• Home
  • About
    • Fintech Family
  • Authorisations
    • CASP (MiCAR)
    • Buying & Selling
    • Payments & Emoney >
      • Support Material
  • Crowdfunding
  • Services
    • Regulatory Licences
    • Interim Solutions
    • Training
  • Brexit
    • Brexit Updates
  • Blogs & Insights
  • News
  • Team
  • Contact
  • Fintech Ireland
  • Client Login
CompliReg

Blogs & Insights

    Author

    Peter Oakes is an experienced anti-financial crime, fintech and board director professional.

    He has served in senior roles at central banks (Ireland & Saudi Arabia) and financial regulators (UK and Australia).

    Peter is an experienced board director of regulated finserv & fintech firms and advisor to regtech firms.


Central Bank reviews identify issues in marketing of complex investment products

22/4/2022

 
CompliReg is a leading provider of consultancy services to MiFID, Payments and Emoney firms. Our founder, Peter Oakes, is an independent non-executive director of two Central Bank regulated MiFID firms, an emoney firm and a payments firm. Peter is a member of the Audit, Risk, Nomination, Remuneration and Internal Audit Committees of a number of firms. Read more about Peter's NED services and CompliReg's services.
If the post below on the marketing of complex investment products is of interest, you should also look at our post of 1 December 2021 on the Central Bank's review findings on firms providing investment services. The Central Bank found that there is a need to improve suitability assessments.

Central Bank reviews identify issues in marketing of complex investment products
  • Retail investment market shifting towards increasingly complex products.
  • Review identified a number of poor practices and weaknesses in firms, which increase risks to investors.
  • Firms required to take specific actions to ensure investors are protected.
 
The Central Bank of Ireland has written to MiFID investment firms, outlining the findings from a series of targeted reviews of Structured Retail Products (SRPs). These reviews examined SRPs manufactured and distributed by investment firms in the MiFID investment sector. A number of areas were identified where further action is needed by firms to ensure their governance and oversight of SRPs keeps pace with an increasingly complex retail investment market, so that investors are appropriately protected.
 
The reviews found a number of poor practices and weaknesses in firms’ processes, which increase risks to investors. This includes failure by firms to consider potential difficulties investors may have in understanding the complex features involved in some SRPs; failing to present past performance information in a fair and balanced manner; and not including prominent capital at risk warnings in marketing materials.
 
Director of Consumer Protection, Colm Kincaid, said: “The retail investment market is changing rapidly, with an increasing shift away from traditional, capital protected products to more complex, capital at risk products. As complexity increases, so too do the risks to investors and the responsibilities regulated firms have to protect those investors’ best interests. Our recently published Outlook Report highlighted a number of risks for consumers from changing business practices and ineffective disclosures on investment products, as well as what we expect regulated firms to do to deal with those risks. The work we are publishing today builds on that Report.
 
“We carried out these reviews because we want to see that regulated firms meet high standards in how they design, manufacture and distribute complex investment products to retail investors. In particular, we want to see that complex investment products are designed with real investment needs in mind, that they are targeted only at investors with those needs and that the risks are properly explained. We are requiring firms to take action to improve their performance on each of these fronts, as well as highlighting good practices which we want to see emulated across the sector.”
 
The letter requires regulated firms to take action to identify a sufficiently granular target market for SRPs and to drive improvements in the quality and transparency of disclosures to investors of the risks relating to these products. In particular:

  • Given the increasingly complex nature of SRPs, it is essential that the assessment of the target market is done in a proportionate manner, one that considers the nature and complexity of the product. The more complex the SRP, the more onerous and granular the target market assessment must be.
  • Where complex features are proposed, firms must consider if they are appropriate for the retail market and whether they are likely to be understood by the target market. The approval of the use of such features should be subject to robust governance and challenge to ensure they are justified and in clients’ best interests and this should be clearly documented.
  • Where past performance (back-testing) information is presented, it must be fair and balanced, supported by clear narrative and context, and must not diminish the potential likelihood of capital loss. Care must be taken to avoid presenting an overly-optimistic or unbalanced picture of the likely investor outcomes.
  • Capital at Risk warnings must be in a prominent location in all marketing communications and advertisements.
  • In the case of complex products such as SRPs, special care is needed when designing and presenting marketing information to ensure that individual statements, as well as the tone and overall content when read together, remain clear, fair and not misleading. In particular, care must be taken to avoid presenting an overly-optimistic or unbalanced picture of the likely investor outcomes.
  • The risk that a product may be restructured must be disclosed to clients prior to sale.
 
The Central Bank expects firms to adhere to high standards of investor protection, acting in the best interests of investors at all times. We continue to monitor developments in the retail investment market, and the findings of these reviews and the expectations set out in today’s letter will be considered as part of future supervisory engagements.
 
ENDS
Notes to Editors
  • The Markets in Financial Instruments Directive (MiFID II) governs the provision of investment services in financial instruments. It applies to investment firms, wealth managers, broker dealers, product manufacturers, and credit institutions authorised to carry out MiFID activities.
  • MiFID II Regulation 32(1) requires firms that manufacture financial instruments to ensure those instruments are designed to meet the needs of an identified target market of end clients.
  • MiFID II Regulation 32(3) requires firms to ensure that all information addressed to clients is fair, clear and not misleading.
  • MiFID II Regulation 32(6) requires firms to ensure that information on financial instruments includes appropriate warnings of the risks associated with investing in those instruments.
  • MiFID II Commission Delegated Regulation Article 48 (1) requires that, where providing clients with information about financial instruments, firms should include information regarding the functioning and performance in different market conditions, including both positive and negative conditions.

Source: Central Bank of Ireland, 22 April 2022

First Irish Funds to invest in CRYPTOASSETS

15/4/2022

 
This blog is by Peter Oakes, Founder of Fintech Ireland and CompliReg. Peter qualified as a lawyer in Australia, the UK and Ireland. He is a director of a number of regulated innovative fintechs and an adviser to fintech and crypto firms and their professional service providers. Contact him here and follow him on Linkedin and Twitter (Fintech Ireland Twitter).

A summary of this material appears on Linkedin here.
The first Irish regulated funds to take exposure to crypto-assets have been approved by the Central Bank of Ireland (CBI).

The funds, both Qualifying Investor AIFs (QIAIF), will obtain indirect exposure to Bitcoin by acquiring cash-settled Bitcoin Futures traded on the Chicago Mercantile Exchange (CME). Before you get too excited looking to buy some of the digital asset via the QIAIFs, note that this channel of exposure is RESTRICTED TO PROFESSIONAL INVESTORS. [NB: As recently as March 2022 the Central Bank issued a warning on the risks of investing in crypto assets.] We have provided further details about the regulatory crypto investing landscape in Ireland under 'Further Reading' below.
 
Last month the CBI informed industry bodies that it had approved in principle at least one QIAIF with a low level of exposure to cash settled Bitcoin futures traded on the CME.
 
The two unnamed QIAIFs are the first such funds approved by the CBI to provide indirect crypto exposure.
 
If you want an existing QIAIF, or a new QIAIF you wish to establish, to obtain exposure to crypto assets, get in touch (details above). I am asked on a regular basis by institutional investors and professional investors how they can get exposure to cryptocurrencies and other digital assets via regulated products. Unless you are able to gain direct exposure via a virtual asset service provider (VASP), the Irish QIAIF model (non-UCITS) might be your avenue. Note however that the CBI has said it is highly unlikely to approve a UCITS proposing any exposure (either direct or indirect) to crypto assets. Thus retail investors wanting crypto exposure in Ireland need to turn to VASPs/Exchanges direct.

Through Fintech Ireland, CompliReg and the industry experts network, we know the lawyers, ManCos and depositories / custodians who can assist institutional/professional firms and fund promoters looking to gain exposure to the crypto markets. Further, if you are seeking registration as a virtual asset service provider or authorisation as a MiFID firm, emoney institution or payments institution to provide services to institutional, professional and retail clients, check out our Authorisation Page.

Further reading:
  • ID1145 - Central Bank of Ireland 44th Edition (20 December 2021) of the Central Bank AIFMD Q&A

Question. Can a RIAIF or a QIAIF invest either directly or indirectly in crypto-assets?

Answer. Crypto-assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. However, the nature and characteristics of crypto-assets vary considerably. For example, crypto-assets that are tokenised traditional assets (whose value is linked to an underlying traditional asset or a pool of traditional assets (such as financial instruments or commodities)) may have a different risk profile when compared to other crypto-assets that are based on an intangible or non-traditional underlying. For the purposes of this Q&A “crypto-asset” is used to refer to the latter type of crypto-asset. The Central Bank must be satisfied that direct or indirect exposure to crypto-assets is capable of being appropriately risk managed. As of the date of publication of this Q&A, the Central Bank has not seen information which would satisfy it that direct or indirect exposure to crypto-assets is capable of being appropriately risk managed. Though crypto-assets do not all have uniform characteristics, the Central Bank has noted that they can present significant risks, including liquidity risk; credit risk; market risk; operational risk (including fraud and cyber risks); money laundering / terrorist financing risk; and legal and reputation risks. Taking into account the specific risks attached to crypto-assets and the potential that retail investors will not be able to appropriately assess the risks of making an investment in a fund which gives such exposures, the Central Bank is highly unlikely to approve a RIAIF proposing any exposure (either direct or indirect) to crypto assets. In the case of a QIAIF seeking to gain exposure to crypto-assets, the relevant QIAIF would need to make a submission to the Central Bank outlining how the risks associated with such exposures could be managed effectively by the AIFM.
The Central Bank’s approach in relation to crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future.


  • ID 1100 - Central Bank of Ireland 36th edition (20 December 2021) of the Central Bank UCITS Q&A

Question. Can a UCITS invest either directly or indirectly in crypto-assets?

Answer. Crypto-assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. However, the nature and characteristics of crypto-assets vary considerably. For example, crypto-assets that are tokenised traditional assets (whose value is linked to an underlying traditional asset or a pool of traditional assets (such as financial instruments or commodities)) may have a different risk profile when compared to other crypto-assets that are based on an intangible or non-traditional underlying. For the purposes of this Q&A “crypto-asset” is used to refer to the latter type of crypto-asset. The Central Bank must be satisfied that assets in which a UCITS invests are capable of meeting the eligible asset criteria for UCITS and that indirect exposure to the assets is capable of being appropriately risk managed. As of the date of publication of this Q&A, the Central Bank has not seen information which would satisfy it that crypto-assets are capable of meeting the eligible asset criteria for UCITS or that indirect exposure to crypto-assets is capable of being appropriately risk managed. Though crypto-assets do not all have uniform characteristics, the Central Bank has noted that they can present significant risks, including liquidity risk; credit risk; market risk; operational risk (including fraud and cyber risks); money laundering / terrorist financing risk; and legal and reputation risks. Taking into account the specific risks attached to crypto-assets and the potential that retail investors will not be able to appropriately assess the risks of making an investment in a fund which gives such exposures, the Central Bank is highly unlikely to approve a UCITS proposing any exposure (either direct or indirect) to crypto assets. 
The Central Bank’s approach in relation to crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future. 


  • Central Bank of Ireland Warning (22 March 2022)
The Central Bank again emphasised that crypto assets are highly risky and speculative, and may not be suitable for retail customers. In particular people need to be alert to the risks of misleading advertisements, particularly on social media, where influencers are being paid to advertise crypto assets.  The Central Bank has published a plain English explainer for consumers on cryptocurrencies.

  • European Supervisory Authorities (EBA, ESMA and EIOPA) Warning (17 March 2022)
The ESAs warned consumers that many crypto-assets are highly risky and speculative. The ESAs set out key steps consumers can take to ensure they make informed decisions.

Bank of Ireland fined €24.5mn by Central Bank of Ireland for IT service continuity framework and internal controls failings

2/12/2021

 
Bank of Ireland (BOI) cops a €24.5mn fine over its information technology service continuity failings, the Central Bank of Ireland noting that "the impact of these breaches meant that had [note: “HAD” not 'did have'] a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services."
 
Today’s announcement by the Central Bank of Ireland (CBI) falls in the week the CBI published its ‘Operational Resilience Finalised Guidance Paper’ arising from CP140 - Cross Industry Guidance on Operational Resilience.
 
Speaking of timing, last week there was a well-publicised outage at Revolut, which is seeking authorisation in Ireland as an emoney firm and, as previously raised by its founder, potentially a bank/credit institution authorisation in Ireland. It holds bank and emoney authorisations in Lithuania.

The case is well worth a read by all regulated financial technology (#fintech) firms focused on emoney and payments, and not just banks, operating in Ireland. In particular, the statement should be read and digested by the large pipeline of emoney and payment services applicants.
 
A number of points to call out include:
  • “Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy,” says the CBI. As noted above, the CBI is due to publish its Operational Resilience Finalised Guidance Paper;
  • The significance of the fine and the duration of the breaches make one wonder whether, under a SEAR regime, individuals might be in the cross-hairs. And perhaps they may be under the current Administrative Sanctions Procedure relating to a person or persons concerned in the management of a prescribed offence. If you think that is unlikely, then consider the fact that the CBI is pursuing, via an Inquiry, a person formerly concerned in the management of permanent tsb plc. Joe Brennan of the Irish Times reported on 10 November 2021 that the person concerned (in that case) is a former chief executive of permanent tsb; [see also SEARHub]
  • The CBI found there were failings in the oft touted ‘Three Lines of Defence’ at each line of defence in relation to the bank’s IT service continuity;
  • BOI failed to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
  • BOI failed to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
  • BOI failed to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.
 
BOI admitted five contraventions occurring between 2008 and 2019 – quite an extended period.
  • Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
  • Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
  • Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
  • Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
  • Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.

Being an INED of several regulated fintechs and financial services firms in Ireland, I thought this point in the publicity statement by the CBI was worth noting.
  • "Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks."

Read the statement issued by the Central Bank of Ireland on 2nd December 2021 below.

Posted by Peter Oakes, CompliReg.

Linkedin Post at https://www.linkedin.com/feed/update/urn:li:activity:6872160483626029056/

Statement issued by the Central Bank of Ireland on 2nd December 2021
On 30 November 2021, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (the Firm or BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the Firm and its customers in the event of a significant IT disruption. These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by the Firm to address the deficiencies were completed by 2019.

The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP.

The Firm has admitted five contraventions[1] occurring between 2008 and 2019 including:
  • The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
  • The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
  • The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said “Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.

"Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.
"From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.

"The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.
"This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

BACKGROUND
BOI is authorised to carry on banking business in Ireland as a credit institution under Section 9 of the Central Bank Act 1971. BOI is one of the largest banks in Ireland with 169 branches and over 2 million customers. Its principal activities consist of retail and commercial banking. BOI reported total operating income (net of insurance claims) for the year ended 31 December 2020 of €2,645 million.

The European Central Bank (the ECB) is the prudential supervisor of BOI and works closely with the Central Bank as part of the Single Supervisory Mechanism (SSM).[2]

Under the SSM, the ECB has the power to ask national banking regulators to investigate issues that it has identified, and to take enforcement action where this is merited.

In 2015, BOI’s Internal Audit raised concerns about deficiencies in BOI’s IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report (completed in October 2017), which was provided to the ECB, identified a number of risk management and internal control failings in respect of BOI’s IT service continuity. In addition, the report identified failings relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral[3] by the ECB in August 2018.

From 2008, BOI’s internal controls in relation to IT service continuity employed a three lines of defence model, whereby:
  • the first line of defence owns and manages the risks;
  • the second line of defence is responsible for oversight and challenge of the first line of defence and risk oversight; and
  • the third line of defence provides independent assurance.

The Central Bank’s investigation found that there were failings in each line of defence (as detailed further below). The failures in each line of defence culminated in an overall failure of this model in relation to the Firm’s IT service continuity framework.  This is most clearly demonstrated in circumstances where IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.

The Central Bank’s investigation found that BOI had in place second and third lines of defence which were meant to challenge and oversee the first line business unit responsible for IT service continuity. However, both the second and third lines of defence failed to ensure that the first line business unit was acting on the adverse findings of reports prepared by third parties, which had reviewed BOI’s IT service continuity framework. In addition, the second and third lines of defence failed, independently, to address and escalate the IT service continuity risks to which BOI was exposed.

Ultimately, these internal control failings resulted in deficiencies in the Firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the Firm’s reliance on IT was significantly increasing year on year, in common with the sector.

In 2015 the Firm initiated steps to address the deficiencies in both its IT service continuity framework and associated internal controls. The Central Bank acknowledges that the steps taken by the Firm have resulted in an overall improvement in its IT service continuity framework and internal controls. Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks.

PRESCRIBED CONTRAVENTIONS
The Central Bank’s investigation identified five breaches relating to the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) (the 1992 Regulations) and European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (the Capital Requirements Regulations) as set out below.

Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
From June 2008 to April 2019, the Firm breached Regulation 16(4)(b) of the 1992 Regulations and Regulation 73(3) of the Capital Requirements Regulations by failing to have in place contingency and business continuity plans with regard to IT service continuity to ensure the Firm’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. In particular:
  • The Firm failed to define its critical services[4] or put in place IT runbooks.[5]
  • It was unlikely that the Firm would have been able to successfully failover[6] a critical service to a secondary site (in the event of a serious incident occurring) within an acceptable timeframe.
  • The Firm did not undertake adequate full end-to-end IT service continuity testing.[7]

Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
From June 2008 to April 2019 the Firm breached Regulation 16(3) (b) and (c) of the 1992 Regulations and Regulation 61(1) (b) and (c) of the Capital Requirements Regulations by failing to have in place and maintain robust governance arrangements including:
  • effective processes to identify, manage, monitor and report IT service continuity risks the Firm was exposed to; and
  • adequate internal control mechanisms concerning IT service continuity.

These governance failings led to the Firm’s failure to address the IT service continuity deficiencies as set out in Contravention 1.


The Firm failed to have in place and maintain effective governance arrangements through its three lines of defence model regarding IT service continuity. As a result, deficiencies in the Firm’s IT service continuity framework were identified by third party reports prepared for the Firm but were not managed, escalated and appropriately dealt with by the Firm. This demonstrates a recurring failure that is indicative of poor internal controls and demonstrates an overall failure of the Firm’s three lines of defence model with regard to its IT service continuity framework, which arose due to the following:

  • First Line of Defence
The first line of defence (the Firm’s central IT unit responsible for IT service continuity) failed to (i) have in place effective risk management practices and processes, (ii) have in place an effective risk register, and (iii) manage and escalate findings from third party reports.

  • Second Line of Defence
The second line of defence failed to provide robust oversight and challenge of the first line of defence. The second line of defence failed to ensure that the first line of defence was adequately identifying, managing and escalating risks. Furthermore, the second line of defence failed to independently (of the first line) manage or monitor IT service continuity risks to which the Firm was exposed.

  • Third Line of Defence
The third line of defence failed to understand the gravity of the key IT service continuity risks within the Firm from 2008 to 2015. Additionally the third line of defence failed to provide robust oversight and challenge of the Firm’s first and second lines of defence in relation to the risk management of IT service continuity.

Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
From June 2008 to April 2019 the Firm breached Regulation 16(3)(a) of the 1992 Regulations and Regulation 61(1)(a) of the Capital Requirements Regulations by failing to have in place a clear organisational structure with well-defined, transparent and consistent lines of responsibility in relation to IT service continuity.

In this case, the first line business units were siloed, which resulted in an uncoordinated approach to IT service continuity with no consistent processes or procedures in place for managing and reporting IT service continuity requirements and risks. In addition, there was no well-defined, transparent and consistent second line function with responsibility for overseeing and challenging IT service continuity requirements and risks across the Firm to ensure that they were being adequately managed.

The first line unit responsible for IT service continuity was identifying risks, however, due to the siloed nature of this unit, stakeholders within the Firm had limited or no visibility of these IT service continuity risks. This had the effect of excluding key stakeholders in the Firm from involvement in the assessment of prioritisation decisions regarding IT service continuity, which is a key area of operational risk.

Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
From June 2008 to December 2019 the Firm breached Regulation 16(4)(a) of the 1992 Regulations and Regulation 61(3)(a) of the Capital Requirements Regulations by failing to adequately develop a clear understanding of the roles, responsibilities, accountabilities and interdependencies between different third party IT service providers.

Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.
The Firm breached Regulation 64(13) of the Capital Requirements Regulations, from 31 March 2014 (when the requirement was introduced) until Q4 2015, by its failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation in respect of IT service continuity, which was a key area of operational risk. Specifically, the findings of third party reports which identified deficiencies with IT service continuity were not made available to the Firm’s management body.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure 2018 and the ASP Sanctions Guidance November 2019.  It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions and the size of the Firm’s operations. The Central Bank also had regard to the need for deterrence. The following particular factors are highlighted in this case:

The Nature, Seriousness and Impact of the Contravention
Duration and frequency of the contravention
  • The Firm failed to have an adequate IT service continuity framework and associated internal controls in place over a sustained period from 2008 to 2019, despite the repeated reporting of these IT service continuity framework deficiencies by third parties from 2008 to 2015.

Serious or systemic weakness of the management systems or internal controls relating to all or part of the business
  • The investigation found serious weaknesses in: IT service continuity plans; internal controls; organisational structures and consistent lines of responsibility; appropriate management of the Firm’s third party IT vendors concerning IT service continuity; and reporting to management body of IT service continuity risks.

The impact or potential impact of the contraventions
  • IT underpins the delivery of services across the entirety of the Firm’s business operations. In the event of a significant IT disruption, the Firm could potentially have been exposed to significant risk and potentially have been unable to continue to provide critical services, such as payments. This could have caused serious financial and reputational damage to both the Firm and the wider financial system.

The loss or detriment or risk of loss or detriment caused to consumers or other market users
  • While no detriment arose in this case, had a significant IT failure or prolonged outage occurred, given the increasing dependence on online banking, this could have had a very serious impact and could have resulted in customers being denied access to the basic banking services they needed on a day to day basis.

The extent to which the contravention departs from the required standard
  • The contraventions represented a serious departure from the required standards expected of the Firm to ensure that in the event of a significant IT incident the Firm could ensure continuity of critical services.

The Conduct of the Regulated Entity after the Contravention
Mitigating:
The following two mitigating factors, indicative of exemplary co-operation and self-reporting on behalf of the Firm, applied in this case:
  • the regulated entity proactively and voluntarily provides the Central Bank with the output of any pre-existing internal investigation and/or third party review;
  • there has been identification of other contraventions by the regulated entity.


The investigation found that, following concerns that had been raised by its Internal Audit in 2015 about deficiencies in BOI’s IT service continuity framework, BOI commissioned an internal investigation in 2016 (completed in 2017) into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report:
  1. was proactively and voluntarily provided to the ECB;
  2. identified a number of risk management and internal control failings in respect of BOI’s IT service continuity; and
  3. identified a number of additional contraventions relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

This assisted the Central Bank’s investigation, facilitated the review of documentation, and reduced the time and resources required to complete the investigation.

The Previous Record of the Regulated Entity

Aggravating:
  • The Firm has been the subject of four prior enforcement actions.

Other Considerations
  • The need to have an appropriate deterrent impact on the Firm and other regulated entities.

This enforcement action against the Firm is now concluded.

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.

2. This is the Central Bank’s 145th settlement under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €191 million.

3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.

4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link.

5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure 2018 and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.

6. In accordance with the SSM, the Firm became subject to direct supervision in prudential matters by the ECB as of 4 November 2014.

7. The European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) were in force between 1 January 1993 to 31 March 2014; a copy can be found here: link.

These were repealed and replaced by the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) which are here: link.


8. On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link.

9. The Firm has been the subject of four previous settlement agreements with the Central Bank, as follows:
  • 2012: Breaches of the Assets Covered Securities Act 2001 and Regulation 16 of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992.
  • 2016: Breaches of the Consumer Protection Code 2012.
  • 2017: Breaches for non-compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
  • 2020: Breaches of European Communities (Markets in Financial Instruments) Regulations 2007.

Footnotes
[1] Breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) and the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014).

[2] The Firm became subject to direct supervision in prudential matters by the European Central Bank as of 4 November 2014.

[3] Pursuant to Articles 4(1) and 18(5) of the SSM Regulation (Council Regulation (EU) No 1024/2013).

[4] Critical services are business services that provide a substantial banking or operational activity and are of such importance that any weakness or failure in the provision of these activities could have a significant impact on BOI’s ability to meet its regulatory and legal obligations and/or control over, or continuity of, its services and activities. They could also adversely impact on BOI’s ability to manage risks related to these activities.

[5] A runbook describes how the Firm would continue to provide a service should an incident arise. A runbook would also contain procedures to begin, stop, supervise, test and restart a service/system.

[6] Failover is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.

[7] End-to-end testing refers to a software testing method that involves testing an application's workflow from beginning to end.

Central Bank review finds firms providing investment services need to improve suitability assessments

1/12/2021

CompliReg is a leading provider of consultancy services to MiFID, Payments and Emoney firms.  Our founder, Peter Oakes is an independent non-executive director of two Central Bank regulated MiFID firms, an emoney firm and a payments firm.  Peter is a member of the Audit, Risk, Nomination, Remuneration and Internal Audit Committees of a number of firms. Read more about his NED services and CompliReg's services.
UPDATE 22/04/2022: If the post below on suitability requirements is of interest, then you should also look at our post of 22 April 2022 on the Central Bank's review findings on issues in the marketing of complex investment products.

  • Review examined firms’ compliance with the suitability requirements under MiFID II
  • Review finds areas for improvement and firms need to adopt a more client-focused approach
  • Firms required by the Central Bank to review their processes and put action plan in place for improvements

The Central Bank of Ireland has published a Dear CEO letter outlining the findings of a review of investment firms’ compliance with the suitability requirements under MiFID II. The review was conducted as part of a Common Supervisory Action (CSA) coordinated by the European Securities and Markets Authority (ESMA).

The purpose of the review was to assess firms’ compliance with the suitability requirements under MiFID II by simultaneously conducting supervisory activities throughout the EU/EEA. The findings, which are highlighted in ESMA’s recent public statement, incorporate the findings from the Central Bank’s own supervisory analysis, and engagement with other National Competent Authorities (NCAs).
When providing investment advice and/or portfolio management, Firms are required to take all reasonable steps to ensure that a client’s investments align to their objectives and personal circumstances. This is a key measure to protect investors from the risk of purchasing unsuitable products.

The review identified evidence of positive practices, particularly where firms took a personalised and comprehensive approach to suitability assessments for their clients. However, it also identified instances where further action is required by firms. For example:
  • Firms need to take a more client focused approach, using tailored suitability assessments specific to their businesses and the needs and circumstances of their clients.
  • Firms must improve their assessment of clients’ knowledge and experience, financial situation and investment objectives, particularly information relating to clients’ financial situation and their capacity to withstand losses.
  • Firms must ensure suitability reports are sufficiently detailed and personalised to clients’ objectives and individual circumstances.
  • There is particular concern at the quality of firms’ oversight of cases where a client insists on proceeding with the transaction at their own initiative against the firm’s suitability advice. In such a case, clients should be clearly informed that the transaction is not considered by the firm to be suitable, including a clear explanation of the potential risks involved if the client proceeds.

The Central Bank will continue to engage with firms where specific supervisory actions have been imposed, which require firms to take specific action on foot of our findings.
In addition, the Central Bank is requiring all Irish authorised MiFID firms and credit institutions, who provide portfolio management and advisory services to retail clients, to conduct a thorough review of their individual sales practices and suitability arrangements. This review must be documented and must include details of actions taken to address findings in the ESMA public statement and this letter. This review should be completed, and an action plan discussed and approved by the board of each firm, by end of Q1 2022.

Director of Consumer Protection, Colm Kincaid, said: “Investing in an unsuitable investment product can lead to unexpected losses, which can have devastating consequences for individual investors and their families. Regulated firms play a key role in protecting consumers against this risk.

“However, the findings from this review show that regulated firms need to improve their performance when it comes to assessing the suitability of investment products they recommend or advise consumers to purchase. These assessments must be of high quality, based on a good understanding of the customer’s circumstances and capacity for financial loss, and properly documented.”

Source: Central Bank of Ireland, 01 December 2021

Non-Executive Directors and Time Commitments - SEAR & Central Bank of Ireland

3/11/2021

"On the whole, I agree with you that there is a limited amount of directorships that can be held with a job being well done."

Gerry Cross, Director of Financial Regulation Policy & Risk, Central Bank of Ireland - Oireachtas Committee, Wednesday 3 November 2021

This is around minutes 55-57 (around 2:25pm-2:27pm) at https://media.heanet.ie/page/0382d466362a4d90b07d8e7d7f27fdd9

EML faces lawsuit over Irish HQ issues - Australian law firm threatens class action in bid for compensation

13/6/2021

How much does an #antimoneylaundering governance investigation cost a #fintech?

We previously noted that Australian EML doesn't expect a #moneylaundering compliance investigation (no allegation of money laundering) into one of its recent Irish acquisitions (PFS Card Services Ireland Limited, acquired in a deal worth up to €216.9m) to exceed AUD 2 million / €1.27mn this Australian financial year, which ends 30 June. However, it cannot forecast the cost going into the next or subsequent years. See https://lnkd.in/eg2cm82 (see previous blogs here).

Well, it looks likely the costs may go higher if a class action by Shine Lawyers begins to bite, with the Aussie law firm looking for investors who bought shares between December 19, 2020, and May 17, 2021, to join its class action.

The law firm says:
  • “EML did not request a trading halt for almost four days after learning of these concerns and then took another 48 hours to inform the market,” says the Australian law firm.
  • “When shareholders invest their money into a company, they do so with the belief that that company will comply with its continuous disclosure obligations.
  • “Our claim will allege that EML failed in its obligations, significantly impacting share prices for thousands of investors.”

Read more by Sean Pollock at https://lnkd.in/efTj2dU

Linkedin Post - 
https://www.linkedin.com/posts/peteroakes_antimoneylaundering-fintech-moneylaundering-activity-6809752916379922432-wNal


EML Payments Money Laundering Governance Investigation to cost less than $2mn this financial year

10/6/2021

In my previous post on EML Payments (EML) (see here) we noted that EML had advised that its Irish regulated subsidiary, PFS Card Services (Ireland) Limited ('PCSIL'), had received correspondence from the Central Bank of Ireland ('CBI'), including a letter received on Friday 14 May 2021 (Australian time) raising significant regulatory concerns ('Correspondence'). The CBI's concerns relate to PCSIL's Anti-Money Laundering / Counter Terrorism Financing ('AML/CTF'), risk and control frameworks and governance. The Correspondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013.

A few days ago, EML provided the Australian Stock Exchange with a trading update.  The trading update also included its Quarter 3 FY2021 update in which EML confirmed:

"Current Status:

  • EML advised the market on 19 May 2021 that it had received correspondence from the CBI raising significant regulatory concerns (‘Section 45 Letter’). EML responded to the CBI's Section 45 Letter within the deadline on 27 May 2021.
  • EML remains in an ongoing dialogue with the CBI in relation to their concerns through substantial responses, data and access to our teams.
  • There is no statutory timeframe for the CBI to finalise its consideration of the matters.
  • A project governance structure has been established to assist our local team in Ireland, including a subcommittee of the EML Board, members of the EML executive team, external regulatory consultants and legal resources.

Communication:
  • We are working co-operatively with the CBI and its authorised officers.
  • Communications with the CBI are confidential and we will provide updates when appropriate.
  • EML is proactively communicating with, and providing information if and when requested to, other regulators in the regions where EML operates.

Business Impact:
  • We continue to focus on EML's strong pipeline of new customers and support our existing customers, yet we are aware that ongoing uncertainty is a risk and a challenge.
  • Immediate one-off costs incurred for legal (Arthur Cox) and professional advisory (PriceWaterhouseCoopers) fees are expected to be less than $2 million in FY21. In addition, we may see an impact of delayed program launches on establishment income and transaction fees which we cannot quantify at this time.
  • Financial impact for FY22 cannot be fully determined at this time."

Some observations:
  • This statement, and in particular the fees, relates to EML's current financial year, which ends on 30 June 2021; a new financial year (FY22) starts for the company in Australia on 1 July 2021. And, as we all know, CBI enquiries and investigations last for many years, so one could expect the 'less than $2 million' figure to go northwards.
  • There will be costs in terms of management time and that of Board involvement, as EML points out.
  • Furthermore, there is a potential loss of revenue from "an impact of delayed program launches on establishment income and transaction fees which we cannot quantify at this time."

Further reading - EML Payments Q3 FY21 Trading Update June 2021 (dated 7 June 2021)

Central Bank of Ireland's AML Risk Evaluation Questionnaire

9/6/2021

Received a letter from the Central Bank of Ireland's Anti-Money Laundering Division headed "AML Risk Evaluation Questionnaire (‘REQ’) Notification to [Name of Regulated Firm] (or ‘the firm’) to submit an REQ on an Annual Basis." last month, with a return date this month? If so, you are not alone.
The letter reminds firms that credit and financial institutions are required to have anti-money laundering (AML) and countering the financing of terrorism (CFT) preventive measures in place to ensure compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021, as well as reminding them of the obligation to comply with EU Council Regulations setting out financial sanctions (‘FS’) measures.

The CBI has established the REQ to seek information regarding individual firms’ exposure to Money Laundering / Terrorist Financing risks and also the AML/CFT compliance framework.

Firms are being informed to submit the REQ in the specified format via the CBI's Online Reporting System on an ANNUAL BASIS within the time period specified on ONR.

The CBI has informed firms that "for 2021, this deadline for the submission of the REQ return is 18 June 2021".

Not only is the form detailed, with a few possible ways of interpreting some of the questions (or at least their interaction with other questions), but, importantly, Boards of Directors should note the following:

i) Statement of Compliance: "... the REQ includes a statement to be signed by the firm confirming compliance with the firm’s AML/CFT/FS obligations. This statement if [sic] compliance should be signed and dated by a person who is duly authorised to do so by the Board (or equivalent). Ideally this person will have responsibility for AML/CFT/FS within the firm." NB this person doesn't need to be in a PCF role, but the CBI expect them to be of sufficient seniority within the firm to provide the confirmation sought.

ii) Record Retention: "A record of the person who signed the statement of compliance must be formally noted in the Board minutes (or equivalent) when it is brought forward for consideration. The original signed and dated hard copy of the statement of compliance and the accompanying REQ is required to be kept on file and made available for review by the Central Bank on request."

Need assistance with your risk assessment?  Get in contact with us at the details here.

Further reading:
Risk Evaluation Questionnaire ('REQ') Return

Building upon the obligations of credit and financial institutions under the CJA 2010, the Central Bank has developed a REQ in order to seek information regarding individual firms' exposure to ML / TF risks and also their AML / CFT compliance framework.

Firms selected by the Central Bank to submit an REQ are required to submit the REQ in the specified format, through the Central Bank's Online Reporting System ('ONR'), within the time period specified on ONR.

The minimum frequency that a firm will be required to submit an REQ is predicated on the level of ML/TF risk presented by the firm, either by virtue of its business model and/or the sector into which it falls (for further information on the frequency of submission please see the Table: AML/CFT Minimum Supervisory Engagement Model on the Central Bank AML / CFT Supervision Tab).
  • CBI's website - Risk-based approach to AML Supervision 
  • Risk-Evaluation-Questionnaire | xls 101 KB
  • REQ Guidance Materials | pdf 1126 KB

Linkedin Post:
https://www.linkedin.com/posts/peteroakes_antimoney-aml-cft-activity-6808437129467756546-vRba

EML Payments Trading Halt  - correspondence from the Central Bank of Ireland raising significant regulatory concerns

19/5/2021

The ASX Market Announcement says:

"EML PAYMENTS LIMITED (ASX: EML) ('EML') refers to its request for a trading halt dated 17 May 2021.

EML advises that its Irish regulated subsidiary, PFS Card Services (Ireland) Limited ('PCSIL'), has received correspondence from the Central Bank of Ireland ('CBI'), including a letter received on Friday 14 May 2021 (Australian time) raising significant regulatory concerns ('Correspondence'). The CBI is the relevant regulator in Ireland.

The CBI's concerns relate to PCSIL's Anti-Money Laundering / Counter Terrorism Financing ('AML/CTF'), risk and control frameworks and governance. The Correspondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013.

The Correspondence does not concern EML's Australian or North American operations, or the operations of PFS' UK subsidiary ('Prepaid Financial Services Limited' which is incorporated in England and regulated by the FCA), or EML's other Irish regulated subsidiary ('EML Money DAC')."

ASX Announcement in PDF and at source.

Dear CEO Letter - Thematic assessment of Algorithmic Trading Firms’ compliance with MIFID II (Central Bank of Ireland).

11/5/2021

The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings, and expected actions, following a Thematic Assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MiFID II.

1. Governance – Deficient control and risk management frameworks:

Varying levels of maturity were observed with respect to firms’ governance, control and risk management frameworks. Supervisors observed weaknesses with respect to:
  • i. The absence of formalised algorithm governance documentation;
  • ii. The lack of local entity autonomy evidenced through minimal Board involvement in the setting or challenging of the key controls and in the oversight of the development of trading algorithms;
  • iii. The absence of regular, formalised reporting to the Board in relation to algorithms; and
  • iv. The significant reliance placed on Group resources without an appropriate level of formalised Group reporting lines.

The Central Bank considers the maintenance of a robust algorithmic governance and oversight framework to be of paramount importance in enabling firms to identify, monitor and mitigate the risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part of its overall governance framework and decision-making framework, an investment firm should have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit.


2. Development and Testing - Lack of formal documentation with respect to development, testing and deployment processes:

Supervisors observed strong development, testing and deployment controls. However, significant disparities were identified between firms with respect to the level of detail pertaining to documentation on development, testing and deployment processes, most notably:
  • i. Firms were unable to provide sufficient detail with respect to their testing environments and how the parameters detailed in Article 5 of RTS 6 were embedded.
  • ii. There is a lack of adequate information in relation to testing environments used to assess the performance of algorithms including assurance that trading algorithms:
    • (ii) a. would not contribute to disorderly trading conditions;
    • (ii) b. can continue to work effectively in stressed market conditions; and,
    • (ii) c. where necessary under those conditions, can be disabled without contributing to disorderly trading.
  • iii. Where firms are part of larger groups, it was noted that strong reliance was placed on Group entities. While outsourcing the development of trading algorithms is permitted under MiFID II, the investment firms deploying trading algorithms must fully understand the development and testing processes and the subsequent controls required. Outsourcing arrangements must be supported by appropriate documentation at local entity level with respect to the development, testing and deployment processes, be subject to regular review by the appropriate control function and consider the parameters detailed in Article 5 of RTS 6.

3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence:
While it was evident that certain firms had appropriately skilled and resourced second lines of defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence model”. It is important that firms have a robust model in place, with clear delineation between each line i.e. the business, the risk management functions and the internal audit function. Supervisors observed:
  • i. A blurring of lines between the first line, where the operation and implementation of risk management occurs, and second line management of risk, responsible for oversight of risk management, creating concerns around independence and appropriate separation of duties;
  • ii. Within the second line, a lack of clarity between the roles and responsibilities of Risk and Compliance, in some instances, may increase the likelihood for risks to go unidentified or identified risks to go unaddressed;
  • iii. An absence of a formalised plan regarding the steps taken by the Head of Compliance or first line in the event that the kill switch has been activated; and
  • iv. As required under Article 9 of RTS 6, all firms are required to conduct annual self-assessments and produce subsequent validation reports. Supervisors observed three common areas not sufficiently addressed by the majority of firms within the self-assessment:
    • (iv) a. The adequacy of governance arrangements;
    • (iv) b. The lack of appropriate detail with respect to testing methodologies applied and testing environments used; and
    • (iv) c. A lack of clarity with regard to the third line of defence and the role of Internal Audit in the self-assessment and validation process. As per Article 9(3) of RTS 6, Internal Audit should play a key role in the oversight of the self-assessment and validation process to ensure that the governance and conclusions reached are valid.

4. Trade Lifecycle Management - Lack of appropriate documentation with respect to pre- and post-trade controls:
The presence of extensive pre- and post-trade controls was evident during this Thematic Review; however:
  • i. These were not formally reflected in the firms' policies and procedures, where supervisors identified a lack of adequate documentation regarding these controls and the calculation of the associated limits.
  • ii. Firms did not demonstrate appropriate compliance with Article 15 of RTS 6 with respect to the documentation of the application and usage of appropriate limits. This information must be formally documented within the firms' algorithmic governance documentation.

Firms must have in place appropriate pre and post-trade controls that are commensurate to the
nature, scale and complexity of the entity and ensure that these controls are appropriately
documented.

Actions
As a result of the findings of this thematic review, the Central Bank has engaged with the
investment firms where specific concerns have been identified, issuing risk mitigation programmes
to address these specific issues.

The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this letter, where applicable, and take all remedial action necessary to ensure that they have the appropriate control and oversight in place with respect to algorithmic trading and that the requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in conjunction with the joint ESMA and European Banking Authority ("EBA") Guidelines on the assessment of suitability of members of the management body and key function holders; the EBA Guidelines on internal governance; and the Central Bank's Outsourcing: Findings & Issues for Discussion.

The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks
arising from algorithmic trading and will have regard to the contents of this letter when conducting
future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with
the regulatory requirements associated with algorithmic trading, the Central Bank may, in the
course of future supervisory engagement, or when exercising its supervisory and/or enforcement
powers in respect of such non-compliance, have regard to the consideration given by a firm to the
matters raised in the letter. 

Background:

The Central Bank of Ireland ("Central Bank") undertook a thematic review to assess how firms undertaking algorithmic trading have incorporated within their risk management and control frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 ("RTS 6") supplementing Directive 2014/65/EU ("MIFID II"). The purpose of this letter is to provide background to our assessment, highlight the key findings of this review and outline the expectations of the Central Bank in relation to the governance, testing and controls surrounding algorithmic trading.

Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms, information technology ("IT") systems and processes. In recent years, a number of significant algorithmic trading failures have resulted in substantial losses, fines and reputational damage for firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to ensure that risk management and control frameworks in respect of algorithmic trading are appropriately embedded and are operating to a high standard. RTS 6 provides a framework to mitigate these and other risks through the requirement to maintain effective systems, procedures, arrangements and controls.

This thematic review focused on the five principal areas underpinned by the requirements set out
in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and
Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management.

The Central Bank noted many positive practices, including the presence of experienced, competent professionals across the first and second lines of defence, in addition to a comprehensive suite of controls in terms of monitoring, development, testing and deployment of trading algorithms. Notwithstanding this, supervisors also identified varying levels of maturity and a number of concerns across the governance, control and risk management frameworks of in-scope entities. A full list of the practices observed is noted in Appendix 1 of this letter. The key concerns arising from the review include:

  • i. An over-reliance on service providers with a lack of demonstrable autonomy at regulated entity level. This was evidenced through a distinct absence of entity Board oversight in setting or challenging the key controls and in the oversight of the development of trading algorithms.
  • ii. Insufficient formality with respect to key documentation. This was evidenced through a lack of appropriate documentation in relation to algorithmic trading controls and procedures. This speaks to this sector being at the early stages of maturity and also to the extent to which firms leverage Group documentation, where relevant, which creates a possibility that entity-specific risk may be overlooked.
  • iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate delineation between the "Three Lines of Defence". This is a consequence of a combination of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the non-specific nature of the arrangements for managing risks associated with algorithmic trading in certain firms.

These do not align with a comprehensive and effective implementation of the requirements set out in RTS 6.
© CompliReg.com   Dublin 2, Ireland  ph +353 1 639 2971 
|  www.complireg.com  |  officeATcomplireg.com [replace AT with @]
