E-money firms and payment institutions: Latest Central Bank Dear CEO Letter requires audit of compliance with safeguarding requirements
While seeking to ensure that its approach to supervising payment institutions and e-money firms remains “risk-based, data-driven, intelligence-led and outcomes-focused“, and following a 12-month period “of intense supervision of the sector…on the basis of the significant deficiencies identified in the governance, risk management and control frameworks” of some of those firms, the Central Bank has followed its December 2021 Dear CEO Letter to those firms with a January 2023 Dear CEO Letter.
The latest Dear CEO Letter sets out key findings in five areas: safeguarding; governance, risk management, conduct and culture; business model, strategy and financial resilience; operational resilience and outsourcing; and AML/CFT.
Safeguarding and requirement to audit compliance
The main focus is on safeguarding. In the December 2021 Dear CEO Letter, the Central Bank asked all firms to comprehensively review compliance with the safeguarding requirements set out in the E-Money Regulations or Payment Services Regulations (as appropriate) by 31 March 2022. One quarter of those firms self-identified deficiencies in their safeguarding risk management frameworks, and deficiencies were later identified in other firms. The Central Bank has now asked all payment institutions and e-money firms who are subject to the safeguarding requirements to commission an audit of their compliance with those requirements from an audit firm which has the necessary specialist skill to audit compliance in this area. Each firm must provide that audit opinion, together with a response from its board to the outcome of that audit, to the Central Bank by 31 July 2023. Appendix 1 to the latest letter sets out deficiencies identified by the Central Bank in firms’ approaches to safeguarding, and Appendix 2 sets out areas that need to be reviewed as part of the audit.
Other takeaways from the January 2023 Dear CEO Letter
While the Central Bank acknowledges in the letter that some firms engage with them early on material changes to business models, it continues to see a ‘tick-the-box’ approach to regulatory compliance, with inaccuracies appearing in the regulatory returns filed last year by approx. 20% of firms.
Other Central Bank expectations outlined in the letter include:
- Governance, Risk Management, Conduct and Culture: risk management frameworks need to be better aligned with business strategies and objectives (the Central Bank continues to see instances of firms’ ambitions outpacing their frameworks and capacity); better succession planning; better resourcing of internal audit, risk management, and compliance functions; better product/service-level disclosures.
- Business Model, Strategy, Financial Resilience: improved strategic and capital planning frameworks to ensure sufficient regulatory capital to absorb losses; appropriate exit/wind-up strategies; more accurate regulatory returns.
- Operational Resilience, Outsourcing: appropriate skills and knowledge at board and senior management level regarding the IT risks faced by firms; review and adoption (by boards and senior management) of measures to improve operational resilience frameworks.
- AML/CFT: improved transaction monitoring: improved CDD on distributors and agents; use of the simplified CDD derogation for e-money only where all relevant criteria are met (e.g. it cannot be used where the customer is a PEP or based in a high-risk third country).
There is significant cross-over between the areas highlighted by the Central Bank in December 2021 and January 2023, particular in the areas of safeguarding, governance, operational resilience and AML. The continuing emphasis on safeguarding makes sense given the very significant impact on customers if a firm’s safeguarding arrangements fail. It is clear that the Central Bank expects a firm’s board to take ultimately responsibility for this issue and for all of the other areas of focus identified by the Central Bank.
For a reminder of the points highlighted in the December 2021 Dear CEO letter, read our December 2021 insights here: E-Money Institutions and Payment Institutions: Central Bank confirms its supervisory expectations
Our Financial Regulation Group advises on a wide variety of EU and Irish regulatory and compliance matters relevant to the financial services industry. It acts for a wide range of Irish and international credit institutions, investment firms, e-money institutions, payment institutions, asset managers, non-bank lenders and other financial institutions.
Our market-leading Financial Regulation: Investigation and Enforcement Group advises and supports clients on a wide range of financial regulatory investigations and enforcement issues. It advises and supports financial institutions and individuals who require deep specialist knowledge of the financial services regulatory environment and experience in managing complex contentious regulatory matters.