RegSol Blog


RegSol Blog Posts

Credit Union Levy Regulations
November 2020

The Minister for Finance, Paschal Donohoe TD announced that the Credit Institution Resolution Levy for 2021 will be reduced to 0.0259% of assets (approximately €5 million) and the Credit Union Stabilisation Levy for 2021 will be reduced to 0.0015544% of assets (approximately €300,000).

Collectively the levies of €5.3 million for 2021 will amount to approximately 0.0274% of assets, a reduction of circa 56% from €12 million in 2019 in the context of growing sector assets.

The Credit Union sector had outlined the impact of the levies in its report “The Movement” which was published in July.

Commenting on the ILCU CEO Ed Farrell said, “In relation to the Credit Union Stabilisation Levy, today’s announced reduction by the Minister means credit unions will pay €2.7m less in 2021 than they paid in 2020. Instead of having to pay €3m next year, they will only pay €300,000. This is a significant cost saving for credit unions which will go some way to alleviating the impact of the COVID-19 pandemic on credit union balance sheets. We are delighted that our campaigning for our member credit unions has delivered and we look forward to continuing to work with both Minister Donohoe and Minister Fleming and the Department of Finance on the review of the Policy Framework for Credit Unions announced in the Programme for Government”.


For the government press release click the link below.

Minister Donohoe announces Credit Union Sector Levy Regulations 2020



By Éilish Larkin
Credit Unions - Best Customer Experience for the 6th Year in a Row
November 2020

The CXi survey was conducted by The CX Company, in partnership with Amárach Research, in July/August 2020. A representative cross section of Irish consumers was asked to give feedback on their customer experiences with 150+ companies across ten sectors.

For the 6th year in a row Credit Unions have won the best customer experience. The main theme of the survey this year was front line workers and how they are going above and beyond for their customers in these tough times. Initiatives by credit unions include:

  • Dublin – “Stay local, borrow local campaign” where 27 credit unions grouped together to help local communities support each other during the pandemic.
  • Core Credit Union – cash delivery service for members.
  • Cork – The Lough Credit Union and their loyalty fob scheme.

For more details on the award and the efforts Credit Unions are making for their members in these unprecedented times click HERE



By Éilish Larkin
Central Bank expects lenders to engage with borrowers in financial difficulty
November 2020

The Covid 19 pandemic has impacted on all aspects of life and left no one untouched. For some the impact is minimal for others it has been and continues to be huge. With the reintroduction of level 5 restrictions, many people are no longer able to go to work due to the nature of their employment. Throughout the pandemic, the Central Bank has been very vocal in outlining the conduct it expects of financial service providers, especially lenders dealing with borrowers in difficulty.


At the end of September 2020, Director General Derville Rowland addressed the MABS annual seminar. The speech covered many topics including the stability and soundness of firms, the component parts of financial conduct regulation and Covid and destressed debt. The Director noted “…. given that some borrowers may continue to experience difficulties in returning to loan repayments and require individually tailored supports. In those cases, the Central Bank expects lenders to engage constructively with their customers to ensure appropriate solutions - which can include further forbearance if appropriate to the borrower circumstance - are available.”


With many of the initial payment break agreements coming to an end in the near future the customer first approach of the Central Bank as the Regulator, will hopefully provide some comfort for borrowers in difficulty.


For the full text of the speech click HERE



By Éilish Larkin
Second Motor Insurance Report of the National Claims Information Database Issued
November 2020

The Central Bank of Ireland published on the 3rd of November the second annual Private Motor Insurance Report of the National Claims Information Database (NCID). The Report is being published to improve the overall transparency of the private motor claims environment. As well as providing an analysis of the cost of claims, the cost of premiums, how claims are settled, variance in and components of settlement costs, it is expected that the Report will inform policymaking.

All insures selling private motor insurance in Ireland were required to submit data to the NCID.

Among key points, the Report notes that between 2009 and 2019:

  • The average cost of a claim rose 65% while the frequency of claims fell 45%
  • Cost of claims per policy fell 9% while the average earned premium per policy rose 35%
  • Claims costs were 72% of earned premium between 2009 and 2019
  • 2009 had a loss ratio of 88%; 2019 had a loss ratio of 59%

The new data collected for this report shows us that for claimants who settled injury claims in 2019:

  • 39% settled before Personal Injuries Assessment Board (PIAB)
  • 13% settled directly, after PIAB
  • 14% settled through PIAB
  • 31% settled through litigation, before a court award
  • 2% settled through litigation, with a court award

Of the claimants who settled injury claims through litigation during 2015 to 2019, 85% settled for less than €100K. For these claimants the average compensation was €23,572 and average legal costs were €14,949.

The new data collected for this report shows us that for claimants who settled injury claims in 2019:
  • 39% settled before PIAB
  • 13% settled directly, after PIAB
  • 14% settled through PIAB
  • 31% settled through litigation, before a court award
  • 2% settled through litigation, with a court award
This report lays out the cost of insurance in Ireland for all to see. Those in the industry have laid the root of pricing increases down to an emergent compensation culture, but from the looks of it, the Central Bank is grounding the issue in pricing as the main issue. Overall, premiums are falling, down 9% from the high point in Q2 of 2018:


Click HERE to read the Central Bank Press Release


By Judy de Castro

British Airways – largest ever fine imposed by the UK’s Information Commission Office
November 2020

The UK data protection watchdog, the Information Commissioner’s Office (ICO) has fined British Airways £20m, for failing to protect data that left more than 400,000 of its customers' details the subject of a 2018 cyber-attack. Originally a fine of £183m was mentioned however the impact of Covid-19 on the aviation industry was taken in to account. Despite the drop the fine is the largest imposed to date.

Information Commissioner Elizabeth Denham noted “When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,"

For the full BBC article click HERE



By Éilish Larkin
Children’s Data: Ireland’s Data Protection Commissioner Launches Inquiry into Facebook/Instagram
November 2020

On the 19th of October, the Data Protection Commissioner issued a press release to announce that it will assess Facebook’s/Instagram’s reliance on certain legal bases to process children’s personal data on Instagram. It will also look at whether adequate protections and restrictions on this platform are appropriate or adequate for children. Account settings and profiles will be examined with respect to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons.


In Ireland, children below the age of 16 (the age of digital consent) cannot give consent to online service providers to process their personal data. If consent to process personal data is requested by the online service provider for the child to access the service, parental consent must be given. Reasonable efforts must be made by the service provider to verify that consent is given by the holder of parental responsibility. Another challenge here is that across the EU there are varying ages of consent, in Spain it is 13, in Austria it is 14. The European Data Protection Board has asked organisations to refrain from creating individual profiles of children and tracking their personal data for marketing and legitimate interests. Guidelines also advise that data processing information addressed to a child should be clear and in plain language.


Facebook/Instagram could face a large fine if found to have broken privacy laws. According to the BBC, Facebook/Instagram what prompted this latest inquiry is that Instagram published email addresses and phone numbers of children under the age when their accounts were switched to a business account.


With a total of 10 inquiries opened in relation to Facebook’s/instagram’s approach to data protection, including glitches where passwords for hundreds of millions of users were stored in readable format on its internal servers last year, we await to see where all these inquiries go.

Click HERE to read more by the DPC

By Judy de Castro


Beneficial Ownership Update: Investment Limited Partnerships (Amendment) Bill 2020
November 2020

The new Bill introduces requirements around beneficial ownership to Investment Limited Partnerships and common contractual funds. The Bill will require the General Partner of an investment limited partnership and the management company of a Common Contractual Fund to establish and maintain a register of beneficial ownership and to submit that information to the Central Bank for inclusion on the Central Bank’s central register of beneficial ownership of certain financial vehicles. A “beneficial owner” means: any individual who

(a) ultimately is entitled to or controls, whether the entitlement or control is direct or indirect, more than a 25% share of the capital or profits of the partnership/CCF or more than 25% of the voting rights in the partnership/CCF, or

(b) otherwise controls the partnership/CCF.

The Bill also provides that the Central Bank can verify PPSN information pertaining to beneficial ownership registers it operates by proposing an amendment to the Social Welfare Consolidation Act 2005.

So, for those of you performing due diligence checks on these structures, update your procedures accordingly.




By Judy de Castro
Transaction Monitoring: Central Bank issues Bulletin
November 2020

The Central Bank of Ireland (CBI) has released a Bulletin to remind regulated entities they supervise that the Act specifies that a designated person must monitor customer transactions. The purpose of this is to identify transactions that may be suspicious in nature. The Central Bank expects that the intensity of monitoring should be in step with the complexity and scale of those transactions so that the risk of ML/TF is also factored in.

The Central Bank therefore expects to see connectivity between a designated person’s Business Wide Risk Assessment, CDD, transaction monitoring, and Suspicious Transaction processes. A designated person should have sufficient and up to date information on file obtained during the CDD process to determine whether transactional activity is suspicious.

Some of the key findings the Central Bank identified are:

  • No triggers for controls to reflect any new risks or potential new risks arising from the disruption caused to the financial system e.g. new threats that have become evident during the COVID-19 pandemic as detailed in FATF’s “COVID-19-related Money Laundering and Terrorist Financing” paper in May
  • Time delays in reviewing and assessing unusual activity resulting in delays in reporting suspicious transactions to the relevant authorities
  • The use of generic monitoring thresholds across varying product, service, or customer types which do not reflect the nuances of expected transaction patterns of those customer/product/service types

The Central Bank expects designated persons to review the Bulletin and update their controls as required. 

Click HERE to view the bulletin.



By Judy de Castro
Focus on Senior Executives: End of the CBI Inquiry into persons concerned with the management of Quinn Insurance Limited (Under Administration), (“QIL”)
October 2020

The story of Quinn Insurance Limited is a long one with many twists and turns. The notice of a Settlement Agreement issued on 3rd September 2020 marks the end of the Central Bank of Ireland, (CBI) inquiry.

In October 2008, the CBI entered into a Settlement Agreement with Quinn Insurance Limited for breaches of its obligations under the Insurance Acts and regulations, including a failure by the firm to notify the CBI prior to providing loans to related companies. The penalty imposed was €3.25 million.

In March 2010 Quinn Insurance Limited went into administration on foot of an application to the High Court by the Central Bank.

In February 2013, the CBI entered into another Settlement Agreement with Quinn Insurance Limited (Under Administration) for further breaches of the Insurance regulations. They included:

· No adequate procedures or controls to manage assets representing its technical reserves. The board of the firm was unaware that its subsidiaries had guaranteed Quinn group debt up to €1.2billion

· The firm had failed to maintain an adequate solvency margin. As at 31.12.2009 the margin was minus 250% a shortfall of €830 million in its assets.

The penalty of €5 million was waived as the company is in administration.

In 2015 the Central Bank started an inquiry into “persons concerned in the management of Quinn Insurance Limited (Under Administration), (“QIL”)”. The investigation concerned a suspected breach of Regulation 10(3) of the European Communities (Non-Life Insurance) Framework Regulations 1994 (S.I. 359/1994), which related to the soundness and adequacy of the administrative and accounting procedures and internal control mechanisms of QIL.

The individuals were named as Mr Liam McCaffrey and Mr Kevin Lunney. They brought a High Court challenge to the investigation and inquiry and this was decided in favour of the Central Bank in 2017.

Once the decision was handed down, the inquiry looked at the guarantees provided by the QIL subsidiaries against loans of the wider Quinn Group without the knowledge of the insurer’s board or investment committee.

As noted in the Irish Times (in an article from 3rd September 2020), “The guarantees undermined the ability of QIL to rely on the subsidiary assets to form part of a reserve of money set aside to meet insurance claims, if necessary…..”

The enquiry has now ended, and settlement agreements have been entered in to by the Central Bank with both Liam McCaffrey (in December 2019) and with Kevin Lunney (in September 2020). No details regarding the terms of the settlement have been published.

From the Settlement Agreements and inquiries, it is very clear that the CBI expects regulated financial service providers to have robust corporate governance procedures in place and that all directors must take their duties and responsibilities very seriously.

Do you have any questions on Directors Duties?

Reach out to us at info@regsol.ie for information on our training courses and consultancy services.

See the settlement agreement notices links below:

Central Bank of Ireland and Liam McCaffrey

Central Bank of Ireland and Kevin Lunney


By Eilish Larkin
Regulatory Consultant
KBC Bank Ireland plc Remanded and Fines €18,314,000 by Central Bank of Ireland for Regulatory Breaches Affecting Tracker Mortgage Customer Accounts
October 2020

Almost as high as Permanent TSB’s €21 million discussed on this blog previously HERE, we had predicted that more was to come with respect to the Central Bank’s Tracker Mortgage investigations.

KBC has admitted to 12 regulatory breaches with respect to for example, the Consumer Protection Code, which were identified during the Central Bank’s investigation. These breaches occurred as a result of the following:
  1. A proactive strategy to convert customers off their tracker rates;
  2. Failure to adequately warn customers entering into interest only or fixed rate periods that they would be unable to return to their tracker rates, at a time when KBC was withdrawing tracker products;
  3. Failure to adequately comply with the Central Bank’s Framework for the TME;
  4. Failure to adequately comply with the Stop the Harm Principles of the TME;
  5. Provision of incorrect information to the Regulator in respect of KBC’s treatment of certain tracker customers; and
  6. Operational & Systems failings.

The Central Bank determined that the appropriate fine was €26,162,857, which was reduced by 30% to €18,314,000 in accordance with the settlement discount scheme and will be paid to the Exchequer. This fine is in addition to the €153,524,363 that KBC has been required to pay to date in redress and compensation and account balance adjustments under the TME to its impacted tracker mortgage customers.

The Central Bank also expressed its dissatisfaction with KBC as highlighted in the following excerpt:

“The Central Bank has imposed a fine at the highest end of its sanctioning powers, reflecting the gravity with which the Central Bank views KBC’s failures. The impact of KBC’s failings on its customers, which related to 3,741 accounts, was devastating and included significant overcharging and the loss of 66 properties. Additionally, KBC’s engagement and co-operation with the Central Bank’s Tracker Mortgage Examination (the “TME”) was deeply unsatisfactory.”

To view the full statement click HERE


By Judy de Castro
Regulatory Consultant
Dear CEO Letter: Thematic Review: Verification of Data Submitted in Retail Intermediaries Annual Returns
October 2020

The Central Bank requires all retail intermediary firms to submit an annual return comprising general, financial, ownership, and conduct of business information. The Dear CEO Letter issued at the end of August 2020 addressed to brokers identified a number of action items to be taken with the submission of Annual Returns:

  1. To strengthen procedures and controls to ensure they are compliant with obligations to submit complete and accurate annual returns in a timely manner.
  2. To discuss this letter at the next Board meeting (or equivalent meeting in the absence of a Board) and record the discussion in the meeting minutes.
  3. To voluntarily revoke authorisations where a firm is not actively using them.
  4. Put in place robust procedures and controls to ensure they are compliant with the obligations attendant to their authorisation, in particular, the requirements to maintain a net positive asset position and prepare audited accounts annually

Click HERE to view the letter.



By Judy de Castro
Regulatory Consultant
Who is the Controller and Who is the Processor?
October 2020

On September 7, 2020, the European Data Protection Board (“EDPB”) released guidelines on the concepts of controller, joint controller and processor in the EU General Data Protection Regulation.

Often a bone of contention amongst those who draft contracts, controllers determine the purposes and means of processing, the why and how of processing, while processors cannot process data without the controller’s instructions.

Contention arises on where the line is drawn on those decisions, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent.

Click HERE to read the guidelines.



By Judy de Castro
Regulatory Consultant
Processing Customer Data for COVID-19 Contact Tracing
October 2020

The Data Protection Commission has published a guide to assist businesses in complying with data protection laws whilst adhering to Covid 19 contract tracing rules. Top tips as follows:

  • Minimise the amount of data you collect – Only collect the details that you need to provide for contact tracing e.g. name, contact number, time and date of attendance.
  • Be transparent with your customers about why you are collecting this data – You and your staff members should be able to explain clearly the purpose for collecting personal data.
  • Store this information carefully - You do not necessarily need to use technology to store this information but if you do decide to keep it electronically, ensure that the system you use is secure and delete the information at regular intervals when it is no longer required.
  • Limit this data to the purpose for which it was collected - In particular, do not use this data for direct marketing purposes or to make contact with customers for any reason.
  • Ensure you delete contact details when you are no longer required to keep them for contact tracing or compliance purposes - The current public health requirement is for a retention period of one month. Schedule deletion and destruction regularly and securely!

Click HERE to view the document.


By Judy de Castro
Regulatory Consultant
Facebook launches High Court challenge to Data Protection Commission's order to suspend EU-US data transfers
October 2020

Regulatory theory is often a balancing act between advocates of regulating by a credible threat of enforcement to ensure changes in behaviour and those who believe that building trust and positive engagement with regulated entities will foster compliance.

The Central Bank of Ireland is active in delivering fines and settlement agreements, but fines alone do not change behaviour. Our Data Protection Commissioner, Helen Dixon during a recent podcast with Heather Sussen at Orrick enthused that regulatory engagement is about building trust and shared values.

This comes as tech giant Facebook battles the Data Protection Commission for the right to transfer our personal data to the United States and continue to rely on Standard Contractual Clauses. This of course refers to the demise of the US Privacy shield previously discussed on our blog site in August available HERE.

Without the US Privacy Shield and Standard Contractual Clauses to rely on, firms may have to seek alternative means of storing and accessing personal data. It remains to be seen if the “carrot or stick” approach encourages them to act.

By Judy de Castro
Regulatory Consultant
EU Policy on High Risk Third Countries
October 2020

Based on Directive (EU) 2015/849, Article 9, the Commission is mandated to identify high risk third countries having strategic deficiencies in their regime on anti-money laundering and counter terrorist financing. The aim is to protect the integrity of the EU Financial System. From the 1st of October note the following additions:

See Table Below:


  High-risk third country

  Date of entry into force

Afghanistan

20 September 2016

The Bahamas

1 October 2020

Barbados

1 October 2020

Botswana

1 October 2020

Cambodia

1 October 2020

Democratic People's Republic of Korea (DPRK)

20 September 2016

Ghana

1 October 2020

Iran

20 September 2016

Iraq

20 September 2016

Jamaica

1 October 2020

Mauritius

1 October 2020

Mongolia

1 October 2020

Myanmar

1 October 2020

Nicaragua

1 October 2020

Pakistan

2 October 2018

Panama

1 October 2020

Syria

20 September 2016

Trinidad and Tobago

14 February 2018

Uganda

20 September 2016

Vanuatu

20 September 2016

Yemen

20 September 2016

Zimbabwe

1 October 2020



Details can be found HERE

 

By Judy de Castro
Regulatory Consultant

Criminal Justice (Money Laundering & Terrorist Financing) (Amendment) Bill 2020
October 2020

Finally, on the 8th of September, the Minister for Justice and Equality set before Dáil Éireann the script of the long awaited 2020 Bill which was meant to transpose into Irish law the EU’s Fifth Anti Money Laundering Directive (5AMLD). That was supposed to happen back in January 2020. The Table below sets out some of the changes, enjoy!!


Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020

To be cited as Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010-2020

Section #

Subject Area

Amendment

33

Beneficial Ownership

Verify identity of Senior Managing Official

35

Beneficial Ownership

Prior to establishment of a business relationship with a customer to which the EU (Beneficial Ownership) Regs apply, a designated person shall ascertain that information concerning the BO of that customer is contained the Central Register (RBO for example)

36A

Transaction Monitoring

In accordance with policies and procedures adopted in accordance with section 54, examine the background and purpose of all transactions that are:
- complex        
- unusually large    
- unusual pattern  
- do not have a lawful or apparent purpose

37

Politically Exposed Persons (PEPs)

Apply measures to a PEP for as long as is reasonably required, taking into account the risk posed by that person and until such time as that person is deemed to pose no risk. Minister of Finance to issue list of functions held by PEPs

38

High Risk Third Country

More defined measures to mitigate risk of a customer established in a high risk third country by obtaining additional information on the customer and beneficial owner:
- on intended nature of business relationship
- source of funds and wealth on customer AND beneficial owner
- information on reasons for intended transactions
- approval of senior management
- enhanced monitoring of the business relationship by increasing number of timing and controls and selection of patterns of transactions that need further examination

42

Suspicious Transaction Reports

FIU Ireland to provide follow up reports to designated persons

51

Tipping off

Protection regarding disclosures between credit/financial institutions, majority owned subsidiaries AND those in 3rd countries in compliance with Group wide policies

60

Competent Authorities

Central Bank of Ireland competent authority for custodian wallet providers

Schedule 4

Higher Risk Factors

-Customer Third Country national applying for residence rights in state in exchange for purchase of property or investment
- non face to face business without relevant safeguards such as electronic identification means
- transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, items of cultural or religious importance, ivory and protected species.



Click HERE for the Bill’s full text

Need help doing your Fifth EU AML Directive gap analysis? Contact RegSol for immediate assistance.

 

By Judy de Castro
Regulatory Consultant

AML Leaks: the FinCEN Files
October 2020

News outlets around the world have been reporting on a data leak involving the US Financial Intelligence Unit, FinCEN. These are the people who combat financial crime in the US and to whom Suspicious Transaction Reports are made. Suspicious Transactions Reports (STRs) are made by Banks and other financial institutions on clients that they may have suspicions about.

More than 2,500 documents on these STRs were leaked to Buzzfeed News and shared with an international consortium of journalists as was the case regarding previous scandals involving the Paradise Papers and Panama Papers. The leaked files shed fresh light on how UK legal entities called limited liability partnerships (LLPs) are playing a massive role in the flow of suspect funds through the global banking system. It has also emerged via the Irish Times that Dublin based firm IOS had facilitated these illicit flows from a rented house in Ranelagh by setting up dozens of UK LLPs connected to various scandals including the Danske Bank Scandal. Danske had allowed over 200 billion Euros worth of suspicious activity to flow through its Estonian branch which has now been shut down, the perpetrator of arguably the largest Financial Crime Scandal in Europe.

The salient point about the latest media frenzy is that banks and financial institutions are being blamed for allowing this activity to take place. Whilst banks can take action and do often deleverage high risk accounts off their books, once a STR is filed, it is up to the Financial intelligence units and law enforcement to act on the intelligence provided.
By Judy de Castro
Regulatory Consultant


Pricing in the Private Motor & Home Insurance Markets - CCPC Issued Preliminary Findings
September 2020

On 17th September 2020, the Competition and Consumer Protection Commission (CCPC) issued preliminary findings against AIG Europe S.A., Allianz PLC, AXA Insurance DAC, Aviva Insurance Limited, FBD Insurance PLC, Brokers Ireland and AA Ireland Limited.

The investigation alleged that these seven insurance providers engaged in anti-competitive cooperation over a 21-month period between 2015 and 2016 that involved the practice of making competitors aware of forthcoming price increases so they can also be encouraged to increase prices thereby ensuring their customers are less likely to move or switch.

The CCPC has stressed that its findings in alleged price signalling are provisional and no conclusion should be drawn at this stage that there has been a breach. However, it is notable that there appears to be a concerted effort to holistically address pricing in the private car and home insurance markets.

For example, the Central Bank of Ireland published a Dear CEO letter on the 8th of September of phase one of their review of differential pricing highlighting a failure by insurers to acknowledge the utilisation of price differentiation within.

The programme for government, agreed in June, pledged to work to “remove dual pricing” from the insurance market and the publication of the Consumer Insurance Contracts legislation also looks to address the imbalance. Defining pricing strategy clearly and balancing customer and commercial outcomes appropriately seems to be the key driver in ensuring a positive outcome for motorists and homeowners in the insurance market. 


If you’re keen on embedding a Consumer Protection Risk Management Framework in your business, or would like training in this regard, contact RegSol.


by Eilish Larkin
Regulatory Consultant
New Technologies Risk Assessment
September 2020

In preparation for Ireland’s AMLD5 readiness, affected firms should have regard to the update to the National Risk Assessment of new and emerging technologies. This document has been undertaken in accordance with Recommendation 15 of the Financial Action Task Force (FATF). The sectors assessed for the purposes of this ‘new technologies’ risk assessment are:
  • virtual currencies/assets,
  • electronic money
  • crowdfunding.
The Department of Finance who publishes these assessments of Ireland’s AML-CTF risks, has given crowdfunding and virtual currencies risk ratings of medium-high, despite new regulations being considered in order to mitigate the associated risks. It is of course the scale of these new technologies and likelihood these are associated with illegal activity that has elevated the risk ratings. For example, as of April 2019, there were an estimated 2.160 different virtual currencies globally. Collectively, these had a total market value of roughly $182 billion (€162 billion).

A recent study by a group of Australian academics has determined that approximately one-quarter of bitcoin users and one-half of bitcoin transactions are associated with illegal activity. Around $72 billion of illegal activity per year involves bitcoin, which is close to the scale of the US and European markets for illegal drugs.

Regarding Terrorist financing risks, these are considered as more likely to arise through the intersection of terrorism and criminality, with organised criminals being assessed as more likely to be aware of, and make use of, this sub-sector. It is assumed that once providers of virtual currencies become obliged entities under AMLD5, the opaqueness of this sector will somewhat dissipate.

Click HERE to read the full document.
Going Back to School
September 2020

For the next couple of months, we hope that our clients and our colleagues are transitioning to some level of normality as our children go back to school. 

For many, September will mark new beginnings, not only for those starting primary or secondary school but school will mean following new rules, new procedures and protocols, not sharing pencils or lunch boxes but keeping a distance and staying in a bubble or a pod. In the world of regulatory compliance these experiences got us thinking about culture, compliance, ethics, and good risk management. 

Similar to a change in procedures following the introduction of new laws or regulations, both scenarios require a clear understanding of what those rules mean, what impact they will have, how to implement them and how to monitor the effectiveness of controls designed to ensure compliance. Filling in forms, ticking boxes and training exercises are all well and good, but are they effective and do they change people’s behaviours and patterns of habit? 

A good culture of compliance requires good and visible leadership by example, positive reinforcement and encouragement through performance management and monitoring and finally the key ingredient is “buy in.” The belief that rules and regulations are enhancing and protecting our companies and our jobs is really what motivates us. 

The classroom may be a changed place but following the rules with conviction is something we will all have to do if we wish to embed changes.

By Judy de Castro
Regulatory Consultant


Credit Unions: What Does the Future Hold?
September 2020

Credit Unions are at the heart of many communities in Ireland both urban and rural.

As per the Irish League of Credit Union’s (ILCU) website there are currently across Ireland (both North and South) 326 Credit Unions, 3.6 million members and savings of €14.8 billion.

The credit union movement has its roots in volunteering with many people giving of their time and efforts to run local credit unions. Despite the voluntary and co-operative aspects, they are subject to the same stringent regulations as entities where making profit is the motivation.

In the July 2020 Report “The Movement” the current situation for credit unions and their future was discussed. The report outlines various aspects of the situation including what credit unions want and makes policy recommendations for government consideration. It is clear change is needed.

Credit union members want the personal touch and local knowledge but also want access to mortgages, small business loans and other financial products. Many credit unions would like to offer further services but due to current regulations are not able to do so.

It seems the current regulatory requirements are strangling the growth and development of credit unions. The 10% capital reserves requirement means “that many credit unions are faced with an ongoing challenge of bolstering their reserves to maintain this reserving level”. Every €1000 of savings a credit union has needs to be matched by €100 in a trading surplus. In the current climate caps on the amount of savings a member can have with their credit union are becoming more common.

The current President of the ILCU, Gerry Thompson stated in a recent interview "I think it's Government's job to recognise the fundamental difference between voluntary, community-based credit unions and banks - and find a proper framework."

As we are mid pandemic and new Government is just in, it is extremely unlikely that we will see any changes to the regulatory environment for 2020. What is clear is there remains a call for change from within the sector and the relationship between credit unions and the central bank will need to continue to evolve.

Click HERE to read the full report.



By Judy de Castro
Regulatory Consultant


Central Bank publishes Business Interruption Insurance Supervisory Framework
September 2020

Since the start of the pandemic there has been focus on business interruption insurance. There have been lots of items in the media regarding claims being made and the difficulties faced by many claimants particularly with respect to the interpretation of business interruption.

In this context on 5th of August 2020, the Central Bank of Ireland published its Business Interruption Supervisory Framework.

In summary:

  • Framework sets out the Central Bank’s expectations of insurance firms in handling COVID-19 related business interruption insurance claims
  • Where customers have an entitlement to claim under a business interruption insurance policy, the Central Bank expects that claims will be processed and paid promptly and fully
  • Where cover and related issues are disputed, the Central Bank expects firms to pay the reasonable costs of customer plaintiffs in agreed test case litigation
  • The Central Bank is aware that in many cases BI insurance policy wording will be clear in relation to customer entitlements concerning COVID-19 related claims. However, where there is a doubt about the meaning of a term, the interpretation most favourable to the customer should prevail.
It is notable that the Central Bank has included within it’s Covid-19 SME information portal a specific FAQ with respect to business interruption. This FAQ sets out that if operations have had to be scaled back because of COVID 19 or business has had to close but the insurance company has declined the claim based on Business disruption clauses. The Central Bank has said:

“Where a claim is made because a business has closed as a result of a Government direction due to contagious or infectious disease, the Central Bank is of the view that the recent Government advice to close a business in the context of COVID-19 should be treated as a direction. This is a view that has also been set out by the Minister for Finance, Public Expenditure and Reform. Firms must ensure that claims are appropriately assessed and where there is insurance cover in place that claims are accepted and paid promptly.”


You can access the FAQ here: Covid-19 Small and Medium Enterprises FAQ

You can access the supervisory framework press release here: 
COVID-19 and Business Interruption Insurance Supervisory Framework


By Judy de Castro
Regulatory Consultant
COVID-19: Data Privacy vs Health and Safety
September 2020

Following the return to work protocols may give you a legal basis for processing health data but appropriate safeguards must be in place.

Data protection does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when Employers are handling personal data in these contexts, particularly health and other sensitive data.

Employers should take note of the following:

  • Where acting on the guidance or directions of public health authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
  • Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner.

For more information click on the links below:

Data Protection - Return to Work Safely Protocol

Statement by the EDPB Chair - Processing Personal Data in the context of the COVID-19 outbreak


By Judy de Castro
Regulatory Consultant

Brexit: Personal Data Transfers
September 2020

Companies need to be aware if they are transferring data to the U.K. that steps need to be taken before the 31st of December to ensure an appropriate legal basis for transfers of data are in place.

Given how much has happened in 2020 especially with Covid-19, you could be forgiven for forgetting about the impending impact of Brexit. Last month, the European Commission published a notice to stakeholders providing an update on personal data transfers after the end of the Brexit transition period on 31 December 2020.

The Notice seeks to keep interested parties informed on the legal considerations concerning transfers of personal data from the EU to the UK after the Brexit Transition Period. After the end of the transition period, any transfer of personal data to the United Kingdom other than that governed by Article 71(1) of the Withdrawal Agreement will not be treated as sharing of data within the Union.

It will need to comply with the relevant Union rules applicable to transfers of personal data to third countries. The European General Data Protection Regulation ("GDPR") prohibits the transfer of personal data from the EEA to non-EEA countries unless certain specific safeguards (contained in Chapter 5 of the GDPR) are applied as the appropriate basis for any transfer.

Such appropriate safeguards include, for example the use of Standard data protection contractual clauses or Binding corporate rules.

Those seeking to transfer personal data from the EEA to the UK after the Brexit Transition Period will need to consider their proposed data flows and understand the basis on which they will seek to validate such transfers.
To view the notice in question click HERE

By Judy de Castro
Regulatory Consultant
Cabinet Approves publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020
September 2020

On Aug. 10, the Cabinet approved a bill to transpose the European Union’s Fifth Anti-Money Laundering Directive (AMLD5) into national law, thereby strengthening existing legislation in Ireland.  

Approval from the Cabinet gives Ireland’s Minister for Justice and Equality, Helen McEntee, the go-ahead to publish the new bill. 

AMLD5 first came into force on July 9, 2018, and gave EU member states until January 2020 to incorporate the directive into their respective national laws.

In July, the European Court of Justice had fined Ireland 2 million euros for its delay in bringing the country’s AML and CFT rules into line with the rest of the EU. 

The Bill includes provisions to:
  • improve the safeguards for financial transactions to and from high-risk third countries and sets
  • new limits on the use of anonymous pre-paid cards;
  • bring a number of new ‘designated bodies’ under the existing legislation, this includes virtual currency providers and associated online ‘wallet providers’ for virtual currencies as well as dealers and intermediaries in the art trade;
  • prevents credit and financial institutions from creating anonymous safe-deposit boxes;
  • enhances the customer due diligence (CDD) requirements of the existing legislation;
  • sanctions for credit and financial institutions that do not screen for EU financial sanctions;
  • provides for Ministerial guidance which will clarify domestic “prominent public functions” for Politically Exposed Persons 

If you would like to keep up to date on this topic, details of our AML Update courses are available HERE


By Judy de Castro
Regulatory Consultant
Do you transfer data to U.S. companies?
September 2020

If you use third parties based in the US to process personal data on your behalf, whether it is to store data electronically or for the purposes of client relationship management, take note of where these providers send your clients’ data. 

In cases where third party service providers are US based and store your data in the US, beware of the following:

  • Where providers rely on the EU-U.S. Privacy Shield, this is now invalid (legal mechanism for transferring personal data from the European Economic Area (EEA to US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers. 
What should you do now?

  • You should check the privacy policies and or data protection agreements you currently have with U.S. companies.
  • If any of those policies or agreements refer to U.S. Privacy Shield you should contact that company immediately to request clarification and an update on the legal basis for them receiving personal data.
  • If you cannot obtain clarification you must consider using an alternative company to process the relevant personal data.

By Judy de Castro 
Regulatory Consultant
MLRO Update: Revenue STR Reporting to go Online…Finally!
August 2020

Up until now, Designated Persons would have been making their Suspicious Activity Reports online to the Gardai via their online reporting system “FIU GoAML” and then making a separate report to the Revenue Commissioners via post. 

From the 7th of September 2020, Revenue Commissioners will require suspicious activity reports to be submitted online to Revenue, using Revenue‘s Online Service (ROS) only. Revenue will no longer accept hard copy (paper) STRs from that date onwards.

Reporting Entities will continue to submit STRs to both Revenue and An Garda Síochána’s Financial Intelligence Unit (FIU), as dual reporting remains a requirement.

All reporting entities must register with ROS first. 

For further information please click HERE.


By: Judy de Castro

Regulatory Consultant

Beware the Processing of Third Party Payments: BOI Fined €1.6 M in €106 K Cyber Fraud & for misleading the CBI
August 2020

On the 28th of July the Central Bank of Ireland reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations). The offender, BOI’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB) was found to have serious deficiencies which occurred over a decade around third- party payments including: 

  • Inadequate systems and controls to minimise the risk of loss from fraud
  • Inadequate governance, oversight and ongoing review of the systems and control environment
  • Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
  • Lack of compliance monitoring.

By hijacking the client’s account and using social engineering techniques such as using similar terminology to the client, the Cyberfraudster issued two separate payment instructions to BOI’s subsidiary totalling €106,430. BOI’s subsidiary nevertheless processed these payments, despite the instruction being signed off with an entirely different name than the name of the client. In addition, the following red flags should have been picked up:

  • incorrect telephone details; 
  • the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; 
  • and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.

Aggravating factors include a very serious matter of not reporting the fraud to An Garda Siochana and the Revenue Commissioners and for failing to be open and transparent with the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments. 

For more on this read the CBI’s full press release HERE


By Judy de Castro - Regulatory Consultant
PSRA: Successful Unlicensed Prosecution by the Property Services Regulatory Authority
August 2020

On 2nd July 2020, Oriel Property Management Limited was convicted at Dundalk District Court of a breach of Section 28 of the Property Services (Regulation) Act 2011, following a prosecution by the Property Services Regulatory Authority (PSRA) for providing property services without a licence. 

Oriel Property Management were fined €2,500 and have to pay the Property Services Regulatory Authority’s costs also.

The PSRA’s Chief Executive, Ms Maeve Hogan, speaking following the court case said, “The PSRA has zero tolerance for property services providers operating without a licence…” 

For the full press release click HERE


By Éilish Larkin - Regulatory Consultant
PSRA: Four- Month Extension Granted
August 2020

The Property Services Regulatory Authority (PSRA) has announced the commencement of S.I. No. 162 of 2020, Property Services (Regulation) Act 2011 (Section 95) (Extension of Licences) Regulations 2020. 

The introduction of these Regulations grants a four- month extension to licences due to expire between 7 May 2020 and 31 August 2020. Granting of the extension of the licence by four months acknowledges the practical difficulties for Licensees in fully complying with licence renewal requirements and therefore, enables the sector to continue to legally trade during the Covid 19 emergency. 

The licence extension will be subject to the availability of the required level of Professional Indemnity Insurance (PII).

See the Statutory Instrument HERE


By Judy de Castro - Regulatory Consultant
Credit Unions in the News
August 2020

On the 17th of July 2020, the Central Bank of Ireland issued a press release regarding the appointment of joint liquidators to Drumcondra and District Credit Union.

In summary:

  • Action taken in the best interests of members and the broader public
  • Full Resolution Report and Affidavit released
  • Deposit Guarantee Scheme has made pay-outs to most eligible depositors
  • The action taken is not related to the exceptional circumstances of COVID-19

For more information please click HERE


By Éilish Larkin - Regulatory Consultant
COVID-19 – Payment Breaks in Credit Union’s Circular issued by the Central Bank of Ireland June 2020
August 2020

The Central Bank of Ireland has been in contact with the boards of all credit unions throughout the pandemic at various times.  The letter in June was regarding payment breaks offered to members who may be experiencing difficulties in paying their loans at this time.

In summary the CBI expects:

  1. Credit unions act in a way that protects the best interests of borrowers.
  2. Credit unions give appropriate support to borrowers who have been affected by COVID-19.
  3. Payment breaks should be a generally available option to affected borrowers, including those borrowers’ already in financial distress. 
  4. Credit unions are operationally ready and prepared to engage with borrowers during, or at expiry of, the payment break in order to identify whether or not the borrower requires further support, and if so, to consider appropriate and sustainable solutions, as soon as possible.
  5. Credit unions are fully transparent and clear to borrowers as to what will happen after the term of the payment break, including setting out the available options to repay the loan and the full costs of the payment break. 
  6. Credit unions have board approved plans to deliver an assessment of all borrowers on payment breaks to ensure that appropriate and sustainable solutions are identified in a timely manner for those borrowers who are not able to return to paying full capital and interest at the end of the payment break. 
  7. The prioritisation of borrower engagement, assessment and determination of an appropriate and sustainable solution should be determined by the risk profile of the borrower.  
  8. The level of distress in the credit unions’ loan books should be prudently considered and be reflected in provisioning levels. 
  9. Sufficiently granular and timely reporting of the take-up of payment breaks across borrower type and sector should be readily available and used to inform key decision-making processes in credit unions.

For the full circular from the Registrar please click HERE


By Éilish Larkin - Regulatory Consultant
Game Changer? The Consumer Insurance Contracts Act 2019
August 2020

On 17 July 2020, the Minister for Finance, Paschal Donohoe T.D., announced that the Consumer Insurance Contracts Act 2019 (the Act) will be commenced in two stages, with some provisions taking effect from 1 September 2020.

To some relief, some of the most burdensome provisions will not take effect until 1 September 2021, giving industry insurers time to prepare. These include a revised duty of disclosure, enhanced rights for consumers on renewal rights and changes to the duties imposed on consumers and insurers on renewal.

All other provisions under the Act will apply from 1 September 2020, including those dealing with:

  • the principle of insurable interest;
  • cooling-off periods and cancellation rights;
  • post-contractual duties;
  • claims-handling duties and related requirements, including specific limitations on deferring property claims payments and proportionate remedies;
  • the replacement of warranties with the concept of "suspensive conditions"; and
  • changes to subrogation and third-party rights. 

The changes introduced by the Act mean that all insurers (life and non-life) operating consumer business in Ireland must review and update all proposal forms, policies and related documentation, as well as the manner in which pre and post-contractual processes operate. 

Insurers, and indeed all market participants impacted including brokers should progress their implementation projects as a matter of urgency. 

The Central Bank of Ireland may, under the power granted to it by Section 5 of the Act, issue a code of practice on the form of a contract of insurance and or any other requirements related to such a contract contained in the Act. It remains to be seen whether this will take the form of a revision of the Central Bank's Consumer Protection Code 2012.

Although these provisions may increase the cost of compliance, RegSol is here to assist in taking the pain out of compliance assurance. Contact us for assistance to ensure you’re ready for regulatory change.


By Judy de Castro - Regulatory Consultant
CBI’s Dear CEO Letter for Investment firms: unregulated activities
August 2020

The Central Bank of Ireland (‘CBI’) has outlined their expectations with respect of the offering of products and services considered to be outside the scope of regulation in their Dear CEO letter to the industry. There is a significant risk they say that clients may misunderstand the protections afforded to them when investing in unregulated products and firms must act “fairly, professionally and in the best interests of their clients at all times.”

The minimum requirements in this regard are:

  • Communication of regulatory status of products/services at every stage of sales process to clients to aid transparency to avoid implying these are regulated where they are not
  • Appropriate disclosures and risk warnings on all materials including for example that compensation schemes are not applicable due to being out of scope of regulation

Affected firms should ensure these requirements are communicated to their Boards and that necessary measures are taken to ensure controls and processes adhere to the CBI’s expectations. 

Click HERE to see the CBI’s Dear CEO Letter in full.


By Judy de Castro - RegSol Consultant
Cross Border Data Transfers: Schrems II Judgement Day- David vs Goliath
August 2020

For those of you that have been following the epic battle between Max Schrems, the Austrian privacy activist and lawyer who is in our view “David” against the “Goliath” that is Facebook,  (within the context of the United States Surveillance Framework), judgement came on the 16th of July. 

This is concerning a complaint brought by Mr Schrems to the Irish Data Protection Commissioner who referred the matter to the European Court of Justice. The matter relates to the transfers of Schrems’ personal data by Facebook Ireland to Facebook Inc. into the US. If you use google analytics, gsuite, Microsoft, twitter, linkedin, etc, chances are EU data subjects’ personal data is flowing to servers in the US under the US Privacy shield and are affected by this. 

In a nutshell the ECJ has declared:  

  • EU-U.S. Privacy Shield invalid (legal mechanism for transferring personal data from the European Economic Area (EEA to US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers. 
What should we do now?

  • U.S. and EU companies that relied on the Privacy Shield should consider alternate methods of cross-border data transfer, such as the SCCs or binding corporate rules, or the applicability of the Article 49 derogations. 
  • Immediately re-evaluate data transfers with third parties into third countries under SCCs. Review your record of processing and risk assessments. Monitor further guidance from the EU Commission, the European Data Protection Board (EPDB) and the Data Protection Commission. If you were relying on the Privacy Shield, you need to find other ways to permit data transfers into the United States or should consider locating data processing operations, such as servers, to the European Union. Other methods of cross-border data transfer include the SCC or establishing Binding Corporate Rules (Art. 47 GDPR). 
Problems for the future?

We foresee issues with enforcement. When looking at the United States, should a dispute arise, even if parties agree on a jurisdiction of the courts in the EU, the US is not a signatory to the Hague convention and so can we ever confidently say an EU data subject’s data is protected in the US?


Click HERE to view the judgement.


By Judy de Castro - Regulatory Consultant

ECJ imposes €2m fine on Ireland over AML Directive Delays
August 2020

The European Union’s top court, the European Court of Justice (ECJ) ordered Ireland on the 16th of July to pay a lump sum of €2 million to the European Commission for failing to implement in full regulations aimed to prevent money laundering and terrorist financing within the period prescribed.


Romania was also hit with a fine of €3 million in the judgment.

 

The judgement relates to implementation of directive 2015/849 or the 4th EU AML Directive. Member states are provided with an appropriate lead in time to implement EU regulations. In this case, the Directive required member states to comply with the relevant administrative provisions by 26 June 2017. Ireland implemented most of these provisions more than a year later, in November 2018.


So, on 27 August 2018, the Commission had brought actions against Ireland and Romania before the ECJ for failure to fulfil their obligations. Ireland and Romania had argued that the fines sought by the European Commission were unjustified and disproportionate.


But the court ruled that even though the countries had since complied with the rules, there was an undue delay in fulfilling their obligations.

 

With Ireland already late in transposing directive 2018/853 or the 5th EU AML on the 10th of January of this year, Ireland could expect to pay another hefty fine in due course. The Commission has already issued Ireland with a formal notice.

 

To view the ECJ Press release Click HERE


 

By Judy de Castro - RegSol Consultant


Pandemic Impact – It’s the little things!
August 2020

Here in Roscommon, it is something similar in terms of the roller coaster of emotions mentioned by Judy.  Covid-19 has impacted every aspect of life and changed most experiences.  There is no such thing as a quick trip to the shop for a few bits and pieces.  

Queues (which I associated with Dublin) and hand sanitiser are everywhere, not to mention masks.   Smaller premises have signs on the door limiting the number of customers that can be inside at any one time.  The easing of restrictions has allowed me to meet all the RegSol team last week in person while following all the guidelines.  

In addition to the challenges completing everyday tasks such as shopping there is the added use of technology which brings its own issues.  The advances that have been made mean a lot of people can work remotely and “Zoom calls” are a key part of keeping in touch for business and in personal life.  On the flip side, the pandemic has been a paradise for many scam artists as not everyone is up to speed regarding the dos and don’ts of technology.  

As I settle back into life in the West (having joined RegSol and left Dublin mid pandemic) I look forward to working with the team and meeting new and existing clients in the “new normal”.  The new desk looks out over fields and trees and my washing line, all I need now is some more sunshine!!!


By Éilish Larkin - Regulatory Consultant

Lockdown Blues- Overcoming Division
August 2020

During this COVID-19 Global Emergency, I have felt overwhelmed, exhausted, exasperated, elated, and caught between division and uncertainty. Like a pendulum, I’m longing to jump on a plane to escape to the sea, sun, warmth of the sun on the continent to see my relatives, and then flip-flopping, looking to batten down the hatches on this island and sterilise my door handles, my hands,  my children. 

I want to hug friends and socialise to my heart’s content but then I want to retreat into isolation and social distance. 

This I think is reflected in the division surrounding my village in Malahide. Fingal County Council has recently closed off and pedestrianised New Street, the main artery into the village, where the famed Gibney’s is a household name and many restaurants and cafes adorn the street. 

Locals are at the very least not amused with this closure; and some local businesses have set up a rival Facebook page to “Save Malahide Village” from pedestrianisation. Villagers have posters poking out of windows, doors, shop windows protesting the green initiative. 

Whereas before local social media would chastise those who would not keep their distance, this has now been replaced with jibes and questions of loyalty boiling down to one question : “Are you for the pedestrianisation of New street or are you against it? I think I will batten down the hatch on this one, thanks!


By Judy De Castro - Regulatory Consultant


DPC Regulatory Activity 2018-2020
July 2020

The DPC has published a two year Regulatory Activities report under the GDPR to assess the range of regulatory tasks over the period 25 May 2018 to 25 May 2020.

From 25 May 2018 to 25 May 2020, the DPC:

  • received in excess of 40,000 emails, 36,000 phone calls and 8,000 postal contacts;
  • opened 15,025 cases in support of individuals’ rights;
  • concluded 80% of cases opened (so far); and
  • reduced conclusion times for cases (average days taken to conclude a case or query down by 53% over two years).

Since 25 May 2018, the most frequent GDPR topics for queries and complaints have consistently been: Access Requests; Fair processing; Disclosure; Right to be Forgotten (delisting and/or removal requests); Direct marketing and Data Security. 

Figures indicate that the DPC is dealing with high volumes of cases that are potentially resolvable at a data controller/ Data Protection Officer level.

  • Total breach notifications received between 25 May 2018 and 25 May 2020: 12,437.
  • 93% classified as relating to GDPR (11,567 notifications).
  • Of the 12,437 total recorded breach cases, 94.88% concluded (11,800 cases).

The most frequent cause of breaches reported to the DPC is unauthorised disclosure (80%). Human error are at the root of far more reported breaches than phishing, hacking or lost devices (5.6% collectively). 

Figures indicate that the DPC is dealing with breaches that could be mitigated by more robust technical and organisational measures.

Click HERE to view the full report.

By Judy de Castro - Regulatory Consultant


CBI’s Governor on COVID-19 and Protection of the Consumer
July 2020

On 24th of June the Governor of the Central Bank Gabriel Makhlouf published his reflections on the CBI’s approach to protecting consumers in terms of price stability, resilient financial institutions and 

Codes of Conduct and Culture available HERE to view

By Judy de Castro - Regulatory Consultant