|
Back to Blog
  Stephen Fletcher, Consultant, CompliReg Summary Virtual Asset Service Providers (VASPs) operating in Ireland now need to demonstrate that they are compliant with the provisions of the 5th Money Laundering Directive (AMLD5) which recently came into effect on Friday 23rd April 2021. Preceding that date CompliReg, together with Fintech Ireland, hosted a webinar for VASPs, e-money and payments firms. Details of that event here. Given the demand from the audience, CompliReg and Fintech Ireland are hosting another Roundtable on the topic on Thursday 6th May - ROUNDTABLE: So, you want to be a Virtual Asset Service Provider? Background AMLD5 aims to remove the anonymity from the process of providing virtual asset based services. This applies to any organisation which provides exchange services between fiat and virtual currencies, as well between virtual assets or custodian wallet providers; bringing them into the scope of the EU’s anti-money laundering and counter-terrorist financing (‘AML/CFT’) framework. The 2021 Act The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the "Act") amends the current Irish AML/CTF legislation, which started life a decade ago through the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended). New Definitions relating to Virtual Assets The Act contains the following new definitions:  Designated Persons
The Act brings VASPs within the meaning of "designated person" (equivalent to an "obliged entity" under EU anti-money laundering law). The relevant obligations (Relevant Obligations) of designated persons under the Irish AML regime can be summarised as follows:
Requirement to Register The Act requires that a person shall not carry-on business as a Virtual Asset Service Provider unless the person has successfully registered with the Central Bank of Ireland (Central Bank). This is a registration for AML/CFT purposes only. A firm currently authorised by the Central Bank under a different regime which is also acting as a Virtual Asset Service Provider will still be required to register as a VASP. Whilst there is a three-month transitional period for VASPs to conclude the registration process the Act, which commenced operation on Friday 23rd April (commencement date), other than section 8 of the Act which commenced on Saturday 24th April, applies as of the commencement date. This means that regardless of an existing VASP having three months to register, the VASP must comply with the Act on and from the commencement date. This means that VASPs availing of the transition period must comply on and from 23rd April with the Relevant Obligations listed above. The Act sets out the high-level details of the registration process, and the grounds under which the Central Bank may refuse to register a VASP. These grounds include:
Preparation The Central Bank’s website contains useful information for those requiring registration as a VASP, including the Criminal Justice Act* (as at commencement date), Guidelines on Fitness & Probity of Principal Officers/Beneficial Owners, and links to the AML/CFT Registration Form. The Central Bank will not accept a registration application until the applicant has been through the pre-registration and has obtained a Central Bank Institution Number. The Central Bank has also indicated that its current graduated approach to AML/CFT supervision will apply equally to VASPs, meaning that firms which present a higher risk of money laundering and/or terrorist financing will be subject to higher intensity and intrusive supervisory measures than those presenting a lower risk. Next Steps As many VASPs shall become designated persons for the first time, they should review their AML/CTF frameworks, their Relevant Obligations, legislation and guidance now. Given that the Act has now commenced in operation, applicants should submit a Pre-Registration Information Form to the Central Bank to request a Central Bank Institution Number as soon as possible. Being within the AML/CTF framework will surely bring benefits such as greater confidence to end-users (i.e., customers – individuals and corporates) of VASPs and hopefully, more banking partners will consider opening up their services to VASPs particularly ahead of the proposed Markets in Crypto Assets Regulation 2020/0265. Support Available As with any new process, it can appear complex and daunting until you have been through it a few times. Thankfully help is at hand through CompliReg. If you would like to setup an initial discussion to discuss your requirements, please check out our page and complete the enquiry form at https://complireg.com/vasp.html. Stephen Fletcher or Peter Oakes will get back to you ASAP. Our details at https://complireg.com/team.html. This document (and any information accessed through links in this document) is for guidance purposes only and does not constitute legal advice. CompliReg does not provide legal services. Where legal services are required, CompliReg works with a select number of law firms. If you are a law firm and wish to be considered for our panel, please contact [email protected].
Back to Blog
  Peter Oakes, Founder, Complireg UPDATE: The law commenced operation on Friday 23rd April 2021. See Stephen Fletcher's blog of Saturday 1 May 2021 for further details Below is my linkedin post of 16 April 2021. I have been asked to put a copy of the consolidation online. We spent a lot of time preparing the consolidation and are happy to share the below slideshow. If you would like a copy of the document in pdf which you can copy, paste and search within, please email [email protected] and we will inform of the costs and email. "Some comments on the updated Irish #moneylaundering and #terroristfinancing legislation. Linkedin Post: What: Ireland signed into law the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The 2021 Act (No. 3 of 2021) makes a number of changes to the 2010 Act (No. 6 of 2010) When: 18 March 2021. Legislation passed by Oireachtas & signed into Law by the President of Ireland Action: It’s time to update your #Compliance & #FinancialCrime Risk Frameworks, Risk Assessments, Policies, Manuals & Procedures. So what areas of the the 2010 Act impacted by the changes in March do you need to know and consider taking into account to update your compliance documents? See the comments section below where I've listed the areas from the 2010 Act impacted by the 2021 Act. How: Contact the team at CompliReg. We are undertaking several reviews of policies, procedures and manuals in light of the recent changes made to Irish AML/CTF law. We have tracked the changes in our consolidation of the 2010 Act up until and including Act No 3 of 2021. Contact the team at [email protected] with your business contact details for a discussion of a review. We'll be sending a copy of our up-to-date consolidated version of the 2010 Act to our clients this week." Post at https://www.linkedin.com/feed/update/urn:li:activity:6788600737791303680/
Back to Blog
 Central Bank publishes “Dear CEO” letter to Schedule 2 firms on low level of compliance with Anti-Money Laundering and Counter Financing of Terrorism obligations
The Central Bank has today (16 December 2020) published the outcome of supervisory engagements undertaken in respect of Schedule 2 Firms to assess compliance with their obligations under Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010). The "Dear CEO" letter*, outlines the Central Bank’s expectations of firms in relation to Anti-Money Laundering/Counter Financing of Terrorism (AML/CFT) and Financial Sanctions (FS) requirements and details follow-up actions to be taken by CEOs and Boards in response to the findings outlined. The examination, which comprised of both inspections and review meetings, found an overall lack of compliance across all areas of the AML/CFT control framework. There is also poor understanding of the requirements from Board and senior management levels, including at those firms who outsourced their AML/CFT and FS activities to third parties. The examination identified a number of failings across Schedule 2 Firms, including:
Director of Enforcement & Anti-Money Laundering, Seána Cunningham said: “The Central Bank expects all firms to be alert to the risks that money laundering and criminal financial activities may pose to their customers and business, and the wider integrity of the Irish financial system. This requires CEOs and Boards to have in-depth knowledge and understanding of their Anti-Money Laundering and Counter Financing of Terrorism obligations. It is also essential to have the necessary control framework in place to ensure protection of their business and customers. “Our supervisory engagements revealed a low level of compliance with the AML/CFT control framework requirements. The culture and tone of any organisation is set from the top. It therefore rests with the Board of these firms to ensure that the necessary AML/CFT governance, risk assessment, policies and procedures, training and awareness are embedded throughout the organisation. While some firms may choose to outsource AML/CFT activities to third party service providers, Boards cannot outsource the responsibility for compliance. “We will continue to engage directly with those firms where compliance weaknesses and failures have been identified to ensure that they are addressed. We also require all firms to review the content of this letter to ensure that they assess their own compliance with the issues identified. “We are also taking this opportunity to remind all firms to assess their activities to determine if they are required to register with us under Schedule 2. Firms who fail to register are at risk of significant criminal and/or administrative sanctions. In 2021, the Central Bank will use all means available to identify those firms not registered and take appropriate action.” ENDS Notes to Editor
Further information Media Relations: [email protected] / 01 224 6299 Ewan Kelly: [email protected] / 01 224 6269
Back to Blog
 Some choice headlines in the papers about Brexit in the past week as we - according to Brexit Ireland's countdown to Brexit clock - just little more than 33 days before 11p.m. (UK time) on Thursday 31st December 2020 when the Brexit transition period ends with no deal on financial services in sight. This week sees the EU negotiating team returning to London after face-to-face talks came to end more than a week ago after Mr Bariner's team was hit by a case of Covid. They will be greeted by headiness such as: UK dismisses ‘derisory’ EU fishing offer ahead of last-ditch trade talks; Europe’s finance sector hits ‘peak uncertainty’ over Brexit; and The City braces for Brexit.  There is no equivalence regime provided for within either EMD2 (electronic money institutions) or PSD2 (payments services institutions)! One thing we are still very surprised by is the many in #fintech, #techfin and indeed #finserv (and scarily their advisers) who think that recent news on 'equivalence' deals are applicable to all UK #finserv which passport across the European Union / EEA. The announcement on Monday 23rd November by the European Commission was simply and specifically about European regulators finalising a late change seeking to avoid chaos in £15tn of derivatives contracts held between UK and EU counterparties. Then on Wednesday 25th, they insisted outposts of EU banks in London would have to trade certain derivatives in the EU. Back in August 2020 the European Parliament reminded that "Equivalence decisions are a unilateral decision by the Commission. The Commission ultimately exercises its discretion as conferred upon it by the “empowerment” given in EU sectoral legislation.'' BUT MORE IMPORTANTLY "The Commission also enjoys discretion to withdraw equivalence decision. The equivalence frameworks in force do not provide as such specific procedures for monitoring, reviewing or amending equivalence decisions." There are no equivalence provisions in EU bank, payments nor electronic money directives, and the equivalence provision in MiFiD doesn't apply to retail investment services. See the below table on the 'Role of equivalence in key EU banking and financial services legislation' for confirmation. The upshot is that if you are a UK authorised payments institution or electronic money intuition, come Thursday 31st December 2020 when your ability to passport across the whole of European Economic Area comes to an end, so too does your business model unless you have obtained an authorisation in an EU/EEA state. There are are other options available but we'll leave that for another article. If you are a regulated fintech looking for a home post #brexit contact https://complireg.com/authorisations.html. Read our Fintech Authorisation Guides published jointly by CompliReg and Fintech Ireland on the authorisation process. And check out the 'Why Ireland for Fintech' brochure. Why Ireland for your regulated fintech?
“From January 1st, EU rules will apply to UK firms wishing to operate in the EU. UK firms will lose their financial passport: it’ll be anything but business as usual for them. This means they will have to adhere to individual home-state rules in each and every member state,” the official said.  Further reading:
26 November 2020 - Move to EU or face disruption, City of London is warned
27 August 2019 - "Third country equivalence in EU banking and financial regulation"
29 July 2019 - Financial services: Commission sets out its equivalence policy with non-EU countries 12 July 2017 - "Third-country equivalence in EU banking legislation"
Back to Blog
KBC Bank Ireland plc fined €18.3mn for regulatory breaches and being 'simply unconscionable.'24/9/2020  "Our investigation found KBC persistently refused to accept its failings despite having multiple opportunities to remedy the detriment that it was causing to its customers over an extended period. KBC’s actions in this regard, including the failure to adequately comply with the Stop the Harm Principles of the TME [Tracker Mortgage Examination], were simply unconscionable." Central Bank of Ireland 24 September 2020 Question: If KBC conducted itself in the manner contended by the Central Bank of Ireland, which KBC arguably agreed with (otherwise why would it have agreed with the view) why did the Central Bank afford KBC a discount of 30% on a fine which would have otherwise been €26,162,857? Source: Central Bank of Ireland
Press release – 24 September 2020 Enforcement Action Notice: KBC Bank Ireland plc reprimanded and fined €18,314,000 by the Central Bank of Ireland for regulatory breaches affecting tracker mortgage customer accounts On 22 September 2020, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined KBC Bank Ireland plc (“KBC” or the “Firm”) €18,314,000 pursuant to its Administrative Sanctions Procedure (“ASP”) in respect of KBC’s serious failings to certain tracker mortgage customers holding 3,741 customer accounts from June 2008 to October 2019. KBC has admitted in full to 12 regulatory breaches. The Central Bank has imposed a fine at the highest end of its sanctioning powers, reflecting the gravity with which the Central Bank views KBC’s failures. The impact of KBC’s failings on its customers, which related to 3,741 accounts, was devastating and included significant overcharging and the loss of 66 properties. Additionally, KBC’s engagement and co-operation with the Central Bank’s Tracker Mortgage Examination (the “TME”) was deeply unsatisfactory. KBC caused avoidable and sustained harm to impacted customers due to the Firm’s unwillingness to acknowledge its failings until December 2017 and to take immediate action to apply the protections of the TME. Had KBC adhered to the TME guidelines sooner, without the need for significant and sustained Central Bank intervention, the harm to its customers – particularly incidences of property loss - would have been significantly reduced. The Central Bank determined that the appropriate fine was €26,162,857, which was reduced by 30% to €18,314,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP[1]. This will be paid to the Exchequer[2]. This fine is in addition to the €153,524,363 that KBC has been required to pay to date in redress and compensation and account balance adjustments under the TME to its impacted tracker mortgage customers. The enforcement investigation, which was conducted in parallel with the TME, sought to determine how and why KBC failed to fulfil its obligations to their customers. The investigation also examined KBC’s failure to adhere to the Central Bank’s requirements under the TME. Over the course of 2008, tracker mortgages were becoming increasingly unprofitable for KBC, resulting in the withdrawal of the product by July 2008. The Central Bank’s investigation found that in doing so, KBC failed to treat its existing tracker mortgage customers fairly and put KBC’s financial interests above the protections their customers should have been afforded. In particular, KBC’s failures resulted from: (i) A proactive strategy to convert customers off their tracker rates: In 2008, KBC devised a strategy to permanently convert certain customers from their low-cost tracker rates. This applied to customers seeking fixed rates or interest only periods at a time when KBC knew that trackers were unprofitable for them. KBC failed to adequately warn the customers concerned that such amendments would result in the permanent loss of their tracker rates. The impact of this strategy was that certain customers, some of whom were already in financial distress, were required to make higher monthly mortgage repayments over the remaining term of their mortgages. This in turn increased the profit margin KBC made on these mortgages. (ii) Failure to adequately warn customers entering interest only or fixed rate periods that they would be unable to return to their tracker rates: At a time when KBC was withdrawing tracker products, it failed to provide customers with clear documentation and/or to provide customers with vital information that their request to fix their interest rate or move to an interest only period would lead to the permanent loss of their tracker interest rate. KBC also failed to warn customers seeking an interest only arrangement that they stood to pay more interest over the lifetime of their loan. (iii) Failure to adequately comply with the Central Bank’s Framework for the TME: KBC failed to adhere to the guidelines set out in the Central Bank’s TME Framework, requiring significant intervention from the Central Bank to ensure that all impacted customers were identified, redressed and compensated. (iv) Failure to adequately comply with the Stop the Harm Principles of the TME: From the outset of the TME in December 2015, KBC failed to take adequate steps to prevent customers from suffering any further harm or detriment pending the outcome of the TME review. This included failing to stop charging higher, incorrect rates of interest and failing to halt legal activity and loss of ownership of customers’ properties. Of the 66 properties referenced above that were lost as a result of KBC’s tracker mortgage failures, 39 of these could have been avoided had KBC implemented the Stop the Harm Principles immediately and as required. The Firm’s approach to, and implementation of, these protections was grossly inadequate. (v) Provided incorrect information to the Financial Regulator[3] in respect of KBC’s treatment of certain tracker customers: In 2009, KBC advised the Central Bank that customers who sought interest only arrangements did not lose their tracker rates for the remaining term of their loans. This was incorrect. As a result, certain interest only customers were denied redress and compensation and an account balance adjustment until identified as having wrongfully lost their tracker through the TME 8 years later. KBC only acknowledged that it had not treated these customers fairly following robust and sustained intervention by the Central Bank during the TME. (vi) Operational and systems failings: In addition, the investigation found that KBC had inadequate mortgage systems and/or operational controls in place to enable them to meet their regulatory and contractual obligations to certain customers. In total there were 12 separate regulatory breaches of the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995 (“1995 Regulations”), the Consumer Protection Codes 2006 and 2012 (“2006 Code” and “2012 Code” respectively). The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank’s investigation into KBC has revealed a stark example of the very real harm caused to people when financial service providers fail to treat their customers fairly. By placing their own financial interests ahead of their customers’ best interests, KBC failed to adequately consider their obligations under the Consumer Protection Codes, which were put in place in order to protect customers in their dealings with financial service providers. The impact of KBC’s actions on their customers was devastating and avoidable. By overcharging customers over extended periods, KBC forced people into arrears, including certain customers whom KBC knew were already facing financial difficulties. Some customers suffered the most severe impact with 66 properties being lost by customers, 11 of which were family homes. Our investigation found KBC persistently refused to accept its failings despite having multiple opportunities to remedy the detriment that it was causing to its customers over an extended period. KBC’s actions in this regard, including the failure to adequately comply with the Stop the Harm Principles of the TME, were simply unconscionable. KBC’s initial review of their mortgage loan book during the TME identified only 93 impacted customer accounts. The total number of impacted customer accounts has since increased to over 3,700 but only following the sustained challenge and intervention of the Central Bank. We expect firms to engage in an open, timely and constructive manner with the Central Bank and to do the right thing by their customers, not because they are told to but because it is the right thing to do. KBC’s failures reinforce the Central Bank’s view that the financial services industry has a long way to go in breaking down the deep-set cultures that cause such terrible damage to people’s lives. Our message today is clear, and goes beyond the tracker mortgage related issues to all regulated firms: Firms should act in the best interest of their customers and consider their Consumer Protection Code obligations when making decisions that impact their customers. Where firms fail to do so, our response will be robust and the consequences will be serious.” Background to the investigation into KBC KBC Mortgage Bank (formerly IIB Homeloans Limited) is a credit institution and a regulated financial service provider. IIB Homeloans Limited applied for authorisation as a retail credit firm by the Central Bank in May 2008 following the enactment of legislation introducing the retail credit firm regime, thereby becoming subject to the Consumer Protection Codes from 1 June 2008. IIB Homeloans Limited subsequently obtained a banking licence from the Central Bank on 24 October 2008, at which time it officially renamed its operations in Ireland ‘KBC Mortgage Bank.’ In or around June 2009, KBC Mortgage Bank transferred its business to KBC Bank Ireland plc, amalgamating the businesses formerly conducted by IIB Bank plc and IIB Homeloans Limited/KBC Mortgage Bank. KBC introduced tracker mortgages to its range of products in 2003, ultimately withdrawing them from the market on 4 July 2008, as KBC viewed them as no longer profitable. In September 2015, the Central Bank notified lenders that it was developing the Framework for the TME, which was to be grounded on consumer legislation, including both the 2006 Code and the 2012 Code. In December 2015, the TME was established. Lenders were required to determine whether or not in all circumstances it had complied with its consumer protection regulatory obligations. The TME was designed to ensure that lenders met their consumer protection obligations by requiring lenders to: 1. Conduct a complete review of their tracker mortgage loan book to identify customers who may not have been treated fairly. 2. Take steps - pending the determination of impact under the TME - to (i) stop charging the incorrect rate of interest at the earliest possible time, (ii) halt all legal activity and (iii) ensure that customers did not lose ownership of their properties. The objective of this requirement was for lenders to take early steps to Stop the Harm, thus shielding potentially impacted customers from further harm and detriment. 3. Return impacted customers to the position they would have been in but for the tracker mortgage failings, which included, rate rectification or the option to return to a tracker rate. Furthermore, lenders were required to pay compensation commensurate to the harm caused to each customer given their specific circumstances. In early 2016, as part of its early engagement on the TME, the Central Bank notified KBC that it should consider whether the documentation provided to customers entering into an interest only or a fixed rate period may have led to an expectation that they could return to a tracker rate on expiry. When KBC failed to include those customers in the TME in September 2016, the Central Bank continued to challenge KBC’s assessment of whether particular groups of customers were impacted under the TME and therefore entitled to redress and compensation and have their account balance adjusted. KBC persistently refused to accept its tracker mortgage failings until December 2017, further evidencing KBC’s failure to put its customers first. KBC’s failings uncovered as part of the TME led to the commencement of the Central Bank’s enforcement investigation. Regulatory breaches KBC has admitted 12 regulatory breaches of the 1995 Regulations, the 2006 Code and the 2012 Code, which were identified during the Central Bank’s investigation. These breaches occurred as a result of the following:
Further detail of these failings is set out below. 1. A proactive strategy to convert customers off their tracker rate In 2008, KBC devised a strategy to permanently convert customers from their low-cost tracker rates, with the result that they were required to make higher monthly mortgage repayments over the remaining term of their mortgages and in turn increased the profit margin KBC made on the mortgage. At a time when KBC knew trackers were unprofitable, KBC implemented this strategy of seeking to permanently convert customers from their tracker rates through two separate direct mailings to customers in August and September 2008 (the “direct mailings”). KBC’s strategy was to convert its customers from their tracker rates to fixed rates, immediately increasing their margin, while ensuring that those mortgages would revert to standard variable rates and not a tracker on the expiry of the fixed rate period. Once this occurred, KBC could control the interest rate being charged. KBC failed to adequately warn those customers that they would not return to their tracker at the expiry of the fixed rate period. Following intervention by the Financial Regulator in 2008, KBC agreed to give the option to direct mailings customers who had switched from a tracker rate to a fixed to return to their tracker rates. Furthermore, during the course of 2008 and early 2009, KBC took the opportunity to move certain customers, some of whom were in arrears, from their pre-existing tracker rate when the customer requested to enter into or extended an existing interest only period. For example, in some circumstances, KBC required customers to switch to a standard variable rate to avail of the break in capital payments arising from the interest only arrangement, whereas in other instances, customers were required as a condition of approval for the interest only period to first enter into a fixed rate period that would not revert to their tracker on its expiry. In doing so, KBC failed to adequately warn those customers that they would not return to their tracker on the expiry of the interest only period. The resulting loss of the tracker rate invalidated the benefit to customers of availing of a temporary repayment break with the customers then making higher monthly mortgage repayments over the remaining term of their mortgages and increasing the profit margin KBC made on the mortgage. This practice continued into early 2009 in respect of certain interest only customers. Due to the fact that KBC provided incorrect information to the Financial Regulator in 2009 when challenged on this matter and failed to properly engage with the TME, the position of interest only customers was not fully rectified until late 2017, as explained in more detail below. This failure to rectify was despite the fact that KBC reviewed the position of some of their interest only customers’ accounts and customer documentation in 2011 as part of an internal review. KBC failed to adequately consider the impact of the strategy on their customers and their obligations under the 2006 Code. KBC has admitted that this strategy did not meet its obligation to act honestly, fairly and professionally in the best interests of its customers. The Central Bank also found that KBC failed to have and/or effectively employ necessary and/or adequate resources, procedures, and systems and control checks in place to ensure that it adequately considered its consumer protection focused obligations when taking strategic and financial decisions in relation to its tracker book. KBC has admitted breaches of the 2006 Code in respect of this behaviour, as follows:
2. Failure to adequately warn certain customers entering into interest only or fixed rate periods that they would be unable to return to their tracker rates The Central Bank found that KBC failed to comply with the requirements of the 2006 Code, the 2012 Code and the 1995 Regulations with regard to its obligation to ensure that documentation provided to customers at key points was clear and comprehensible and that key information was brought to their attention. These failures manifested in three distinct scenarios: Interest Only Customers Certain customers who sought forbearance on their mortgages through an interest only arrangement were impacted over the period from 19 June 2008 to 3 October 2018, many of whom were in financial distress and thus particularly vulnerable. The Central Bank found that contractual documentation that issued to certain interest only customers did not specifically refer to the rate that those customers would default to on maturity of the interest only period and thus it was not clear that those customers would lose their tracker rate for the remaining term of their mortgage. Certain customers lost their low cost tracker rates for the remaining term of their mortgage when they took up an interest only facility. Customers entering into a fixed rate using a Fixed Rate Instruction Form (“FRIF”) Certain customers were impacted when they sought to enter into a fixed rate period on their mortgage and completed a FRIF. Certain FRIF documents, when read in conjunction with other loan documentation, were unclear as to the rate to which the mortgage would default to at the end of the fixed rate period. These customers were therefore not clearly informed that they would not be able to return to their pre-existing tracker rate as a consequence of entering into the fixed rate period. Customers entering into a fixed rate after trackers were withdrawn Certain tracker mortgage customers who sought to enter into a fixed rate period after KBC had withdrawn tracker mortgages as a product offering were impacted. KBC failed to inform these customers in advance of fixing that they would no longer be able to avail of their tracker rate at the end of the fixed rate period, as trackers had been withdrawn from KBC’s product offering. KBC has admitted breaches in relation to its failures to warn customers as follows:
Certain of these breaches continued until the end of 2018, when KBC corrected the interest rates, paid redress and compensation and adjusted their account balances as part of the TME. 3) KBC’s failure to adequately comply with the Central Bank’s Framework for the TME The Central Bank’s Framework for the TME required lenders to conduct the TME and determine whether or not in all circumstances they had complied with their consumer protection obligations arising from a number of pieces of consumer legislation including the 2006 and 2012 Codes. The Framework also specified the manner in which lenders were required to conduct the TME, as follows: “When completing the Examination and when assessing compliance with regulatory requirements, the lender is to demonstrate that it is ensuring that customers’ interests are protected, that customers are being treated fairly and that it has considered customers’ reasonable expectations with regard to their entitlement to a Tracker Interest Rate, in the context of the information provided and the disclosures made by the lender to customers.” The Central Bank found that KBC’s approach to the TME evidenced a failure to comply with the consumer protection principles at the heart of the TME requirements that the Central Bank put in place in order to protect customers. KBC did not give adequate consideration to its regulatory obligations, to customer fairness or to the transparency of communications with customers, as required. Instead, KBC’s decision-making during the TME resulted in the identification of only a fraction of the customers rightly entitled to redress and compensation and have their account balance adjusted. In this regard, KBC did not deem interest only customers or customers who had received the FRIF as being impacted. KBC initially concluded that interest only customers had no entitlement to inclusion and that the Fixed Rate Instruction Form was clear. KBC took this position despite the Central Bank having raised concerns regarding both interest only and fixed rate customers at the outset of the TME. KBC ultimately conceded that these customers should be included in the TME in late 2017, following prolonged and consistent challenge from the Central Bank on these and other matters. From the commencement of the TME in 22 December 2015 to April 2019, KBC failed to:
each of which is contrary to the TME Framework which was designed to ensure the protection of impacted customers. KBC’s failure to adhere to the guidelines set out within the TME Framework resulted in the continued overcharging of certain customers’ accounts until KBC customers were put on the correct interest rates and paid redress and compensation and had their account balance adjusted. KBC has admitted breaches in respect of its failure to protect customers and apply the Central Bank’s Framework for the TME, as follows:
These breaches continued until KBC customers were put on the correct interest rates, paid redress and compensation and had their account balance adjusted. 4) Failure to adequately comply with the Stop the Harm Principles of the TME In June 2015, the Central Bank issued a letter to industry which set out the Central Bank’s regulatory expectations in respect of mortgage lenders, including those in respect of customers in financial difficulty. These regulatory expectations were grounded upon the 2006 and 2012 Codes. The purpose of this letter was to set out the outcomes and feedback from a themed inspection of mortgage lenders in respect of compliance with the Code of Conduct on Mortgage Arrears. The letter set out the regulatory expectations on mortgage lenders in respect of “Customer Impacting Issues for Borrowers in Financial Difficulty”. These regulatory expectations were the Stop the Harm Principles, which lenders were required to comply with to stop further detriment to potentially impacted customers. The Central Bank subsequently reiterated the Stop the Harm Principles specifically with regard to accounts within the scope of the TME, again grounded upon the 2006 Code and the 2012 Code. The core objective of the Central Bank’s work in the TME was to require lenders to seek to address the impact their actions had on impacted customers. To help achieve this aim, the Principles of Redress, including the ‘Stop the Harm’ Principles, required lenders to put in place, amongst other things, controls and measures to ensure that potentially impacted or impacted customers did not suffer any further detriment. These measures were designed to ring-fence and protect customers until such time as the lender could either satisfy themselves that the relevant customers were not affected or until such time as the lender had paid them redress and compensation and had their account balance adjusted. The ‘Stop the Harm’ Principles were designed to ensure that lenders ceased charging the incorrect rate at the earliest possible time, that lenders did not take steps in the legal process in relation to potentially impacted and impacted customers and that potentially impacted and impacted customers did not lose ownership of their properties. The Central Bank found that between December 2015 and September 2016, KBC failed to adequately implement the Central Bank’s Stop the Harm Principles with the procedures adopted failing to prevent further detriment from occurring to customers. KBC’s ‘Stop the Harm’ policy allowed it to take steps in the legal process, up to and including obtaining orders for possession in the Courts and appointing receivers over properties. This included instances whereby KBC authorised the progression of legal activities before they had made a final determination on the cohorts of customers that it considered ‘impacted’ under the TME. In September 2016, KBC incorrectly deemed customers who lost their tracker rates on taking up interest only arrangements as ‘not-impacted’ under the TME. Consequently, KBC removed the Stop the Harm protections for these customers. As of result of this action, 11 properties were unnecessarily lost by these customers. Finally, during the course of the TME, KBC failed to inform many customers seeking to sell, or otherwise dispose of their properties, including by way of assisted voluntary sale or surrender, that they may be impacted under the TME and may be entitled to redress and compensation and to have their account balance adjusted. Therefore, in some instances, the customer’s decision to dispose of their property was not fully informed. These failures resulted in additional and avoidable harm to certain customers and in some cases legal proceedings were progressed, up to and including loss of ownership. KBC has admitted breaches in respect of its failure to apply the Stop the Harm Principles, as follows
5) Provided incorrect information to the Financial Regulator Following media reports in 2009, which referenced that KBC were allegedly exploiting interest only customers by requiring them to move to a standard variable rate as a condition of taking up an interest only facility, the Financial Regulator sought clarification regarding the manner in which KBC treated those customers. KBC confirmed to the Financial Regulator that it did not remove tracker interest rates from both arrears and non-arrears customers who entered into interest only arrangements for the remaining term of their mortgages. This was not in fact the case as certain arrears and non-arrears customers had lost their tracker rates at the time. This investigation found that, through KBC’s failures to undertake proper due diligence and care in the gathering of information, KBC provided incorrect information thus misleading the Financial Regulator in 2009 in respect of the treatment of KBC’s interest only customers. This had far-reaching consequences for these customers. Having assured the Financial Regulator that these customers returned to their tracker rates on the expiry of the interest only facility, no further regulatory action was taken at that time. Consequently, customers who sought forbearance on their mortgage repayments continued to be charged higher rates of interest for the remaining term of their mortgages. The provision of this incorrect information to the Financial Regulator facilitated the persistent and ongoing breaches of the Consumer Protection Codes by KBC in relation to these customers until this issue was later identified and ultimately rectified under the TME. The Central Bank examined KBC’s treatment of interest only customers again in the context of the TME. At that point, the Central Bank became aware that KBC had provided incorrect information to the Financial Regulator in 2009. KBC ultimately conceded that interest only customers were impacted for the purpose of the TME in October 2017. This came only after robust challenge from the Central Bank regarding KBC’s initial decision in September 2016 to exclude these customers from the TME. Interest only customers finally received redress and compensation and had their account balance adjusted in late 2017, approximately 8 years following the incorrect information that had been provided by KBC to the Financial Regulator on the same issue. KBC has admitted breaches in relation to providing inaccurate information to the Financial Regulator, as follows:
6) Operational and systems failings During the course of KBC’s review of its tracker mortgage book and also within the TME, KBC identified a number of operational and systems failings which affected customers and resulted in, amongst other things, customers being placed on the incorrect interest rate; placed on the incorrect product type; provided with incomplete, inaccurate and unclear documentation; offered the incorrect tracker rate or not receiving appropriate information in relation to their entitlement or loss of entitlement to a tracker rate. In addition, due to operational and systems failings, KBC failed to comply with an undertaking given to the Central Bank in 2009 to return all of the direct mailing customers to their previous tracker rates. The investigation found that KBC had inadequate operational and systems controls in place to enable them to meet their regulatory obligations to certain tracker mortgage customers. Procedural and systems weaknesses, deficient processes, administrative errors including the failure to implement amendments to customer accounts in a timely manner, operational errors, reliance on standard documentation not tailored to the particular customers’ circumstances and reliance on manual interventions were all factors which contributed to KBC’s failings which occurred over an extended period of time. KBC has admitted breaches in relation to these operational and systems failings, as follows
Impacted numbers In summary, our investigation found that a total of 3,741 customer accounts were impacted as a result of KBC’s numerous failures over an extended period of time, with some customers being affected by more than one of the above issues. Penalty Decision Factors In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case: The Nature, Seriousness and Impact of the Contraventions
Aggravating factors
This enforcement action against the Firm is now concluded. This marks the completion of the second in a series of ongoing investigations which were commenced, and will therefore conclude, at different times. Notes to Editors 1. The Central Bank imposed a fine of €18,314,000 on KBC, which represents the maximum applicable penalty of €26,162,857 with a settlement discount of 30%. This fine is at the highest end of its sanctioning powers. The Central Bank’s ‘Outline of the Administrative Sanctions Procedure’ provides for an early settlement discount of up to 30% in order to promote early resolution of matters, which in turn leads to better utilisation of the resources of the Central Bank. For further information on the discount scheme, see the Central Bank’s ‘Outline of the Administrative Sanctions Procedure’, which is here. In October 2016, the Central Bank fined KBC €1,400,000 and reprimanded it for breaches of the Code of Practice on Lending to Related Parties 2010 and the Code of Practice on Lending to Related Parties 2013. Details of the Enforcement Action can be found here. 2. The Central Bank’s sanctioning powers were increased in 2013, pursuant to Section 68(b) of the Central Bank (Supervision and Enforcement) Act 2013. The maximum penalty which the Central Bank may now impose is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater. 3. This is the Central Bank’s 139th settlement since 2006 under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €123m, which total includes the fine imposed against Springboard Mortgages in 2016 and Permanent TSB plc in 2019 in respect of breaches of its obligations to tracker mortgage customers. This settlement also marks the 32nd outcome in respect of Consumer Protection Code breaches. 4. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue. 5. The Consumer Protection Codes 2006 and 2012 are available on the Central Bank’s website www.centralbank.ie or to download here and here. The 2006 Code ceased to have effect on 31 December 2011 and the 2012 Code came into effect on 1 January 2012. 6. The Tracker Mortgage Examination commenced in December 2015. The Examination required all lenders to review their loan book to ensure compliance with both regulatory and contractual requirements in relation to tracker mortgages. Where impacted customer accounts are identified, the Central Bank expects that those customers will receive redress and compensation commensurate with the detriment suffered and to have their account balance adjusted accordingly. Information on the Examination is available on the Central Bank’s website www.centralbank.ie or to download here. Further information: Media Relations: [email protected] / 01 224 6299 Ewan Kelly: [email protected] / 086 463 9652 [1] The Central Bank’s ‘Outline of the Administrative Sanctions Procedure’ provides for an early settlement discount of up to 30% in order to promote early resolution of matters, which in turn leads to better utilisation of the resources of the Central Bank. [2] All fines collected by the Central Bank are returned to the Exchequer. [3] The Financial Regulator was re-unified with the Central Bank on 1 October 2010.
Back to Blog
 Not long after the European Union’s top court ordered Ireland on 16 July 2020 to pay a lump sum of €2 million to the European Commission for Ireland's failure to implement regulations aimed to prevent money laundering and terrorist financing, a new law aimed at strengthening existing Irish anti-money laundering legislation and giving effect to provisions of the 5th EU Money Laundering Directive has been approved by the Cabinet of the Irish Government.
On Monday 10th August 2020, the Cabinet has approved the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020. This follows the signing into law by the President of Ireland on 5th May 2020 of the earlier Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (Act 6 of 2010) [previously known as the Criminal Justice (Money Laundering and Terrorist Financing) Bill 2009 (Bill 55 of 2009)]. If you need advice on the new Bill or your existing regulatory compliance obligations, get i touch with Peter Oakes here at at CompliReg. Useful Links:
The Minister for Justice and Equality, Helen McEntee T.D., has received Cabinet approval for the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020. The Bill transposes the criminal justice elements of the 5th EU Money Laundering Directive and strengthens existing legislation. Upon announcing the new Bill, the Minister McEntee said, "I look forward to bringing this legislation before my colleagues in both Houses, and anticipate that this Bill will receive broad, cross-party support." What does the Bill contain? The Bill includes provisions to:
The Minister also noted that: "This Bill is an important piece of legislation for tackling money-laundering. The reality is that money laundering is a crime that helps serious criminals and terrorists to function, destroying lives in the process. Criminals seek to exploit the EU’s open borders, and EU-wide measures are vital for that reason. This new legislation also includes a number of technical amendments to other provisions of Acts already in force." While the Bill transposes certain elements of the 5th Anti-Money Laundering Directive, the Department of Finance is also engaged in giving effect to certain provisions of the Directive, including those relating to:
The Minister for Finance (Paschal Donohue, T.D.) has also secured Government Approval to bring forward amendments in respect of the regulation of Virtual Asset Service Providers (VASPs). The amendments will ensure that the necessary registration and fitness and probity regime, required by 5AMLD for virtual asset service providers, become statutory requirements. Amendments will also address Ireland’s international obligations, relating to a robust regulatory framework for new technologies, new products and new practices, as identified by the Financial Action Task Force (FATF).
Back to Blog
Irish Bank, Bank of Ireland, fined €1,660,000 over cyber-fraud and misleading the Irish Regulator28/7/2020  Enforcement Action Notice: The Governor and Company of the Bank of Ireland fined €1,660,000 and reprimanded by the Central Bank of Ireland for regulatory breaches causing loss to a client and for misleading the Central Bank in the Central Bank in the course of the investigationSummary:Here's a blueprint for inviting an enforcement action for cyber-fraud & misleading your regulator arising from Bank of Ireland's fine €1,660,000 announced today. [Linkedin Post Here] What did Bank of Ireland do wrong?: 1) failed to implement sound administrative procedures & internal control mechanisms in respect of third party payments. 2) failed to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud. 3) failed to establish, implement & maintain systems & procedures adequate to safeguard the security, integrity & confidentiality of client bank account details. 4) failed to establish, implement & maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Sec. 19 of the Criminal Justice Act 2011. 5) failed to monitor adequacy & effectiveness of the measures & procedures put in place & the actions taken to address any deficiencies in respect of third party payments. 6) failed to be open & transparent, having the effect of misleading the Central Bank in the course of the investigation. Facts of Matter according to Central Bank of Ireland:On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB). BOI has admitted the breaches, which vary in length from one to ten years.
In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure. The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident). Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds. BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log. BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident. The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:
BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation. BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments. During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case. This is one of two aggravating factors in this case; the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies. Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention. In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed. The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly. This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings. BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice. BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime. This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security. The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities. The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.” BACKGROUND Founded in 1989, BOIPB was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act, 1995 (the 1995 Act) on 26 May 2000. This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007. At the time of the cyber-fraud, BOIPB was an independently regulated MiFID firm and its primary activity was to provide investment services to high net worth individuals who had investable assets in excess of €1,000,000. In addition, BOIPB provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI. Since 1 September 2017, BOIPB is no longer a MiFID firm and is now a business unit within the Retail Division of BOI. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its services are authorised by the Central Bank of Ireland under the licence of BOI, a regulated financial service provider for the purposes of the Central Bank Act 1942. BOIPB’s audited financial statements for the year ended 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000. THE CYBER-FRAUD Third party payment instructions were processed by BOIPB with particular reference to a procedure called the Third Party Payments Procedure (the TPPP), which outlined steps to be followed to verify a client’s identity before processing a third party payment instruction. BOIPB processed two separate payment instructions received in September 2014, purportedly from a client (the Client), which in fact were sent by a cyber-fraudster (the Fraudster) who had hacked the Client’s e-mail account. This led to two transfers totalling €106,430 to be transmitted to a corporate bank account at a UK bank. The first transfer was drawn from the Client’s current account, and the second transfer was drawn, at the instigation and authorisation of BOIPB, from BOIPB’s suspense account because the payment from the Client’s deposit account was rejected due to insufficient funds. The Client made contact with BOIPB and notified it of the fraud on 30 September 2014, on receipt of an e-mail from BOIPB indicating recent communications (which were unfamiliar to the Client). The Client was immediately reimbursed by BOIPB. To facilitate the instructions received from the Fraudster, BOIPB staff, in breach of BOIPB’s policies and procedures:
The Fraudster used the following tactics:
PRESCRIBED CONTRAVENTIONS The Central Bank investigation identified the following contraventions: Contravention 1 BOIPB breached Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to implement sound administrative procedures and internal control mechanisms in respect of third party payments. The Central Bank’s investigation found that the TPPP was wholly inadequate for the purposes of safeguarding client deposits when processing third party payments. In particular, key procedural, security and authorisation steps were not outlined in the document. Staff did not receive adequate training on the processing of third party payments to ensure they were fully aware of how to safely process these payments. Contravention 2 BOIPB breached Regulation 160(2)(f) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud. The serious weaknesses in the process around third party payments, which had existed for some time, should have been known to management through proper governance, oversight and monitoring. There was no monitoring of third party payments by the first or second lines of defence. Furthermore, the recommendations of the first internal report commissioned by BOIPB in relation to this matter, dated December 2014, were not acted on. Similar weaknesses were identified in a second internal report in January 2016. Remediation of the issues identified in both reports did not take place until February 2016. Contravention 3 BOIPB breached Regulation 34(3)(a) of the MiFID Regulations between 1 November 2007 and 2 January 2018 by failing to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details. The investigation found that for the purposes of customer service, BOIPB staff frequently engaged with private clients through e-mail. E-mail communication, because it is more vulnerable to infiltration by fraudsters than other forms of communication, needs to incorporate additional checks before being acted upon. By failing to identify and provide for this, BOIPB failed to safeguard the security, integrity and confidentiality of information relating to client bank accounts. Contravention 4 BOIPB breached Regulation 34(1)(c) of the MiFID Regulations between 30 September 2014 and 16 December 2015 by failing to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Section 19 of the Criminal Justice Act 2011. BOIPB reported the Incident to its Group Financial Crime Unit (GFCU) on 1 October 2014. GFCU, on behalf of BOIPB, did not report the Incident to An Garda Síochána until December 2015, on the instigation of the Central Bank. Contravention 5 BOIPB breached Regulation 35(2)(c) of the MiFID Regulations by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, BOIPB’s Compliance function failed to monitor, and on a regular basis to assess the adequacy and effectiveness of the measures and procedures put in place and the actions taken to address any deficiencies in respect of third party payments. The TPPP included a requirement that ad-hoc monitoring of third party payments be carried out by the Compliance function. The investigation found that throughout the period November 2013 to May 2016, no ad-hoc monitoring of third party payments was in fact carried out. This failure persisted despite two internal reports highlighting the absence of monitoring and the systemic non-adherence to the TPPP. BOIPB’S RESPONSE TO THE CYBER-FRAUD AND REMEDIATION The Central Bank expects firms to promptly remediate known deficiencies in their procedures and internal control mechanisms. BOIPB failed to do so. Following the Incident, BOI Group Internal Audit function (GIA) investigated how it had occurred. GIA produced their findings in a report in December 2014, which pointed to systemic failings in the processing of third party payments. GIA strongly recommended that BOIPB carry out sampling to verify the authenticity of other “high-value interpays”. BOIPB failed to do this. GIA further recommended, that, at a minimum, the procedure in place relating to third party payments should be enhanced to clarify roles and responsibilities for authenticating and approving third party payments. Again, BOIPB failed to do this. The procedure remained unchanged until February 2016. In March 2015, BOIPB commissioned a further internal review, this time by BOI Retail Business Assurance (RBA) centred on BOIPB’s procedures for processing third party payments. Separately, following the Full Risk Assessment (the FRA) conducted in 2015, the Central Bank informed BOIPB that improvements in relation to third party payment processes would be part of the subsequent RMP arising from the FRA as the process in place was “not robust enough”. The RMP was issued in February 2016, which set out the Central Bank’s expectations in relation to the actions needed to improve the third party payment process. RBA issued its findings in draft to BOIPB in January 2016 (the RBA Report). Following an assessment of a sample of third party payment records, RBA concluded that the same issues identified in December 2014 persisted, namely that client identification questions were not consistently being asked of clients as well as other deficiencies in the third party payment process. BOIPB updated and revised the TPPP in February 2016. The RBA Report was signed-off in June 2016. In August 2016, the Central Bank determined that the full RMP was completed. BOIPB’S COOPERATION WITH THE CENTRAL BANK The Central Bank expects regulated entities to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately. When the Central Bank’s investigation commenced in February 2016, BOIPB possessed the RBA Report which contained highly critical findings in relation to the processing of third party payments. As such, it was highly probative to the Central Bank’s investigation. The Central Bank issued a request for records in February 2016. BOIPB should have provided a copy of the RBA Report when it responded to this request in April 2016. BOIPB failed to do so, instead it included one vague narrative reference to a risk assessment of banking activities (making no reference to a “report” or the fact that it related to third party payments specifically) within a document accompanying the records it supplied in response to the Central Bank’s request. BOIPB disclosed the RBA Report to the Central Bank 19 months after the commencement of its investigation in response to a Central Bank statutory request explicitly requiring production of the record BOIPB had described as a “risk assessment”. It was only when the document was disclosed and reviewed that its true nature and content became apparent to the Central Bank. The Central Bank conducted lengthy enquiries as to the circumstances around BOIPB’s failure to promptly disclose the RBA Report and the following arose:
SANCTIONING FACTORS In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case. The Nature, Seriousness and Impact of the Contravention
The Conduct of the Regulated Entity after the Contravention Aggravating
Other Considerations
The Central Bank confirms that the investigation is now closed. NOTES
Further information: Media Relations: [email protected] / 01 224 6299 Ewan Kelly: [email protected] / 086 463 9652
Back to Blog
 CompliReg is proud to power the Official Fintech Ireland Map 2020. We are now powering the Regulated Fintech Ireland Map version 2 which showcases the regulated payment services directive and electronic money directive firms authorised by the Central Bank of Ireland. Joining this Map in 2020 are the first of two - hopefully many more to come - e-money firms, Squareup International Limited ("Square") and MoneyCorp. Ireland now has:
In addition to issuing emoney, Square is authorised to provide payment services number 3b (execution of payment transactions through a payment card or a similar device) and number 5 (issuing of payment instruments and/or acquiring of payment transactions). Although Moneycorp is yet to appear on the Central Bank of Ireland register, Moneycorp confirmed to us that it is also authorised to provide payment services 3b, 5 and in addition 3c (execution of credit transfers, including standing orders). Moneycorp has been fairly busy. In addition to its emoney authorisation, it also secured a MiFID authorisation. By the way, AFEX which was authorised as payments institution in 2019 also secured a MiFID licence. Expect to see more firms seek both an emoney/payments authorisation together with a MiFID one. Moneycorp’s Dublin office, which opened in 2013, has operated as a branch of its UK regulated entities, saying that as part of Moneycorp’s strategic response to Brexit and wider market developments, it has now secured its e-money and MiFID licences from the Central Bank of Ireland for a newly established Irish company. Bryan McSharry, chief executive of Moneycorp’s European business, said the licences ensured it could “continue to support our existing customer base, continue to grow our business in Ireland and expand our business across the EU in a post-Brexit environment”. They are: Payments Firms: AIB Merchant Services, Western Union, Fexco, CurrencyFair.com, TransferMate Global Payments, #Fire, CUSOP (Payments) Ltd, #PrimaFinance, Avantcard, Barclaycard, #Chasepaymentech, Google Pay, #smallworld, AFEX, BUREAU BUTTERCRANE LTD, Remitly, J.P. Morgan, Circit.io, Xpress Money, CRIF & Finclude (fka. Verge.Capital) Emoney Firms: EML, Facebook, Soldo, Optal, Paysafe Group, paysafecard.com, Prepaid Financial Services Limited (PFS), #foreigncurrencydirect, Stripe, Coinbase. One4all Group, Payoneer, Square and Moneycorp. Congratulations Moneycorp and Square and welcome to the thriving regulated Irish fintech ecosystem. If you are looking to get authorised in Ireland as an emoney or payments firm, see these Authorisation Guides. Read Moneycorp's press release below.  Moneycorp secures its E-Money and MiFID licences in Ireland
New Irish entity, licenced by Central Bank of Ireland, to drive expansion across EU Moneycorp to build on €3 billion of transactions executed for Irish clients in 2019 Dublin, 1 July 2020 | Moneycorp Group, the global foreign exchange and payments business has been granted its Electronic Money Institution (E-Money) and MiFID licences by the Central Bank of Ireland (CBI), further bolstering its offering and expansion in the European Union (EU). Moneycorp is one of the world’s largest specialist foreign exchange companies, serving corporates and individuals across multiple channels since 1979. Headquartered in London, Moneycorp opened its Dublin office in 2013 to provide corporate clients with foreign exchange and payment services over its market leading on-line platform as well as directly from its Dublin dealing room. Since launch, the Dublin office has operated as a branch of the Group’s UK regulated entities, however, as part of Moneycorp’s strategic response to Brexit and wider market developments, it has now secured its E-money and MiFID licences from the CBI for a newly established Irish company; Moneycorp Technologies Limited (MTL). Bryan McSharry, CEO of Moneycorp’s European business, said: “We are delighted to have secured both E-money and MiFID licences from the Central Bank of Ireland. This ensures we can continue to support our existing customer base; continue to grow our business in Ireland; and expand our business across the EU in a post Brexit environment.” “Since launching in Dublin in 2013, we have built a strong corporate and individual customer base of Irish clients – based on our ability to provide best in class foreign exchange services across our market-leading technology platform. We completed €3 billion of transactions for Irish clients in 2019 and we will build on that in 2020 and beyond. Our CBI licences will enable us to continue to expand our business and headcount in Ireland and offer our market-leading service to a vastly increased customer base across the EU.” About Moneycorp Group Moneycorp Group is a global foreign exchange and payments business with offices in the UK, USA, Brazil, Hong Kong, Spain, Gibraltar, Romania, Australia, the UAE and Ireland. With a forty year record of outstanding customer service, today the Moneycorp group serves the growing foreign exchange and payments needs of global businesses, importers and exporters as well as personal clients. W: www.moneycorp.com L: linkedin.com/company/moneycorp/ T: @moneycorp I: instagram.com/moneycorp/ |
© CompliReg.com Dublin 2, Ireland ph +353 1 639 2971
| www.complireg.com | officeATcomplireg.com [replace AT with @]
| www.complireg.com | officeATcomplireg.com [replace AT with @]
