• Home
  • About
    • Fintech Family
  • Authorisations
    • CASP (MiCAR)
    • Buying & Selling
    • Payments & Emoney >
      • Support Material
  • Crowdfunding
  • Services
    • Regulatory Licences
    • Interim Solutions
    • Training
  • Brexit
    • Brexit Updates
  • Blogs & Insights
  • News
  • Team
  • Contact
  • Fintech Ireland
  • Client Login
CompliReg

Blogs & Insights

    Author

    Peter Oakes is an experienced anti-financial crime, fintech and board director professional.

    He has served in senior roles at central banks (Ireland & Saudi Arabia) and financial regulators (UK and Australia).

    Peter is an experienced board director of regulated finserv & fintech firms and advisor to regtech firms.



Central Bank reviews identify issues in marketing of complex investment products

22/4/2022

CompliReg is a leading provider of consultancy services to MiFID, Payments and Emoney firms.  Our founder, Peter Oakes, is an independent non-executive director of two Central Bank regulated MiFID firms, an emoney firm and a payments firm.  Peter is a member of the Audit, Risk, Nomination, Remuneration and Internal Audit Committees of a number of firms. Read more about Peter's NED services and CompliReg's services.
If the post below on the marketing of complex investment products is of interest, you should also look at our post of 1 December 2021 on the Central Bank's review findings on firms providing investment services, where the Central Bank found a need to improve suitability assessments.

Central Bank reviews identify issues in marketing of complex investment products
  • Retail investment market shifting towards increasingly complex products.
  • Review identified a number of poor practices and weaknesses in firms, which increase risks to investors.
  • Firms required to take specific actions to ensure investors are protected.
 
The Central Bank of Ireland has written to MiFID investment firms, outlining the findings from a series of targeted reviews of Structured Retail Products (SRPs). These reviews examined SRPs manufactured and distributed by investment firms in the MiFID investment sector. A number of areas were identified where further action is needed by firms to ensure their governance and oversight of SRPs keeps pace with an increasingly complex retail investment market, so that investors are appropriately protected.
 
The reviews found a number of poor practices and weaknesses in firms’ processes, which increase risks to investors. This includes failure by firms to consider potential difficulties investors may have in understanding the complex features involved in some SRPs; failing to present past performance information in a fair and balanced manner; and not including prominent capital at risk warnings in marketing materials.
 
Director of Consumer Protection, Colm Kincaid, said: “The retail investment market is changing rapidly, with an increasing shift away from traditional, capital protected products to more complex, capital at risk products. As complexity increases, so too do the risks to investors and the responsibilities regulated firms have to protect those investors’ best interests. Our recently published Outlook Report highlighted a number of risks for consumers from changing business practices and ineffective disclosures on investment products, as well as what we expect regulated firms to do to deal with those risks. The work we are publishing today builds on that Report.
 
“We carried out these reviews because we want to see that regulated firms meet high standards in how they design, manufacture and distribute complex investment products to retail investors. In particular, we want to see that complex investment products are designed with real investment needs in mind, that they are targeted only at investors with those needs and that the risks are properly explained. We are requiring firms to take action to improve their performance on each of these fronts, as well as highlighting good practices which we want to see emulated across the sector.”
 
The letter requires regulated firms to take action to identify a sufficiently granular target market for SRPs and to drive improvements in the quality and transparency of disclosures to investors of the risks relating to these products. In particular:

  • Given the increasingly complex nature of SRPs, it is essential that the assessment of the target market is done in a proportionate manner, one that considers the nature and complexity of the product. The more complex the SRP, the more onerous and granular the target market assessment must be.
  • Where complex features are proposed, firms must consider if they are appropriate for the retail market and whether they are likely to be understood by the target market. The approval of the use of such features should be subject to robust governance and challenge to ensure they are justified and in clients’ best interests and this should be clearly documented.
  • Where past performance (back-testing) information is presented, it must be fair and balanced, supported by clear narrative and context, and must not diminish the potential likelihood of capital loss. Care must be taken to avoid presenting an overly-optimistic or unbalanced picture of the likely investor outcomes.
  • Capital at Risk warnings must be in a prominent location in all marketing communications and advertisements.
  • In the case of complex products such as SRPs, special care is needed when designing and presenting marketing information to ensure that individual statements, as well as the tone and overall content when read together, remains clear, fair and not misleading. In particular, care must be taken to avoid presenting an overly-optimistic or unbalanced picture of the likely investor outcomes.
  • The risk that a product may be restructured must be disclosed to clients prior to sale.
 
The Central Bank expects firms to adhere to high standards of investor protection, acting in the best interests of investors at all times.  We continue to monitor developments in the retail investment market, and the findings of these reviews and the expectations set out in today’s letter will be considered as part of future supervisory engagements.
 
ENDS
Notes to Editors
  • The Markets in Financial Instruments Directive (MiFID II) governs the provision of investment services in financial instruments. It applies to investment firms, wealth managers, broker dealers, product manufacturers, and credit institutions authorised to carry out MiFID activities.
  • MiFID II Regulation 32(1)  requires firms that manufacture financial instruments to ensure those instruments are designed to meet the needs of an identified target market of end clients.
  • MiFID II Regulation 32(3) requires firms to ensure that all information addressed to clients is fair, clear and not misleading.
  • MiFID II Regulation 32(6) requires firms to ensure that information on financial instruments includes appropriate warnings of the risks associated with investing in those instruments.
  • MiFID II Commission Delegated Regulation Article 48(1) requires that, where providing clients with information about financial instruments, firms should include information regarding the functioning and performance in different market conditions, including both positive and negative conditions.

Source: Central Bank of Ireland, 22 April 2022

Central Bank review finds firms providing investment services need to improve suitability assessments

1/12/2021

UPDATE 22/04/2022: If the post below on suitability requirements is of interest, you should also look at our post of 22 April 2022 on the Central Bank's review findings on issues in the marketing of complex investment products.

Central Bank review finds firms providing investment services need to improve suitability assessments

  • Review examined firms’ compliance with the suitability requirements under MiFID II
  • Review finds areas for improvement and firms need to adopt a more client-focused approach
  • Firms required by the Central Bank to review their processes and put action plan in place for improvements

The Central Bank of Ireland has published a Dear CEO letter outlining the findings of a review of investment firms’ compliance with the suitability requirements under MiFID II. The review was conducted as part of a Common Supervisory Action (CSA) coordinated by the European Securities and Markets Authority (ESMA).

The purpose of the review was to assess firms’ compliance with the suitability requirements under MiFID II by simultaneously conducting supervisory activities throughout the EU/EEA. The findings, which are highlighted in ESMA’s recent public statement, incorporate the findings from the Central Bank’s own supervisory analysis, and engagement with other National Competent Authorities (NCAs).
When providing investment advice and/or portfolio management, firms are required to take all reasonable steps to ensure that a client’s investments align with their objectives and personal circumstances. This is a key measure to protect investors from the risk of purchasing unsuitable products.

The review identified evidence of positive practices, particularly where firms took a personalised and comprehensive approach to suitability assessments for their clients. However, it also identified instances where further action is required by firms. For example:
  • Firms need to take a more client focused approach, using tailored suitability assessments specific to their businesses and the needs and circumstances of their clients.
  • Firms must improve their assessment of clients’ knowledge and experience, financial situation and investment objectives, particularly information relating to clients’ financial situation and their capacity to withstand losses.
  • Firms must ensure suitability reports are sufficiently detailed and personalised to clients’ objectives and individual circumstances.
  • There is particular concern at the quality of firms’ oversight of cases where a client insists on proceeding with the transaction at their own initiative against the firm’s suitability advice. In such a case, clients should be clearly informed that the transaction is not considered by the firm to be suitable, including a clear explanation of the potential risks involved if the client proceeds.

The Central Bank will continue to engage with firms where specific supervisory actions have been imposed, which require firms to take specific action on foot of our findings.
In addition, the Central Bank is requiring all Irish authorised MiFID firms and credit institutions, who provide portfolio management and advisory services to retail clients, to conduct a thorough review of their individual sales practices and suitability arrangements. This review must be documented and must include details of actions taken to address findings in the ESMA public statement and this letter. This review should be completed, and an action plan discussed and approved by the board of each firm, by end of Q1 2022.

Director of Consumer Protection, Colm Kincaid, said: “Investing in an unsuitable investment product can lead to unexpected losses, which can have devastating consequences for individual investors and their families. Regulated firms play a key role in protecting consumers against this risk.

“However, the findings from this review show that regulated firms need to improve their performance when it comes to assessing the suitability of investment products they recommend or advise consumers to purchase. These assessments must be of high quality, based on a good understanding of the customer’s circumstances and capacity for financial loss, and properly documented.”

Source: Central Bank of Ireland, 01 December 2021

Dear CEO Letter - Thematic assessment of Algorithmic Trading Firms’ compliance with MIFID II (Central Bank of Ireland).

11/5/2021

The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings and expected Actions following a Thematic assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MIFID II. 

1. Governance – Deficient control and risk management frameworks:

Varying levels of maturity were observed with respect to firms’ governance, control and risk
management frameworks. Supervisors observed weaknesses with respect to:
  • i. The absence of formalised algorithm governance documentation;
  • ii. The lack of local entity autonomy, evidenced through minimal Board involvement in the setting or challenging of the key controls and in the oversight of the development of trading algorithms;
  • iii. The absence of regular, formalised reporting to the Board in relation to algorithms; and
  • iv. The significant reliance placed on Group resources without an appropriate level of formalised Group reporting lines.

The Central Bank considers the maintenance of a robust algorithmic governance and oversight
framework to be of paramount importance in enabling firms to identify, monitor and mitigate the
risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part
of its overall governance framework and decision-making framework, an investment firm should
have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit.


2. Development and Testing - Lack of formal documentation with respect to development, testing and deployment processes:

Supervisors observed strong development, testing and deployment controls. However, significant disparities were identified between firms with respect to the level of detail of the documentation on development, testing and deployment processes, most notably:
  • i. Firms were unable to provide sufficient detail with respect to their testing environments and how the parameters detailed in Article 5 of RTS 6 were embedded.
  • ii. There is a lack of adequate information in relation to testing environments used to assess the performance of algorithms, including assurance that trading algorithms:
    • a. would not contribute to disorderly trading conditions;
    • b. can continue to work effectively in stressed market conditions; and
    • c. where necessary under those conditions, can be disabled without contributing to disorderly trading.
  • iii. Where firms are part of larger groups, it was noted that strong reliance was placed on Group entities. While outsourcing the development of trading algorithms is permitted under MiFID II, the investment firms deploying trading algorithms must fully understand the development and testing processes and the subsequent controls required. Outsourcing arrangements must be supported by appropriate documentation at local entity level with respect to the development, testing and deployment processes, be subject to regular review by the appropriate control function and consider the parameters detailed in Article 5 of RTS 6.

3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence:

While it was evident that certain firms had appropriately skilled and resourced second lines of defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence model”. It is important that firms have a robust model in place, with clear delineation between each line, i.e. the business, the risk management functions and the internal audit function. Supervisors observed:
  • i. A blurring of lines between the first line, where the operation and implementation of risk management occurs, and second line management of risk, responsible for oversight of risk management, creating concerns around independence and appropriate separation of duties;
  • ii. Within the second line, a lack of clarity between the roles and responsibilities of Risk and Compliance, in some instances, may increase the likelihood for risks to go unidentified or identified risks to go unaddressed;
  • iii. An absence of a formalised plan regarding the steps taken by the Head of Compliance or first line in the event that the kill switch has been activated; and
  • iv. As required under Article 9 of RTS 6, all firms are required to conduct annual self-assessments and produce subsequent validation reports. Supervisors observed three common areas not sufficiently addressed by the majority of firms within the self-assessment:
    • a. The adequacy of governance arrangements;
    • b. The lack of appropriate detail with respect to testing methodologies applied and testing environments used; and
    • c. A lack of clarity with regard to the third line of defence and the role of Internal Audit in the self-assessment and validation process. As per Article 9(3) of RTS 6, Internal Audit should play a key role in the oversight of the self-assessment and validation process to ensure that the governance and conclusions reached are valid.

4. Trade Lifecycle Management – Lack of appropriate documentation with respect to pre and post-trade controls:

The presence of extensive pre and post-trade controls was evident during this Thematic Review; however:
  • i. These were not formally reflected in the firms’ policies and procedures, where supervisors identified a lack of adequate documentation regarding these controls and calculation of associated limits.
  • ii. Firms did not demonstrate appropriate compliance with Article 15 of RTS 6 with respect to the documentation of the application and usage of appropriate limits. This information must be formally documented within the firms’ algorithmic governance documentation.

Firms must have in place appropriate pre and post-trade controls that are commensurate to the
nature, scale and complexity of the entity and ensure that these controls are appropriately
documented.
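The pre-trade limits and kill switch that findings 3(iii) and 4 above say firms could not evidence, as an added example that is not part of the Central Bank letter or of this post: a small Python module in which the limits are explicit, reviewable configuration (the documented application and usage of limits the letter asks for under Article 15 of RTS 6), every order decision is written to an audit record, and kill-switch activation is logged with the actor and the reason. The limit types shown (price collar, maximum order value, maximum order volume, message rate) are the usual pre-trade checks; the instrument name, the limit values and the orders are constructed, and the class and function names are hypothetical.

```python
"""Added illustration of pre-trade controls with documented limits and a
logged kill switch. Hypothetical code: not from the Central Bank letter or
any firm. Instrument, limit values and orders are constructed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PreTradeLimits:
    """Per-instrument limits. Keeping them in one reviewable object is the
    'documentation of the application and usage of limits' the letter asks for."""
    price_collar_pct: float     # max |price - reference| / reference
    max_order_value: float      # notional cap per order (quantity * price)
    max_order_volume: int       # quantity cap per order
    max_messages_per_sec: int   # order messages allowed in a rolling second


@dataclass(frozen=True)
class Order:
    instrument: str
    side: str
    quantity: int
    price: float


class PreTradeControls:
    def __init__(self, limits: dict[str, PreTradeLimits],
                 reference_prices: dict[str, float]) -> None:
        self.limits = limits
        self.reference_prices = reference_prices
        self.kill_switch_active = False
        self._message_times: deque[float] = deque()
        self.audit_log: list[dict] = []   # every decision, for the second and third line

    def activate_kill_switch(self, reason: str, actor: str) -> None:
        """The finding was a missing plan for what follows activation; the least a
        firm needs is a record of who pulled the switch, when and why."""
        self.kill_switch_active = True
        self.audit_log.append({"event": "kill_switch", "actor": actor, "reason": reason})

    def check(self, order: Order, now: float) -> tuple[bool, list[str]]:
        """Return (accepted, reasons). 'now' is a monotonic timestamp in seconds,
        passed in by the caller so the rate check is deterministic and testable."""
        reasons: list[str] = []
        if self.kill_switch_active:
            reasons.append("kill switch active: no new orders")
            return self._record(order, reasons)

        limits = self.limits.get(order.instrument)
        if limits is None:
            # Trading an instrument with no documented limits is itself a control gap.
            reasons.append(f"no documented limits for {order.instrument}")
            return self._record(order, reasons)

        ref = self.reference_prices[order.instrument]
        if abs(order.price - ref) / ref > limits.price_collar_pct:
            reasons.append("price outside collar")
        if order.quantity * order.price > limits.max_order_value:
            reasons.append("order value above limit")
        if order.quantity > limits.max_order_volume:
            reasons.append("order volume above limit")

        # Message rate: every submission counts, accepted or not, in a 1-second window.
        self._message_times.append(now)
        while self._message_times and self._message_times[0] <= now - 1.0:
            self._message_times.popleft()
        if len(self._message_times) > limits.max_messages_per_sec:
            reasons.append("message rate above limit")

        return self._record(order, reasons)

    def _record(self, order: Order, reasons: list[str]) -> tuple[bool, list[str]]:
        accepted = not reasons
        self.audit_log.append({"event": "order", "order": order,
                               "accepted": accepted, "reasons": list(reasons)})
        return accepted, reasons


if __name__ == "__main__":
    # Constructed limits for one constructed instrument.
    ctl = PreTradeControls({"ACME": PreTradeLimits(0.05, 100_000.0, 5_000, 3)},
                           {"ACME": 10.0})
    print(ctl.check(Order("ACME", "buy", 100, 10.2), now=0.0))
    print(ctl.check(Order("ACME", "buy", 20_000, 10.0), now=0.1))
    ctl.activate_kill_switch("disorderly market conditions", "head of trading")
    print(ctl.check(Order("ACME", "buy", 1, 10.0), now=0.2))
```

The shape matters more than the numbers: the `PreTradeLimits` objects are what the second line reviews and the self-assessment under Article 9 cites, and `audit_log` is the evidence Internal Audit validates; thresholds would be set per instrument and per firm in practice.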

Actions
As a result of the findings of this thematic review, the Central Bank has engaged with the
investment firms where specific concerns have been identified, issuing risk mitigation programmes
to address these specific issues.

The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this
letter, where applicable and take all remedial action necessary to ensure that they have the
appropriate control and oversight in place with respect to algorithmic trading and that the
requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in
conjunction with the joint ESMA and European Banking Authority (“EBA”) Guidelines on the
assessment of suitability of members of the management body and key function holders; EBA
Guidelines on internal governance; and the Central Bank’s Outsourcing: Findings & Issues for
Discussion.

The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks
arising from algorithmic trading and will have regard to the contents of this letter when conducting
future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with
the regulatory requirements associated with algorithmic trading, the Central Bank may, in the
course of future supervisory engagement, or when exercising its supervisory and/or enforcement
powers in respect of such non-compliance, have regard to the consideration given by a firm to the
matters raised in the letter. 

Background:

The Central Bank of Ireland (“Central Bank”) undertook a thematic review to assess how firms
undertaking algorithmic trading have incorporated within their risk management and control
frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 (“RTS 6“)
supplementing Directive 2014/65/EU (“MIFID II”). The purpose of this letter is to provide
background to our assessment, highlight the key findings of this review and outline the expectations
of the Central Bank in relation to the governance, testing and controls surrounding algorithmic
trading.

Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms,
information technology (“IT”) systems and processes. In recent years, a number of significant
algorithmic trading failures have resulted in substantial losses, fines and reputational damage for
firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to
ensure risk management and control frameworks in respect of algorithmic trading are
appropriately embedded and are operating to a high standard. RTS 6 provides a framework to
mitigate these, and other risks, through the requirement to maintain effective systems, procedures,
arrangements and controls.

This thematic review focused on the five principal areas underpinned by the requirements set out
in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and
Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management.

The Central Bank noted many positive practices, including the presence of experienced, competent
professionals across the first and second lines of defence, in addition to a comprehensive suite of
controls in terms of monitoring, development, testing and deployment of trading algorithms.
Notwithstanding this, supervisors also identified varying levels of maturity and a number of
concerns across governance, control and risk management frameworks of in scope entities. A full
list of the practices observed is noted in Appendix 1 of this letter. The key concerns arising from
the review include:

i. An over-reliance on service providers with a lack of demonstrable autonomy at regulated entity level. This was evidenced through a distinct absence of entity Board oversight in setting or challenging the key controls and in the oversight of the development of trading algorithms.
ii. Insufficient formality with respect to key documentation. This was evidenced through a lack of appropriate documentation in relation to algorithmic trading controls and procedures. This speaks to this sector being at the early stages of maturity and also the extent to which firms leverage Group documentation, where relevant, which creates a possibility that entity specific risk may be overlooked.
iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate delineation between the “Three Lines of Defence”. This is a consequence of a combination of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the non-specific nature for managing risks associated with algorithmic trading in certain firms.

These do not align with a comprehensive and effective implementation of the requirements set out in RTS 6.

Irish Bank, Bank of Ireland, fined €1,660,000 over cyber-fraud and misleading the Irish Regulator

28/7/2020

Enforcement Action Notice: The Governor and Company of the Bank of Ireland fined €1,660,000 and reprimanded by the Central Bank of Ireland for regulatory breaches causing loss to a client and for misleading the Central Bank in the course of the investigation

Summary:

Here is a blueprint for inviting an enforcement action for cyber-fraud and misleading your regulator, drawn from the €1,660,000 fine imposed on Bank of Ireland announced today.

What did Bank of Ireland do wrong?:

1) failed to implement sound administrative procedures & internal control mechanisms in respect of third party payments.

2) failed to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

3) failed to establish, implement & maintain systems & procedures adequate to safeguard the security, integrity & confidentiality of client bank account details.

4) failed to establish, implement & maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Sec. 19 of the Criminal Justice Act 2011.

5) failed to monitor adequacy & effectiveness of the measures & procedures put in place & the actions taken to address any deficiencies in respect of third party payments.

6) failed to be open & transparent, having the effect of misleading the Central Bank in the course of the investigation.

Facts of Matter according to Central Bank of Ireland:

On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).  BOI has admitted the breaches, which vary in length from one to ten years.

In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident).  Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds.  BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log. 

BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident.

The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:
  • Inadequate systems and controls to minimise the risk of loss from fraud
  • Inadequate governance, oversight and ongoing review of the systems and control environment
  • Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
  • Lack of compliance monitoring.

BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments.  During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case.

This is one of two aggravating factors in this case; the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies.  Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention.  In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings.  BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice.  BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter.  Reporting illegal activity is essential in the fight against financial crime.

This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security.  The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.

The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”

BACKGROUND
Founded in 1989, BOIPB was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act, 1995 (the 1995 Act) on 26 May 2000.  This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007.
At the time of the cyber-fraud, BOIPB was an independently regulated MiFID firm and its primary activity was to provide investment services to high net worth individuals who had investable assets in excess of €1,000,000. In addition, BOIPB provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI.

Since 1 September 2017, BOIPB is no longer a MiFID firm and is now a business unit within the Retail Division of BOI. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its services are authorised by the Central Bank of Ireland under the licence of BOI, a regulated financial service provider for the purposes of the Central Bank Act 1942.  BOIPB’s audited financial statements for the year ended 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000.

THE CYBER-FRAUD
Third party payment instructions were processed by BOIPB with particular reference to a procedure called the Third Party Payments Procedure (the TPPP), which outlined steps to be followed to verify a client’s identity before processing a third party payment instruction. 

BOIPB processed two separate payment instructions received in September 2014, purportedly from a client (the Client), which in fact were sent by a cyber-fraudster (the Fraudster) who had hacked the Client’s e-mail account.  This led to two transfers totalling €106,430 to be transmitted to a corporate bank account at a UK bank.  The first transfer was drawn from the Client’s current account, and the second transfer was drawn, at the instigation and authorisation of BOIPB, from BOIPB’s suspense account because the payment from the Client’s deposit account was rejected due to insufficient funds.

The Client made contact with BOIPB and notified it of the fraud on 30 September 2014, on receipt of an e-mail from BOIPB indicating recent communications (which were unfamiliar to the Client).  The Client was immediately reimbursed by BOIPB.

To facilitate the instructions received from the Fraudster, BOIPB staff, in breach of BOIPB’s policies and procedures:
  • Released confidential account details to the Fraudster in response to an email request
  • Did not ask security questions of the Fraudster when taking transfer instructions and responding to requests for account balances over the telephone
  • Did not use the telephone number held for the Client on BOIPB’s database, instead speaking to the Fraudster on a telephone number provided in a fraudulent e-mail instruction
  • Did not have a second staff member complete a call-back to verify the request.

The Fraudster used the following tactics:
  • “Email hijacking”: hacking the Client’s e-mail account and re-directing e-mails coming from BOIPB to a mirror image e-mail account secretly set up by the Fraudster to intercept communications coming from BOIPB in relation to the fraudulent payment requests
  • “Social engineering”: in communications with BOIPB staff, making reference to the purchase of a property, the name of the Client’s solicitor, and similar terminology to that used by the Client in other emails.

BOIPB did not identify certain flags which could have been indicative of fraud:
  • The Fraudster used the expression “Ireland Account” when referring to the Client’s current account
  • One email sent by the Fraudster from the Client’s email account to BOIPB staff was signed off with an entirely different name than the name of the Client. The name used was that of an unrelated client of BOIPB. The BOIPB recipient of the email did not pick up this discrepancy, or if he did, did not query it
  • The fraudulent instructions were suspicious in nature. They included: incorrect telephone details; the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.
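The controls BOIPB staff skipped and the red flags they missed, as listed above, map directly onto a screening routine for e-mailed third-party payment instructions. The following Python is an added example, not part of the Central Bank's notice or of BOIPB's procedure; the client record fields, the €25,000 "substantial transfer" threshold and the sample client and instructions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HIGH_VALUE_EUR = 25_000.0          # assumed threshold for a "substantial" transfer
REPEAT_WINDOW = timedelta(days=2)  # notice: second transfer within two days of the first


@dataclass
class ClientRecord:
    """What the firm holds on file for the client (constructed fields)."""
    name: str
    phone_on_file: str
    residence_country: str          # e.g. "IE"
    balance_eur: float
    recent_high_value: list         # dates of earlier high-value transfers


@dataclass
class Instruction:
    """A third-party payment instruction as received by e-mail."""
    received: date
    signed_as: str                  # name the e-mail was signed off with
    callback_phone: str             # number quoted in the e-mail, "" if none
    amount_eur: float
    beneficiary_country: str


def red_flags(client: ClientRecord, instr: Instruction) -> list:
    """Return the indicators of fraud named in the notice that this instruction trips."""
    flags = []
    if instr.signed_as.strip().casefold() != client.name.strip().casefold():
        flags.append("sign-off name differs from the client of record")
    if instr.callback_phone and instr.callback_phone != client.phone_on_file:
        flags.append("telephone number in e-mail differs from the number on file")
    if instr.amount_eur > client.balance_eur:
        flags.append("amount exceeds the account balance")
    recent = [d for d in client.recent_high_value
              if timedelta(0) <= instr.received - d <= REPEAT_WINDOW]
    if instr.amount_eur >= HIGH_VALUE_EUR and recent:
        flags.append("second high-value transfer within two days of an earlier one")
    if instr.beneficiary_country != client.residence_country:
        flags.append("funds remitted outside the client's country of residence")
    return flags


def authorise(client, instr, *, called_back_number_on_file,
              security_questions_passed, second_staff_verified):
    """Apply the procedural controls BOIPB staff skipped, then the red flags.

    A skipped control blocks the payment outright; a red flag holds the
    instruction for review instead of straight-through processing.
    Returns (approved, reasons)."""
    reasons = []
    if not called_back_number_on_file:
        reasons.append("CONTROL: no call-back to the telephone number held on file")
    if not security_questions_passed:
        reasons.append("CONTROL: security questions not asked or not passed")
    if not second_staff_verified:
        reasons.append("CONTROL: no independent check by a second staff member")
    reasons.extend("FLAG: " + f for f in red_flags(client, instr))
    return (not reasons), reasons


# Constructed sample data, loosely mirroring the pattern the notice describes.
CLIENT = ClientRecord(name="Client A", phone_on_file="+353-1-000-0000",
                      residence_country="IE", balance_eur=50_000.0,
                      recent_high_value=[date(2014, 9, 24)])
FRAUDULENT = Instruction(received=date(2014, 9, 26), signed_as="Client B",
                         callback_phone="+44-20-0000-0000", amount_eur=60_000.0,
                         beneficiary_country="GB")
GENUINE = Instruction(received=date(2014, 9, 26), signed_as="client a",
                      callback_phone="", amount_eur=10_000.0,
                      beneficiary_country="IE")
```

Run against `FRAUDULENT`, the screening trips all five indicators the notice lists, and a missing call-back or second-staff check blocks even an otherwise clean instruction.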
PRESCRIBED CONTRAVENTIONS
The Central Bank investigation identified the following contraventions:

Contravention 1
BOIPB breached Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to implement sound administrative procedures and internal control mechanisms in respect of third party payments.

The Central Bank’s investigation found that the TPPP was wholly inadequate for the purposes of safeguarding client deposits when processing third party payments.  In particular, key procedural, security and authorisation steps were not outlined in the document. Staff did not receive adequate training on the processing of third party payments to ensure they were fully aware of how to safely process these payments.

Contravention 2
BOIPB breached Regulation 160(2)(f) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

The serious weaknesses in the process around third party payments, which had existed for some time, should have been known to management through proper governance, oversight and monitoring. There was no monitoring of third party payments by the first or second lines of defence. Furthermore, the recommendations of the first internal report commissioned by BOIPB in relation to this matter, dated December 2014, were not acted on. Similar weaknesses were identified in a second internal report in January 2016. Remediation of the issues identified in both reports did not take place until February 2016. 

Contravention 3
BOIPB breached Regulation 34(3)(a) of the MiFID Regulations between 1 November 2007 and 2 January 2018 by failing to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details.

The investigation found that for the purposes of customer service, BOIPB staff frequently engaged with private clients through e-mail.  E-mail communication, because it is more vulnerable to infiltration by fraudsters than other forms of communication, needs to incorporate additional checks before being acted upon. By failing to identify and provide for this, BOIPB failed to safeguard the security, integrity and confidentiality of information relating to client bank accounts.

Contravention 4
BOIPB breached Regulation 34(1)(c) of the MiFID Regulations between 30 September 2014 and 16 December 2015 by failing to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Section 19 of the Criminal Justice Act 2011.  

BOIPB reported the Incident to its Group Financial Crime Unit (GFCU) on 1 October 2014. GFCU, on behalf of BOIPB, did not report the Incident to An Garda Síochána until December 2015, and then only at the instigation of the Central Bank.

Contravention 5
BOIPB breached Regulation 35(2)(c) of the MiFID Regulations by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, BOIPB’s Compliance function failed to monitor, and on a regular basis to assess the adequacy and effectiveness of the measures and procedures put in place and the actions taken to address any deficiencies in respect of third party payments.

The TPPP included a requirement that ad-hoc monitoring of third party payments be carried out by the Compliance function. The investigation found that throughout the period November 2013 to May 2016, no ad-hoc monitoring of third party payments was in fact carried out.
This failure persisted despite two internal reports highlighting the absence of monitoring and the systemic non-adherence to the TPPP.

BOIPB’S RESPONSE TO THE CYBER-FRAUD AND REMEDIATION
The Central Bank expects firms to promptly remediate known deficiencies in their procedures and internal control mechanisms.  BOIPB failed to do so.

Following the Incident, the BOI Group Internal Audit function (GIA) investigated how it had occurred. GIA set out its findings in a report in December 2014, which pointed to systemic failings in the processing of third party payments. GIA strongly recommended that BOIPB carry out sampling to verify the authenticity of other “high-value interpays”. BOIPB failed to do this. GIA further recommended that, at a minimum, the procedure in place relating to third party payments should be enhanced to clarify roles and responsibilities for authenticating and approving third party payments. Again, BOIPB failed to do this. The procedure remained unchanged until February 2016.
In March 2015, BOIPB commissioned a further internal review, this time by BOI Retail Business Assurance (RBA) centred on BOIPB’s procedures for processing third party payments.

Separately, following the Full Risk Assessment (the FRA) conducted in 2015, the Central Bank informed BOIPB that improvements in relation to third party payment processes would be part of the subsequent RMP arising from the FRA as the process in place was “not robust enough”.  The RMP was issued in February 2016, which set out the Central Bank’s expectations in relation to the actions needed to improve the third party payment process.

RBA issued its findings in draft to BOIPB in January 2016 (the RBA Report).  Following an assessment of a sample of third party payment records, RBA concluded that the same issues identified in December 2014 persisted, namely that client identification questions were not consistently being asked of clients as well as other deficiencies in the third party payment process.

BOIPB updated and revised the TPPP in February 2016. The RBA Report was signed-off in June 2016.  In August 2016, the Central Bank determined that the full RMP was completed.

BOIPB’S COOPERATION WITH THE CENTRAL BANK
The Central Bank expects regulated entities to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately.

When the Central Bank’s investigation commenced in February 2016, BOIPB possessed the RBA Report which contained highly critical findings in relation to the processing of third party payments. As such, it was highly probative to the Central Bank’s investigation.

The Central Bank issued a request for records in February 2016. BOIPB should have provided a copy of the RBA Report when it responded to this request in April 2016. BOIPB failed to do so; instead, it included one vague narrative reference to a risk assessment of banking activities (making no reference to a “report” or to the fact that it related to third party payments specifically) within a document accompanying the records it supplied in response to the Central Bank’s request.
BOIPB disclosed the RBA Report to the Central Bank 19 months after the commencement of its investigation in response to a Central Bank statutory request explicitly requiring production of the record BOIPB had described as a “risk assessment”.  It was only when the document was disclosed and reviewed that its true nature and content became apparent to the Central Bank. 

The Central Bank conducted lengthy enquiries as to the circumstances around BOIPB’s failure to promptly disclose the RBA Report and the following arose:
  • BOIPB held the RBA Report back as it was in “draft format”
  • BOIPB decided not to proactively provide the RBA Report to the Central Bank following its signing-off in June 2016.  Instead, it would provide the signed-off report to the Central Bank only if specifically requested to do so
  • Notwithstanding BOIPB’s acceptance of the recommendations of the RBA Report, in the course of the Central Bank’s investigation:
      • BOIPB made no reference to the existence of the RBA Report or its highly critical findings until after it was provided to the Central Bank in September 2017; and
      • Until May 2018, BOIPB denied that there were any deficiencies whatsoever in its third party payment processes, despite the manifestly contrary findings of the RBA Report, available since January 2016.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case.

The Nature, Seriousness and Impact of the Contravention
  • The contraventions revealed serious weaknesses of the management systems and internal controls relating to the processing of third party payments. The Central Bank, at a minimum, expects that firms ensure that there are comprehensive written procedures and robust internal controls, with effective and appropriate oversight and governance afforded to these. BOIPB had a responsibility to have adequate controls in place to protect its clients’ deposits, and those controls were not sound.
  • There was an actual loss of client deposits and the continued exposure of those deposits to potential loss.
  • The breaches spanned the lengthy period from November 2007 to January 2018.

The Conduct of the Regulated Entity after the Contravention

Aggravating
  • BOIPB’s level of cooperation was far below what is expected.  BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request.  It also provided information to the Central Bank that was imprecise and vague.  The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.
  • BOIPB did not take remedial action in a timely manner to address the contraventions despite knowledge of the severity of the deficiencies and the attendant risk of further loss to client deposits.

Other Considerations
  • The financial position of BOIPB (prior to being merged into BOI on 1 September 2017) and the need to impose a proportionate level of penalty.

The Central Bank confirms that the investigation is now closed.
NOTES
  1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
  2. This is the Central Bank’s 137th settlement since 2006 under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €105 million.
  3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts.  The penalties are not included in general Central Bank revenue.
  4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link. 
  5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure (see link above) and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.
  6. The European Communities (Markets in Financial Instruments) Regulations 2007 (S.I. No. 60 of 2007) were repealed and replaced by the European Union (Markets in Financial Instruments) Regulations 2017 (S.I. No. 375 of 2017), which are available here: link, and the European Union (Markets in Financial Instruments) (Amendment) Regulations 2017 (S.I. No. 614 of 2017), which are available here: link.
  7. Bank of Ireland Private Banking Limited  merged into The Governor and Company of the Bank of Ireland on 1 September 2017.
  8. On 22 September 2015, the Central Bank sent a Dear CEO letter following its review of the management of operational risk around cyber-security within the investment firm and funds industry that is here: link On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link
  9. On 10 March 2020, the Central Bank issued an industry letter for the attention of all Board members and Senior Management of asset management firms and published the findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms: link

Further information:
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 086 463 9652


New E-Money Institutions authorised in Ireland (June 2020)

1/7/2020

CompliReg is proud to power the Official Fintech Ireland Map 2020.

We are now powering the Regulated Fintech Ireland Map version 2, which showcases the payment services directive and electronic money directive firms authorised by the Central Bank of Ireland. Joining this Map in 2020 are two new e-money firms (hopefully the first of many more to come), Squareup International Limited (“Square”) and Moneycorp.

Ireland now has:
  • 18 authorised payments firms,
  • 3 registered AISPs, and
  • 14 authorised emoney firms.

In addition to issuing emoney, Square is authorised to provide payment services number 3b (execution of payment transactions through a payment card or a similar device) and number 5 (issuing of payment instruments and/or acquiring of payment transactions).  

Although Moneycorp is yet to appear on the Central Bank of Ireland register, Moneycorp confirmed to us that it is also authorised to provide payment services 3b and 5 and, in addition, 3c (execution of credit transfers, including standing orders). Moneycorp has been fairly busy: in addition to its emoney authorisation, it also secured a MiFID authorisation. By the way, AFEX, which was authorised as a payment institution in 2019, also secured a MiFID licence. Expect to see more firms seek both an emoney/payments authorisation and a MiFID one.

Moneycorp’s Dublin office, which opened in 2013, has operated as a branch of its UK regulated entities. Moneycorp says that, as part of its strategic response to Brexit and wider market developments, it has now secured its e-money and MiFID licences from the Central Bank of Ireland for a newly established Irish company. Bryan McSharry, chief executive of Moneycorp’s European business, said the licences ensured it could “continue to support our existing customer base, continue to grow our business in Ireland and expand our business across the EU in a post-Brexit environment”.


They are:
Payments Firms:
AIB Merchant Services, Western Union, Fexco, CurrencyFair.com, TransferMate Global Payments, #Fire, CUSOP (Payments) Ltd, #PrimaFinance, Avantcard, Barclaycard, #Chasepaymentech, Google Pay, #smallworld, AFEX, BUREAU BUTTERCRANE LTD, Remitly, J.P. Morgan, Circit.io, Xpress Money, CRIF & Finclude (fka. Verge.Capital)

Emoney Firms:
EML, Facebook, Soldo, Optal, Paysafe Group, paysafecard.com, Prepaid Financial Services Limited (PFS), #foreigncurrencydirect, Stripe, Coinbase, One4all Group, Payoneer, Square and Moneycorp.

Congratulations Moneycorp and Square and welcome to the thriving regulated Irish fintech ecosystem.

If you are looking to get authorised in Ireland as an emoney or payments firm, see these Authorisation Guides. 


Read Moneycorp's press release below.

​Moneycorp secures its E-Money and MiFID licences in Ireland
 
New Irish entity, licenced by Central Bank of Ireland, to drive expansion across EU
 
Moneycorp to build on €3 billion of transactions executed for Irish clients in 2019
 
Dublin, 1 July 2020 | Moneycorp Group, the global foreign exchange and payments business has been granted its Electronic Money Institution (E-Money) and MiFID licences by the Central Bank of Ireland (CBI), further bolstering its offering and expansion in the European Union (EU).
 
Moneycorp is one of the world’s largest specialist foreign exchange companies, serving corporates and individuals across multiple channels since 1979. Headquartered in London, Moneycorp opened its Dublin office in 2013 to provide corporate clients with foreign exchange and payment services over its market leading on-line platform as well as directly from its Dublin dealing room.
 
Since launch, the Dublin office has operated as a branch of the Group’s UK regulated entities, however, as part of Moneycorp’s strategic response to Brexit and wider market developments, it has now secured its E-money and MiFID licences from the CBI for a newly established Irish company; Moneycorp Technologies Limited (MTL).
 
Bryan McSharry, CEO of Moneycorp’s European business, said: “We are delighted to have secured both E-money and MiFID licences from the Central Bank of Ireland. This ensures we can continue to support our existing customer base; continue to  grow our business in Ireland; and expand our business across the EU in a post Brexit environment.”
 
“Since launching in Dublin in 2013, we have built a strong corporate and individual customer base of Irish clients – based on our ability to provide best in class foreign exchange services across our market-leading technology platform. We completed €3 billion of transactions for Irish clients in 2019 and we will build on that in 2020 and beyond. Our CBI licences will enable us to continue to expand our business and headcount in Ireland and offer our market-leading service to a vastly increased customer base across the EU.”
 
About Moneycorp Group
Moneycorp Group is a global foreign exchange and payments business with offices in the UK, USA, Brazil, Hong Kong, Spain, Gibraltar, Romania, Australia, the UAE and Ireland.
 
With a forty year record of outstanding customer service, today the Moneycorp group serves the growing foreign exchange and payments needs of global businesses, importers and exporters as well as personal clients.
 
W: www.moneycorp.com
L: linkedin.com/company/moneycorp/
T: @moneycorp
I: instagram.com/moneycorp/
© CompliReg.com   Dublin 2, Ireland  ph +353 1 639 2971 
|  www.complireg.com  |  officeATcomplireg.com [replace AT with @]

Photo from Got Credit