In its letter, which focused on areas that are consistently at the forefront of the Central Bank’s supervisory agenda (namely governance and risk management, conduct and culture, safeguarding customer funds, sustainable business models and financial resilience, operational resilience, anti-money laundering and counter terrorist financing (AML/CFT), and orderly resolution/wind-up), the Central Bank:

  • summarised its supervisory expectations of those firms (noting that supervisory responsibility for those firms has recently moved to the Central Bank’s Credit Institutions Supervision Directorate);
  • asked the CEO of each firm to bring the letter to the attention of the firm’s board of directors (the Board); and
  • set out the actions that it expects the Boards and senior management of those firms to take to ensure compliance with their regulatory requirements and authorisation conditions.


Comprehensively review safeguarding requirements and authorisation conditions by 31 March 2022
Each CEO, together with the Board of the firm, must comprehensively assess the firm’s compliance with the safeguarding provisions of the European Communities (Electronic Money) Regulations 2011 (E-Money Regulations) (in the case of e-money institutions) and the European Union (Payment Services) Regulations 2018 (Payment Services Regulations) (in the case of payment institutions).
The assessment must also look at the firm’s compliance with its conditions of authorisation.
Confirm completion of the review to the Central Bank by 31 March 2022
The firm’s Board must oversee the review, and consider both the conclusions of the review and any remediation issues arising from it.
The firm’s Board must confirm to the Central Bank by 31 March 2022 that the review has been carried out and concluded.
Approve a remediation plan for any issues identified by the review
If issues are identified during the review, a Board-approved remediation plan must be put in place that ensures the timely resolution of any issues identified.


Supervisory Expectations

To meet the supervisory expectations set out by the Central Bank in its Dear CEO letter, the Board of each payment institution and e-money institution must be satisfied as to how the firm manages certain key priority areas.

Governance and Risk Management
Each firm should assess:

  • Governance and Control: Whether its governance and control arrangements are proportionate and appropriate when examined by reference to the E-Money Regulations/the Payment Services Regulations.
  • Board: Whether its Board is fully functioning; whether the Board takes responsibility for the effective and prudent oversight of the firm, its strategy, its governance, its risk management framework, and its internal controls.
  • Fitness and Probity: Whether the firm is fully aware of its obligations under the Central Bank’s Fitness and Probity (F&P) regime. The importance of ongoing assessments, due diligence and strong succession planning was emphasised by the Central Bank, and it drew firms’ attention to its previous F&P-related Dear CEO letters (read our briefings on those letters here and here).

Conduct and Culture
Culture and conduct are at the heart of the Central Bank’s supervisory agenda, and at the core of its proposed new Individual Accountability Framework (see the Financial Regulation: Individual Accountability and SEAR section of our website for our detailed analysis of the proposed framework).
Each firm should:

  • Culture: Ensure that it has strong internal systems, controls and standards that underpin a consumer-focused culture.
  • Managing risks to consumers: Examine its standards by reference to the Central Bank’s Consumer Protection Outlook Report 2021 (the 2021 Report), which identified key risks to consumers of financial services, including:
    • the absence of a consumer-focused culture;
    • ineffective disclosure;
    • unfair practices and behavioural vulnerability;
    • risks from technology; and
    • mis-selling and inadequate suitability assessments.
  • Central Bank Expectations: Ensure that, in addition to reviewing its governance and operations in light of the Dear CEO letter, it also assesses the firm’s compliance with the expectations set out in the 2021 Report.
  • Disclosure and Suitability: Note the emphasis placed by the Central Bank on risk disclosure and suitability assessments, from a consumer protection perspective, in the recent Dear CEO letter.

Safeguarding
The importance attached by the Central Bank to safeguarding customer funds is clear from its requirement that e-money institutions and payment institutions review compliance with the applicable legal and regulatory framework by 31 March 2022 (considered at the start of this briefing).
Each firm should also check:

  • Frameworks: Whether it has a robust, Board-approved, safeguarding risk framework in place to ensure the identification, protection and management of client funds on a daily basis.
  • Client Funds: Whether there is clear segregation, designation and reconciliation of client balances (and whether the Board seeks regular assurances on this point).
  • Oversight: Whether the second and third lines of defence (risk and compliance, and internal audit) carry out independent oversight effectively.

Business Model and Financial Resilience
Each firm should examine:

  • Models: Whether its business model is viable and sustainable.
  • Resources: Whether it has sufficient financial resources to support its current and future plans.
  • Funds: Whether it has sufficient regulatory capital to absorb losses and whether it meets its ‘own funds’ requirements at all times.
  • Returns: Whether its regulatory returns are timely and accurate.
  • Notifications: Whether it promptly and proactively notifies the Central Bank of:
    • any breaches of legal or prudential requirements, and of developments that could have a material impact on its business; and
    • likely material changes to its business model (e.g. material changes to services or product offerings, or business projections that differ from those discussed as part of the firm’s authorisation process). The Central Bank expects a detailed risk assessment, signed off by the Board, to accompany a notification of a material change to a firm’s business model.

The Central Bank reiterated in the Dear CEO Letter that it does “not expect to see firms’ business ambitions running ahead of their control environment”.

Operational Resilience
Each firm should ensure that:

  • Frameworks: Its risk and control framework operates effectively.
  • Expecting the unexpected: It is prepared for unforeseen operational disruptions.
  • Independence: It operates “sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised [by the Central Bank]”.

Echoing its expectations regarding governance (see above), the Central Bank also expects responsibility for IT and cyber risk strategy, and any outsourced activities, to rest with the firm’s Board.

AML/CFT
Each firm must ensure that its AML/CFT risk assessment focuses on risks specific to the firm’s business model, is not merely a ‘tick-the-box’ exercise, and does not reflect a generic rules-based approach.

Resolution/Wind-Up
Each firm should ensure that it has an appropriate exit/wind-up strategy that is linked to its business and operational model, and focuses on the prompt return of customer funds.
The Central Bank highlighted the importance of a firm ensuring, if it fails, that the ensuing insolvency process is capable of being managed “in an orderly fashion without customer detriment”.



There is significant breadth to the areas of focus identified by the Central Bank, with almost the entire waterfront of key regulatory requirements applicable to a payment institution and e-money institution being covered.
The particular and immediate focus on safeguarding makes sense given the very significant impact on customers if a firm’s safeguarding arrangements fail. It is clear that the Central Bank expects a firm’s Board to take ultimate responsibility for this issue and for all of the other areas of focus identified by the Central Bank.


Our Financial Regulation Group advises on a wide variety of EU and Irish regulatory and compliance matters relevant to the financial services industry.  It acts for a wide range of Irish and international credit institutions, investment firms, e-money institutions, payment institutions, asset managers, non-bank lenders and other financial institutions.
Our market-leading Financial Regulation: Investigation and Enforcement Group advises and supports clients on a wide range of financial regulatory investigations and enforcement issues.  It advises and supports financial institutions and individuals who require deep specialist knowledge of the financial services regulatory environment and experience in managing complex contentious regulatory matters.