RegSol Blog


RegSol Blog Posts

IAF – Proposed Regulations for Business Standards
April 2024

As previously noted (see RegSol’s blogpost here), while the Common Conduct Standards and the Additional Conduct Standards under the Central Bank (Individual Accountability Framework) Act 2023 became effective on 29th December 2023, the Business Standards were being developed as part of the Central Bank’s review of the Consumer Protection Code 2012.

As the Consumer Protection Code review has moved to Consultation phase and alongside the publication of the proposed Consumer Protection regulations, the Central Bank has also published proposed regulations containing the Business Standards applicable under IAF – ‘CENTRAL BANK REFORM ACT 2010 (SECTION 17A) (STANDARDS FOR BUSINESS) REGULATIONS 20[ ]’.

You can access the proposed Standards for Business Regulations here: Draft Central Bank Reform Act 2010

See RegSol’s CPD training timetable here: www.regsol.ie/cpd for next available sessions on IAF.
Central Bank Launches CP158 - Consumer Protection Code Review
April 2024

On the 7th March 2024, following an extensive engagement exercise with a range of stakeholders, the Central Bank launched Consultation Paper 156 ‘Consultation Paper on the Consumer Protection Code’. The main thrust of CP158 is the replacement of the Code with Conduct of Business Regulations which retain the majority of the existing CPC but also have additions and amalgamate certain other CBI Codes such as the Code of Conduct on Mortgage Arrears.

The full text of the proposed ‘CENTRAL BANK (SUPERVISION AND ENFORCEMENT) ACT 2013 (SECTION 48) (CONDUCT OF BUSINESS) REGULATIONS 20[ ]’ are attached to the Consultation Paper. The consultation period runs for 3 months to the 7th June 2024 and submission can be made via email to codereview@centralbank.ie

This consultation marks phase two of the review project with phase 3 involving implementation of the revised conduct of business rules which the CBI has indicated will likely occur in early 2025.

You can access the full Consultation Paper here: Code Review Consultaion Paper March 2024

You can access the proposed Consumer Protection Regulations here: Central Bank (Supervision and Enforcement) Act 2013

As mentioned above, RegSol is currently compiling a White Paper of changes/additions to the existing consumer protection code requirements which will be circulated to our clients soon.


EU Developments - New AML/CTF Rules Agreed
April 2024

Parts of the new anti-money laundering package, which aims to shield EU citizens and the financial system from money laundering and terrorist financing, have been provisionally agreed by the European Council and the European Parliament.

See our article here for some key points to be aware of including, a Single AML rulebook, Customer Due Diligence measures, Beneficial Ownership and AMLA

In RegSol we have deep specialist knowledge of the industry issues affecting Designated Persons. We are uniquely well-positioned to guide our clients through the challenging times ahead, so please don't hesitate to contact a member of our team to discuss these or any other topics of concern.
Trusting the Gatekeepers AND the Enforcers! Central Bank F&P Process Review in the context of New IAF Powers
April 2024

The Central Bank of Ireland has commissioned an independent Review of its decision-making process with respect to PCF role applicants.

The decision to review its process for applications under the fitness & probity regime for pre-approved control functions came after an IFSAT judgment which was highly critical of the Central Bank’s process in refusing to approve an individual seeking to be appointed to the Board of an Irish Fund. The tribunal chaired by former Supreme Court judge John MacMenamin, categorised the regulator’s decision-making process in the case as “flawed” and found that the appellant (PCF applicant) was “denied fair procedures at every stage of the process”.

See our CEO AnneMarie’s insights and commentary on the Review here.

Fitness & Probity Update – New Controlled Functions
April 2024

There has been a number of developments regarding the Fitness & Probity regime, arising out of the implementation of the Individual Accountability Framework (IAF). See our blogpost on IAF Framework Update here.

Most recently, the CBI published two sets of Regulations to designate Controlled Functions (CFs) and Pre-Approval Controlled Functions for regulated financial service providers (RFSPs) and in-scope holding companies. Both Regulations are effective since 29th December 2023.

New Controlled Functions

Role Holder

CF

Head of Client Asset Oversight (Credit Institutions)

PCF-53

Head of Material Business Line (Insurance Undertakings)

PCF-54

Head of Material Business Line (Investment Firms)

PCF-55

Chairperson of the Board of the Holding Company

HCPCF-1

Director of the Holding Company

HCPCF-2

 

 

A function in a position to exercise a significant influence on the conduct of the affairs of a holding company

HCCF-1

A function which is related to ensuring, controlling, or monitoring compliance by a holding company with its relevant obligations (HCCF-2)

HCCF-2

 To reflect the changes to the PCF and CF roles, the CBI has published an updated list of PCFs and an updated list of CFs, together with two publications notifying of the changes in respect of RFSPs and holding companies.

Compliance Masterclass for Financial Brokers - CPD Day Galway
April 2024

We are hosting a Compliance Masterclass exclusively for Financial Advisors on Thursday 25th April 2024 at the Harbour Hotel, Galway. With the CBI's recent publication of CP158 as part of the Consumer Protection Code Review, IAF certification on the horizon and agreement on the text of the EU AML Regulation imminent, now is a good time to delve into these areas with RegSol’s compliance experts on hand. Leverage our knowledge to get up to date and be assured you're on the right track!

Compliance Masterclass for Financial Advisors - CPD Day GALWAY Tickets, Thu 25 Apr 2024 at 09:00 | Eventbrite






RegSol White Paper on CPC Review
April 2024

The Central Bank of Ireland is conducting a comprehensive review of the Consumer Protection Code 2012.

On 7th March 2024, following an extensive engagement exercise with a range of stakeholders, the Central Bank launched Consultation Paper 158. The main thrust of CP158 is the replacement of the Code with Conduct of Business Regulations, which retain the majority of the existing CPC but also have additions and amalgamate certain other CBI Codes such as, the Code of Conduct on Mortgage Arrears.

As Consumer Protection is one of our core areas of expertise, at RegSol we have been tracking the development of the Consumer Protection Code Review over the past number of years.

As such, we have developed a White Paper designed to support Financial Advisors in reviewing and assessing the potential impact of CP158 on compliance policies and procedures, processes, and/or systems.

Our White Paper will be circulated to our clients shortly setting out a summary of the key changes/additions to the Code and note how many of these discussion themes have translated into specific Regulations within the proposed statutory instrument. We then set out a full regulation by regulation breakdown highlighting material impacts on existing compliance frameworks.

We pride ourselves on being up to date on key regulatory changes and alongside this White Paper, our team of experienced consultants will be delivering timely and relevant CPD training content to accompany our practical guidance.

If your firm requires support in preparing for the Consumer Protection Regulations, please do not hesitate to contact us at info@regsol.ie or 01 539 4884.
IAF – CBI Proposes Regulations for Business Standards
March 2024

As previously noted (see here Individual Accountability Framework Update ), while the Common Conduct Standards and the Additional Conduct Standards under the Central Bank (Individual Accountability Framework) Act 2023 became effective on 29th December 2023, the Business Standards were being developed as part of the Central Bank’s review of the Consumer Protection Code 2012.

As noted separately (LINK FOR ABOVE ARTICLE), the Consumer Protection Code review has moved to Consultation phase and alongside the publication of the proposed Consumer Protection regulations the CBI has also published proposed regulations containing the Business Standards applicable under IAF – ‘CENTRAL BANK REFORM ACT 2010 (SECTION 17A) (STANDARDS FOR BUSINESS) REGULATIONS 20[ ]’.

You can access the proposed Standards for Business Regulations here:

Draft Central Bank Reform Act 2010 Section 17a Regulations
Central Bank of Ireland Launches CP158 – Consumer Protection Code
March 2024

On 7th March 2024, following an extensive engagement exercise with a range of stakeholders, the Central Bank launched Consultation Paper 156 ‘Consultation Paper on the Consumer Protection Code’. The main thrust of CP158 is the replacement of the Code with Conduct of Business Regulations which retain the majority of the existing CPC but also have additions and amalgamate certain other CBI Codes such as the Code of Conduct on Mortgage Arrears.

The full text of the proposed ‘CENTRAL BANK (SUPERVISION AND ENFORCEMENT) ACT 2013 (SECTION 48) (CONDUCT OF BUSINESS) REGULATIONS 20[ ]’ are attached to the Consultation Paper. The consultation period runs for 3 months to the 7th June 2024 and submission can be made via email to codereview@centralbank.ie.

This consultation marks phase two of the review project with phase 3 involving implementation of the revised conduct of business rules which the CBI has indicated will likely occur in early 2025.

You can access the full Consultation Paper here:

CP158 - Consultation Paper on the Consumer Protection Code 

You can access the proposed Consumer Protection Regulations here: 

CENTRAL BANK (SUPERVISION AND ENFORCEMENT) ACT 2013

RegSol is currently compiling a white paper of changes/additions to the existing consumer protection code requirements. To register your interest in receiving this white paper please email info@regsol.ie with subject ‘CPC’.
Central Bank of Ireland Enforcement Action
March 2024

On 27th February 2024, the Central Bank of Ireland (CBI) issued an enforcement action against Goodbody Stockbrokers Unlimited Company (Goodbody) and fined the company €1,225,000 pursuant to the Market Abuse Regulations (MAR).

Goodbody engages in arranging and executing transactions under MAR and breached its obligations under Article 16(2), which requires the effective maintenance of “arrangements, systems and procedures to detect and report suspicious orders and transactions”.

Goodbody breached its obligations in the period July 2016 to January 2022 by failing to establish and maintain effective arrangements, systems and procedures to detect suspicious orders and transactions that could constitute insider dealing, market manipulation or attempted insider dealing or market manipulation. 

The contravention comprised the following failings by Goodbody:
  1. Risk Identification – Goodbody failed to adequately document its approach to the identification of market abuse risk.

  2. Risk Monitoring – Significant gaps were identified in Goodbody’s control environment for market abuse monitoring including gaps in design and operational effectiveness of its trade surveillance.

  3. Governance Arrangements – a number of failings were identified with regard to Goodbody’s governance framework, which undermined the firm’s ability to put in place effective arrangements, systems and procedures to detect and report suspicious orders and transactions.

  4. Third line of defence – Goodbody failed to ensure a clear boundary between the lines of defence at all times.
The Central Bank determined the appropriate fine to be €1,750,000, which was reduced by 30% to €1,225,000 by way of a settlement discount.

The full press release can be found here.
New Regulatory and Supervisory Outlook 2024
February 2024

Central Bank warns of risks coming from payment and e-money sector

The Central Bank of Ireland has today published a new Regulatory and Supervisory Outlook 2024 (RSO) – the first of what will be an annual report setting out the Central Bank’s view on the key trends and risks facing the financial sector, along with the regulatory and supervisory priorities it has set in the context of those risks.

The risk outlook includes its consideration of the global environment within which the financial sector is operating, along with the overarching risk landscape facing the financial system, grouped broadly into the following themes:

a) Risks driven by the macroeconomic and geopolitical environment,

b) Risks driven by the way regulated entities operate and respond to today’s changing world,

c) Risks driven by longer term structural forces at play.

The RSO follows the warning that came in the Governor of the Central Bank’s annual Letter to the Minister for Finance which warned of the heightened risk level associated with both the payment and e-money sector and the investment fund sector.

The Governor said concerns about the payment and e-money sector reflect significant control weaknesses found in firms operating in this market, "where their rates of growth and ambition have outpaced their operational, governance, compliance and risk management capabilities."

"Risks in the funds sector reflect structural vulnerabilities in parts of the sector such as leverage and liquidity mismatches, the impact of market volatility, market conduct risks, and the degree of interconnectedness with the wider financial system and economy"

The Letter also outlines the Central Bank’s financial regulation priorities for 2024 including:
  • Putting in place a revised and modernised Consumer Protection Code (CPC);
  • Implementing the Individual Accountability Framework (IAF) to embed the new standards in regulated entities; and
  • Preparing for the implementation of the Digital Operational Resilience Act (DORA).
If you want to gain a better understanding about the CPC, IAF and DORA, RegSol are running a range of CPD training sessions for 2024. See our timetable here: www.regsol.ie/cpd for next available sessions.
Trusting the Gatekeepers AND the Enforcers!
February 2024

Central Bank F&P Process Review in the context of New IAF Powers

As reported in news media recently (see for example The Irish Times on 15th February 2024) the Central Bank of Ireland has commissioned an independent review of its decision making process with respect to PCF role applicants. This process forms part of its ‘gatekeeper’ function as the financial services regulator.

In this article, RegSol CEO, AnneMarie Whelan BL, looks at this process review in the context of new CBI powers under IAF.

Decision

The decision to review its process for applications under the fitness & probity regime for pre-approved control functions came after an IFSAT judgment which was highly critical of the Central Bank’s process in refusing to approve an individual seeking to be appointed to the Board of an Irish Fund.

The tribunal chaired by former Supreme Court judge John MacMenamin, categorised the regulator’s decision-making process in the case as “flawed” and found that the appellant (PCF applicant) was “denied fair procedures at every stage of the process”.

The tribunal didn’t find that the decision of the Central Bank itself was correct or incorrect but the judgement concludes that “The tribunal is satisfied that taken cumulatively – or even individually – the various procedures adopted by the Central Bank did not comply with the requirements of Constitutional and natural justice; including the necessity for fair notice; the duty to give reasons; and the observance of the principle of audi alterem partem (hear the other side)”.

Unsurprising?

The criticisms contained in the judgment probably don’t come as a huge surprise to those of us who have submitted individual questionnaires or otherwise engaged in the PCF approval process with the Central Bank of Ireland. At RegSol, whether through supporting authorisation applications for new entities, providing guidance to existing entities on change of personnel, or indeed through taking on PCF roles ourselves on an outsourced basis, invariable we see comments and questions come back on IQs that request further detail. Over the years, we have observed a process that often places the onus on the applicant and/or the proposing entity to nearly guess what it is the Central Bank is really asking or looking for when comments or objections are raised in individual applications.

Thankfully, we’ve not seen too many refusals in this context but given the levels of applications withdrawn on an annual basis one wonders if there are more similar cases to the one at hand out there.

Assuring?

It provides some reassurance to see the Central Bank take the criticisms on board and take an immediate decision to independently review the process. This is particularly so in the context of the Individual Accountability Framework and the new enhanced enforcement powers the Central Bank now have to target individuals for breaches of conduct standards.

While the Central Bank’s mission is quite rightly focused on ‘monetary & financial stability’, it’s Vision specifically includes being ‘A trusted organisation that is working towards the public good in a transparent, effective and accountable way’. Fundamentally, if we can’t trust an organisation with respect to processes in place since Fitness & Probity was formally introduced in 2011, it raises concerns with respect to the introduction of new powers, especially enforcement powers, and adds weight to the misgivings we have heard expressed by some current CF role holders.

New Enforcement Processes

Under the existing Fitness & Probity regime, the Central Bank have always had the ability to target persons involved in the management of regulated financial service providers and have, in fact, imposed penalties (including fines and disqualifications) on a number of individuals to date through the Administrative Sanctions Procedure. The difference under IAF however is that there is no longer a need for the link to an entity breach i.e. the Central Bank no longer have to establish that the regulated entity committed a breach first, they can simply target the actions (or inaction) of relevant controlled function role holders.

On the one hand, this absolutely makes it easier for the Central Bank to enforce upon individuals and proposed processes in this regard absolutely merit significant scrutiny. On the other hand, however, the Central Bank has already engaged in a 12 week public consultation on the proposed processes and provided it’s Feedback Statement ( https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp154/feedback-statement-to-cp154.pdf ) . It has also clearly balanced up the need to enforce and the potential impact on individuals by including certain protective measures e.g. where a settlement is agreed and is based on admissions, a High Court order is required to confirm the sanctions imposed. Practical changes include allowing for earlier disclosure of documents to subjects of investigations and the Central Bank has published the methodologies for deciding on monetary penalties.

Going Forward


While the IFSAT decision may add to concerns or perceptions about the Regulator’s approach to senior executives in particular, perhaps it’s better we see the Central Bank take stock now before it embarks on its first enforcement under IAF!Can we help? If you are looking for support in making a PCF application or trying to navigate the new world of IAF feel free to get in touch at info@regsol.ie

Frankfurt for AMLA
February 2024

On Friday 23rd February 2024, it was announced that the European Council and the European Parliament representatives reached an agreement on the seat of the future European authority for Anti-Money Laundering and Countering Terrorist financing (AMLA). 

In this article, RegSol compliance consultant, Laura Kilbane LCI, looks at the timeline for establishment and the knock on impact for the proposed AML Regulations highlighted in last month's newsletter. 

AMLA will be based in Frankfurt, Germany. The body will be fully operational by mid-2025 and will have over 400 staff members. This number is expected to grow to the thousands. The location of the seat will be included in the AMLA Regulation and formally adopted as part of the text.

Nine member states submitted applications to host AMLA: Belgium (Brussels), Germany (Frankfurt), Ireland (Dublin), Spain (Madrid), France (Paris), Italy (Rome), Latvia (Riga), Lithuania (Vilnius) and Austria (Vienna). Frankfurt received a majority of votes on the first round of voting and was chosen to host the agency.

What will AMLA do?

AMLA will increase the effectiveness of the anti-money laundering and countering the financing of terrorism (AML/CFT) framework by establishing an integrated mechanism with national supervisors to ensure obliged entities comply with AML/CFT-related obligations in the financial sector, given the cross-border nature of financial crime. In addition, AMLA will coordinate member state financial intelligence units and play a supporting role in non-financial industries. 

AMLA will directly supervise certain types of credit and financial institutions, including crypto asset service providers, if they are considered high-risk or operate across borders. AMLA will select credit and financial institutions that represent the highest risk to the financial system across member states. The selected obliged entities will be supervised by joint supervisory teams led by AMLA that will carry out assessments and inspections. AMLA will supervise up to 40 groups and entities in the first selection process. Supervision will remain at a national level for all other obliged entities. 

For the non-financial sector, AMLA will have a supporting role, carrying out reviews and investigating possible breaches in the application of the AML/CFT framework. AMLA will have the power to issue non-binding recommendations. National supervisors will be able to voluntarily set up a college for a non-financial entity operating across borders if deemed needed.

What next?

The AMLA is part of a wider package of laws to reform the EUs AML/CTF Framework. The entire package has now been provisionally agreed, so this will now need to be formally adopted by the European Commission and the European Parliament, before it can enter into law. The vote is expected to be held in April.

Once adopted, the AML Regulation will apply from June 2025.

If you want to learn more about how the AML Regulation will impact your firm, RegSol are running a range of AML Training CPD sessions for staff, Directors and MLROs. See our timetable here: www.regsol.ie/cpd for next available sessions. 
Dublin bids to host AMLA
January 2024

Ireland has presented its case for hosting EU’s new Anti-Money Laundering Authority (AMLA) in Dublin before a joint hearing of the European Parliament and EU Council. Dublin is among 9 cities seeking to host AMLA.

Michael McGrath, the finance minister, and Jennifer Caroll MacNeill, the junior finance minister pointed to Dublin’s connectivity, it’s financial services sector and the presence of large technology and fintech firms in the capital, as key reasons to locate the new body in Dublin. “Dublin has the right mix to make sure that AMLA is a success. Ireland has a long record of being a constructive member of the EU in rooms like this,” McGrath said, adding that the government has committed €80 million to help set up the new body.

The authority is being set up to counter money laundering and financial terrorism across the EU and will supervise entities in both the financial services sector and in the non-financial sector. It is hopeful that the body will be fully operational within a year and will start off with an employee base of between 250 – 400. This number is expected to grow to the thousands.

A final decision on the host city for AMLA is expected on February 22nd. More information on Dublin’s bid can be found here.
European Council: New AML/CTF Rules Agreed
January 2024

Parts of the new anti-money laundering package, which aims to shield EU citizens and the financial system from money laundering and terrorist financing, have been provisionally agreed by the European Council and the European Parliament.

The European Commission put forward its package of AML reforms back in 2021. At the time, new regulations were proposed to strengthen EU AML/CTF laws, achieve greater harmonisation and create a common supervisory culture.

Here are some key points to be aware of:

1. A Single AML rulebook

With the publication of the AML single rulebook, businesses may anticipate more precise and understandable guidelines for how to fulfil their AML/CFT requirements. Future technical standards will be added to the relevant rules currently held in 4AMLD and reformed as immediately applicable provisions under the new AML Regulation.

2. The Regulatory reach is expanding

The proposals expand the range of obliged entities to include certain financial and non-financial sector participants. Notable among the new additions are crypto asset service providers (CASPS) and crowdfunding service providers. CASPS must apply CDD measures when carrying out transactions amounting to €1,000 or more.

3. Cash Payments

An EU-wide maximum limit of €10,000 will be set for cash payments, with member states retaining the discretion to impose a lower maximum. Obliged entities will also be required to identify and verify any person who carries out an occasional transaction in cash between €3,000 and €10,000.

4. Customer Due Diligence measures

The draft AML Regulation provides further detail on customer identification and verification practices, including the conditions under which electronic identification can be used. Standard data sets for the identification of natural and legal persons are expected to follow in the form of technical standards.

5. Beneficial Ownership

It looks like the existing 25% beneficial ownership threshold will remain the same, however, there may be potential impact on firms’ beneficial ownership obligations:
  • The concept of control is given additional prominence as an integral element of beneficial ownership, with further clarity provided on the meaning of “control by other means”. Firms will need to ensure their assessments of beneficial ownership properly incorporate the concepts of both ownership and control as defined under the new rules.
  • The Commission’s original proposal indicated that beneficial ownership should be assessed “on every level of ownership”. The Council’s recent press release confirmed that “related rules applicable to multi-layered ownership and control structures are also clarified to make sure hiding behind multiple layers of ownership of companies won’t work anymore”.
  • Information submitted to the central register of beneficial ownership will need to be verified.
  • Real estate registers will need to be accessible to competent authorities through a single access point.
6. AMLA

Working with national supervisors, AMLA will be at the centre of a new, integrated EU supervisory system. It will be very important in terms of oversight, implementation, and creating technical standards. The provisional agreement reached last month indicates that AMLA can supervise up to 40 groups and entities in the first selection process. These will include certain types of credit and financial institutions, including most crypto asset service providers. For all other obliged entities, supervision will remain primarily at national level.



What Next?

Once approved formally by the Parliament and the Council, the final texts will be published in the Official Journal. Firms will need to review these carefully and start thinking about how their AML/CFT (and sanctions) frameworks will need to adapt.

In RegSol we have deep specialist knowledge of the industry issues affecting the sector. We are uniquely well-positioned to guide our clients through the challenging times ahead, so please don't hesitate to contact a member of our team to discuss these or any other topics of concern.
Central Bank of Ireland: Fitness & Probity Update – New Controlled Functions
January 2024

There has been a number of developments regarding the Fitness & Probity regime, arising out of the implementation of the Individual Accountability Framework (IAF). See our blogpost on IAF Framework Update here.

Most recently, the CBI published two sets of Regulations to designate Controlled Functions (CFs) and Pre-Approval Controlled Functions for regulated financial service providers (RFSPs) and in-scope holding companies. Both Regulations are effective since 29th December 2023.

New Controlled Functions

Role Holder

CF

Head of Client Asset Oversight (Credit Institutions)

PCF-53

Head of Material Business Line (Insurance Undertakings)

PCF-54

Head of Material Business Line (Investment Firms)

PCF-55

Chairperson of the Board of the Holding Company

HCPCF-1

Director of the Holding Company

HCPCF-2

 

 

A function in a position to ecercise a significant influence on the consuct of the affairs of a holding company

HCCF-1

A function which is related to ensuring, controlling, or monitoring compliance by a holding company with its relevant obligations (HCCF-2)

HCCF-2


To reflect the changes to the PCF and CF roles, the CBI has published an updated list of PCFs and an updated list of CFs, together with two publications notifying of the changes in respect of RFSPs and holding companies.
Central Bank of Ireland: Notice of Intention to Recognise Sustainability Knowledge in MCC
December 2023

On 24th November 2023, the Central Bank of Ireland (“CBI”) published a notice of intention confirming that it intends to recognise sustainability knowledge and competence as part of the Minimum Competency Code 2017 (“MCC”), with effect from 1st January 2025.

The CBI proposes to:
  • Update competencies for retail financial products under Appendix 3 of the MCC to include competencies relating to sustainability generally for all retail financial products (including insurance products)
  • Incorporate additional amendments to the MCC to reflect the suitability requirements under the Markets in Financial Instruments Directive II (“MIFID II”) and the Insurance Distribution Directive (“IDD”).
  • Recognise sustainability training for CPD purposes where directly relevant to a persons role.
These changes will come into force for anyone selling or providing financial advice or services that incorporate a sustainability element.

Queries are invited to be submitted to the CBI by 5th January 2024.

The full Notice of Intention can be read here.
Central Bank of Ireland: Administrative Sanctions Procedures Guidelines
December 2023

The Central Bank of Ireland (“CBI”) has published updated administrative Sanctions Procedure (“ASP”) Guidelines together with a feedback statement on its Consultation on the draft ASP Guidelines initially issued in June this year.

The enhanced ASP is designed to underpin and support the introduction of the Individual Accountability Framework (“IAF”).

The following key changes have been made to the ASP Guidelines:

  • Roles of the Responsible Authorised Officer (“RAO”) – A new section has been included in the ASP Guidelines to describe the role and responsibilities of the RAO.
  • Confidentiality – the Guidelines provide that the CBI will consider requests to authorise disclosure of confidential information relation to an ongoing ASP investigation on a case by case basis where it is considered reasonably necessary to do so.
  • Legal professional privilege – the guidelines clarify that entry into a disclosure agreement by the subject of an investigation will be on a voluntary basis and cannot be required by the CBI.
  • Use of Information – the guidelines set out a non-exhaustive list of examples in which information gathered by the CBI in the course of an investigation can be used by the CBI in performance of its statutory functions, including:
    • to progress investigations such as the interviewing of witnesses
    • for the preparation of a Draft and Final Investigation Report
    • for the purpose of an inquiry
    • the CBI’s authorisation, supervision, and fitness and probity functions more generally
  • Management of Conflicts of Interest – the guidelines provide additional detail on how conflicts are managed throughout the inquiry process
  • Determination of monetary penalties for individuals – the guidelines clarify that firms and individuals will be provided with information on how any proposed monetary penalty has been calculated and that the subject of an investigation will have an opportunity to engage with the CBI on sanctions as part of the settlement or inquiry process.
Read the full Feedback statement and ASP Guidelines here.
Central Bank of Ireland Enforcement Action
November 2023

The Central Bank of Ireland (CBI) has reprimanded and fined investment fund GlobalReach Multi-Strategy ICAV (the ICAV) €192,500.00 pursuant to the European Union (European Markets Infrastructure) Regulations 2014 (the EMIR Regulations). This is the first monetary penalty imposed on an investment fund by the CBI to date and the first enforcement action of the year 2023.


Breach
The ICAV admitted to failing to report 200,460 derivative trades entered into between January 2018 and May 2020 by one of its sub-funds to a trade repository. The failure of the ICAV to report its sub-funds derivatives constituted a breach of Article 9(1) of EMIR, which provides that counterparties and Central counterparty clearing houses (CCPs) should ensure that details of any derivative contract they enter into, modified or terminated are reported to a registered trade repository no later than the working day following the conclusion, modification or termination of the contract.



Background
In May 2020, the Board of the ICAV and the appointed Management Company were informed by the appointed Investment Manager that there had been a failure to report approximately 21,000 trades. Following an internal investigation in early 2021, they were further notified that there were in excess of 200,000 non-reported trades. As part of a remediation exercise, late reports were submitted to a trade repository registered in accordance with EMIR.

In March 2021, the CBI questioned the late reports. In October 2023, the CBI appointed an assessor to conduct an assessment of the ICAV in respect of this matter. The CBI have confirmed that this enforcement action, including the assessment of the ICAV, is concluded.


Penalty Decision Factors
In deciding the penalty to impose, the CBI considered the following:
  • The extent and duration of the contravention.
  • The failure to report the contravention in 2020 when the Board of the ICAV found out about the failure.
  • The significant departure from the standard required under legislation.
For more information, read the full press release here.
European Commission: Retail Investment Strategy
November 2023

The European Commission (“EC”) has published its Retail Investment Strategy, which aims to empower retail investors to make investment decisions that are aligned with their needs and preferences, ensuring that they are treated fairly and duly protected. The strategy amends the UCITS Directive and the Alternative Investment Funds Managers Directive (“AIFMD”).

The other measures include:

  • New rules aimed at protecting retail investors from misleading marketing communications and practices which emphasise benefits but downplay any potential risks
  • Rules from prohibiting inducements in execution-only cases, strengthening of the best interest principle, new criteria for “acting in the best interests of the client” and improving transparency; and
  • Further measure on financial literacy, investor categorisation, enhanced suitability and appropriateness assessments and measures to increase professional qualifications of financial advisors.

The EC has also proposed to amend the regulation on Packaged Retail and Insurance-Based Investment Products – the PRIIPs Regulation. It will introduce a new section in the PRIIPs key information document (“KID”) titled “product at a glance” to summarise and highlight information on product type, costs, level of risk, recommended holding period and presence of insurance benefit as well as a dedicated section focused on sustainability.

The European Commission invited stakeholders and interested parties to submit their feedback on the proposals until 28 August 2023. The European Commission’s proposals will now need to go through the legislative process with the European Parliament and the Council of the European Union before approval.

More information on the Retail Investment Strategy can be found here.
Central Bank of Ireland: Dear CEO Letter – Thematic Review on the Ongoing Suitability of Long-Term Life Assurance Products
November 2023

The Central Bank of Ireland (‘CBI’) sent a “Dear CEO Letter” titled: “Thematic Review on the Ongoing Suitability of Long-Term Life Assurance Products” to the life assurance industry in August 2023. In the Letter, the CBI detailed its findings following a recent thematic review it conducted on Unit Linked Single Investment Products.

The main objective of the review was to assess and understand processes that exist within life insurers. It also aimed to evaluate the wide life assurance sector to ensure that consumers receive an appropriate level of protection and that their best interests are protected.

The Review comprised of engagement with five of the main domestic life insurers and a sample of intermediaries.

The key findings of the review are:
  1. Distribution Arrangements and Periodic Reviews: Insurers are not assessing their product range often enough to be able to identify when a product becomes less suitable or unsuitable for customers.

  2. Ongoing Responsibilities: there is a risk that where other entities are involved e.g intermediaries; there is a risk that ongoing suitability assessments might be overlooked, may be down to lack of clarity relating to allocating responsibilities.

  3. Continuity of Service: the review found that when an intermediary has exited the market but not sold/transferred its book of business to another intermediary, the ongoing responsibility for their ‘orphaned clients’ is generally taken on by the relevant insurer. The CBI is concerned that this practice could give rise to a reduced level of service provided to those orphaned clients, specifically regarding ensuring the suitability of their products.

  4. Information in Annual Statements: Insurers provide varying levels of information in annual statements to highlight the importance of ensuring the ongoing suitability of long-term products.

  5. Suitability of long-term investment funds: The CBI found that in periods where the returns on certain funds are low, the fees and charges that are still being taken from the value of the investment will further reduce any growth, which could lead to a reduction in the fund value. This has raised concerns about the maturity of some insurers’ Consumer Protection Risk Management frameworks.

  6. Access to information: Although the Review was focused on single premium bonds, the CBI expects that, where possible to do so, consumers are provided with similar access to information relating to all other savings, investment, and pension products. Where it is not possible to provide similar access, the reasons why should be clearly documented, and the decision approved at an appropriate level in the insurance firm. In addition, the CBI expects that any such decision should be reviewed on a periodic basis.

The CBI stated that the industry must do more to demonstrate ongoing suitability of long-term products for consumers, including:
  • Insurers must strengthen their structures and processes to ensure that their consumers needs are considered on an ongoing basis
  • Insurers must be more proactive in encouraging and empowering their consumers to engage with financial services providers on matters related to their long-term products.
In the most recent CBI Intermediary Times, the CBI highlighted certain areas of particular relevance to insurance intermediaries, including informing consumers, as part of the suitability statement, whether the suggested insurance-based investment product (’IBIP’) is likely to require a regular review of their arrangements. This will help intermediaries establish suitable strategies with their consumers to guarantee the products continued suitability.

The full Dear CEO Letter can be read here.
Updated Politically Exposed Persons (PEP) List
November 2023

The European Commission has assembled a single list of prominent public functions of each Member State (indicating the exact functions) which, according to national laws, regulations and administrative provisions, qualify as prominent public functions.

In so far as the EU Member States are concerned, a PEP is anyone holding one of the positions set out in the respective national lists. Anyone holding a position not within those lists does not qualify as a PEP and Enhanced Due Diligence measures would therefore be applicable only to the extent that the business relationship or occasional transaction presents a high risk of ML/FT.

Find the full list on Page 47 here.
Reminder – Outsourcing Register
November 2023

In accordance with the Cross-Industry Guidance on Outsourcing, the CBI expects that regulated financial service providers (RFSPs) establish and maintain an outsourcing register which is required to contain certain specific information regarding outsourcing arrangements. These include:

  • A reference number for each outsourcing arrangement
  • The start date and, if applicable, the next contract renewal data, the end date and/or notice period to be served to the service provider and for the RFSP
  • A brief description of the outsourced function, including the data that is outsourced and whether or not personal data has been transferred or if their processing is outsourced to a service provider;
  • The name, address, corporate registration number and legal entity identifier (LIE) where available and other relevant contact details including the details of its parent company and whether the service provider is regulated;
  • The country where the service is to be performed;
  • Whether or not the outsourced function is considered critical or important and a brief rationale for the categorisation
  • In the case of outsourcing to a cloud service provider, the cloud service provided, the specific nature of the data to be held and the locations where such data will be stored;
  • The date of the most recent assessment of the criticality or importance of the outsourced function.

The CBI has published specific Template Registers and Completion Guidance for specific industry sectors; Banking LSIs, Insurance and Reinsurance, Payment and E-Money Firms and Market Firms. See more information on the CBI website here.

It is worth noting that the template registers are only required to be filed with the CBI by firms which are PRISM rated medium low and above. RFSPs which do not fall into these PRISM categories should still seek to use these templates as a guide to completing their internal register, in order to ensure that they are in a position to provide a report to the CBI should they request it.
Individual Accountability Framework Update
November 2023

The Central Bank of Ireland (CBI) has published its final Guidance, draft Regulations and Feedback Statement with regard to the Individual Accountability Framework (IAF). The documents outline a number of substantive changes to aspects of the IAF, including SEAR, as against the draft Guidance.

The key changes are summarised as follows:
  • The application of SEAR to non-executive directors (NEDs) and independent non-executive directors (INEDs) of in-scope firms will now be deferred by one year until 1st July 2025.
  • The deferral applies to all NED/INEDs, including the Chair of the Board and Chairs of audit, risk, remuneration and/or nomination committees for in-scope firms.
  • SEAR will still apply to all other PCF roles in in-scope firms from 1st July 2024.
  • The Common Conduct Standards will apply to all CFs from 29th December 2023.
  • The Additional Conduct Standards will apply to PCFs from 29th December 2023.
  • The Common Conduct Standards and Additional Conduct Standards will still apply to NEDs and INEDs from 29th December 2023. The Duty of Responsibility (which is part of SEAR) will also apply to all PCFs, including NEDs and INEDs, from 29th December 2023.
  • The Business Standards are being reviewed and updated as part of the CBI’s ongoing review of the Consumer Protection Code 2012. The Business Standards will not therefore be effective until the revised CPC is reviewed and implemented.
  • Periodic reporting - The CBI proposes to limit the extent of mandatory periodic reporting to the CBI. Instead, it is proposed that firms take responsibility for relevant documentation and make it available to the CBI on request.
  • Disciplinary actions - The CBI has removed the additional obligation for a regulated firm to report to the CBI where formal disciplinary action has been concluded against an individual in respect of a breach of the Conduct Standards.
  • Head of Material Business – The CBI confirms the introduction of Head of Material Business line roles for insurance undertakings and investment firms as proposed bringing it in line with the introduction of a new PCF-50 Head of Material Business Line for credit institutions in October 2020. The CBI does not require a firm to create a new PCF role where one did not previously exist or where the size or complexity of a firm’s business does not warrant it; this is for the firm to determine itself.
  • Certification Requirements
The CBI has limited the scope of the enhanced due diligence aspect of the certification requirement to PCFs, CF1s and CF2s. This facilitates self-certification in respect of individuals within the CF3 – CF11 categories.

The feedback statement notes that the Central Bank will undertake a review of the IAF three years after implementation which will include an assessment of the functioning of the framework, how the benefits and costs are being realised in practice, and whether any changes should be introduced.
Central Bank of Ireland: Updates to Fitness and Probity Enforcement Procedures
November 2023

On 21st April 2023, the Central Bank of Ireland (CBI) published an industry letter notifying firms of the updated procedures for fitness and probity investigations, suspensions and prohibitions. The updated procedures apply from 20th April 2023.

Part 3 of the Central Bank Reform Act 2010 has been amended by the Central Bank (Individual Accountability Framework) Act 2023. The amendments, which were commenced by order on 19th April 2023 are summarised below:
  1. Investigation of individuals who formerly performed CF roles: the CBI can now investigate a former controlled function (CF) role holder, provided that they performed the role within the shorter of the following periods: (a) the period since 19th April 22023 and (b) the 6 years before the date on which an investigation is commenced.

  2. Commencement of investigation: a new statutory procedure has been introduced for giving notice of investigations.

  3. Suspension: the limit for the initial duration of a suspension notice has increased from 3 months to 6 months. Suspension notices may now be appealed to the Irish Financial Services Appeals Tribunal. The period for which the High Court may extend a suspension notice has increased from 3 months to 6 months. The CBI may make subsequent applications to the High Court to further extend the suspension notice.

  4. Investigation report: the statutory procedure for investigation reports has been changed to provide for the preparation and service of a draft report followed by a final report.

  5. Discontinuing an investigation: the CBI may discontinue an investigation for reasons to be stated in a notice.

  6. Prohibition Notices: will now only take effect when confirmed by the High Court or agreed in writing.

  7. Varying/revoking prohibition: a new procedure allowing the CBI or the subject to apply to the High Court for an order varying or revoking a prohibition notice.

  8. Regime extended to certain holding companies: the fitness and probity regime (upon CBI issuing regulations) apply to individuals performing certain CF roles in holding companies of certain regulated firms.

  9. Enhanced independence requirements: certain requirements have been introduced to ensure the independence of an investigation and associated decision-making procedures.
The amendments to Part 3 of the 2010 Act have necessitated changes to regulations and guidance. The updated regulations and guidance are:

Central Bank Reform Act 2010 (Procedures Governing Conduct of Investigations) Regulations 2023

Fitness and Probity Investigations, Suspensions and Prohibitions: Guidance 2023


More information can be found at: Investigations and Enforcement
Central Bank Intermediary Times November 2023 Issue
November 2023

The 'Intermediary Times', the Central Bank of Ireland’s (CBI) newsletter published twice a year, includes regulatory issues that retail intermediary firms need to be aware of in improving their standards of compliance.
  • In this edition the newsletter covers many items including:
  • Updates on the Fitness and Probity (F&P) requirements;
  • Professional Indemnity Insurance update;
  • Update on the Consumer Protection Code review;
  • Information on Client Premium Accounts.

1. F&P Requirements Update

Annual Pre-Approval Control Function (PCF) Confirmation

The CBI advise that from Q1 2024, the annual PCF confirmation return will be submitted under the F&P section of the Portal.

In preparation for the return, firms should ensure that all PCF information is up to date; i.e. PCF start dates and PCF resignations have been submitted in a timely manner.

The CBI will publish Guidance on its website in advance of the go live date.


New F&P Application Guidance

The Central Bank reminds firms it released new F&P application Guidance (HERE) which should reviewed to submitting an Individual Questionnaire (IQ) or updating PCF information to find information on the new IQ application form and the expected due diligence firms are required to conduct and guides on how to use the system.


2. Professional Indemnity Insurance (PII) Update

Firms should be aware of the potential upcoming amendments to PII levels.

Minimum PII levels are reviewed every five years by the European Insurance and Occupational Pensions Authority (EIOPA). The current review is underway with proposals sent to the European Commission in June 2023.

Firms are reminded to continue to ensure compliance when the new PII levels are approved. Where there are changes, the CBI it will issue further guidance.


3. Update to Consumer Protection Code Review

The Consumer Protection Code is currently under review with a view to publishing a revised Code.

The next steps in the review will be Public Consultation, where the CBI will seek views from interested stakeholders on the proposed changes to the Code, and Finalisation of the revised framework. Following the public consultation, the CBI will consider the feedback and insights before publishing the final revised Code. A feedback statement will also be published at this time, setting out the rationale for the CBI's approach.


4. Client Premium Accounts

Insurance Intermediaries must have robust procedures and oversight arrangements in place to ensure that monies received in relation to client premiums are segregated from other monies in the firm. The CBI reminds such intermediaries that transactions through Client Premium Accounts (CPAs) should be conducted in accordance with the Consumer Protection Code (CPC):
  • Payments in respect of levies, membership fees, or other transactions not specified in Provision 3.50 of the CPC are not permitted to be made from a CPA;
  • CPAs must be clearly designated ‘Client Premium Account’ to ensure that client premiums are segregated from other monies;
  • A separate CPA must be maintained for both life and non-life insurance business;
  • A CPA must never be overdrawn;
  • Firms are required to carry out, and retain, monthly reconciliations of amounts due to regulated entities; and
  • Firms should ensure that rebates due to consumers are processed correctly and in a timely manner. Where rebates are issued by cheque and not presented for payment within six months, the payment should be returned to the Insurance Undertaking.
To read the CBI publication in full, please see the link below:

Intermediary Times - November 2023 (centralbank.ie)
Central Bank of Ireland: Response to the Funds Sector 2030 Review
October 2023

The Central Bank of Ireland (CBI) has issued a response to the Department of Finance Funds Sector 2030 Review in which they set out five priority areas critical to the future development of the investment funds sector in Ireland:

1) Delivering positive outcomes for the domestic economy and investors
  • Securing investor interests.
  • Ensuring good governance and customer focus in the sector.
  • Enabling investors to access well regulated products that meet their savings and investment needs.
  • Ensuring that funds deliver value for investors.
  • Improving financial literacy and education.
  • Realising the full potential of the sector as a source of alternative financing for the real economy and SMEs.

2) Developing a Macro-Prudential framework for investment funds
  • Monitoring and managing risks to financial stability.
  • Developing a macroprudential framework for investment funds.
  • Engaging with international organisations and other national authorities to coordinate efforts.

3) Maintaining Regulatory Effectiveness
  • Ensuring that the regulatory framework remains up to date and effective.
  • Identifying important sectoral features and trends and developing appropriate policy and regulatory responses (delegation/sectoral change).
  • Supporting international policy and development and sharing our expertise and knowledge.

4) Sustainable Finance
  • Supporting new product development and innovation.
  • Ensuring the delivery of high quality ESG products.
  • Supporting the sector’s contribution to carbon neutrality.
  • Protecting investors against greenwashing.

5) Digital Transformation
  • Encouragement and support for innovators and innovative products and services.
  • Supporting efforts to develop new use cases for digitisation and tokenisation.
  • Managing emerging risks.

Read the full response here.
Data Protection Commissioner: Airbnb Ireland UC Reprimand
October 2023

On 14th September 2023, the Data Protection Commissioner (DPC) adopted a decision in relation to a complaint against Airbnb Ireland UC. The DPC launched its enquiry on 7th October 2022 following a complaint that Airbnb did not properly comply with its obligations under the GDPR. The Complainant alleged:

  1. Airbnb did not properly comply with his erasure request

  2. Airbnb unlawfully retained his personal data

  3. Airbnb did not comply with the data minimisation principle; and

  4. Airbnb failed to comply with that principles of transparency and provision of information.

Airbnb responded to the data subject’s request to erase his data, requesting verification of his identity, and then confirmed that the personal data would be deleted unless it was permitted or required to retain the data. Airbnb did not further update the data subject in respect of his erasure request. Airbnb retained the data subject’s data on the advice of legal counsel, following an alleged serious incident at an Airbnb listing that was the subject of a police investigation and legal proceedings.

Airbnb stated that it retained the complainant’s data on the basis of legitimate interests of those involved in or connected with the underlying police investigation and legal proceedings. In its decision, the DPC was satisfied that Airbnb validly relied on Article 6(1)(f) as the lawful basis for the retention of the complainant’s data, Airbnb did not infringe on Article 17(1) when it restricted the complainants right of erasure of his personal data and that Airbnb’s retention of the personal data did not infringe the principle of data minimisation in Article 5(1)(c).

However, the DPC did find that Airbnb infringed Article 12(4) with respect to the handling of the complainant’s erasure request by failing to inform him without delay and at the latest within one month of receipt of the request the reasons for not acting on it and the possibility of lodging a complaint with a supervisory authority.

The full decision can be read here.
Competition (Amendment) Act 2022
September 2023

On 27th September 2023, the Competition (Amendment) Act 2022 will largely come into operation. The Amendment Act increases the Irish merger control and competition law powers of the Competition and Consumer Protection Commission (“CCPC”). The commencement order was signed by the Minister for Enterprise, Trade and Employment on 13 September 2023 and the Amendment Act will enter into operation on 27 September 2023 (excluding Section 26).

The main changes introduced by the Amendment Act include:
  • increased merger control powers for the CCPC (such as the statutory ability to call in unnotified ‘sub-threshold’ transactions, the ability to impose interim measures on notified deals and, in certain cases, the ability to unwind anti-competitive transactions)

  • new powers for the CCPC including EU and Irish competition law administrative and enforcement powers

  • changes to criminal law sanctions, including a new offence of bid-rigging, increased fines and new standards of proof for competition law breaches

  • a new distinct offence of ‘bid-rigging’

  • increased dawn raid powers for the CCPC

  • increased surveillance powers for the CCPC

Ahead of the commencement date, the CCPC have issued a set of policies, procedures and guidelines which provide guidance on how the new regime will operate. These published policies will take effect from 27 September 2023.

    • mandatory notifiable transactions.
    • those which are voluntarily notified either pre- or post-implementation.
    • those which are neither mandatorily notifiable not voluntarily notified but which are “called in” by the CCPC.
The full amendment act can be found HERE.
Data Protection Commission Outcome of Prosecution proceedings for marketing offenses
September 2023

On 11th September 2023, the Data Protection Commissioner (“DPC”) announced the outcome of the prosecution proceedings against Chill Insurance Limited, Hidden Hearing Limited, The Multiple Sclerosis Society of Ireland and Vodafone Ireland Limited.

The DPC noted that the Dublin Metropolitan District Court had identified the following violations in contravention of Regulation 13 of Statutory Instrument 336 of 2011:

· Chill Insurance pleaded guilty to two charges related to sending to one individual one unsolicited marketing SMS without consent and without a valid opt-out.

· Hidden Hearing pleased guilty to four changes related to sending of unsolicited marketing SMS and telephone calls to four individuals without consent.

· The Multiple Sclerosis Society of Ireland pleased guilty to one charge related to the sending of an unsolicited marketing email to one individual without consent.

· Vodafone Ireland pleaded guilty to one charge related to the sending of an unsolicited marketing email to one individual without consent.

The Court applied the Probation of Offenders Act 1907 on the basis of a charitable donation of €500 each to Little Flower Penny Dinners. Furthermore, the Court also convicted Vodafone Ireland on the one charge, and it imposed a further fine of €500 to be paid within three months.

You can read the full press release HERE.


On 20th September 2023, the Data Protection Commissioner (“DPC”) announced the outcome of the prosecution proceedings against Alpha Wealth Limited, a Financial Advisory Company.

The DPC noted that Alpha Wealth Limited pleaded guilty to two charges in violation of Regulation 13 of Statutory Instrument 336 of 2011 (E-Privacy Regulations) for the sending of unsolicited marketing email communications to two individuals without consent, in January 2023. The Company previously received warnings from the DPC in 2022 following an investigation of a previous complaint regarding unsolicited marketing emails sent to one of the individuals concerned.

The Court applied the Probation of Offenders Act 1907 on condition that Alpha Wealth donates €500 to each individual concerned by 18th October. Failing compliance with that Order, it would convict the defendant and apply a fine of €1,000.

You can read the full press release HERE.


Data Protection Commissioner TikTok Fine
September 2023

On 15th September 2023, the Data Protection Commissioner (“DPC”} published its final decision regarding its inquiry into TikTok’s data processing practices involving children’s data. The social media platform was fined €345 million for shortcomings in adequately protecting children and their personal data, while using the platform.

The EDPB adopted a binding decision on the matter on August 2, 2023 (in accordance with the Article 65 GDPR dispute resolution mechanism) after consulting with its supervisory counterparts in other EU Member States following an investigation into the platform between July 31, 2020, and December 31, 2020. The DPC adopted its final conclusion in response to this EDPB ruling, stating its major findings of non-compliance with several GDPR rules as follows:

· profile settings for child user accounts on the TikTok platform were set to ‘public’ by default, meaning anyone (on or off the platform) could view the content posted by the child user;

· the ‘Family Pairing’ setting allowed an adult user (who could not be verified as the parent or guardian of the child) to pair their account to a child’s account. This allowed the adult user to enable direct messages for children above the age of 16, which posed several possible risks to child users;

· the ‘public by default’ setting on children’s accounts posed several significant risks to children aged under 13 who gained access to the platform;

· TikTok failed to provide sufficient transparency information to children who use the platform; and

· TikTok implemented ‘dark patterns’ by nudging users towards choosing more privacy-intrusive options during the registration process, and when posting videos.

In addition to the administrative fine, the DPC has issued a reprimand and an order requiring TikTok to bring its processing into compliance within a period of three months from 1st September 2023. TikTok has disagreed with aspects of the decision, mentioning that the settings and features of the platform condemned by the DPC in its decision had been updated to enhance protection of child users, even before the DPC’s investigation commenced.

The full press release can be read HERE.
EIOPA Cyber Insurance Survey for SMEs
September 2023

On 20th September 2023, the European Insurance and Occupational Pensions Authority (“EIOPA”) has launched a survey on access to cyber insurance by small and medium-sized enterprises (“SMEs”) to better understand the challenges SMEs face in protecting themselves against cyber risks and assess the level of access to cyber insurance.

The survey will collect information on the size and type of business of the companies surveyed, the level of awareness of cyber risks in relation to their business, the availability, affordability and understanding of cyber insurance products. It will also highlight SMEs’ experience and perceptions of cyber insurance, including whether they have considered taking out a policy, the factors that influenced their decision (not to) take out cover and potential barriers to taking out cover.

SMEs are invited to take part until 20th March 2024. Access the survey HERE.
Data Protection Commission Inquiries
August 2023

1) Inquiry Concerning the Department of Health – June 2023

The Data Protection Commission (“DPC”) has imposed a fine of €22,500 on the Department of Health (“DoH”) after completing an inquiry into certain aspects of it’s processing of personal data in 29 litigation files.

The DPCs statutory inquiry was commenced following public allegations in 2021 that the DoH had unlawfully collected and processed personal data about plaintiffs and their families in the context of litigation surrounding the plaintiff special education needs.

The DPC concluded that the DoH did not infringe Data Protection law by seeking information about the services that were being provided to plaintiffs, however, the DoH did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. The DoH had no lawful basis for processing such data, and also did so in breach of the data minimisation principle.

The DPC imposed the fine of €22,500 for the DoH's infringements of Articles 5(1)(c) (data minimisation principle), 6(1) and 9(1) (lawful basis requirements), 6(4) GDPR (further compatible processing requirements). The DPC also issued a reprimand on the DoH in respect of these infringements, as well as for infringements of Articles 5(1)(c) and 32(1) (security obligations) and 14 (transparency obligations). In addition, the DPC imposed a ban on the DoH processing the excessive personal data and special category data in the litigation files in question for the purposes of determining an appropriate time to settle a case.

For more information, the full decision can be found HERE.


2) Inquiry concerning Airbnb Ireland – June 2023

The DPC has published the final decision, issued on 21st June 2023 in which it imposed a reprimand and corrective measures on Airbnb Ireland UC for violations of the GDPR. The SDPC commences its inquiry following a complaint that Airbnb Ireland had unlawfully requested a copy of the complainants ID to verify their identify, which had not previously been requested by Airbnb. Initial attempts by the complainant to verify their identify had been rejected by Airbnb as the ID provided did not meet their criteria. The complaint contented that this went against the principles of data minimisation and that Airbnb also failed to comply with the principles of transparency and provision of information.

Following its investigation, the DPC found that Airbnb’s retention of a copy of the complainants ID following successful completion of the verification process infringed the principles of data minimisation under Article 5(1)(c) and the principle of storage limitation under Article 5(1)(e). the DPC also found that the continued processing and retention of partially redacted and out of date IDs that had been deemed inadequate or insufficient to verify the identify of the complainant infringed the same principles.

In light of these infringements, the DPC issued a reprimand to Airbnb Ireland. In addition, the DPC made the following orders against Airbnb Ireland to remedy the infringements identified and to prevent similar infringements occurring in the future:

Delete from all of its systems and records the redacted and out of date copies of the complaints IDs
Delete from all of its systems and records the IDs that the complaint uploaded
Revise its internal policies and procedures concerning user verification to endure that

    a. Once the identify of data subjects has been verified to Airbnb Ireland satisfaction, discontinue the         practice of retaining improperly redacted and/or out of date IDs which may be submitted by data            subjects as part of the identify verification process; and

    b. The period for which valid or fraudulent or illegitimate IDs submitted by data subjects as part of            the identity verification process are stored is limited to a strict minimum period.

For more information, the full decision can be found HERE.
Department of Finance - MiCA: Consultation Opened on National Discretions
August 2023

On 9th August 2023, the Department of Finance (“DoF”) launched a public consultation on the exercise of certain national discretions contained in the EU Markets in Crypto-Assets Regulation (“MiCA”). The DoF is consulting on how Irish law should address transitional arrangements for existing Virtual Asset Service Providers (“VASPs”) already providing services in accordance with Irelands domestic regulatory framework.

Thile MiCA was enacted in June 2023, the new framework and obligations that it creates will mostly take effect during 2024. Read our previous blogpost on MiCA here. As an EU regulation, MiCA has direct effect in EU member states, however it does leave certain matters to each member state’s discretion and Ireland’s decision on those matters will need to be implemented through national legislation; thus the DoF’s current consultation.

The DoF is consulting on the following four discretions:

  1. Public Disclosure of Inside Information (Article 88(3))

  2. Administrative Penalties and Administrative Measures (Article 111(1))

  3. Transition Period for Existing Crypto-Asset Service Providers (Article 143)

  4. Simplified Authorisation Application for existing CASPs (Article 143(6))

This consultation represents an opportunity for participants, especially existing VASPs, to have their say on the shaping of some important policy and legislative issues. The consultation closes on 15th September 2023. 

Read the full Consultation here.
Central Bank of Ireland: Product Oversight and Governance (“POG”) Thematic Review
August 2023

A thematic inspection of product oversight and governance was undertaken by the Central Bank of Ireland in the latter half of 2022. The inspection included a selection of six non-life insurance undertakings to assess the current level of controls, processes and systems in place relating to POG arrangements. The inspection focused on five key control areas:
  1. POG policies & procedures

  2. Underwriting controls

  3. Post implementation reviews

  4. Risk management oversight; and

  5. Board oversight

Key themes identified:

  1. Board Oversight

    The inspection found that there wasn’t always strong Board oversight of all new products and material changes to existing products. The CBI notes that Boards should have sign-off role for new products and material product changes.

  2. Risk Management

    The CBI found that the risk function’s role in POG arrangements to be lacking in some instances. The CBI stated that the POG process should be meaningful and a control that is integrated with both the emerging risk and Own Risk Solvency (“ORSA”) process.

  3. Policy Wording

    The CBI outlined its expectation that firms ensure sufficient resources and attention are provided to ensure any potential detriment to the firm and the customer is identified and mitigated without delay and also have in place a plan of ongoing policy wording reviews.

  4. Protection Gaps

    The CBI found that while undertakings in general are aware of the EIOPA recent Supervisory Statement and the requirements within, these requirements need to be reinforced to ensure that the POG process considers both prudential and consumer considerations.

The CBI also outlined various good practices which firms should consider embedding into their own POG arrangements such as the CRO having a ‘gatekeeper’ role with responsibility for considering materiality of product changes, having at least one member of the Board with general insurance background and a detailed understanding of products, establishing a customer forum and dedicated wordings committees, implementing a schedule of product reviews and manual wordings, to name a few.

The CBI concluded that:
  • To ensure they have a complete awareness of their exposures in connection to the products they offer, many undertakings need to take additional steps to guarantee they have reliable procedures and controls, as well as technical expertise to advise on and challenge.
Central Bank of Ireland: Dear Chairperson Letter on Trading Venue Compliance with Requirements under MAR
August 2023

The CBI has published a letter, dated 26th July 2023 addressed to trading venue operators, outlining the findings of the CBI’s thematic inspection of operators’ market surveillance arrangements and their compliance with the Market Abuse Regulation (“MAR”).

The inspection identified several failings concerning the effectiveness of market surveillance arrangements:

  1. Governance, MI Reporting and Training: Boards, Senior Management Teams and Second Line of Defence were unable to demonstrate the necessary level of understanding, accountability and ownership with regards to surveillance systems. MI was not sufficiently detailed to evidence adequate escalation of issues and specific surveillance training was not provided in a formal basis to all staff, including Board members.

  2. Prevention, Detection and Assurance: Trading Venues do not have sufficiently effective procedures, systems and staff in place to effectively prevent, monitor, detect and identify market abuse issues. Gaps were identified to relation to real time surveillance, resources, and controls.

  3. Suspicious Transaction Order Reports (“STORs”): The number of STORs received by the CBI from Trading Venues have decreased substantially since 2018. This does not reflect the quantity of transactions has increased and the number of overall STPRs received by the CBI has increased. Issues identified during the inspection include Compliance officers having no formal role in relation to the production and review of STORs and no internally set deadlines to ensure timely STOR submission.

The CBI requires that the Chairpersons take responsibility for the findings in the letter, ensuring that it is discussed, minuted, and actioned. The CBI requires trading venues to immediately commence a review of the trade surveillance arrangements.

The full letter can be read HERE
Central Bank of Ireland: Engagement Update on Consumer Protection Code Review
August 2023

On 31st July 2023, the CBI published an engagement update following on from its discussion paper published in October 2022, on the review of the Consumer Protection Code 2012. The CBI has conducted a six month engagement programme across a wide array of stakeholder which included round tables, bilateral meetings, industry events, public surveys and written stakeholder submissions.

From the feedback sought, five themes have emerged:

  1. Digitalisation: New technologies have provided greater opportunities for customers, but firms must ensure that the needs of all customers continue to be met.

  2. Vulnerable Customers: firms need to be able to identify actual or potential vulnerability characteristics and support customers through changing life events.

  3. Transparency: standardised and clear disclosure requirements need to be provided to accurately inform customers, ensuing that information provided is not excessive.

  4. Financial Literacy: improved financial education can aid customers a number of key financial areas.

  5. Regulatory status: it must be clear if firms and products are not regulated by the CBI. The availability of unregulated products by regulated firms creates confusion for customers.

The CBI intends to introduce a revised and modernised Consumer Protection Code 2024, which wil include consolidating existing riles with he Code of Conduct on Mortgage Arrears (“CCMA”). It plans to consult on the Code in December 2023.

Following adoption of the revised Code in 2024, work on further enhancements to the Code will be undertaken over the course of 2024, with additional Regulations planned for 2025.

The full Engagement Update can be read HERE
Central Bank of Ireland Discussion Paper on Macroprudential Policy for Investment Funds
July 2023

On 18th July 2023, the Central Bank of Ireland (“CBI”) published a Discussion Paper seeking views on a new macroprudential policy framework for investment funds (“DP11”). It aims to advance ongoing European discussions on how a macroprudential perspective in the regulation of the funds sector could be achieved. It discusses important factors to take into account when creating and implementing such a framework.

A macroprudential framework for the funds sector would adopt a systemic viewpoint and seek to make sure that this expanding area of the financial industry is more stress-resistant and less likely to magnify negative shocks. As a result, the sector would be better prepared to contribute as a dependable source of funding, supporting larger-scale economic activities.

The Central Bank is seeking feedback from stakeholders on a number of issues raised in the discussion paper to inform further analysis and policy work in this area via an online survey which will run until 15 November 2023.

The full Discussion Paper can be found here.
Central Bank of Ireland: Dear CEO Letter to High-Cost Credit Providers
July 2023

On 30th June 2023, the Central Bank of Ireland (“CBI”) issued a Dear CEO Letter to High-Cost Credit Providers (“HCCPs”). The aim of the letter was to give an insight into the findings from CBI supervisory engagements with HCPPs and to set out their expectations in relation to HCCPs compliance with their AML/CFT & Financial Sanction obligations.

The CBI highlighted a lack of compliance with legislative obligations in the following areas:

  • HCCPs have not adequately considered their obligations under the CJA 2010 and therefore have not ensured that their business operations and control frameworks are compliant;
  • Some HCCPs have not undertaken a business wide risk assessment (“BWRA”) and therefore are not in a position to identify their ML/TF;
  • Some HCCPs have not sufficiently tailored the BWRA and/or AML/CFT policies and procedures to the business model, limiting their ability to implement an appropriate control framework;
  • Many HCCPs were unable to demonstrate compliance with a number of obligations under the CJA 2010, including adequate customer due diligence, ongoing monitoring and suspicious transaction reporting.

Further points noted by the CBI in the letter include:

  • The importance of complying with all relevant obligations under the CJA 202, regardless of size or structure of the entity.
  • Many HCCPs did not have documented AML/CFT frameworks or AML/CFT policies and procedures in place,
  • The CBI outlined their concern regarding the level of deficiencies it has observed in relation to the responses via the Risk Evaluation Questionnaire (“REQ”).
  • The CBI reminded HCCPs of their obligation to provide accurate, complete and timely information when requested to do so by the CBI.

All HCCPs are required to review the findings and expectations in the letter and where gaps/weaknesses are identified by the HCCP, they are required to take steps to remediate the identified gaps/weaknesses in a timely manner.

The full Dear CEO Letter can be accessed here.
Central Bank of Ireland Consultation Paper seeking views on enhanced enforcement process
June 2023

On 22nd June, the Central Bank of Ireland (“CBI”) launched a 12 week consultation (“CP154”) on enhancements to the Administrative Sanctions Procedure (“ASP”). The purpose of CP154 is to seek views on the revised procedures in the ASP following the introduction of changes under the Individual Accountability Framework (“IAF”) and to provide guidance in an open and clear manner as to how the CBI proposes to operate these revised procedures.

The IAF was signed into law on 9th March 2023. The Act introduces several changes to the ASP under Part IIC of the Central Bank Act 1942. The strengthened ASP is designed to underpin and support the introduction of IAF and in particular, the Senior Executive Accountability Regime (“SEAR”) and conduct standards for firms and individuals.

This follows CP153 on the Enhanced governance, performance, and accountability in financial services, which closed on 13th June which included regulatory guidance and draft regulations supplementing the IAF. Read our blogpost on CP153 here.

The Consultation will remain open from 22nd June to 14th September. When submitting a response via email, the CBI asks that respondents include the following subject heading in their email “Consultation Paper 154 on the ASP Guidelines under the Individual Accountability Framework” and address their response to ASPconsultation2023@centralbank.ie. The CBI will then review all feedback received on the Consultation and prepare a Feedback statement for publication online. `View the full press release and consultation paper here.