Clari5 Market Insights


Central Bank of Ireland

Central Bank of Ireland Supervisory Findings and Expectations for Payment and Electronic Money Firms, 20 January 2023

By when must Financial Institutions (FIs) comply with the mandate?

The audit opinion, along with a Board response on the outcome of the audit, should be submitted to the Central Bank by 31 July 2023.

Why has CBI issued the new mandate?

CBI issued this mandate to bring enhanced transparency to its approach to regulation and supervision of the sector, and to reaffirm its supervisory expectations. This mandate is a follow up from a Dear CEO letter published in December 2021, which provided greater clarity on the CBI’s expectations of the sector, together with Consumer Protection Outlook Report published in 2022, which had set out key cross-sectoral risks for consumers.

The published Dear CEO Letter from 2023 highlights that from the CBI’s observation of the supervisory activities in the past 12 months, the risks identified in the Consumer Protection Outlook Report are particularly regarding the payment and e-money sector. The Letter contains the supervisory findings which are expected to be discussed by the board of every payment and e-money sector firm. Along with that, they need to reflect on the supervisory findings and actions to be taken mentioned in the report.

Highlights of the mandate

The latest Dear CEO Letter sets out key findings in five areas: safeguarding; governance, risk management, conduct and culture; business model, strategy and financial resilience; operational resilience and outsourcing; and AML / CFT.

The CBI has observed that 1 in every 4 Payment and E-Money firms have self-identified deficiencies in their safeguarding risk management frameworks. To mitigate these deficiencies, CBI expects firms to:

a. Have robust, Board approved, safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed, and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customer.

b. Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.

c. Notify the Central Bank immediately of any safeguarding issues identified.

d. Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.

e. Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

Additionally, CBI also expects audit firms to carry out a specific audit of the Payment and E-money firms’ compliance with the safeguarding requirements under the PSR / EMR regulations. The auditor is expected to provide an opinion confirming whether a firm has maintained adequate organizational arrangements to enable it to meet the safeguarding provisions of the PSR / EMR on an ongoing basis. The audit opinion, along with a Board response on the outcome of the audit, should be submitted to the Central Bank by 31 July 2023.

Governance, Risk Management, Conduct and Culture
CBI expects firms to consider their governance, risk management and internal control frameworks, in addition to the composition (both number and skills) of their board and management team, to ensure they are sufficient to run their business from Ireland, as their licensed jurisdiction.

Business Model, Strategy and Financial Resilience
CBI expects firms to have robust strategic and capital planning frameworks which demonstrate that they have a good understanding of the risks that they face and their potential financial impact. Firms must proactively manage their capital to ensure that they are able to always meet their own funds requirements on a stand-alone basis. Firms should have an appropriate exit / wind-up strategy as well. It is also expected that firms have board-approved business strategies in place supported by robust financial projections, and firms must have good data and timely and accurate management information.

Operational Resilience and Outsourcing
The CBI highlights that boards and senior management teams must ensure that they have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have, including risks in respect of outsourced activities. The CBI expects that they review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Cross Industry Guidance on Operational Resilience and Cross Industry Guidance on Outsourcing.

Anti-money Laundering and Countering the Financing of Terrorism
The CBI states that firms are classified as ‘Designated Persons’ for the purposes of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 and, as such, are subject to obligations under this Act.

Therefore, the CBI expects from these firms:

  • A Risk-based Approach: AML / CFT risk controls, such as transaction monitoring controls for suspicious transactions and activity, alert creation, and reporting, should be risk-sensitive and tailored to the risks identified in a firm’s ML / TF assessment. A further development of a risk-based approach is required to understand how the products and services of the firm can be used for ML / TF purposes.

  • Distribution Channels: The CBI expects that firms exercise adequate oversight of their agents and distributors who conduct AML / CFT preventive measures, such as customer risk assessments and customer due diligence (CDD), on behalf of firms. The oversight must be conducted with an appropriate level of ongoing assurance.

  • Electronic Money Derogation and Simplified Due Diligence: The CBI expects that simplified due diligence is carried out only where appropriate to do so and where the firm has carried out a risk assessment of each individual relationship, and to do so is justified based on the lower level of risk presented.

Actions Required

Firms should submit the specific audit of compliance with the safeguarding requirements under the PSR / EMR (as outlined above), along with a board response on the outcome of the audit, to the CBI by 31 July 2023.

How Clari5 helps Ireland’s FIs quickly comply with CBI’s mandate

Need More Information?