• Home
  • About
    • Fintech Family
  • Authorisations
    • CASP (MiCAR)
    • Buying & Selling
    • Payments & Emoney >
      • Support Material
  • Crowdfunding
  • Services
    • Regulatory Licences
    • Interim Solutions
    • Training
  • Brexit
    • Brexit Updates
  • Blogs & Insights
  • News
  • Team
  • Contact
  • Fintech Ireland
  • Client Login
CompliReg

Blogs & Insights

    Author

    Peter Oakes is an experienced anti-financial crime, fintech and board director professional.

    He has served in senior roles at central banks (Ireland & Saudi Arabia) and financial regulators (UK and Australia).

    Peter is an experienced board director of regulated finserv & fintech firms and advisor to regtech firms.


Key Findings of Cyprus National Risk Assessment with respect to Virtual Assets and Virtual Asset Service Providers (November 2021)

20/12/2021


Download the full report here
Key Findings:
  1. There is very limited VA or VASP (or VASP-type) activity in Cyprus. There have been limited access points for VA into the broader Cyprus economy.
  2. There is a widespread perception that the VA/VASP sector is high risk, but overall there is limited direct understanding or experience regarding the specific Money Laundering (ML) and Terrorist Financing (TF) risks of the VA and VASP sector on the part of key authorities. CySEC has had initial direct supervisory experience supervising ML/TF risks of a small subset of entities.
  3. CySEC will have a critical role supervising VA activities, leading Cyprus’s efforts to mitigate VA/VASP ML/TF risks.
  4. The Police have acquired some direct experience and sophisticated understanding with VA.
  5. There is very limited to no use of specialised commercial cryptocurrency AML compliance and intelligence/blockchain forensics and transaction monitoring tools and databases. Supervisors, law enforcement and the FIU have received little to no access to and training on their use.
  6. As of late 2020 Cyprus had not implemented the wire transfer rule for transfers of VA for FIs and VASPs, often referred to as the “Travel Rule” for VA. The deficiency can be corrected in secondary legislation.
  7. Current measures to mitigate NPO vulnerabilities, including the consulting project and risk assessment currently being undertaken on behalf of the Ministry of Interior (MOI), are not taking into account the VA/VASP sector.
  8. Processes for updates from supervisors to obliged entities on designations to sanctions lists and other communications are designed for normal business hours. Because VA markets, unlike traditional financial markets, are active on a 24/7/365 basis, this could be a material gap with regard to VASPs and movement of VA (partly mitigated by other sources of updates available to obliged entities through widely available databases).
Recommended Actions:
  1. The Central Bank of Cyprus (CBC) and the Cyprus Securities and Exchange Commission (CySEC) should update their respective AML/CFT Directives to include measures dealing specifically with VA/VASPs. The revised directives should expressly incorporate the Travel Rule for VA wire transfers to address the FATF deficiency, and should make enhanced due diligence (EDD) indicators and requirements for VA that are currently implicit more explicit.
  2. In light of CySEC’s role supervising VASPs and VA activities and leading Cyprus’ efforts to mitigate VA/VASP ML/TF risks, it should also provide education to its supervised obliged entities regarding identification of suspicious activity in relation to VAs.
  3. Firms in the FI sector should expressly adopt written policies and procedures to comply with the wire transfer rule for VA. As the highest priority, CySEC should ensure that FIs already engaging in VASP-type activities do so.
  4. Authorities should start to maintain and share data and metrics specific to VA/VASPs. Although activity levels now are believed to be negligible, this will enable an evidence-based baseline as activities increase, promoting earlier detection of risks or changes to risk levels.
  5. Training and significant capacity building should be made available with respect to VA/VASP ML/TF risks, as well as technological and market evolution in the VA/VASP sector. Training needs should be led and monitored at the Advisory Authority level.
  6. Supervisory authorities, law enforcement and the FIU should receive in-depth training on these issues and enhance their capacity accordingly.
  7. Cyprus should leverage its collaboration with other jurisdictions that have had additional and complementary experiences with the VA/VASP sector, drawing from these relationships to identify lessons and best practices. Such international cooperation could be an important channel for Cyprus to strengthen and accelerate its capacity building for the VA/VASP sector.

UK Registered Cryptoasset Map by Fintech UK & CompliReg V1.0

20/12/2021


UK Registered Cryptoasset Map Version 1.0
Monday 20th December 2021

Welcome to the first edition (version 1) of the Fintech UK and CompliReg (a leading provider of fintech consulting services to cryptoasset firms) Map of UK registered Cryptoasset Firms.

There are 27 UK registered Cryptoasset firms appearing on the UK Financial Conduct Authority's (FCA) website as at Monday 20th December 2021.

The first of these firms were registered in 2020. According to the UK FCA's records, the first registered Cryptoasset firm was Archax on 18 August 2020. The most recent to be registered is Altalix (today!). While four (4) firms were registered in 2020, 2021 has seen a flurry of activity, especially in the last quarter of 2021, when 16 firms (so far) received their Cryptoasset registration from the FCA. That is a whopping 60% (16 of 27) of the total pool of registered firms. We are looking forward to seeing how many more will be registered before the end of the year.

As we continue to map registered Cryptoasset firms, expect to see certain logos appear more than once, as several brands will register several Cryptoasset firms for different purposes, for example (1) trading and (2) custody.

According to other records at the FCA, there are 37 Cryptoasset firms with Temporary Registration. A quick look through that list suggests that some of those firms now also appear on the list of registered Cryptoasset firms, so the FCA may need to revisit both lists to check there is no double counting.

Worryingly, there are around 218 unregistered cryptoasset businesses listed on the UK FCA's website that appear, to the FCA, to be carrying on cryptoasset activity without being registered with the FCA for anti-money laundering purposes. And that is not a complete list of all unregistered cryptoasset businesses operating in the UK.

Fintech UK is looking to partner with registered / regulated (or soon to be) cryptoasset firms on building out a cryptoasset section on our website. If you are a senior executive at a UK registered cryptoasset firm, please contact us at the details here to discuss the proposed project. We are also happy to hear from senior executives at businesses which support crypto firms. Note that a Google search for "Fintech UK" returns our website as the #1 or #2 organic search result. A compelling reason to partner with us.

If you are a crypto firm seeking regulatory advice or director services, please contact CompliReg for assistance at the details appearing here and check out its VASP registration and other authorisation services here.

Hope you like the Map!

This post also appears at:
  • https://fintechuk.com/news/uk-registered-cryptoasset-map-by-fintech-uk-complireg-v10
  • https://www.linkedin.com/posts/peteroakes_cryptoasset-cryptoasset-moneylaundering-activity-6878800276321554433-SZpd

Authorised Payments Institutions in the European Economic Area

17/12/2021

Which are the Top 5 European Union member states for #paymentinstitutions (#API) authorisations? Read on, you may be surprised. #fintechfunfacts #fintechfriday

This post is a follow up to last week's post (8 December 2021) in which CompliReg released data on the Top 5 European Union member states for electronic money institution (EMI) authorisations. You can find those posts at CompliReg (https://lnkd.in/eimmnhup) and on LinkedIn (https://lnkd.in/e_JwinjJ).

There are 774 APIs authorised in the European Economic Area.*

Following the United Kingdom's exit from the European Union, the crown for the home of the largest number of APIs lands on the head of Germany (9.7%), followed by The Netherlands (9.3%), France (9.2%) and Spain (7.8%), with Sweden (7.2%) rounding out the Top 5. Lithuania, the undisputed leader of EMI authorisations, came in at 8th place with 6.2%.

Given that EMIs can provide payment services too, I don’t think Lithuania will view today’s release as anything but positive for its overall ecosystem.

We will publish data combining both #EMIs and #APIs very shortly in order to give a more holistic picture of where the majority of these #fintech firms are authorised in the #EEA. That post will arguably provide the final word on Europe’s top spot for the highest number of such authorisations.

Had the UK not left the European Union, it would be the undisputed king of #payment firms, just as it would have been for #emoney institutions.

Let us know if this information is interesting and your thoughts. Are you surprised by the split? Did you expect Sweden to make the Top 5? Are you surprised that when it comes to authorised #paymentservices firms, the EMI leader board is not replicated?

And of course, if you need assistance with your fintech authorisation, please get in contact (that's the advertisement piece!). CompliReg supports:

* https://lnkd.in/eqiNpFdZ
* https://FintechMalta.com
* https://FintechIreland.com
* https://FintechCyprus.com
* https://FintechUK.com

and soon a new Fintech France website!


* Data based on European Banking Authority records published 8th December 2021.

Linkedin Post here - https://www.linkedin.com/posts/peteroakes_paymentinstitutions-api-fintechfunfacts-activity-6877591088606007296-N9xp

Authorisation Guidance and Supervisory Expectations for Payment and Electronic Money Firms (Central Bank of Ireland)

10/12/2021

  • Download this blog in PDF
  • Central Bank of Ireland 'Dear CEO' Letter dated 9 December 2021 
Communication to firms seeking authorisation as a Payment Institution (PI) or an Electronic Money Institution (EMI) 10 December 2021

Background
The Central Bank of Ireland’s (‘Central Bank’) statutory “gatekeeper” role is critically important. In assessing applications for authorisation as a PI or an EMI, the Central Bank adopts a robust, structured and risk-based approach that seeks to ensure that only applicants that demonstrate an ability to comply with the authorisation requirements applicable to their proposed business model are authorised.

The authorisation and supervision of firms operating in the PI and EMI sector is an important part of our mandate. This sector has grown substantively over the last number of years. The number of firms authorised by the Central Bank has more than doubled since 2018 and there continues to be a strong authorisation pipeline.

The purpose of this communication is to clearly set out the Central Bank’s expectations for all PI and EMI firms applying for authorisation, and to remind applicant firms of the authorisation principles, approach and the core elements that will be assessed by the Central Bank. In addition, information about the service standards to which the Central Bank operates is set out below.
1. Authorisation Principles
It is the Central Bank’s expectation that firms fully understand the risks arising from their business model and operations and how to mitigate those risks. As a general principle applicable to all firms, both incoming and those firms we currently supervise, the Central Bank expects that firms:
a) Have sufficient financial resources, including under a plausible but severe stress;
b) Have sustainable business models;
c) Be well governed, with appropriate cultures, effective risk management and control arrangements in place; and
d) Be able to recover if they get into difficulty, and if they cannot, they should be resolvable in an orderly manner without significant externalities.

From an overarching perspective, through the authorisation process, the Central Bank is seeking to gain assurance in an evidence-based manner that firms have the capabilities to manage risk and the proposed governance, risk and compliance frameworks are therefore sufficient and will operate as described post authorisation. In this regard, firms are expected, in the context of seeking to become a regulated firm, to be fully aware of the Central Bank’s broader financial regulation (prudential and conduct) expectations post authorisation. To this end, firms are expected to proactively and diligently consider regulatory requirements and guidance as well as published communication[1] from the Central Bank to regulated firms in this sector.

PI and EMI firms play an increasingly important role in the financial system and in the lives of consumers. Consequently, the failure of firms to meet their supervisory obligations, including breaches of regulatory requirements, can have a significant impact on consumers, who are reliant on the services provided, and/or on the functioning of the broader financial system. Therefore, firms must demonstrate that they have robust internal systems and controls, including well-developed risk management frameworks in place to drive effective behaviour and culture. In this regard, the Central Bank has no tolerance for widespread consumer or investor harm and it is the responsibility of firms to ensure that their business has a consumer-focused culture. From a conduct perspective, the Central Bank expects applicant firms to:


[1] https://complireg.com/blogs--insights/authorisation-guidance-and-supervisory-expectations-for-payment-and-electronic-money-firms-central-bank-of-ireland
  • Go beyond consumer protection obligations under law and be proactive and meticulous in ensuring that they do business in a way that protects consumers and investors.
  • Ensure that consumer-focused cultures are evident and demonstrable throughout the entire structure. Firms must show evidence of robust oversight and challenge led by the board (in particular over the product/service lifecycle), execute comprehensive training for staff and measure key indicators of the firm’s culture.
  • Regularly track and monitor the behaviour and culture in their organisations, and reflect on any shortfalls in the collective understanding of what ‘consumer focus’ actually means for their firm.
  • Firms must ensure they have the right structures, processes and systems embedded to support consumer-focused behaviours.

Further elaboration of the Central Bank’s consumer protection expectations is outlined in the recent publication of the Consumer Protection Outlook 2021.
2. The Authorisation Assessment
 
The Central Bank’s assessment takes into consideration the nature, scale, and complexity of a firm’s application both from a point in time and a forward looking perspective. Therefore it is recommended that firms clearly demonstrate within their application submission how they will own and control the risks to which they are exposed both upon authorisation and in the future, in line with their growth plans and ambitions. In this regard, it is the Central Bank’s expectation that throughout the authorisation process engagement is robustly led by persons proposed to be performing Pre-Approved Control Functions (‘PCF’) in the firm.

Based on the foregoing and the relevant underpinning legislative requirements and guidelines, the Central Bank authorisation assessment focuses on five distinct areas:

a) Business Model and Financial Resilience: Assessment of the viability and sustainability of the applicant’s business strategy, programme of operations and financial projections for the first three years of operation including underpinning assumptions. This includes an assessment of the firm’s ability to meet capital requirements on an on-going basis including vulnerabilities stemming from enterprise wide risks.
 
b) Governance: Assessment of the local governance framework including the proposed board construct, its terms of reference, suitability of members of the management body and key function holders, management committees and the three lines of defence framework. The Central Bank expects decision-making at Board and Executive level to take place within the State. Non-executive directors on the Board are expected to devote sufficient time to fulfil their duties and to act critically and independently so as to exercise objective and independent judgement.  In the future, the Central Bank will conduct interviews for PCF roles as a core part of the assessment process. The adequacy of local resources will also be specifically assessed including the alignment of same to the management of the key functions and risks of the firm both from a prudential and conduct perspective.
 
c) Risk Management, Operational Resilience and Safeguarding
Assessment of the firm’s articulation of its key prudential and conduct risks and the respective risk management frameworks. Applicant firms should demonstrate that comprehensive risk management systems, commensurate with the proposed business model and activities of the applicant, are in place. Applicant firms should coherently describe the key risks inherent in the proposed business activities of the applicant, including details on how these risks will be identified, managed, monitored, controlled and mitigated. For the most material risks, including safeguarding, operational and IT risk, outsourcing (including intragroup), capital and credit risk, a detailed assessment of the individual policy documents, frameworks and internal control mechanisms will be performed. Such documents should clearly describe the end-to-end operational and risk management process. Assessment of the firm’s IT risk management policy and framework, including procedures for monitoring, handling and following up on security incidents and security related customer complaints, is also a key assessment feature.
 
d) Money-Laundering/Terrorist Financing risk
The financial system must be protected from use for money laundering or terrorist financing activities. Protecting the financial system from money laundering and terrorist financing is of the utmost importance to the Central Bank. Firms operating in the PI and EMI sector are classified as a designated person under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (“CJA 2010”).  As a designated person, firms are subject to the obligations of the CJA 2010, and in particular, the obligations set out in Part 4.  Firms must demonstrate that they invest in and maintain strong AML compliance frameworks to protect the financial system, consumers and the wider public from money laundering and terrorist financing.  One of the Central Bank’s key expectations for an effective AML control framework is that it is based on a money laundering and terrorist financing risk assessment that specifically focusses on the money-laundering and terrorist financing risks arising from the firm’s business model. This risk assessment should drive the firm’s framework such that it ensures there are robust controls in place to mitigate and manage the risks identified through the risk assessment.
 
The Central Bank’s view is that a “tick box” or rules-based approach to risk assessment is not fit for purpose and does not meet regulatory expectations.
e) Resolution and Wind Up
Assessment of the measures to be taken by the applicant firm in the event of termination of its payment services (due to insolvency, etc.).  It is expected that where failure arises, the insolvency process can be managed in an orderly fashion without customer detriment. Measures to be reviewed will include, inter alia, an assessment of the firm’s ability to (i) ensure operational continuity by all service providers during the wind-down process, (ii) execute pending payment transactions, (iii) repay outstanding client balances without delay and/or (iv) protect client funds from the claims of other creditors in the event of insolvency.
 
The Central Bank has published service standards in respect of the processing of applications for the Payments Sector. In the context of meeting those standards, the service standard timeframe to which the Central Bank has committed, and remains committed, for the assessment phase of the application process is 90 working days. However, firms should expect that the assessment clock will be paused, resulting in a prolonged assessment period, where:
  1. The information provided does not address, in substance and detail, the key assessment areas as outlined under the Authorisation Process section of the Central Bank website.
  2. Firms do not comprehensively address, within their applications, the firm specific feedback provided by the Central Bank during the formal assessment phase period.
3. Closing

The Central Bank deals with all applications for authorisation in an open, engaged and constructive manner. The Central Bank encourages all firms seeking authorisation to engage at the earliest opportunity regarding its proposed application, having fully reflected on the information contained within this communication as well as the broader suite of information available on the Central Bank’s website.
If you require assistance with your Central Bank of Ireland authorisation application, contact Peter Oakes at CompliReg at [email protected]

Authorised Electronic Money Institutions in the European Economic Area

8/12/2021

Which are the Top 5 European Union member states for electronic money institution (#EMI) authorisations? Read on, you may be surprised.

[If you are looking to get authorised as a fintech in the European Economic Area visit our authorisation page ] 

There are, as of today's records published by the European Banking Authority, 268 EMIs authorised in the European Economic Area.


Following the United Kingdom's exit from the European Union, the crown for the home of the largest number of authorised EMIs lands on the head of Lithuania (16.2%), followed at a distance by Malta (5.3%), then both Ireland and France (tied at 3.4% each), and rounding out the Top 5 is Cyprus (3%). It is remarkable, and admirable, that Lithuania has attracted such a large number of these fintechs.


No wonder CompliReg supports:

* https://FintechLithuania.com
* https://FintechMalta.com
* https://FintechIreland.com
* https://FintechCyprus.com

and soon a new Fintech France website!

Had the UK not left the European Union, it would be the undisputed king of emoney firms, having 2.8 times more authorised EMIs than Lithuania and a mere 4% fewer than the total number of all EEA authorised EMIs. No surprise either that CompliReg supports https://FintechUK.com.


In the coming days we will release more #funfintechfacts about the EEA and UK. Having crunched a pile of numbers, I expect that in the not too distant future the number of EMIs, authorised payments institutions and AISPs will equate to approximately half the number of authorised credit institutions in the EEA. But presently these fintech companies have a long way to go to outnumber the banks - being only 35% of the total number of authorised EEA credit institutions.


Let us know if this information is interesting and your thoughts. Are you surprised by the split? What you may be surprised by is that when it comes to authorised #paymentservices firms, the EMI leader board is not necessarily replicated!


And of course, if you need assistance with your fintech authorisation, please get in contact (that's the advertisement piece!).

This post appears on LinkedIn - https://www.linkedin.com/posts/peteroakes_electronicmoney-emi-fintech-activity-6874439675864502272-5SiL

Bank of Ireland fined €24.5mn by Central Bank of Ireland for IT service continuity framework and internal controls failings

2/12/2021

Bank of Ireland (BOI) cops a €24.5mn fine over its information technology service continuity failings, the Central Bank noting that "the impact of these breaches meant that had [note: “HAD” not 'did have'] a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services."
 
Today’s announcement by the Central Bank of Ireland (CBI) falls in the week the CBI published its ‘Operational Resilience Finalised Guidance Paper’ arising from CP140 - Cross Industry Guidance on Operational Resilience.
 
Speaking of timing, last week there was a well-publicised outage at Revolut, which is seeking authorisation in Ireland as an emoney firm and, as previously raised by its founder, potentially a bank/credit institution authorisation in Ireland. It already holds bank and emoney authorisations in Lithuania.

The case is well worth a read by all regulated financial technology (#fintech) firms focused on emoney and payments and not just banks operating in Ireland.  In particular, the statement should be read and digested by the large pipeline of emoney and payment services applicants.
 
A number of points to call out include:
  • “Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.” says the CBI. As noted above, the CBI published its Operational Resilience Finalised Guidance Paper this week;
  • The significance of the fine and the duration of the breaches makes one think about whether, under a SEAR regime, individuals might be in the cross-hairs. And perhaps they may be under the current Administrative Sanctions Procedure as persons concerned in the management of a firm in relation to a prescribed contravention. If you think that is unlikely, then consider the fact that the CBI is pursuing, via an Inquiry, a person formerly concerned in the management of permanent tsb plc. Joe Brennan of the Irish Times reported on 10 November 2021 that the person concerned (in that case) is a former chief executive of permanent tsb; [see also SEARHub]
  • The CBI found there were failings in the oft touted ‘Three Lines of Defence’ at each line of defence in relation to the bank’s IT service continuity;
  • BOI failed to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
  • BOI failed to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
  • BOI failed to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.
 
BOI admitted five contraventions occurring between 2008 and 2019, quite an extended period:
  • Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
  • Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
  • Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
  • Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
  • Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.

Being an INED of several regulated fintechs and financial services firms in Ireland, I thought this point in the publicity statement by the CBI was worth noting.
  • "Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks."

Read the statement issued by the Central Bank of Ireland on 2nd December 2021 below.

Posted by Peter Oakes, CompliReg.

Linkedin Post at https://www.linkedin.com/feed/update/urn:li:activity:6872160483626029056/
Statement issued by the Central Bank of Ireland on 2nd December 2021 
On 30 November 2021, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (the Firm or BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the Firm and its customers in the event of a significant IT disruption. These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by the Firm to address the deficiencies were completed by 2019.

The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP.

The Firm has admitted five contraventions [1] occurring between 2008 and 2019 including:
  • The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
  • The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
  • The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said “Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.

"Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.
"From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.

"The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.
"This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

BACKGROUND
BOI is authorised to carry on banking business in Ireland as a credit institution under Section 9 of the Central Bank Act 1971. BOI is one of the largest banks in Ireland with 169 branches and over 2 million customers. Its principal activities consist of retail and commercial banking. BOI reported total operating income (net of insurance claims) for the year ended 31 December 2020 of €2,645 million.

The European Central Bank (the ECB) is the prudential supervisor of BOI and works closely with the Central Bank as part of the Single Supervisory Mechanism (SSM). [2]

Under the SSM, the ECB has the power to ask national banking regulators to investigate issues that it has identified, and to take enforcement action where this is merited.

In 2015, BOI’s Internal Audit raised concerns about deficiencies in BOI’s IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report (completed in October 2017), which was provided to the ECB, identified a number of risk management and internal control failings in respect of BOI’s IT service continuity. In addition, the report identified failings relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral [3] by the ECB in August 2018.

From 2008, BOI’s internal controls in relation to IT service continuity employed a three lines of defence model, whereby:
  • the first line of defence owns and manages the risks;
  • the second line of defence is responsible for oversight and challenge of the first line of defence and risk oversight; and
  • the third line of defence provides independent assurance.

The Central Bank’s investigation found that there were failings in each line of defence (as detailed further below). The failures in each line of defence culminated in an overall failure of this model in relation to the Firm’s IT service continuity framework. This is most clearly demonstrated in circumstances where IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.

The Central Bank’s investigation found that BOI had in place second and third lines of defence which were meant to challenge and oversee the first line business unit responsible for IT service continuity. However, both the second and third lines of defence failed to ensure that the first line business unit was acting on the adverse findings of reports prepared by third parties, which had reviewed BOI’s IT service continuity framework. In addition, the second and third lines of defence failed, independently, to address and escalate the IT service continuity risks to which BOI was exposed.

Ultimately, these internal control failings resulted in deficiencies in the Firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the Firm’s reliance on IT was significantly increasing year on year, in common with the sector.

In 2015 the Firm initiated steps to address the deficiencies in both its IT service continuity framework and associated internal controls. The Central Bank acknowledges that the steps taken by the Firm have resulted in an overall improvement in its IT service continuity framework and internal controls. Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks.

PRESCRIBED CONTRAVENTIONS
The Central Bank’s investigation identified five breaches relating to the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) (the 1992 Regulations) and European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (the Capital Requirements Regulations) as set out below.

Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
From June 2008 to April 2019, the Firm breached Regulation 16(4)(b) of the 1992 Regulations and Regulation 73(3) of the Capital Requirements Regulations by failing to have in place contingency and business continuity plans with regard to IT service continuity to ensure the Firm’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. In particular:
  • The Firm failed to define its critical services [4] or put in place IT runbooks. [5]
  • It was unlikely that the Firm would have been able to successfully failover [6] a critical service to a secondary site (in the event of a serious incident occurring) within an acceptable timeframe.
  • The Firm did not undertake adequate full end-to-end IT service continuity testing. [7]

Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
From June 2008 to April 2019 the Firm breached Regulation 16(3) (b) and (c) of the 1992 Regulations and Regulation 61(1) (b) and (c) of the Capital Requirements Regulations by failing to have in place and maintain robust governance arrangements including:
  • effective processes to identify, manage, monitor and report IT service continuity risks the Firm was exposed to; and
  • adequate internal control mechanisms concerning IT service continuity.

These governance failings led to the Firm’s failure to address the IT service continuity deficiencies as set out in Contravention 1.


The Firm failed to have in place and maintain effective governance arrangements through its three lines of defence model regarding IT service continuity. As a result, deficiencies in the Firm’s IT service continuity framework were identified by third party reports prepared for the Firm but were not managed, escalated and appropriately dealt with by the Firm. This demonstrates a recurring failure that is indicative of poor internal controls and demonstrates an overall failure of the Firm’s three lines of defence model with regard to its IT service continuity framework, which arose due to the following:

  • First Line of Defence
The first line of defence (the Firm’s central IT unit responsible for IT service continuity) failed to (i) have in place effective risk management practices and processes, (ii) have in place an effective risk register, and (iii) manage and escalate findings from third party reports.

  • Second Line of Defence
The second line of defence failed to provide robust oversight and challenge of the first line of defence. The second line of defence failed to ensure that the first line of defence was adequately identifying, managing and escalating risks. Furthermore, the second line of defence failed to independently (of the first line) manage or monitor IT service continuity risks to which the Firm was exposed.

  • Third Line of Defence
The third line of defence failed to understand the gravity of the key IT service continuity risks within the Firm from 2008 to 2015. Additionally the third line of defence failed to provide robust oversight and challenge of the Firm’s first and second lines of defence in relation to the risk management of IT service continuity.

Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
From June 2008 to April 2019 the Firm breached Regulation 16(3)(a) of the 1992 Regulations and Regulation 61(1)(a) of the Capital Requirements Regulations by failing to have in place a clear organisational structure with well-defined, transparent and consistent lines of responsibility in relation to IT service continuity.

In this case, the first line business units were siloed, which resulted in an uncoordinated approach to IT service continuity with no consistent processes or procedures in place for managing and reporting IT service continuity requirements and risks. In addition, there was no well-defined, transparent and consistent second line function with responsibility for overseeing and challenging IT service continuity requirements and risks across the Firm to ensure that they were being adequately managed.

The first line unit responsible for IT service continuity was identifying risks, however, due to the siloed nature of this unit, stakeholders within the Firm had limited or no visibility of these IT service continuity risks. This had the effect of excluding key stakeholders in the Firm from involvement in the assessment of prioritisation decisions regarding IT service continuity, which is a key area of operational risk.

Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
From June 2008 to December 2019 the Firm breached Regulation 16(4)(a) of the 1992 Regulations and Regulation 61(3)(a) of the Capital Requirements Regulations by failing to adequately develop a clear understanding of the roles, responsibilities, accountabilities and interdependencies between different third party IT service providers.

Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.
The Firm breached Regulation 64(13) of the Capital Requirements Regulations, from 31 March 2014 (when the requirement was introduced) until Q4 2015, by its failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation in respect of IT service continuity, which was a key area of operational risk. Specifically, the findings of third party reports which identified deficiencies with IT service continuity were not made available to the Firm’s management body.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure 2018 and the ASP Sanctions Guidance November 2019. It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions and the size of the Firm’s operations. The Central Bank also had regard to the need for deterrence. The following particular factors are highlighted in this case:

The Nature, Seriousness and Impact of the Contravention
Duration and frequency of the contravention
  • The Firm failed to have an adequate IT service continuity framework and associated internal controls in place over a sustained period from 2008 to 2019, despite the repeated reporting of these IT service continuity framework deficiencies by third parties from 2008 to 2015.

Serious or systemic weakness of the management systems or internal controls relating to all or part of the business
  • The investigation found serious weaknesses in: IT service continuity plans; internal controls; organisational structures and consistent lines of responsibility; appropriate management of the Firm’s third party IT vendors concerning IT service continuity; and reporting to management body of IT service continuity risks.

The impact or potential impact of the contraventions
  • IT underpins the delivery of services across the entirety of the Firm’s business operations. In the event of a significant IT disruption, the Firm could potentially have been exposed to significant risk and potentially have been unable to continue to provide critical services, such as payments. This could have caused serious financial and reputational damage to both the Firm and the wider financial system.

The loss or detriment or risk of loss or detriment caused to consumers or other market users
  • While no detriment arose in this case, had a significant IT failure or prolonged outage occurred, given the increasing dependence on online banking, this could have had a very serious impact and could have resulted in customers being denied access to the basic banking services they needed on a day to day basis.

The extent to which the contravention departs from the required standard
  • The contraventions represented a serious departure from the required standards expected of the Firm to ensure that in the event of a significant IT incident the Firm could ensure continuity of critical services.

The Conduct of the Regulated Entity after the Contravention
Mitigating:
The following two mitigating factors, indicative of exemplary co-operation and self-reporting on behalf of the Firm, applied in this case:
  • the regulated entity proactively and voluntarily provides the Central Bank with the output of any pre-existing internal investigation and/or third party review;
  • there has been identification of other contraventions by the regulated entity.


The investigation found that, following concerns that had been raised by its Internal Audit in 2015 about deficiencies in BOI’s IT service continuity framework, BOI commissioned an internal investigation in 2016 (completed in 2017) into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report:
  1. was proactively and voluntarily provided to the ECB;
  2. identified a number of risk management and internal control failings in respect of BOI’s IT service continuity; and
  3. identified a number of additional contraventions relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

This assisted the Central Bank’s investigation, facilitated the review of documentation, and reduced the time and resources required to complete the investigation.

The Previous Record of the Regulated Entity

Aggravating:
  • The Firm has been the subject of four prior enforcement actions.
Other Considerations
  • The need to have an appropriate deterrent impact on the Firm and other regulated entities.

This enforcement action against the Firm is now concluded.

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.

2. This is the Central Bank’s 145th settlement under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €191 million.

3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.

4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link.

5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure 2018 and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.

6. In accordance with the SSM, the Firm became subject to direct supervision in prudential matters by the ECB as of 4 November 2014.

7. The European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) were in force between 1 January 1993 to 31 March 2014; a copy can be found here: link.

These were repealed and replaced by the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) which are here: link.


8. On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link.

9. The Firm has been the subject of four previous settlement agreements with the Central Bank, as follows:        
  • 2012: Breaches of the Assets Covered Securities Act 2001 and Regulation 16 of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992.
  • 2016: Breaches of the Consumer Protection Code 2012.
  • 2017: Breaches for non-compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
  • 2020: Breaches of European Communities (Markets in Financial Instruments) Regulations 2007.

Footnotes
[1] Breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) and the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014).

[2] The Firm became subject to direct supervision in prudential matters by the European Central Bank as of 4 November 2014.

[3] Pursuant to Articles 4(1) and 18(5) of the SSM Regulation (Council Regulation (EU) No 1024/2013).

[4] Critical services are business services that provide a substantial banking or operational activity and are of such importance that any weakness or failure in the provision of these activities could have a significant impact on BOI’s ability to meet its regulatory and legal obligations and/or control over, or continuity of, its services and activities. They could also adversely impact on BOI’s ability to manage risks related to these activities.

[5] A runbook describes how the Firm would continue to provide a service should an incident arise. A runbook would also contain procedures to begin, stop, supervise, test and restart a service/system.

[6] Failover is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.

[7] End-to-end testing refers to a software testing method that involves testing an application's workflow from beginning to end.
© CompliReg.com   Dublin 2, Ireland  ph +353 1 639 2971 
|  www.complireg.com  |  officeATcomplireg.com [replace AT with @]

Photo from Got Credit