RegSol Blog


Climate Change Risk highlighted in CBI Insurance Newsletter September 2022
September 2022

On 20th September 2022, the Central Bank of Ireland (“CBI”) published its regular Insurance Newsletter for September 2022.

While the Newsletter is directed at (re)insurers, it includes the CBI’s observations in relation to climate change risk (following a thematic review of a sample of (re)insurers’ Own Risk and Solvency Assessments (“ORSAs”)), and the Central Bank has helpfully included a collated list of all CBI publications on Climate Risk to date.

The relevant article also sets out guidance on how any regulated entity can implement climate change risk considerations into business strategies.

The CBI’s three main observations were:
  1. Take a holistic approach to climate change risk to better understand risks to the business, secondary impacts, materiality and areas of further focus;

  2. Consider impacts of climate change to the business model beyond the short term; and

  3. Link climate change risk assessments to strategy, in order to manage or mitigate risks rather than simply monitoring them.

In the ORSAs reviewed, the CBI observed some examples where climate change risk had been integrated into a (re)insurer’s business planning and strategic thinking, and identified examples of good practices, including:
  • Embedding the consideration of climate change risk into risk management processes, e.g. updating risk management policies based on conclusions of assessments carried out;

  • Developing a sustainability strategy to define the (re)insurer’s objectives in respect of climate change; and

  • Identifying potential opportunities that arise and ways to develop business models in the future as a result of climate change. The CBI expects (re)insurers to integrate findings and conclusions from risk and scenario analysis into their future strategy to ensure a sustainable business model, e.g. by updating their risk appetite, setting key performance indicators in respect of climate change risk, etc.

To read the Newsletter in full, please go to the following link:

Insurance Newsletter - September 2022 (centralbank.ie)

New Financial Services and Pensions Ombudsman Appointed
September 2022

The appointment of Liam Sloyan as the Financial Services and Pensions Ombudsman (FSPO) for a five-year term has been announced; the appointment is effective from 1st December 2022.

The FSPO’s objective is to act as an independent, impartial, fair and free service that helps resolve complaints from consumers, including small businesses and other organisations, against financial service providers and pension providers.

Mr. Sloyan previously led a number of public bodies such as the Health Insurance Authority and the National Treatment Purchase Fund, and served as Regulator of the National Lottery.

Mr. Sloyan’s appointment follows the appointment of former FSPO, Ger Deering, as the Ombudsman and Information Commissioner in February 2022.

Mr. Deering was appointed as Financial Services Ombudsman in April 2015 and subsequently, as Pensions Ombudsman in May 2016. He led the establishment of the Office of the FSPO in January 2018, following the amalgamation of the Financial Services Ombudsman Bureau and the Office of the Pensions Ombudsman.

To read the announcement in full, please go to the following link:

Minister Donohoe appoints Financial Services and Pensions Ombudsman (www.gov.ie)

Instagram Fined record €405 million for Breach of Children's Data Rights
September 2022

On 2nd September 2022, Instagram (owned by Meta, formerly known as Facebook) was fined €405 million by the Data Protection Commission (“DPC”) for breaches of the GDPR after a two-year investigation into how the social media platform handles children’s data.

It is the largest fine ever imposed by the DPC and once it has been paid, the money will go to the Irish exchequer. It is also the third fine for a Meta-owned company handed down by the DPC.

The fine, which is the second largest GDPR penalty to ever be handed down (Luxembourg’s data protection authority (CNPD) fined Amazon a record €746 million for non-compliance in July), covers alleged violations stemming from Instagram's default account settings for children aged 13-17.

Recital 38 of the GDPR highlights that where children’s data is used to create user profiles, specific protections should apply since children may be less aware of the risk, consequences and safeguards and their rights in relation to the processing of data.

The breaches concerning Instagram related to:

  1. Teenage users aged 13-17 being allowed to operate ‘business accounts’ on Instagram, which resulted in the publication of their phone numbers and email addresses.

  2. All accounts, including the accounts of teenage users, were set to public by default, unless the user affirmatively changed the privacy settings.

The investigation into the allegations began in October 2020 and the preliminary decision by the DPC was subject to a dispute resolution procedure under Article 65 of the GDPR. After the DPC submitted a draft decision for consideration by its peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), in December 2021, six of them raised objections. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB rejected some of the concerns, but upheld objections requiring the DPC to amend its draft decision to include an additional finding of infringement. The DPC's original draft decision had recommended a fine of up to €405m. The final penalty of €405m included a fine of €20m for an additional infringement that the DPC was asked to include.

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

Instagram has indicated it intends to appeal the decision.

For further details on the DPC’s decision, you can click on the following link:

Data Protection Commission announces decision in Instagram Inquiry

Central Bank of Ireland Enforcement Action – Danske Bank reprimanded and fined €1.82m for AML/CFT transaction monitoring failures
September 2022

On 13th September 2022, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined Danske Bank A/S, trading in Ireland as Danske Bank, €1,820,000 pursuant to its Administrative Sanctions Procedure for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended (the “CJA 2010”).

This is the first penalty that the Central Bank has imposed on a financial institution which is incorporated and authorised outside of Ireland, but which operates here as a branch on a passport basis.


Breaches

The three breaches arise from the failure by Danske Bank to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch, a failure which occurred over a period of almost nine years, between 2010 and 2019.

The three breaches comprised failures by Danske Bank under the CJA 2010 relating to:

  • Transaction Monitoring: Danske Bank failed to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customer for money laundering and terrorist financing risk at its Irish branch for a period of almost nine years.
  • Enhanced Customer Due Diligence: In failing to conduct automated transaction monitoring in respect of certain categories of customers, Danske Bank’s Irish branch did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures might be required.
  • Anti-money laundering / Countering the Financing of Terrorism policies, procedures and controls: The policies, procedures and controls put in place by Danske Bank did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction monitoring.

Background

The failure arose from historic data filters that were applied within Danske Bank’s automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske Bank was found to have failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA 2010 when it came into force in Ireland in 2010. This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske Bank as high and medium risk.

Danske Bank became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue.

It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, but the Central Bank said it was not informed of the issue until February 2019. As a result, the failures to rectify the issue and to notify the Central Bank promptly were considered aggravating factors in the case.


Central Bank on Transaction Monitoring

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious.”

In 2020, the Central Bank had highlighted in its AML Bulletin on Transaction Monitoring the importance of monitoring customer transactions to detect potentially suspicious activity. The Bulletin noted that the CJA 2010 specifies that a designated person must monitor customer transactions in order to identify transactions that may be suspicious in nature, and that the intensity of the monitoring should increase with the complexity and scale of those transactions so that the risk of ML/TF is also factored into the transaction monitoring process.

Therefore, while firms may rely on automated solutions for transaction monitoring, the Danske Bank case reiterates the requirement for firms to ensure they have in place controls, policies and procedures that are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their ML and TF risk exposure.

Do you have any questions on Transaction Monitoring? Reach out to us at info@regsol.ie for information on our training courses and consultancy services.

To read the Central Bank Enforcement Action Notice in its entirety you can click on the following link:

Public statement relating to Enforcement Action against Danske Bank A/S (centralbank.ie)

DPC Guidance on Data Transfers to 3rd Countries
August 2022

The Data Protection Commissioner (‘DPC’) reminds entities that the transfer of personal data from the EU to controllers and processors located outside the EU in third countries (i.e. any country outside the European Economic Area (‘EEA’)), while necessary for international trade and international co-operation, should not undermine the level of protection of the individuals concerned.

Such transfers to third countries or international organisations should be done in full compliance with Chapter 5 (Articles 44 – 50) of the General Data Protection Regulation (the ‘GDPR’).


Article 45 – Transfers on the basis of an adequacy decision

The DPC notes that the first thing to consider when transferring personal data to a third country is if there is an “adequacy decision” – this is where the European Commission has decided that a third country or an international organisation has an adequate level of data protection taking into account factors such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection.

The effect of such an adequacy decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary, effectively meaning the transfer is the same as if it was carried out within the EU.


Article 46 – Transfers subject to appropriate safeguards

Where there is no adequacy decision, the DPC highlights that the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

  1. Standard data protection clauses – these are model data protection clauses that have been approved by the European Commission and contain contractual obligations on the Data Exporter and the Data Importer and rights for the individuals whose personal data is transferred.

  2. Binding corporate rules (‘BCR’) – these rules form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's EEA entities to the group’s non-EEA entities. There are two types of such rules which can be approved - BCR for Controllers which are used by the group entity to transfer data that they have responsibility for such as employee or supplier data; and BCR for Processors which are used by entities acting as processors for other controllers and are normally added as an addendum to a Service Level Agreement contract.

  3. Approved Codes of Conduct - The use of Codes of Conduct as a transfer tool, under specific circumstances, has been introduced by the GDPR in Article 40(3). While voluntary, they set out specific data protection rules for categories of controllers and processors providing a detailed description of what is the most appropriate, legal and ethical behaviour within a sector.

  4. Approved certification mechanisms - Under Article 42(2) of the GDPR, certification mechanisms, whereby an independent body provides a written assurance (a certificate) that the product, service or system in question meets specific requirements, may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries, which are binding and safeguard data subject rights.

For further information on the Guidance, please see the link below:

Transfers of Personal Data to Third Countries or International Organisations | Data Protection Commissioner

Central Bank (Individual Accountability Framework) Bill 2022
August 2022

The Central Bank (Individual Accountability Framework) Bill 2022 (‘the Bill’) was published on 28th July 2022. Its principal purpose is to confer powers on the Central Bank of Ireland (the ‘CBI’) and provide greater detail on the four pillars of the individual accountability framework (‘IAF’), namely the Senior Executive Accountability Regime; the Conduct Standards; the Fitness and Probity Regime; and the Administrative Sanctions Procedure.

As noted by Gerry Cross, Director of Financial Regulation, on 21st February 2022 in an address to the Compliance Institute: “The Framework is fundamentally about underpinning good conduct and high quality governance and culture within firms. It is about being clear who is responsible for what and ensuring that reasonable steps are taken to fulfil those responsibilities. It is aligned with what will already be sound practices at well-governed and organised firms. The framework is, and our approach to implementation of it will be, firmly founded in proportionality and what is reasonable.”

SEAR

Under the Senior Executive Accountability Regime (‘SEAR’) regulated financial service providers (‘firms’) will be required to set out clearly where the responsibility and decision-making of the firm lies.

The Bill proposes to extend the regulation-making power of the CBI to give effect to SEAR. This will enable the CBI to make regulations in relation to inherent responsibilities and prescribed responsibilities, which relate to pre-approval controlled function (‘PCF’) holders.

This includes a new legal “duty of responsibility” on PCF holders who fall within the scope of SEAR to take “any steps that it is reasonable in the circumstances for the person to take” to ensure the firm does not breach its obligations under financial services legislation. When considering if the relevant individual has discharged their “duty of responsibility”, the CBI will consider all relevant circumstances, examples of which are set out in the Bill and include the function of the person and the level of knowledge and experience that a person with such function could reasonably be expected to have. If a contravention of the duty occurs, the individual may be held directly accountable for the breach and be subject to the CBI’s Administrative Sanctions Procedure.

Initially, SEAR is expected to extend only to credit institutions, insurance undertakings (except reinsurance, captive (re)insurance and insurance special purpose vehicles), certain investment firms and any third country branches of those companies.


Conduct Standards

The Bill provides for the introduction of three types of conduct standards for firms and their staff as follows:

• Business Standards (for firms);

• Common Conduct Standards (for individuals); and

• Additional Conduct Standards (for individuals in the most senior roles).


1. Business standards for firms

The Bill (Section 5) provides for a new regulation-making power for the CBI to prescribe business standards with which firms will be obliged to comply to ensure they act in the best interests of customers and of the integrity of the market; act honestly, fairly and professionally; and act with due skill, care and diligence. The business standards will apply to all firms and a breach will be considered a prescribed contravention for purposes of enabling the CBI to take enforcement action.


2. Common conduct standards for individuals

The Bill (Section 6) provides for the following individual conduct standards:
  1. Common Conduct Standards: these standards will apply to all persons performing controlled functions (i.e. CF or PCF roles).

  2. Additional Conduct Standards: these standards will apply to more senior persons performing PCF roles or who exercise a significant influence on the conduct of the firm’s affairs, for example, chief executives, executive or non-executive directors, heads of functions. Such persons will need to comply with both the Common Conduct Standards and the Additional Conduct Standards, regardless of whether their role is within the scope of SEAR.

Firms must ensure that they notify any relevant persons of the conduct standards that will be expected of them and that they provide training on these standards. The Bill also provides that the CBI will provide guidelines relating to the notification and training obligations of firms.


Certificate of Compliance with Standards of Fitness and Probity

Part 3 of the Bill strengthens the existing obligations on firms in relation to the fitness and probity of their key personnel. The Bill provides that firms will only allow an individual to perform a CF role if a certificate of compliance with standards of fitness and probity is in force in relation to the person. A certificate can be given only if the firm “is satisfied on reasonable grounds” that the person concerned complies with any standard of fitness and probity in a code issued under Section 50 of the Central Bank Reform Act 2010 and the person has agreed in writing to comply with any such standard.

The CBI will have the power to make regulations in relation to the form and content of these certificates, the validity period of a certificate and the firm’s procedures in relation to the giving or revoking of a certificate.


Administrative Sanctions Procedure (‘ASP’)

The Bill also makes a number of amendments to the Central Bank Act 1942 which underpins the ASP:

  1. High Court oversight for the ‘settlement process’ under section 33AR of the 1942 Act (where the firm or individual acknowledges the commission of the prescribed contravention). Therefore, any sanction imposed by the CBI will only have effect if confirmed by the High Court.

  2. The High Court will confirm the decision unless it is satisfied that the CBI “made an error of law” in its decision or that a sanction is manifestly disproportionate.

  3. The Bill provides a list of relevant considerations that the CBI must take into account when determining whether to impose a sanction, what sanction to impose and the level of any monetary penalty to impose including the person’s seniority and level of responsibility in the firm and whether the person’s conduct was intentional, negligent or dishonest.

  4. The Bill replaces the concept of a ‘person concerned in the management of an RFSP’ with the concept of a ‘person performing a controlled function’ with a view to facilitating individual accountability of the relevant individual.

Next steps

The Bill is yet to be enacted and once the legislative process is completed, the CBI will prepare relevant guidelines and regulations to be issued under the Bill. Relevant firms and senior executives should note that the framework will require significant training and appropriate processes to be in place.

RegSol will keep our clients updated on progress of the Bill and any draft guidelines and regulations once published. If you require assistance in planning for SEAR and IAF or assessing your current framework, contact us at info@regsol.ie.

New EBA Guidelines on ML/TF risk factors
August 2022

The European Banking Authority (‘EBA’) published revised Guidelines (updated on 8th August 2022) on customer due diligence (‘CDD’) and the factors to be considered when assessing the risk of money laundering (‘ML’) and terrorist financing (‘TF’) under the 4th and 5th Money Laundering Directives (repealing and replacing the 2017 guidelines).

The Guidelines set out the factors to be taken into account by credit and financial institutions when assessing the ML/TF risks associated with their activities and business relationships or with an occasional transaction with a natural or legal person.

The Guidelines also feature guidance on:

  • how financial institutions can adjust their CDD measures to mitigate the ML/TF risk they have identified so as to make them more appropriate and proportionate;
  • the identification of beneficial owners;
  • the use of innovative solutions to identify and verify customers’ identities;
  • how financial institutions should comply with enhanced CDD (‘EDD’) requirements relating to high-risk third countries;
  • new sectoral guidelines for crowdfunding platforms, corporate finance advisory firms, account information service providers, payment initiation services providers, and firms providing currency exchange services; and
  • more details on TF risk factors.

The guidance highlights that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, financial institutions should take steps to effectively manage the ML/TF risks associated with individual business relationships.

To read the EBA Guidelines in their entirety, please see the following link:

Final Report on Guidelines on revised ML TF Risk Factors.pdf (europa.eu)

Protected Disclosures (Amendment) Act 2022
August 2022

On 21st July 2022, the Protected Disclosures (Amendment) Act 2022 (‘Amendment Act’) was signed into law. It has yet to be commenced or ‘take effect’.

The Act updates the Irish Protected Disclosures Act 2014 (‘2014 Act’) and transposes the EU Whistleblowing Directive into Irish law.

Once commenced, the Amendment Act will:
  • Require all organisations with 50 or more employees to have internal channels and procedures for their employees to make protected disclosures. (This changes the current position where only public sector employers are obliged to have such procedures in place.) Initially, the requirement will only apply to private sector employers with 250 or more employees. However, from 17 December 2023, this obligation will be imposed on all private sector employers with 50 or more employees.
  • Extend the scope of the protected disclosures regime. As it stands, under the 2014 Act, employees, former employees, trainers, independent contractors and agency workers are protected. The Amendment Act extends the regime to cover volunteers, unpaid trainees, board members, shareholders, members of administrative, management or supervisory bodies and job applicants (where information on a relevant wrongdoing is acquired during the recruitment process or during pre-contractual negotiations).
  • Require that the channels and procedures provide for acknowledgement of reports by a designated impartial person within 7 days, diligent follow-up of the reports received, the provision of feedback to the reporting person within 3 months and communication of the final outcome of any investigations triggered by the report.
  • Reverse the burden of proof for penalisation cases. This means the employer will need to prove that any alleged penalisation was not a direct result of the employee making a protected disclosure.
  • Establish a new Office of the Protected Disclosures Commissioner in the Office of the Ombudsman to support the operation of the new legislation.

Establishing Internal Reporting Channels

Internal reporting channels and procedures may be operated internally by a person or department designated for that purpose or provided externally by an authorised third party.

The channels must be operated in a secure manner that ensures the confidentiality of the reporting person’s identity and any third party mentioned in their report.

Employees must be able to make their report in writing or orally or both.

Organisations that employ fewer than 250 employees may share resources for receiving and investigating reports, which will allow group companies to avoid having to put in place multiple internal reporting channels.


Acknowledgement, Feedback and Follow Up

Strict deadlines for acknowledging receipt, following up and providing feedback are required to be put in place by way of the internal reporting channels and procedures:

  1. Receipt of a protected disclosure must be acknowledged in writing within seven days.

  2. An impartial person must be designated who is competent to follow up on reports, will maintain communication with the reporting person and, where necessary, will request further information from, and provide feedback to, that reporting person.

  3. The designated person must diligently follow up on the report within three months including carrying out an initial assessment of the accuracy of the allegations made and, where relevant, address the breach reported, including, by way of internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure.

  4. Feedback must be provided within three months, or six months in duly justified cases, informing the reporting person of the action envisaged or taken as follow-up and the grounds for such follow-up.

  5. Clear and easily accessible information must be provided regarding: the procedures for making a protected disclosure, the conditions under which such reports may be accepted and follow-up undertaken, and the procedures for making a protected disclosure to the Office of the Protected Disclosures Commissioner.

New office of the Protected Disclosures Commissioner

A new Office of the Protected Disclosures Commissioner (‘the Commissioner’) will be established within the Office of the Ombudsman to support the operation of the new legislation. The Commissioner will direct protected disclosures to the most appropriate body when it is unclear which body is responsible and where this body cannot be identified, the Commissioner will be obliged to accept and investigate the protected disclosure itself.

The Commissioner will have extensive powers to carry out their duties. They will have the power to require the production of information and/or records, books, documents or other things and to require the attendance of any person for this purpose.


Enhancement of protections for workers

The Amendment Act further enhances the protections for workers who suffer penalisation as a result of making a protected disclosure by reversing the burden of proof in civil proceedings, expanding the provision of interim relief to include forms of penalisation other than dismissal, and providing for criminal penalties for penalisation.

The definition of penalisation is significantly expanded by the EU Whistleblowing Directive to include withholding of training, a negative performance assessment or employment reference, harm, including to the person’s reputation, blacklisting, and psychiatric or medical referrals.

The Amendment Act proposes to reverse the burden of proof for proceedings concerning allegations of penalisation for having made a protected disclosure. It also enables workers to seek interim relief from the Circuit Court for penalisation other than dismissal. The Bill provides for a maximum award of compensation in the sum of €15,000 from the Workplace Relations Commission for individuals who are not in receipt of remuneration from the employer with whom they are in a work-based relationship.


New offences

The Amendment Act makes it a criminal offence to:
 
  • hinder or attempt to hinder a worker in making a report;
  • penalise or threaten penalisation or cause or permit any other person to penalise or threaten penalisation;
  • bring vexatious proceedings;
  • breach the duty of confidentiality in section 16 regarding the identity of reporting persons;
  • make a report containing any information that the reporting person knows to be false; or
  • fail to establish, maintain and operate internal reporting channels and procedures.

Penalties

The Amendment Act also provides for very substantial fines (ranging between €75,000 and €250,000 for convictions on indictment) and the possibility of a term of imprisonment not exceeding two years for employers who are found to have committed a criminal offence under the Amendment Act.


Key Takeaways

Although organisations with 50 – 249 employees have until 17th December 2023 to comply with the new legislation, consideration might be given now to putting in place, or reviewing and enhancing, whistleblowing policies in anticipation of the introduction of the new enhanced regime.

Organisations will also be required to designate the appropriate staff to receive protected disclosures in a secure and confidential manner and provide them with training particularly in relation to the new timelines for acknowledging and following up protected disclosures.

To see learn more on how RegSol can assist your firm in implementing the new Amendment Act, please contact us at info@regsol.ie
Roles & Responsibilities of the AML Compliance Officer – EBA Guidance
July 2022

On 14th June 2022 the EBA published guidance on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer.

Frequently we have seen references to a European wide approach to AML/CFT (Anti Money Laundering / Countering the Financing of Terrorism). The aim of these guidelines is to “….create a common understanding, by competent authorities and credit or financial institutions, of credit or financial institutions’ AML/CFT governance arrangements. A common understanding, which is applied consistently and enforced as necessary, is key to strengthening the EU’s AML/CFT defences.”

The guidelines come into effect from 1st December 2022.

They are very comprehensive, running to 54 pages and they examine in detail the following:
 
  • The role of the management body in its supervisory function and management function in the AML/CFT framework.
  • Identification of the member of the management body responsible for AML/CFT.
  • Identification of a senior manager responsible for AML/CFT where no management body is in place.
  • Tasks and role of the member of the management body or senior manager responsible for AML/CFT.

Section 4.2 looks at the role and responsibilities of the AML/CFT compliance officer from their appointment, the skills and experience they should have in addition to the tasks they must complete and includes reference to outsourcing.

Section 5 has a list of additional documents, a summary of the Views of the Banking Stakeholder Group (‘BSG’) and Feedback on the public consultation and on the opinion of the BSG.

While reference is made to credit and financial institutions in the document, it provides useful information and guidance. As many of our readers will be aware, there is a positive obligation on Designated Persons to have a business wide risk assessment in place which covers all the AML/CFT and financial sanctions which their business may be exposed to. Included in the requirement is a specific reference to publications from the ESAs – European Supervisory Authorities. The EBA (European Banking Authority) is one of these.

While we have provided an overview above, the link to the full document is here:

Guidelines on AMLCFT compliance officers.pdf (europa.eu)

If you require assistance in assessing your AML resourcing or in updating your Business Wide Risk Assessment and/or your AML Policies & Procedures, you can contact us at info@regsol.ie
Intermediary Times June 2022 Issued by the Central Bank
July 2022

The 'Intermediary Times', the Central Bank’s newsletter published twice a year, includes regulatory issues that retail intermediary firms need to be aware of in improving their standards of compliance.

In this latest edition the Central Bank of Ireland covers many items including:

  • Amendments to the list of Pre-Approval Controlled Functions; (also see RegSol’s article here)
  • A new Legal Entity Identifier requirement for some types of retail intermediaries; (see RegSol’s article here)
  • New features of the Central Bank Portal;
  • Updates relating to the Sustainable Finance Disclosure Regulations (SFDR);
  • An overview of the Consumer Protection Outlook Report 2022; (see RegSol’s article here)
  • Implications for Insurance Intermediaries of the new insurance regulations relating to Differential Pricing; (see RegSol’s article here)
  • Learnings relating to Authorisations and the Fitness and Probity (F&P) Assessment; and
  • Recent Central Bank publications relevant for retail intermediaries:
    • Use of Exempt Ancillary Insurance Intermediaries in the Insurance Sector; and
    • Structured Retail Products. (see RegSol’s article here)

One particular area highlighted by the Central Bank in the newsletter which will be of interest to our intermediary clients is as follows:

Amendments to the list of Pre-Approval Controlled Functions (PCFs)

Firms are reminded that, for persons performing PCF2B, PCF16 and/or PCF52 before 5th April 2022, an ‘In Situ’ process is available to notify the Central Bank via the PCF In-Situ Return - the Online Reporting System (ONR) whereby an Individual Questionnaire (IQ) is not required - by 30th June 2022.

Persons proposed for these roles after 5th April 2022 must submit PCF applications via the normal process (i.e. submission of an IQ). Those individuals are now subject to the F&P Standards.

For any assistance in applying to the Central Bank for an authorisation, please feel free to contact us at info@regsol.ie

To read the CBI publication in full, please see the link below:

Intermediary Times June 2022 (centralbank.ie)
Q&A - Price Walking & Differential Pricing Regulations Commencing 1st July 2022
July 2022

Further to our article in May’s edition of the RegSol newsletter (HERE) on the new Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022 (the Regulations), which came into effect on 1st July 2022, the Central Bank has published the Insurance Regulations Q&A, which our intermediary clients might find useful to further explain the implications for their business.

As our readers will note, the Regulations, applicable to insurance undertakings and insurance intermediaries, were introduced to benefit consumers and enhance the consumer protection framework. The new requirements impact three key areas:
  1. Pricing: A ban of price walking in home and motor insurance markets - from 1st July 2022, insurance providers cannot charge consumers who are on their second or subsequent renewals a premium that is higher than they would have charged a year one consumer renewing their policy.
  2. Annual Review of pricing practices and policies: Insurance providers are required to review pricing practices and policies for all customers.
  3. Disclosure of additional information to policyholders in relation to automatic renewal arrangements: Insurance providers must notify the customer that the policy will automatically renew if the consumer does not cancel the automatic renewal before a specified date.
The link to the Insurance Q&As can be found here:

Insurance Regulations 2022 - Q+A updated May 2022 (centralbank.ie)
Establishment of the Corporate Enforcement Authority
July 2022

The Corporate Enforcement Authority ("CEA") has been established with effect from 7th July 2022, following the commencement of the Companies (Corporate Enforcement Authority) Act 2021 (the “2021 Act”) on 6th July 2022. 

The CEA will replace the Office of the Director of Corporate Enforcement (“ODCE”) and assumes the ODCE’s powers and functions in investigating and prosecuting suspected breaches of company law, with some changes to reflect the new structure of the body.


The CEA

The CEA’s new functions include encouraging compliance with the Companies Act 2014, investigating suspected offences and non-compliance under the Companies Act, prosecution of summary offences, referring indictable offences to the DPP, as well as being the competent authority to impose sanctions on company directors under the Companies (Statutory Audits) Act 2018.

The key difference between the CEA and the ODCE is the CEA’s establishment as an independent body, as opposed to an office in the Department of Enterprise, Trade and Employment, which will ensure that the CEA has greater autonomy than the ODCE. The CEA will have autonomy to recruit its own staff with necessary specialist expertise (for example, in the areas of financial forensics and data analytics) which will enable the CEA to better investigate complex enforcement cases. 

The 2021 Act also provides that members of An Garda Síochána may be seconded to the CEA. It is also expected that the CEA will be granted additional powers in the future, including the power to conduct surveillance, to obtain search warrants, to compel the provision of passwords for electronic devices and to permit CEA officials to attend suspect interviews.

The 2021 Act also provides for a number of state bodies - An Garda Síochána, the Competition and Consumer Protection Committee, the Registrar of Companies and the Revenue Commissioners - being required to disclose certain information to the CEA relating to the commission of an offence under the Companies Act 2014. Members of the public are also actively encouraged by the CEA to submit complaints and concerns to it where there is an indication of non-compliance with company law.


Conclusion

The establishment of the CEA is an important step in the deterrence of white-collar crime in Ireland and in the promotion of Ireland as a safe haven to carry out business. With the CEA’s increased staffing and resourcing it is likely that increases in the investigation and enforcement of company law breaches will be seen in the near future.
Compliance Institute of Ireland Survey Results on Third Party Cookie Ban
July 2022

Google has announced it proposes to stop the use of third-party cookies in Chrome by the end of 2023, joining a growing list of browsers ditching the notorious tracking technology.

However, a recent survey from Compliance Institute of 144 compliance professionals within Irish organisations throughout the country has found that, although the oncoming changes from Google around the use of third-party cookie data will have implications for almost 9 in 10 businesses, there’s a widespread lack of awareness, with 74% of respondents saying there’s little to no awareness of the issue within their organisation. (See Compliance Institute press release HERE).


What is a cookie?

A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. It may allow a website to “remember” your actions or preferences over a period of time, or it may contain data related to the function or delivery of the site.


First party and third-party cookies

A cookie set by a website, i.e., the host domain, is a first-party cookie. A third-party cookie is one set by a domain other than the one the user is visiting, i.e., a domain other than the one they can see in their address bar. They are mostly used to track users between websites and display more relevant ads between websites. They also allow website owners to provide certain services, such as live chats.

First-party cookies will still function by default in browsers that block third-party cookies (including Google Chrome), and they will continue to require consent in most cases, unless the purpose of a cookie is ‘strictly necessary’ to the basic operation of a website.


Consent, consent, consent

As mentioned, the end of third-party cookies does not mean the end of consent.

On the contrary, a firm’s website will still need to ask for and obtain the explicit consent of users before any data is allowed to be stored on a user’s browser, regardless of what technology is used. The website will still be required to inform its users about whatever technology the firm uses to collect personal data, including its provider, purpose and duration, to safely document the consents obtained, and to renew them at least annually.

The Data Protection Commission guidance on Cookies and Other Tracking Technologies (here) confirms that “Consent for the setting of cookies must be of the standard defined in the General Data Protection Regulation Article 4(11), which says the ‘consent’ of the data subject means any ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’”.


Is your firm prepared?

There have been mixed reactions to the proposed Google ban. While it has been welcomed by some commentators believing it is for the greater good of individuals and their privacy, others believe the new arrangements will further increase Google’s dominance in the online marketing area and will cause disruption in the advertising business.

Irrespective of how you view the changes, the Compliance Institute survey highlights that only 12% of Irish firms are “very prepared” for the proposed third-party cookie ban on Chrome. It is therefore vital to be aware of how exactly your firm uses cookies and to be compliant with the Data Protection Commission requirements regarding cookies.

Should your firm require a Data Privacy Check-up or review of outward facing data protection policies, make sure to contact us at info@regsol.ie
Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks
July 2022

On 11th July 2022, the Central Bank issued a bulletin to VASPs outlining its regulatory expectations and highlighting recurring weaknesses it has observed in VASP registration applications to date and their Anti-Money Laundering and Countering the Financing of Terrorism (‘AML/CFT’) Frameworks.

In the vast majority of applications, the Central Bank noted a lack of understanding and compliance with key AML/CFT obligations, in addition to significant control weaknesses, thereby increasing the risk of criminals using their products or services to launder money or finance terrorism.


What are VASPs?

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (‘CJA 2010’) was amended by The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (‘CJA 2021’) to transpose elements of the Fifth Anti-Money Laundering Directive into Irish law.

Under the CJA 2021, a VASP is defined as a person who, by way of business, carries out one or more of the following activities for, or on behalf of, another person:
  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets, that is to say, conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
  • custodian wallet provider;
  • participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset or both.
A virtual asset is defined by the CJA 2021 as a "digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets". Some of the most commonly known virtual assets such as Bitcoin, Ethereum and NFTs (non-fungible tokens) fall within this definition.


Central Bank Requirements

Since 23rd April 2021, a person, or business, providing any of the services outlined above is considered a VASP and is therefore a “designated person” under the CJA 2010. As such, they are required to comply with the AML/CFT obligations contained under Part 4 of the CJA 2010 as amended.

VASPs are also subject to the following requirements:

1. Registration with the Central Bank for AML/CFT Purposes

All VASPs established in Ireland are required to register with the Central Bank for AML/CFT purposes only.

In order for the Central Bank to approve a VASP's application for AML/CFT registration, the Central Bank must be satisfied that:
  • the VASP’s AML/CFT policies and procedures are effective in combatting the money laundering and terrorist financing risks associated with its business model; and
  • the VASP’s management and beneficial owners are subject to the Central Bank’s fit and proper regime. This regime imposes standards in relation to competence, capability, honesty, ethical behaviour and financial soundness. These requirements apply both at the time of registration of a VASP and on an ongoing basis.
2. On-going AML/CFT Obligations

As designated persons, VASPs are required to comply with AML/CFT obligations on an ongoing basis. This includes obligations relating to carrying out business wide risk assessments, customer due diligence, frequent monitoring of VASP customers and related transactions, filing of suspicious transaction reports, developing and implementing appropriate AML/CFT policies and procedures, maintaining records and ensuring provision of training.


Consequences for non-compliance

It is a criminal offence not to comply with the obligations set out under Part 4 of the CJA 2010 as amended, and a failure to do so may result in a fine, imprisonment or both. Alternatively, a breach of Part 4 of the Act may result in enforcement action under the CBI’s Administrative Sanctions Procedure for Designated Persons under the supervision of the CBI.


Key Issues highlighted in bulletin

The bulletin outlines the key issues and recurring weaknesses identified by the Central Bank during its assessment of VASP registration applications. In that regard, the Central Bank highlighted the following expectations for future VASP applicants in submitting complete and comprehensive applications:

1. Application Phase

The Central Bank expects applicant VASP firms to consider its guidance documents and reminds them of the option to attend a pre-application meeting to assist prospective applicants in answering specific questions about any aspect of the registration process and the completion of the VASP AML/CFT Registration Form.

2. Assessment Phase
  • Risk Assessment
The VASP’s AML/CFT risk assessment must focus on specific risks arising from a VASP firm's business model and drive that firm's AML/CFT control framework. Robust controls must be implemented to mitigate and manage the identified risks.
  • Policies and Procedures
The VASP should maintain a documented suite of AML/CFT policies and procedures, which are supplemented by guidance and accurately reflect operational practices. The policies and procedures should also demonstrate consideration of and compliance with Irish legal and regulatory requirements.
  • Customer Due Diligence
The VASP is required to know their customers, persons purporting to act on behalf of customers and beneficial owners. VASP firms must also have enhanced due diligence procedures for dealing with politically exposed persons (PEPs).
  • Financial Sanctions
The Central Bank expects VASPs to have an effective screening system appropriate to the nature, size and risk of their business. VASP firms must follow clear escalation procedures in the event of a positive match.

  • Outsourcing
Where an Irish registered VASP outsources its AML/CFT functions, a documented agreement (for example, a service level agreement), must clearly define the outsourcing service provider's obligations. The VASP should also maintain evidence of sufficient oversight or be able to provide evidence of assurance testing.
  • Presence in Ireland
The Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank.


  • Pre-Approval Controlled Function (PCF)
Individual Questionnaires (IQs) for each proposed PCF role holder are to be submitted as soon as practical.


How RegSol Can Help

As a leading provider of regulatory compliance solutions to SMEs operating in Ireland, RegSol assists firms applying to the Central Bank for registration/authorisation and in developing effective AML/CFT frameworks.

With a number of VASPs already availing of the expertise of RegSol CEO AnneMarie, her extensive experience in both advising firms and drafting tailored, compliant AML/CFT business risk assessments and policies and procedures means she is well placed to guide VASPs through the Central Bank’s registration application process in an efficient and time sensitive manner.

To see how RegSol can assist your firm please contact us at info@regsol.ie
EBA issues guidance on the Role & Responsibilities of the AML Compliance Officer
June 2022

On 14th June 2022 the EBA published guidance on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer.

Frequently we have seen references to a European wide approach to AML/CFT (Anti Money Laundering / Countering the Financing of Terrorism). The aim of these guidelines is to “….create a common understanding, by competent authorities and credit or financial institutions, of credit or financial institutions’ AML/CFT governance arrangements. A common understanding, which is applied consistently and enforced as necessary, is key to strengthening the EU’s AML/CFT defences.”

The guidelines come into effect from 1st December 2022.

They are very comprehensive, running to 54 pages and they examine in detail the following:

  • The role of the management body in its supervisory function and management function in the AML/CFT framework.
  • Identification of the member of the management body responsible for AML/CFT.
  • Identification of a senior manager responsible for AML/CFT where no management body is in place.
  • Tasks and role of the member of the management body or senior manager responsible for AML/CFT.
Section 4.2 looks at the role and responsibilities of the AML/CFT compliance officer from their appointment, the skills and experience they should have in addition to the tasks they must complete and includes reference to outsourcing.

Section 5 has a list of additional documents, a summary of the Views of the Banking Stakeholder Group (‘BSG’) and Feedback on the public consultation and on the opinion of the BSG.

While reference is made to credit and financial institutions in the document, it provides useful information and guidance. As many of our readers will be aware, there is a positive obligation on Designated Persons to have a business wide risk assessment in place which covers all the AML/CFT and financial sanctions which their business may be exposed to. Included in the requirement is a specific reference to publications from the ESAs – European Supervisory Authorities. The EBA (European Banking Authority) is one of these.

While we have provided an overview above, the link to the full document is here:

Guidelines on AMLCFT compliance officers.pdf (europa.eu)
Legal Entity Identifiers for Passporting Retail Intermediaries
June 2022

From 1st July 2022, retail intermediaries that carry out cross border business in an EU Member State are required to have a Legal Entity Identifier (‘LEI’) – in line with EIOPA Guidelines. This applies to retail intermediaries currently availing of an EU passport, and to any retail intermediaries intending to passport in the future.

What is an LEI?

An LEI number is a global reference code which uniquely identifies a legal entity. It is a unique 20-digit global code which enables every legal entity that is party to a financial transaction to be identified in any jurisdiction. The code is assigned to that legal entity for its entire life, although it needs to be renewed on an annual basis.

The identification system was introduced in response to the global financial crisis in the 2000s and the LEI codes allow for unambiguous identification of the legal entities, avoiding inconsistency and ambiguity of identification by national codes or by their name.

How to Obtain LEI / Annual Renewal

Retail intermediaries notifying the Central Bank of Ireland of an intention to passport will be required to provide an LEI as part of the Passport Notification Form.

LEI codes are issued through a Local Operating Unit (‘LOU’) accredited by the Global Legal Entity Identifier Foundation (‘GLEIF’), which is responsible for monitoring LEI data quality. A legal entity is not limited to using an LEI issuer in its own country; instead, it can use the registration services of any LOU that is accredited and qualified to validate LEI registrations within its authorised jurisdiction(s). A list of all LOUs may be found here.

Each legal entity is required to recertify its LEI annually to ensure the data is correct.
Central Bank Publishes Intermediary Times June 2022 Issue
June 2022

The 'Intermediary Times', the Central Bank’s newsletter published twice a year, includes regulatory issues that retail intermediary firms need to be aware of in improving their standards of compliance.

In this latest edition the Central Bank of Ireland covers many items including:

  • Amendments to the list of Pre-Approval Controlled Functions; (also see RegSol’s article here)
  • A new Legal Entity Identifier requirement for some types of retail intermediaries; (see RegSol’s article here)
  • New features of the Central Bank Portal;
  • Updates relating to the Sustainable Finance Disclosure Regulations (SFDR);
  • An overview of the Consumer Protection Outlook Report 2022; (see RegSol’s article here)
  • Implications for Insurance Intermediaries of the new insurance regulations relating to Differential Pricing; (see RegSol’s article here)
  • Learnings relating to Authorisations and the Fitness and Probity (F&P) Assessment; and
  • Recent Central Bank publications relevant for retail intermediaries:
    • Use of Exempt Ancillary Insurance Intermediaries in the Insurance Sector; and
    • Structured Retail Products. (see RegSol’s article here)


Two areas highlighted by the Central Bank in the newsletter which will be of interest to our readers are as follows:

  1. Amendments to the list of Pre-Approval Controlled Functions (PCFs)

Firms are reminded that, for persons performing PCF2B, PCF16 and/or PCF52 before 5th April 2022, an ‘In Situ’ process is available to notify the Central Bank via the PCF In-Situ Return - the Online Reporting System (ONR) whereby an Individual Questionnaire (IQ) is not required - by 30th June 2022.

Persons proposed for these roles after 5th April 2022 must submit PCF applications via the normal process (i.e. submission of an IQ). Those individuals are now subject to the F&P Standards.

  
  2. Authorisation of Retail Intermediaries and the Fitness and Probity (F & P) Assessment

The Central Bank notes that when it is processing authorisation applications for retail intermediaries some PCFs proposed by applicant firms are unable to demonstrate how they meet the F&P Standards. In this regard, the Central Bank highlights the two most common issues identified by it, which are:

  • Applicants not meeting the requirements of Minimum Competency Code 2017 (MCC 2017) (where applicable);
  • Proposed PCFs that do meet the requirements of MCC 2017, but do not meet other aspects of the F&P Standards.
The Central Bank therefore reminds retail intermediary applicants that they are expected to review and familiarise themselves with the F&P Standards and the MCC 2017, to ensure they fully understand how these apply to their firm, and to ensure that they can demonstrate compliance with them when submitting an application.

For any assistance in applying to the Central Bank for an authorisation, please feel free to contact us at info@regsol.ie

To read the newsletter in full, please see the link below:

Intermediary Times June 2022 (centralbank.ie)

Central Bank seeks to end IBAN discrimination
June 2022

The Central Bank of Ireland has written to, among others, all financial services providers in a bid to end IBAN discrimination and remind firms of their obligations under the Single European Payments Area initiative (‘SEPA’).

This is in response to some firms continuing to refuse to accept non-Irish IBANs (international bank account numbers) - the standard identifier for all SEPA bank accounts - for payments.

The issue of IBAN discrimination has come to a head as hundreds of thousands of customers prepare to switch bank accounts, as KBC and Ulster Bank depart the Irish market. This is because some consumers may opt to switch to a bank that doesn't currently offer an Irish IBAN, such as Revolut.

What is IBAN discrimination?

IBAN discrimination is where a firm (or other entity) refuses to accept a consumer’s SEPA IBAN for euro payments or direct debits. An Irish firm cannot insist consumers open or maintain an Irish bank account for euro transfers.

IBAN discrimination is not permitted under the SEPA regulations.

The Central Bank is concerned that IBAN discrimination creates difficulties for Irish and European consumers and raises barriers to the proper functioning of the payment system.

What is SEPA?

SEPA allows consumers to make cashless euro payments such as direct debits and credit transfers to firms and individuals anywhere within the SEPA area using their IBAN.

So for example, an Irish person with an AIB account should be able to make payments quickly and easily in Germany without having to set up a German bank account, and a German with a German account should be able to do likewise here.

SEPA includes all 27 EU countries, the UK, and eight other European countries (Norway, Monaco, Switzerland, etc.).

It was fully implemented in 2014 in the euro area (and by 2016 in non-euro area SEPA countries).

Key takeaways:
  1. Regulated firms cannot refuse to accept from consumers non-Irish IBANs from within SEPA.
  2. IBAN discrimination is unlikely to impact many of RegSol’s clients. However, clients should be mindful of the Central Bank’s announcement particularly in light of the changing Irish banking scene where consumers will be turning to other banking services that may provide them with non-Irish IBANs. Accordingly, if the payment is legitimate (i.e. from an identified consumer) and within SEPA, the non-Irish IBAN should be accepted by firms.
If you are still in any way concerned as to how IBAN discrimination may affect your business, please feel free to contact us at info@regsol.ie
Q&A - Price Walking & Differential Pricing Regulations Commencing 1st July 2022
June 2022

Further to our article in May’s edition of the RegSol newsletter (HERE) on the new Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022 (the Regulations), which come into effect on 1st July 2022, the Central Bank has published the Insurance Regulations Q&A, which our clients might find useful to further explain the implications for their business.

As our readers will note, the Regulations, applicable to insurance undertakings and insurance intermediaries, were introduced to benefit consumers and enhance the consumer protection framework. The new requirements impact three key areas:

  1. Pricing: A ban of price walking in home and motor insurance markets - from 1st July 2022, insurance providers cannot charge consumers who are on their second or subsequent renewals a premium that is higher than they would have charged a year one consumer renewing their policy.
  2. Annual Review of pricing practices and policies: Insurance providers are required to review pricing practices and policies for all customers.
  3. Disclosure of additional information to policyholders in relation to automatic renewal arrangements: Insurance providers must notify the customer that the policy will automatically renew if the consumer does not cancel the automatic renewal before a specified date.

The link to the Insurance Q&As can be found here:

Insurance Regulations 2022 - Q+A updated May 2022 (centralbank.ie)
Central Bank of Ireland Enforcement Action - EBS d.a.c. reprimanded and fined €13,400,000 for regulatory breaches affecting tracker mortgage customers
June 2022

On 22nd June 2022, the Central Bank of Ireland reprimanded and fined EBS d.a.c. trading as EBS (‘EBS’) pursuant to its Administrative Sanctions Procedure for a number of significant failings in the treatment of its tracker mortgage customers. There were 2,830 mortgage accounts affected from August 2004 to June 2020.

“The investigation found that EBS failed in its obligations towards its customers under the Code of Practice for Credit Institutions 2001 and Consumer Protection Codes 2006 – 2012 (together the “CPC”). EBS’s failings caused unacceptable harm and loss to those impacted customers over the course of 16 years. Thousands of customers were overcharged and, at the worst end of the scale, customers lost 84 properties, eight of which were family homes. The actions of EBS had devastating consequences for its customers.”

The key findings from the investigation are that EBS:

  • Failed to properly manage its mortgage services to customers
  • Failed to adequately warn customers of the consequences of their decisions relating to their mortgage
  • Failed to provide clear mortgage documentation to customers
  • Failed to handle customer complaints in a fair and consistent manner

For details of the press release and full Enforcement Notice please see links below:

EBS d.a.c. reprimanded and fined €13,400,000 for regulatory breaches affecting tracker mortgage customers

Enforcement Action EBS d.a.c. reprimanded and fined €13,400,000 by the Central Bank of Ireland
Central Bank of Ireland Enforcement Action – Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 for regulatory breaches affecting tracker mortgage customers
June 2022

On 22nd June 2022, the Central Bank of Ireland reprimanded and fined Allied Irish Banks p.l.c. (‘AIB’) €83,300,000 under its Administrative Sanctions Procedure for a series of significant and long-running failings in the treatment of its tracker mortgage customers. There were 10,015 mortgage accounts affected from August 2004 to March 2022 including in some cases the loss of family homes.

A number of failings were identified by the Central Bank:

  • Failed to consider the entitlements of customers when it withdrew the tracker mortgage product
  • Breached customers’ mortgage contracts, delayed in rectifying the breach, and failed to take immediate and conclusive action to determine for these customers the financial implications of its wrongdoing
  • Wrongfully excluded customers’ mortgage accounts from the TME (Tracker Mortgage Examination)
  • Failed to handle customer complaints in a fair and consistent manner
  • Failed to properly manage its mortgage services to customers
  • Failed to properly implement the TME’s Stop the Harm principles

Each of these items is addressed in more detail in the press release and enforcement notice, links for these are below.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham said “The Central Bank has imposed a significant fine on AIB in respect of serious and long running failings in meeting its obligations to its tracker mortgage customers. The consequences of AIB’s prolonged failings were serious and included significant financial strain and distress for those affected and their families.”

For the press release from the Central Bank see link: 

Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 for regulatory breaches affecting tracker mortgages 

For the Enforcement Action Notice please see:

Enforcement Action Allied Irish Banks p.l.c. reprimanded and fined €83,300,000 by the Central Bank of Ireland
Central Bank seeks to end IBAN discrimination
June 2022

The Central Bank of Ireland has written to, among others, all financial services providers in a bid to end IBAN discrimination and remind firms of their obligations under the Single European Payments Area initiative (SEPA).

This is in response to some firms continuing to refuse to accept non-Irish IBANs (international bank account numbers) - the standard identifier for all SEPA bank accounts - for payments.

The issue of IBAN discrimination has come to a head as hundreds of thousands of customers prepare to switch bank accounts, as KBC and Ulster Bank depart the Irish market. This is because some consumers may opt to switch to a bank that doesn't currently offer an Irish IBAN, such as Revolut.


What is IBAN discrimination?

IBAN discrimination is where a firm (or other entity) refuses to accept a consumer’s SEPA IBAN for euro payments or direct debits. An Irish firm cannot insist consumers open or maintain an Irish bank account for euro transfers.

IBAN discrimination is not permitted under the SEPA regulations.

The Central Bank is concerned that IBAN discrimination creates difficulties for Irish and European consumers and raises barriers to the proper functioning of the payment system.


What is SEPA?

SEPA allows consumers to make cashless euro payments such as direct debits and credit transfers to firms and individuals anywhere within the SEPA area using their IBAN.

So for example, an Irish person with an AIB account should be able to make payments quickly and easily in Germany without having to set up a German bank account, and a German with a German account should be able to do likewise here.

SEPA includes all 27 EU countries, the UK, and eight other European countries (Norway, Monaco, Switzerland, etc.).

It was fully implemented in 2014 in the euro area (and by 2016 in non-euro area SEPA countries).


Key takeaways:

  • Regulated firms cannot refuse to accept consumers’ non-Irish IBANs from within SEPA.
  • IBAN discrimination is unlikely to impact many of RegSol’s clients. However, clients should be mindful of the Central Bank’s announcement particularly in light of the changing Irish banking scene where consumers will be turning to other banking services that may provide them with non-Irish IBANs. Accordingly, if the payment is legitimate (i.e. from an identified consumer) and within SEPA, the non-Irish IBAN should be accepted by firms.

If you are still in any way concerned as to how IBAN discrimination may affect your business, please feel free to contact us at info@regsol.ie
FSPO ‘Overview of Complaints 2021’
May 2022

The FSPO is an independent and impartial service provided for free to resolve complaints made by consumers in respect of regulated financial service providers and pension providers. Complaints made to the FSPO are resolved either through informal mediation or a formal investigation and adjudication process, which concludes with the issuing of a legally binding decision.

The FSPO recently published its report on the Overview of Complaints 2021 (the Report). The Report details the trends in the 4,658 complaints received by the FSPO and in particular, highlights the increase in complaints made to its office about poor customer service from financial service providers.

The Report notes that 23% of complaints made to the FSPO were complaints about poor customer service from financial services providers and further noted that a more responsive service from these providers could prevent this level of complaints from arising.


Insurance

After the banking sector, the second largest category of complaints related to insurance products. Complaints relating to this sector amounted to 27% of all complaints received by the FSPO in 2021. The Report notes that the two categories of insurance products most complained about in 2021 were Motor Insurance and Health, Accident and Dental insurance policies.

The top 5 types of insurance conduct complained of were as follows:

  • Claim handling – 26% (down from 27% in 2020)
  • Rejection of Claim – 25% (up from 10% in 2020)
  • Customer Service – 15% (up from 4% in 2020)
  • Maladministration – 8% (the same figure as 2019)
  • Refusal to give product/service – 7%

The Report acknowledged that COVID-19 related business interruption claims were exceptionally difficult for many businesses; however, the Report also noted that the success of the claim is dependent on the cover provided under the policy. The Report highlighted the importance of the wording within each policy as this will be determinative of whether a business would be covered for business interruption claims or not. In some of the complaints received, full indemnity was provided, whereas in others, there was none.


Investments

Complaints in relation to investments were the third largest category of complaint received by the FSPO in 2021. Personal pension products represented the largest portion of these complaint types, at 35%, closely followed by online share dealing at 30% of all investment complaints.

The Report also notes the growing complexity of products (e.g. cryptocurrency investments), making it increasingly difficult for some consumers to understand precisely who they are dealing with or who they are agreeing a contract with when they are purchasing financial services or pension products.


Outcome

Firms should ensure that they are meeting the highest levels of consumer protection standards, both in terms of potential FSPO engagement and complying with the Central Bank of Ireland Consumer Protection Code 2012.

For any queries on how RegSol can support you in ensuring appropriate consumer protection measures and complaints handling procedures are in place in your entity, please contact us at info@regsol.ie



Useful links:
Overview of Complaints 2021 (fspo.ie)
Insurance Company ordered to pay out claim on home insurance policy
May 2022

On 19th May 2022, Lloyd’s Insurance Company SA (Lloyd’s) was ordered by the High Court to honour a claim on an insurance policy for damage to the roof of a family home.


FSPO decision

Lloyd’s had appealed to the High Court against a decision of the Financial Services Ombudsman (FSPO) to uphold a complaint against it over its refusal to pay out on a couple’s claim.

The FSPO had found it was “unreasonable, unjust and improper” for Lloyd’s not to remediate the damage complained of. It therefore ordered the insurer to pay €20,000 to the couple as compensation for the inconvenience caused.


Facts of case

The complainants’ insurance policy covered against structural defects in the property and when issues arose, including pyrite-related damage and damage to the structure of the roof, Lloyd’s paid out over the pyrite, but it did not accept the damage to the roof trusses was covered by the policy.

The refusal was based on the insurer’s assertion that the trusses, which it accepted were structural, had been deflected due to the positioning of a water tank in the attic area which put pressure on them and led to cracking on ceilings and walls. Lloyd’s maintained this constituted damage caused “to” the structure, rather than “in” the structure, which it said placed it beyond the policy remit.


High Court

The High Court noted the high threshold that must be met to set aside decisions of the FSPO in that the court must be satisfied the FSPO made a “serious and significant error” in reaching its conclusions.

Lloyd’s argued the FSPO was, in fact, guilty of serious and significant error in how it interpreted the word “structure” in the policy.

The FSPO however stood over its decision, saying the defect in the trusses, a load bearing part of the roof, comes within the policy definition of structure. The roofing structure, it said, is intended to hold water tanks and should be designed and constructed to carry out that purpose.

Ultimately, the High Court found there was “ample evidence” to conclude the identified defect came within the insurance policy terms. The court decided that a reasonable person interpreting the contract would expect the roof trusses to have been designed and constructed in a way that rendered them fit to bear a water tank load “or at least [...] the ombudsman was entitled to take this view”.

The court was also satisfied that the level of compensation of €20,000 granted by the FSPO to the couple was reasonable.

You can read the full details of the case here:

Lloyd's Insurance Company v FSPO (courts.ie)
GDPR is 4 years old!!
May 2022

25th May 2022 marks the fourth anniversary of the General Data Protection Regulation ((EU) 2016/679) (GDPR) becoming law in Ireland and across Europe. This fundamental piece of legislation has dramatically changed the data protection landscape by requiring all organisations that process personal data to comply with the right to data protection.


Data Protection Commissioner (DPC)

In February 2022, the DPC published their annual report (here). Of note to our SME clients is that data subject access requests were the most common category of complaint handled by the DPC.

The DPC noted that individuals, when requesting access to their data, had communicated with the data controller but either did not receive an acknowledgement/response to their request or were dissatisfied with the response issued and, as a result, lodged a complaint with the DPC.

On its investigation of these complaints, the DPC found that it often transpires that the data controller either:

(a) has not performed an adequate search for the personal data,

(b) has not advised the individual they are withholding data and the exemption they are relying on for same, or

(c) will not respond within the required timeframe to the access request.


The report highlights the need for our clients to have adequate response procedures in place to be in a position to deal with access requests on a timely basis and avoid complaints of this nature arising in the first instance.


The Office of the Ombudsman (Ombudsman)

As many of you will be aware, the Ombudsman examines complaints from people who feel they have been unfairly treated by certain public bodies, for example, government departments, local authorities, the HSE and publicly funded third level education bodies.

With regard to the Ombudsman’s data protection obligations, the Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022 [S.I. No. 221 of 2022] (the Regulations) have been recently published.

The Regulations provide for restrictions on the rights of data subjects for the purposes of the Ombudsman being able to perform certain functions (e.g. the investigation of a complaint against a public body) while also not prejudicing that data subject’s right to data protection conferred by GDPR that may result from such a restriction.

The Ombudsman however is obliged under the Regulations to ensure that any measure used to restrict the rights of a data subject must be of limited scope and applied in a strictly necessary, proportionate and specific manner.

To keep up to date with all the latest developments in this area, please see our list of upcoming training dates here:

RegSol - Public Training Courses
New Central Bank authorisation requirements for Hire-Purchase, PCP, Consumer Hire and Indirect Credit Providers and Services
May 2022

From 16th May 2022, firms providing hire purchase, PCP, consumer hire and indirect credit (e.g. buy-now-pay-later (BNPL)) products and services are required to be authorised by the Central Bank of Ireland (CBI).

Firms providing these services will be required to seek authorisation as a Retail Credit Firm (RCF) or as a Credit Servicing Firm (CSF) as appropriate, though firms already operating in the market will be given time to transition.

The new authorisation framework for RCF/CSF follows the enactment of the Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022 (the Act) which requires:

  • Any person carrying on a business of offering hire purchase products or consumer-hire products to consumers, and any other person providing credit directly or indirectly to consumers, to be authorised by the CBI as a RCF (if not already subject to CBI authorisation); and
  • Any person who services such products to be authorised by the CBI as a CSF.

The Act also introduces an interest rate cap of 23% APR on all credit agreements provided to consumers (other than money lending agreements which have a separate regulatory framework). The Act also ensures that all retail credit firms must comply with Section 149 of the Consumer Credit Act 1995 and notify the CBI if they wish to introduce any new charges or increase any charge that has been previously notified to the CBI.


CBI Codes

The Act also enables the CBI to enhance the new authorisation requirements through new rules contained in the Consumer Protection Code 2012, the Minimum Competency Code 2017, and the Minimum Competency Regulations 2017 to ensure consumers are protected by the CBI’s consumer protection framework.


Changes to Consumer Protection Code 2012 (the “CPC”)

A new addendum amending the CPC applies to such firms the requirement on regulated firms to assess the suitability of the product for the consumer and the ability of the borrower to repay the debt over the duration of the credit agreement.

The CPC is also amended to include definitions of “BNPL agreement”, “consumer-hire agreement” and “hire-purchase agreement”, as well as other amendments inserted under the Headings of the CPC’s Scope, General Principles and Advertising rules.

The new changes to the CPC are effective from 16th July 2022.


Changes to Minimum Competency Code 2017 (the “MCC”)

The MCC has also been amended by way of an addendum bringing the newly regulated activities within its scope whereby the CBI expects RCF/CSF firms and their staff to meet the necessary minimum competency standards as soon as possible following commencement of the new Act (but no later than four years post-commencement).

These transitional arrangements are also set out by the insertion of Regulation 16A in the Minimum Competency Regulations 2017 i.e. the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Minimum Competency) (Amendment) Regulations 2022 [S.I. No. 234 of 2022].


Transitional Arrangements

Under these arrangements, RCF/CSF staff are required to meet minimum professional standards (e.g. holding recognised qualifications), and obligations are placed on the regulated entity, such as agreeing a plan for obtaining a relevant recognised qualification with the person availing of the transitional arrangements and monitoring compliance with those conditions, to ensure all necessary competency standards are met.

For instance, such firms will be required to ensure that a person exercising a controlled function in relation to a new RCF/CSF activity who does not hold a recognised qualification in respect of that function, obtains same by 16th May 2026.


Conclusion

All firms seeking authorisation as a RCF/CSF will be required to demonstrate to the CBI that they are in a position to meet the CBI’s authorisation requirements and standards prior to an authorisation being granted and its supervisory requirements on an ongoing basis thereafter.

Do not hesitate to contact RegSol if you are in any doubt as to whether the activities of your firm fall within the scope of the legislation or as to compliance with the CBI’s authorisation requirements. Furthermore, we can draft policies and procedures documents to ensure all applicable amendments to the CBI Codes are up to date and tailored specifically to your business.

We can be contacted at info@regsol.ie

Useful Links:

Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022 (irishstatutebook.ie)
Consumer Protection Code 2012 Addendum May 2022 (centralbank.ie)
Minimum Competency Code 2017 Addendum May 2022 (centralbank.ie)
Minimum Competency Regulations 2017 (Regulation 16A)

EU Financial Sanctions Regime in Relation to Russia
May 2022

The invasion of Ukraine by Russia has been a human tragedy for the people of Ukraine. It has been shocking and unsettling to see war return to the European continent and brought further uncertainty for the global economy as we exit from the Covid-19 pandemic.

Global developments have brought to the fore the importance of identifying and addressing geopolitical risks for businesses, one of which is restrictive economic measures (“sanctions”) introduced by the EU and other significant trading countries (e.g. US) as an alternative to taking military action.

In the case of the invasion of Ukraine, both the EU and US (and other jurisdictions) have taken significant steps to impose financial sanctions against named individuals and entities connected to Russia.

Financial sanctions are legally binding measures that can be taken against individuals, entities or bodies (the subject), the objective of which is to bring about a change of policy and/or behaviour by the subject. Financial sanctions can emanate from the European Union (through EU Council Regulations and further implemented in Irish Law through statutory instruments) or the United Nations. In general, once a subject has been placed on one of these sanction lists, there is a legal obligation not to transfer funds or to make funds or economic resources available, directly or indirectly, to that subject.

In 2014, the EU originally introduced sanctions in response to Russia’s illegal annexation of Crimea (Council Regulation (EU) No. 833/2014). The regulation has subsequently been amended, as significant expansions were made to the sanctions regime since late February when Russia recognised the regions of Donetsk and Luhansk as independent republics, and regular additions were made to the list of named Russian individuals and/or entities.

While all natural and legal persons in Ireland are obliged to comply with sanctions under EU Regulations as soon as they are adopted, the Central Bank of Ireland (the “CBI”) is responsible for ensuring that regulated entities operating in the financial services sphere in Ireland also comply with financial sanctions.

The CBI also provides frequent financial sanctions updates on its website and this month it communicated EU amendments to the Sanctions Lists on 21st April 2022, 19th April 2022, 13th April 2022 and 8th April 2022.

The CBI also provides guidance to regulated firms regarding international financial sanctions as follows: 
  1. Firms are required to continuously monitor both the European Union Consolidated Financial Sanctions List and the Consolidated UN Security Council Sanctions List to ensure that financial services are not provided to a sanctioned subject.
  2. In the event that a transaction occurs in which there is a breach or suspected breach of sanctions, described as a “hit” by the CBI, a firm must immediately freeze the account(s) and/or stop the transaction(s) and report the "hit" to the CBI using a Sanctions Return Form, available on the CBI website. Before submitting the report to the CBI, firms should take reasonable steps to ensure that the subject identified is the same subject as that listed in the relevant sanctions list.
Due to the unprecedented speed of the issuance of sanctions since the start of the Ukrainian conflict, affected firms should ensure they are aware of the updated position to remain compliant with the continuous developments in this area. Review and/or assurance testing of existing sanctions screening processes is also highly recommended at this point in time.

For further information on international financial sanctions and updates to the EU restrictive measures (sanctions) and UN sanctions lists, see link below to the CBI website:

International Financial Sanctions | Central Bank of Ireland
Data Protection Commission publishes Annual Report for 2021
May 2022

On 24th February, the Data Protection Commission (the “DPC”) published their annual report (here). It details the activities completed in 2021 together with information on the DPC’s Regulatory Strategy for 2022-2027. As with prior reports, there is detailed information on the number of issues they dealt with and details of specific case studies.

In that regard, the DPC noted the most frequent complaints received from individuals included:

Access requests: The DPC noted that individuals had communicated with the data controller but either did not receive an acknowledgement/response to their request or were dissatisfied with the response issued and, as a result, lodged a complaint with the DPC.

The DPC found that on investigating these complaints, it often transpires that the data controller either (a) has not performed an adequate search for the personal data, (b) has not advised the individual they are withholding data and the exemption they are relying on for same, or (c) will not respond within the required timeframe to the access request.

Cookies Investigations: throughout 2021 the DPC carried out cookies investigations, examining a significant number of websites to assess compliance with the relevant legislation where consent must be obtained for placing any information on a user’s device, or accessing information already stored on their device.

Issues highlighted by the DPC on foot of their investigations included the setting of tracking and advertising cookies without consent, the use of cookie banners that obscured the text of the cookies and privacy notices on websites, and the use of pre-ticked boxes or toggles to signal consent for cookies.

Such continued complaints emphasise the need for intermediaries, as Data Controllers, to comply with the data protection legislation in a competent and timely manner, particularly in circumstances where individuals are alive to their rights and will seek to enforce them.

Furthermore, the DPC confirmed that investigations and enforcement will continue to be a key element of its activities in 2022 and in the coming years. The DPC however intends to publish more guidance, including more regular case studies of issues it has decided, and work to support Data Protection Officers in their critical on-the-ground roles within organisations.

The DPC also referred to pending pieces of legislation at an EU level, the NIS2 Directive, the Digital Markets Act, the Digital Services Act, the E-Privacy Regulation, the Artificial Intelligence Act, and the Data Governance Act, highlighting the ever-evolving nature of data protection.

To keep up to speed with all the latest developments in this area, our Data Protection Full Day webinar takes place on Thursday 26th May 2022. To sign up, please go to the link below:

Data Protection Full Day (2 Half Day Sessions) Tickets, Thu 26 May 2022 at 09:30 | Eventbrite
Insure4Less Teoranta t/a Kerry Insurance Group reprimanded and fined €8,400 by the Central Bank of Ireland for breaches of fitness and probity pre-approval requirements
May 2022

On 1st March 2022, the Central Bank reprimanded and imposed a fine of €8,400 on the retail intermediary Insure4Less Teoranta t/a Kerry Insurance Group for breaches of fitness and probity pre-approval requirements.

The firm had breached three of its obligations when it failed to get pre-approval from the CBI for three directors who were appointed in January of 2018. Applications for the approvals were, in fact, only submitted in February of the following year. The CBI only discovered that the appointments had taken place in January of 2020, on foot of its own enquiries. The CBI found that the firm in question failed to obtain the CBI’s prior approval before appointing three individuals to pre-approval controlled function (“PCF”) roles.

The CBI has since approved three individuals for roles in the firm and the CBI confirmed it had now remediated the failings.

For further details of the action, see RegSol article:

Central Bank of Ireland Enforcement Action – Insure4Less Teoranta t/a Kerry Insurance Group fined €8,400.00 and reprimanded for breaches of fitness and probity (“F&P”)
BNY Mellon Fund Services (Ireland) DAC fined €10,780,000 and reprimanded by the Central Bank of Ireland for regulatory breaches relating to outsourcing
May 2022

On 22nd March the Central Bank of Ireland (the “CBI”) imposed one of its largest financial penalties to date, fining BNY Mellon Fund Services (Ireland) DAC €10.78m for 16 regulatory breaches relating to the outsourcing of its fund administration activities.

An aggravating factor that led to the large fine was BNY Mellon’s failure to remediate these conduct breaches after they were identified, ultimately leading to the CBI imposing a higher penalty.

The case highlights the importance of early engagement with the CBI and taking remedial action as soon as possible after the discovery of a breach. At the outset, firms should fully co-operate with the CBI’s investigations and ensure procedures are in place to minimise the likelihood of re-occurrence. Such active engagement should assist in reducing a firm’s exposure to a fine or sanction being imposed by the CBI and limiting any reputational damage caused.

For full details of the case, see RegSol article:

Central Bank of Ireland Enforcement Action – BNY Mellon Fund Services (Ireland) DAC fined €10,780,000 and reprimanded for breaches relating to outsourcing

New Regulations regarding Pre-Approved Control Functions (PCFs)
May 2022

On 5th April, the Central Bank of Ireland (the “CBI”) published the Central Bank Reform Act 2010 (Sections 20 and 22) (Amendment) Regulations 2022 amending its list of PCFs by creating, removing and reclassifying certain roles on the list.

One change that is likely to be of interest to our clients is the separation of the PCF-2 role into PCF-2A and PCF-2B.

The change involves splitting the PCF-2 role into two roles, (i) PCF-2A for the role of non-executive director and (ii) PCF-2B introducing the newly specified role of independent non-executive director (“INED”).

All individuals currently performing the PCF-2 role will automatically be re-designated as a PCF-2A.

Where an individual performing the PCF-2 role is considered independent, the firm will be required to notify the CBI of the designation as PCF-2B by 3rd June 2022.

For those individuals who were in-situ in the PCF-2B role as at 5th April 2022, according to a recently published Guidance (Guidance on PCF In-Situ Return 2022 (centralbank.ie)), firms can notify the CBI via the ‘PCF In-Situ Return – 2022 Regulations’ return (the PCF In-Situ Return) by 30th June 2022 as follows:
  • Complete a “PCF In-Situ Return File”, which has been provided by the Central Bank;
  • Upload the file to the Central Bank’s Online Reporting (ONR) System under the ‘PCF In-Situ Return – 2022 Regulations’ option;
  • Provide confirmation that the information is correct selecting the tick box and stating the necessary due diligence has been performed; and
  • Submit the file and confirmation to the CBI via the ONR System.
For more information regarding the changes to the other PCF roles, see the link below to RegSol’s article:

New Regulations regarding Pre-Approved Control Functions (PCFs)
Central Bank Differential Pricing Regulations
May 2022

The Central Bank’s (the “CBI”) ban on differential pricing in home and private motor insurance will take effect with the implementation of the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022 (the Regulations), on 1st July 2022.

Differential pricing is the practice of charging customers different premiums for reasons other than risk and cost of service. After a comprehensive review conducted by the CBI into the practice, the Regulations introduce key requirements for insurance undertakings and insurance intermediaries when selling motor and home insurance policies to consumers as follows:

  • Price walking: a ban on the practice known as “price walking” in motor and home insurance is effective from 1st July 2022. From that date, insurance undertakings and insurance intermediaries will not be permitted to charge consumers, who are on their second or subsequent renewal of a home or motor insurance policy, a premium higher than they would charge equivalent year one renewal consumers. However, it should be noted that to support competition and switching, new customer discounts will be allowed.
  • Pricing practices and processes: insurance undertakings and insurance intermediaries must carry out an annual review of their home and motor insurance pricing policies and processes to ensure sound practices. Such reviews should confirm that they do not systematically discriminate against consumers based on tenure or systematically exceed the price charged to first time renewal consumers in respect of renewals for longer tenure consumers. A written record of the review is to be maintained and actions taken to review any deficiencies identified.
  • Auto-renewal: from 1st October 2022, insurance undertakings and insurance intermediaries must allow consumers to cancel auto-renewals of non-life insurance policies free of charge at any time during the duration of the policy and inform consumers of that right. This includes written consumer consent for the automatic renewal of insurance contracts.
The CBI also intends to address specific additional problems in relation to complaints resolution, vulnerable customers and customer transparency as part of the overall review of the Consumer Protection Code (“CPC”) due to concerns that firms are not classifying, categorising and recording complaints appropriately. A consultation on the CPC review is expected to be launched in Q4 of this year.

Firms impacted by the above requirements should familiarise themselves with the Regulations to ensure non-life policy documentation provided to them by an insurance undertaking or intermediary accurately reflects the new position.

Feel free to contact RegSol at info@regsol.ie to discuss any aspect of the Regulations which may impact your firm’s practices and processes.
Central Bank issues Consumer Protection Outlook Report 2022
May 2022

On 14 March 2022, the Central Bank of Ireland (the “CBI”) published its Consumer Protection Outlook Report.

This report highlighted five Key Cross Sectoral Risks facing consumers of financial services as follows:

  1. Poor business practices and weak business processes;
  2. Ineffective disclosures to consumers;
  3. The changing operational landscape;
  4. Technology-driven risks to consumer protection; and
  5. The impact of shifting business models.
To mitigate those risks, the CBI expects regulated firms to:

  • Put in place robust product governance and oversight arrangements covering the design, sale and delivery of the product
Firms should be mindful that poor business practices can result in the sale of products with features, charges and risks that do not suit the needs of the consumers who purchase them. For example, the CBI has banned the widespread use of differential pricing in the motor and home insurance markets which led to consumers being charged for their loyalty thereby not necessarily representing the best long-term value for the consumer.
See our article on the New Differential Pricing Regulations.
  • Provide clear information in a timely manner to consumers, disclosing the key information upfront (i.e. risks and benefits, fees and costs)
Firms should ensure that statements of suitability and other disclosures to financial products provided to consumers, both in digital formats and by more traditional communications, are fully compliant with legislative requirements to ensure that consumers are supported in making good decisions about the products.
  • Actively identify and address risks to consumers that may potentially emerge from changes in the landscape within which the firm and/or its consumers are operating
Due to the current low deposit interest rate environment, consumers seeking higher returns on their investments are being offered increasingly complex products whose level of capital protection and associated risk they may not fully understand. This may make it more difficult for consumers to identify what services and products are, and are not, regulated and who is ultimately providing the financial service in question. The CBI therefore expects firms to clearly distinguish for the consumer between regulated and unregulated products, especially products carrying special risks such as virtual assets.
  • Have comprehensive IT & cybersecurity risk management frameworks to achieve resilience and protect the interests of consumers
Firms must ensure consumers’ needs and interests are to the fore in their considerations when designing and providing financial products digitally and that the product will only be provided to consumers for whom it is suitable. Firms should also have effective measures to mitigate the risk of fraud and scams.
  • Proactively assess the risks and consumer impact a commercial decision may pose to new and existing customers, and develop comprehensive action plans to mitigate these risks whilst ensuring that customers understand what changes mean for them.
Although, now more than ever, financial services are being delivered digitally, thereby reducing in-person customer service, it is important that consumers can access timely and customer-focused service, including where a consumer needs, or is best served by, an in-person (or virtual) engagement with the firm.
If you require any further information or advice as to how the Report may impact your consumer practices and procedures, do not hesitate to contact us at info@regsol.ie.
Implementation of Central Bank’s Outsourcing Guidance
May 2022

In December 2021, the Central Bank of Ireland (the “CBI”) published its Cross Industry Guidance on Outsourcing (the “Guidance”). The Guidance applies on 17th December 2021 to all regulated firms which use outsourcing as part of their business model.

It is accompanied by the CBI’s Feedback Statement providing commentary on industry views and explaining changes made to the Guidance. The Guidance is being introduced to supplement existing sectoral legislation, regulations and guidelines on outsourcing, by setting out the CBI’s expectations of good practice for the effective management of outsourcing risk.

The Guidance is intended to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risks. It is applicable proportionately, based on the nature, scale and complexity of each firm's business model and degree to which it engages in outsourcing.

The extent of measures applied should also be informed by the regulated firm’s assessment of whether the outsourced service or activity is deemed critical or important, except where it is highlighted that the requirements should take account of all outsourcing arrangements.

The CBI acknowledges that all measures of the Guidance may not be appropriate for smaller, less complex regulated firms to adopt in full. In those instances, the CBI confirms such firms may decide to adopt different practices to those covered in the Guidance although they must still ensure compliance with the relevant sectoral legislation, regulation and guidelines. Such firms are also expected to be in a position to explain the reason, upon request, for proceeding as they have done to the CBI. The firms must be able to clearly evidence the rationale for their approach and that the approach has been considered and approved by the board or equivalent.

The following are some of the key factors which should be considered when developing frameworks to manage outsourcing risks:

  • Principle of Proportionality: Firms will need to assess and analyse the Guidance with a view to implementing same within their outsourcing frameworks in a proportionate manner.
  • Strategy & Policy for Outsourcing: Firms should document their outsourcing policy in their business strategy, business model, risk appetite and risk management framework.
  • Sensitive Data Risk: To prevent data breaches or unauthorised disclosure of customer, employee or commercially sensitive data, firms need to implement appropriate measures for the storage, management, retention and destruction of this data and to set out these measures in the firm’s outsourcing policy and agreements governing outsourcing arrangements.
  • Sub-outsourcing: Firms must be aware of and have appropriate governance and risk management arrangements in place in respect of sub-outsourcing, especially if same are spread across different physical and geographical locations. Firms should determine their appetite for sub-outsourcing as part of their outsourcing policy and actively manage the associated risks via their contractual arrangements and monitoring and oversight mechanisms.
  • Board Oversight: The responsibility and accountability for effective oversight for all outsourced regulated activities ultimately rests with the board and senior management.
The Guidance also outlines other key aspects such as Disaster Recovery, Business Continuity Management & Exit Strategies, Audit and Access Rights and Concentration Risk, which firms should consider when it comes to their outsourcing activities.

The CBI intends that all firms whose PRISM Impact Rating is Medium Low or above will submit their outsourcing register via a new Online Return on an annual basis. The timing of the first submission is planned for Q2 2022. Low Impact firms may also be asked to submit their outsourcing register on a case-by-case basis by their supervisor.

Outsourcing is a key strategic area of focus for the CBI; firms must therefore be aware of and implement the requirements of the Guidance on a proportionate basis when engaging with OSPs. A failure to have effective governance and risk management processes in relation to outsourcing has resulted in a recent CBI enforcement action and a large fine being imposed – see BNY Mellon article below.

BNY Mellon Enforcement Action

If you have any questions on the Guidance and how it impacts your business, please get in touch with us at info@regsol.ie
EU Financial Sanctions Regime in Relation to Russia
April 2022

The invasion of Ukraine by Russia has been a human tragedy for the people of Ukraine. It has been shocking and unsettling to see war return to the European continent, and it has brought further uncertainty for the global economy as we exit from the Covid-19 pandemic.

Global developments have brought to the fore the importance of identifying and addressing geopolitical risks for businesses, one of which is restrictive economic measures (“sanctions”) introduced by the EU and other significant trading countries (e.g. US) as an alternative to taking military action.

In the case of the invasion of Ukraine, both the EU and US (and other jurisdictions) have taken significant steps to impose financial sanctions against named individuals and entities connected to Russia.

Financial sanctions are legally binding measures that can be taken against individuals, entities or bodies (the subject), the objective of which is to bring about a change of policy and/or behaviour by the subject. Financial sanctions can emanate from the European Union (through EU Council Regulations and further implemented in Irish Law through statutory instruments) or the United Nations. In general, once a subject has been placed on one of these sanction lists, there is a legal obligation not to transfer funds or to make funds or economic resources available, directly or indirectly, to that subject.

In 2014, the EU originally introduced sanctions in response to Russia’s illegal annexation of Crimea (Council Regulation (EU) No. 833/2014). The regulation has subsequently been amended as significant expansions were made to the sanctions regime since late February when Russia recognised the regions of Donetsk and Luhansk as independent republics and regular additions were made to the list of named Russian individuals and/or entities.

While all natural and legal persons in Ireland are obliged to comply with sanctions under EU Regulations as soon as they are adopted, the Central Bank of Ireland (the “CBI”) is responsible for ensuring that regulated entities operating in the financial services sphere in Ireland also comply with financial sanctions.

The CBI also provides frequent financial sanctions updates on its website and this month it communicated EU amendments to the Sanctions Lists on 21st April 2022, 19th April 2022, 13th April 2022 and 8th April 2022.

The CBI also provides guidance to regulated firms regarding international financial sanctions as follows:

  1. Firms are required to continuously monitor both the European Union Consolidated Financial Sanctions List and the Consolidated UN Security Council Sanctions List to ensure that financial services are not provided to a sanctioned subject.
  2. In the event that a transaction occurs in which there is a breach or suspected breach of sanctions, described as a “hit” by the CBI, a firm must immediately freeze the account(s) and/or stop the transaction(s) and report the "hit" to the CBI using a Sanctions Return Form, available on the CBI website. Before submitting the report to the CBI, firms should take reasonable steps to ensure that the subject identified is the same subject as that listed in the relevant sanctions list.
Due to the unprecedented speed of the issuance of sanctions since the start of the Ukrainian conflict, affected firms should ensure they are aware of the updated position to remain compliant with the continuous developments in this area. Review and/or assurance testing of existing sanctions screening processes is also highly recommended at this point in time.

For further information on international financial sanctions and updates to the EU restrictive measures (sanctions) and UN sanctions lists, see link below to the CBI website:

International Financial Sanctions | Central Bank of Ireland

Data Protection Commission – Conference for SMEs
April 2022

As mentioned in our January newsletter the Data Protection Commission (DPC) is hosting a series of workshops for SMEs in May this year. “Guest speakers will lead bespoke sessions focusing on Breach Mitigation and Risk Assessment; Legal Bases for Personal Data Processing, and meeting the Accountability Obligation with a focus on providing practical, scalable examples of GDPR compliance that will help delegates in their day-to-day work.”

The event will be in Croke Park. SMEs can register for this free event by emailing DPONetwork@dataprotection.ie, with the subject line “ARC Conference Registration” and include their name and the name of their business or organisation.

Data Protection Commission Event Post LinkedIn
New Regulations regarding Pre-Approved Control Functions (PCFs)
April 2022

In September 2021, the Central Bank of Ireland (the “CBI”) issued a Notice of Intention to amend its list of PCFs intending to create, remove and reclassify certain PCF roles. Having invited feedback from industry, on 5th April 2022 the CBI published its Feedback Statement along with the Central Bank Reform Act 2010 (Sections 20 and 22) (Amendment) Regulations 2022 with the list of PCFs revised as follows:

  1. Introduction of PCF-2A – Non-Executive Director;
  2. Introduction of PCF-2B – Independent Non-Executive Director;
  3. Removal of PCF-15 - Head of Compliance with responsibility for AML/CTF legislation;
  4. Introduction of PCF-52 – Head of Anti-Money Laundering and Counter Terrorist Financing (“AML/CTF”);
  5. Expansion of PCF-16 – Branch managers of branches established outside the State (to include managers of non-EEA branches (including the UK));
  6. Removal of PCF-31 – Head of Investment.

Key Takeaways from New Regulations:

Separation of PCF-2 role: PCF-2A and PCF-2B 
The PCF-2 role is separated into two roles, (i) PCF-2A for the role of non-executive director and (ii) PCF-2B introducing the newly specified role of independent non-executive director (“INED”).

All individuals currently performing the PCF-2 role will automatically be re-designated as a PCF-2A.

Where an individual performing the PCF-2 role is considered independent, the regulated financial service provider (“RFSP”) will be required to notify the CBI of the designation as PCF-2B by 3rd June 2022.

Removal of PCF-15 and introduction of PCF-52
The PCF-15 role (Head of Compliance with responsibility for AML/CTF legislation) is removed and a new PCF-52 role is introduced.

There is no obligation to appoint separate individuals to PCF-12 (Head of Compliance) and PCF-52 roles; the same individual can be identified as discharging both functions.

Each RFSP is required to review its functions to determine if a role meets the substance of PCF-52. For a person currently performing PCF-15, the RFSP will be required to notify the CBI as to how that person’s role should now be designated as a PCF-12, PCF-52 or both by 3rd June 2022.

Where an RFSP decides that a PCF-52 role exists, the RFSP must carry out an assessment in accordance with Section 21 of the Central Bank Reform Act 2010 (the “2010 Act”) and submit confirmation of such an assessment to the CBI by 3rd June 2022.

Expansion of PCF-16 
This role is expanded to include managers of non-EEA branches (including the UK) of RFSPs. Affected RFSPs must assess any person currently performing the PCF-16 role in accordance with Section 21 of the 2010 Act and submit confirmation of that assessment to the CBI by 3rd June 2022.

Removal of PCF-31 (Head of Investment)
The role of Head of Investment, PCF-31, is removed as the CBI found there was a duplication of roles where RFSPs were selecting PCF-30 for an individual performing this role. PCF-31 roles will be automatically re-designated as PCF-30; therefore, no further action is required by RFSPs.

For more information see the link below to the CBI website for a copy of the feedback statement and the regulations:

Central Bank of Ireland Announcements

Feedback Statement: Amendments to the List of Pre-Approved Controlled Functions (PCFs)

Amending Regulations 2022 (SI No 169 of 2022)

Central Bank of Ireland issues Insurance Newsletter March 2022
April 2022

This edition of the newsletter spans 12 pages; topics covered include:
  • Crisis in Ukraine – The Central Bank of Ireland’s expectations of firms, Sanctions & Cyber Risk
  • Insurance Insights – Review of Digital Maturity, Use of EAIIs in the Insurance Sector, IMF FSAP Update.

There is also a reminder of the Insurance Arrangements Regulations 2022 which come into effect in July 2022.

As always this is a detailed publication and essential reading for entities in the insurance industry. 

For the full newsletter please see the link below. 

Central Bank of Ireland Insurance Newsletter March 2022
Central Bank Dear CEO letter – MiFID Structured Retail Product Review
April 2022

On 22nd April 2022, the Central Bank of Ireland (the “CBI”) issued a “Dear CEO” letter which outlined its findings of a review identifying issues in the marketing of complex investment products - Structured Retail Products (SRPs) - manufactured and distributed by MiFID investment firms.

The letter comes on foot of the CBI’s Consumer Protection Outlook Report 2022 in which it highlighted a number of risks for consumers including ineffective disclosures on investment products and what it expects regulated firms to do to mitigate those risks.

Due to the current low deposit interest rate environment, retail clients seeking higher returns on their investments are turning to increasingly complex structured products with intricate features and characteristics. Oftentimes they may not fully understand the product or how the return is generated, and may misinterpret the level of capital protection and risk associated with their investment.

The subsequent “Dear CEO” letter requires regulated firms to take action to identify a sufficiently granular target market for SRPs and to make improvements in the quality and transparency of disclosures to retail clients of the risks of investing in such products.

The letter refers to a number of poor practices and weaknesses identified in firms’ SRP arrangements and controls including examples where firms have failed to:

  1. Identify a sufficiently granular target market.
  2. Adequately consider the use of highly complex features in SRPs being manufactured and distributed to retail clients, which may be difficult for these clients to understand.
  3. Present fair and balanced past performance (back-testing) information, supported by appropriate context and narrative.
  4. Display capital at risk warnings in prominent positions for products where the client’s capital is at risk.
  5. Ensure consistent levels of clarity and comprehensiveness in disclosures.
  6. Disclose adequately the risk and potential impact of restructuring to clients prior to sale.

Relevant MiFID investment firms should give due consideration to the contents of the letter and ensure they are continually evaluating the effectiveness of their arrangements and controls in the manufacture and distribution of SRPs to ensure that they are meeting the highest standards of investor protection, which the CBI will have due regard to as part of future supervisory engagements.

You can access the Consumer Protection Outlook Report 2022, press release and Dear CEO letter by clicking the below links:

Consumer Protection Outlook Report 2022 (centralbank.ie)

Central Bank reviews identify issues in marketing of complex investment products

Dear CEO letter - MiFID Structured Retail Product Review (centralbank.ie)

Revenue Commissioners updates the Beneficial Ownership FAQs
March 2022

As discussed in our February newsletter, beneficial ownership is proving to be a complicated topic. Many regulations have been issued, the most recent ones being in 2021 for the beneficial ownership of trusts. The Revenue Commissioners hold the Central Register of Beneficial Ownership of Trusts.

There is a positive obligation on designated persons to screen against the relevant register and report any discrepancy between the information provided to them (in the course of identifying a customer) and what they obtain from the register. 

This month the Revenue Commissioners updated the register FAQs which you can access here:
Central Register of Beneficial Ownership of Trusts



By: Eilish Larkin - Regulatory Consultant