Communication to firms seeking authorisation as a Payment Institution (PI) or an Electronic Money Institution (EMI) 10 December 2021

Background
The Central Bank of Ireland’s (‘Central Bank’) statutory “gatekeeper” role is critically important. In assessing applications for authorisation as a PI or an EMI, the Central Bank adopts a robust, structured and risk-based approach that seeks to ensure that only applicants that demonstrate an ability to comply with the authorisation requirements applicable to their proposed business model are authorised.

The authorisation and supervision of firms operating in the PI and EMI sector is an important part of our mandate. This sector has grown substantively over the last number of years. The number of firms authorised by the Central Bank has more than doubled since 2018 and there continues to be a strong authorisation pipeline.

The purpose of this communication is to clearly set out the Central Bank’s expectations for all PI and EMI firms applying for authorisation, and to remind applicant firms of the authorisation principles, approach and the core elements that will be assessed by the Central Bank. In addition, information about the service standards to which the Central Bank operates is set out below.

1. Authorisation Principles
It is the Central Bank’s expectation that firms fully understand the risks arising from their business model and operations and how to mitigate those risks. As a general principle applicable to all firms, both incoming and those firms we currently supervise, the Central Bank expects that firms:
​
a) Have sufficient financial resources, including under a plausible but severe stress;
b) Have sustainable business models;
c) Be well governed, with appropriate cultures, effective risk management and control arrangements in place; and
d) Be able to recover if they get into difficulty, and if they cannot, they should be resolvable in an orderly manner without significant externalities.

From an overarching perspective, through the authorisation process, the Central Bank is seeking to gain assurance in an evidence-based manner that firms have the capabilities to manage risk and the proposed governance, risk and compliance frameworks are therefore sufficient and will operate as described post authorisation. In this regard, firms are expected, in the context of seeking to become a regulated firm, to be fully aware of the Central Bank’s broader financial regulation (prudential and conduct) expectations post authorisation. To this end, firms are expected to proactively and diligently consider regulatory requirements and guidance as well as published communication[1] from the Central Bank to regulated firms in this sector.

​PIs and EMIs firms play an increasingly important role in the financial system and in the lives of consumers. Consequently, the failure of firms to meet their supervisory obligations, including breaches of regulatory requirements can have a significant impact on consumers, who are reliant on the services provided, and/or on the functioning of the broader financial system. Therefore, firms must demonstrate that they have robust internal systems and controls, including well-developed risk management frameworks in place to drive effective behaviour and culture. In this regard, the Central Bank has no tolerance for widespread consumer or investor harm and it is the responsibility of firms to ensure that their business has a consumer-focused culture. From a conduct perspective, the Central Bank expects applicant firms to:


[1] https://complireg.com/blogs--insights/authorisation-guidance-and-supervisory-expectations-for-payment-and-electronic-money-firms-central-bank-of-ireland

• Go beyond consumer protection obligations under law and be proactive and meticulous in ensuring that they do business in a way that protects consumers and investors.
• Ensure that consumer-focused cultures are evident and demonstrable throughout the entire structure. Firms must show evidence of robust oversight and challenge led by the board (in particular over the product/service lifecycle), execute comprehensive training for staff and measure key indicators of the firm’s culture.
• Regularly track and monitor the behaviour and culture in their organisations, and reflect on any shortfalls in the collective understanding of what ‘consumer focus’ actually means for their firm.
• Firms must ensure they have the right structures, processes and systems embedded to support consumer-focused behaviours.

​Further elaboration of the Central Bank’s consumer protection expectations are outlined in the recent publication of the Consumer Protection Outlook 2021

2. The Authorisation Assessment
 
The Central Bank’s assessment takes into consideration the nature, scale, and complexity of a firm’s application both from a point in time and forward looking perspective. Therefore it is recommended that firm’s clearly demonstrate within their application submission how they will own and control the risks to which they are exposed both upon authorisation and in the future in line with their growth plans and ambitions.  In this regard, it is the Central Bank’s expectation that throughout the authorisation process that engagement is robustly led by persons proposed to be performing Pre-Approved Control Functions (‘PCF’) in the firm.

Based on the foregoing and the relevant underpinning legislative requirements and guidelines, the Central Bank authorisation assessment focuses on five distinct areas:

a) Business Model and Financial Resilience: Assessment of the viability and sustainability of the applicant’s business strategy, programme of operations and financial projections for the first three years of operation including underpinning assumptions. This includes an assessment of the firm’s ability to meet capital requirements on an on-going basis including vulnerabilities stemming from enterprise wide risks.
 
b) Governance: Assessment of the local governance framework including the proposed board construct, its terms of reference, suitability of members of the management body and key function holders, management committees and the three lines of defence framework. The Central Bank expects decision-making at Board and Executive level to take place within the State. Non-executive directors on the Board are expected to devote sufficient time to fulfil their duties and to act critically and independently so as to exercise objective and independent judgement.  In the future, the Central Bank will conduct interviews for PCF roles as a core part of the assessment process. The adequacy of local resources will also be specifically assessed including the alignment of same to the management of the key functions and risks of the firm both from a prudential and conduct perspective.
 
c) Risk Management, Operational Resilience and Safeguarding
Assessment of the firm’s articulation of its key prudential and conduct risks and the respective risk management frameworks. Applicant firms should demonstrate comprehensive risk management systems commensurate with the proposed business model of the applicants’ activities are in place.  Applicant firms should coherently describe the key risks inherent in the proposed business activities of the applicant including details on how these risks will be identified, managed, monitored, controlled and mitigated. For the most material risks including; safeguarding, operational and IT risk, outsourcing (including intragroup) capital and credit risk a detailed assessment of the individual policy documents, frameworks and internal control mechanisms will be performed. Such documents should clearly describe the end-to-end operational and risk management process.  Assessment of the firm’s IT risk management policy and framework including procedures for monitoring, handling and following up on security incidents and security related customer complaints is also a key assessment feature.
 
d) Money-Laundering/Terrorist Financing risk
The financial system must be protected from use for money laundering or terrorist financing activities. Protecting the financial system from money laundering and terrorist financing is of the utmost importance to the Central Bank. Firms operating in the PI and EMI sector are classified as a designated person under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (“CJA 2010”).  As a designated person, firms are subject to the obligations of the CJA 2010, and in particular, the obligations set out in Part 4.  Firms must demonstrate that they invest in and maintain strong AML compliance frameworks to protect the financial system, consumers and the wider public from money laundering and terrorist financing.  One of the Central Bank’s key expectations for an effective AML control framework is that it is based on a money laundering and terrorist financing risk assessment that specifically focusses on the money-laundering and terrorist financing risks arising from the firm’s business model. This risk assessment should drive the firm’s framework such that it ensures there are robust controls in place to mitigate and manage the risks identified through the risk assessment.
 
The Central Bank’s view is that a “tick box” or rules-based approach to risk assessment is not fit for purpose and does not meet regulatory expectations.
​
e) Resolution and Wind Up
Assessment of the measures to be taken by the applicant firm in the event of termination of its payment services (due to insolvency, etc.).  It is expected that where failure arises, the insolvency process can be managed in an orderly fashion without customer detriment. Measures to be reviewed will include, inter alia, an assessment of the firm’s ability to (i) ensure operational continuity by all service providers during the wind-down process, (ii) execute pending payment transactions, (iii) repay outstanding client balances without delay and/or (iv) protect client funds from the claims of other creditors in the event of insolvency.
 
The Central Bank has published service standards in respect of the processing of applications for the Payments Sector. In the context of meeting those standards, the service standard timeframe to which the Central Bank has and remains committed to the assessment phase of the application process is 90 working days.  However, firms should expect that the assessment clock will be paused resulting in a prolonged assessment period where:

​

1. The information provided does not address, in substance and detail, the key assessment areas as outlined under the Authorisation Process section of the Central Bank website.
2. Firms do not comprehensively address, within their applications, the firm specific feedback provided by the Central Bank during the formal assessment phase period.

3. Closing
​
The Central Bank deals with all applications for authorisation in an open, engaged and constructive manner. The Central Bank encourages all firms seeking authorisation to engage at the earliest opportunity regarding it proposed application having fully reflected on the information contained within this communication as well as the broader suite of information available on the Central Bank’s website.

If you require assistance with your Central Bank of Ireland authorisation application, contact Peter Oakes at CompliReg at [email protected]
​

Bank of Ireland (BOI) cops a €24.5mn fine over its information technology service for the reason that "the impact of these breaches meant that had [note: “HAD” not 'did have'] a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services."
 
Today’s announcement by the Central Bank of Ireland (CBI) falls in the week the CBI published its ‘Operational Resilience Finalised Guidance Paper’ arising from CP140 - Cross Industry Guidance on Operational Resilience.
 
Speaking of timing, last week there was a well-publicised outage at Revolut which is seeking authorisation in Ireland as an emoney firm and, as previously raised by its founder, potentially a bank/credit institution authorisation in Ireland.  It has a bank and emoney authorisations in Lithuania.

The case is well worth a read by all regulated financial technology (#fintech) firms focused on emoney and payments and not just banks operating in Ireland.  In particular, the statement should be read and digested by the large pipeline of emoney and payment services applicants.
 
A number of points to call out include:

• “Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.” says the CBI.  As noted above, the CBI is due to publish Operational Resilience Finalised Guidance Paper;
• The significance of the fine and the duration of the breaches makes one think about whether under a SEAR regime whether individuals might be in the cross-hairs.  And perhaps they may be under the current Administrative Sanction Procedures relating to a person or persons concerned in the management of a prescribed offence.  If you think that is unlikely, then consider the fact that the CBI is pursuing, via an Inquiry, a person formerly concerned in the management of permanent tsb plc.  Joe Brennan of the Irish Times reported on 10 November 2021 that the person concerned (in that case) is a former chief executive of permanent tsb; [see also SEARHub]
• The CBI found there were failings in the oft touted ‘Three Lines of Defence’ at each line of defence in relation to the bank’s IT service continuity;
• BOI failed to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
• BOI failed to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
• BOI failed to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

 
In the case of BoI, admitted five contraventions occurring between 2008 and 2019 – quite an extended period. 

• Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
• Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
• Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
• Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
• Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.

Being a INED of several regulated fintechs and financial services firms in Ireland, I thought this point in the publicity statement by the CBI was worth noting.

• "Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks."

Read the statement issued by the Central Bank of Ireland on 2nd December 2021  below.

​Posted by Peter Oakes, CompliReg. 

Linkedin Post at https://www.linkedin.com/feed/update/urn:li:activity:6872160483626029056/

On 30 November 2021, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (the Firm or BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the Firm and its customers in the event of a significant IT disruption. These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by the Firm to address the deficiencies were completed by 2019.

The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP.

The Firm has admitted five contraventions1 occurring between 2008 and 2019 including:

• The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
• The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
• The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said “Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.

"Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.
"From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.

"The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.
"This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

BACKGROUND
BOI is authorised to carry on banking business in Ireland as a credit institution under Section 9 of the Central Bank Act 1971. BOI is one of the largest banks in Ireland with 169 branches and over 2 million customers. Its principal activities consist of retail and commercial banking. BOI reported total operating income (net of insurance claims) for the year ended 31 December 2020 of €2,645 million.

The European Central Bank (the ECB) is the prudential supervisor of BOI and works closely with the Central Bank as part of the Single Supervisory Mechanism (SSM).2

Under the SSM, the ECB has the power to ask national banking regulators to investigate issues that it has identified, and to take enforcement action where this is merited.

In 2015, BOI’s Internal Audit raised concerns about deficiencies in BOI’s IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report (completed in October 2017), which was provided to the ECB, identified a number of risk management and internal control failings in respect of BOI’s IT service continuity. In addition, the report identified failings relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral3 by the ECB in August 2018.

From 2008, BOI’s internal controls in relation to IT service continuity employed a three lines of defence model, whereby:

• the first line of defence owns and manages the risks;
• the second line of defence is responsible for oversight and challenge of the first line of defence and risk oversight; and
• the third line of defence provides independent assurance.

The Central Bank’s investigation found that there were failings in each line of defence (as detailed further below). The failures in each line of defence culminated in an overall failure of this model in relation to the Firm’s IT service continuity framework.  This is most clearly demonstrated in circumstances where IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.

The Central Bank’s investigation found that BOI had in place second and third lines of defence which were meant to challenge and oversee the first line business unit responsible for IT service continuity. However, both the second and third lines of defence failed to ensure that the first line business unit was acting on the adverse findings of reports prepared by third parties, which had reviewed BOI’s IT service continuity framework. In addition, the second and third lines of defence failed, independently, to address and escalate the IT service continuity risks to which BOI was exposed.

Ultimately, these internal control failings resulted in deficiencies in the Firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the Firm’s reliance on IT was significantly increasing year on year, in common with the sector.

In 2015 the Firm initiated steps to address the deficiencies in both its IT service continuity framework and associated internal controls. The Central Bank acknowledges that the steps taken by the Firm have resulted in an overall improvement in its IT service continuity framework and internal controls. Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks.

PRESCRIBED CONTRAVENTIONS
The Central Bank’s investigation identified five breaches relating to the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) (the 1992 Regulations) and European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (the Capital Requirements Regulations) as set out below.

Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
From June 2008 to April 2019, the Firm breached Regulation 16(4)(b) of the 1992 Regulations and Regulation 73(3) of the Capital Requirements Regulations by failing to have in place contingency and business continuity plans with regard to IT service continuity to ensure the Firm’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. In particular:

• The Firm failed to define its critical services4 or put in place IT runbooks.5
• It was unlikely that the Firm would have been able to successfully failover6 a critical service to a secondary site (in the event a serious incident occurring) within an acceptable timeframe.
• The Firm did not undertake adequate full end-to-end IT service continuity testing.7

Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
From June 2008 to April 2019 the Firm breached Regulation 16(3) (b) and (c) of the 1992 Regulations and Regulation 61(1) (b) and (c) of the Capital Requirements Regulations by failing to have in place and maintain robust governance arrangements including:

• effective processes to identify, manage, monitor and report IT service continuity risks the Firm was exposed to; and
• adequate internal control mechanisms concerning IT service continuity.

These governance failings led to the Firm’s failure to address the IT service continuity deficiencies as set out in Contravention 1.

The Firm failed to have in place and maintain effective governance arrangements through its three lines of defence model regarding IT service continuity. As a result, deficiencies in the Firm’s IT service continuity framework were identified by third party reports prepared for the Firm but were not managed, escalated and appropriately dealt with by the Firm. This demonstrates a recurring failure that is indicative of poor internal controls and demonstrates an overall failure of the Firm’s three lines of defence model with regard to its IT service continuity framework, which arose due to the following:

• First Line of Defence

The first line of defence (the Firm’s central IT unit responsible for IT service continuity) failed to (i) have in place effective risk management practices and processes, (ii) have in place an effective risk register, and (iii) manage and escalate findings from third party reports.

• Second Line of Defence

The second line of defence failed to provide robust oversight and challenge of the first line of defence. The second line of defence failed to ensure that the first line of defence was adequately identifying, managing and escalating risks. Furthermore, the second line of defence failed to independently (of the first line) manage or monitor IT service continuity risks to which the Firm was exposed.

• Third Line of Defence

The third line of defence failed to understand the gravity of the key IT service continuity risks within the Firm from 2008 to 2015. Additionally the third line of defence failed to provide robust oversight and challenge of the Firm’s first and second lines of defence in relation to the risk management of IT service continuity.

Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
From June 2008 to April 2019 the Firm breached Regulation 16(3)(a) of the 1992 Regulations and Regulation 61(1)(a) of the Capital Requirements Regulations by failing to have in place a clear organisational structure with well-defined, transparent and consistent lines of responsibility in relation to IT service continuity.

In this case, the first line business units were siloed, which resulted in an uncoordinated approach to IT service continuity with no consistent processes or procedures in place for managing and reporting IT service continuity requirements and risks. In addition, there was no well-defined, transparent and consistent second line function with responsibility for overseeing and challenging IT service continuity requirements and risks across the Firm to ensure that they were being adequately managed.

The first line unit responsible for IT service continuity was identifying risks, however, due to the siloed nature of this unit, stakeholders within the Firm had limited or no visibility of these IT service continuity risks. This had the effect of excluding key stakeholders in the Firm from involvement in the assessment of prioritisation decisions regarding IT service continuity, which is a key area of operational risk.

Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
From June 2008 to December 2019 the Firm breached Regulation 16(4)(a) of the 1992 Regulations and Regulation 61(3)(a) of the Capital Requirements Regulations by failing to adequately develop a clear understanding of the roles, responsibilities, accountabilities and interdependencies between different third party IT service providers.

Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.
The Firm breached Regulation 64(13) of the Capital Requirements Regulations, from 31 March 2014 (when the requirement was introduced) until Q4 2015, by its failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation in respect of IT service continuity, which was a key area of operational risk. Specifically, the findings of third party reports which identified deficiencies with IT service continuity were not made available to the Firm’s management body.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure 2018 and the ASP Sanctions Guidance November 2019.  It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions and the size of the Firm’s operations. The Central Bank also had regard to the need for deterrence. The following particular factors are highlighted in this case:

The Nature, Seriousness and Impact of the Contravention
Duration and frequency of the contravention

• The Firm failed to have an adequate IT service continuity framework and associated internal controls in place over a sustained period from 2008 to 2019, despite the repeated reporting of these IT service continuity framework deficiencies by third parties from 2008 to 2015.

​Serious or systemic weakness of the management systems or internal controls relating to all or part of the business

• The investigation found serious weaknesses in: IT service continuity plans; internal controls; organisational structures and consistent lines of responsibility; appropriate management of the Firm’s third party IT vendors concerning IT service continuity; and reporting to management body of IT service continuity risks.

​

​The impact or potential impact of the contraventions

• IT underpins the delivery of services across the entirety of the Firm’s business operations. In the event of a significant IT disruption, the Firm could potentially have been exposed to significant risk and potentially have been unable to continue to provide critical services, such as payments. This could have caused serious financial and reputational damage to both the Firm and the wider financial system.

​The loss or detriment or risk of loss or detriment caused to consumers or other market users

• While no detriment arose in this case, had a significant IT failure or prolonged outage occurred, given the increasing dependence on online banking, this could have had a very serious impact and could have resulted in customers being denied access to the basic banking services they needed on a day to day basis.

The extent to which the contravention departs from the required standard

• The contraventions represented a serious departure from the required standards expected of the Firm to ensure that in the event of a significant IT incident the Firm could ensure continuity of critical services.

The Conduct of the Regulated Entity after the Contravention
Mitigating:
The following two mitigating factors, indicative of exemplary co-operation and self-reporting on behalf of the Firm, applied in this case:

• the regulated entity proactively and voluntarily provides the Central Bank with the output of any pre-existing internal investigation and/or third party review;
• there has been identification of other contraventions by the regulated entity.

The investigation found that, following concerns that had been raised by its Internal Audit in 2015 about deficiencies in BOI’s IT service continuity framework, BOI commissioned an internal investigation in 2016 (completed in 2017) into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report:

1. was proactively and voluntarily provided to the ECB;
2. identified a number of risk management and internal control failings in respect of BOI’s IT service continuity; and
3. identified a number of additional contraventions relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

This assisted the Central Bank’s investigation, facilitated the review of documentation, and reduced the time and resources required to complete the investigation.

The Previous Record of the Regulated Entity

Aggravating:

• The Firm has been the subject of four prior enforcement actions.

​
​Other Considerations

• The need to have an appropriate deterrent impact on the Firm and other regulated entities.This enforcement action against the Firm is now concluded.

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.

2. This is the Central Bank’s 145th settlement under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €191 million.

3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.

4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link.

5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure 2018 and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.

6. In accordance with the SSM, the Firm became subject to direct supervision in prudential matters by the ECB as of 4 November 2014.

7. The European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) were in force between 1 January 1993 to 31 March 2014; a copy can be found here: link.

​These were repealed and replaced by the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) which are here: link.

8. On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link.

9. The Firm has been the subject of four previous settlement agreements with the Central Bank, as follows:        

• 2012: Breaches of the Assets Covered Securities Act 2001 and Regulation 16 of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992.
• 2016: Breaches of the Consumer Protection Code 2012.
• 2017: Breaches for non-compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
• 2020: Breaches of European Communities (Markets in Financial Instruments) Regulations 2007.

Footnotes
1 Breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended)) and the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014).

2 The Firm became subject to direct supervision in prudential matters by the European Central Bank as of 4 November 2014.
3 Pursuant to Articles 4(1) and 18(5) of the SSM Regulation (Council Regulation (EU) No 1024/2013).

4 Critical services are business services that provide a substantial banking or operational activity and are of such importance that any weakness or failure in the provision of these activities could have a significant impact on BOI’s ability to meet its regulatory and legal obligations and/or control over, or continuity of, its services and activities. They could also adversely impact on BOI’s ability to manage risks related to these activities.

5 A runbook describes how the Firm would continue to provide a service should an incident arise. A runbook would also contain procedures to begin, stop, supervise, test and restart a service/system.

6 Failover is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.

7 End-to-end testing refers to a software testing method that involves testing an application's workflow from beginning to end.

The Cross Industry Guidance on Operational Resilience is built around three pillars of Operational Resilience:

1. Identify and Prepare
2. Respond and Adapt
3. Recover and Learn
   

​
​These three pillars support a holistic approach to the management of operational resilience and related risks and create a feedback loop that fosters the perpetual embedding of lessons learned into a firm’s preparation for operational disruptions.

LinkedIN post at https://www.linkedin.com/posts/peteroakes_operationalresilience-activity-6872218356611723266-rib5

UPDATE 22/04/2022: If below below on suitability requirements is of interest, then you should also look at our post of 22 April 2022 on the Central Bank's review findings on issues in marketing of complex investment products.

This is around minutes 55-57 (around 2:25pm-2:27pm) at ​https://media.heanet.ie/page/0382d466362a4d90b07d8e7d7f27fdd9

Big news today - well big news if you are interested in central banking and digital currencies - with release of the #mBridge project report on the Multi-CBDC prototype which the Bank for International Settlements says has potential for reducing costs and speeding up cross-border payments.

In summary, the mBridge kicked off as an initial experimentation from the Hong Kong and Thailand central banks. The Bank of Thailand and the Hong Kong Monetary Authority (HKMA) were joined by the Digital Currency Institute of the People's Bank of China and the Central Bank of The UAE.

The BIS Innovation Hub found the platform to be an alternative to complexities and inefficiencies of the correspondent banking system and an enabler for the joining up national digital currencies in common interoperable platforms - all performed on a 'clean slate' - an attractive proposition of technology for central banks.

In the words of Benoît Cœuré, Head of the BIS Innovation Hub "The prototype is part of our efforts to design CBDC technology. The project includes experimenting with use cases and trials, balanced with analysis of governance, policy and legal considerations with a focus on cross-border use."

The report is about a prototype of multiple Central Bank Digital Currencies (known as 'mCBDCs') developed by the BIS Innovation Hub and the four central banks.  The report finds demonstrable evidence for the potential of using digital currencies and distributed ledger technology (DLT) to deliver real-time, cheaper and safer cross-border payments and settlements under the mBridge project.
​
The common prototype platform for mCBDC settlements was able to complete international transfers and foreign exchange operations in seconds, as opposed to the several days normally required for any transaction to be completed using the existing network of commercial banks and operate in a 24/7 basis. The cost of such operations to users can also be reduced by up to half, according to the report.

Read more here:

• ​Inthonon-LionRock to mBridge (Building a multi CBDC platform for international payments) - September 2021 
• BIS Press Release
• m-CBDC Project Page 

Using an image with a colour scheme reminiscent of a nearby overseas regulator with a similar senior executive regime, Ireland's Minister of Finance, Paschal Donohoe, has announced that today (27 July 2021) he has received agreement from Cabinet to approve the drafting of the Central Bank (Individual Accountability Framework) Bill, the main purpose of which is to improve accountability in the financial sector.

​What does this mean for regulated firms and individuals particularly senior executives? Read below where you can download both the (i) General Scheme - Central Bank (Individual Accountability Framework) Bill and (ii) Regulatory Impact Assessment - Central Bank (Individual Accountability Framework) Bill.

​If you need to know more, contact the team at CompliReg via the details here.

We will soon be announcing details of our S.E.A.R Hub website.  To find out more, follow Peter Oakes and CompliReg on Linkedin.

There are four main aspects to the proposed Heads along with necessary technical changes to existing legal processes. All of these make up the Individual Accountability Framework.
This draft legislation provides for:

1. The introduction of a Senior Executive Accountability Regime (SEAR), which places obligations on firms and senior individuals within them to set out clearly where responsibility and decision-making lies.

SEAR will apply to those in management roles within:

• Credit institutions (excluding credit unions);
• Insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and Insurance Special Purpose Vehicles);
• Investment firms which underwrite on a firm commitment basis and/or deal on own account and/or are authorised to hold client monies/assets; and
• Third country branches of the above.

2. The introduction of:

a. Common conduct standards to apply to all persons in controlled function roles;
b. Additional conduct standards for individuals in senior positions; and
c. Business conduct standards for all regulated firms in the financial sector.
The introduction of these conduct standards will give the Central Bank powers to set and impose binding and enforceable obligations on all Regulated Financial Service Providers (RFSPs) and individuals working within them with respect to expected standards of conduct.

3. Enhancements to the Fitness & Probity Regime to ensure the effective operation of and ability of the regime to support the Individual Accountability Framework and the conduct standards for individuals and firms.

4. Breaking the “Participation Link”, which addresses the known deficiency in the legislation which requires the Central Bank to first prove a contravention of financial services legislation against an RFSP before it can take action against an individual.

Sanctions to apply under the Central Bank’s Administrative Sanctions Procedure for breaches of SEAR or Conduct Standards; and Technical amendments to improve existing legislation and clarify certain statutory processes.

The additional powers that will be provided to the Central Bank are significant and, in drafting these Heads, care has been taken to adopt the correct balance between these powers and the protection of individuals’ constitutional rights.

SEAR’s focus is on preventing misbehaviour or mismanagement by senior management. By requiring individual accountability from senior management, supported by enforcement powers, there is an incentive for senior management to comply with financial services law. SEAR also fulfils the purpose of incentivising and assisting regulated firms in strengthening their internal processes through management responsibility maps and clarification of senior management responsibilities.

The adoption of conduct standards across all regulated financial service providers sets out the standards expected of relevant individuals who work in such firms. Given that more junior staff will be in scope of the common conduct standards being introduced, there is a range of safeguards included, so that staff will be aware of what is expected of them.

Ultimately a key challenge will be the rebuilding of trust in the financial sector. The rebuilding of trust will require ongoing cultural and practical change in the banking sector and throughout the financial services industry. The Central Bank (Individual Accountability Framework) Bill will make a significant contribution to bringing about this needed cultural change.
​
It is anticipated that the introduction of the Framework will mean that:

• Customers will benefit from financial service providers that are fully accountable for the level of service and advice they provide;
• Employees of financial institutions will benefit from having greater clarity as to their exact roles and responsibilities and will be empowered to speak up when they see failings;
• Firms and their shareholders will benefit through the creation of real accountability for senior executives; and
• The wider economy and society will benefit from a more stable financial system by reducing the ability of senior decision makers to make risky decisions for which they will be unaccountable and will pay no cost.

Next steps
The Minister for Finance will write to the Chair of the Committee on Finance, Public Expenditure and Reform and the Taoiseach regarding pre-legislative scrutiny. Officials will engage with the Office of the Parliamentary Counsel to the Government to begin drafting the legislation on the basis of the General Scheme published today.

General Scheme - Central Bank (Individual Accountability Framework) Bill

Regulatory Impact Assessment - Central Bank (Individual Accountability Framework) Bill

Coinciding with Minister Donohue's announcement, the Central Bank of Ireland released a statement today (27 July 2021) saying:

"The Central Bank of Ireland welcomes today’s publication of the General Scheme of the Central Bank (Individual Accountability Framework) Bill 2021 by the Department of Finance.
The Central Bank has been actively engaged with the Department of Finance on these proposals and will continue to work with the Department of Finance throughout subsequent stages as the legislation progresses through the Oireachtas to enactment.

Experience has shown that in order for a regulatory framework to work well, it should stimulate strong and effective governance within firms. To achieve this:

• the allocation of responsibilities within firms needs to be transparent, clear and comprehensive; and
• individuals need to know what they are responsible and accountable for, be clear what standards of behaviour are expected of them, and recognise that where their actions fall short of expected standards, they will be held accountable.

​The following four key components of the Individual Accountability Framework (IAF), proposed in the Central Bank’s Behaviour and Culture Report into Irish Retail Banks, set out to achieve these behavioural, cultural and regulatory objectives:

• The Senior Executive Accountability Regime will require firms to set out clearly and comprehensively where responsibility and decision-making lie in order to achieve transparency as to who is accountable for what within firms.
• The enforceable Conduct Standards set out the behaviour expected of firms and their staff, including obligations to conduct themselves with honesty and integrity, to act with due skill, care and diligence, and in the best interest of consumers.
• The Central Bank’s Fitness & Probity Regime will be enhanced and will place a greater onus on firms to proactively certify that certain staff are fit and proper and capable of performing their roles with integrity and competence.
• The Central Bank’s Administrative Sanctions Procedure will be strengthened to ensure that individuals can be pursued directly for their misconduct rather than only where they have participated in a firm’s wrongdoing. The reforms will also provide for greater process efficiency, clarity and administrative consistency to all involved, including those who may be the subject of enforcement action. A continued focus by the Central Bank on proportionality and fair procedures is a key theme of its IAF proposals.

The various separate aspects of the IAF complement each other to achieve the ultimate goals of better outcomes for consumers and a more sustainable financial system by driving higher standards of behaviour for individuals in financial services firms.

The IAF is ultimately about incentivising positive behaviours and promoting an improved culture within firms while strengthening the Central Bank’s enforcement toolkit, particularly with respect to individuals, to allow the Central Bank to more effectively hold to account those that fall below the expected standards.

Once the Bill has been enacted the Central Bank intends to publicly consult on the implementation of the IAF."