RegSol Blog Posts
Pensions Auto Enrolment set for 2022
January 2020
The Pensions Auto Enrolment system is a government initiative intended to supplement the State pension and defuse the ticking time bomb that is Ireland’s growing ageing population combined with the decline in the number of workers holding private pensions. The latest CSO figures, released on the 6th of January 2020, show that over a third of those without a pension say they cannot afford the additional living expense.
As the State pension is paid at a flat rate, rather than being earnings-related, workers without retirement savings are exposed to a greater risk of poverty on retirement. Among those who have no pension, more than half stated that their employer did not provide one. The Government, in its Roadmap for Pensions Reform 2018-2023, plans to launch an “auto-enrolment” pension scheme sometime in 2022 (although previous promises included a launch date of 2020 and then 2021).
This plan is available by clicking HERE
The new State pension system will be based on a “total contributions approach”, under which a person’s lifetime contributions will more closely match the benefit they receive. The auto-enrolment scheme will apply to approximately 585,000 private sector workers aged between 23 and 60 and earning more than €20,000, with their contributions rising until they reach 6% in the 10th year of contributions. Workers can opt out should they so choose.
As outlined in the Pensions Roadmap, the Pensions Authority will seek greater powers of enforcement in order to secure confidence and legitimacy with the Irish consumer, and to ensure that governance codes and standards, systems of internal control, fit and proper key function holders, reasonable outsourcing and depositary arrangements, conflict of interest policies, risk management policies and internal audit policies are properly complied with. On the 15th of January, the Pensions Authority in an action taken against the directors of Rock Solution Options Limited were fined
Despite this, and as the general election looms, Auto Enrolment looks likely to be postponed yet again. It is, however, important to note that the benefits of implementation should not be underestimated. The UK and New Zealand have already implemented the system with positive outcomes. The UK, for instance, has seen a dramatic impact on the participation of ethnic minorities and young adults in pension saving. According to the Pensions Regulator in the UK, 84% of 22-29 year olds were in a pension scheme in 2018, compared with just 24% in 2012.
For employers, despite an existing obligation to facilitate access to a pension, auto enrolment still represents a daunting prospect in terms of the additional administrative time and cost needed to put in place and maintain a pension scheme. For brokers and trustees, however, it represents a unique opportunity to become the service provider of choice for employers and employees alike.
By Judy de Castro - Regulatory Consultant
Property Service Regulatory Authority: First Regulatory Actions
January 2020
The evolution of the Property Service Regulatory Authority since its inception now continues with a series of firsts, including securing its first injunction against an unlicensed operator and its first prohibition of a licensee from trading.
On Monday, 9 December 2019, the High Court granted the Property Service Regulatory Authority (PSRA) an injunction preventing Ms Walsh of C E Walsh Limited from providing property services without the appropriate licence. The injunction also prevents Ms Walsh, the company director, from holding herself out as being available to provide property services, or from advertising property services in any way. Full details of the PSRA’s press release are available here: http://www.psr.ie/en/PSRA/Pages/Speeches
The Chief Executive of the PSRA, Ms Maeve Hogan said, “the PSRA has zero tolerance for any property services provider trading without a licence and will take all necessary actions, up to and including legal injunctions to ensure unlicensed operators are prevented from trading and providing their clients with no consumer protection.” Clients of licensed service providers benefit from important consumer protections such as a thorough complaints investigation mechanism, obligatory professional indemnity insurance, comprehensive regulations on protecting client funds and a Compensation Fund for those who suffer losses as a result of the dishonesty of a licensee.
The previous month, on Monday, 25 November 2019, the High Court permanently prohibited a former licensee, Mr Breathnach who had traded as Cavan Real Estate Ltd., Dublin Road, Cavan, from reapplying for a property service licence. This is the first occasion that a licensee or a former licensee has been “struck off” the Register of Licensees. The High Court also ordered that Mr Breathnach pay a sum of €50,000 to the Property Services Regulatory Authority and to make an additional payment of €48,492.82 into the Property Services Compensation Fund. The Court gave Mr Breathnach 90 days to make this payment. According to the Irish Times, in court documents, it was stated Mr Breathnach was previously licensed to provide property services but has not held a licence since July 5th, 2017, when his existing licence expired.
After six separate complaints were made against him on dates in February and March 2017, inspectors were appointed by the PSRA to investigate. One complaint, made on behalf of a property management firm, alleged retention of clients’ deposit monies in respect of 18 properties sold in Co Cavan. The five other complaints alleged failure to return five booking deposits.
Since its establishment, the PSRA has successfully prosecuted rogue operators for unlicensed trading, securing court convictions, fines and costs. The Authority is currently prosecuting three cases of unlicensed trading, all of which are before the Courts and are expected to be heard over the coming months.
By Judy de Castro - Regulatory Consultant
Schrems vs Facebook: Data Transfers outside the EEA
January 2020
To kick off a new year in Data Protection, we assess Austrian privacy activist Max Schrems’ epic seven-year crusade against Facebook over whether the methods used by companies to transfer data are above board. This decision has a massive impact on banks, carmakers and other international corporations that transfer data to the US and other non-EEA states.
Data controllers who transfer data from the EU to the US have been eagerly following the Facebook Ireland and Schrems proceedings, the key test of the validity of the controls contained within the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield as mechanisms for transferring personal data to non-EEA territories in a GDPR-compliant manner. Many organisations and service providers require such transfers when procuring cloud services, using online storage systems or carrying out intra-group transfers for HR purposes, for instance. The GDPR restricts international transfers of personal data on the basis that non-EEA states have weaker controls, increasing the risk that individuals’ data will be compromised and their rights and freedoms damaged.
So, on what basis can companies transfer data to a third country under GDPR?
- The European Commission decides that the third country has an adequate level of protection or safeguards in place
- The controller or processor has appropriate safeguards in place so that individual rights can be enforced with recourse to effective legal remedies
- A specific derogation applies to the transfer
What’s the fuss about?
The Privacy Shield, a self-certification regime for US-based organisations receiving personal data from an EEA entity, is managed by the US Department of Commerce. Participating organisations are subject to monitoring and enforcement by US public authorities and agree to cooperate with European data protection supervisory authorities.
Facebook maintains that SCCs are sufficient and that there is no conflict between US surveillance laws and the EU right to privacy. Schrems argues that the DPC must limit transfers to the US by Facebook, as the rights of EU citizens are not adequately protected from US surveillance laws.
On 19 December 2019 the Advocate General issued an opinion on the 11 questions referred in the Schrems case, in advance of the Court of Justice of the European Union’s (CJEU’s) ruling due early this year. The CJEU usually follows the Advocate General’s opinion, which stated that SCCs are valid and an appropriate method of protecting personal data so long as data subjects have an effective right of action against the data controller and the data controller or supervisory authority suspends such transfers where the laws of the non-EEA country conflict with the SCCs. The opinion was less reassuring about the US Privacy Shield, casting doubt on its validity.
Potential Business Solutions?
- Check your data flows and understand the impact on your business
- Check whether Binding Corporate Rules for intra-group transfers are an alternative
- Carry out risk assessments to ensure that local laws and practices do not undermine the SCCs in place
If you’d like assistance in understanding your obligations under GDPR, contact RegSol today for training or a GDPR review of your controls and procedures.
By Judy de Castro - Regulatory Consultant
AML 5th Directive: Update
January 2020
We expect 2020 will bring a host of interesting new developments and much needed clarity around the outcome of Brexit as well as the advent of still more regulatory change, including the expected transposition in full of the 5th EU AML Directive.
As the European Union (Withdrawal Agreement) Bill 2019-20 wound its way through its second reading in the UK’s House of Lords on the 13th of January, the UK Parliament had already implemented the European Union’s 5th AML Directive on time, on the 10th.
Ireland, on the other hand, had not, and the 10th of January passed without any indication of when draft legislation will be available. AMLD5 introduces a number of key reforms, including the expansion of the definition of obliged entities (designated persons in Ireland) to bring virtual currency exchange platforms and custodian wallet providers, art dealers, letting agents and tax advisors within the scope of the regime.
This does not mean that Irish companies subject to the AML/CTF regime should be complacent, as it remains to be seen what the amending legislation will include. Firms likely to be brought into scope need to ensure they are performing gap analyses and undertaking implementation projects to address the new requirements.
If you’d like assistance in understanding your obligations under the 5th AML Directive, please do not hesitate to contact us at firstname.lastname@example.org
By Judy de Castro - Regulatory Consultant
New Guide to Sanctions under the Administrative Sanctions Regime
December 2019
The Central Bank of Ireland has launched a new guide to highlight certain aspects of the administrative sanctions procedure. The primary focus is on factors which may aggravate or indeed mitigate the breach(es) being examined.
The Guidance document is broken into two sections, the first addressing the general principles to be applied, including Proportionality, Totality, Sanction Factors and Comparator Cases. The second section sets out four sets of factors in detail:
- Nature, Seriousness and Impact of the breach
- Conduct of the Entity after the breach
- Previous Record of the Entity
- Other General Factors
Commenting on the new guide at its launch on 21st November 2019, Derville Rowland, Director General, Financial Conduct, noted 130 settlement agreements since 2006 and the increasing level of detail within those agreements. She also noted that, despite this, firms appear to continue to misunderstand the sanctioning factors, with some expecting reductions in penalties even after taking obstructionist approaches to settlement. There is absolutely no doubt that a lack of cooperation is an aggravating factor.
As Ms Rowland concluded: “Let me be very clear that while the Central Bank absolutely expects firms to prevent wrongdoing in the first place, they can undo some of those wrongs by demonstrating a positive culture in terms of how they deal with regulatory breaches. Or put another way, it is never too late to do the right thing.”
You can access the Guide by clicking here.
By AnneMarie Whelan - Regulatory Consultant
New Lending Rules for Credit Unions and Enforcement Action against Savvi Credit Union
December 2019
The Central Bank of Ireland, as a result of CP125 - Consultation on Potential Changes to the Lending Framework for Credit Unions, has introduced new lending rules to come into effect in January 2020.
The new rules remove the maturity limits which currently cap long term lending and instead introduce a tiered approach, based on concentration limits, for mortgage and business loans relative to total assets. The relevant tiers are as follows:
- A combined concentration limit for house and business loans of 7.5 per cent of total assets for all credit unions.
- A 10 per cent limit, conditional on a credit union satisfying asset size (at least €50 million) and regulatory reserves qualifying criteria and notifying the Central Bank in advance.
- A 15 per cent limit for credit unions with total assets of at least €100 million, subject to Central Bank approval.
Further proposals in relation to removal of the existing longer term lending maturity limits, new maximum maturity limits for secured and unsecured lending, and the definition for business loans are included in the Feedback Statement to CP125 which is available here.
Somewhat ironically, in the same month the Central Bank published its most recent settlement agreement (7th November) under the administrative sanctions regime, and it was against a Credit Union for breaches of the existing lending rules.
Savvi Credit Union was fined €185,500 and reprimanded for failing to comply with the limits for long term loans and for reimbursing travel expenses to a Director (totalling €28,341 over 4 years) at rates in excess of Civil Service rates. You can read the full settlement agreement here.
As we usher in the 2020s, it is worth noting that the Central Bank of Ireland has consistently issued fines and reprimands and taken enforcement action against Credit Unions on an annual basis since 2012. Failures have ranged from mismanagement of internal controls and governance arrangements, to fitness and probity, to AML breaches. Fines have ranged from €198,000 down to as little as €5,000 for failures in complying with prudential regulatory returns.
Ringing in the new year should allow for the Credit Union Sector at least the opportunity to provide more loans to support their members with the added Christmas bonus of more local options for the Irish consumer. Let’s hope it doesn’t give rise to another enforcement action.
By Judy De Castro - Regulatory Consultant
AML/CTF Legislation: S.I. No. 578/2019 - European Union (Money Laundering and Terrorist Financing) Regulations 2019
December 2019
We could not say goodbye to 2019 without saying something about AML/CTF regulation, so here is an update on the AML/CTF regime. On the 22nd of November 2019, the Minister for Justice and Equality, for the purposes of giving further effect to the 4th EU AML Directive, published SI 578/2019 amending the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The following changes are notable:
- A designated person must have proportionate procedures in place to allow their employees or persons in a comparable position to report a contravention of the Act internally through an independent and anonymous channel
- An obligation on any person who performs a management function in, or is a beneficial owner of, a designated person and who is convicted of a relevant offence to inform the Central Bank within 30 days of the conviction
- An obligation on Member State competent authorities to cooperate and coordinate activities to counter money laundering and terrorist financing
For entities subject to the AML/CTF regime, this will mean updating policies and procedures and implementing new reporting channels.
Click HERE to access the SI.
If you’d like assistance with getting to grips with AML/CTF, please contact a RegSol consultant today.
By Judy de Castro - Regulatory Consultant
Insurance Costs: Analysis and Commentary
December 2019
The Law Reform Commission published a report on the 11th of December that outlines legislative responses, including the introduction of a cap on the amount awarded in damages in personal injuries claims. The Cost of Insurance Working Group (CIWG), established in 2016 by the Department of Finance to examine the factors contributing to the increasing cost of insurance and to identify measures to reduce that cost, had recommended that the Law Reform Commission examine the constitutionality of the proposed cap.
An additional recommendation from the CIWG led to the requirement on the Central Bank, under the Central Bank (National Claims Information Database) Act 2018 which commenced in January 2019, to establish this database and publish an annual report. By providing statistical analysis on all insurers selling private motor insurance in Ireland, regardless of country of authorisation, the Central Bank’s drive for transparency aims to give consumers clear information and to make
This has also resulted in new regulations, published last month, requiring motor insurers to provide a quotation for each policy option available to the customer (comprehensive, third party fire and theft, or third party only), in addition to extending the renewal notification period from 15 to 20 working days.
Arguably, steering customers away from comprehensive cover may not be in their best interests, even if the goal is transparency. And with the heaps of documentation involved, customers are often buried in the detail.
But how effective is the Central Bank’s Report?
Gerry Hassett, Interim CEO of Insurance Ireland, has defended the industry, stating that, “The data in this report highlights the importance of the cost of claims to the market as it is the largest cost paid by insurers. Insurers have seen a 64% increase in average cost of a claim from 2009-2018 with the lion’s share of this inflation coming from 2013 onwards.” (click here to view Insurance Ireland’s website).
Litigated settlements costing more than €100,000 accounted for 15% of claimants settling through litigation but 53% of total litigated costs, and included a number of large settlements. The figure below shows the types of claims per year.
Nevertheless, the cost of premiums has undoubtedly increased for motorists and businesses alike, forcing some operators, such as the organisers of Oktoberfest in Dublin’s IFSC, to cancel their event citing the cost of insurance. Perhaps the solution that satisfies market participants, consumers and businesses is as simple as the law of a free market economy: supply and demand. Get more insurers into the market, support the Gardaí in shutting down ghost insurance brokers and provide more choice for consumers. Whilst the debate around insurance claims and the knock-on effect these claims have on insurance premiums is set to continue into 2020, the Central Bank’s pursuit of transparency has certainly achieved one thing: politicians in a scrum for what can only be described as a political football.
If you’re an insurer looking to enter the Irish market and seeking authorisation, contact RegSol for a quote.
By Judy de Castro - Regulatory Consultant
New Rules on Gift Vouchers
December 2019
From 2 December 2019, new legislation is in place which gives consumers more rights when it comes to gift vouchers.
| Rule | What it means |
| --- | --- |
| Minimum expiry date of five years | Where there is an expiry date on a gift voucher, it must be at least five years. You should be given the expiry date in a durable form, for example in writing or in an email, and you should also be given the date the gift voucher was bought. |
| You do not have to use the voucher in one go | You do not have to spend the full value of the voucher in one transaction. If there is a balance of more than €1 left on a gift voucher, the business should refund you the difference either by electronic transfer (debit/credit card) or by another gift voucher (with the same expiry date as the original voucher). It is up to the business which method of refund they use. |
| More than one gift voucher can be used in one go | You can use more than one voucher at a time. For example, if something costs €100 and you have two €50 vouchers, you can use them both to pay. |
| A business cannot refuse a gift voucher because it is not in your name, or charge you to change/amend the name on a gift voucher | If a business requires the name of a person on a gift voucher, and the person’s actual name is different from the name on the voucher, the business cannot refuse to accept the voucher, or charge you for changing the name on the voucher. |
Not all gift vouchers are covered by this legislation. Here is a guide to the main types of vouchers and whether or not they are covered by the gift vouchers legislation.
| Type of voucher | Example | Covered or excluded? |
| --- | --- | --- |
| Shop voucher | A voucher for a particular shop or department store, which is only accepted in those stores nationwide. | Covered |
| Shopping centre gift card | A voucher or gift card for a particular shopping centre, that can only be used within that shopping centre or outlet. | Covered |
| Online voucher for a deal website | A voucher bought from a discount deal website for a product or service, usually fulfilled by another business. | Excluded |
| One-4-all gift cards | An Post One-4-all gift cards can be redeemed in a wide range of retailers. These are considered electronic money cards. | Excluded |
| Credit note | If you return an item to a store and receive a voucher or credit note, it is not considered a gift voucher under the legislation. | Excluded |
| Coupons | A coupon you receive from a business directly or through an ad is not considered a gift voucher. | Excluded |
| Loyalty programme vouchers | Money vouchers you receive from a business as part of a loyalty programme you are a member of are not considered gift vouchers. | Excluded |
Some gift cards carry maintenance fees of approximately €3 per month which come into effect after a period of time. So if you give someone one of these gift cards worth €40 and they don’t use it for a year, maintenance charges of €3 a month could mean there is only €4 left on it after that year.
If you lose a gift voucher, the shop doesn’t have to replace it – it’s just like losing cash.
Did you know?
If the voucher was made out to you specifically and is non-transferable, the shop may be able to issue a new voucher and cancel the original. It may be worth contacting the shop and asking if this is possible.
Remember, consumer rights apply to gift cards just like any other item. So if the card is faulty and doesn’t work when you go to use it, you can return it for a replacement or refund.
1. I bought a gift voucher for my husband and it has an expiry date of 12 months. Does the new five year rule apply?
If you bought the voucher on or after 2 December 2019, the gift voucher must have an expiry date of at least five years starting on the day you bought it.
A gift voucher sold by a business with an expiry date of less than five years will be deemed to have a five year expiry date. Also, the business must inform you of any expiry date on a durable medium, for example, on paper or email. The paper or email must include:
- the expiry date of the gift voucher and the date it was bought or
- state that there is no expiry date, if that’s the case.
2. I bought a gift voucher for my daughter. Looking at it now, I can’t find an expiry date. Should it be on the gift voucher?
The expiry date does not have to be printed on the actual gift voucher. However, the business must tell you if an expiry date applies to the gift voucher on a durable medium, for example, on paper or email. The paper or email must include:
- the expiry date of the gift voucher and the date it was bought, or
- state that there is no expiry date, if that’s the case.
3. I got a present of a voucher for my 60th. It is for a considerable amount of money. Do I have to use it in one go?
You do not have to spend the full amount of the gift voucher in one go. If you only use part of the gift voucher and there is a balance of more than €1 left, the business can refund you in one of the following ways:
- electronic transfer (credit/debit card)
- gift voucher – the expiry date will be the same as the original gift voucher.
4. I bought a gift voucher a week before the new laws came into place. Will these new rules apply?
The new laws only apply to gift vouchers that were sold on or after the 2 December 2019.
5. I was given a gift voucher for my birthday and the spelling of my name is wrong on the voucher. Will there be a fee for amending the name?
No. After 2 December 2019, businesses cannot charge a fee for changing or amending the name on a gift voucher.
Online deal websites
Deal websites are platforms that let you buy vouchers for goods, services or experiences from other businesses, e.g. a mattress, a meal or a beauty treatment. When buying a voucher on a deal website, you pay the deal website the price and redeem the voucher with a third party business for the good or service. The new gift vouchers legislation does not apply to these types of vouchers. However, you still have rights when you buy goods and services.
Generally, when you buy something from a deal website and you do not have to go to a third party to redeem the voucher, you are entering into a contract with that deal website for that item. It is the same as buying an item from any online retailer and the same rights apply. More information about your rights when you buy online is available in the CCPC’s Buying Online section.
However, this can vary between deal websites and items bought, so always read the terms and conditions.
(information copied from CCPC.ie and can be found HERE)
CBI Enforcement Action: Co-mingled Client and Own Funds
December 2019
BVP Investments Limited, fined just €6,000 and reprimanded by the Central Bank of Ireland for holding client assets in breach of its authorisation, is a low impact firm under the Central Bank’s Probability Risk and Impact System of supervision (PRISM).
BVP’s audited accounts for the year ended 31 December 2018 show a turnover of €745,490. This is a reminder to all low impact firms that the Central Bank has no qualms about issuing fines to small-scale firms, proportionate to the firm’s bottom line.
The Firm was authorised under the Investment Intermediaries Act, 1995 (the IIA) on 15 November 2007. Under its IIA authorisation, the Firm is authorised to provide services to ‘’Designated Investment Funds’’. The Firm is explicitly not permitted by the Central Bank to hold client assets.
BVP’s authorisation contains an explicit condition stating that it is not permitted to hold client money or investment instruments. Immediately after obtaining its authorisation in 2007, and with full knowledge of the condition, BVP began holding and processing client funds through its corporate bank accounts.
As a consequence of the Firm’s breach, significant amounts of client funds were co-mingled with the Firm’s own funds in its corporate bank accounts. Although the investigation found no evidence of misappropriation or loss of client assets by the Firm, its actions placed those client assets at risk of loss, particularly in the event of an insolvency; of misuse (inadvertent or otherwise) by the Firm; and of delay in identifying them for return to clients.
RegSol provides audit and compliance services that can help you identify issues and prepare you for Central Bank inspections. Please contact us today for a quote.
By Judy de Castro - Regulatory Consultant
Whistleblowing Directive adopted by the EU Council
December 2019
In the wake of the Cambridge Analytica scandal, the disclosures of former Cambridge Analytica employee Christopher Wylie triggered investigations which raised privacy concerns about the unauthorised possession of the personal data of millions of Facebook users for targeting digital advertising campaigns.
Howard Wilkinson, Danske Bank’s former head of trading, used the Bank’s internal whistleblowing procedures to report on millions in laundered money flowing through a dormant account run by Putin’s cousin. His whistleblowing report, made in 2012, was ignored. The Danske Bank money laundering scandal is now the largest in history.
It is within this context that on the 7 October 2019, the EU Council approved the wording of the "Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law", also known as the Whistleblowing Directive. Member States have two years to implement the Directive into national law.
Whistleblowing allows a person to report or disclose information on breaches identified during the course of their employment.
This disclosure is protected where it is done in good faith under the Protected Disclosures Act, 2014 and under the Central Bank (Supervision and Enforcement) Act, 2013. The Workplace Relations Commission and/or the courts will determine whether or not a disclosure is a protected disclosure under the legislation. However, it should be noted that the 2014 Act provides that, in such proceedings, all disclosures are presumed to be protected disclosures unless otherwise proven.
The new directive broadens the definition of a whistleblower to cover the public and private sectors and includes former employees and job applicants, the self-employed, company shareholders, volunteers and unpaid trainees. The list of reportable breaches includes GDPR, consumer protection, environmental protection, money laundering, and public and product safety.
Member States can choose to extend the list of breaches if they so wish.
Businesses with at least 50 employees must put in place internal and external procedures for reporting breaches and taking remedial action, whilst guaranteeing the whistleblower’s anonymity and protection against retaliation.
They must acknowledge receipt of a report within 7 days and provide feedback within 3 months.
If you would like more information on implementing Whistleblowing Policies and Procedures, contact RegSol for assistance or training on Ethics and other Compliance related matters.
By Judy de Castro - Regulatory Consultant
Enterprise Risk Management (ERM): A Cornerstone for the CBI’s proposal for a Senior Executive Accountability Regime (SEAR)
December 2019
Driving a positive, ethical and consumer-focused risk culture within an Enterprise Risk Management Framework is the responsibility of the Board in the first instance, cascaded throughout the entire organisation and reflected from the bottom up. The proposed SEAR regime is based on strengthening clear responsibility and individual accountability by placing obligations on senior individuals who report directly to the Board and on the heads of critical business areas. These positions should correspond to those who are already PCFs under the Fitness and Probity Regime.
In scope (initially) are:
- credit institutions (excluding credit unions);
- insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and insurance special purpose vehicles);
- investment (MiFID) firms that underwrite and/or deal on own account and/or are authorised to hold client monies/assets
SEAR will, over time, be extended to other firms regulated by the Central Bank to ensure proportionality.
What can your firm do to prepare and what does this mean in practical terms?
Whatever phase an organisation is at in ERM implementation, risk culture is a key component. It is the common norms, attitudes and behaviours related to risk awareness, risk taking and management and the controls that shape decision making.
This is set out in the organisation’s risk appetite, which is set by the Board and measured and reported on within the governance structure. Its absence, or a poor culture, leads to misconduct and excessive risk taking, ultimately the driver of financial crises. Key to transforming this is striking a balance between a sales-driven first-line front office and the second-line drivers of effective risk management.
- Conduct Risk Appetite Statements approved by the Board to drive change
- New business/product, sales and front office duly incorporated into the risk governance structure
- Communication strategy around values
- Alignment of incentives with risk objectives, and enforceable disciplinary action for breaches of rules and misbehaviour
- Risk Control Self Assessments and collection of data on past events
- Mandatory responsibilities for Senior
- Comprehensive Statements of
The table above, in our view, demonstrates that the proposed SEAR regime is strongly aligned to the ERM process. Having a mature ERM framework in place better prepares organisations for regulatory change while helping them achieve their strategic business objectives in a way that is good for their employees, their stakeholders and their bottom line. If you would like to partner with RegSol to embed an effective Risk Management Framework in your organisation, please talk to one of our consultants today.
By Judy de Castro - Regulatory Consultant
Investment Firms: CRD V Structural Reform in EU Prudential RulesOctober 2019In April this year a review of the prudential framework for MiFID II investment firms was approved as part of building the Capital Markets Union. The revised legislation aims to improve investment flows and to level the playing field through proportionate rules for larger institutions and for simpler, less risky firms.
The legislation also aims to clarify the equivalence rules for the provision of investment services by third-country firms and, most importantly, is a significant step towards completing the European post-crisis regulatory reforms.
Together, these reforms affect all European banks and investment firms and require significant implementation effort over several years. There will be material changes to firms’ capital and funding needs as well as to their governance, risk management, systems and controls, reporting, recovery and resolution planning and, in some cases, corporate structures.
CRD V will update the framework of harmonised rules established in the wake of the financial crisis, the so-called 'Single Rulebook'.
The 'Single Rulebook' ensures that:
- banks and investment firms have enough capital to cover unexpected losses and are prepared to withstand economic shocks; and
- obliged entities have fewer incentives to take excessive risks.
Some outstanding elements of the reform that are key to ensuring a firm’s resilience, but have only recently been finalised by the global standard setters (the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB)), include:
- a new framework for low-prudential-risk investment firms, through the Investment Firms Directive in 2021, to mitigate the comparative weakness of the EU investment bank sector;
- ECB oversight of systemic or “class 1” investment firms, i.e. those whose consolidated assets exceed EUR 15 billion, with those over EUR 30 billion brought into the same supervisory regime as banks;
- regulation of financial holding companies, which become subject to all requirements of the prudential framework as it relates to their consolidated position and corporate governance;
- Intermediate Parent Undertaking (IPU): a large third-country group must hold its EU entities through an IPU where at least one subsidiary in the group is a large EU investment firm and the parent entity is established outside the EU;
- branch regulation: minimum harmonised reporting requirements for EU branches of third-country banks, and a requirement for EU regulators to cooperate to ensure a consolidated approach to supervision.
Even though these structural legislative reforms may be delayed, it would be prudent for investment service firms to work through their implications now: authorisations may need to be prepared alongside a restructuring process and corporate governance planning.
RegSol is here to assist with regulatory impact analysis and can help you manage the impact of regulatory change.
By Judy de Castro - Regulatory Consultant
Google France and the Right to be ForgottenOctober 2019The Right to be Forgotten, a privacy right enshrined in the GDPR, which came into force in May last year, has been tested in the European courts. The case arose from the French data protection authority’s (CNIL) ruling that required Google to apply the right to be forgotten to searches on all Google domains. CNIL held that, to be effective, delisting had to be carried out globally as a single processing operation: a user in Ireland, for example, would not see the removed results even if they searched on Google.com.
Google appealed, sparking a long drawn-out battle, with Google’s counsel arguing that if French law applied globally it would only be a matter of time before other countries demanded that their laws likewise have global reach.
Last Tuesday the European Court of Justice (ECJ) held that EU law does not require delisting on every version of a search engine, limiting the obligation to search engine operators’ EU versions: the right to be forgotten will be seen only on European versions of Google search, such as google.fr or google.de, but not on google.com.
The ECJ does require Google to put in place measures to discourage EU internet users from reaching the delisted information through non-EU versions, but in practical terms this seems unrealistic to achieve. Google already performs the role of a “sub-regulator”: it has had to decide on some 850,000 separate requests to remove links to about 3.3 million websites, and one could argue that it now has arguably greater, almost supervisory, powers in deciding what personal data is kept in the public domain.
If you’d like assistance with GDPR Compliance, please contact your RegSol Consultant for assistance.
By Judy de Castro - Regulatory Consultant
Spotlight on Transparency for Financial Brokers: New Insurance Renewal Requirements & New Consumer Protection Code Addendum March 2020October 2019In July 2016, the Government established the Cost of Insurance Working Group (CIWG). The objective of the CIWG was to identify and examine the drivers of the cost of motor insurance and to recommend short-, medium- and longer-term measures to address these issues.
In January 2017 the CIWG’s Report on the Cost of Motor Insurance was published by the Department of Finance, including an Action Plan to implement the identified recommendations. The Non-Life Insurance (Provision of Information) (Renewal of Policy of Insurance) (Amendment) Regulations, which come into force on 1 November 2019, are designed to afford greater protection to consumers by giving insurance policyholders more transparency, a key theme in the output of Consultation Paper 114.
In the pursuit of transparency, however, are consumers already bombarded with too much information and, arguably, overloaded with too much choice? The Central Bank and the CIWG would argue that this information is important to allow consumers to shop around. The changes can be summarised as follows:
- Insurers must provide additional information on the premium breakdown to consumers and must offer a price for all the cover options they offer. It is proposed that insurers will also be required to provide this premium breakdown when a person first gets a quote for a policy as well as at renewal notice stage, together with the other information referred to in Regulation 6.
- Insurers must extend the renewal notification period from 15 working days to 20 working days, making it easier for motorists to compare prices when purchasing motor insurance; and
- an insurer shall, in respect of a policy of private motor insurance to be renewed, include, on the same page as the renewal premium is first set out, the following information:
- the premium paid in the previous year, or
- where applicable, following any mid-term adjustment made to the policy in the previous year—
- the provision of an annualised premium figure for the previous year excluding fees or charges applied as a result of that adjustment, and
- a statement indicating that the annualised premium figure shown may not reflect the actual premium paid in the previous year.
Last week saw the headlines and radio interviews with the Central Bank of Ireland explaining the new addendum to the Consumer Protection Code (CPC), which takes into account provisions arising from the EU (Insurance Distribution) Regulations 2018 and “Enhanced Consumer Protection Measures” following consultation paper CP116 on intermediary inducements. The parts of the CPC amended with effect from 31 March 2020 are as follows:
- Chapter 3 - Conflicts of Interest: avoiding conflicts of interest by placing the consumer’s best interests above consideration of fees, commissions, rewards or remuneration linked to volume targets and bonus payments linked to business retention.
- Chapter 4 - Provision of Information:
- use of the term “Independent” is restricted to regulated activities provided on the basis of a fair analysis of the market AND where the intermediary does not accept and retain any fee, commission or other reward or remuneration for advice in respect of regulated activities. Exceptions are minor and restricted to non-monetary benefits (conferences, hospitality, IT software) and fees paid by the consumer. Note also the amendment to 4.16A regarding MiFID Article 3 services and use of the term “independent”.
- summary details of all arrangements for any fee, commission, other reward or remuneration paid or provided to the intermediary must be made available in its public offices or on its website and brought to the attention of the consumer.
- Chapter 12 - Definitions.
- Press release information is available HERE.
If you require assistance with Consumer Protection, whether training or a compliance review or audit, please contact RegSol.
By Judy De Castro - Regulatory Consultant
New AML Guidelines for the Financial SectorSeptember 2019The Central Bank’s new Anti-Money Laundering Guidelines for the Financial Sector were launched at a private event on the 6th of September.
Click HERE to view and download the document.
PSD 2 Deadline: Strong Customer AuthenticationSeptember 2019Strong customer authentication (SCA) is a requirement of the revised EU Payment Services Directive (PSD2) on payment service providers within the European Economic Area, in force from 14 September 2019. It requires electronic payments to be performed with multi-factor authentication, to increase their security. Physical card transactions in the EU already commonly have what could be termed strong customer authentication (Chip and PIN), but this has not generally been true of internet transactions across the EU before the requirement came into force.
Where and How?
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
The directive, in Article 4(30), defines strong customer authentication essentially as two-factor authentication:
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
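The Article 4(30) definition is easy to state and easy to get wrong in an implementation, so here is an added example (our own, not code from the post or from any payment provider) of a check that enforces it. Each element is tagged with its category and with a constructed "channel" label; two elements only count as strong customer authentication if they come from different categories and, under this example’s conservative rule, travelled through different channels, so that compromise of one device does not hand over both. The Factor and Element names, the channel labels, the action strings in SCA_TRIGGERS and the sample sessions are all assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Factor(Enum):
    """The three categories named in PSD2 Article 4(30)."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    """One authentication element presented during a session.

    `channel` is a constructed label for the device or path the element
    travels through ("browser", "phone", "hardware-token"). It is how this
    example approximates the directive's independence requirement: two
    elements that ride on the same compromised device are not independent.
    """
    name: str
    factor: Factor
    channel: str
    verified: bool


# The three Article 97(1) triggers, as listed in the post. The action
# labels are constructed for this example.
SCA_TRIGGERS = frozenset({
    "access_account_online",
    "initiate_electronic_payment",
    "remote_action_with_fraud_risk",
})


def sca_required(action: str) -> bool:
    """True when the payer action is one of the Article 97(1) cases."""
    return action in SCA_TRIGGERS


def check_sca(elements):
    """Decide whether the presented elements amount to SCA.

    Returns (ok, reason). ok is True only if:
      1. at least two *verified* elements fall into different categories, and
      2. at least one such cross-category pair travelled through different
         channels, so a single compromised device or path (stolen phone,
         malware in the browser) does not hand over both factors.
    Treating every same-channel pair as non-independent is this example's
    conservative policy; the directive states the principle, not this test.
    """
    verified = [e for e in elements if e.verified]
    categories = {e.factor for e in verified}
    if len(categories) < 2:
        return False, "only %d verified category(ies): %s" % (
            len(categories), sorted(c.value for c in categories))
    for a, b in combinations(verified, 2):
        if a.factor != b.factor and a.channel != b.channel:
            return True, "%s (%s, %s) + %s (%s, %s) are independent" % (
                a.name, a.factor.value, a.channel,
                b.name, b.factor.value, b.channel)
    return False, "every cross-category pair shares a channel; not independent"


# Constructed sessions (not real data) showing the common pass/fail cases.
SESSIONS = {
    "password + SMS code on a separate phone": [
        Element("password", Factor.KNOWLEDGE, "browser", True),
        Element("sms-otp", Factor.POSSESSION, "phone", True),
    ],
    "password + memorable word (two knowledge elements)": [
        Element("password", Factor.KNOWLEDGE, "browser", True),
        Element("memorable-word", Factor.KNOWLEDGE, "browser", True),
    ],
    "app PIN + app-generated code, both on the same phone": [
        Element("app-pin", Factor.KNOWLEDGE, "phone", True),
        Element("app-otp", Factor.POSSESSION, "phone", True),
    ],
    "password + SMS code that was never confirmed": [
        Element("password", Factor.KNOWLEDGE, "browser", True),
        Element("sms-otp", Factor.POSSESSION, "phone", False),
    ],
    "fingerprint on phone + hardware token code": [
        Element("fingerprint", Factor.INHERENCE, "phone", True),
        Element("token-code", Factor.POSSESSION, "hardware-token", True),
    ],
}


def evaluate_sessions():
    """Run every constructed session; returns {label: ok}."""
    return {label: check_sca(elems)[0] for label, elems in SESSIONS.items()}


if __name__ == "__main__":
    for label, elems in SESSIONS.items():
        ok, reason = check_sca(elems)
        print("%-55s %s  (%s)" % (label, "SCA" if ok else "NOT SCA", reason))
```

Running the file prints a verdict and reason for each constructed session. Note that the third session, a PIN and a one-time code both handled by the same phone app, fails only because of the example’s same-channel rule, which is deliberately stricter than what the regulatory technical standards allow for multi-purpose devices with mitigations; relax it only once you can demonstrate those mitigations.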
Requirement for Authorisation
You will require authorisation/registration for PSD2 if you provide one of the payment services listed in the schedule to the Payment Services Regulations 2018, unless you are either excluded from the scope of PSD2 or are one of the institutions referred to in Article 1(1) of PSD2. An authorisation/registration under PSD2 is valid in all Member States and allows the payment institution concerned to provide the payment services covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.
In advance of submitting an application for authorisation/registration under PSD2, a firm should satisfy itself that its proposed business model requires authorisation/registration.
If you are unsure as to whether your proposed activities require authorisation/registration or if you are unsure as to how you should comply with the authorisation/registration requirements, RegSol can assist.
By Judy de Castro - Regulatory Consultant
Understanding the Public Services Card Data Protection BreachSeptember 2019On Friday 16 August, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC).
The DPC found that seven of its eight findings were adverse to the positions advanced by the Department of Employment Affairs and Social Protection (DEASP), and that there is, and has been, non-compliance with the applicable provisions of data protection law.
The Department’s processing of personal data when issuing Public Services Cards for use in transactions between a person and a public body other than the Department itself was found to be unlawful.
The DPC also found that blanket retention of personal data contravened data protection law, meaning that personal data held on more than three million cardholders must now be deleted. At a cost of about €60 million to roll out, with savings of only €2.5 million in welfare fraud, the card targets socially and economically vulnerable people, forcing them to trade their personal data for services to which they are entitled.
But why does this matter to you?
The personal data collected by the Department included a photograph, gender and address, all digitally encoded, as well as the creation of a biometric facial recognition database.
Holding data such as fingerprints, retina scans, facial recognition templates or other biometric data (metrics related to human characteristics) has obvious technical security considerations, but consider also the encroachment of state authority on human dignity. Biometric data may be used in ways to which the individual has not consented, as is the case here, and it can also disclose physiological or pathological medical conditions of which the person may not even be aware.
For example, fingerprint patterns can be related to chromosomal diseases, iris patterns could reveal vascular diseases, and behavioural biometrics could reveal neurological diseases. Excessive, perhaps, for accessing social welfare payments? Then think about the other public bodies that collect your information and may not do a good job of protecting or deleting it.
Any organisation subject to data protection law is required to keep a record of the personal data it processes, detailing what information is collected and for what purpose. Organisations must consider unintended consequences and understand the security measures in place to protect this personal data. They must set retention periods and note that blanket retention periods are never acceptable; requesting excessive information, or using it for purposes other than those initially agreed, is not acceptable either.
If you need help with your data protection requirements, contact RegSol for consultancy or enrol on a course on our training website here.
By Judy de Castro - Regulatory Consultant
Brokers and Treatment of Vulnerable Consumers: Practical ConsiderationsSeptember 2019Vulnerable Adults often find themselves excluded from mainstream society. Excluded from the community because they are restricted in capacity and cannot read social cues, excluded from social media because they cannot navigate technology, marginalised by society because of their age, illiteracy, disability, physical or mental ill health, they are on the fringes because they do not fit in.
Despite their perceived marginalised status, vulnerable adults are becoming more mainstream and businesses and organisations alike are taking notice:
The OECD Adult Skills Survey shows that 17.9%, or about 1 in 6, of Irish adults are at or below level 1 on a five-level literacy scale; Ireland ranks 15th of 24 participating countries. At this level a person may be unable to understand basic written information.
25%, or 1 in 4, of Irish adults score at or below level 1 for numeracy, compared with just over 20% on average across participating countries. This places Ireland even further down the international rankings, in 19th place.
42% of Irish adults score at or below level 1 on using technology to solve problems and accomplish tasks. (NALA)
Age: 65 years and over
This age group saw the largest increase in population since 2011, rising by 102,174 to 637,567, a rise of 19.1%. The census recorded 456 centenarians, an increase of 17.2% on 2011.
Over half a million or 577,171 in this older age group lived in private households, an increase of 19.6%, while those in nursing homes increased by 1,960 to 22,762. (CSO)
By 2041 the numbers of people in Ireland with dementia will have tripled. In fact, a conservative estimate suggests that by 2041 some 140,000 people will have dementia. (Dementia Ireland)
It is estimated that one in four people will experience some mental health problems in their lifetime. The WHO’s Commission on Social Determinants of Health stated that depressive mental illnesses will be the leading cause of disease in high income countries by 2030. (Mental Health Ireland)
Every 3 minutes in Ireland someone gets a cancer diagnosis. Incidence of cancer is growing and by 2020, 1 in 2 of us will get a cancer diagnosis in our lifetime.*
In Ireland more than 40,000 new cases of cancer or related tumours are diagnosed each year. (National Cancer Registry of Ireland (NCRI))
How should brokers treat vulnerable consumers when providing them with financial advice? What accommodation should be made for a consumer presenting with these conditions, and how should a broker proceed to ensure they are acting fairly, professionally and in the best interests of these consumers, especially if they are subject to financial abuse?
The table below provides some guidance on how to employ resources effectively in acting in the best interests of vulnerable consumers:
If you would like more information on how to effectively implement your Consumer Protection Code requirements, or would like to receive Consumer Protection Code training, please contact your consultant/trainer at RegSol.
*1 in 2 by 2020 is a projection based on current data provided by the NCRI. It makes allowances for variables such as aging population, lifestyle and other factors.
By: Judy DeCastro - Regulatory Consultant
Launch of the CRO’s Beneficial Ownership RegisterAugust 2019In March 2019, the Minister for Finance signed into law Statutory Instrument No 110 of 2019 to establish a Central Register of Beneficial Ownership of Companies and Industrial and Provident Societies (the RBO) - Click HERE to view
The Registrar of Companies has been appointed as the Registrar of Beneficial Ownership of Companies and Industrial & Provident Societies with effect from 29 July 2019.
Accordingly, the RBO is now open to accept filings.
Filing of beneficial ownership data can only be made on-line through a portal on the RBO website at www.rbo.gov.ie. There are no paper forms and no filing fees involved. Companies and societies will have until Friday 22 November to file their data with the RBO without being in breach of their statutory duty to file. The RBO will write to each company and Industrial & Provident Society about their filing obligations in the coming days.
BENEFICIAL OWNERS: PPSN
Under Part 3 of the 2019 Regulations, the PPS number of each beneficial owner (who has such a PPS number) must be reported by the company/ industrial and provident society to the Register (but will not be included on the RBO). The Registrar will cross-check that PPS number with the Department of Employment Affairs and Social Protection to ensure that the names match. This is an extra verification step that the Registrar will use to ensure that the information held on the RBO is accurate and that the RBO does not contain duplicate entries. For a beneficial owner who does not have a PPS number, the Registrar has now confirmed that a Form BEN2 (Declaration as to Verification of Identity) will be used to verify that beneficial owner’s identity.
A process has been developed to enable beneficial owners who do not currently have an Irish Personal Public Service Number (PPSN) to file with the RBO. Full details are provided in a specific FAQ on the RBO website – www.rbo.gov.ie.
By: Judy DeCastro - Regulatory Consultant
Levelling the Playing Field: European Central Bank Guidelines on OutsourcingAugust 2019The EBA’s Outsourcing Guidelines currently in force were issued in 2006 and apply only to credit institutions (essentially banks and building societies) and the 2018 Recommendations apply to credit institutions and MiFID investment firms. This will be changed by the New Outsourcing Guidelines which will apply to payment institutions and e-money institutions as well as credit institutions and MiFID investment firms. The general aim of the New Outsourcing Guidelines is to create a level playing field and harmonise the outsourcing requirements which are set out in separate EU legislation for different types of firms (credit institutions under CRD IV, investment firms under MiFID II, payment institutions and electronic money institutions under PSD2).
The first question to ask is: do you have any outsourced activities or functions, and are they critical?
As a general principle, institutions and payment institutions should not consider the following as outsourcing:
- a function that is legally required to be performed by a service provider, e.g. statutory audit;
- market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
- global network infrastructures (e.g. Visa, MasterCard);
- clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
- global financial messaging infrastructures that are subject to oversight by relevant authorities;
- correspondent banking services; and
- the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line).
So, then, what would constitute outsourcing?
The Central Bank considers outsourcing to be an arrangement of any form between an institution and a third-party service provider by which that service provider performs, on the institution’s behalf, a process, a service or an activity that could otherwise be undertaken by the institution itself. Outsourcing should not detract from the institution’s ability to demonstrate that its ‘mind and management’ remains located within the institution and that it is not delegating responsibility for the operation or management of key functions to a third party.
Once institutions have identified their outsourcing arrangements they will need to perform a materiality risk assessment to establish whether each arrangement is critical: whether it is directly connected to the provision of the banking activities or payment services for which they are authorised, and what the potential impact on their resilience and viability would be of any disruption to the outsourced function or of the service provider failing to deliver at the agreed service levels on a continuous basis. Finally, third-party arrangements require robust contracts that allow the institution’s management to oversee and monitor the outsourced services or functions effectively.
If you need help managing your outsourcing risk, please contact RegSol for assistance.
Click HERE to view the EBA’s Outsourcing Guidelines
By: Judy DeCastro - Regulatory Consultant
Governance & Internal Audit: Key Take-Aways from Wells Fargo Enforcement ActionAugust 2019Wells Fargo Bank International (WFBI) is classified as a Less Significant Institution by the Central Bank’s risk profiling system which uses a rating system based on criteria relating to, amongst other factors, its size, its importance to the economy and the significance of its cross-border activities.
Nevertheless, WFBI was fined a total of €5,880,000, about 1.5% of its operating income (US$340,264,000), for serious failings in its regulatory reporting capability and governance and compliance.
WFBI is required to put in place and maintain robust corporate governance and assurance arrangements, which include the following:
- a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
- effective processes to identify, manage, monitor and report the risks it is, or might be, exposed to;
- adequate internal control mechanisms, including but not limited to:
- sound administration and accounting procedures, and
- remuneration policies and practices that are consistent with and promote sound and effective risk management;
- a management body that defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of the institution, including the segregation of duties in the organisation and the prevention of conflicts of interest, and
- that monitors, and periodically assesses, the effectiveness of the institution’s governance arrangements and takes appropriate steps to address any deficiencies.
How has the CBI defined ‘corporate governance’?
“Procedures, processes and attitudes according to which an organisation is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organisation – such as the Board, managers, shareholders and other stakeholders – and lays down the rules and procedures for decision-making.”
So what does this mean for you?
The Guidelines state that ‘An institution shall develop and maintain a strong and comprehensive internal control framework, including specific independent control functions with appropriate standing to fulfil their mission.’
An internal control framework should:
- cover all business units and subsidiaries;
- ensure effective and efficient operations, while at the same time ensuring:
- adequate control of risks;
- prudent conduct of business;
- reliability of financial and non-financial information reported; and
- compliance with applicable laws, regulations, supervisory requirements and internal rules and decisions, underpinned by effective internal audit and compliance functions.
In conclusion, with the introduction of CBI corporate governance codes for most regulated sectors, this remains an area of continued focus for regulators. It is therefore important for all regulated entities to continuously improve their governance and assurance arrangements. Unfortunately for WFBI, the board of directors did not monitor and periodically assess the effectiveness of the firm’s regulatory reporting governance arrangements, nor did it take adequate steps to address the deficiencies at the time. Procedural documentation was not subject to review by senior management, and internal audit failed to provide independent assurance to the board because there were substantial gaps in the scope, depth and frequency of its review and testing of the regulatory reporting processes and procedures.
If you need assistance in your assurance testing or monitoring, contact RegSol today for a comprehensive audit of your processes.
Click HERE for the link to CBI Action of Wells Fargo
By: Judy DeCastro - Regulatory Consultant
RegSol Spotlight: Letting Agents and General Data Protection RegulationsJuly 2019Landlords and letting agents, as data controllers, are required to comply with the General Data Protection Regulation (GDPR) and as such must ensure that the amount of personal information sought from renters is not excessive, is used only for the appropriate purposes and is not kept longer than necessary. Personal data must be handled in accordance with six principles under the Regulation:
- processed fairly, lawfully and in a transparent manner
- kept for a specified purpose and processed only in ways compatible with its initial given purpose
- kept safe and secure
- kept accurate, complete and up to date
- adequate, relevant and not excessive
- retained for no longer than necessary for specified purpose(s)
Landlords and letting agents who handle tenants’ personal data need to understand their responsibilities with respect to consent, and that the use of blanket consent clauses when collecting personal data is no longer appropriate. To be valid, consent must be fully informed and freely given, and it must be sought before data is passed to third parties, for example for reference checking. Where consent has not been sought, landlords and letting agents will need to look at how they obtain it going forward and review their contracts with third parties, contractors or suppliers that might involve the sharing of personal data.
Landlords and letting agents should also be cautious about the amount of personal data requested at the pre-tenancy stage when assessing applicants. Given the current housing crisis and the sheer volume of tenancy applications received, landlords and letting agents have used personal data to conduct due diligence on prospective tenants’ capacity to pay rent. The Data Protection Commissioner cautioned, for example, against the use of PPS numbers during the initial phase of the lettings process and confirmed that there is no statutory basis to use a tenant’s PPS number until the tenant has entered into the agreement and the tenancy must be registered with the Private Residential Tenancies Board. Unsuccessful applications should then be shredded or permanently deleted on an ongoing basis to comply with the data retention principle. The Data Protection Commission has noted that it is acceptable to keep a successful tenant’s personal data for the duration of the tenancy.
Personal data is to be kept for the purpose that it was initially obtained. Property letting agent PJ McCann was ordered to take down an online database of tenant reviews about whether rent was paid in full and the condition properties were left upon leaving. The Data Protection Commissioner told the agent they would face a €10,000 fine if they failed to comply with the order.
Landlords and letting agents must integrate GDPR into the lifecycle of their letting process from assessing potential renters right through to the termination of tenancies.
If you’re a landlord or letting agent and would like advice or training on your GDPR compliance obligations, please contact RegSol for immediate assistance.
By Judy DeCastro for RegSol
Criminal Assets Bureau releases Annual Report and highlights Trend ChangesJuly 2019
The Criminal Assets Bureau (CAB) was set up in the wake of the murder of journalist Veronica Guerin in 1996. It is tasked with targeting assets obtained directly or indirectly from criminal conduct, and has the power to seize assets which its officers believe to be the proceeds of crime.
On the 26th of June 2019, Minister for Justice Charlie Flanagan published the Criminal Assets Bureau Annual Report for 2018. The 2018 Report highlights the key activities undertaken by the Bureau during the year. During 2018, in excess of €5.6m was returned to the Exchequer as a result of CAB actions, including over €2.272m returned under Proceeds of Crime legislation, €3.097m collected under Revenue legislation and €0.323m recovered in Social Welfare overpayments.
In addition, the Bureau brought 30 new asset seizing proceedings before the High Court in 2018, the highest number of new cases commenced in a single year since its establishment. The value of assets frozen during the year under section 2 of the Proceeds of Crime Act 1996 was €8.393m. Breakdown as follows:
These figures show criminals are shifting tactic by moving criminal proceeds into jewellery and property, particularly expensive house renovations and assets that hold their value, such as Rolex watches. Estate agents and jewellers should be particularly vigilant in this regard and be aware of their statutory obligations to report suspicious activity to the Gardaí and the Revenue Commissioners as soon as practicable.
CAB's report also highlights that criminals are using cryptocurrencies to transfer money, given the pseudonymity they offer and their ease of transfer and access. CAB's seizure of the cryptocurrency Ethereum marked a worldwide first for law enforcement. Additional powers to be granted to law enforcement under the 5th EU AML Directive, due to be transposed by the 10th of January 2020, will allow the likes of the Garda National Economic Crime Bureau and CAB to obtain the addresses and identities of the owners of virtual currencies and wallets.
If you require assistance with your AML/CTF policies and internal control framework to ensure your organisation is ready for the 5th and 6th EU AML Directives, please contact RegSol.
Click HERE for a copy of CAB's Annual Report
JPMorgan Administration Ireland Fine: A Case of Compliance MismanagementJuly 2019
On the 24th of June 2019, the Central Bank reprimanded and fined JPMorgan Administration Services (Ireland) Limited (JPM) €1.6 million.
In March 2014, following a themed inspection of compliance with outsourcing requirements, the Central Bank issued a Risk Mitigation Programme requiring JPM to take measures to fix issues with its outsourcing arrangements with third parties.
JPM persistently failed to remediate the root causes of these failings despite repeated supervisory intervention by the Central Bank. And yet, someone senior in JPM continued to tell the Central Bank that all was well and had been fixed, whilst JPM continued to outsource core activities without supervisory approval. And despite the establishment of an oversight and governance committee to regularise these issues, a thinly veiled attempt to provide assurances to the regulator, nothing changed.
In a way, the enforcement action against JPM, we would argue, represents a microcosm of the scandals that continue to plague large international financial institutions such as Danske, ING and Deutsche Bank. Dare we question why big institutions continue to fail in their regulatory obligations as supervisory authorities increase the regulatory burden for entities large and small? Can internal compliance departments continue to justify their position that they are not risk owners and therefore not responsible?
Gatekeepers and frontline staff are overburdened with operational requirements, targets, customer pressures and bureaucracy, while Senior Management, Compliance and Risk teams "oversee" their colleagues. Is it time the Central Bank took a closer look at Heads of Compliance and Senior Management and acted under its Administrative Sanctions Procedure? With 6 prohibition notices issued against individuals for failures in fitness and probity, and the Central Bank's latest speeches commenting on individual accountability, perhaps it's only a matter of time.
Click here for details of the Central Bank's enforcement action
By Judy DeCastro for RegSol
Birthday Cake, Google and Data Protection OfficersJune 2019
As Europe voted, and with data protection law increasingly perceived as a prerequisite of fair and free democratic elections, Google is facing its first major investigation by its lead Data Protection Supervisory Authority in Europe, the Data Protection Commission (DPC) in Ireland.
Coinciding with the one-year anniversary of Ireland’s implementation of the General Data Protection Regulation (GDPR) into Irish law, the DPC announced it will investigate Google’s alleged unlawful processing of personal data at each stage of its ad-tracking system. The platform which shares behavioural habits of online visitors with hundreds of companies will be scrutinised against GDPR’s relevant provisions of transparency, data minimisation and purpose limitation. The sharing of information is known as a “bid request” and through this process, Google stands accused of failing to protect data against unauthorised access.
The potential financial exposure for a tier 2 penalty means that Google could face a fine of up to 4% of its global annual turnover for the preceding financial year, or an eye-watering $5.4 billion. Under the Data Protection Act 2018, once the fine is imposed, Google would have 28 days to pay up or appeal to the High Court. Let them eat cake, indeed!
Helen Dixon, the Data Protection Commissioner, looking back at what can only be deemed a very strategic and eventful year following a successful public awareness campaign, has noted:
“We’re the most rapidly growing data protection authority in the EU.”
Since her appointment in 2014, the DPC’s budget has risen to €15.2 million and over the past 12 months, the new legislation has given rise to a significant increase in workload. According to the DPC’s website:
6,624 complaints were received
5,818 valid data security breaches were notified
48,000 contacts were received through the DPC’s assessment unit
54 investigations were opened: 35 domestic, 19 cross-border
DPC staff numbers increased from 85 to 137 at the end of May 2019
Current Irish Statutory inquiries into ‘big tech’ multinationals:
WhatsApp (owned by Facebook): 2
Instagram (owned by Facebook): 1
LinkedIn (owned by Microsoft): 1
Yet to issue a fine, what will the next 12 months bring for the DPC and GDPR Compliance? We at RegSol, predict some clarity of GDPR principles, hopefully, as these investigations unfold and are drawn to conclusion. And with a better understanding of this new regulatory landscape, enforcement actions as they relate to compensation and damages awarded will reveal how high the stakes truly are.
The Data Protection Officer (DPO)
With birthday cake, fines and data processing in mind, appointment of a person with responsibility for Data Protection is for most organisations an effective way of mitigating data privacy risk, if only to coordinate responses to data subject requests or coordinate breach reporting.
Section 4 of Chapter IV of the GDPR (Articles 37 to 39) formally sets out the designation, position and tasks of the Data Protection Officer. Further, the Data Protection Commission has published guidance on the DPO role which comments that:
“The DPO role is an important GDPR innovation and cornerstone of the GDPR’s accountability- based compliance framework.”
Appointment of a DPO is mandatory for the following organisations:
Public bodies (consider private organisations carrying out public tasks)
Data controllers/processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale
Organisations whose processing involves special category data (medical data for instance) or data relating to criminal convictions and offences on a large scale
"Large scale" in this context is assessed by reference to the number of data subjects affected, the volume of personal data, the geographical extent of the processing and the range and duration of the processing.
As a matter of best practice, all organisations should document their rationale as to whether a DPO is required to be appointed. Formally appointing a DPO where it is not mandatory still brings the role under the full GDPR requirements and standards.
Regardless of whether the GDPR requires organisations to appoint a DPO, data controllers and processors must ensure that their organisations have sufficient staff and resources to discharge their obligations under the GDPR. However, a DPO can help organisations operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in the organisation’s data protection governance structure and to help improve accountability.
Under the GDPR the DPO is afforded statutory protections:
DPO must report to the highest level of management
DPO cannot be dismissed or penalised as a result of performing their duties
DPO must be provided with adequate resources to perform tasks
DPO must be free from influence and conflicts of interest
DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data
BUT the data controller remains accountable for GDPR compliance
Article 37(5) of the GDPR provides that a DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices".
For example, where a data processing activity is particularly complex, or where a large volume of sensitive data is involved (e.g. an internet or insurance company), the DPO may need a higher level of expertise and support.
Bearing in mind that a DPO can be either external or internal, RegSol is here to assist with your GDPR compliance.
by Judy De Castro for RegSol
First Three Enforcement Actions for the Central Bank for 2019June 2019
The Central Bank has imposed fines on three firms for varying offences:
Permanent TSB were fined €21 Million on 30th May for breaches of Consumer Protection and Code of Practice for Credit Institutions
Campbell O’Connor were fined €280,000 on 8th of May for AML/CTF Breaches
Bank of Montreal were fined €1,246,189 on 26th of April for breaches of the Central Bank Act, Licensing Conditions and Capital Requirements Regulations
Record Fine for Permanent TSB
Permanent TSB has admitted 42 separate regulatory breaches of the Code of Practice for Credit Institutions 2001, the Consumer Protection Code 2006 and the Consumer Protection Code 2012, the first of which commenced in August 2004. These breaches broadly occurred in four ways:
1) As a result of PTSB's failure to warn certain customers about the consequences of decisions relating to their mortgage;
2) Incorrect legal interpretation of contractual terms and conditions: PTSB denied certain customers their enduring contractual right to a tracker mortgage as a result of PTSB's incorrect interpretation of the extent of certain customers' contractual entitlements;
3) As a result of PTSB's operational and systems failings; and
4) As a result of a decision by PTSB to deny certain customers their correct tracker rate between 2009 and 2010.
As per the Central Bank’s settlement agreement in this matter:
“This fine is the largest imposed to date by the Central Bank under the Administrative Sanctions Procedure. It reflects the gravity with which the Central Bank views PTSB’s failings and the unacceptable harm PTSB caused to their tracker mortgage customers, from extended periods of significant overcharging to the loss of 12 family homes and 19 buy to let properties. In addition to the reprimand and fine, to date PTSB has also been required to pay €54.3m redress and compensation to its impacted customer accounts prior to and as part of the TME(tracker mortgage examination).”
Enforcement proceedings arising from the Central Bank's Tracker Mortgage Examination are pending against other lenders, and it is worth noting that PTSB's staggering penalty may not remain a record for long. The Central Bank has the power to fine regulated entities up to €10 million or 10% of their turnover; the €21 million fine for PTSB approximated 5% of its turnover for 2018.
You can read the full Settlement Agreement here.
Campbell O’Connor & Co Fined for Breaches in AML/CTF
On 8 May 2019, the Central Bank of Ireland imposed a fine of €280,000 on Campbell O'Connor & Company for five breaches of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the "CJA 2010"). The Central Bank determined that the appropriate fine was €400,000, which was reduced by 30% to €280,000 in accordance with the settlement discount scheme provided for in the Central Bank's Administrative Sanctions Procedure. The Central Bank's investigation into the Firm commenced following a themed supervisory inspection which was part of its ongoing engagement with the investment firm sector.
Breaches identified were as follows, mainly under Section 54:
• Failure to conduct appropriate money laundering/terrorist financing ("ML/TF") risk assessment as it relates to terrorist financing and customer and geographic risk
• Failure to adopt adequate policies and procedures for preventing and detecting ML/TF.
• Failure to monitor and scrutinise customer transactions.
• Failure to provide training to staff on identifying suspicious transactions.
• Failure to ensure that all necessary arrangements were in place with third parties whom the Firm relied on to conduct customer due diligence measures on the Firm's customers.
You can read the full Settlement Agreement here.
Bank of Montreal fined for breach of Banking Licence
On 26 April 2019, the Central Bank reprimanded and imposed a fine on Bank of Montreal Ireland plc for breaching a condition of its banking licence by failing to submit three operational risk returns to the Central Bank, and failing to establish and maintain effective processes and internal controls to ensure compliance with this regulatory reporting condition. The Firm has admitted the breaches in full.
This is the Firm’s second reprimand and fine for deficiencies in regulatory reporting. The Central Bank’s investigation found that the breaches were caused by:
the Firm’s failure to establish and maintain effective processes and controls to ensure the submission of operational risk returns;
an over-reliance on Bank of Montreal group policies;
and the use of an informal process to comply with its obligation to submit operational risk returns.
The Central Bank determined that the appropriate fine was €1,780,269, which was reduced by 30% to €1,246,189 in accordance with the settlement discount scheme provided for in the Central Bank's Administrative Sanctions Procedure ("ASP"). Previously, the Central Bank had reprimanded Bank of Montreal in 2014 for three breaches of capital adequacy regulations and fined it €650,000.
Since 2006 the Central Bank has imposed fines of more than €70m under its administrative sanctions procedure and has made 127 settlements.
You can read the full settlement agreement here.
Judy De Castro for RegSol
Enforcement: CBI Fines Bank of Montreal Ireland LtdMay 2019
On 29th April 2019, the Central Bank of Ireland announced that it had fined Bank of Montreal Ireland Ltd €1,246,189 and reprimanded it for failing to comply with a condition of its authorisation.
You can read the full Settlement Agreement here
DPC Ruling: No right to a Fada…May 2019
A man being treated for cancer complained to the Data Protection Commission that the HSE was failing to record his name correctly, as it refused to include the fadas in his name on his medical records.
After taking 8 months to investigate the complaint, the DPC has ruled that there is no 'absolute right' to have your name spelled correctly, in this case by including fadas. It emphasised that each case needs to be looked at individually and depends on the circumstances. The ruling throws up the limitation of proportionality with respect to the rights to data accuracy and rectification. The deciding factor here appears to be that the system used in the particular hospital was not capable of storing a fada.
The complainant in this case, Ciarán Ó Cofaigh, was certainly not happy with the result. He stated that "You often hear of the right to defend your good name - I don't even have a right to a name." It's a fair point, particularly given that data accuracy is enshrined in the principles of GDPR. It begs the question: if an Irish name is supposed to have a fada in it for pronunciation and linguistic purposes, can it ever be said to be accurate without it? From a data protection perspective, it appears that it can.
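The deciding factor above was a system "not capable" of holding a fada. The following is an added example, not part of the original post or of the DPC decision, showing what that incapacity looks like from a data-accuracy standpoint: it models a name field that can only hold ASCII, shows what such a field does to a name with fadas, tests whether a given storage encoding can hold the name at all, and compares a recorded name against the name the data subject supplied using Unicode normalisation, so that a fada stored in decomposed form (letter plus combining accent) is not wrongly reported as inaccurate. The name is a constructed sample string and the three encodings are assumptions about how a legacy system might store names.

```python
import unicodedata

# Constructed sample input (assumption for illustration, not taken from any record).
SAMPLE_NAME = "Ciarán Ó Cofaigh"


def strip_fadas(name: str) -> str:
    """Model an ASCII-only name field: decompose accented letters (NFD) and drop
    the combining marks, so 'á' becomes 'a' and 'Ó' becomes 'O'."""
    decomposed = unicodedata.normalize("NFD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def can_store(name: str, encoding: str) -> bool:
    """Return True if the storage encoding can represent every character in the name.
    An ASCII column cannot hold a fada; Latin-1 and UTF-8 can."""
    try:
        name.encode(encoding)
    except UnicodeEncodeError:
        return False
    return True


def store_as(name: str, encoding: str, errors: str = "strict") -> str:
    """Round-trip a name through a storage encoding and return what comes back.
    With errors='ignore' an ASCII field silently drops the accented letters
    altogether, which is worse than merely stripping the fada."""
    return name.encode(encoding, errors).decode(encoding)


def is_accurate(recorded: str, given: str) -> bool:
    """Data-accuracy check of a recorded name against the name the data subject gave.
    Both sides are canonicalised to NFC, so 'á' stored as one code point and 'á'
    stored as 'a' + combining acute compare equal; a dropped fada still fails."""
    return unicodedata.normalize("NFC", recorded) == unicodedata.normalize("NFC", given)


def accuracy_report(given: str, encodings) -> dict:
    """For each candidate storage encoding, record what the field would hold and
    whether that is accurate. Encodings that cannot hold the name are exercised
    with errors='ignore' to show the damage a lossy field does."""
    report = {}
    for enc in encodings:
        if can_store(given, enc):
            recorded = store_as(given, enc)
        else:
            recorded = store_as(given, enc, errors="ignore")
        report[enc] = {"recorded": recorded, "accurate": is_accurate(recorded, given)}
    return report


if __name__ == "__main__":
    for enc, result in accuracy_report(SAMPLE_NAME, ["ascii", "latin-1", "utf-8"]).items():
        print(f"{enc:8} -> {result['recorded']!r} accurate={result['accurate']}")
    print("fada-stripped:", strip_fadas(SAMPLE_NAME))
```

Run as a script it prints the round-trip result for each assumed encoding. The practical check is can_store against the encoding the production name field actually uses, which is the question the hospital system in the decision above could not answer in the complainant's favour; is_accurate is the test a rectification request should be measured against, and normalising to NFC first avoids flagging a correctly stored but differently encoded name as wrong.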
Our Researcher Killian Flood B.L. has delved into this a bit further and you can read his article here.
New Governor of the CBI AppointedMay 2019
On 1st May the Government signed off on the appointment of Gabriel Makhlouf, chief economic and financial adviser to the New Zealand Government, to the position of Governor of the Central Bank of Ireland.
The vacancy arises as a result of Philip Lane's imminent departure to the European Central Bank in June to take up his position as Chief Economist in Frankfurt.
Mr. Makhlouf has previously worked in the UK dealing with policy development around domestic and international tax and welfare. He was also chair of the Committee on Fiscal Affairs (the world's main tax rule-making body) at the OECD. He is a current leader of the diversity and inclusion agenda in New Zealand's public and private sectors.
Finance Minister Paschal Donohoe commented on the announcement that "I am delighted to nominate a person of Gabriel Makhlouf's international calibre for appointment as Governor of our Central Bank."
His appointment has come as a shock to many, not only because he is coming from New Zealand but because many feel there were more obvious candidates closer to home. One example highlighted was Sharon Donnery, a current Deputy Governor within the CBI with a wealth of experience. Given the CBI's significant focus on diversity and inclusion, if appointed Ms. Donnery would have been the first female head of the Bank.
Varadkar was specifically questioned on this and the general surprise around the appointment, but he asserted that the logic was simple: choose the best candidate. He said "it wasn't restricted to Ireland, it wasn't restricted to any one gender or anyone who was or was not currently working in the Central Bank so it was done really the way top jobs should be filled.
"There was an open international advertisement, people submitted their CVs, there was a shortlist. There were interviews, and the interview panel recommended one name to Government and that name was accepted by Government."
Mr. Makhlouf is expected to take up the position in
AML: Standard Chartered Settles Case with US RegulatorsMay 2019
On the 9th April 2019, it was announced that Standard Chartered had agreed to pay $1.1 billion to settle allegations by authorities in the United States and Britain that it violated money-laundering legislation and acted in breach of economic sanctions.
The Treasury and Department of Justice, as well as New York State regulators and prosecutors, said that Standard Chartered had processed hundreds of millions of dollars in transactions over a number of years from countries subject to financial sanctions. These included Myanmar, Cuba, Iran, Sudan and Syria.
The bank has also been hit with a £102m fine by the Financial Conduct Authority (FCA). The FCA found "serious and sustained shortcomings" in Standard Chartered's anti-money laundering controls.
The penalties all arise from investigations that have been ongoing since 2014.
This isn't the first case of a large penalty against a European bank caught processing illicit transactions for sanctioned countries and criminals, but rather simply adds to the list:
- In 2012, HSBC agreed to pay $1.9 billion and to submit to years of heightened scrutiny after the authorities found that the bank had helped Mexican drug cartels launder money. The operations there have become the subject of the Netflix documentary series 'Dirty Money'.
- In 2014, BNP Paribas paid a record sum of nearly $9
billion and pleaded guilty to violating American sanctions against Sudan and
- In 2017, Deutsche Bank was fined $630 million for helping Russian investors move $10 billion through branches in London, Moscow and New York.
Data Protection Requires an Empathetic ApproachApril 2019
When it comes to data protection and cybersecurity, companies are relying on ever-more sophisticated and complex mechanisms to combat data breaches. Indeed, there are many good reasons for buying the latest and greatest data protection systems. This article looks at why it is important not to forget the human element.
GDPR grants data subjects a right to compensation if their data has been mishandled, and exposes companies to fines from supervisory authorities, so it is natural for companies to seek the maximum level of protection available. Many if not most companies operate in a data-heavy environment, meaning that such fines and claims could be very significant from both a financial and a reputational perspective. Moreover, companies may be exposed to data breaches but lack the internal capacity to understand and mitigate the problem. As a result, companies turn to the most expensive and up-to-date cybersecurity systems in order to compensate for any internal failings within the data protection structure.
However, there is a growing concern in the cybersecurity industry that the data protection solutions on offer to end-users are misdirected. The former chief security officer for Facebook, Alex Stamos, courted controversy in 2017 by stating that “we have a real inability to put ourselves in the shoes of the people we are trying to protect,” and that security professionals need to "have empathy for the people that use the technologies we build.” Isaac Kohen, CTO for Teramind, emphasises that data protection is a user-centric industry and therefore, unsurprisingly, requires a user-centric approach to creating technologies.
Security professionals will generally acknowledge that "users are the weakest link" in the chain of data protection, but why is this? Arguably, it is because users often have to work with systems which they do not fully understand or which are not designed specifically for the problems that they face regularly. The people dealing with data protection threats on a daily basis are the employees of a company. Frontline employees are bombarded with phishing attacks and software update prompts, and the fraudulent ones are becoming harder to distinguish from the genuine as time goes on. It is therefore critical that any technological solution to cybersecurity is easily understood and managed by these employees in the trenches.
Stamos’ point is that security professionals must take an empathetic approach to these employees to understand the challenges which they face in order to design technological solutions which meet the daily needs of these employees. There are clear merits to taking an empathetic approach to data protection solutions. As service providers, it is essential that customers feel that their needs are being looked after and that they are getting value for the often-times expensive technical and structural solutions for which they are paying. This equally applies to companies like RegSol as it does technology companies. The increasing outsourcing of data protection management and the advent of professional Data Protection Officers could potentially lead to the same lack of empathy among professionals in the data protection industry. Professional DPOs will have their time and resources stretched as they take on more work and this will inevitably lead to boiler-plate solutions being offered to their customers.
From our perspective, open communication is vital to understanding the individual concerns and needs of each customer in order to pinpoint the specific action plans which are required to prevent data breaches. Often, customers will employ a data protection consultant because they know very little about their GDPR commitments and preventing data breaches. As a result, it is possible for customers to blindly follow the advice given to them by consultants. However, at RegSol we realise that our clients know far more about their own business than anyone else. As such, we always engage in a collaborative effort in order to appreciate the problems that our clients face and create the best possible data protection system.
This collaborative process is very important in the context of training employees. Different companies will process different types and volumes of data and there can be no “one size fits all” approach for every company. Similarly, the training that management-level employees require will be different to the training that junior employees require because of the natural differences in those positions.
While it may not be immediately obvious to associate empathy with data protection, it is becoming increasingly clear that the only way to provide effective consulting and training services to clients is to adopt an empathetic approach to each businesses’ unique needs. Rather than just simply provide a straightforward policy document and an annual Powerpoint presentation to employees, effective data protection solutions include short, concise messages, interactive challenges and real-time coaching in the event of a mistake.
No data protection solution will ever guarantee that data breaches will not occur, just as no physical security system will guarantee that a premises will not be burgled. However, by undertaking an empathetic approach to employee engagement with data protection, companies can ensure that their employees are well-placed to detect and prevent data breaches. As importantly, we strive to ensure that the biggest risk still facing many firms, 'Human Error', is reduced.
K. Flood for RegSol Ireland
Podcast: At Home with BreffnieApril 2019
Our lead regulatory consultant, AnneMarie Whelan, was invited to discuss all things Anti-Money Laundering and compliance with Buyers' Agent Breffnie O'Kelly on her regular podcast.
Estate Agents, like all other designated persons, must comply with the whole range of obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended.
You can listen back here.
Diversity and Inclusion: CBI's recent Hot TopicApril 2019
The past number of months have seen a multitude of events and publications through which the Central Bank of Ireland has endeavoured to highlight its approach to diversity and inclusion in the financial services sector. These include the following speeches:
The Central Bank also publishes two reports in this area:
Report on demographics of applicants via the Fitness & Probity regime
Behaviour and Culture in Irish Retail Banks report
What is the main message coming from these events and publications?
On the report on demographics of applicants it was noted “Small improvements in the levels of diversity of senior appointments is welcomed, but much more progress is needed across the financial system”. Somewhat unsurprising given the statistics show:
'approximately four out of five applications for board positions were for men, marginally down on 2017 (82%); and this remained even more imbalanced for the most important Chair of the Board and Chief Executive positions, 84% of which were for men; and
the analysis continues to show a pronounced gender imbalance at board level and in revenue generating roles.'
A lack of gender diversity at senior levels in regulated firms is noted to be a cause for concern in the culture, risk management and decision-making of firms.
Increasing the 'diversity of experience, thought, background and attributes at senior levels' is expressed as being required to:
· 'reduce the likelihood of groupthink;
· reduce overconfidence and improve decision-making;
· enhance culture and improve risk management; and
· increase the level of internal challenge in financial services firms and reduce excessive resistance to external challenge.'
Derville Rowland in her address specifically references studies which have shown greater female representation on boards reduces risk of fraud and balanced teams performed better than single-gender dominated teams.
The Central Bank’s own record is clear in this regard - women make up 50% of the total workforce, 1/3 of the board, nearly 40% of the executive committee and over 40% of the leadership team. Voluntary publication of a Gender Pay Gap Report also highlights a 2.7% difference in favour of men at 1 January 2018, which is far below national and European averages while still acknowledging there's a way to go. (It is interesting to note that the Data Protection Commission also boasts a 50% split between men and women at senior management level.)
What does this mean for regulated entities or applicants for CBI authorisation?
There is a clear expectation that we continue to see greater representation of groups currently under-represented in the financial services sector and particularly more women in senior positions.
The Central Bank is certainly looking more closely at the balance of boards in applicant firms, and on occasion we have seen explicit requests to consider an additional or alternative candidate for high-level roles to improve the balance, particularly from a gender standpoint. As regards existing firms other than banks, it's not clear how the Central Bank will seek to improve sector-wide imbalances. It is, however, highly recommended that where positions come up for renewal, particularly at Director level, a full assessment be undertaken of the level of diversity on the board; while gender is a significant factor in the context of the current statistics, many other factors should feed into this process as well, including skillsets, education and experience.