Not long after the European Union’s top court ordered Ireland on 16 July 2020 to pay a lump sum of €2 million to the European Commission for Ireland's failure to implement regulations aimed to prevent money laundering and terrorist financing, a new law aimed at strengthening existing Irish anti-money laundering legislation and giving effect to provisions of the 5th EU Money Laundering Directive has been approved by the Cabinet of the Irish Government.

On Monday 10th August 2020, the Cabinet has approved the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020.  This follows the signing into law by the President of Ireland on 5th May 2020 of the earlier Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (Act 6 of 2010) [previously known as the Criminal Justice (Money Laundering and Terrorist Financing) Bill 2009 (Bill 55 of 2009)].

If you need advice on the new Bill or your existing regulatory compliance obligations, get i touch with Peter Oakes here at at CompliReg.  

Useful Links: 

• 10th August 2020, Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 [will insert link once copy of new Bill located]
• 10th August 2020, Announcement of 2020 Bill receiving Cabinet Approval
• 16th July 2020, EU court fines Ireland €2m over delay in anti-money laundering rules
• 5th May 2020, Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (Act 6 of 2010)
• 5th May 2020, History of Act 6 of 2020
• 13th August 2020, LinkedIN post 
• Central Bank of Ireland AML/CFT Regulation Page

The Minister for Justice and Equality, Helen McEntee T.D., has received Cabinet approval for the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020. The Bill transposes the criminal justice elements of the 5th EU Money Laundering Directive and strengthens existing legislation.

Upon announcing the new Bill, the Minister McEntee said, "I look forward to bringing this legislation before my colleagues in both Houses, and anticipate that this Bill will receive broad, cross-party support."

What does the Bill contain?

The Bill includes provisions to:

• improve the safeguards for financial transactions to and from high-risk third countries and sets new limits on the use of anonymous pre-paid cards;
• bring a number of new ‘designated bodies’ under the existing legislation, this includes virtual currency providers and associated online ‘wallet providers’ for virtual currencies as well as dealers and intermediaries in the art trade;
• prevents credit and financial institutions from creating anonymous safe-deposit boxes;
• enhance the customer due diligence (CDD) requirements of the existing legislation;
• provide for Ministerial guidance which will clarify domestic “prominent public functions.

 
The Minister also noted that: "This Bill is an important piece of legislation for tackling money-laundering. The reality is that money laundering is a crime that helps serious criminals and terrorists to function, destroying lives in the process. Criminals seek to exploit the EU’s open borders, and EU-wide measures are vital for that reason.

This new legislation also includes a number of technical amendments to other provisions of Acts already in force."

While the Bill transposes certain elements of the 5th Anti-Money Laundering Directive, the Department of Finance is also engaged in giving effect to certain provisions of the Directive, including those relating to:

• facilitating increasing transparency on who really owns corporate entities, financial vehicles and trusts by establishing beneficial ownership registers;
• ensure the creation of, and access to, centralised national bank and payment account registers or central data retrieval

The Minister for Finance (Paschal Donohue, T.D.) has also secured Government Approval to bring forward amendments in respect of the regulation of Virtual Asset Service Providers (VASPs). The amendments will ensure that the necessary registration and fitness and probity regime, required by 5AMLD for virtual asset service providers, become statutory requirements. Amendments will also address Ireland’s international obligations, relating to a robust regulatory framework for new technologies, new products and new practices, as identified by the Financial Action Task Force (FATF).

Here's a blueprint for inviting an enforcement action for cyber-fraud & misleading your regulator arising from Bank of Ireland's fine €1,660,000 announced today. [Linkedin Post Here]

What did Bank of Ireland do wrong?:

1) failed to implement sound administrative procedures & internal control mechanisms in respect of third party payments.

2) failed to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

3) failed to establish, implement & maintain systems & procedures adequate to safeguard the security, integrity & confidentiality of client bank account details.

4) failed to establish, implement & maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Sec. 19 of the Criminal Justice Act 2011.

5) failed to monitor adequacy & effectiveness of the measures & procedures put in place & the actions taken to address any deficiencies in respect of third party payments.

6) failed to be open & transparent, having the effect of misleading the Central Bank in the course of the investigation.

On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).  BOI has admitted the breaches, which vary in length from one to ten years.

In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident).  Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds.  BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log. 

BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident.
​
The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:

• Inadequate systems and controls to minimise the risk of loss from fraud
• Inadequate governance, oversight and ongoing review of the systems and control environment
• Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
• Lack of compliance monitoring.

BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments.  During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case.

This is one of two aggravating factors in this case; the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies.  Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention.  In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings.  BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice.  BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter.  Reporting illegal activity is essential in the fight against financial crime.

This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security.  The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.

The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”

BACKGROUND
Founded in 1989, BOIPB was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act, 1995 (the 1995 Act) on 26 May 2000.  This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007.
At the time of the cyber-fraud, BOIPB was an independently regulated MiFID firm and its primary activity was to provide investment services to high net worth individuals who had investable assets in excess of €1,000,000. In addition, BOIPB provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI.

Since 1 September 2017, BOIPB is no longer a MiFID firm and is now a business unit within the Retail Division of BOI. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its services are authorised by the Central Bank of Ireland under the licence of BOI, a regulated financial service provider for the purposes of the Central Bank Act 1942.  BOIPB’s audited financial statements for the year ended 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000.

THE CYBER-FRAUD
Third party payment instructions were processed by BOIPB with particular reference to a procedure called the Third Party Payments Procedure (the TPPP), which outlined steps to be followed to verify a client’s identity before processing a third party payment instruction. 

BOIPB processed two separate payment instructions received in September 2014, purportedly from a client (the Client), which in fact were sent by a cyber-fraudster (the Fraudster) who had hacked the Client’s e-mail account.  This led to two transfers totalling €106,430 to be transmitted to a corporate bank account at a UK bank.  The first transfer was drawn from the Client’s current account, and the second transfer was drawn, at the instigation and authorisation of BOIPB, from BOIPB’s suspense account because the payment from the Client’s deposit account was rejected due to insufficient funds.

The Client made contact with BOIPB and notified it of the fraud on 30 September 2014, on receipt of an e-mail from BOIPB indicating recent communications (which were unfamiliar to the Client).  The Client was immediately reimbursed by BOIPB.

To facilitate the instructions received from the Fraudster, BOIPB staff, in breach of BOIPB’s policies and procedures:

• Released confidential account details to the Fraudster in response to an email request
• Did not ask security questions of the Fraudster when taking transfer instructions and responding to requests for account balances over the telephone
• Did not use the telephone number held for the Client on BOIPB’s database, instead speaking to the Fraudster on a telephone number provided in a fraudulent e-mail instruction
• Did not have a second staff member complete a call-back to verify the request.

The Fraudster used the following tactics:

• “Email hijacking”: hacking the Client’s e-mail account and re-directing e-mails coming from BOIPB to a mirror image e-mail account secretly set up by the Fraudster to intercept communications coming from BOIPB in relation to the fraudulent payment requests
• “Social engineering”:  in communications with BOIPB staff, making reference to the purchase of a property, the name of the Client’s solicitor, and similar terminology to that used by the Client in other emails.
• BOIPB did not identify certain flags which could have been indicative of fraud.
• The Fraudster used the expression “Ireland Account” when referring to the Client’s current account
• One email sent by the Fraudster from the Client’s email account to BOIPB staff was signed off with an entirely different name than the name of the Client.  The name used was that of an unrelated client of BOIPB.  The BOIPB recipient of the email did not pick up this discrepancy, or if he did, did not query it
• The fraudulent instructions were suspicious in nature. They included: incorrect telephone details; the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.

 
PRESCRIBED CONTRAVENTIONS
The Central Bank investigation identified the following contraventions:

Contravention 1
BOIPB breached Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to implement sound administrative procedures and internal control mechanisms in respect of third party payments.

The Central Bank’s investigation found that the TPPP was wholly inadequate for the purposes of safeguarding client deposits when processing third party payments.  In particular, key procedural, security and authorisation steps were not outlined in the document. Staff did not receive adequate training on the processing of third party payments to ensure they were fully aware of how to safely process these payments.

Contravention 2
BOIPB breached Regulation 160(2)(f) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

The serious weaknesses in the process around third party payments, which had existed for some time, should have been known to management through proper governance, oversight and monitoring. There was no monitoring of third party payments by the first or second lines of defence. Furthermore, the recommendations of the first internal report commissioned by BOIPB in relation to this matter, dated December 2014, were not acted on. Similar weaknesses were identified in a second internal report in January 2016. Remediation of the issues identified in both reports did not take place until February 2016. 

Contravention 3
BOIPB breached Regulation 34(3)(a) of the MiFID Regulations between 1 November 2007 and 2 January 2018 by failing to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details.

The investigation found that for the purposes of customer service, BOIPB staff frequently engaged with private clients through e-mail.  E-mail communication, because it is more vulnerable to infiltration by fraudsters than other forms of communication, needs to incorporate additional checks before being acted upon. By failing to identify and provide for this, BOIPB failed to safeguard the security, integrity and confidentiality of information relating to client bank accounts.

Contravention 4
BOIPB breached Regulation 34(1)(c) of the MiFID Regulations between 30 September 2014 and 16 December 2015 by failing to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Section 19 of the Criminal Justice Act 2011.  

BOIPB reported the Incident to its Group Financial Crime Unit (GFCU) on 1 October 2014. GFCU, on behalf of BOIPB, did not report the Incident to An Garda Síochána until December 2015, on the instigation of the Central Bank.

Contravention 5
BOIPB breached Regulation 35(2)(c) of the MiFID Regulations by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, BOIPB’s Compliance function failed to monitor, and on a regular basis to assess the adequacy and effectiveness of the measures and procedures put in place and the actions taken to address any deficiencies in respect of third party payments.

The TPPP included a requirement that ad-hoc monitoring of third party payments be carried out by the Compliance function. The investigation found that throughout the period November 2013 to May 2016, no ad-hoc monitoring of third party payments was in fact carried out.
This failure persisted despite two internal reports highlighting the absence of monitoring and the systemic non-adherence to the TPPP.

BOIPB’S RESPONSE TO THE CYBER-FRAUD AND REMEDIATION
The Central Bank expects firms to promptly remediate known deficiencies in their procedures and internal control mechanisms.  BOIPB failed to do so.

Following the Incident, BOI Group Internal Audit function (GIA) investigated how it had occurred. GIA produced their findings in a report in December 2014, which pointed to systemic failings in the processing of third party payments. GIA strongly recommended that BOIPB carry out sampling to verify the authenticity of other “high-value interpays”. BOIPB failed to do this. GIA further recommended, that, at a minimum, the procedure in place relating to third party payments should be enhanced to clarify roles and responsibilities for authenticating and approving third party payments. Again, BOIPB failed to do this. The procedure remained unchanged until February 2016.
In March 2015, BOIPB commissioned a further internal review, this time by BOI Retail Business Assurance (RBA) centred on BOIPB’s procedures for processing third party payments.

Separately, following the Full Risk Assessment (the FRA) conducted in 2015, the Central Bank informed BOIPB that improvements in relation to third party payment processes would be part of the subsequent RMP arising from the FRA as the process in place was “not robust enough”.  The RMP was issued in February 2016, which set out the Central Bank’s expectations in relation to the actions needed to improve the third party payment process.

RBA issued its findings in draft to BOIPB in January 2016 (the RBA Report).  Following an assessment of a sample of third party payment records, RBA concluded that the same issues identified in December 2014 persisted, namely that client identification questions were not consistently being asked of clients as well as other deficiencies in the third party payment process.

BOIPB updated and revised the TPPP in February 2016. The RBA Report was signed-off in June 2016.  In August 2016, the Central Bank determined that the full RMP was completed.

BOIPB’S COOPERATION WITH THE CENTRAL BANK
The Central Bank expects regulated entities to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately.

When the Central Bank’s investigation commenced in February 2016, BOIPB possessed the RBA Report which contained highly critical findings in relation to the processing of third party payments. As such, it was highly probative to the Central Bank’s investigation.

The Central Bank issued a request for records in February 2016.  BOIPB should have provided a copy of the RBA Report when it responded to this request in April 2016. BOIPB failed to do so, instead it included one vague narrative reference to a risk assessment of banking activities (making no reference to a “report” or the fact that it related to third party payments specifically) within a document accompanying the records it supplied in response to the Central Bank’s request.
BOIPB disclosed the RBA Report to the Central Bank 19 months after the commencement of its investigation in response to a Central Bank statutory request explicitly requiring production of the record BOIPB had described as a “risk assessment”.  It was only when the document was disclosed and reviewed that its true nature and content became apparent to the Central Bank. 

The Central Bank conducted lengthy enquiries as to the circumstances around BOIPB’s failure to promptly disclose the RBA Report and the following arose:

• BOIPB held the RBA Report back as it was in “draft format”
• BOIPB decided not to proactively provide the RBA Report to the Central Bank following its signing-off in June 2016.  Instead, it would provide the signed-off report to the Central Bank only if specifically requested to do so
• Notwithstanding BOIPB’s acceptance of the recommendations of the RBA Report, in the course of the Central Bank’s investigation:
• BOIPB made no reference to the existence of the RBA Report or its highly critical findings until after it was provided to the Central Bank in September 2017; and
• Until May 2018, BOIPB denied that there were any deficiencies whatsoever in its third party payment processes, despite the manifestly contrary findings of the RBA Report, available since January 2016.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case.

The Nature, Seriousness and Impact of the Contravention

• The contraventions revealed serious weaknesses of the management systems and internal controls relating to the processing of third party payments. The Central Bank, at a minimum, expects that firms ensure that there are comprehensive written procedures and robust internal controls, with effective and appropriate oversight and governance afforded to these. BOIPB had a responsibility to have adequate controls in place to protect  its clients’ deposits, and those controls were not sound 
• There was an actual loss of client deposits and the continued exposure of those deposits to potential loss
• The breaches spanned the lengthy period from November 2007 to January 2018.

​
The Conduct of the Regulated Entity after the Contravention

Aggravating

• BOIPB’s level of cooperation was far below what is expected.  BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request.  It also provided information to the Central Bank that was imprecise and vague.  The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.
• BOIPB did not take remedial action in a timely manner to address the contraventions despite knowledge of the severity of the deficiencies and the attendant risk of further loss to client deposits.

Other Considerations

• The financial position of BOIPB (prior to being merged into BOI on 1 September 2017) and the need to impose a proportionate level of penalty.

The Central Bank confirms that the investigation is now closed.
 
NOTES

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
2. This is the Central Bank’s 137th settlement since 2006 under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €105 million.
3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts.  The penalties are not included in general Central Bank revenue.
4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link. 
5. A copy of the ASP Sanctions Guidance November 2019 is available here: link This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure (see link above) and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here:  link.   These documents should be read together.
6. The European Communities (Markets in Financial Instruments) Regulations 2007 (S.I. No. 60 of 2007) were repealed and replaced by the European Union (Markets in Financial Instruments) Regulations 2017 (S.I. No. 375 of 2017) which are available link and the European Union (Markets in Financial Instruments) (Amendment) Regulations 2017 (S.I. No 614 of 2017) which are available here: link
7. Bank of Ireland Private Banking Limited  merged into The Governor and Company of the Bank of Ireland on 1 September 2017.
8. On 22 September 2015, the Central Bank sent a Dear CEO letter following its review of the management of operational risk around cyber-security within the investment firm and funds industry that is here: link On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link
9. On 10 March 2020, the Central Bank issued an industry letter for the attention for the attention of all Board members and Senior Management of asset management firms and published findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms: link

​Further information:
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 086 463 9652

Download Westpac's Report released 17 July 2020 - Reassessment of the Culture, Governance and Accountability Remediation Plan

Linkedin Post at ​https://www.linkedin.com/posts/peteroakes_riskculture-riskmanagement-regtech-activity-6689803983407628288-ynbv


Here's a good 5 point list of root causes of non-financial risk issues at large systemically important banks & institutions (anywhere in the world). In this case Westpac, arising from a report ordered by the Australian prudential regulator.

Applicable to non banks and non systemically important institutions:

1. an organisational construct that creates complexity;
2. an "immature and reactive" #riskculture in non‑financial risk management;
3. a 'three lines of defence model' that is not well understood or embedded among bank staff;
4. the lack of sufficient non-financial #riskmanagement capability; and
5. challenges in execution and staying the course.

With Westpac's CEO responsible for its new initiative "customer outcomes and risk excellence" or CORE, #regtech will need to feature heavily in execution, tracking & learnings.

Professor Elizabeth Sheedy, a #riskculture expert saying that the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.
Westpac "admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum", with many in the bank still do not "fully appreciate the cumulative impact of the issues". Paul McCarthy

Copyright with Australian Financial Review and James Eyers

Westpac Banking Corp has been forced to launch a new program to attempt to fix its broad risk-management failings, after a reassessment of its culture demanded by Australian Prudential Regulation Authority identified ongoing concerns, including that its non-financial risk culture is still "immature and reactive".

The new report identifies a lack of urgency and clarity in Westpac's response to problems it identified in a 2018 self-assessment of governance, which were exacerbated when AUSTRAC dropped a bombshell case last November that triggered the departures of the bank's CEO and chairman.

The Australian Prudential Regulation Authority insisted on the reassessment because it was concerned Westpac was not tackling the root causes of its failings when it read AUSTRAC's statement of claim. The latest investigation found Westpac is still "overly complex, which results in confusion around accountability and challenges in execution".

The shortcomings identified in the report, which was sent to all of Westpac's 35,000 staff on Friday morning, found Westpac's organisational structure created complexity, and its 'three lines defence' model, which is supposed to prevent risks materialising, "is not well understood or embedded".
The report highlights a "shortfall in sufficient non-financial risk-management capability" and says that even though Westpac has made various changes to respond to issues, "what is required is a program of deeper change".

It criticised an ongoing blame game, stating a priority for its work on culture "will be to strengthen psychological safety" for staff after the reassessment found "in some situations leaders had reacted to incidents with a focus on who is to blame rather than what to learn".
Many of the same failings were identified in the bank's self-assessment for APRA in 2018, after all banks were asked to audit themselves against the prudential regulator's expectations for fixing widespread cultural problems at Commonwealth Bank of Australia. The Hayne royal commission should also have emphasised the urgency of repairing culture to meet community expectations and restore trust.

But Westpac recognised on Friday the changes it has been making to respond to the 45 recommendations set out in its 2018 self-assessment had been "incremental". It admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum". It said many in the bank still do not "fully appreciate the cumulative impact of the issues".

“Our reassessment confirms that our management of non-financial risk is currently not at the standard we set for ourselves," said Westpac CEO, Peter King, releasing the 50-page report to the ASX.
“It is clear we have more to do to address these shortcomings, including improving our risk management capability and risk culture which is not where we want it to be."

APRA is continuing to investigate possible breaches of the Banking Act by Westpac, including the speed at which it has rectified issues identified by AUSTRAC. APRA has already imposed a $1 billion capital penalty on the bank to reflect its "heightened operational risk profile".

At the CORE

Westpac on Friday announced it would initiate a multi-year, multi-million dollar program, which it is calling "customer outcomes and risk excellence" (CORE). Mr King said he would be accountable for its delivery.

The reassessment said Mr King, who replaced Brian Hartzer as CEO, and the Westpac board, now led by John McFarlane who took the reins from Lindsay Maxsted, need to take more responsibility and set a proper "direction and tone" about the importance of the measures.

The report – which was conducted by Westpac management and a team from consultants Oliver Wyman together with assurance oversight by another consulting firm, Promontory – pointed to five ongoing "root causes" of Westpac's travails.

These are: an organisational construct that creates complexity; an "immature and reactive" risk culture in non‑financial risk management; a 'three lines of defence model' that is not well understood or embedded among bank staff; the lack of sufficient non-financial risk management capability; and challenges in execution and staying the course.

"Westpac does not underestimate both the magnitude of the changes that are required and the effort involved."

Professor Elizabeth Sheedy, a risk culture expert from Macquarie University, said the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.

"For me it all comes back to excessive focus on short-term profits which is driven by short-term cash bonuses," she said. "There is also a massive shortage of qualified and experienced risk and compliance executives across the industry. Institutions tend to want to keep budgets very tight when it comes to resourcing risk and compliance, which sends a message about organisational priorities."

It is expected that Westpac will look to make additional cost savings in order to pay for additional investment that will be required to improve risk systems.

The report was released after Mr McFarlane warned in an interview with the Financial Review on Friday that excessive financial regulation could make it more difficult for banks to lend and hamstring the economic recovery.

Westpac has been negotiating with AUSTRAC over a potential settlement of the anti-money laundering case, with the financial crimes regulator due to file an amended statement of claim next month to incorporate broader allegations that the bank should have suspected another 270 customers were paedophiles.

It is also waiting for a decision from the Australian Securities and Investments Commission on whether it will appeal the bank's responsible lending victory in the full Federal Court last month to the High Court.


James Eyers writes on banking, fintech and technology. Based in our Sydney newsroom, James is a former Legal Affairs and Capital editor for the Financial Review Connect with James on Twitter. Email James at [email protected]

Source: https://www.afr.com/companies/financial-services/westpac-culture-still-immature-and-reactive-20200717-p55cxa

If you use all or any part of this blog, please ensure you cite and credit CompliReg and Peter Oakes in your re-use of this blog.


Another electronic money institution (EMI) fined and sanctioned in Lithuania for anti-money laundering regulatory requirements and in this case also for an equity capital requirement failure. 
 
While the case is worth noting for both aspects, it is particularly so because across Europe, following the collapse of Wirecard, there will be continuing heightened awareness of both safeguarding and capitalisation of regulated EMIs and payment institutions (PIs). The case also makes known that the BoL is conducting targeted inspections of EMIs across a range of themes.
 
In our previous blog, 2 June 2020, on the Lithuanian Central Bank (Bank of Lithuania / BoL) giving banks guidelines on opening accounts for electronic money institutions (EMIs) and payment institutions (PIs) Peter Oakes noted recent examples of fines against EMIs/PIs including failures to comply with requirements for: (i) anti-money laundering; (ii) safeguarding of customer funds; and (iii) segregation of customer funds and; execution of payment transactions. 
 
The Bank of Lithuania, which supervises 71 EMIs - which is the largest number of EMIs supervised by an EU financial regulator national competent authority* - has announced that it has taken regulatory action against Via Payments UAB for both:
 
(1) violations of the requirements for prevention of money laundering and terrorist financing (sanctioned with a fine of €120,000 and publicity); and
(2) failure to meet the equity capital requirement (sanctioned with publicity only).
 
Via Payments UAB holds an electronic money institution licence, issued on 10 October 2017.

As you will see from the graphic below, in addition to BoL supervising 71 EMIs we also learn that Q1 2020 income from EMI and payment services amounted to €17.3 million.

Keep reading below for the background to the facts of the Via Payments UAB enforcement action. 

(1) Background to the money laundering law violations:

The regulatory actions were taken on foot of a "targeted inspection of the electronic money institution Via Payments UAB". During the course of the inspection, the Supervision Service of the BoL identified breaches of the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing. In addition to a fine of €120,000, the BoL obligated Via Payments to remedy the deficiencies.

BoL says that Via Payments has confirmed that all deficiencies have been remediated.
 
With respect to the money laundering violations, the inspection revealed that:

• customer risk assessment procedures applied by the institution did not allow for the ensuring of proper allocation of customers into risk groups.
• customer’s beneficiary’s information was not, in all cases, checked against reliable and independent sources.
• information about the purpose and nature of the customer’s business relationship was not received.
• there were shortcomings in procedures to determine whether the customer was a politically exposed person.
• Via Payments did not take the appropriate measures to identify the source of the funds of high-risk customers.
• there were deficiencies found in the mandatory ongoing monitoring of business relationships and transactions.

 
BoL imposed a fine of €120,000 on Via Payments UAB.  As part of its mitigation Via Payments informed the BoL’s Supervision Service that it had already taken measures to strengthen its AML compliance by increasing the number of specialists and improving technological solutions.
 
 (2) background to the equity capital requirement failure
​
This regulatory failure came to the attention of the BoL through a separate analysis of the activities of EMIs.  Here the Supervision Service of the BoL recorded that Via Payments violated legal acts because as at 31 March 2020 the company “failed to meet the equity capital requirement”.  The BoL appears to have place a lot of reliance on the institution having “eliminated the indicated shortcomings without further delay, no interests of their clients have been violated” and therefore BoL “decided to impose a mild enforcement measure by making these infringements public”.
 
 
* Note that notwithstanding that the UK is in a post-Brexit transition period, it left the European Union on 31 January 2020.  Accordingly, Lithuania although it may have fewer EMIs than the UK, it records the largest number of EMIs in the European Union.
 
Sources:

• https://www.lb.lt/en/news/view_item/id.11484
• https://complireg.com/blogs--insights/lithuanian-central-bank-gives-banks-guidelines-on-opening-accounts-for-electronic-money-and-payment-institutions-some-examples-of-fines-against-emoneypayments-firms

 
This blog written by Peter Oakes.  Peter  advises on Lithuanian EMI/PI issues and advised on the authorisation of one Lithuania's first special bank authorisations.  If you require a licence to operate in Lithuania, Ireland, Cyprus, Malta or the UK, see our Authorisation Page.  We have a great network of experts in each country too, from lawyers, to accountants to technical experts. And get in contact if you have a question about this blog.

This post first appeared on Peter Oakes's Linkedin Page on 3 July 2020.  Given the high level of interest in the post, we have published further information here about the details of the case.

One for the money laundering typologies.

This is a useful example to demonstrate how a corrupt solicitor can launder money for clients.

ow many times has the compliance department been told "Hey its OK, the client is being vouched for by his / it's lawyer. We don't need proof of source of funds or wealth". Well here's the story of the gangsters' 'go to' solicitor.

• Father-of-three Ross McKay, 39, formerly of Wilmslow, United Kingdom agreed to be struck off the roll.
• ​McKay was jailed for 7 years back in January 2019 for helping fraudsters develop a multi-million-pound property portfolio.
• McKay was responsible for more than 80 property transactions for various criminals, all of whom were subsequently convicted of offences including money laundering and fraud.
• McKay was the conveyancing solicitor who gave a 'veneer of respectability' in a series of illicit properties deals masterminded by Scott Rowbotham, 35 years of age. Businessman Rowbotham managed 88 homes and made huge profits.
  McKay, of Wilmslow, was jailed for seven years leaving wife and children behind
• During McKay's trial, Manchester Crown Court was told he was the gangsters’ ‘go-to’ solicitor who would carry out property transactions without asking questions about where money had come from.  The trial also heard McKay represented Billy Black, a friend of killer Dale Cregan.  Black is currently serving 22 year for fraud and drugs offences. 
• Rowbotham accumulated around £500,000 a year in rent from his property empire, getting mortgage lenders to hand over huge amounts by lying about his income.  Rowbotham told clients he was an operations manager for a TV company with a salary of £48,000 a year - but the fake pay slips covered up the reality - that he had only declared £1,000 in income and £18.20 in tax over 11 years. 
• Rowbotham's girlfriend was also pocketing £20,000 in tax credits at the time.   
• Worked for two clients on total purchases worth more than £7.3m.
• Assisted them in the acquisition of criminal property.
• The court was told that deposits were put down on property where the source of funds was disguised and mortgage applications used nominees instead of the names of the legitimate purchasers.
• Mortgage applications used nominees instead of names of legitimate purchasers.

Read more at:
​
2 July 2020 - Solicitor jailed over money laundering links is now struck off
8 January 2019 - 'Go to' solicitor for dodgy property deals jailed for seven years
7 January 2019 - Corrupt lawyer, 39, linked to police killer Dale Cregan is jailed for seven years after he helped a buy-to-let landlord use dirty money to fraudulently build a £10.8m property empire - 

For advice and training on anti-money laundering and counter-terrorist financing contact Peter Oakes at CompliReg.

CompliReg is proud to power the Official Fintech Ireland Map 2020.

We are now powering the Regulated Fintech Ireland Map version 2 which showcases the regulated payment services directive and electronic money directive firms authorised by the Central Bank of Ireland.  Joining this Map in 2020 are the first of two - hopefully many more to come - e-money firms, Squareup International Limited  ("Square") and MoneyCorp. 

Ireland now has:

• 18 authorised payments firms,
• 3 registered AISPs, and
• 14 authorised emoney firms.

In addition to issuing emoney, Square is authorised to provide payment services number 3b (execution of payment transactions through a payment card or a similar device) and number 5 (issuing of payment instruments and/or acquiring of payment transactions).  

Although Moneycorp is yet to appear on the Central Bank of Ireland register, Moneycorp confirmed to us that it is also authorised to provide payment services 3b, 5 and in addition 3c (execution of credit transfers, including standing orders).  Moneycorp has been fairly busy. In addition to its emoney authorisation, it also secured a MiFID authorisation.  By the way, AFEX which was authorised as payments institution in 2019 also secured a MiFID licence. Expect to see more firms seek both an emoney/payments authorisation together with a MiFID one.

Moneycorp’s Dublin office, which opened in 2013, has operated as a branch of its UK regulated entities, saying that as part of Moneycorp’s strategic response to Brexit and wider market developments, it has now secured its e-money and MiFID licences from the Central Bank of Ireland for a newly established Irish company.  Bryan McSharry, chief executive of Moneycorp’s European business, said the licences ensured it could “continue to support our existing customer base, continue to grow our business in Ireland and expand our business across the EU in a post-Brexit environment”.

​
They are:
Payments Firms:
AIB Merchant Services, Western Union, Fexco, CurrencyFair.com, TransferMate Global Payments, #Fire, CUSOP (Payments) Ltd, #PrimaFinance, Avantcard, Barclaycard, #Chasepaymentech, Google Pay, #smallworld, AFEX, BUREAU BUTTERCRANE LTD, Remitly, J.P. Morgan, Circit.io, Xpress Money, CRIF & Finclude (fka. Verge.Capital)
​
Emoney Firms:
EML, Facebook, Soldo, Optal, Paysafe Group, paysafecard.com, Prepaid Financial Services Limited (PFS), #foreigncurrencydirect, Stripe, Coinbase. One4all Group, Payoneer, Square and Moneycorp.

Congratulations Moneycorp and Square and welcome to the thriving regulated Irish fintech ecosystem.

If you are looking to get authorised in Ireland as an emoney or payments firm, see these Authorisation Guides. 

Read Moneycorp's press release below.

​Moneycorp secures its E-Money and MiFID licences in Ireland
 
New Irish entity, licenced by Central Bank of Ireland, to drive expansion across EU
 
Moneycorp to build on €3 billion of transactions executed for Irish clients in 2019
 
Dublin, 1 July 2020 | Moneycorp Group, the global foreign exchange and payments business has been granted its Electronic Money Institution (E-Money) and MiFID licences by the Central Bank of Ireland (CBI), further bolstering its offering and expansion in the European Union (EU).
 
Moneycorp is one of the world’s largest specialist foreign exchange companies, serving corporates and individuals across multiple channels since 1979. Headquartered in London, Moneycorp opened its Dublin office in 2013 to provide corporate clients with foreign exchange and payment services over its market leading on-line platform as well as directly from its Dublin dealing room.
 
Since launch, the Dublin office has operated as a branch of the Group’s UK regulated entities, however, as part of Moneycorp’s strategic response to Brexit and wider market developments, it has now secured its E-money and MiFID licences from the CBI for a newly established Irish company; Moneycorp Technologies Limited (MTL).
 
Bryan McSharry, CEO of Moneycorp’s European business, said: “We are delighted to have secured both E-money and MiFID licences from the Central Bank of Ireland. This ensures we can continue to support our existing customer base; continue to  grow our business in Ireland; and expand our business across the EU in a post Brexit environment.”
 
“Since launching in Dublin in 2013, we have built a strong corporate and individual customer base of Irish clients – based on our ability to provide best in class foreign exchange services across our market-leading technology platform. We completed €3 billion of transactions for Irish clients in 2019 and we will build on that in 2020 and beyond. Our CBI licences will enable us to continue to expand our business and headcount in Ireland and offer our market-leading service to a vastly increased customer base across the EU.”
 
About Moneycorp Group
Moneycorp Group is a global foreign exchange and payments business with offices in the UK, USA, Brazil, Hong Kong, Spain, Gibraltar, Romania, Australia, the UAE and Ireland.
 
With a forty year record of outstanding customer service, today the Moneycorp group serves the growing foreign exchange and payments needs of global businesses, importers and exporters as well as personal clients.
 
W:          www.moneycorp.com                                   L:             linkedin.com/company/moneycorp/
T:            @moneycorp                                                    I:             instagram.com/moneycorp/

​Here's an enforcement action which will serve as a useful typology for fitness and probity, not to mention culture and behavior, as Ireland heads towards a Senior Executive Accountability Regime by Peter Oakes  

Peter is was appointed the first Director of Enforcement and Ant-Money Laundering at the newly reconstituted Central Bank of Ireland in 2010, where he led and developed the creation and staffing of the new Enforcement and Anti-Money Laundering Directorate with responsibility for delivering administrative sanction procedure enforcement actions, unauthorised providers actions, fitness and probity supervisory and enforcement actions and development of new regulatory laws.  Peter has worked on a number of regulatory enforcement matters since leaving the Central Bank and is available to advise and represent on such matters.  Read more here.

Bullet Point Summary

• This enforcement action is the 136th enforcement settlement since 2006 under the administrative sanctions procedure, bringing total fines imposed to over €103 million.
• Relates to a previous enforcement action against RSA Ireland Insurance DAC (RSAII), an insurance undertaking authorised and regulated by the Central Bank where Rory O’Connor was an Executive Director and Chief Financial Officer from 2010 to 2013.
• RSAII was fined in December 2018 €3,500,000 for what is termed a 'prescribed contravention', in that case serious breaches of financial services law (admitted by RSAII), including but not limited to the failure to establish and maintain technical reserves in accordance with Article 13(1)(a) of the European Communities (Non-Life Insurance) Framework Regulations 1994, S.I. No. 359 of 1994.  Technical reserves are the amount set aside by an insurance company to cover its liability for claims.
• Mr O'Connor's "misconduct merited a disqualification period of 12 years and a monetary penalty of €100,000"; however following a settlement discount, the sanction was reduced to 8 years 4 months and €70,000 respectively.

• The action against Mr O’Connor arose, as admitted, by his participation in the prescribed contravention in RSAII’s breach of Article 13(1)(a) of the 1994 Regulations, which requires an insurance undertaking to maintain sufficient levels of Technical Reserves (the Prescribed Contravention). 
• ​The Central Bank’s investigation found that Mr O’Connor participated in the prescribed contravention through his involvement in the deliberate manipulation of large loss claim reserve estimates, referred to in the enforcement action against RSAII as the “Under-Reserving Process”. 
• Unrelated to this matter, the Irish government announced in its programme for work release on 15 June 2020, the Irish government announced it will "introduce the Senior Executive Accountability Regime to deliver heightened accountability within the banking system".  (see page 25 of the Programme for Government Our Shared Future. 
• The comments from the Central Bank signal that behaviour and culture, not just conduct risk, prudential risk and fitness and probity are squarely on the Central Bank's agenda where it comes to supervisory and enforcement actions.​

Enforcement Action Notice: Mr Rory O’Connor, former Executive Director and Chief Financial Officer of RSA Ireland Insurance DAC (RSAII) disqualified for 8 years 4 months and fined €70,000 by the Central Bank of Ireland for his admitted participation in a breach of financial services law by RSAII

On 9 June 2020, the Central Bank of Ireland (the Central Bank) reprimanded Mr O’Connor, disqualified him from being a person concerned in the management of a regulated financial service provider for a period of 8 years 4 months, and imposed a fine of €70,000 for his admitted participation in RSAII’s failure to maintain sufficient technical reserves from February 2010 to 30 September 2013 (the Relevant Period).

This enforcement action against Mr O’Connor follows a separate investigation conducted by the Central Bank in respect of RSAII, at the conclusion of which the Central Bank reprimanded RSAII and imposed a financial penalty of €3.5 million in December 2018. [footnote 1]
​
The Central Bank’s investigation in respect of RSAII found that deliberate and wrongful under-reserving of large loss claim reserve estimates resulted in incomplete and inaccurate information being relied upon in the calculation of RSAII’s technical reserves.  The investigation found that the claim reserve estimates on RSAII’s claims database were understated in the sum of approximately €29 million as at 30 September 2013. 

The Central Bank’s investigation in respect of Mr O’Connor, who held the positions of Executive Director and Chief Financial Officer (CFO) in RSAII, found that he knowingly and actively participated in RSAII’s failure to maintain sufficient technical reserves through his involvement in the under-reserving of large loss claim reserve estimates.

In particular, Mr O’Connor:

• Participated, along with certain other individuals, in undocumented meetings during which certain large loss claim reserve estimates were deliberately and wrongfully under-reserved;
• Gave instructions and transmitted information relating to those claims within RSAII knowing them to be under reserved; and
• Concealed the under-reserving by knowingly providing inaccurate and misleading financial information to the Central Bank in his role as CFO.

Following a full investigation, the Central Bank determined that Mr O’ Connor’s misconduct merited a disqualification period of 12 years and a monetary penalty of €100,000.  In accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure, these sanctions were reduced to 8 years 4 months and €70,000 respectively.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, stated:

“The Central Bank takes enforcement action against senior individuals in regulated financial services firms in order to hold them accountable where they have participated in serious or significant breaches of regulatory requirements. 

For over three and a half years, in his roles as Chief Financial Officer and Executive Director on the board of RSAII, Mr O’Connor knowingly participated in the systematic under-reserving of large loss claims, actively facilitated the on-going operation of the under-reserving and concealed it from the Central Bank through the provision of inaccurate financial information.

The under-reserving of large loss claim reserve estimates directly contributed to the understatement of RSAII’s technical reserves and resulted in the Firm’s financial position being artificially enhanced.  The failure to maintain adequate technical reserves led to significant risk for policyholders in the event that RSAII did not hold sufficient assets to meet its liabilities and was, as a result, unable to pay claims made against and by its policyholders.  Mr O’Connor’s conduct in this case was deliberate and fell far below the standards expected of him in the roles he held in RSAII.

It is imperative that individuals working in regulated financial services and particularly those in senior roles, fully understand the risks and consequences that their decisions, actions and behaviours may have for an organisation, its employees, its customers and the wider market.

By taking action to address misconduct in the regulated financial services sector, the Central Bank seeks to safeguard financial stability and ensure that consumers and financial markets are protected from wrongdoing and that misconduct within the regulated financial services sector is deterred.  It also signals to the market, the practices and behaviours, of those in senior roles in financial services, that will not be tolerated and highlights the serious consequences should an individual fail in such a material and deliberate way to comply with regulatory requirements.

The sanctions imposed on Mr O’Connor reflect the nature and seriousness of his actions in this case.”

ADMITTED PRESCRIBED CONTRAVENTION
Enforcement Action against RSAII
RSAII is an insurance undertaking authorised and regulated by the Central Bank.  Mr O’Connor was an Executive Director and Chief Financial Officer of RSAII from 2010 to 2013.

On 18 December 2018, the Central Bank reprimanded and imposed a fine of €5,000,000 on RSAII which was reduced to €3,500,000 with the application of the settlement discount scheme in respect of serious breaches of financial services law (admitted by RSAII), including but not limited to the failure to establish and maintain technical reserves in accordance with Article 13(1)(a) of the European Communities (Non-Life Insurance) Framework Regulations 1994, S.I. No. 359 of 1994 (the 1994 Regulations).  Technical reserves are the amount set aside by an insurance company to cover its liability for claims.

Mr O’Connor’s Participation in the Prescribed Contravention
Mr O’Connor has admitted his participation in the prescribed contravention in RSAII’s breach of Article 13(1)(a) of the 1994 Regulations, which requires an insurance undertaking to maintain sufficient levels of Technical Reserves (the Prescribed Contravention). 

The Central Bank’s investigation found that Mr O’Connor participated in the Prescribed Contravention through his involvement in the deliberate manipulation of large loss claim reserve estimates, referred to in the enforcement action against RSAII as the “Under-Reserving Process”. 

As a result of the Under-Reserving Process, specific large loss claims were deliberately suppressed by significantly delaying the recording of the reserve estimates recommended by RSAII’s claims handlers (the Recommended Estimates) in the claims database and/or by recording claim reserve estimates which were lower than the Recommended Estimates.  To give a clear example of how the Under-Reserving Process operated in practice, a claim relating to a serious motor accident should have been recorded on RSAII’s claims database with a recommended estimate of €2.7 million.  However, the claim was in fact recorded with a claim reserve estimate of just €20,001 thus, making RSAII’s potential liability for that claim appear to be far less than it was.  

Mr O’Connor has admitted his involvement in the Under-Reserving Process as follows:
During the Relevant Period, Mr O’Connor participated in frequent, undocumented meetings, during which claim reserve estimates for large loss claims were deliberately and wrongfully manipulated resulting in the  relevant claim reserve estimates being  understated on the Firm’s official claims database. 

From around 2012 onwards, Mr O’Connor became more involved in the under-reserving by assuming responsibility for communicating  the outcome of the meetings and the decisions made in relation to the understated claims to RSAII’s Claims Department together with the claim reserve estimate amounts which could be officially recorded on the claims database. 

Specific large loss claims were deliberately suppressed by significantly delaying the recording of the Recommended Estimates in the claims database and/or by recording claim reserve estimates which were lower than the Recommended Estimates.  This was referred to in the Enforcement Action against RSAII as the “Under-Reserving Process”.  The under-reserving was concealed by from the Central Bank the presentation and provision of inaccurate and misleading financial information.

The Central Bank’s investigation found that Mr O’Connor intentionally concealed the Under-Reserving Process in the following ways:

• As CFO during the Relevant Period, Mr O’Connor was responsible for RSAII’s regulatory reporting to the Central Bank.  Specifically, he signed off the Data Accuracy Statement appended to the Report on the 2012 Statement of Actuarial Opinion which was submitted to the Central Bank in April 2013.  In signing the Data Accuracy Statement, Mr O’Connor confirmed that the relevant financial data relied on by the Signing Actuary to calculate technical reserves as at 31 December 2012 was, to the best of his knowledge and belief, accurate and complete.  By virtue of his involvement in the Under-Reserving Process, Mr. O’Connor accepts that he was fully aware that the financial data relied by the Signing Actuary was not accurate.

 

• As CFO during the Relevant Period, Mr O’Connor was responsible for ensuring that RSAII’s Financial Statements reflected a true and fair view of the financial position of RSAII.  RSAII’s Financial Statements included technical provisions calculated on the basis of the claim reserve estimates recorded on RSAII’s claims database.  As a result of his involvement in the Under-Reserving Process, Mr. O’Connor accepts that he was aware that the technical reserves were inaccurate as they had been calculated using claim reserve estimates he knew were understated.

The Impact of the Under-Reserving Process on the Technical Reserves
Claim reserve estimates are used in the calculation of technical reserves.  The Under-Reserving Process resulted in the claim reserve estimates for certain large loss claims being significantly understated on RSAII’s claims database and consequently the claim reserve estimates on the database did not accurately reflect the estimated cost of these claims. 

As at 30 September 2013, the systematic under-reserving of large loss claims resulted in claim reserve estimates for seventeen large loss claims being recorded on RSAII’s claims database in amounts significantly lower than the Recommended Estimates.  The shortfall between the claim estimates recorded on RSAII’s claims database and the Recommended Estimates was €29,300,070, as at 30 September 2013.  Ultimately, as a result of the Under-Reserving Process, RSAII was required to increase its technical reserves as at 30 September 2013 to take account of these under-reserved large loss claims, requiring a significant capital injection from RSA Insurance Group PLC.

On the basis that a decrease in technical reserves has the effect of decreasing an insurer’s technical expenses and thus increasing the amount that the Firm could report as profit, the under-reserving also resulted in the artificial inflation of the Firm’s profits for 2012.
 
SANCTIONING FACTORS
 
In determining the appropriate sanction, the Central Bank has considered the guidance on the sanctioning factors set out in Part II of the ASP Sanctions Guidance (November 2019).  The following factors are relevant in this case:
 
The Nature, Seriousness and Impact of the Contravention

• Mr O’Connor engaged in serious misconduct which directly contributed to RSAII’s failure to maintain technical reserves in accordance with the 1994 Regulations.

 

• Mr O’Connor’s participation in the contravention was deliberate.  As CFO, Mr O’Connor actively facilitated the under-reserving by concealing it from the Central Bank through the presentation and provision of inaccurate and misleading financial information.

 

• Mr O’Connor’s participation in RSAII’s breach occurred over a significant period, i.e.  three years and eight months, from February 2010 when he was appointed as interim CFO, until October 2013 when the under-reserving was first discovered.

 

• The misconduct in this case represents a significant departure from the standard required, and expected, of a person concerned in the management of a regulated firm.  Mr O’Connor was CFO and a director on the board of RSAII from 2010 to 2013. One of the primary responsibilities of the CFO during this period was the approval of complete and accurate financial statements and regulatory returns, which included technical reserves.  Mr O’Connor’s involvement in the Under-Reserving Process demonstrated a fundamental failure to discharge the responsibilities he had assumed as CFO of RSAII and a failure to act ethically and with integrity. 

 

• The potential impact of the breach on the orderliness of the financial services market.  Insurance companies are important for the stability of financial system.  This systematic under-reserving of large loss claims resulted in a material understatement of RSAII’s liabilities and ultimately contributed to RSAII requiring a significant capital injection.

 

• RSAII’s failure to maintain technical reserves in accordance with the 1994 Regulations, as a result of the Under-Reserving Process, posed a significant risk of loss to policyholders. The investigation did not find any evidence that actual loss or detriment was caused to policyholders or market users as RSAII was at all times in a position to continue to pay insurance claimants and other debtors.

 
Mr O’ Connor’s conduct after the contravention
Mitigating

• Mr O’Connor admitted his participation in the contravention at an early stage in the investigation.

 

• The exemplary degree to which Mr O’Connor cooperated with the Central Bank during the investigation.  The Central Bank expects firms and individuals to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately. In this case, Mr O’Connor’s cooperation at interview, timely provision of information and active engagement with the Central Bank’s investigative procedures went beyond  the level expected by the Central Bank.

 
Mr O’Connor’s previous record
Mitigating:

• No previous enforcement action has been taken against Mr O’Connor by the Central Bank.

 
Other Considerations

• Holding Mr O’Connor to account through the imposition of sanctions in respect of his misconduct is necessary in order to create an effective and appropriate deterrent impact on individuals holding senior positions in regulated financial service providers.

 
This settlement represents the conclusion of the Central Bank’s investigation into Mr O’Connor.

NOTES

1. This is the Central Bank’s 136th settlement since 2006 under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €103 million.
2.  The fine of €3,500,000 imposed on RSAII by the Central Bank represented the maximum applicable penalty of €5,000,000 with a settlement discount of 30% in accordance with the Central Bank’s Administrative Sanctions Procedure.  The settlement with RSAII on 18 December 2018 can be found here.
3.  The Central Bank’s sanctioning powers were increased in 2013, pursuant to Section 68(b) of the Central Bank (Supervision and Enforcement) Act 2013.  The maximum penalty which the Central Bank may now impose on an individual is €1,000,000.
4.  Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts.  The penalties are not included in general Central Bank revenue.
5.  The Central Bank promotes the option of early settlement. Where a regulated entity or person concerned in the management of a regulated entity settles a matter at an early stage with the Central Bank of the administrative sanction process, a discount of up to 30% may be applied to the sanction (Early Settlement Discount Scheme). Additional information on the Early Settlement Discount Scheme is contained in section 4.4. of the Central Bank’s Outline of the Administrative Sanctions Procedure (2018). 
6.  The period of disqualification takes effect from 9 June 2020.
7. Article 13(1) of the 1994 Regulations required all insurance undertakings to establish and maintain technical reserves in respect of all underwriting liabilities assumed by it, determined in accordance with the rules laid down in Council Directive 91/674/EEC.

[1] Central Bank of Ireland Enforcement Action Notice December 2018

[first posted by Fintech UK] 

Panel: Has the crisis helped companies shift from being product-centric to customer centric, are they ready for consumer of 2021? 

What: Fintech Week Lithuania: Panel: Has the crisis helped companies shift from being product-centric to customer-centric, are they ready for consumer of 2021? 
When: Tuesday 16th June 2020. Start time 9:55am (Irish/UK time) / 11:55am (Lithuania time).
Where: Online Event.   
Cost: Free
Registration: See registration link at https://fintechuk.com/events/covid19-fintech-shift-from-product-to-customer-centric
Details: Fintech UK's Peter Oakes* (Board Director at global fintech / payments business TransferMate) joins an excellent line up of fellow panel members Agnė Selemonaitė, Deputy CEO & Board Member at ConnectPay and Anastasija Oleinika, CEO of TWINO Group in a lively session moderated by Nick Price, Chief Executive of Bright Purple. 

*Peter is also founder of Fintech Ireland, US Fintech, Fintech Cyprus, leading fintech advisory firm CompliReg and a director of several regulated fintech companies including Susquehanna International, Optal Financial Europe and AWM Wealth Advisers) ​

"As I write, the impact on people and businesses arising from the coronavirus is being felt across all parts of society and the economy. It is keeping many of us exceptionally busy not only assisting our clients but dealing with the impacts on our businesses too."

Fintech Ireland's and CompliReg's Peter Oakes writes on the The Irish Fintech Ecosystem: Headwinds and Tailwinds (and the Making of a Global Fintech Centre) for CPA Ireland's Accountancy Plus

Download the article in PDF and visit CPA Ireland's excellent resources.

Continue reading below.

Why would one start an article about fintech referencing Covid-19? The fact is that the virus is acting as both a headwind and tailwind for fintech companies operating from Ireland and internationally. The impact of the virus over the last month and a half on fintech has shone a spotlight on many aspects of the ecosystem that might not have otherwise come to our attention. In the current climate Ireland must also be mindful of any potential slippage of its position as a global fintech player garnered from recent years of excellent work.

Let’s start with an overview of fintech. The word fintech came to prominence after the last financial crisis, particularly noticeable from 2012 onwards. Yet there were many examples of ‘financial technology’, shortened to “fintech”, existing well before the start of the last financial crisis. A number of these fintech businesses date back to the latter part of the 1980’s. Examples include the internet and phone retail bank First Direct[1] (a division of HSBC) which kicked off in 1989 and today regularly achieves high satisfaction rates in financial surveys. Ireland too served as HQ to a pioneer challenger bank, First-e[2] [6], which despite great promise was a casualty of the dot.com boom[3].

What does the Irish fintech scene look like? The consensus is that Ireland is home to somewhere between 220-250 indigenous fintech companies and that together with international fintech companies in Ireland, the number is probably around 400. It is difficult to give an exact figure if only because the word “fintech” is a broad-church.  

The word captures, (a) the new nonbank disruptors which focus on discrete parts of the banking value chain, e.g. payments, wealth management, treasury services and credit and lending; (b) the new breed of digital only (non-branch) challenger banks entering both retail and business banking; and (c) the incumbent banks (sometimes referred to as legacy banks) embarking - with various degrees of success – on digital transformation journeys.

The recent release in April of the 2020 edition of the Fintech Ireland Map[4] identified 230 indigenous / Irish controlled fintech companies. This was an increase of 30% from the previous year. The Map is supported by both research and a survey[5]. The criteria to meet to join the Map is challenging. Entrants must be fintech companies with a proprietary product or service.  

Footnotes from above section -
1 https://en.wikipedia.org/wiki/First_Direct
2 https://en.wikipedia.org/wiki/First-e_Group
3 https://www.theguardian.com/money/2001/sep/08/saving.onlinebanking
4 https://fintechireland.com/fintech-ireland-map.html
5 https://fintechireland.com/fintech-survey.html

Broadly speaking the fintech companies operate across 12 categories, being Credit & Lending; Platforms; Funds & Trading; Crypto & Blockchain; FinOps (Financial Operations); InsurTech (Insurance Technology); Accounting; Payments; RegTech (Regulatory Technology); Savings / Investing; Big Data / Analytics; and Others. The number of firms in each category is shown in the diagram below.

During 2019, the fintech ecosystem in Ireland, both the Republic of Ireland and Northern Ireland, continued to grow and evolve. There was strong growth in RegTech which not only increased to 39 companies but is rapidly closing in on Payments which retains its crown as the largest category for fintech companies, increasing to 58. It is no surprise that the Irish payments sector is so large given that it powers e-commerce transactions which by 2024 will double from 2010 to €3.8 billion in value. Also boding well for Ireland are two recent reports from UBS which estimate that global e-commerce will grow by 15-20% per annum over the next decade[7] from USD 3 trillion today. 

​It is no wonder that global fintech revenue is expected to reach a staggering USD 500 billion by 2030[8].

The number of fintech firms in the Irish credit and lending sector grew in 2019, with the addition of six new entrants, to 23. This is positive news for cash strapped small-medium size enterprises. Hopefully these fintech companies will help fill the supply of liquidity which is currently in demand by cash-strapped businesses. 

Headwinds and Tailwinds

The coronavirus crisis and its impact upon fintech is no different than the impact of the virus on other sectors of the economy. However, being a broadchurch, there are just as many fintech’s flourishing as there are floundering. FinTech’s, on average, didn’t begin 2020 with large amounts of equity. In fact, before Covid-19 the level of global investment in fintech dropped between 2018-2019 while the level of venture capital investment in Irish fintech fell off a cliff edge. 

In some cases, Irish fintech companies who had struck deals with international purchasers had to reduce the price to reflect, in the words of one fintech purchaser, the “economic reality” that businesses and individuals are currently facing.

E-commerce companies and the fintech companies which process their payments have seen a significant fall in transaction volume and therefore revenue (processing fees) for travel related items, including airfares, hotels, holiday clothing, luggage and pre-paid travel vouchers. 

Whereas the fastest growing category of products and services includes – no surprises – disposable gloves, bread machines, cough & cold medicines as well as fitness equipment[9]. Thus, be wary about reading too much into e-commerce and payments processing growth, because it is not all good news. Having said that one of the most well-known e-commerce marketplaces specialising in crafted and homespun goods enjoyed a 100+% increase in share price in less than two months owing to demand for face masks! 

The World Bank predicts that global remittances from wealthy to poorer countries will drop by at least 20% to $445 billion. This represents a loss of a crucial financing lifeline for many vulnerable households. Much of this money is often eaten by fees by various middlemen. It is estimated that between 7% -12% of the money being transferred [10] is swallowed up by bank collection, transfer and receiving fees. Yet remittances are a vital source of income for people in developing countries.

The loss of USD 10 from the value chain may mean the difference of food on the table for a family for a week in the poorest of countries. This challenge also provides an opportunity for fintech companies which can perform foreign exchange and international money transfers at a much lower cost than banks. 


Footnotes from above section -
6 https://en.wikipedia.org/wiki/First_Direct
7 https://www.ubs.com/global/en/wealth-management/chief-investment-office/investment-opportunities/longer-term-investments.html
8 https://fintechnews.ch/fintech/fintech-revenues-to-reach-us500b-by-2030-ubs-research/35500/
​9 https://www.visualcapitalist.com
10 This is a conservative estimate of fees. In some cases, the fees can be higher when cash is being handled at the collection and reception points

Another disruptor in this area is cryptocurrency. Cryptocurrency service providers remit crypto currency11, instead of fiat currency[12], and do so on distributed ledger technology – the most commonly known example being blockchain – which is simply a different set of payment rails than that used by the banks for money movement, such as SWIFT, the UK’s Faster Payments and Europe’s SEPA. Proponents of cryptocurrency for money transfers argue that it is 250 times cheaper on average to use cryptocurrency than traditional banks and is also cheaper than using many fintech apps. 

There are less than ten indigenous crypto/blockchain fintech companies operating in Ireland. In recent years they have been joined by about half a dozen large international crypto/ blockchain firms focussed on financial services. Collectively these international companies are valued in the tens of billions of dollars. Like the indigenous companies, these international fintech’s have chosen Ireland to access our highly skilled software engineers, software developers, coders, programmers and data scientists. 

Noting the Irish government’s support of both blockchain and international financial services, we should expect to see a lot more from this nascent and promising industry in Ireland.

Ireland is already perceived as a top global fintech ecosystem. Our challenge is not about reaching the number one spot globally, which simply will not be the case for a small open economy regardless of how progressive we are. 

Our challenge is to incrementally raise our profile and position year on year and more importantly remain in the upper echelons vis-à-vis our European Union peers. Ireland is home to 10,000+ regulated financial services companies, it is the 4th largest exporter of financial services in the European Union, 250 of the world’s largest financial services institutions have a base here including half of the world’s top 50 banks. With more than 45,000 people employed directly in international financial services, 15% of which work in fintech, is it any wonder that Dublin ranks 5th highest amongst the top 50 European cities according to Findexable Global Fintech Index 2020 and 7th highest ranked EU member state on the OECD’s Ease of Doing Business Index 2019. 

The future looks bright for Irish fintech. Many of these companies work in regulated markets and a number of these companies are authorised by the Central Bank of Ireland. What they have in common is the need for capital, people and a stable political environment. Ireland benefits from being a member of the European Union.

It is an English first speaking language country, enjoys a common law legal system and adheres to the International Financial Reporting Standards.

Ireland’s accountancy profession has a lot to offer and gain from Ireland’s fintech ecosystem. Whether it is a young fintech start-up requiring business and financial advice, seed funding, interim CFO services or larger fintech operator with important financial, taxation and HR strategic planning needs, a competent accounting professional is not only the corner stone but indeed the foundation of a successful and sustainable fintech. 

Footnotes from above section -
​11 Examples of two cryptocurrencies include bitcoin and ethereum
​12 Fiat currency is legal tender backed by a government, such as USD, EURO and GBP

​Our blog of yesterday (02/06/2020) which was highlighted by Peter Oakes in his Linkedin account yesterday was been viewed 3,500+ times in less than a day*.  Thanks for your interest in the topic of "Lithuanian Central Bank gives banks guidelines on opening accounts for electronic money and payment institutions."

By the way, for those interested in #tokens, #virtualassets and initial coin offerings (#ICOs), Lietuvos bankas / Bank of Lithuania has released a number of relevant documents in this space, worthy of a read, including: 

1. Guidelines on security token offering (17/10/2019)  - https://www.lb.lt/uploads/documents/docs/23488_be8ce9606ecb203bf8a9a4bde09ac399.pdf 
2. Opinion of the Bank of Lithuania on questions related to virtual assets and initial coin offering (21/01/2019) - https://www.lb.lt/uploads/documents/docs/21413_fcc1aef91ab038b33e7c61d6d5439fb0.docx 
3. Position of the Bank of Lithuania on Virtual Assets and Initial Coin Offering (21/01/2019)  - https://www.lb.lt/uploads/documents/docs/21410_afc0daafce702d949014d46ea0a97550.docx 

If a problem with the above links, try to access via https://www.lb.lt/en/bank-of-lithuania-positions-and-guidelines


See Linkedin Post at https://www.linkedin.com/posts/peteroakes_lithuania-electronicmoney-paymentinstitutions-activity-6673647923059798016-CBqg​