Irish FinTech Regulation Focus 2023 - Six Key Areas

The Central Bank of Ireland ("Central Bank") authorises and supervises firms operating in the payment and e-money sector in Ireland and is cognisant that this is becoming an increasingly important sector within the broader Irish FinTech market. 

This sector continues to see significant growth: there are more authorised firms, a greater number of consumers are accessing the services offered by these firms and a higher amount of funds are safeguarded as a consequence.

Through its engagement with firms and industry representative bodies, the Central Bank communicates its regulatory expectations and indicates areas where it will focus its supervisory attention. 

Set out below are six key areas that will be the Central Bank's focus in 2023:

1. Safeguarding

The protection of users' funds is viewed by the Central Bank as one of its most important objectives.  Its supervisory engagement during 2022 revealed that one in four payment and e-money firms have deficiencies in their safeguarding risk management frameworks.

On 20 January 2023, the Central Bank engaged with individual firms to ensure appropriate remedial action was being taken and it emphasised in a "Dear CEO" letter its no-tolerance policy for weaknesses in safeguarding arrangements.  As a result of this letter, all payment and e-money firms required to safeguard users' funds are obligated to obtain an audit opinion confirming the firm maintains adequate organisational arrangement in compliance with the European Communities (Electronic Money) Regulations 2011 as amended ("E-Money Regulations") and the European Union (Payment Services) Regulations 2018 as amended ("Payment Services Regulations") as applicable to their business models.

The audit opinion must be submitted to the Central Bank by 31 July 2023.

2. Financial Resilience

The Central Bank highlighted that one in five payment and e-money firms submitted inaccurate regulatory returns in 2022 and stressed the importance of firms understanding and meeting their regulatory capital requirements.

Firms are expected to have robust processes to maintain and manage their minimum regulatory capital on a stand-alone basis at all times.  This includes being able to absorb losses, including those that may occur during stressed market conditions.

Firms must also have appropriate wind-up procedures, including a process for the full return of users' funds efficiently in an exit / wind-up scenario.

3. Anti-Money Laundering

In its review of firms' anti-money laundering and countering the financing of terrorism ("AML / CFT") frameworks, the Central Bank found that the risk-based approach of some firms "lacks maturity" and, as a result, controls are not robust enough.

The Central Bank indicated that AML / CFT controls should be risk sensitive and tailored to the specific risks applicable to the firm's business.  In many cases this will require the firm to strengthen its transaction monitoring controls to detect suspicious activity more effectively.

Another area of weakness highlighted related to firms using agents and distributors to undertake customer due diligence without an appropriate level of ongoing assurance and testing. 

The Central Bank was also critical of firms misusing the e-money derogation in section 33A of the Criminal Justice Act 2010 (as amended). 

As AML / CFT continues to be an area of high regulatory focus, it is imperative that firms ensure their frameworks are vigorous and aligned with legal and regulatory requirements. 

4. Governance and Culture

The Central Bank is wary of instances where firms experience significant and fast business growth without the governance, risk management and internal control frameworks developing correspondingly.

Firms are required to embed a consumer-focused culture supported by internal systems and controls, including appropriate and well-developed risk management frameworks.  Firms should consider having a detailed succession plan for the board and senior management positions.  Firms should also critically assess their resource levels for their compliance, risk management and internal audit functions.

The introduction of the regime supporting the Central Bank (Individual Accountability 
Framework) Act 2023 (and the regulations and guidance proposed in the Central Bank's Consultation Paper 153) will see a significant increase in focus from the Central Bank with regard to individual responsibility and accountability for regulated firms (noting that e-money and payment firms will not be in scope for Phase 1 of the Senior Executive Accountability Regime).  

For more information see our update on key steps to take in advance of the introduction of SEAR and IAF.

5. Outsourcing 

All regulated firms are expected to maintain an outsourcing register, in accordance with the Central Bank's 2021 Cross-Industry Guidance on Outsourcing.  Additionally, firms rated Medium Low or higher (on the Central Bank's PRISM rating) must submit their outsourcing register to the Central Bank.

The Central Bank has developed a template outsourcing register and issued guidance for payment and e-money firms.  It has also stressed the importance of appropriate oversight of outsourced activity by a firm's board and senior management in the FinTech sector.

For further information, see our previous update: CP138: Central Bank of Ireland Publishes Cross-Industry Outsourcing Guidance. 

6. Operational Resilience

The Central Bank has consistently stated it expects boards and senior management of payment and e-money firms to review and adopt appropriate measures to strengthen and improve their operational resilience frameworks.

Due to the heavy reliance on technology in the payments and e-money sector, firms are expected to have appropriate measures in place to ensure their operational resilience frameworks are aligned with the Central Bank's 2021 Cross Industry Guidance on Operational Resilience.

Related to this, on 16 January 2023 the Digital Operational Resilience Act Regulation (EU) 2022/2554 and associated directive ("DORA"), came into force.  DORA creates a harmonised European regulatory framework to strengthen the financial sector's resilience to information and communication technology disruptions and threats.  DORA will apply to a range of regulated firms (not just payment and emoney firms) and other critical providers to such firms.  DORA comes into effect on 17 January 2025. 

For further information, see our previous updates: CP140: Central Bank of Ireland Publishes Operational Resilience Guidance and DORA: New EU Operational Resilience Regime for the Financial Sector. 

How We Can Help

With a depth of experience, our dedicated Financial Services Regulatory team supports clients across all regulated sectors in managing regulatory change, drafting policies, procedures and customer documentation, negotiating outsourcing arrangements, assessing corporate governance structures and guiding clients through engagements with the Central Bank on authorisation applications to supervisory and PRISM engagements (including interview preparation) and the administrative sanctions procedure. 

Further Information 

Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website and in our FSR and FinTech brochures.  If you would like further information, please liaise with your usual Maples Group contact or the persons below.