CompliReg

Blogs & Insights

    Author

    Peter Oakes is an experienced anti-financial crime, fintech and board director professional.

    He has served in senior roles at central banks (Ireland & Saudi Arabia) and financial regulators (UK and Australia).

    Peter is an experienced board director of regulated finserv & fintech firms and advisor to regtech firms.


2023 Dear CEO letter re Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms

21/1/2023

 
Friday 20th January 2023: Central Bank of Ireland (CBI) issued a Dear CEO letter to the fintech industries of electronic money institutions and payments institutions.  The purpose is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around its approach to, and judgements around, regulation and supervision.

If you are looking to get authorised as an electronic money or payments institution in Ireland, contact us.  We are working with a number of such applicants and we advise those already authorised on their on-going regulatory obligations, business models and strategy.  See our Authorisation Page with links to useful Authorisation Guides. 

Busy start to the year with enquiries from UK, Asia and the US continuing to roll in about the benefits, opportunities and challenges of establishing an EEA-regulated presence in Ireland, particularly for #emoney and #payments. While Ireland is in the top three of the final round, there remains stiff competition (so to speak) from two other leading jurisdictions.

Thus it was good to see, as I am sure others will agree, the Central Bank of Ireland's most recent Dear CEO letter, issued to emoney and payments institutions on Friday 20 January 2023 by Mary-Elizabeth McMunn, Director of Credit Institutions Supervision. It will help provide greater clarity not only to currently authorised emoney and payments firms, but also to those in the authorisation pipeline and those thinking of filing in Ireland.

It is a meaty document at 5,168 words across eleven (11) pages. Download a copy of the letter and additional relevant reading material here - https://complireg.com/blogs--insights/2023-dear-ceo-letter-re-supervisory-findings-and-expectations-for-payment-and-electronic-money-e-money-firms

If you wish to get a quick understanding of the letter in terms of your regulatory obligations search the words 'we expect'. You will see those appear eleven (11) times too!

Right now, best to mark in your calendar and work backwards, that an audit opinion on safeguarding, along with a Board response on the outcome of the audit, is to be submitted to the CBI by 31 July 2023. And it is not just a case of ringing your current external auditors and appointing them.  
  • Emoney and payments firms will need to demonstrate that they exercised due skill, care and diligence in selecting and appointing auditors for this purpose; including satisfying themselves that the proposed auditor has, or has access to, appropriate specialist skill in auditing compliance with the safeguarding requirements under the PSR/EMR taking into account the nature, scale and complexity of the firm's business.  Let the beauty parades begin.  And so it should be the case!
  • The auditor is to provide an opinion confirming:
    "whether the firm has maintained adequate organisational arrangements to enable it to meet the safeguarding provisions of the PSR/EMR on an ongoing basis, with the specific areas, at a minimum, that should be subject to review and assurance by the auditor outlined in Appendix 2 of the Dear CEO Letter.

The purpose of the letter is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around our approach to, and judgements around, regulation and supervision.


The breakdown of the letter is as follows:

(1)      Supervisory Approach for the Payment and E-Money Sector (provides wider and specific context to our supervisory approach).

(2)      Supervisory Findings (key findings from supervisory engagements over the last 12 months and actions the CBI expects firms to undertake)
➡ Safeguarding;
➡ Governance, Risk Management, Conduct and Culture;
➡ Business Model, Strategy and Financial Resilience;
➡ Operational Resilience and Outsourcing; 
➡ Anti-Money Laundering and Countering the Financing of Terrorism;
  • ♻ Risk-Based Approach,
  • ♻ Distribution Channels, 
  • ♻ Electronic Money Derogation and Simplified Due Diligence

(3) Conclusion and Actions Required (CBI's expectation that this letter is provided to and discussed with your Board, and any areas requiring improvement that directly relate to your firm are actioned).

Next Steps:

Get in contact with Peter Oakes / CompliReg. Founded by the CBI's inaugural Director of Enforcement and AML/CFT Supervision & board director of payments, emoney and MiFID companies. Peter is also a former: FSA (now FCA) enforcement lawyer; senior officer (legal) at ASIC; and adviser to the deputy director of banking at SAMA.



Further Reading:

10 December 2021: Authorisation Guidance and Supervisory Expectations for Payment and Electronic Money Firms (Central Bank of Ireland)
09 December 2021: Central Bank of Ireland Dear CEO Letter on Supervisory Expectations for Payment and Electronic Money (E-Money) Firms

Report on the Peer Review on Authorisation under PSD 2 Released European Banking Authority

11/1/2023

 
Are you looking for the Report on the Peer review on Authorisation under PSD2 released today by the European Banking Authority?  Click here or the image above to download it in PDF format.

If you are struggling with an application for an electronic money or payments institution authorisation in Europe, contact us here and/or complete the Authorisation/Licence Enquiry Form here.

If you are looking at becoming authorised in Ireland as an emoney institution or payments institution check out Fintech Ireland's and CompliReg's authorisation guides here.

What does the EBA peer review say?

The report sets out the findings of the EBA’s peer review on the authorisation of #Payment Institutions (PIs) and #ElectronicMoney Institutions (EMIs). In executive summary format, the report says:

  • competent authorities (CAs) have largely implemented the Guidelines and, where implemented, the Guidelines have achieved their objective of providing consistency and transparency in the authorisation information that prospective PIs and EMIs have to submit.
  • some CAs have not fully implemented the Guidelines, in particular in relation to obtaining the full set of information from applicants. This potentially limits the extent to which those CAs can scrutinise applications compared with having the information required under the Guidelines. 
  • significant divergences in the practices of CAs in assessing the information submitted, and the level of scrutiny of those documents varies considerably across CAs.
  • there are divergent practices in relation to the assessment of business plans and applicants’ governance arrangements and internal control mechanisms. This includes the assessment of directors and persons responsible for the management of PIs and EMIs, and of whether applicants meet the requirement in PSD2 to have their head office in the jurisdiction where they are seeking authorisation and to conduct part of their activities there (‘local substance’). 
  • these deficiencies mean that applicants remain subject to different supervisory expectations as regards the requirements for authorisation as a PI or EMI across the EEA. This gives rise to issues in terms of supervisory level playing field and ‘forum shopping’ and undermines the objectives of the Directive and the Guidelines of establishing a single EU payments market. 
  • all CAs should ensure that applicants have a ‘three lines of defence’ model that includes the functions of risk management, compliance and internal audit, where the nature, scale and complexity of their activities makes this appropriate.
  • to minimise potential forum shopping and ensure sufficient local substance, all CAs should ensure that applicants are effectively managed and controlled from the jurisdiction in which they seek authorisation, and have close links with that jurisdiction. 
  • significant variations in the resources available and length of the authorisation process
  • average duration ranges from 4-6 months to 20 months or more. The main reason for delays is the quality of applications and applicants’ timeliness in addressing issues identified. Other reasons identified for these variations across CAs include different timelines set out in national laws and different procedural approaches in the acceptance and assessment of applications.
  • all CAs are asked to follow-up by reviewing their resources and processes to ensure that they remain adequate to scrutinise applications within a reasonable timescale.

Some good supervisory practices observed by the EBA

Some good supervisory practices observed during the analysis that might be of benefit for other CAs to adopt.
  • publishing guidance to clarify the requirements CAs expect applicants must meet;
  • comparing applicants’ forecasts against data from existing similar PIs/EMIs to inform the CAs’ assessment of the plausibility of the financial forecasts;
  • making use of existing EBA and EBA/ESMA guidelines under the Capital Requirements Directive to assess independence of the internal control functions and suitability of the directors and persons responsible for the management of PIs and EMIs. The report also recommends that, as part of any future review of the Guidelines, the EBA provides more guidance on how the proportionality principle should be applied in assessing the suitability of shareholders having a qualifying holding in an applicant’s capital.

Some recommendations identified by the EBA

The report expands on the recommendations included in the EBA’s response to the European Commission on the review of the PSD2 (EBA/Op/2022/06) and recommends that, as part of its ongoing PSD2 review process, the European Commission:
  • clarifies the delineation between the different categories of payment services as well as emoney issuance;
  • clarifies the applicable governance arrangements for PIs and EMIs;
  • clarifies the criteria that CAs should use in assessing the suitability of directors and persons responsible for the management of PIs and EMIs;
  • mandates the EBA to develop a common assessment methodology for granting authorisation as a PI or as an EMI; and
  • clarifies the requirements that applicants must meet in order to ensure sufficient local substance, leveraging on the best practices mentioned in this report.

What are the objectives of the EBA report?

The objectives of this report are to:
  • further strengthen consistency and convergence of the assessment of applications for authorisations of PIs and EMIs across the EEA; and
  • assess whether the EBA Guidelines have achieved their aim of bringing about consistency and clarity in respect of the information that applicants have to submit as part of an application for authorisation and of contributing to harmonisation in the authorisation process and to a level playing field across the EEA. 

This report is also a partial fulfilment of the mandate conferred by the PSD2 on the EBA to review the Guidelines “on a regular basis and in any event at least every 3 years” (Article 5(5) PSD2).

Which competent authorities are in scope?

The peer review was performed by a Peer Review Committee of EBA and CA staff (see Annex 1 for the composition) and covered the CAs from all EU Member States and from two EEA States, as detailed in Annex 2. One EEA CA (IS) was not reviewed because it has only recently implemented the PSD2 and did not receive any application for the authorisation of PIs and EMIs in the period analysed (2019-2021). [CompliReg - not sure if IS is a typo, and should be 'SI' for Slovenia?]

The Self-Assessment model adopted by the EBA

The analysis has been conducted based on the CAs’ responses to a self-assessment questionnaire (SAQ), which covered a three-year period from 1 January 2019 to 31 December 2021. Where necessary, the PRC followed up with the CAs in writing seeking further clarifications and explanations. The PRC also conducted interviews with a subset of 10 CAs (BG, DK, ES, PL, PT, MT, NL, IT, LT and SE) to gain a better understanding of their supervisory practices.

EBA Conclusion on timeliness of the authorisation process

Page 51, para 171 "5. Conclusions and recommendations" states:

"With regard to the timeliness of the authorisation process, the review found that, while all CAs comply with the requirement in Article 12 PSD2 to take a decision on an application within 3 months from receiving a complete application, the average duration of the authorisation process varies significantly across MS, ranging from 4-6 months to +20 months. The main reason for this is the quality of applications and applicants’ timeliness in addressing the issues identified with the application. The PRC also identified a number of other reasons for these variations in duration across CAs, which include different timelines set out in national law and different procedural approaches adopted by CAs in the acceptance and assessment of applications."

[CompliReg - no doubt, and there is merit here, many firms will struggle with the EBA's finding that "all CAs comply with the requirement in Article 12 PSD2 to take a decision on an application within 3 months from receiving a complete application".]

The constitution of the 'peer review committee'?

The peer reviews were carried out by ad hoc peer review committees composed of staff from the EBA and members of competent authorities, and chaired by EBA staff.

This peer review was carried out by:
  • Co-chairs: Jonathan Overett Somnier, Head of Legal and Compliance Unit, EBA; and Larisa Tugui, Senior Policy Expert, Consumer, Payments and Conduct Unit, EBA
  • Members: Adrienne Coleton, Legal Expert, Legal and Compliance Unit, EBA; Antonio Barzachki, Senior Policy Expert, Consumer, Payments and Conduct Unit, EBA; Gabriel Bosch, Senior Expert, Specialised institutions and procedures, Autorité de contrôle prudentiel et de resolution; Carolin Kopyto, Senior Advisor, Directorate ZK (Supervision of Payment Institutions and Crypto Custody Business), BaFin; and Reinout Temmerman, Payments Advisor, Surveillance of financial market infrastructures, payment services and cyber risks, National Bank of Belgium

List of Competent Authorities subject to the peer review

  • AT = Austrian Financial Market Authority
  • BE = National Bank of Belgium
  • BG = Bulgarian National Bank
  • CY = Central Bank of Cyprus
  • CZ = Czech National Bank
  • DE = Federal Financial Supervisory Authority (BaFin)
  • DK = Danish Financial Supervisory Authority
  • EE = Estonian Financial Supervision and Resolution Authority
  • EL = Bank of Greece
  • ES = Bank of Spain
  • FI = Finnish Financial Supervisory Authority
  • FR = Prudential Supervisory & Resolution Authority (ACPR)
  • HR = Croatian National Bank
  • HU = Central Bank of Hungary
  • IE = Central Bank of Ireland
  • IT = Bank of Italy
  • LI = Financial Market Authority Liechtenstein
  • LT = Bank of Lithuania
  • LU = Commission for the Supervision of the Financial Sector (CSSF)
  • LV = Financial and Capital Market Commission
  • MT = Malta Financial Services Authority (MFSA)
  • NL = Dutch Central Bank (DNB)
  • NO = Financial Supervisory Authority of Norway
  • PL = Polish Financial Supervision Authority (KNF)
  • PT = Bank of Portugal
  • RO = National Bank of Romania
  • SE = Swedish Financial Supervisory Authority
  • SI = Bank of Slovenia
  • SK = National Bank of Slovakia
© CompliReg.com   Dublin 2, Ireland  ph +353 1 639 2971 
|  www.complireg.com  |  officeATcomplireg.com [replace AT with @]
