The Central Bank of Ireland (“CBI”) has published a Dear CEO letter to Payment and Electronic Money (E-Money) firms to reaffirm their supervisory expectations. The CBI had previously published such a letter in December 2021 outlining these supervisory expectations. This latest letter noted the increasing importance of the Payments and E-Money sector and that the CBI have had a further year of “intense supervision of the sector”. They further noted that “the level of intensity, which is beyond what we would expect for this sector, is on the basis of the significant deficiencies identified in the governance, risk management and control frameworks of some Payment and E-Money firms” and hence this letter.
The letter does not contain anything new in regard to their supervisory expectations or their approach however Section 1 provides wider and specific context to this supervisory approach by further detailed the risk based approach they utilise.
Section 2 gives further key findings from their supervision over the past year and also contains a number of actions for firms, most notably the requirement for a Safeguarding Audit: “requiring that all Payment and E-Money firms who are required to safeguard users’ funds obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR” This Audit, which should be accompanied by a Board response to the outcome of the Audit, should be submitted to the CBI by 31 July 2023.
They further noted a number of recurring issues in relation to Governance, Risk Management, Conduct and Culture and included a list of these deficiencies which firms should use to check and test their own internal frameworks as the CBI stated “We expect firms to consider their governance, risk management and internal control frameworks, in addition to the composition (both number and skills) of their Board and management team, to ensure they are sufficient to run their business from Ireland, as their licenced jurisdiction”. It is interesting to note what were formerly commonly know as “GRC” frameworks, being Governance, Risk and Compliance/Control, now being replaced by both Conduct and Culture.
In relation to Business Model, Strategy and Financial Resilience, they note the importance of not only having a strategy but an embedded one, specifically noting that accurate data and management information is critical “to support a firm’s strategic and financial planning, and the risk management processes that run and support your business”. Importantly they noted that 1 in 5 firms in the sector submitted inaccurate returns to the CBI during the past 12 months hence this emphasis on the criticality of correct calculation methodologies and data controls/governance to support strategies and financial planning. Their expectation is “to have Board-approved business strategies in place supported by robust financial projections. Firms must understand and meet their capital requirements at all times”.
Finally, they reiterated that all Payment and Electronic Money firms are expected to fully comply with both the Cross Industry Guidance on Operational Resilience and Cross Industry Guidance on Outsourcing, issued in December 2021 as well as with all AML/CFT obligations of the CJA 2010, and in particular, the obligations set out in Part 4. They particularly noted that Payment and Electronic Money (E-Money) Firms must ensure when using any third parties such as agents or distributors that “It is important that firms recognise that agents and distributors are an extension of the firm itself” and fully included in all AML/CFT obligations.