RegSol Blog

RegSol Blog Posts

Enforcement Action: Central Bank issues Prohibition Notice to Mr. James Cumiskey under the Fitness and Probity Regime
May 2021

Effective from July 2020, Mr. Cumiskey is prohibited from carrying out a Controlled Function (CF) or Pre-approval Controlled Function (PCF) in any regulated financial services firm for an indefinite period.

The Central Bank’s investigation discovered that between January 2018 and August 2018, Mr. Cumiskey induced people to give him deposits they had saved for a mortgage on the basis that Mr. Cumiskey required the deposit to process their mortgage applications. 

 Neither Mr Cumiskey nor his firm (European Mortgage Call Centre Limited) were authorised as a mortgage intermediary, yet mortgage services were advertised on the company website. It also emerged as during the investigation that Mr. Cumiskey had outstanding debts and was not managing his own financial affairs in a sound and prudent manner as required by the Fitness and Probity Standards.

This action, in addition to the letters issued by the CBI to all regulated firms in April 2019 and November 2020 highlights the importance of the Fitness and Probity regime and the obligations that it places on firms and their management and staff.

Can you demonstrate to the Central Bank of Ireland how you are complying with these requirements?

See attached for details: CBI Press Release May 2021

By Eilish Larkin
Regulatory Consultant
Enforcement Action: Ulster Bank Ireland DAC
May 2021

The Central Bank of Ireland (CBI) fined Ulster Bank Ireland DAC €37,774,520 for regulatory breaches that affected tracker mortgage customers.

There were 49 separate regulatory breaches of the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995, Code of Practice for Credit Institutions 2001, the Consumer Protection Code 2006, and the Consumer Protection Code 2012.

The CBI highlighted specific failings as below:
  1. Failing to disclose to impacted tracker customers all the consequences of fixing their interest rates,
  2. Devising and implementing a deliberate strategy not to provide certain customers with their correct tracker mortgage entitlement unless they complained,
  3. Failing to adequately implement the TME’s Stop the Harm principles to protect all potentially impacted tracker customers from further detriment,
  4. Failing to ensure that its operational systems and controls were sufficient to ensure that its customers were provided with their correct tracker mortgage entitlements.
Seána Cunningham, Director of Enforcement and Anti-Money Laundering at the CBI stated “At the heart of this enforcement action is the avoidable harm caused by UBID to its tracker customers. Over an extensive period, UBID denied customers their tracker mortgage entitlements in relation to 5,940 mortgage accounts, resulting in significant and widespread overcharging. 

At the most serious end of the detriment caused to UBID’s customers, 43 properties were lost, 29 of which were family homes, as a direct consequence of UBID’s actions.”

The Settlement Agreement notice is lengthy, and the CBI highlighted a number of aggravating factors in the case – very notable is Ulster Bank Ireland DAC has been subject to 4 previous Enforcement Actions.

Central Bank of Ireland's Enforcement Action on Ulster Bank DAC

By Eilish Larkin
Regulatory Consultant

April 2021 - Commencement of the Criminal Justice (Money Laundering and Terrorist Financing) Amendment Act 2021
May 2021

The long-awaited Commencement Order (S.I. No. 188 of 2021) was signed, and the provision of the Criminal Justice (Money Laundering and Terrorist Financing) Amendment Act 2021 are now in force. This transposed the requirement of the 5th EU Anti-Money Laundering Directive into Irish law.

We have covered the key provisions in previous Regsol articles – please see the link below.

5 AMLD Legislation Progressing through the Seanad

By Eilish Larkin
Regulatory Consultant
Brexit and the Impact on Brokers
April 2021

Insurance intermediaries in the EU including Ireland must only use insurance and re insurance services of other EU registered firms.

Under the Withdrawal of the United Kingdom from the European Union (Consequential Provisions) Act 2019, UK insurers and intermediaries that do not wish to be established in Ireland or other EU member state, will be provided with a run-off regime. This will allow them to continue to fulfil contractual obligations to their Irish customers for a three-year timeframe after the transition period ends. After this, they will not be able to write new insurance contracts or renew existing ones.

For Irish intermediaries that have UK clients, the intermediaries need to have registered with the Financial Conduct Authority’s (FCA) UK Temporary Permissions regime (TPR) while they proceed with a full application to the FCA. If Irish intermediaries do not wish to get authorised by the FCA they are subject to the Financial Service Contracts Regime (FSCR). This regime allows that contracts written pre 31.12.2020 can continue to be serviced but no new business can be written.

It is vital that all intermediaries ensure that they deal with insurance undertakings and firms that have the correct authorisations on place to cover risks for their policyholders wherever they are based.

Brokers Ireland: Dealing with UK Clients Post Brexit

Brokers Ireland: Impact of Brexit on Irish Brokers with Clients Based in the UK  

By Eilish Larkin - Regulatory Consultant

EBA (European Banking Authority) issues documents on AML
March 2021

1. Opinion of the EBA on the risks of money laundering and terrorist financing affecting the European Union’s financial sector.

Article 6(5) of Directive (EU) 2015/8491 requires the EBA to issue an Opinion on the risks of money laundering and terrorist financing (ML/TF) affecting the European Union’s financial sector every two years. This document is the is the third Opinion on these risks issued so far. The European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA) were closely involved in the process.

The risks highlighted are listed below:
  • Risks associated with virtual currencies.
  • Risks associated with the provision of financial products and services through FinTech firms.
  • Risks arising from weaknesses in CFT systems and controls.
  • Risks arising from de-risking.
  • Risks arising from supervisory divergence.
  • Risks associated with crowdfunding platforms.
  • Risks arising from divergent approaches to tackling tax-related crimes.
  • Risks arising from the COVID-19 pandemic.

In addition to these, sector specific analysis is provided.

EBA Document: Opinion of the European Banking Authority

2. Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions.

The ML/TF Risk Factors Guidelines are issued as per Articles 17 and 18(4) of Directive (EU) 2015/849.

The guidelines were created to support firms’ AML/CFT compliance efforts and enhance the ability of the EU’s financial sector effectively to deter and detect ML/TF. The most recent version (dated 1st March 2021) has been updated as regards:

  • business-wide and individual ML/TF risk assessments;
  • customer due diligence measures including on the beneficial owner;
  • terrorist financing risk factors; and
  • new guidance on emerging risks, such as the use of innovative solutions for CDD purposes.

As with previous versions the Guidelines are divided into two parts:

Title I is generic and applies to all firms.

“It is designed to equip firms with the tools they need to make informed, risk-based decisions when identifying, assessing and managing ML/TF risk associated with individual business relationships or occasional transactions.”

Title II is sector-specific and complements the generic guidelines in Title I.

“It sets out risk factors that are of particular importance in certain of those sectors and provides guidance on the risk-sensitive application of Customer Due Diligence measures by firms in those sectors.”

The anti-money laundering and counter terrorist financing area is one that is ever evolving. The pace of change must keep up with the new and varied methods that criminals devise to infiltrate the financial services system. These EBA publications give information and insight that will be of use to designated persons/relevant regulated financial services providers.

EBA Document: Final Report

AnneMarie Whlen
Regulatory Consultant
"Credit union sustainability: the role of risk management, in sector restructuring and business model change" Registrar of Credit Unions Patrick Casey
March 2021

The Registrar of Credit Unions, Patrick Casey addressed the Credit Union Managers Association’s Spring Conference. In his speech Mr Casey covered key aspects of 2020 and then outlined the Central Bank’s vision for the Credit Union sector in 2021.

It was stated “Our vision for the sector remains: “Strong Credit Unions in Safe Hands”, where we see:
  • ‘Strong Credit Unions’ as being financially strong and resilient, enabled by sustainable, member-focussed business models, underpinned by effective governance, risk management and operational frameworks, and where they can be resolved when they get into difficulty; and
  • Credit unions are ‘in Safe Hands’ when they are effectively governed, professionally managed and staffed by competent, capable people, who take ownership of and prudently manage current and emerging risks.”

The vision for the sector will be implemented by the adoptions of four strategic priorities. These are:

A. Effective and Proportionate Supervision – The Central Bank expects credit unions to have core prudential foundations including strong governance and robust risk management.
B. Managing disruptive change – Business model innovation, restructuring, climate change and the advances in technology were considered here.
C. Tailored and Proportionate Regulation – the focus here will be on the effective implementation of recent regulatory framework enhancements.
D. Sector Engagement - In 2021, there will be continued extensive two-way communication and engagement with individual credit unions and sector stakeholders.

It is clear the Central Bank is focused on having a strong, viable and vibrant Credit Union sector. The vision as outlined will provide challenges and opportunities for the sector. As Credit Unions won the Best Customer Experience Award for the sixth consecutive year in 2020 as per the CXi Report, no doubt they will rise to these challenges.

For the full address click HERE

AnneMarie Whelan
Regulatory Consultant
AML: UK Financial Conduct Authority (FCA) commences proceedings against NatWest.
March 2021

The Financial Conduct Authority, (FCA), has started proceedings against the state-owned NatWest for allegedly failing to prevent money laundering. This is the first criminal prosecution taken by the Regulator under the Money Laundering Regulations 2007 and also the first prosecution under these regulations against a bank.

Under the regulations firms are required to determine, conduct, and demonstrate risk sensitive due diligence and ongoing monitoring of its relationships with its customers for the purposes of preventing money laundering.

The FCA alleges that NatWest did not monitor and properly scrutinise transactions on a corporate customer account which was collecting large cash deposits. Between November 2011 and October 2016, it is believed that £365m was paid into the account, including £264m in cash.

If NatWest is found guilty of breaching the anti-money laundering rules it could face unlimited fines.

NatWest is due to appear in court on the 14th of April 2021 to respond to the charges.

For the full article click HERE

AnneMarie Whelan
Regulatory Consultant
The Central Bank sets out its priorities for Consumer and Investor Protection in 2021
March 2021

Director General, Financial Conduct, Derville Rowland, outlined the Central Bank’s priorities regarding consumer and investor protection. Topics listed were:
  • the review of the Consumer Protection Code;
  •  insurance issues focused on differential pricing and business interruption;
  • distressed debt;
  • managing liquidity risk in funds during periods of market volatility;
  • strengthening policy in capital markets union and sustainable finance; and
  • enforcement and anti-money laundering priorities.


As part of their efforts to assist consumers who find themselves in financial difficulty, the CBI has issued a Consultation Paper on the Standard Financial Statement.   This form is a key part of many lenders Mortgage Arrears Resolution Process (MARP) and is used to gather information on the borrower’s financial situation.  The Consultation Paper is split in to two parts and interested parties are required to give their feedback on the proposed changes and questions posed in the paper by 20th April 2021.

The CBI continues to pursue cases against individuals and firms as part of the Administrative Sanctions Procedure and the Fitness and Probity regime.  The importance of protecting customers is very clear: 

“Time and time again, I and colleagues in the Central Bank have told senior leaders in firms: consumer and investor protection begins with the firms themselves. Firms are responsible for selling their customers products that meet their needs both now and into the future. Firms must have effective cultures and set the right standards.”

For the full speech click HERE

AnneMarie Whelan
Regulatory Consultant
CP138 - Consultation on Cross-Industry Guidance on Outsourcing
March 2021

The Central Bank of Ireland’s, (CBI), Strategic Plan 2019-2021 sets out its mission, vison, and mandate. The mission of the CBI is to serve the public interest by safeguarding monetary and financial stability. The CBI works to ensure that the financial system operates in the best interests of consumers and the wider economy. Managing outsourcing risk is seen as essential by the CBI from both a prudential and conduct perspective. 

When companies outsource activities, they create a dependency on a third party. This dependency could influence operational activities and the quality of products or services delivered to consumers. Both national and European regulators and supervisors have examined this area and there have been numerous publications on the topic, sample listed below:

  • European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on Outsourcing to Cloud Service Providers (EIOPA-BoS-20-002);
  • European Securities and Markets Authority ESMA 50-157-2403 Guidelines on Outsourcing to Cloud Service Providers (Final - December 2020); and
  • Financial Stability Board (FSB) Discussion Paper - Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships.

The CBI recognises that many firms rely on outsourced service providers both intragroup entities and third-party ones. The purpose of the guidance is to “assist regulated firms in developing their outsourcing risk management frameworks so as to effectively, identify, monitor and manage their outsourcing risks.”

The deadline for providing comments to the CBI is 26th July 2021.

For the Consultation Paper and link to the Guidance please see: Consultation Paper CP138

AnneMarie Whelan
Regulatory Consultant

Central Bank of Ireland Enforcement Action – J&E Davy fined €4,130,000 and reprimanded for regulatory breaches arising from personal account dealing.
March 2021

On the 1st of March 2021, the Central Bank reprimanded and fined J&E Davy €4,130,000.00 for four breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) that occurred between July 2014 and May 2016.

The Central Bank’s investigation centred on a transaction which was concluded by a group of 16 Davy employees in a personal capacity with a Davy client. Among the 16 Davy employees was a group of senior executives. In permitting the transaction Davy prioritised the opportunity for its employees to make a personal financial gain ahead of their regulatory obligations in the areas of conflicts of interest and personal account dealing.

Failings were found in the following areas:

  1. Conflict of Interest identification and management.
  2. Personal account dealing framework.
  3. Ensuring the compliance function can discharge its role properly.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham said: “This case serves as an important reminder that conflicts of interest are an inherent risk to all regulated entities. When not properly managed, they pose a risk to investors and diminish market integrity. Where investment firms permit employees to engage in personal account dealing - i.e., to trade for themselves rather than for a client – the risk of conflicts of interest arising is heightened.”

The National Treasury Management Agency, (NTMA), revoked the appointment of Davy Stockbrokers as a primary dealer in government bonds.

On the 9th of March, Director General, Financial Conduct, Derville Rowland addressed the Joint Oireachtas Committee on Finance, Public Expenditure and Reform. In her speech Ms. Rowland made reference to a number of issues including Covid 19, business interruption insurance and the Davy reprimand and fine and said “Robust enforcement action is a critical component of our work to protect consumers and investors. It is a key part of the regulatory and supervisory toolkit. Enforcement action supports and runs alongside other supervisory interventions to help drive the remediation of risks and issues in the governance, risk management and control frameworks of the firms we supervise.”

Given this enforcement action is against the regulated entity, but the actions involved were clearly perpetrated by individual staff members, a lot of people will be wondering if there will be any personal accountability. Derville Rowland did confirm to the Oireachtas Finance Committee her office had had "tentative engagement" with An Garda Socháina and the Office of the Director of Corporate Enforcement (ODCE) over its Davy investigation but it remains to be seen if further action will be taken by any enforcement body. What has become clear is that the full capabilities of the CBI’s regulatory ‘toolkit’ are being tested and delays on introducing a SEAR type regime may be hindering their efforts.

The fallout:

Following the enforcement action, 3 senior members of the Davy management team have resigned their positions - CEO Brian McKiernan, deputy chairman Kyran McLoughlin and head of bonds Barry Nangle.

The firm was placed up for sale on the 11th March with speculation that Bank of Ireland could be set to reacquire the firm – AIB having just confirmed on 2nd March that it had agreed to buy Goodbody. The whole case has raised further questions around implications for the entire stockbroking market in Ireland.

Most recently an international professional services firm, Alvarez & Marsal, has been appointed by Davy to examine staff trading over the past seven years as part of a review of matters arising from the Central Bank action.

There is no doubt that the effects of the settlement action and the ongoing investigations will be felt for some time to come. The events that gave rise to the enforcement action will remind many of actions taken during the last financial crises. The Central Bank in its action has reiterated the importance of regulated financial service providers putting customers interests before their own.

AnneMarie Whelan
Regulatory Consultant
Central Bank of Ireland Enforcement Action – Keystone Insurance Limited
February 2021

On the 26th January 2021, the Central Bank reprimanded and fined Keystone Insurance Limited €41,385 for six breaches of the Consumer Protection Code from 2012 to 2017.

Keystone is a retail intermediary that operates in the commercial insurance market and is regulated under the European Union (Insurance Distribution) Regulations 2018.

The breaches included:

  • Overcharging: Customers were charged for placing insurance, processing mid-term adjustments and processing cancellations of insurance policies, in excess of the maximum fees allowed to be charged under Keystone’s Terms of Business.  62 customers were overcharged a total of €9,964.36 over a five-year period. These customers have been fully reimbursed by Keystone. 
  • Provision of unclear communications to customers: Out of 265 invoices reviewed, the Central Bank found that communication of applicable fees in 190 cases was unclear, in that the firm failed to bring fees to the attention of the customers. The information was on the invoices in small print at the bottom of the invoices.
  • Failure to have adequate systems and controls: There were inadequate systems and controls in place to facilitate Keystone meeting its regulatory obligations on communications.  

An aggravating factor in the investigation was that Keystone provided the Central Bank with incomplete and unclear responses to requests for information.  

Seána Cunningham, The Central Bank’s Director of Enforcement and Anti-Money Laundering said:

“The Central Bank expects that all regulated firms should have adequate processes, systems and controls in place to ensure compliance with the Code, ensure staff are trained on the Code’s provisions, regularly check that they are in compliance with the Code and ensure that any failures that may occur are identified and rectified early”. 

Click HERE to view the notice.

By Eilish Larkin
Compliance Consultant
SFDR – The three European Supervisory Authorities publish Final Report and Draft Regulatory Technical Standards (RTS) on the disclosures required.
February 2021

The Sustainable Finance Disclosure Regulation (SFDR) comes into effect on 10th March 2021. It aims to provide greater transparency on sustainability related disclosures.

In our January newsletter we noted that the Department of Finance was seeking submissions from interested parties in relation to the exercise of the national discretion in Article 17 of Regulation (EU) 2019/2088. Member States are given discretion as to whether to exempt financial advisers which employ fewer than three persons or to apply the Regulation to these entities.

The regulation applies to financial products listed below and extends to their product manufacturers and their financial advisers who are located in the EU:
  • Portfolio managed by credit institutions or investment firms.
  • Alternative investment funds (AIFs) and UCITs
  • Insurance-based investment products (IBIPs)
  • Pension products, Workplace pensions products regulated under the IORP directive and PEPP.

The final report and draft RTS will provide welcome guidance to many in advance of next week’s deadline.

See HERE for more information.

Eilish Larkin
Compliance Consultant
CP136 Consultation on Enhancing our Engagement with Stakeholders
February 2021

This paper invites submissions from parties by 11th of May 2021 in relation to how the Central Bank of Ireland can enhance the methods by which it engages with its stakeholders.

The Central Bank would like to increase their transparency with stakeholders and to build a listening organisation. The paper notes “COVID-19 has created some new opportunities to reach out to business and community representatives across the country, to meet the Central Bank’s stated aim of ensuring its relevance to and engagement with individuals and organisations based throughout Ireland.”

Who are the stakeholders? They include: the government, other state agencies, the European Supervisory authorities, civil society, consumer representatives, regulated firms, industry representative groups and business representatives.

The are 4 proposals in the paper:
  1. To build on existing arrangements (Civil Society Roundtable and Consumer Advisory Group) and improve engagement with consumers and users of financial services.
  2. Formalise the existing industry roundtables by hosting a senior level, cross-sectoral industry stakeholder forum.
  3. Provide an opportunity for the Central Bank to engage with industry, civil society, consumer, and business representatives at the same time, it is proposed that the Central Bank will host a public Financial System Conference in 2022.
  4. To enhance our engagement with business and “real economy” representatives.
Each proposal together with a list of questions and details on how to make a submission can be found by clicking HERE.

By Eilish Larkin
Compliance Consultant
Swedish Privacy Authority finds Police unlawfully used facial recognition app.
February 2021

The Swedish Authority for Privacy Protection (IMY) launched an investigation when reports appeared in the media that the Swedish Police Authority had used a facial recognition app.

A fine of SEK 2,500,000 (Approx. €250,000.00) was imposed and the police must conduct further training and education of employees to ensure that personal data is not processed in breach of data protection rules and regulations.

The IMY found that the police had not satisfied its obligations as a data controller with regards to the use of Clearview AI and that they failed to demonstrate that the processing of data was in line with the Criminal Data Act.

Click HERE to read the full article.

By Eilish Larkin
Compliance Consultant
Anti-Money Laundering Compliance Unit (AMLCU) Department of Justice - Annual report published on 9th February 2021.
February 2021

The 2019 annual report was prepared by the Anti-Money Laundering Compliance Unit (AMLCU) of the Department of Justice under section 65 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended. 

The AMLCU is responsible for supervising those designated persons that are not subject to supervision by another competent authority. The AMLCU supervises:

  • Dealers in High Value Goods,
  • Trust or Company Service Providers (TCSPs) not otherwise supervised by the Central Bank or prescribed accounting bodies;
  • Notaries,
  • Tax Advisors and External Accountants (not within the remit of prescribed accountancy bodies),
  • Private Members’ Clubs and
  • Gambling service providers (Tote, online gambling, retail gambling)
474 onsite inspections were carried out in 2019 by the AMLCU.

The AMLCU can issue directions to comply to Designated Persons and they can make Competent Authority Reports (CARs) to the Financial Intelligence Unit within An Garda Síochána and to the Revenue Commissioners. In 2019 the AMLCU issued 22 directions to High Value Goods Dealers and submitted 321 CARs to FIU Ireland on GoAML (online reporting system) and copied them to Revenue.

The report provides detailed information on the approach the Department of Justice takes and, on their efforts, to engage with the relevant Designated Persons.

Click HERE for the full report.

By Eilish Larkin
Compliance Consultant
5AMLD Legislation progressing through the Seanad. Transposition imminent.
February 2021

5th EU Directive key changes:

  • Crypto currencies/virtual currencies and Letting Agents obliged entities
  • Traders in art (galleries and auction houses) obliged entities for transactions over €10,000
  • Greater powers for Financial Intelligence Units: transparency of financial transactions
  • Centralised Beneficial Ownership Registers interconnected
  • Clarification of PEPs: Member states to produce official lists

For more information on the changes the transposing bill will bring please click HERE to see previous articles from RegSol.

By Eilish Larkin
Regulatory Consultant

European Securities and Markets Authority issued a reminder to firms on the MiFID II reverse solicitation rules
January 2021

ESMA issued the reminder on discovering some attempts by firms to avoid the MiFID rules and the protections they offer. As per Article 42 of MiFID II, where a retail client or professional client, established or situated in the Union initiates at its own exclusive initiative the provision of an investment service or activity by a third-country firm, the third country firm is not subject to the requirements under Article 39 of MiFID II.

ESMA has previously provided guidance to firms on the application of the MiFID II in these situations and outlined how the concept of a client initiating “at its own exclusive initiative the provision of an investment service or activity by a third-country firm” included in Article 42 of MiFID II should be applied.

The statement noted in particular:
  • “the provision of investment services in the EU without proper authorisation in accordance with the EU and the national law applicable in Member States exposes service providers to the risk of administrative or criminal proceedings, for the application of relevant sanctions,
  • when using the services of investment service providers which are not properly authorised in accordance with EU and Member States’ law, investors may lose protections granted to them under EU relevant rules, including coverage under the investor compensation schemes in accordance with Directive 97/9/EC.”

For the full statement see:

ESMA Reminds Firms of the MiFID II rules on Reverse Solicitation


By: Eilish Larkin
CP135 – Consultation on Competent Authority Discretions in the Investment Firms Directive and the Investment Firms Regulation
January 2021

The consultation paper outlines the proposed approach the Central Bank of Ireland will take regarding provisions contained within the Investment Firms Directive (IFD) and the Investment Firms Regulation, in situations where the competent authority can or must exercise its discretion. This will apply to MiFID investment firms following the entry into force of the IFD/ IFR. The IFD and IFR were adopted by the Council of the EU on 23 October 2019 and were published in the Official Journal of the European Union on 5 December 2019 and entered into force on 25 December 2019. The IFD and the IFR are applicable from 26 June 2021.

As outlined in the consultation the aims of the new legislation are to:

  • ensure more proportionate rules and better supervision for all investment firms across capital, liquidity and other risk management requirements.
  • ensure a level-playing field between large and systemic financial institutions: investment firms that carry out bank-like activities and pose similar risks to credit institutions will be subject to the same rules and supervision as credit institutions.

Deadline for submissions is March 2021. For more information including a link to the full consultation paper see:

CP135 - Consultation on Competent Authority Discretions in the Investment Firms Directive and the Investment Firms Regulation

By: Eilish Larkin
Sustainability Related Disclosures and National Discretion regarding Article 17 of Regulation (EU) 2019/2088
January 2021

Should financial advisers who employ less than 3 people be exempt from these? Have your say by 29th of Jan 2021.

In December 2019 the Introduction Regulation (EU) 2019/2088 on Sustainability-related Disclosures in the Financial Sector (“SFDR” or “SF Disclosures Regulation”), came into force. It was amended by the Regulation on the establishment of a framework to facilitate sustainable investment (Taxonomy Regulation). The SFDR will apply generally from 10 March 2021, with certain obligations taking effect later.

The scope of the SFDR is extremely broad. It covers a large range of financial products and “financial market participants” (FMPs). It applies to FMPs across all sectors – fund managers, pension providers, insurance-based investment product providers, MiFID investment firms and credit institutions.

The Regulation also applies to “financial advisers”, including certain insurance intermediaries and providers of investment advice. The SFDR introduces additional disclosure requirements and creates sustainability disclosure obligations for manufacturers of financial products and financial advisers toward end-investors.

The Department of Finance has invited interested parties to make submissions in relation to the exercise of the national discretion in Article 17 of Regulation (EU) 2019/2088. Member States are given discretion as to whether to exempt financial advisers which employ fewer than three persons or to apply the Regulation to these entities.

The consultation period will run to 5pm, 29th January 2021.

Public Consultation on the exercise of the national discretion in Article 17 of Regulation (EU) 2019/2088

By: Elish Larkin
Dear CEO Letter from CBI regarding low level of compliance with Anti-Money Laundering and Terrorist Financing obligations addressed to Schedule 2 firms
January 2021

On the 16th Dec 2020, the CBI published the results of their supervisory engagements with Schedule 2 firms regarding their obligations under the Criminal Justice Act 2010 as amended.

The results show an overall lack of compliance across all areas of the AML/CFT control framework. Poor understanding of the requirements from Board and senior management levels, including at those firms who outsourced their AML/CFT and FS activities to third parties were also noted.

A number of failings across Schedule 2 Firms, were identified:
  • Board Oversight and Governance - failure to demonstrate Boards had taken responsibility for the implementation and ongoing oversight of AML/CFT and FS in a number of firms.
  • Money Laundering/Terrorist Financing Risk Assessment - lack of ongoing and comprehensive assessment and documentation of ML/TF risks that are specific to each firm’s consumers and business activities.
  • Anti-Money Laundering/Counter Financing of Terrorism Policies and Procedures - failure to put in place and implement firm-specific AML/CFT and FS policies and procedures, and failure to review and update these on an ongoing basis.

Director of Enforcement & Anti-Money Laundering, Seána Cunningham said: “The Central Bank expects all firms to be alert to the risks that money laundering and criminal financial activities may pose to their customers and business, and the wider integrity of the Irish financial system.

This requires CEOs and Boards to have in-depth knowledge and understanding of their Anti-Money Laundering and Counter Financing of Terrorism obligations. It is also essential to have the necessary control framework in place to ensure protection of their business and customers.”

Schedule 2 firms were required to register with the Central Bank of Ireland under s.106 of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 with effect from November 2018 in line with the transposition of the 4th EU AML Directive. It is noted that the current process of transposing the 5th EU AML Directive includes a similar requirement for Virtual Asset Service providers (virtual currency wallet holders, etc.) to register with the CBI so these firms should also take note.

Central Bank publishes “Dear CEO” letter to Schedule 2 firms on low level of compliance with Anti-Money Laundering and Counter Financing of Terrorism obligations

By: Judy de Castro
Anti-Money Laundering: Couple sentenced over Money Laundering
January 2021

A couple last month was sentenced at the Special Criminal Court for laundering almost €500,000 through five bank accounts over five years for the Kinahan Organised crime group.

A convicted drug dealer used two of his own bank accounts and three accounts belonging to his partner and the mother of his child. Through a search financial documentation showing the lodgements over a 5-year period indicated that 52 k was spent on airline tickets in three years. 

Both parties were in receipt of employment income or social welfare but lodged over 342k more than their legitimate income. 

This illustrates how vital obtaining information on the source of funds and wealth and undertaking transaction monitoring is for uncovering suspicious activity.

Couple sentenced over money laundering for Kinahans (

By: Judy de Castro
Data Protection Commission (DPC) Guidance on Transfers of Personal Data from Ireland to the UK at the end of the Transition Period (11pm 31st December 2020)
January 2021

The Data Protection Commission in Ireland issued the below update regarding the transfer of personal data from Ireland to the UK once Brexit came into effect.

In short, the transfers may continue for now. For the full text of the update see link below:

Guidance on Transfers of Personal Data from Ireland to the UK at the end of the Transition Period (11pm on 31 December 2020) | Data Protection Commissioner

By: Elish Larkin
Data Protection Commission (DPC) calls for submissions regarding data processing for children, deadline for submissions is 31.03.2021
January 2021

The Data Protection Commission (DPC) has drafted The Fundamentals for a Child-Oriented Approach to Data Processing. These have been drawn up to ensure there are improvements in standards of data processing regarding children’s data and introduce child-specific data protection interpretative principles.

There are also recommended measures that are designed to improve the level of protection afforded to children against the data processing risks. The Fundamentals have been informed by the output of the two-streamed public consultation which the DPC ran during the first half of 2019.

All interested parties have until 31st of March 2021 to make their submissions. Submissions may be made via email or post.

For full details see link:

Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing

By: Eilish Larkin
DPC’s €450K Fine on Twitter: Too little?
December 2020

The Data Protection Commission (DPC) has today announced a conclusion to a GDPR investigation it conducted into Twitter International Company. This decision put an end to an investigation dating back from January 2019 following the identification of a bug that meant that some private messages on twitter from android phone users could be publicly viewed. 

The DPC’s draft decision was the first to go through the GDPR’s dispute resolution process under Article 60 and the first Draft Decision in a big tech case on which all EU supervisory authorities were consulted. In accordance with Article 65(6), where a number of other European Supervisory authorities raise objections in relation to the Irish DPC’s draft decision, and the Irish DPC is of the opinion the objections are not relevant, the matter is referred to the European Data Protection Board (EDPB)’s consistency mechanism. 

The DPC’s final decision is then based on the EDPB’s and must be adopted without undue delay and at the latest by one month after the EDPB has notified its Decision to the DPC.


Stemming from a breach notification from Twitter last year, the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC (within 72 hours) and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as “an effective, proportionate and dissuasive measure.”

Putting this into context, Twitter has 187 million daily users with a 6.48% share of the European Social Media market. Users document their thoughts in “tweets”, which at the time of writing, are limited to 280 characters in the English language. Twitter was recently found to be the 45th most visited website in the world. In terms of the Breach, Twitter informed the Commission that, as far as they can identify, between 5 September 2017 and 11 January 2019, 88,726 EU and EEA users were affected by this bug. 

Twitter confirmed that it dates the bug to 4 November 2014, but it also confirmed that they can only identify users affected from 5 September 2017. In this regard, it is possible that more users were impacted by the Breach. As such, the German, Austrian and Italian Supervisory Authorities would have expected the fine to be greater up to €22 million.

GDPR, which came into effect in May 2018, allows the DPC to fine companies up to 4% of their global turnover of the previous year or €20 million, whichever is greater, for contraventions of these regulations. Due regard is to be given to the nature, gravity and duration of the infringement.

Perhaps Max Schrems, a privacy activist who recently tweeted in response to Twitter’s fine, puts it best: “0.016% of their revenue, in other words, they need 1.5 hours to make that amount in revenue and pay the fine.” As for being a dissuasive and proportionate measure, the extent of this fine may certainly not act as a deterrent.

More information is available here: The European Data Protection Board has published the Article 65 decision and the final decision on its website HERE.

The DPC has published details on twitter available HERE

By Judy de Castro
CP133 - Consultation Paper on Enhancements to the Central Bank Client Asset Requirements as Contained in the Central Bank Investment Firms Regulations
December 2020

On the 3rd December 2020, the CBI opened a consultation and invited electronic submissions by email to by 10 March 2021.

The key elements of the proposals include:

  • Extending the scope and application of the CAR to include credit institutions undertaking MiFID investment business;
  • Introducing new requirements regarding client disclosure and consent, including enhancements applicable to investment firms that have obtained client consent to the use of client financial instruments and investment firms providing prime brokerage services;
  • Introducing new CAR guidance to clarify the Central Bank’s expectations as to how client funds should be segregated;
  • Introducing new requirements, and placing some existing CAR guidance on a legislative footing, in relation to the performance of reconciliations and the treatment of client asset discrepancies and reconciliation differences, and shortfalls and excesses; and
  • Introducing new requirements and CAR guidance on the contents of the Client Asset Management Plan (the CAMP).

The proposed amended rues are fully set out and a 12 month implementation period is envisaged post-publication of any new rules.

The full Consultation Paper is available HERE.

By Judy de Castro
“Dear CEO letter” on Fitness and Probity
December 2020

A recent Central Bank review has found weaknesses regarding compliance with the Fitness and Probity regime (F&P Regime).

The F&P regime was introduced under the Central Bank Reform Act 2010. The regime protects consumers by requiring that persons who occupy senior functions within regulated firms meet the Central Bank of Ireland’s Fitness and Probity Standards. Under these standards people in senior positions are required to be competent and capable, ethical, act with integrity and be financially sound.

Some of the issues discovered include:

  • Level of awareness by Board members of their fitness and probity obligations was poor
  • Lack of due diligence being conducted regarding the outsourcing of Pre-Approval Controlled Functions/Controlled Functions
  • Lack of registers being kept of employees performing PCF or CF roles.

Deputy Governor Ed Sibley said: “The F&P Regime is a cornerstone of the regulatory framework in Ireland. The Central Bank will not authorise firms, and will not approve persons to perform senior functions in regulated firms, where they do not meet our Fitness and Probity Standards and further noted “It is wholly unacceptable that such shortcomings continue to exist in circumstances where the F&P Regime was introduced almost ten years ago. The Central Bank will continue to engage with firms to assess the robustness of their application of the F&P Regime and will initiate necessary supervisory responses to any weaknesses identified.”

For the full text of the CBI press release (which has a link to the Dear CEO letter) – see below:

Central Bank inspection finds weaknesses in firms’ compliance with Fitness & Probity Regime

By Judy de Castro
International Transfers of Personal Data to Third Countries: What to do
December 2020

The European Court of Justice had struck down the US Privacy Shield earlier this year, thereby making personal data transfers to the US and Non EEA countries under this agreement unlawful. This left another option open to transfer data internationally- the European Commission- Standard Contractual Clauses (“SCCs”). SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR. However, the ECJ ruled that use of the SCCs alone did not automatically ensure an adequate level of data protection for GDPR purposes and that “supplementary measures” may be required. This was a significant change and one that created confusion and concern for many companies, large and small. On November 10, 2020, the European Data Protection Board released its Recommendations to help manage the situation and we’ve outlined key points to help you navigate the document, a link is attached below:

  • First and foremost, identify whether you make international transfers of data, including any onward transfers. Records of processing (Article 30 GDPR records) can be useful to tracking where your data goes from automated storage and cloud providers to marketing tools.
  • Check where the data transfers go to. Check if there are third countries that you may send data to that are not deemed adequate by the European Commission and then identify the transfer mechanisms you are relying on to allow data to be transferred (SCCs or Binding Corporate Rules for example).
  • Assess whether the protections in place to transfer data internationally is effective. Companies must consider whether the controls they have in place provide an effective level of protection for personal data in practice, by establishing a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA.
  • Adopt Supplementary Measures, where necessary. These measures can be contractual, technical or organizational in nature.

European Data Protection Board Recommendations Document

By: Judy de Castro

2020 AML Bill Update: Key Committee Stage Amendments
December 2020

The much awaited and late Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 (“the Bill”) has completed the third stage in Dail Eireann, and it is our anticipation that a commencement order enacting the legislation will be signed in the New Year. RegSol previously discussed the Bill in October (available HERE).

To help you navigate some of the nuances of committee stage amendments, we have prepared a summary on virtual asset service providers and express trusts:

Virtual asset service providers:

  • Under the Amended Bill, obligations will be imposed on a wider range of virtual asset service providers (“VASPs”) than those previously identified. For example, a change in terminology from ‘virtual currency’ to ‘virtual assets’ extends to VASPS that exchange, transfer and provide custody between assets and currencies. It also extends to those that participate in, and provide, financial services related to an issuer’s offer or sale of a virtual asset or both.
  • The holder of a VASP registration shall include a statement on relevant material that it is registered and supervised by the Bank for anti-money laundering and countering the financing of terrorism purposes only.
  • FATF recommends that five categories of VASP be supervised rather than the two specified in the fifth AML directive. Measures include for example fitness and probity requirements for senior management and beneficial owners.

Beneficial Ownership -Express Trusts:

Occupation pension schemes, employee share schemes and the Haemophilia HIV Trust have been excluded from the requirement to register. A specific definition of "beneficial owner" for amateur sports bodies and unincorporated charities has been included so that only the trustees, committee, governing body or individuals in control of the trust will have to register rather than every member of a club or every individual who donates to or is assisted by a charity.

By Judy de Castro

Credit Union Levy Regulations
November 2020

The Minister for Finance, Paschal Donohoe TD announced that the Credit Institution Resolution Levy for 2021 will be reduced to 0.0259% of assets (approximately €5 million) and the Credit Union Stabilisation Levy for 2021 will be reduced to 0.0015544% of assets (approximately €300,000).

Collectively the levies of €5.3 million for 2021 will amount to approximately 0.0274% of assets, a reduction of circa 56% from €12 million in 2019 in the context of growing sector assets.

The Credit Union sector had outlined the impact of the levies in its report “The Movement” which was published in July.

Commenting on the ILCU CEO Ed Farrell said, “In relation to the Credit Union Stabilisation Levy, today’s announced reduction by the Minister means credit unions will pay €2.7m less in 2021 than they paid in 2020. Instead of having to pay €3m next year, they will only pay €300,000. This is a significant cost saving for credit unions which will go some way to alleviating the impact of the COVID-19 pandemic on credit union balance sheets. We are delighted that our campaigning for our member credit unions has delivered and we look forward to continuing to work with both Minister Donohoe and Minister Fleming and the Department of Finance on the review of the Policy Framework for Credit Unions announced in the Programme for Government”.

For the government press release click the link below.

Minister Donohoe announces Credit Union Sector Levy Regulations 2020

By Éilish Larkin
Credit Unions - Best Customer Experience for the 6th Year in a Row
November 2020

The CXi survey was conducted by The CX Company, in partnership with Amárach Research, in July/August 2020. A representative cross section of Irish consumers was asked to give feedback on their customer experiences with 150+ companies across ten sectors.

For the 6th year in a row Credit Unions have won the best customer experience. The main theme of the survey this year was front line workers and how they are going above and beyond for their customers in these tough times. Initiatives by credit unions include:

  • Dublin – “Stay local, borrow local campaign” where 27 credit unions grouped together to help local communities support each other during the pandemic.
  • Core Credit Union – cash delivery service for members.
  • Cork – The Lough Credit Union and their loyalty fob scheme.

For more details on the award and the efforts Credit Unions are making for their members in these unprecedented times click HERE

By Éilish Larkin
Central Bank expects lenders to engage with borrowers in financial difficulty
November 2020

The Covid 19 pandemic has impacted on all aspects of life and left no one untouched. For some the impact is minimal for others it has been and continues to be huge. With the reintroduction of level 5 restrictions, many people are no longer able to go to work due to the nature of their employment. Throughout the pandemic, the Central Bank has been very vocal in outlining the conduct it expects of financial service providers, especially lenders dealing with borrowers in difficulty.

At the end of September 2020, Director General Derville Rowland addressed the MABS annual seminar. The speech covered many topics including the stability and soundness of firms, the component parts of financial conduct regulation and Covid and destressed debt. The Director noted “…. given that some borrowers may continue to experience difficulties in returning to loan repayments and require individually tailored supports. In those cases, the Central Bank expects lenders to engage constructively with their customers to ensure appropriate solutions - which can include further forbearance if appropriate to the borrower circumstance - are available.”

With many of the initial payment break agreements coming to an end in the near future the customer first approach of the Central Bank as the Regulator, will hopefully provide some comfort for borrowers in difficulty.

For the full text of the speech click HERE

By Éilish Larkin
Second Motor Insurance Report of the National Claims Information Database Issued
November 2020

The Central Bank of Ireland published on the 3rd of November the second annual Private Motor Insurance Report of the National Claims Information Database (NCID). The Report is being published to improve the overall transparency of the private motor claims environment. As well as providing an analysis of the cost of claims, the cost of premiums, how claims are settled, variance in and components of settlement costs, it is expected that the Report will inform policymaking.

All insures selling private motor insurance in Ireland were required to submit data to the NCID.

Among key points, the Report notes that between 2009 and 2019:

  • The average cost of a claim rose 65% while the frequency of claims fell 45%
  • Cost of claims per policy fell 9% while the average earned premium per policy rose 35%
  • Claims costs were 72% of earned premium between 2009 and 2019
  • 2009 had a loss ratio of 88%; 2019 had a loss ratio of 59%

The new data collected for this report shows us that for claimants who settled injury claims in 2019:

  • 39% settled before Personal Injuries Assessment Board (PIAB)
  • 13% settled directly, after PIAB
  • 14% settled through PIAB
  • 31% settled through litigation, before a court award
  • 2% settled through litigation, with a court award

Of the claimants who settled injury claims through litigation during 2015 to 2019, 85% settled for less than €100K. For these claimants the average compensation was €23,572 and average legal costs were €14,949.

The new data collected for this report shows us that for claimants who settled injury claims in 2019:
  • 39% settled before PIAB
  • 13% settled directly, after PIAB
  • 14% settled through PIAB
  • 31% settled through litigation, before a court award
  • 2% settled through litigation, with a court award
This report lays out the cost of insurance in Ireland for all to see. Those in the industry have laid the root of pricing increases down to an emergent compensation culture, but from the looks of it, the Central Bank is grounding the issue in pricing as the main issue. Overall, premiums are falling, down 9% from the high point in Q2 of 2018:

Click HERE to read the Central Bank Press Release

By Judy de Castro

British Airways – largest ever fine imposed by the UK’s Information Commission Office
November 2020

The UK data protection watchdog, the Information Commissioner’s Office (ICO) has fined British Airways £20m, for failing to protect data that left more than 400,000 of its customers' details the subject of a 2018 cyber-attack. Originally a fine of £183m was mentioned however the impact of Covid-19 on the aviation industry was taken in to account. Despite the drop the fine is the largest imposed to date.

Information Commissioner Elizabeth Denham noted “When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,"

For the full BBC article click HERE

By Éilish Larkin
Children’s Data: Ireland’s Data Protection Commissioner Launches Inquiry into Facebook/Instagram
November 2020

On the 19th of October, the Data Protection Commissioner issued a press release to announce that it will assess Facebook’s/Instagram’s reliance on certain legal bases to process children’s personal data on Instagram. It will also look at whether adequate protections and restrictions on this platform are appropriate or adequate for children. Account settings and profiles will be examined with respect to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons.

In Ireland, children below the age of 16 (the age of digital consent) cannot give consent to online service providers to process their personal data. If consent to process personal data is requested by the online service provider for the child to access the service, parental consent must be given. Reasonable efforts must be made by the service provider to verify that consent is given by the holder of parental responsibility. Another challenge here is that across the EU there are varying ages of consent, in Spain it is 13, in Austria it is 14. The European Data Protection Board has asked organisations to refrain from creating individual profiles of children and tracking their personal data for marketing and legitimate interests. Guidelines also advise that data processing information addressed to a child should be clear and in plain language.

Facebook/Instagram could face a large fine if found to have broken privacy laws. According to the BBC, Facebook/Instagram what prompted this latest inquiry is that Instagram published email addresses and phone numbers of children under the age when their accounts were switched to a business account.

With a total of 10 inquiries opened in relation to Facebook’s/instagram’s approach to data protection, including glitches where passwords for hundreds of millions of users were stored in readable format on its internal servers last year, we await to see where all these inquiries go.

Click HERE to read more by the DPC

By Judy de Castro

Beneficial Ownership Update: Investment Limited Partnerships (Amendment) Bill 2020
November 2020

The new Bill introduces requirements around beneficial ownership to Investment Limited Partnerships and common contractual funds. The Bill will require the General Partner of an investment limited partnership and the management company of a Common Contractual Fund to establish and maintain a register of beneficial ownership and to submit that information to the Central Bank for inclusion on the Central Bank’s central register of beneficial ownership of certain financial vehicles. A “beneficial owner” means: any individual who

(a) ultimately is entitled to or controls, whether the entitlement or control is direct or indirect, more than a 25% share of the capital or profits of the partnership/CCF or more than 25% of the voting rights in the partnership/CCF, or

(b) otherwise controls the partnership/CCF.

The Bill also provides that the Central Bank can verify PPSN information pertaining to beneficial ownership registers it operates by proposing an amendment to the Social Welfare Consolidation Act 2005.

So, for those of you performing due diligence checks on these structures, update your procedures accordingly.

By Judy de Castro
Transaction Monitoring: Central Bank issues Bulletin
November 2020

The Central Bank of Ireland (CBI) has released a Bulletin to remind regulated entities they supervise that the Act specifies that a designated person must monitor customer transactions. The purpose of this is to identify transactions that may be suspicious in nature. The Central Bank expects that the intensity of monitoring should be in step with the complexity and scale of those transactions so that the risk of ML/TF is also factored in.

The Central Bank therefore expects to see connectivity between a designated person’s Business Wide Risk Assessment, CDD, transaction monitoring, and Suspicious Transaction processes. A designated person should have sufficient and up to date information on file obtained during the CDD process to determine whether transactional activity is suspicious.

Some of the key findings the Central Bank identified are:

  • No triggers for controls to reflect any new risks or potential new risks arising from the disruption caused to the financial system e.g. new threats that have become evident during the COVID-19 pandemic as detailed in FATF’s “COVID-19-related Money Laundering and Terrorist Financing” paper in May
  • Time delays in reviewing and assessing unusual activity resulting in delays in reporting suspicious transactions to the relevant authorities
  • The use of generic monitoring thresholds across varying product, service, or customer types which do not reflect the nuances of expected transaction patterns of those customer/product/service types

The Central Bank expects designated persons to review the Bulletin and update their controls as required. 

Click HERE to view the bulletin.

By Judy de Castro
Focus on Senior Executives: End of the CBI Inquiry into persons concerned with the management of Quinn Insurance Limited (Under Administration), (“QIL”)
October 2020

The story of Quinn Insurance Limited is a long one with many twists and turns. The notice of a Settlement Agreement issued on 3rd September 2020 marks the end of the Central Bank of Ireland, (CBI) inquiry.

In October 2008, the CBI entered into a Settlement Agreement with Quinn Insurance Limited for breaches of its obligations under the Insurance Acts and regulations, including a failure by the firm to notify the CBI prior to providing loans to related companies. The penalty imposed was €3.25 million.

In March 2010 Quinn Insurance Limited went into administration on foot of an application to the High Court by the Central Bank.

In February 2013, the CBI entered into another Settlement Agreement with Quinn Insurance Limited (Under Administration) for further breaches of the Insurance regulations. They included:

· No adequate procedures or controls to manage assets representing its technical reserves. The board of the firm was unaware that its subsidiaries had guaranteed Quinn group debt up to €1.2billion

· The firm had failed to maintain an adequate solvency margin. As at 31.12.2009 the margin was minus 250% a shortfall of €830 million in its assets.

The penalty of €5 million was waived as the company is in administration.

In 2015 the Central Bank started an inquiry into “persons concerned in the management of Quinn Insurance Limited (Under Administration), (“QIL”)”. The investigation concerned a suspected breach of Regulation 10(3) of the European Communities (Non-Life Insurance) Framework Regulations 1994 (S.I. 359/1994), which related to the soundness and adequacy of the administrative and accounting procedures and internal control mechanisms of QIL.

The individuals were named as Mr Liam McCaffrey and Mr Kevin Lunney. They brought a High Court challenge to the investigation and inquiry and this was decided in favour of the Central Bank in 2017.

Once the decision was handed down, the inquiry looked at the guarantees provided by the QIL subsidiaries against loans of the wider Quinn Group without the knowledge of the insurer’s board or investment committee.

As noted in the Irish Times (in an article from 3rd September 2020), “The guarantees undermined the ability of QIL to rely on the subsidiary assets to form part of a reserve of money set aside to meet insurance claims, if necessary…..”

The enquiry has now ended, and settlement agreements have been entered in to by the Central Bank with both Liam McCaffrey (in December 2019) and with Kevin Lunney (in September 2020). No details regarding the terms of the settlement have been published.

From the Settlement Agreements and inquiries, it is very clear that the CBI expects regulated financial service providers to have robust corporate governance procedures in place and that all directors must take their duties and responsibilities very seriously.

Do you have any questions on Directors Duties?

Reach out to us at for information on our training courses and consultancy services.

See the settlement agreement notices links below:

Central Bank of Ireland and Liam McCaffrey

Central Bank of Ireland and Kevin Lunney

By Eilish Larkin
Regulatory Consultant
KBC Bank Ireland plc Remanded and Fines €18,314,000 by Central Bank of Ireland for Regulatory Breaches Affecting Tracker Mortgage Customer Accounts
October 2020

Almost as high as Permanent TSB’s €21 million discussed on this blog previously HERE, we had predicted that more was to come with respect to the Central Bank’s Tracker Mortgage investigations.

KBC has admitted to 12 regulatory breaches with respect to for example, the Consumer Protection Code, which were identified during the Central Bank’s investigation. These breaches occurred as a result of the following:
  1. A proactive strategy to convert customers off their tracker rates;
  2. Failure to adequately warn customers entering into interest only or fixed rate periods that they would be unable to return to their tracker rates, at a time when KBC was withdrawing tracker products;
  3. Failure to adequately comply with the Central Bank’s Framework for the TME;
  4. Failure to adequately comply with the Stop the Harm Principles of the TME;
  5. Provision of incorrect information to the Regulator in respect of KBC’s treatment of certain tracker customers; and
  6. Operational & Systems failings.

The Central Bank determined that the appropriate fine was €26,162,857, which was reduced by 30% to €18,314,000 in accordance with the settlement discount scheme and will be paid to the Exchequer. This fine is in addition to the €153,524,363 that KBC has been required to pay to date in redress and compensation and account balance adjustments under the TME to its impacted tracker mortgage customers.

The Central Bank also expressed its dissatisfaction with KBC as highlighted in the following excerpt:

“The Central Bank has imposed a fine at the highest end of its sanctioning powers, reflecting the gravity with which the Central Bank views KBC’s failures. The impact of KBC’s failings on its customers, which related to 3,741 accounts, was devastating and included significant overcharging and the loss of 66 properties. Additionally, KBC’s engagement and co-operation with the Central Bank’s Tracker Mortgage Examination (the “TME”) was deeply unsatisfactory.”

To view the full statement click HERE

By Judy de Castro
Regulatory Consultant
Dear CEO Letter: Thematic Review: Verification of Data Submitted in Retail Intermediaries Annual Returns
October 2020

The Central Bank requires all retail intermediary firms to submit an annual return comprising general, financial, ownership, and conduct of business information. The Dear CEO Letter issued at the end of August 2020 addressed to brokers identified a number of action items to be taken with the submission of Annual Returns:

  1. To strengthen procedures and controls to ensure they are compliant with obligations to submit complete and accurate annual returns in a timely manner.
  2. To discuss this letter at the next Board meeting (or equivalent meeting in the absence of a Board) and record the discussion in the meeting minutes.
  3. To voluntarily revoke authorisations where a firm is not actively using them.
  4. Put in place robust procedures and controls to ensure they are compliant with the obligations attendant to their authorisation, in particular, the requirements to maintain a net positive asset position and prepare audited accounts annually

Click HERE to view the letter.

By Judy de Castro
Regulatory Consultant
Who is the Controller and Who is the Processor?
October 2020

On September 7, 2020, the European Data Protection Board (“EDPB”) released guidelines on the concepts of controller, joint controller and processor in the EU General Data Protection Regulation.

Often a bone of contention amongst those who draft contracts, controllers determine the purposes and means of processing, the why and how of processing, while processors cannot process data without the controller’s instructions.

Contention arises on where the line is drawn on those decisions, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent.

Click HERE to read the guidelines.

By Judy de Castro
Regulatory Consultant