Navigating a Successful Irish CASP Authorisation Application

Below is a snapshot of the key take-aways and some practical tips to ensure a smooth passage through the CBI’s gatekeeping process.

Rules for High-Quality Applications

• Accurate and complete – supply up-to-date and fully reconciled data, avoid incomplete information and plug any gaps before submission.
• Clear – explain the business model in plain English and flag any evolving information.
• Well-informed – reference the latest legislative, regulatory and sectoral legal requirements. Put in place the necessary arrangements and documentation to comply with regulations post-approval.
• Open and cooperative – be transparent, respond promptly, avoid legalese and volunteer any information the CBI might reasonably expect.
• Forward-looking – address credible forecasts, stress scenarios and any future permission changes. Ensure that adequate time and resources are available to provide supporting information throughout the application.
• Application Mindset – approach authorisation as proof you can remain compliant post-approval, not just a hurdle to clear.

Expectations

The CBI has set out the following as a non-exhaustive guide to consider when making applications. Additionally, the CBI has outlined challenges it has faced in this regard and has stressed that depending on the nature, scale and complexity of proposals, additional information may be requested during the authorisation process which is commensurate with the nature and scale of business activities.

• Customer Focus – clearly demonstrate that customer interests, in particular in retail facing business models, is at the centre of a firm’s application.
• Business Model Viability – present a clear strategy (typically, of 3 years) showing sustainability to generate credible returns, including under base and stressed scenarios, with particular focus on financial resilience in events of significant volatility in the crypto market.
• Substance & Resourcing – demonstrate an appropriate level of substance and autonomy in Ireland. Evidence that management of key risks and key decision-making sits in Ireland. The firm must be led by a local crypto-competent executive and the board should include at least two INEDs and an independent chair.
• Custody and Safeguarding of Client Assets – evidence strong segregation and prompt access to reserve assets to meet redemption demands and protect client assets. A Head of Client Asset Oversight must be appointed.
• Governance – adopt effective governance arrangements, including: (a) appropriate and resourced compliance and internal control arrangements; (b) a risk identification framework (including measures which enable local management of material risks); and (c) an appropriate culture.
• Outsourcing – retain ultimate responsibility for the management and operation of key functions, comply with CBI cross-industry Outsourcing Guidance and show contingency plans for service disruptions.
• Operational Resilience – ensure compliance with the CBI’s cross-industry Operational Resilience Guidance and ensure continuity of services, including Distributed Ledger Technology and Blockchain. Display credible plans to recover critical business services after disruption (with a focus on minimising impact and protecting customers) and, if irrecoverable, plans for exiting the market in an orderly fashion. Firms are in scope of the Digital Operational Resilience Act and must evidence effective ICT management frameworks.
• Capital – maintain robust capital, governance and planning systems, in accordance with relevant sectoral requirements. Substantiate adequate and timely sources of funding and demonstrate reliable access to sufficient capital under a plausible but severe stress scenario.
• Compliance – embed a forward-looking compliance monitoring programme which assesses risks and compliance with legal and regulatory obligations.
• Ownership Transparency – chart the full ownership structure, up to, and including ultimate beneficial owners.
• Wind-down – prepare a detailed wind-down plan to exit the market (for both normal and stressed events), which minimises client detriment and details the safe return of relevant assets.
• AML / CFT – demonstrate strong risk management practices and internal controls which ensure compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 and applicable guidance. Firms must know who their customers are, how they are funding their crypto activities and ensure these funds are not emanating from criminal activities.
• Identification and Management of Conflicts of Interest – proactively identify and remedy any conflicts of interest in a timely manner so that no risks are posed to customer interests.

Practical Tips

• Engage early – a pre-application meeting can reduce later information requests and shorten overall timelines. The CBI has flagged this as a challenge which can lead to long delays.
• Build an “authorisation pack” – consolidate board minutes, policies, financial models and group service agreements so they are ready on day one.
• Resource now, not later – hire Irish-based control-function heads before filing and note that the CBI has little patience for “to-be-hired” placeholders. The CBI has noted the lack of substantive presence and adequate staffing for both pre-approval controlled functions (“PCF”) and non-PCF roles in the jurisdiction has been a challenge for applicants.
• Stress-test the model – the CBI will do this and it is better to identify pressure points internally at the outset.
• Keep it live – treat the submission as a living document and update forecasts and governance artefacts if circumstances change during the process.
• Expect appropriate levels of challenge – the CBI’s risk-based approach means deeper dives for novel or higher-impact propositions so budget time for granular follow-up.

Conclusion

The new guidance reinforces the CBI’s determination to admit only firms that can demonstrate robust consumer focus, sustainable economics, strong local substance and forward-looking risk management from day one.

Authorisation timelines remain dependant on (a) the nature, scale and complexity of the firm’s proposals, (b) the completeness and quality of the application and (c) the responsiveness of the firm to comments and questions during the assessment process and the quality of those responses.

Firms that invest early in detailed, well-thought-out applications, supported by appropriately resourced Irish operations, are most likely to achieve a swift and successful authorisation outcome.

How Maples Group Can Help

We have successfully guided many clients through the CBI’s authorisation process across all industry sectors.

We have a good understanding of how best to map proposed services to regulatory permissions, ensure permissions are broad enough to cover planned operations in the first 12 to 18 months post-authorisation and how to clearly demonstrate and document a robust model in the application documents filed with the CBI to make the process as smooth and efficient as possible.

Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website and in our FSR and FinTech brochures.

If you would like further information, please liaise with your usual Maples Group contact or the persons on this page.

---

¹Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets.