Some choice headlines in the papers about Brexit in the past week as we - according to Brexit Ireland's countdown to Brexit clock - just little more than 33 days before 11p.m. (UK time) on Thursday 31st December 2020 when the Brexit transition period ends with no deal on financial services in sight.

This week sees the EU negotiating team returning to London after face-to-face talks came to end more than a week ago after Mr Bariner's team was hit by a case of Covid.  They will be greeted by headiness such as: ​UK dismisses ‘derisory’ EU fishing offer ahead of last-ditch trade talks; 
Europe’s finance sector hits ‘peak uncertainty’ over Brexit; and The City braces for Brexit.

One thing we are still very surprised by is the many in #fintech, #techfin and indeed #finserv (and scarily their advisers) who think that recent news on 'equivalence' deals are applicable to all UK #finserv which passport across the European Union / EEA.

The announcement on Monday 23rd November by the European Commission was simply and specifically about European regulators finalising a late change seeking to avoid chaos in £15tn of derivatives contracts held between UK and EU counterparties. Then on Wednesday 25th, they insisted outposts of EU banks in London would have to trade certain derivatives in the EU.

Back in August 2020 the European Parliament reminded that "Equivalence decisions are a unilateral decision by the Commission. The Commission ultimately exercises its discretion as conferred upon it by the “empowerment” given in EU sectoral legislation.'' BUT MORE IMPORTANTLY "The Commission also enjoys discretion to withdraw equivalence decision. The equivalence frameworks in force do not provide as such specific procedures for monitoring, reviewing or amending equivalence decisions."

There are no equivalence provisions in EU bank, payments nor electronic money directives, and the equivalence provision in MiFiD doesn't apply to retail investment services. See the below table on the 'Role of equivalence in key EU banking and financial services legislation' for confirmation.

The upshot is that if you are a UK authorised payments institution or electronic money intuition, come Thursday 31st December 2020 when your ability to passport across the whole of European Economic Area comes to an end, so too does your business model unless you have obtained an authorisation in an EU/EEA state.  There are are other options available but we'll leave that for another article. 

​If you are a regulated fintech looking for a home post #brexit contact https://complireg.com/authorisations.html.  Read our Fintech Authorisation Guides published jointly by CompliReg and Fintech Ireland on the authorisation process.  And check out the 'Why Ireland for Fintech' brochure.

Why Ireland for your regulated fintech? 

• tax effectiveness
• common law legal system
• similarities to the UK in Irish approach to business
• access to world leading talent in financial services and technology
• reputation of the Central Bank / regulator 
• growing recognition of Ireland as an international fintech hub thanks to the work of the Irish government, its agencies and groups like Fintech Ireland. 

Further reading:

​26 November 2020 - Move to EU or face disruption, City of London is warned

• British financial firms must set up shop in the European Union or expect disruption on January 1st, the European Commission has warned, as it is unlikely to grant the required equivalency permit to ease access to the bloc’s customers by the end of the year.

27 August 2019 - "Third country equivalence in EU banking and financial regulation"

• This briefing provides an insight into the latest developments on equivalence in EU banking and financial regulation both in terms of governance and decision making (Section 1) and in terms of regulatory and supervisory frameworks that governs the access of third countries firms to the internal market (Section 2). The briefing also gives an overview on the possible role of equivalence regimes in the context of Brexit (Section 3) together with Brexit-related supervisory and regulatory issues (Section 4). This briefing is an updated version of a briefing published in April 2018. 

29 July 2019 - Financial services: Commission sets out its equivalence policy with non-EU countries

​12 July 2017 - "Third-country equivalence in EU banking legislation"

• This briefing focuses on the concept of equivalence in EU banking legislation and notably on the difference between “passporting” rights and “third-country equivalence” rights. It gives an overview of existing equivalence clauses in some key EU banking and financial legislation and of equivalence decisions adopted by the European Commission to date.

Today, 17th November 2020, the Central Bank of Ireland released a Dear CEO Letter on "Thematic Inspections of Compliance by Regulated Financial Service Providers with their Obligations under the Fitness and Probity Regime".  Readers are probably aware that the Central Bank issued a previous Dear CEO Letter on 8th April 2019 on "Compliance by Regulated Financial Service Providers with their Obligations under the Fitness and Probity Regime".

If you need assistance with understanding or implementing the requirements, please contact the Team at CompliReg.

• 17th November 2020 Dear CEO Letter 
• 8th April 2019 Dear CEO Letter 

What does the Dear CEO Letter of 17th November 2020 say?

Background:
The Central Bank undertook thematic onsite inspections across a sample of firms in the insurance and banking sectors [Ed- No reference to MiFID, payments, emoney, intermediaries nor the funds industry] in order to assess the level of compliance with the Fintess and Probity (F&P) requirements.   This was on foot of its Dear CEO Letter on the topic of F&P back in April 2019.  The inspections did not examine the fitness and probity of particular individuals, but rather evaluated the processes in place to manage compliance with the requirements of the F&P Regime.

The inspections focused on the following areas:

• Awareness and understanding within firms of their compliance obligations;  
• Initial and ongoing due diligence processes;  
• Oversight and control where Pre-Approval Controlled Function (“PCF”) roles or
• Controlled Function (“CF”) roles have been outsourced; 
• Processes and channels for effective engagement with the Central Bank; and  
• Role of the Compliance Function with regard to the F&P Regime.

The Central Bank towards the end of the letter reminds that the F&P Regime is a cornerstone of the regulatory framework in Ireland, applying not only to individuals but also firms.  Firms must ensure that any individual who is engaged to carry out a CF role has the requisite fitness and probity to do so. 

The Central Bank’s Dear CEO letter of April 2019 emphasised the importance of compliance by firms and identified areas where compliance was inadequate.  As is noted below and in the November 2020 letter, the Central Bank believes that the range of findings from thematic onsite inspections following the April 2009 letter "indicates that many firms do not have due regard to their obligations under the F&P Regime".  The Central Bank is also concerned by the number of firms which did not take action, following the April 2019 letter, to perform a formal ‘gap analysis’ of their  policies, processes and procedures.  Its position seems clear "[i]t is wholly unacceptable that such shortcomings continue to exist in circumstances where the F&P Regime was introduced almost ten years ago."


What did the Central Bank find?:
In summary, the inspections highlighted a number of common issues and shortcomings, resulting in the release of the Dear CEO letter.  The letter sets out key findings and observations from the inspections together with the expectations of the Central Bank, which it believes need to be brought to the attention of the wider financial services industry.  

Helpfully, the Central Bank also set examples of good practices which had been implemented in a number of firms (see Appendix 1 of the Dear CEO Letter November 2020 and set out below).

A significant number of findings were identified in relation to the role of the Board, the conduct of due diligence and the outsourcing of CF roles.  While not all of the issues outlined in the Dear CEO November 2020 letter arose in each firm inspected, the Central Bank reckons that they are representative of the findings across the sample of firms. 

What are the key points arising from the findings?:
(a) role of the Board in the F&P Process:

• the level of awareness by Board members of their fitness and probity obligations was poor. 
• Board appointments were generally not subject to the same level of scrutiny or formality as other PCF/ CF appointments.  There was a notable lack of interview notes and suitability assessments available to support Board appointments, and succession plans generally did not meet expectations and were not used in practice. In a number of cases there was no evidence of Board approval, discussion or challenge of proposed PCF appointments.
• instances of the CEO screening potential Board candidates is inappropriate given the conflict of interest between the respective responsibilities of directors and the executive. 
• it is essential that Board members recognise the importance of the F&P framework and their responsibilities within it, not only for the firm, but also for the Board itself.   The Central Bank expects that the same high standards and rigour be observed and applied to board appointments as to those elsewhere within a firm. [Ed- important to review and include the above into the terms of reference for the Board of Directors and - as appropriate - relevant committees, such as Audit, Risk, Compliance, Remuneration, Nomination committees]

(b) Conducting Due Diligence:

• due diligence was the most consistently weakest area across the majority of firms
• initial and ongoing due diligence undertaken was not sufficiently robust to evidence compliance with the requirements of the F&P Standards.   
• there was a lack of evidence of qualifications, reference checks and suitability searches. 
• shortcomings in ongoing due diligence processes were particularly poor and often limited to an annual self-declaration without any ongoing due diligence screening to check if a change in circumstances had impacted an individual’s F&P. [Ed- Note that shortcoming were also found during the initial due diligence of individuals too]
• in the context of initial due diligence, the Central Bank reminds of the process of PCF application Individual Questionnaires (“IQs”).  These are ultimately endorsed and submitted to the Central Bank by the firm.  The firm must declare in the IQ that it has carried out all necessary due diligence enquiries. It is at this point the firm should disclose all information relevant and potentially relevant to the Central Bank’s assessment of a proposed appointee’s F&P.  Full and frank disclosure is required.  Adverse information in relation to the candidate should be brought to the attention of the Central Bank and the firm should explain why this does not affect the individual’s suitability for the role proposed.  Where a firm has a doubt as to the materiality of a piece of information in this regard, this should be disclosed and explained.  The Central Bank takes non-disclosure seriously, especially where there  is an apparent attempt to mislead.  This may call into question not only the individual’s suitability but also the firm’s decision to propose the individual in question.
• as regards ongoing due diligence, firms have ongoing obligations under Section 21 of the 2010 Act to ensure that they do not allow a person to perform a CF role unless they are “satisfied on reasonable grounds” that the person: (i) complies with the applicable standards of F&P; and (ii) has agreed to abide by those standards.  An annual self-declaration by PCF and CF role holders is the minimum expected. Where a firm becomes aware that there may be concerns regarding the fitness and probity of a person performing a CF role, the Central Bank expects the firm to investigate such concerns and take action as appropriate without delay. 

c) Outsourcing of Roles subject to the F&P Regime
 [Ed- the area of outsourcing is important for large, small, complex and non-complex firms alike]

• where PCF or CF roles are outsourced to unregulated Outsource Service Providers (“OSPs”), the majority of firms had not, as part of their due diligence in appointing CF role holders, obtained the required documentation nor made any inquiries as to the OSP’s process for assessing fitness and probity. In addition, firms did not have a process whereby outsourcing arrangements were analysed to verify whether PCF or CF roles were being performed.  
• firms’ obligations with respect to fitness and probity apply irrespective of whether the PCF or CF role is performed within the firm or outsourced to an unregulated OSP.  Firms are required to have appropriate processes and procedures to ensure compliance in both scenarios.

d) Engagement with the Central Bank

• in the majority of firms the processes related to engagement with the Central Bank on fitness and probity issues, including the IQ submission process, have not been adequately developed, documented or embedded. 
• many firms did not have robust processes in place to identify, escalate  and notify the Central Bank in a timely manner of potential concerns regarding the fitness and probity of a CF or PCF holder.  
• lack of engagement with the Central Bank is also a reflection of the passive approach taken by firms to their ongoing due diligence requirements.   The Central Bank expects firms to be proactive in identifying fitness and probity issues as part of its ongoing due diligence and in reporting as appropriate to the Central Bank without delay. 

e) Role of the Compliance Function

• the majority of firms had compliance frameworks, policies and procedures in place.
• it is clear that many firms are not undertaking robust compliance testing of their fitness and probity processes and procedures. 
• F&P process should be subject to comprehensive oversight by the Compliance Function and periodic independent review by the Internal Audit Function to ensure it is fit for purpose. [Ed- important to review and include the above into the terms of reference for both the compliance and internal audit functions]

 
Conclusion of the Central Bank:

• Central Bank expects that all firms take appropriate action to address the significant issues outlined in this letter and be able to evidence same to the Central Bank, where requested. 
• the November 2020 letter should be read in conjunction with the April 2019 letter, the F&P Standards and the associated fitness and probity guidance.    
• failure by a firm to comply with its ongoing obligations can result in an investigation under the Central Bank’s Administrative Sanctions Procedure, leading to potential sanctions for firms and individuals.  
• the Central Bank will continue to engage with firms to assess the robustness of their application of the F&P Regime and will initiate necessary supervisory responses to any weaknesses identified.  [Ed- there is no reference to any firm subject of the thematic F&P inspection will be subject to enforcement]

Appendix 1: Key Findings Identified by the Thematic Inspections

a) Levels of awareness and understanding of the F&P Regime

Role of the Board / Nomination Committee (“NomCo”) in Fitness and Probity Process

1. The level of awareness of fitness and probity obligations was weak throughout many of the firms, with Board awareness of its obligations particularly poor.

2. Board appointment procedures were generally not subject to the same level of scrutiny or formality as other CF and PCF appointments. In most cases, there was a lack of interview notes or suitability assessments available to support Board appointments.

3. In a number of instances there was no evidence of Board approval of the PCF appointment, Board approval of the appointment took place after approval by the Central Bank and/or there was no evidence of discussion or challenge by Board members of the proposed appointment.

4. Instances of the Chief Executive Officer (“CEO”) screening potential Board candidates were noted in a small number of firms. This is inappropriate given the conflict of interests that arise as between the respective responsibilities of directors and the executive.

5. The quality of succession plans for the Board and executive team generally did not meet expectations. Anumber of these succession plans did not set out the skills, competencies and experience required for the various roles and/or how the proposed successor would demonstrate/acquire those. However, some firms had developed their own Board Skills Matrix, which set out the key areas of experience required. This matrix was used to identify gaps in the combined experience of the Board.
 
Functional Responsibility for the F&P Regime

6. Management of the fitness and probity process varied significantly across the firms. Where there were clear, prescribed roles and responsibilities along with appropriate segregation of duties, the due diligence conducted in these firms was of a higher standard than those without clearly articulated and assigned responsibilities.

7. The quality of policies and procedures in relation to fitness and probity varied from firm to firm. Elements of good practice were observed in the form of ‘How To’ guides, establishment of Fitness & Probity Steering Committees, checklists, and clearly documented roles and responsibilities in relation to the fitness and probity process in the firm. However, good practice was not evident in most firms; the majority had disjointed processes that did not clearly outline the roles and responsibilities of the various functions performing fitness and probity related tasks.

Analysis and Mapping of Roles

8. There were instances where no register of employees performing PCF or CF roles was maintained. In addition, the process of regular review of individuals whose role changed, resulting in their coming within the remit of the F&P Regime, was lacking. Good practices identified included a documented requirement to review the job description when a vacancy arises to determine if the role is CF or PCF in nature, and guidelines setting out the key principles and rationale for the general interpretation of the CFs across the firm.

b) Conducting Due Diligence
Initial Due Diligence

9. In the majority of the firms inspected, the initial due diligence undertaken was not sufficiently robust to evidence compliance with the requirements of the F&P Standards. Issues highlighted by the inspections included: a lack of evidence of academic qualifications; lack of references from previous employers; a notable absence of interview notes across the majority of firms inspected; and no evidence of a documented assessment as to the suitability of the candidate.

10. Issues were also identified in a number of instances with a lack of judgement searches, regulatory searches, directorship searches and adverse media searches, including adverse media searches regarding previous employers that could assist with identifying potential fitness and probity concerns to be examined further.

11. Firms assessed as performing better had defined processes in place for conducting initial due diligence, including documented policies and procedures; an understanding of the allocation of responsibilities among the various functions (e.g. Human Resources, Company Secretary and Compliance Function); performed due diligence searches and conducted and retained interview notes.

Ongoing Due Diligence

12. Under Section 21 of the 2010 Act, firms are required to conduct due diligence on an ongoing basis to ensure that employees performing CFs continue to comply with the F&P Standards.

13. All firms had in place a requirement for each PCF and CF role holder to annually certify their compliance with the F&P Standards and their agreement to abide by the F&P Standards. An annual self-declaration by PCF and CF role holders is the minimum expected by the Central Bank.

14. However, the ongoing due diligence process in most firms is limited to the annual self-declaration. Firms should proactively conduct ongoing due diligence screening of staff to ensure there has been no change in circumstance that may affect the fitness or probity of the individual. In one firm they conducted ongoing due diligence searches on an annual basis for all PCF role holders and on a sample basis for CFs.
 
c) Outsourcing of Roles subject to the F&P Regime
15. Where CF roles are outsourced to unregulated OSPs, the majority of firms had not, as part of their due diligence in appointing CF role holders, obtained the required documentation nor made any inquiries as to the OSP’s process for assessing fitness and probity.

16. Firms did not have a process whereby outsourcing arrangements were analysed to verify whether PCF or CF roles were being performed. This gives rise to the risk that relevant individuals at OSPs may not be identified and subjected to the F&P Standards.

17. In addition to obligations under the Central Bank’s F&P Regime, the Solvency II Regulations impose requirements on insurance firms with respect to the outsourcing of critical or important functions. Under these Regulations, firms are obliged to verify that all staff of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable. There was generally a low awareness of Solvency II obligations in this regard and these had not been included in applicable policies and procedures.
 
d) Engagement with the Central Bank
18. Firms did not have clearly defined procedures covering the various stages of the IQ process including initiation, compilation, completion, review, approval and submission of the IQ application. In addition, there was a lack of clarity in relation to what could be regarded as a material fact for inclusion in the IQ.

19. Firms did not have robust processes in place to identify, escalate and notify an appropriate individual or function, within the firm in a timely manner, of potential concerns regarding the fitness and probity of a CF or PCF holder. Additionally, there was a distinct lack of policies or procedures to support these escalations (i.e. investigation of concerns and the taking of timely action as appropriate) or to ensure timely notification of actions taken to the Central Bank.

20. Overall, the processes related to engagement with the Central Bank on fitness and probity issues, including IQ submission process, have not been adequately developed, documented or embedded.

e) Role of the Compliance Function
21. The majority of firms had compliance frameworks, policies and procedures in place. There was a good understanding of fitness and probity obligations by the Compliance Function in a number of the firms inspected. However, in some cases there was an over reliance placed on the Compliance Function, thereby creating potential key person risk.

22. Many firms are not undertaking robust compliance testing of their fitness and probity processes and procedures. The fitness and probity process should be subject to periodic independent review by the third line of defence.



​If you need assistance with understanding or implementing the requirements, please contact the Team at CompliReg.

• 17th November 2020 Dear CEO Letter 
• 8th April 2019 Dear CEO Letter