credibility of the substance of their proposal in areas such as staffing and decision-making.
  • Culture: CBI expects sustained improvement in culture by focusing on values and conduct that are the building blocks of culture. ‘Desired’ values of firms and their conduct to be reflected in the daily habits and practices of their employees and management, ensuring for example that performance reviews are not based on metrics based on financial performance only.
  • Disclosure: The failure to give clear information to consumers about the benefits, risks and costs of financial products affects a consumer’s ability to make informed decisions. The risk increases when the product is complex or when there are many similar types of product on the market, such as in the case of health insurance. Firms should consider how they can improve communications, sales and marketing material to enable consumers to buy the products and services that they need. 
  • Brexit: The United Kingdom left the European Union on 31 January 2020 after reaching a withdrawal agreement that includes a transition period until the end of the year. The transition period allows further time for financial service providers and consumers to prepare for Brexit. While the full implications remain unclear, Brexit remains a key risk to firms and their customers. The main risk for Irish consumers relates to the likely loss of UK financial service providers’ right to provide services cross-border into Ireland.
For the full report click HERE

By Judy de Castro - Regulatory Consultant
New Consumer Protection Code Addendum in Force
May 2020

New rules which mandate financial intermediaries to disclose commission arrangements came into effect on 31 March 2020.  The requirements, which were published by the Central Bank of Ireland as an addendum to the Consumer Protection Code 2012, will ensure greater transparency for consumers who use intermediaries.

From 31 March 2020, intermediaries must:

  • inform the customer about any commissions received for selling a financial product or service;
  • not describe themselves as "independent" where they receive a commission;
  • post on their website details of all commissions from product producers;
  • not take commission that could be contrary to the best interests of the customer; and
  • not accept free hospitality packages or tickets from financial product or service providers.

For further details on this topic please refer to our blog HERE

By Judy de Castro - Regulatory Consultant
Data Protection: CCTV Footage in Employee Disciplinary
April 2020

The use of CCTV footage in disciplinary investigations was recently considered by the High Court in Doolin v The Data Protection Commissioner. In a decision that will be of interest to HR and data protection professionals, Hyland J considered that CCTV footage can be used by employers for specified purposes including disciplinary procedures provided this purpose is made clear to employees.  

The case highlights, however, that while the purposes specified by an employer have some flexibility in interpretation, they will not be broadly interpreted.

The case arose in the context of a security investigation by Our Lady’s Hospice and Care Services (“OLHCS”) into graffiti on the walls of a staff room – graffiti which could have indicated terrorist activity.  A CCTV camera was located in the premises, beside a sign indicating that “images are recorded for the purposes of health and safety and crime prevention”, and footage from that camera was reviewed.  OLHCS noted from this footage that Mr Doolin had used the break room on a number of occasions when he was not authorised to do so. 

This led to the commencement of a disciplinary process concerning the alleged taking of unauthorised breaks, and Mr Doolin was subsequently sanctioned. Mr Doolin complained to the Data Protection Commissioner about the use of his data in the disciplinary investigation.  In particular, he complained about the “further processing” of the CCTV footage in the context of a disciplinary procedure.  He was unsuccessful in the Circuit Court, and appealed again to the High Court. The High Court upheld Mr Doolin’s complaint.

Further Processing and Incompatible Purposes

The security and disciplinary investigations took place under the pre-GDPR data protection regime, the Data Protection Acts 1988-2003.  Section 2(1)(c) of the 1988 Act contains the purpose limitation principle, i.e. data obtained for one or more specific, explicit and legitimate purpose should not be further processed in a manner incompatible with that purpose or purposes.  

The purposes specified for the processing the CCTV footage were “health and safety and crime prevention”.  The questions of law faced by the High Court were whether the use of information obtained from the CCTV footage in the disciplinary procedure (a) constituted a “further processing” of the CCTV footage and, if so, (b) whether this processing was for purposes incompatible with health and safety and crime prevention.

In the absence of case law on the meaning of “further processing”, the High Court looked to guidance from the European Data Protection Board, formerly the Article 29 Working Party.2 Hyland J discussed the meaning of incompatibility from the guidance.  She noted that legislators intended some flexibility on further processing of personal data and that, while a different purpose is not necessarily an incompatible purpose, this must be assessed on a case by case basis.

While the legislative framework for data protection has changed since this case arose, the principles considered by the High Court remain in place.  The principle of purpose limitation, in particular, continues in Article 5(1)(b) of the GDPR.  The threshold of an “incompatible” purpose for further processing has been retained.

HR and data protection practitioners should note Hyland J’s comments on the need to clearly specify the purposes for which CCTV can be used, and should review their employee Privacy Policy and CCTV signage to ensure that disciplinary processes are clear.

By Judy de Castro - Regulatory Consultant
CBI will Maintain Central Register of Beneficial Owners for Credit Unions and ICAVs
April 2020

The Central Bank issued correspondence advising that following a decision by the Minister of Finance, the Central Bank will be the state authority delegated with responsibility for establishing and maintaining a central register of beneficial owners in respect of Credit Unions and certain funds (the Register). 

These include funds registered under the Irish Collective Asset-management Vehicles Act 2015 (ICAVs) and Unit Trust Schemes registered under the Unit Trust Act, 1990 (Unit Trusts). It has further been indicated that Common Contractual Funds registered under the Investment Funds, Companies and Limited Partnerships Act, 2005 and Investment Limited Partnerships registered under the Investment Limited Partnerships Act, 1994 will also be included on this register in due course.

In accordance with Article 30 of Directive 2015/849 corporate and legal entities should already be maintaining details of their beneficial owners independent of the Register.

Following the Minister’s decision and pursuant to Article 30 of the Fourth EU Anti-Money Laundering Directive (EU 2015/849), as amended by the Fifth EU Anti-Money Laundering Directive (EU 2018/ 843), there will now be two state authorities with delegated responsibility for maintaining central registers of beneficial ownership of corporate and legal entities in Ireland. The register of companies will continue to maintain the register of beneficial ownership of companies and industrial and provident societies, and the Central Bank will have responsibility for maintaining a central register in respect of credit unions and certain funds.

By Judy de Castro - Regulatory Consultant
Central Bank’s Consumer Protection Outlook Report 2020
April 2020

The Central Bank's Consumer Protection Outlook 2020 was published on 9 March 2020. This report sets out the key risks to consumers of financial services. It also sets out the Central Bank's expectations of what regulated financial services providers should do to minimise these risks. The report also details the Central Bank’s own consumer protection priorities for the year ahead.

Cross-sectoral risks identified still include:
  • Lack of consumer focussed culture
  • Poor Governance and Oversight of Outsourcing Arrangements
  • Information Technology and Cyber Risk

You can read the full report HERE.

By Judy de Castro - Regulatory Consultant
The Central Bank Proposes New Pre-Approval Controlled Functions
April 2020

On 25th February the Central Bank of Ireland ("CBI") announced via a Notice of Intention that it will introduce three new Pre-Approval Controlled Function ("PCF") roles for Irish regulated financial service providers ("RFSPs") and split an existing PCF role. 

The CBI proposes to:

  • Introduce a new Chief Information Officer (PCF-49) role, which is applicable to all RFSPs, other than Credit Unions;
  • Split the Designated Person (PCF-39) role, which applies to fund management companies, into six separate PCF authorisations reflecting the various constituent CP86 Managerial Function responsibilities of the existing PCF-39 role; and
  • Introduce two additional PCF authorisations for individuals performing certain roles within credit institutions: Head of Material Business Line (PCF-50) and Head of Market Risk (PCF-51).

Comments from stakeholders on this proposal closed on the 26 March 2020.

You can read the full Notice of Intention HERE

By Judy de Castro - Regulatory Consultant
The Central Bank and Covid-19
April 2020

The current pandemic is causing a great shock to both the Irish economy and the worldwide economy.  The effects are wide reaching, ongoing and expected to continue for some time.  The Central Bank has a key role to play in contributing to financial stability in Ireland.  In addition, as the regulator of financial service providers and markets in Ireland, the Central Bank has also to ensure that the best interests of consumers are protected.    

Some of the measures implemented by the Central Bank to tackle the crises include:

  • Increasing the volume of funds that banks can borrow in order to provide credit to firms and households by more than €1 trillion. 
  • Allowing banks to use the capital buffers they have built in recent years to support households and businesses by releasing the Countercyclical Capital Buffer from 1% to 0%. 

As a new joiner to RegSol, writing this from the kitchen table, which is now my desk, I thought it appropriate to highlight the Central Bank’s COVID-19 hub.

The hub contains a series of FAQ (Frequently Asked Questions) documents.  There is a General FAQ link and there are specific FAQ links covering the following areas (a) Consumer, (b) Small and Medium Enterprises and (c) Regulated Firms.  

Here is a sample of questions:

  • I can’t afford to pay my mortgage/loan, what should I do?
  • I’ve had to close my business / cut back on operations because of COVID-19 but my insurance company has declined my request for pay out under my “Business Disruption” policy.  Is that right?
  • How is the Central Bank regulating the financial services industry in the current environment?

The hub provides a central location for information and has links to the most recent Central Bank statements as well as all those of the European Supervisory Authorities and Other Agencies.

It is also very clear that the current situation is being exploited and the Central Bank has noted:

“In the context of COVID-19 there is already evidence of increased levels of certain crimes, for example COVID-19 related frauds and scams targeting vulnerable people. As criminals are highly adaptive it can be anticipated that new techniques and channels for laundering money are likely to emerge…”

To read more click HERE 

Other resources include:

  • The Office of the Revenue Commissioners has an article specifically for SMEs detailed HERE

  • The Local Enterprise Office supports are detailed HERE

  • Reflecting the new trend of working from home the Data Protection Commission issued guidance for video conferencing calls and working safely online in a pandemic, which can be found HERE.

While all our public training courses are cancelled at present, our consultancy services (Authorisation assistance, Policy review and Compliance – as – a – Service etc) are all available.  You can contact us on or visit us at     
Looking forward to working with you.

By Éilish Larkin - Regulatory Consultant
EIOPA Coronavirus Update on Consumers
April 2020

At the start of this month, the European Insurance and Occupational Pensions Authority (EIOPA) issued a statement to insurers and intermediaries, urging them to take steps to mitigate the impact of Coronavirus/COVID-19 on consumers. Read the EIOPA Call to Action HERE.

  • Access to and continuity of insurance services should be considered essential in the context of the outbreak.
  • Insurers and intermediaries are asked to:
  • Provide clear and timely information to consumers on contractual rights;
  • Treat consumers fairly and be explicit in all communications;
  • Inform consumers about contingency measures taken;
  • Continue applying product oversight and governance requirements and, where necessary, carry out a product review; and
  • Consider the interests of consumers and exercise flexibility in how they are treated, where reasonable and practicable.

EIOPA has said that it welcomes initiatives already taken by insurers and intermediaries in recognition of the particular circumstances that consumers find themselves and which may prevent consumers from fulfilling contractual obligations.

However, EIOPA has warned against unfair treatment of consumers as a result of disruption to the market, stating that this represents a risk to the entire sector.

With this statement, EIOPA specifically asks insurers and intermediaries to consider a number of different actions, taking into account developments relating to the Coronavirus/COVID-19 outbreak. 

These include:
  • Providing clear and timely information to consumers;
  • Keeping consumers informed about contingency measures that have been put in place;
  • Continuing to apply product oversight and governance requirements; and
  • Exercising flexibility in the treatment of consumers where reasonable and practical.
Whilst highlighting the need for flexibility in the interest of consumers and for their continued fair treatment, EIOPA also highlights that imposing retroactive coverage of claims not envisaged within contracts could create material solvency risks and ultimately threaten policyholder protection.

This call to action follows the publication of a statement on actions to mitigate the impact of Coronavirus/COVID-19 on the EU insurance sector (click HERE to read); and Recommendations on supervisory flexibility regarding deadlines of supervisory reporting and public disclosure by insurers (click HERE to read).

By Judy de Castro - Regulatory Consultant
Enforcement Action: Ulster Bank (Ireland) DAC fined €4,600,000 by the Central Bank of Ireland
March 2020

The Purpose of Corporate Governance is to build and strengthen:
  • Accountability
  • Credibility
  • Transparency
  • Integrity
  • Trust

Transparency can reinforce sound corporate governance and enable a bank’s stakeholders, supervisors and the general public to judge the effectiveness of its board and senior management. Directors and senior management are thus made more accountable for their actions and performance. Yet, despite being the subject of three previous settlement agreements (all of which included corporate governance failings), Ulster Bank was on 3 March 2020, reprimanded and fined €4,600,000 for more corporate governance failings relating to regulatory returns that were required under the Mortgage Arrears Resolution Targets (MART) Framework.

The three previous settlement enforcement actions taken by the Central Bank were as follows:
  • 2016 - breaches concerning money laundering and terrorist financing
  • 2014 - IT governance failures
  • 2012 - breaches of liquidity and capital requirements
This persistent pattern of behaviour puts into question ethical behaviour at Ulster Bank, given that these failings appear systemic and most likely stem from a dysfunctional culture; responsibility for which ultimately rests with the Board. The Central Bank’s investigation found serious failings in Ulster Bank’s approach to the compilation and submission of its returns.  

These included:
  • Failure to implement effective oversight of the MART return process; and
  • Failure to have in place and maintain procedures, internal controls and reporting arrangements.
Banks were required under the MART Framework to report details on the level of mortgage arrears to the Central Bank on a regular basis. Essential to this requirement was ensuring the integrity of the data submitted to the Central Bank. The Central Bank had informed Ulster Bank of governance failings around the compilation of its MART returns in 2013, and the Firm committed to taking action.  However, it was not until 2015 that the Firm acted to address the issues. The delay in putting remediation plans into action, lack of transparency, and established pattern of problematic behaviour led to this fourth failure in corporate governance at Ulster Bank. The Board and Senior Management may be in the firing line.
For more information click HERE

By Judy de Castro - Regulatory Consultant
Department of Justice STR Statistics 2018
March 2020

The Department of Justice and Equality publish annual reports; the purpose of this is to provide details on Ireland’s response to Money Laundering and Terrorist Financing taking into account: the legislative regime; international dimensions; the regulatory framework; enforcement; and supervisory authorities. Although the Department just recently published the 2018 report at the end of February 2020, we are still awaiting publication of the report for 2019. Figures for 2018 show almost 24,000 suspected cases of money laundering or terrorist financing were reported in 2018 a decrease of almost 2% on the previous year. A smaller number of cases — 23,442 — were reported to Revenue, despite the requirement to notify both the Gardai and Revenue of all suspect activity.

The key takeaways are:

  • The 2018 report indicates that over 80% of cases reported to Revenue concerned tax-related offences.
  • The The quality of the content of STRs submitted since June 2018 has improved following the acquisition of the online STR system GoAML. 
    • It is now mandatory for all reporting entities to register and when reporting specify what the potential criminal indicator is for each STR. This assists in the prioritisation process.
  • Revenue said information generated from such reports had resulted in an additional tax yield of €4.7m.
  • Criminal proceedings resulted in 73 individuals being charged with 284 money laundering offences during 2018. A total of 28 individuals were convicted of 130 money-laundering offences 
    • up from 11 individuals in 2017 —while one person was convicted of two terrorist financing offences.
  • An individual was jailed for two and a half years at Waterford Circuit Criminal Court after pleading guilty to providing and attempting to provide funding for Islamic State.
  • The Criminal Assets Bureau also secured court orders freezing 85 bank accounts and obtained a total of 228 orders over assets valued at €14.4m which were suspected of being the proceeds of crime such as drug-trafficking, fraud, and smuggling.
Rate of Compliance of entities regulated by the AMLCU (Supervision Arm of the Department of Justice)

By way of an example the report provides illustrations of compliance with legislation for certain sectors. The table below shows how Trust Company Service Providers (TCSPs), Private Members Clubs (PMCs) and High Value Goods Dealers (HVGD) have adhered to their compliance obligations:

Legislative Developments

The report also indicated that work on transposing the 5AMLD should be completed by early 2020. The Directive extends the rules on the use of virtual currencies, clarifies the requirements of the beneficial ownership register and clarifies the minimum enhanced due diligence protocol when conducting financial transactions.

To view the report in its entirety click HERE

By Judy de Castro - Regulatory Consultant
BCP & Pandemic Response Plans
March 2020

There is no escaping the media frenzy as we watch the world’s response to a pandemic unfold before our very eyes. We at RegSol express solidarity to those affected and our sympathies go out to all who have suffered losses; but especially to those regions most severely impacted, including China and Italy. 

So, what are the practical implications to businesses particularly those that are regulated by the Central Bank? And what does a response plan actually look like? The Central Bank has issued generic communications to firms stating that all necessary arrangements should be put in place and have commented publicly:

“We are closely monitoring developments related to COVID-19 and continue to assess their impact on the economy and the financial system, as more information becomes available.

We expect regulated firms to have appropriate contingency plans in place to be able to deal with major operational events, should they occur, and we are working with the financial sector to ensure that firms are responding effectively to the evolving situation.”

Being mindful that careful planning requires modelling various scenarios, making adjustments throughout the business continuity life cycle during business as usual and on an annual basis, Business Continuity Management Programmes should have already documented:

  • Risk assessments- site and threat analysis
  • Business Impact analysis (BETH-3- building, equipment, technology, human resources and 3rd parties) 
  • Emergency Response and Crisis Management Plans
  • Business Continuity Strategies & Plans
  • Testing & Desktop Exercises, Denial of Access
  • Scenario Analysis (Pandemic, Severe Weather, Fraud, Cyber attack etc)

Businesses must have determined through business impact analyses their critical processes, critical people, systems, equipment and critical outsourced service providers AND what is required to keep these going under stress of severe events such as power outages, severe weather, inaccessibility to the building, etc.  Above all, safety of customers, staff and suppliers should be paramount when determining steps to mitigate the consequences of these events.

During a Pandemic scenario, Businesses may closely monitor HSE, HPRA, ECDC, WHO communications and assume that critical staff, including critical outsourced service providers may not be available and as such take into account rates of infection to properly assess potential impact and strategically plan via a crisis management or incident response team. 

Key is knowing when to activate plans and how to resource critical operations during potential waves, peaks and troughs of infection levels. Maintaining effective communication of critical staff and outsourced service providers or suppliers overlaid by successfully anticipating people outages due to hospitalisation, confinement, school/creche closures based on a sound business continuity approach will ensure survival of:

  • mass absenteeism which could affect as much as 40% of the workforce (Mitigations: sick leave policy, work from home strategies; infection control supplies, cross training of critical processes, employee assistance programs to deal with loss)
  • changing patterns of consumer demand and;
  • interrupted supply chains. 
The below graph is useful in measuring the duration of the outbreak and calibrating your BCP plans:

By Judy de Castro - Regulatory Consultant
FATF’s Updated Report on Ireland's Progress in Strengthening Measures to Tackle ML & TF
February 2020

Ireland has been in an enhanced follow-up process following the adoption of its mutual evaluation in 2017. In line with the FATF Procedures for mutual evaluations, the country has reported back to the FATF on the action it has taken since then. As a result the FATF has rerated Ireland’s compliance with some key recommendations and released a publication in November 2019.

Some items of note are:

  • Since the MER, Ireland has amended its legislation to address the identified technical deficiencies identified under R.10. This covers requirements related to customer identification and verification measures, and the inclusion of senior managing official under the definition of beneficial owner. However, the specific requirements related to legal persons have not been addressed. In relation to life insurance, the obliged entities are now required to include the beneficiaries of a life insurance policy/contract in the risk assessment when these are legal persons. However, there is no explicit requirement to include beneficiaries of life insurance as a relevant heighten risk factors when they are legal persons or arrangements, although it could be implied. 

  • Ireland’s definition of “PEP” was not consistent with definition of “PEP” in the FATF glossary. Since the MER, Ireland has revised its legislation addressing the identified deficiencies related to the lack of coverage of domestic PEPs, and PEPs of international organisations, including, family members or close associates of these. Additionally, the reference to “residence” in relation to foreign PEPs have been removed, resulting in the coverage of foreign PEPs residing in Ireland. The amended legislation also addresses the deficiency related to the determination of whether a beneficial owner of a customer is a PEP, and to inform senior management prior to payout of policy proceeds. The general obligation to consider filing an STR applies to situations of higher risks involving a PEP

  • Recommendation 15 In Ireland’s MER was highlighted as not having a specific requirement to undertake risk assessments of new products, business practices or technologies, prior to their utilisation. Since the MER, Ireland has conducted ML/TF risk assessments on new products and technologies, including virtual assets, crowdfunding and electronic money. Additionally, Ireland has revised its legislation to require obliged entities to conduct a risk assessment of the products, services, and delivery mechanisms they provide, in order to identify ML/TF risks. However, there is no explicit requirement for the risk assessment to be conducted prior to the introduction of a new product/service/delivery mechanism into the market.

By Judy de Castro - Regulatory Consultant
European Banking Authority’s New Role for 2020: Lead Watchdog on AML/CFT
February 2020

In 2019, the European legislature consolidated the AML/CFT mandates of all three European supervisory authorities within the European Banking Authority. The EBA will lead, coordinate and monitor the AML/CFT efforts of all EU financial services providers and competent authorities. 

The law implementing these powers and this mandate came into effect on 1 January 2020. The European Union (EU) in recent years has introduced a more comprehensive legal framework in the fight against money laundering and terrorist financing. Nevertheless, there has been a constant stream of high profile ML/TF cases involving European banks. 

These scandals, together with findings by international AML/CFT assessment bodies, point to deficiencies in some competent authorities’ approaches to their AML/CFT supervision of banks. The Danske Bank scandal involving its Estonia Branch has been described as the largest money laundering scandal in European history with over €200 billion of suspicious transactions flowing through the European Banking System. Luanda Leaks is the latest to engulf European institutions that facilitated illicit flows originating from a high profile Politically Exposed Person in Angola through to offshore jurisdictions. 

So it is in this light that the approach to combating ML and TF must change. 

And change it has with the publication on the 6th of February of its first Report on competent authorities’ approaches to AML/CFT supervision of banks available HERE 

The EBA has also opened up a public consultation on the 5th of February on revised money laundering and terrorist financing (ML/TF) risk factors Guidelines as part of a broader communication on AML/CFT issues. This update takes into account changes to the EU Anti Money Laundering and Counter Terrorism Financing

(AML/CFT) legal framework and new ML/TF risks, including those identified by the EBA’s implementation reviews. This is available HERE

By Judy de Castro - Regulatory Consultant
Data Protection Commission Raids Facebook Ahead of Valentine's Day
February 2020

Article 35 of the General Data Protection Regulation (“GDPR”) prescribes that a Data Protection Impact Assessment (“DPIA”) shall be conducted by a controller where a type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The GDPR also sets out a number of specific instances in which controllers must conduct a DPIA. If required, a DPIA must be completed prior to the commencement of the relevant data processing. 

Despite informing the Data Protection Commission (DPC) of its plans to roll out a new dating platform coinciding with Valentine’s day, the DPC conducted an inspection at Facebook’s offices on the 10th of February seeking further information. The DPC has stated that its concerns arose because Facebook did not provide a DPIA, nor did it provide the DPC with an overview of its decision -making processes with respect to the new dating feature in a timely fashion.

As a result, Facebook Ireland has had to postpone the rollout of the dating feature in Europe. This case highlights the significance of carrying out a DPIA for any new high risk projects under Article 35.

The purpose of the DPIA is to allow the data controller to make informed decisions about the acceptability of data protection risks and communicate effectively with data subjects affected. Interestingly the DPC’s website does note the following:
“If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, you must consult with the Data Protection Commissioner before moving forward with the project.”

Please click HERE for more information:

If you need assistance or would like to learn more about Data Protection, register for DP training or contact our consultants.

By Judy de Castro - Regulatory Consultant
Pensions Auto Enrolment set for 2022
January 2020

The Pensions Auto Enrolment system is a government initiative set to supplement the state pension and prevent the ticking time bomb that is Ireland’s growing ageing population and the decline of workers with private pensions. Latest CSO figures released on the 6th of January 2020 show, that over a third of those without a pension say they cannot afford the additional living expense. 

As the State pension is paid at a flat-rate, rather than earnings-related, workers without retirement savings are exposed to a greater risk of poverty upon retirement. Among those who have no pension, more than half stated their employer did not provide one. The Government, in their Roadmap for Pensions Reform 2018- 2023 plan to launch an “auto- enrolment” pension scheme sometime in 2022 (although previous promises included a launch date for 2020 and then 2021). 

This plan is available by clicking HERE

The new State pension system will come into place based on a “total contributions approach” where a person’s lifetime contribution will more closely match the benefit they receive. It will apply to approx. 585,000 private sector workers, aged between 23 and 60 earning more than €20,000 with their contributions rising until it reaches 6% in the 10th year of contributions. Workers can opt out should they so choose.

As outlined in the Pensions Roadmap the Pensions Authority will seek greater powers of enforcement to secure confidence and gain legitimacy from the Irish consumer in order to ensure governance codes and standards, systems of internal control, fit and proper key function holders, reasonable outsourcing and depositary arrangements, conflict of interest polices, risk management policies and internal audit policies are properly complied with. On the 15th of January, the Pensions Authority in an action taken against the directors of Rock Solution Options Limited were fined

Despite this and as the general election looms, Auto Enrolment looks likely to be postponed yet again. It is however important to mention that its benefits of implementation cannot be underestimated. The UK and New Zealand have already implemented the system with positive outcomes. The UK for instance has seen a dramatic impact on the participation of ethnic minorities and young adults in pension saving. According to the Pensions Regulator in the UK, 84% of 22-29 year olds were in a pension scheme in 2018, compared with just 24% in 2012.

For Employers, despite an existing obligation to facilitate access to a pension, auto enrolment still represents a daunting impact on businesses in terms of additional administrative time and costs to put in place and maintain a pensions scheme. However, for brokers and trustees, this represents a unique opportunity to be service provider of choice for employers and employees alike.

By Judy de Castro - Regulatory Consultant
Property Service Regulatory Authority: First Regulatory Actions
January 2020

The evolution of the Property Service Regulatory Authority from its inception now continues to a series of firsts, includes securing its first injunction of an unlicensed operator and its first prohibition of a licensee to trade.

On Monday, 9 December 2019, the High Court granted to the Property Service Regulatory Authority (PSRA) an injunction preventing Ms Walsh of C E Walsh Limited from providing property services without the appropriate licence. The injunction also prevents Ms Walsh, the company director, from holding herself out as being available to provide property services, or from advertising property services in any way.  Full details of the PSRA’s press release is available here:

The Chief Executive of the PSRA, Ms Maeve Hogan said, “the PSRA has zero tolerance for any property services provider trading without a licence and will take all necessary actions, up to and including legal injunctions to ensure unlicensed operators are prevented from trading and providing their clients with no consumer protection.”  Clients of licensed service providers benefit from important consumer protections such as a thorough complaints investigation mechanism, obligatory professional indemnity insurance, comprehensive regulations on protecting client funds and a Compensation Fund for those who suffer losses as a result of the dishonesty of a licensee.  

The previous month, on Monday, 25 November 2019, the High Court permanently prohibited a former licensee, Mr Breathnach who had traded as Cavan Real Estate Ltd., Dublin Road, Cavan, from reapplying for a property service licence. This is the first occasion that a licensee or a former licensee has been “struck off” the Register of Licensees. The High Court also ordered that Mr Breathnach pay a sum of €50,000 to the Property Services Regulatory Authority and to make an additional payment of €48,492.82 into the Property Services Compensation Fund. The Court gave Mr Breathnach 90 days to make this payment. According to the Irish Times, in court documents, it was stated Mr Breathnach was previously licensed to provide property services but has not held a licence since July 5th, 2017, when his existing licence expired.

After six separate complaints were made against him on dates in February and March 2017, inspectors were appointed by the PSRA to investigate. One complaint, made on behalf of a property management firm, alleged retention of clients’ deposit monies in respect of 18 properties sold in Co Cavan. The five other complaints alleged failure to return five booking deposits

Since its establishment the PSRA has successfully prosecuted rogue operators for unlicensed trading, securing court convictions, fines and costs.  Currently, the Authority is prosecuting three cases of unlicensed trading, which are all before the Courts and are expected to be heard over the coming months. 

By Judy de Castro - Regulatory Consultant
Schrems vs Facebook: Data Transfers outside the EEA
January 2020

To kick off a new year in Data Protection, we assess Austrian Privacy activist Max Schrems’ epic seven- year crusade against Facebook on whether methods used by companies to transfer data are above board. The importance of this decision has a massive impact on banks, carmakers and other international corporations who transfer data to the US and other non-EEA states.

Data controllers who transfer data to the US from the EU have been eagerly following the proceedings in Ireland & Schrems, the key test on the validity of key controls contained within the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield, for transferring personal data to non-EEA territories in a GDPR compliant manner. Many organisations and service providers require such transfers for procuring cloud services, using online storage systems or carrying out intra group transfers for HR reasons, for instance. The GDPR restricts international transfers of personal data on the basis that non-EEA states have weaker controls increasing the risk that individuals’ data will be compromised and their rights and freedoms damaged.

So, on what basis can companies transfer data to a third country under GDPR?

  1. The European Commission decides that the third country has an adequate level of protection or safeguards in place
  2. The controller or processor has appropriate safeguards so that individual rights can be enforced with recourse to effective legal remedies
  3. A specific derogation applies to the transfer
  4. The Privacy Shield, a self-certification regime for US-based organisations receiving personal data from an EEA entity, is managed by the US Department of Commerce and US public authorities are subject to monitoring and enforcement requirements, as well as agreeing to cooperate with European data protection supervisory authorities.
By Judy de Castro - Regulatory Consultant
What’s the fuss about?

Facebook maintains that SCCs are sufficient and that there is no conflict between US surveillance laws and the EU right to privacy. Schrems argues that the DPC must limit transfers to the US by Facebook, as the rights of EU citizens are not adequately protected in relation to US surveillance laws.

On 19 December 2019 the Attorney General issued an opinion on the 11 questions raised in the Schrems case, in advance of the Court of Justice of the European Union’s (CJEU’s) ruling due in early this year. The CJEU usually follows this opinion which has stated that SCCs are validated and an appropriate method to protect personal data so long as the non- EEA state has a right of action against the data controller and that the data controller or supervisory authority can suspend such transfers where the laws of the non-EEA country conflicts with the SCCs. Less so for the US privacy shield as the Attorney General has cast doubt on its validity.

Potential Business Solutions?

  • Check your data flows and understand the impact to your business
  • Check if Binding corporate rules for intra-group transfers is an alternative
  • Carry out risk assessments to ensure that local laws and practices do not undermine SCCs in place

If you’d like assistance in understanding your obligations under GDPR, contact RegSol today for training or GDPR review of your controls and procedures.

By Judy de Castro - Regulatory Consultant
AML 5th Directive: Update
January 2020

We expect 2020 will bring a host of interesting new developments and much needed clarity around the outcome of Brexit as well as the advent of still more regulatory change, including the expected transposition in full of the 5th EU AML Directive. 

As the European Union (Withdrawal Agreement) Bill 2019-20 weaved its way through the second reading of the UK’s House of Lords on the 13th of January, the UK Parliament had already implemented the European Union’s 5th AML Directive on time on the 10th. 

Ireland, on the other hand, had not and the 10th of January passed without any indication of when draft legislation will be available. AMLD5 introduces a number of key reforms including the expansion of the definition of obliged entities (designated persons in Ireland) to cover virtual currency exchange platforms and custodian wallet providers, art dealers, letting agents and tax advisors within the scope of the regime. 

This does not mean that Irish companies subject to the AML/CTF regime should remain complacent as it remains to be seen what is included in amending legislation. Firms likely to be brought in scope need to ensure they are performing gap-analyses and undertaking implementation projects to address the new requirements. 

If you’d like assistance in understanding your obligations under the 5th AML Directive, please do not hesitate to contact us at  

By Judy de Castro - Regulatory Consultant
New Guide to Sanctions under the Administrative Sanctions Regime
December 2019

The Central Bank of Ireland has launched a new guide to highlight certain aspects of the administrative sanctions procedure. The primary focus is on factors which may aggravate or indeed mitigate the breach(es) being examined.

The Guidance document is broken into two sections, the former addressing general principles to be applied including Proportionality, Totality, Sanction Factors and Comparator Cases. The second section sets out 4 sets of factors in detail:

  • Nature, Seriousness and Impact of the breach
  • Conduct of the Entity after the breach
  • Previous Record of the Entity
  • Other General Factors
Commenting on the new guide at its launch on 21st November 2019, Derville Rowland, Director General, Financial Conduct, noted 130 settlement agreements since 2006 and the increasing level detail within those agreements. She also noted that despite same, firms appear to continue to misunderstand sanctioning factors, some expecting reductions of penalties even after obstructionist approaches to settlement. There is absolutely no doubt that a lack of cooperation is an aggravating factor.  

As Ms Rowland concluded: “Let me be very clear that while the Central Bank absolutely expects firms to prevent wrongdoing in the first place, they can undo some of those wrongs by demonstrating a positive culture in terms of how they deal with regulatory breaches. Or put another way, it is never too late to do the right thing.” 

You can access the Guide by clicking here.

By AnneMarie Whelan - Regulatory Consultant
New Lending Rules for Credit Unions and Enforcement Action against Savvi Credit Union
December 2019

New Rules

The Central Bank of Ireland, as a result of CP125 - Consultation on Potential Changes to the Lending Framework for Credit Unions, has introduced new lending rules to come into effect in January 2020.

The new rules will remove the maturity limits which currently cap long term lending and instead introduces a tiered approach, based on concentration limits, for mortgage and business loans relative to total assets. The relevant tiers are as follows:

  • A combined concentration limit for house and business loans of 7.5 per cent of total assets for all credit unions.
  • A 10 per cent limit, conditional on a credit union satisfying asset size (at least €50 million) and regulatory reserves qualifying criteria and notifying the Central Bank in advance.
  • A 15 per cent limit for credit unions with total assets of at least €100 million, subject to Central Bank approval.

Further proposals in relation to removal of the existing longer term lending maturity limits, new maximum maturity limits for secured and unsecured lending, and the definition for business loans are included in the Feedback Statement to CP125 which is available here

Enforcement Action

Somewhat ironically, in the same month, the Central Bank published its most recent settlement agreement (7th November) within the administrative sanctions regime, it was against a Credit Union and involved breaches of the existing lending rules.

Savvi Credit Union was fined €185,500 and reprimanded for failing to comply with the limits for long term loans and also reimbursing travel expenses to a Director (totalling €28,341 over 4 years), at rates in excess of Civil Service rates. You can read the full settlement agreement here

As we usher in the 2020’s, it is worth noting that the Central Bank of Ireland has consistently issued fines, reprimands and taken enforcement action against Credit Unions on an annual basis since 2012.  Failures vary from mismanagement of internal controls and governance arrangements, fitness and probity to AML breaches. Fines have ranged from €198,000 to as little as €5000 for failures in complying with prudential regulatory returns.

Ringing in the new year should allow for the Credit Union Sector at least the opportunity to provide more loans to support their members with the added Christmas bonus of more local options for the Irish consumer. Let’s hope it doesn’t give rise to another enforcement action.

By Judy De Castro - Regulatory Consultant
AML/CTF Legislation: S.I. No. 578/2019 - European Union (Money Laundering and Terrorist Financing) Regulations 2019
December 2019

We could not say goodbye to 2019 without saying something about AML/CTF regulations and so we will provide you with an update on the AML/CTF regime. On the 22nd of November 2019, the Minister for Justice and Equality for the purposes of giving further effect to the 4th EU AML Directive published SI 578/2019 amending the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The following changes are notable:

  • A designated person must have proportionate procedures in place to allow their employees or persons in a comparable position to report a contravention of the Act internally through an independent and anonymous channel
  • An obligation of any person performing a management function in or being a beneficial owner of a designated person who is convicted to inform the Central Bank within 30 days on which the person was convicted of a relevant offence
  • An obligation on Member State competent authorities to cooperate and coordinate activities to counter money laundering and terrorist financing

For entities subject to the AML/CTF regime, this will mean updating policies, procedures and implementing new reporting channels. 

Click HERE to access the SI.

If you’d like assistance with getting to grips with AML/CTF, please contact a RegSol consultant today.

By Judy de Castro - Regulatory Consultant

Insurance Costs: Analysis and Commentary
December 2019

The Law Reform Commission published a report on the 11th of December outlines legislative responses that include the introduction of a cap on the amount awarded in damages during personal injuries claims. The Cost of Insurance Working group (CIWG), established in 2016 by the Department of Finance to examine factors contributing to the increasing cost of insurance and to identify measures to reduce this cost had recommended that the Law Reform Commission examine the constitutionality of the proposed cap. 

An additional recommendation from the CIWG included the requirement of the Central Bank under the Central Bank (National Claims Information Database) Act 2018 which commenced on January 2019 to publish an annual report and establish this database. By providing statistical analysis on all insurers selling private motor insurance in Ireland regardless of country of authorisation, the Central Bank’s drive of transparency has as its aim for consumers to have clear information and to make informed decisions. 

This had also resulted in the new regulations being published last month requiring motor insurers to provide a quotation for each policy option available to the customer such as comprehensive, third party fire and theft cover or third party only in addition to extending the renewal notification period from 15 to 20 working days.

Arguably, steering customers away from comprehensive cover may not be in their best interests, even if the goal is to be transparent. And with the heaps of documentation customers are often buried in the detail.

But how effective is the Central Bank’s Report?

Gerry Hassett, Interim CEO of Insurance Ireland has defended the industry stating that, “The data in this report highlights the importance of the cost of claims to the market as it is the largest cost paid by insurers. Insurers have seen a 64% increase in average cost of a claim from 2009-2018 with the lion’s share of this inflation coming from 2013 onwards.” (click here to view Insurance Ireland’s website).

Litigated settlements costing more that €100,000 accounted for 15% of claimants settling through litigation but account for 53% of total litigated costs and involve a number of large settlements. The figure below shows the types of claims per year.

Nevertheless, the cost of premiums has undoubtedly increased for motorists and businesses alike forcing some operators like the Oktoberfest organisers in Dublin’s IFSC to cancel their event citing the cost of insurance. Perhaps the solution to satisfy both market participants and consumers and business is as simple as the law on a free market economy: supply and demand. Get more insurers into the market, support the Gardai in shutting down ghost insurance brokers and provide more choice for consumers. Nevertheless, whilst the debate around insurance claims and the knock- on effect these claims have on insurance premiums is set to continue into 2020, the Central Bank’s pursuit of transparency has certainly achieved one thing- politicians in a scrum for what can only be described as a political football.

If you’re an insurer looking to enter the Irish market and you’re looking for authorisation, contact RegSol for a quote.

By Judy de Castro - Regulatory Consultant

New Rules on Gift Vouchers
December 2019

From 2 December 2019, new legislation is in place which gives consumers more rights when it comes to gift vouchers.

The new legislation, the Consumer Protection (Gift Vouchers) Act 2019, brings a number of changes.
Minimum expiry date of five yearsWhere there is an expiry date on a gift voucher, it should be at least five years.
You should be given the expiry date in a durable form, for example in writing or in an email, and you should also be given the date the gift voucher was bought.
You do not have to use the voucher in one goYou do not have to spend the full value of the voucher in one transaction.
If there is a balance of more than €1 on a gift voucher, the business should refund you the difference in one of the following ways:
–          Cash
–          Electronic transfer (debit/credit card)
–          Another gift voucher (the expiry date will be the same as the original voucher)
It is up to the business which method of refund they use.
More than one gift voucher can be used in one goYou can use more than one voucher at a time. For example, if something costs €100 and you have two €50 vouchers, you can use them both to pay.
A business cannot refuse a gift voucher because it is not in your name, or charge you to change/amend  the name on a gift voucherIf a business requires the name of a person on a gift voucher, and the person’s actual name is different from the name on the voucher, the business can not refuse to accept the voucher, or charge you for changing the name on the voucher.
Not all gift vouchers are covered by this legislation. The following are some of the main ones that are excluded.
Here is a guide to various types of vouchers and whether or not they are covered by the gift vouchers legislation.
Shop voucherA voucher for a particular shop or department store, which is only accepted in those stores nationwide.Covered
Shopping centre gift cardA voucher or gift card for a particular shopping centre, that can only be used within that shopping centre or outlet.Covered
Online voucher for a deal websiteA voucher bought from a discount deal website for a product or service, usually fulfilled by another business.Excluded
One-4-all gift cardsAn Post One-4-all gift cards can be redeemed in a wide range of retailers. These are considered electronic money cards.Excluded
Credit noteIf you return an item to a store and receive a voucher or credit note, it is not considered a gift voucher under the legislation.Excluded
CouponsA coupon you receive from a business directly or through an ad is not considered a gift voucher.Excluded
Loyalty programme vouchersMoney vouchers you receive from a business as part of a loyalty programme you are a member of are not considered gift vouchers.Excluded

Maintenance fees

Some gift cards have maintenance fees of approximately €3 per month which come into effect after a period of time. So if you give someone one of these gift cards worth €40, and they don’t use it for a year, maintenance charges at €3 a month could mean there is only €4 left on it after a year.

Lost vouchers

If you lose a gift voucher, the shop doesn’t have to replace it – it’s just like losing cash.
If the voucher was made out to you specifically and is non-transferable, the shop may be able to issue a new voucher and cancel the original. It may be worth contacting the shop and asking if this is possible.
Remember consumer rights apply to gift cards just like any other item. So if the card is faulty and doesn’t work when you go to use it, you can return it for a replacement or refund.


1. I bought a gift voucher for my husband and it has an expiry date of 12 months does the new five year rule apply?
If you bought the voucher on or after 2 December 2019, the gift voucher must have an expiry date of at least five years starting on the day you bought it.
A gift voucher sold by a business with an expiry date of less than five years will be deemed to have a five year expiry date. Also, the business must inform you of any expiry date on a durable medium, for example, on paper or email.  The paper or email must include:
  • the expiry date of the gift voucher and the date it was bought or
  • state that there is no expiry date, if that’s the case.
2. I bought a gift voucher for my daughter, just looking at it now and I can’t find an expiry date – should it be on the gift voucher?
The expiry date does not have to be printed on the actual gift voucher. However, the business must tell you if an expiry date applies to the gift voucher on a durable medium, for example, on paper or email. The paper or email must include:
  • the expiry date of the gift voucher and the date it was bought, or
  • state that there is no expiry date, if that’s the case.
3. I got a present of a voucher for my 60th It is for a considerable amount of money – do I have to use it in one go?
You do not have to spend the full amount of the gift voucher in one go.  If you only use part of the gift voucher and there is a balance of more than €1 left, the business can refund you in one of the following ways:
  • cash
  • electronic transfer (credit/debit card)
  • gift voucher – the expiry date will be the same as the original gift voucher.
4. I bought a gift voucher a week before the new laws came into place – will these new rules apply?
 The new laws only apply to gift vouchers that were sold on or after the 2 December 2019.
5. I was given a gift voucher for my birthday and the spelling of my name is wrong on the voucher – will there be a fee for amending the name?
No. After 2 December 2019, businesses cannot charge a fee for changing or amending the name on a gift voucher.

Online deal websites

Deal websites are platforms that let you buy vouchers for goods, services or experiences from other businesses, e.g. a mattress, meal or beauty treatment. When buying a voucher on a deal website, you pay the deal website the price and redeem the voucher with a third party business for the good or service. The new gift vouchers legislation does not apply to these type of vouchers.  However, you still have rights when you buy goods and services.

Generally, when you buy something from a deal website and you do not have to go to a third party website to redeem the voucher, you are entering into a contract with that deal website for that item. It is the same as buying an item from any online retailer and the same rights apply. More information about your rights when you buy online is available in our Buying Online section.

However, this can vary between deal websites and items bought so always read the terms and conditions

(information copied from and can be found HERE)
CBI Enforcement Action: Co-mingled Client and Own Funds 
December 2019

BVP Investments Limited fined just €6,000 and reprimanded by the Central Bank of Ireland for holding client assets in breach of its authorisation, is a low impact firm under the Central Bank’s Probability Risk and Impact System of supervision (PRISM). 

BVP’s audited accounts for year ended 31 December 2018 show a turnover of €745,490.  This is a reminder to all low impact firms that the Central Bank has no qualms about issuing fines to small scale firms, proportionate to the firm’s bottom line.

The Firm was authorised under the Investment Intermediaries Act, 1995 (the IIA) on 15 November 2007. Under its IIA authorisation, the Firm is authorised to provide services to ‘’Designated Investment Funds’’. The Firm is explicitly not permitted by the Central Bank to hold client assets. 

BVP’s authorisation contains an explicit condition stating that it is not permitted to hold client money or investment instruments. Immediately after obtaining its authorisation in 2007, and with full knowledge of the condition, BVP began holding and processing client funds through its corporate bank accounts. 

As a consequence of the Firm’s breach, significant amounts of client funds were co-mingled with the Firm’s own funds in the Firm’s corporate bank accounts. Although the investigation found no evidence of misappropriation or loss of client assets by the Firm, their actions placed these client assets at risk of loss, particularly in the event of an insolvency; misuse (inadvertent or otherwise) by the Firm; and delay in identification in their return to clients. 

RegSol provides audit and compliance services that can help you identify issues and prepare you for Central Bank inspections. Please contact us today for a quote.

By Judy de Castro - Regulatory Consultant

Whistleblowing Directive adopted by the EU Council
December 2019

In the wake of the Cambridge Analytica scandal, the former Facebook employee, Christopher Wylie’s disclosures triggered investigations which raised privacy concerns on the unauthorised possession of personal data of millions of Facebook users for targeting digital advertising campaigns. 

Howard Wilkinson, Danske Bank’s former head of trading used the Bank’s internal whistleblowing procedures to report on millions in laundered money being used by a dormant account run by Putin’s cousin. His whistleblowing report made in 2012 was ignored. The Danske Bank money laundering scandal is now the largest in history.

It is within this context that on the 7 October 2019, the EU Council approved the wording of the "Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law", also known as the Whistleblowing Directive. Member States have two years to implement the Directive into national law.
Whistleblowing allows a person to report or disclose information on breaches identified during the course of their employment. 

This disclosure is protected where it is done in good faith under the Protected Disclosures Act, 2014 and under the Central Bank (Supervision and Enforcement) Act, 2013. The Workplace Relations Commission and/or the courts will determine whether or not a disclosure is a protected disclosure under the legislation. However, it should be noted that the 2014 Act provides that, in such proceedings, all disclosures are presumed to be protected disclosures unless otherwise proven.

The new directive broadens a whistleblower to include the public and private sector and includes former employees or job applicants, self-employed and company shareholders, volunteers and unpaid trainees. The list of potential breaches includes GDPR, consumer protection, environmental protection, money laundering, public and product safety. 

Member states can choose to extend the list of breaches if they so wish
Businesses with at least 50 employees must look to put in place internal and external procedures for reporting breaches and taking remedial actions all whilst guaranteeing the whistleblower’s anonymity and protection against retaliation. 

They must acknowledge receipt of the report within 7 days and provide feedback within 3 months. 
If you would like more information on implementing Whistleblowing Policies and Procedures, contact RegSol for assistance or training on Ethics and other Compliance related matters. 

By Judy de Castro - Regulatory Consultant
Enterprise Risk Management (ERM): A Cornerstone for the CBI’s proposal for Senior Executive Accountability Regime (SEAR)
December 2019

Driving a positive and ethical consumer focused risk culture within an Enterprise Risk Management Framework is the responsibility of the Board, in the first instance, cascaded throughout the entire organisation and reflected from the bottom up. The proposed SEAR regime is based on strengthening clear responsibility and individual accountability by placing obligations on senior individuals who report directly to the Board and heads of critical business areas. These positions should correspond to those who already are PCFs under the Fitness and Probity Regime. 

In scope (initially) are:

  • credit institutions (excluding credit unions);
  • insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and insurance special purpose vehicles);
  • investment (MiFID) firms that underwrite and/or deal on own account and/or are authorised to hold client monies/assets

SEAR will, over time, be extended to other firms regulated by the Central Bank to ensure proportionality.

What can your firm do to prepare and what does this mean in practical terms?

Whatever phase an organisation is at in ERM implementation, risk culture is a key component. It is the common norms, attitudes and behaviours related to risk awareness, risk taking and management and the controls that shape decision making. 

This is set out in the organisation’s risk appetite, set by the Board, and measured and reported on within the Governance structure. Lack thereof or poor culture leads to misconduct and excessive risk taking, ultimately the driver of financial crises. Key to transforming this is striking a balance between first line sales driven front office and the second line drivers of effective risk management.

CBI Proposals
  1. Approve Conduct Risk Appetite Statements by the Board to drive change
  2. New Business/Product, Sales, Front Office duly incorporated into Risk Governance Structure
  3. Communication strategy around values, compensation, training
  4. Alignment of incentives with risk objectives and enforceable disciplinary action for breaches in rules and misbehaviour.
  5. Risk Control Self Assessments & Collection of data on past events
        Mandatory responsibilities for Senior Executive Functions
        Comprehensive Statements of Responsibilities
        Responsibility Maps

The table above in our view demonstrates that the proposed SEAR regime is strongly aligned to the ERM process. Having a mature ERM framework in place better prepares organisations for regulatory change whilst helping them achieve their strategic business objectives in a positive way that’s good for their employees, stakeholders and their bottom line.
If you would like to partner with RegSol to embed an effective Risk Management Framework in your organisation, please talk to one of our consultants today.

By Judy de Castro - Regulatory Consultant
Investment Firms: CRD V Structural Reform in EU Prudential Rules
October 2019

In April this year, a review of the prudential framework for investment firms for MiFID II was approved under the auspices of building the Capital Markets Union. The purpose of the revised legislation will be to improve investment flows and ensure proportional rules level the playing field among larger institutions and simpler, less risky firms. 

The legislation will aim to provide clarity on equivalence rules for the provision of investment services by third country firms. And most importantly, is an important step towards the completion of the European post crisis regulatory reforms. 

Together, these reforms affect all European banks and investment firms and require significant implementation over a period of multiple years. There will be material changes to the capital and funding needs of firms as well as to their governance, risk management, systems and controls, reporting, recovery and resolution planning and in some cases corporate structures. 

CRD V will update the framework of harmonised rules established in the wake of the financial crisis, the so-called 'Single Rulebook'.

The 'Single Rulebook' ensures that:

  • banks & investment firms have enough capital to cover unexpected losses and are prepared to withstand economic shocks 
  • obliged entities have fewer incentives to take excessive risks.

Some outstanding elements of the reform that are key to ensure a firm’s resilience but have only recently been finalised by global standard setters (i.e. the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB)) include: 

  • New Framework for low prudential risk profile investment firms to mitigate comparative weakness of EU investment bank sector through the Investment Firms Directive in 2021
  • ECB Oversight over systemic investment firms or “class 1” firms which consolidated assets exceeding EUR 15 billion and those over EUR30 billion into same supervisory regime for banks
  • Regulation of Financial Holding companies subject to all requirements of the prudential framework as it relates to their consolidated position and Corporate Governance
  • Intermediate Parent Undertaking: requirement for large third country group to be owned by the IPU. This exists where there is at least one subsidiary that is an EU large investment firm within its group and where the parent entity is established in a non- EU country or third country.
  • Branch regulation- introduction of minimum harmonised reporting requirements for EU branches of third country banks and requirement for EU regulators to cooperate to ensure a consolidated approach to supervision

Even though these structural legislative reforms may be delayed, it would be prudent for investment service firms to work through the implications of the new reforms, in that authorisations may need to be prepared together with a restructuring process and corporate governance planning. 

RegSol is here to assist with regulatory impact analysis and can help you manage the impact of regulatory change.

By Judy de Castro - Regulatory Consultant
Google France and the Right to be Forgotten
October 2019

The Right to be Forgotten, a privacy right enshrined in the GDPR regulations which came into force in May last year has been tested in the European Courts. Arising from the French Data Protection Commissioner’s (CNIL) ruling that required Google to apply the right to be forgotten to all searches in all Google domains. CNIL ruled that in order to be effective, delisting was to be carried out on a global scale in a single processing. So, if Google detected a user in Ireland, they wouldn’t be able to see removed results, even if they clicked onto 

Google appealed the ruling sparking a long drawn out battle with Google’s counsel arguing that if French law applied globally, how long would it be until other countries started demanding their laws likewise have global reach….

Last week Tuesday saw the European Court of Justice (ECJ) limiting the provisions of EU law and therefore reducing delisting to search engine operators in the EU which means the right to be forgotten will be seen only on European versions of Google search pages- or, but not on 

The ECJ does require Google to put in measures to discourage EU internet users from finding that information but in practical terms, it seems unrealistic to achieve this. Performing the role of a “sub regulator”, one could argue, Google has had to in the past determine on 850,000 separate requests to remove links to about 3.3 million websites. Now they’ll have arguably greater and almost supervisory-like powers in deciding what personal data is kept in the public domain. 

If you’d like assistance with GDPR Compliance, please contact your RegSol Consultant for assistance.

By Judy de Castro - Regulatory Consultant
Spotlight on Transparency for Financial Brokers: New Insurance Renewal Requirements & New Consumer Protection Code Addendum March 2020
October 2019

In July 2016, the Government established the Cost of Insurance Working Group (CIWG). The objective of the CIWG was to identify and examine the drivers of the cost of motor insurance and to recommend short-, medium- and longer-term measures to address these issues. 

In January 2017, the Report produced by the CIWG on the Cost of Motor Insurance was published by the Department of Finance, which included an Action Plan to implement the identified recommendations.  Coming into force on 1 November 2019, the Non-Life Insurance (Provision of Information) (Renewal of Policy of Insurance) (Amendment) Regulations have been designed to afford greater protection for the consumer in providing more transparency to insurance policyholders, a key theme in the output of the Consultation Paper 114 and to be shortly in force as a result of the amendment regulations. 

In the pursuit of transparency however, are consumers already bombarded with too much information and overloaded arguably with too much choice? The Central Bank and CIWG would argue that this is important to allow consumers to shop around. Let’s evaluate the nature of these changes which can be summarised as follows: 

  • Insurers must provide additional information on the premium breakdown to consumers and must offer a price on all the cover options they offer. It is proposed that insurers will also be required to provide this additional information on the premium breakdown when a person first gets a quote for a policy as well as at renewal notice stage, together with the other information referred to in Regulation 6.
  • Insurers must extend the current renewal notification period from 15 working days to 20 working days to make it easier for motorists to compare pricing when purchasing motor insurance; and
  • an insurer shall, in respect of a policy of private motor insurance to be renewed, include, on the same page as the renewal premium is first set out, the following information:
    • the premium paid in the previous year, or 
    • where applicable, following any mid-term adjustment made to the policy in the previous year— 
      • the provision of an annualised premium figure for the previous year excluding fees or charges applied as a result of that adjustment, and
      • a statement indicating that the annualised premium figure shown may not reflect the actual premium paid in the previous year.

Last week we saw the headlines and radio interviews with the Central Bank of Ireland explaining the new addendum to the Consumer Protection Code (CPC) designed to take into account provisions arising from the EU (Insurance Distribution) Regulations 2018 and “Enhanced Consumer Protection Measures,” following consultation paper CP116 on intermediary inducements. The following parts of the CPC amended and effective from 31 March 2020 are as follows:

  • Chapter 3- Conflicts of Interest- avoiding conflicts of interest by placing consumer’s best interests above the consideration of fees, commissions, rewards or remuneration linked to targets relating to volume and bonus payments linked to business retention 
  • Chapter 4- Provision of Information
    • using the term “Independent” restricted to regulated activities on the basis of a fair analysis of the market AND where the intermediary does not accept and retain any fee, commission or other reward or remuneration where advice is provided in respect of regulated activities. Exceptions are minor and restricted to non- monetary benefits (conference, hospitality, IT Software) and fees paid by a consumer. Note also the amendment to 4.16 A regarding MiFID Article 3 services in using the term “independent”
    • Summary details of all arrangements for any fees, commission, other reward or remuneration paid or provided to intermediary must be made available in its public offices or on its website and brought to the attention of the consumer
  • Chapter 12- Definitions
    • Press release information is available HERE.

If you require assistance with Consumer Protection whether it is training or a compliance review or audit, please contact RegSol.

By Judy De Castro - Regulatory Consultant