CBI Calls on Fintech Firms to Undertake Regulatory Review
14 Dec 2021
Enhanced Regulatory Scrutiny
The authorisation and supervision of these Firms is now the responsibility of the CBI's Credit Institutions Supervision Directorate. This is reflective of what the CBI notes as the "increasingly important role [that these Firms play] in the financial system and in the lives of consumers."
The letter is another example of how this sector has come under increased supervisory scrutiny recently, particularly in light of the growth in the number of Firms, the scale of their businesses and the number of consumers using their services.
The letter sets out the CBI's expectations for the Firms and outlines specific actions for each Firm to take by 31 March 2022.
Set out below is a summary of the supervisory expectations contained in the letter.
The CBI highlights the importance of Firms submitting accurate and timely regulatory returns. It expects Firms to be proactive in their communications and notify the CBI as soon as they become aware of any breach of legal or prudential requirements, or any other material or adverse development that may impact on their business.
Firms must notify the CBI, at the earliest possible opportunity, where there is an expectation of a material change to the Firm's business model. The CBI provides two examples of what constitutes a material change: where the Firm is making a substantive change to its service or product offering or materially changing the way in which its service / product offerings are provided; or the Firm’s business projections are forecast to be significantly in excess of that outlined in the authorisation process.
The CBI had previously identified safeguarding as one of its areas of focus from a supervisory perspective. Firms must currently assess their compliance with their safeguarding obligations under the European Union (Payment Services) Regulations 2018 and the European Communities (Electronic Money) Regulations 2011.
Firms must have robust, board approved, safeguarding risk frameworks which ensure that relevant client funds are appropriately identified, managed and protected daily; including the clear segregation, designation and reconciliation of user balances.
The CBI expects that Firms are able to recover if in difficulty, and if they cannot, they should be resolvable without significant externalities.
Firms are expected to have an appropriate exit / wind-up strategy which is linked to their business and operational model.
Fitness and Probity
The CBI referred to its earlier industry letters on fitness and probity where it set out its expectations including in relation to initial and ongoing due diligence for candidates proposed to controlled functions, and reporting issues to the CBI.
Conduct and Culture
The letter reminds Firms that they are required to embed a consumer-focused culture supported by internal systems and controls, including well developed risk management frameworks.
From a product development perspective, the Central Bank expects Firms to review the risks to consumers of financial services in its Consumer Protection Outlook Report 2021 and take action where appropriate.
The CBI expects Firms to be able to respond to, recover, and learn from operational disruptions and published new operational resilience guidelines recently.
The CBI expects Firms, including those which are part of a larger group, to operate sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised in Ireland. This is important for Firms which operate as part of a larger international group and who outsource functions outside Ireland. Oversight of those functions, and ultimate responsibility (in terms of senior management) must be in Ireland, and the board and senior management remain responsible for ensuring the Firm's compliance with its legal and regulatory obligations. Boards must also ensure they have the skills and knowledge to understand the risks the Firm faces, and their responsibilities.
Firms must ensure they have a robust anti-money laundering and countering the financing of terrorism framework in place, based on the Firm's risk assessment (that is specifically focussed on the money laundering and terrorist financing risk arising from the relevant Firm's business model).
Firms are required to conduct a compliance review and make a formal notification to the CBI by 31 March 2022 confirming that this review has been completed.
As part of this review, each Firm will need to carefully consider their compliance with any firm-specific conditions imposed by the CBI at authorisation, or since, and complete an assessment of their compliance with the safeguarding obligations under the European Union (Payment Services) Regulations 2018 and the European Communities (Electronic Money) Regulations 2011.
The review should be clearly documented and records kept of any underlying data and information used. Board decisions should be minuted, and a remediation plan must put in place where any issues are identified.
A report must be produced for the board and it will have to then approve the attestation for the CBI submission.
How we can Help
Our Financial Services Regulatory team has advised many firms on their safeguarding obligations, and on general compliance with financial services obligations and conditions imposed by the CBI.
We can guide Firms on the parameters for their review project and assist in completing a gap analysis. We can also prepare or review board reports and facilitate CBI notification filings. We can also work with the business and second line to prepare remediation plans.
Further information on our Irish Financial Services Regulatory Group, and the services we provide is available on our website page and in our FSR and Fintech brochures.
If you would like further information, please liaise with the below or your usual Maples Group contact.
Our Financial Services Regulatory group in Ireland comprises of leading lawyers and experienced industry professionals with a wealth of experience in advising clients on regulatory requirements and how to manage regulatory risk within their business. Our highly technical team deliver pragmatic and solutions-focused advice to our clients.
T: +353 1 619 2023
T: +353 1 619 2125
T: +353 1 619 2122
Senior Regulatory Executive Dublin
T: +353 1 619 2158