The CBI issued this mandate to bring enhanced transparency to its approach to regulation and supervision of the sector, and to reaffirm its supervisory expectations. This mandate is a follow-up to a Dear CEO letter published in December 2021, which provided greater clarity on the CBI’s expectations of the sector, together with the Consumer Protection Outlook Report published in 2022, which had set out key cross-sectoral risks for consumers.
The published Dear CEO Letter from 2023 highlights that, from the CBI’s observation of supervisory activities in the past 12 months, the risks identified in the Consumer Protection Outlook Report apply particularly to the payment and e-money sector. The Letter contains the supervisory findings, which are expected to be discussed by the board of every payment and e-money sector firm. Along with that, they need to reflect on the supervisory findings and on the actions to be taken that are mentioned in the report.
The latest Dear CEO Letter sets out key findings in five areas: safeguarding; governance, risk management, conduct and culture; business model, strategy and financial resilience; operational resilience and outsourcing; and AML / CFT.
Safeguarding
The CBI has observed that 1 in every 4 Payment and E-Money firms have self-identified deficiencies in their safeguarding risk management frameworks. To mitigate these deficiencies, the CBI expects firms to:
a. Have robust, Board-approved safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed, and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customers.
b. Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.
c. Notify the Central Bank immediately of any safeguarding issues identified.
d. Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.
e. Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).
Additionally, the CBI expects audit firms to carry out a specific audit of the Payment and E-money firms’ compliance with the safeguarding requirements under the PSR / EMR regulations. The auditor is expected to provide an opinion confirming whether a firm has maintained adequate organizational arrangements to enable it to meet the safeguarding provisions of the PSR / EMR on an ongoing basis. The audit opinion, along with a Board response on the outcome of the audit, should be submitted to the Central Bank by 31 July 2023.
Governance, Risk Management, Conduct and Culture
The CBI expects firms to consider their governance, risk management and internal control frameworks, in addition to the composition (both number and skills) of their board and management team, to ensure they are sufficient to run their business from Ireland, as their licensed jurisdiction.
Business Model, Strategy and Financial Resilience
The CBI expects firms to have robust strategic and capital planning frameworks which demonstrate that they have a good understanding of the risks that they face and their potential financial impact. Firms must proactively manage their capital to ensure that they are always able to meet their own funds requirements on a stand-alone basis. Firms should also have an appropriate exit / wind-up strategy. It is also expected that firms have board-approved business strategies in place supported by robust financial projections, and firms must have good data and timely and accurate management information.
Operational Resilience and Outsourcing
The CBI highlights that boards and senior management teams must ensure that they have the skills and knowledge to meaningfully understand the risks their firm faces and the responsibilities they have, including risks in respect of outsourced activities. The CBI expects that they review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the Cross Industry Guidance on Operational Resilience and Cross Industry Guidance on Outsourcing.
Anti-money Laundering and Countering the Financing of Terrorism
The CBI states that firms are classified as ‘Designated Persons’ for the purposes of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 and, as such, are subject to obligations under this Act.
Therefore, the CBI expects from these firms:
Firms should submit the specific audit of compliance with the safeguarding requirements under the PSR / EMR (as outlined above), along with a board response on the outcome of the audit, to the CBI by 31 July 2023.