Background
The Central Bank of Ireland’s (‘Central Bank’) statutory “gatekeeper” role is critically important. In assessing applications for authorisation as a PI or an EMI, the Central Bank adopts a robust, structured and risk-based approach that seeks to ensure that only applicants that demonstrate an ability to comply with the authorisation requirements applicable to their proposed business model are authorised.
The authorisation and supervision of firms operating in the PI and EMI sector is an important part of our mandate. This sector has grown substantively over the last number of years. The number of firms authorised by the Central Bank has more than doubled since 2018 and there continues to be a strong authorisation pipeline.
The purpose of this communication is to clearly set out the Central Bank’s expectations for all PI and EMI firms applying for authorisation, and to remind applicant firms of the authorisation principles, approach and the core elements that will be assessed by the Central Bank. In addition, information about the service standards to which the Central Bank operates is set out below.
1. Authorisation Principles
It is the Central Bank’s expectation that firms fully understand the risks arising from their business model and operations and how to mitigate those risks. As a general principle applicable to all firms, both incoming and those firms we currently supervise, the Central Bank expects that firms:
a) Have sufficient financial resources, including under a plausible but severe stress;
b) Have sustainable business models;
c) Be well governed, with appropriate cultures, effective risk management and control arrangements in place; and
d) Be able to recover if they get into difficulty, and if they cannot, they should be resolvable in an orderly manner without significant externalities.
From an overarching perspective, through the authorisation process, the Central Bank is seeking to gain assurance in an evidence-based manner that firms have the capabilities to manage risk and the proposed governance, risk and compliance frameworks are therefore sufficient and will operate as described post authorisation. In this regard, firms are expected, in the context of seeking to become a regulated firm, to be fully aware of the Central Bank’s broader financial regulation (prudential and conduct) expectations post authorisation. To this end, firms are expected to proactively and diligently consider regulatory requirements and guidance as well as published communication from the Central Bank to regulated firms in this sector.
PIs and EMIs firms play an increasingly important role in the financial system and in the lives of consumers. Consequently, the failure of firms to meet their supervisory obligations, including breaches of regulatory requirements can have a significant impact on consumers, who are reliant on the services provided, and/or on the functioning of the broader financial system. Therefore, firms must demonstrate that they have robust internal systems and controls, including well-developed risk management frameworks in place to drive effective behaviour and culture. In this regard, the Central Bank has no tolerance for widespread consumer or investor harm and it is the responsibility of firms to ensure that their business has a consumer-focused culture. From a conduct perspective, the Central Bank expects applicant firms to:
- Go beyond consumer protection obligations under law and be proactive and meticulous in ensuring that they do business in a way that protects consumers and investors.
- Ensure that consumer-focused cultures are evident and demonstrable throughout the entire structure. Firms must show evidence of robust oversight and challenge led by the board (in particular over the product/service lifecycle), execute comprehensive training for staff and measure key indicators of the firm’s culture.
- Regularly track and monitor the behaviour and culture in their organisations, and reflect on any shortfalls in the collective understanding of what ‘consumer focus’ actually means for their firm.
- Firms must ensure they have the right structures, processes and systems embedded to support consumer-focused behaviours.
Further elaboration of the Central Bank’s consumer protection expectations are outlined in the recent publication of the Consumer Protection Outlook 2021.
2. The Authorisation Assessment
The Central Bank’s assessment takes into consideration the nature, scale, and complexity of a firm’s application both from a point in time and forward looking perspective. Therefore it is recommended that firm’s clearly demonstrate within their application submission how they will own and control the risks to which they are exposed both upon authorisation and in the future in line with their growth plans and ambitions. In this regard, it is the Central Bank’s expectation that throughout the authorisation process that engagement is robustly led by persons proposed to be performing Pre-Approved Control Functions (‘PCF’) in the firm.
Based on the foregoing and the relevant underpinning legislative requirements and guidelines, the Central Bank authorisation assessment focuses on five distinct areas:
a) Business Model and Financial Resilience: Assessment of the viability and sustainability of the applicant’s business strategy, programme of operations and financial projections for the first three years of operation including underpinning assumptions. This includes an assessment of the firm’s ability to meet capital requirements on an on-going basis including vulnerabilities stemming from enterprise wide risks.
b) Governance: Assessment of the local governance framework including the proposed board construct, its terms of reference, suitability of members of the management body and key function holders, management committees and the three lines of defence framework. The Central Bank expects decision-making at Board and Executive level to take place within the State. Non-executive directors on the Board are expected to devote sufficient time to fulfil their duties and to act critically and independently so as to exercise objective and independent judgement. In the future, the Central Bank will conduct interviews for PCF roles as a core part of the assessment process. The adequacy of local resources will also be specifically assessed including the alignment of same to the management of the key functions and risks of the firm both from a prudential and conduct perspective.
c) Risk Management, Operational Resilience and Safeguarding
Assessment of the firm’s articulation of its key prudential and conduct risks and the respective risk management frameworks. Applicant firms should demonstrate comprehensive risk management systems commensurate with the proposed business model of the applicants activities are in place. Applicant firms should coherently describe the key risks inherent in the proposed business activities of the applicant including details on how these risks will be identified, managed, monitored, controlled and mitigated. For the most material risks including; safeguarding, operational and IT risk, outsourcing (including intragroup) capital and credit risk a detailed assessment of the individual policy documents, frameworks and internal control mechanisms will be performed. Such documents should clearly describe the end-to-end operational and risk management process. Assessment of the firm’s IT risk management policy and framework including procedures for monitoring, handling and following up on security incidents and security related customer complaints is also a key assessment feature.
d) Money-Laundering/Terrorist Financing risk
The financial system must be protected from use for money laundering or terrorist financing activities. Protecting the financial system from money laundering and terrorist financing is of the utmost importance to the Central Bank. Firms operating in the PI and EMI sector are classified as a designated person under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (“CJA 2010”).As a designated person, firms are subject to the obligations of the CJA 2010, and in particular, the obligations set out in Part 4.Firms must demonstrate that they invest in and maintain strong AML compliance frameworks to protect the financial system, consumers and the wider public from money laundering and terrorist financing. One of the Central Bank’s key expectations for an effective AML control framework is that it is based on a money laundering and terrorist financing risk assessment that specifically focusses on the money-laundering and terrorist financing risks arising from the firm’s business model. This risk assessment should drive the firm’s framework such that it ensures there are robust controls in place to mitigate and manage the risks identified through the risk assessment. The Central Bank’s view is that a “tick box” or rules-based approach to risk assessment is not fit for purpose and does not meet regulatory expectations.
e) Resolution and Wind Up
Assessment of the measures to be taken by the applicant firm in the event of termination of its payment services (due to insolvency, etc.).It is expected that where failure arises, the insolvency process can be managed in an orderly fashion without customer detriment. Measures to be reviewed will include, inter alia, an assessment of the firm’s ability to (i) ensure operational continuity by all service providers during the wind-down process, (ii) execute pending payment transactions, (iii) repay outstanding client balances without delay and/or (iv) protect client funds from the claims of other creditors in the event of insolvency.
The Central Bank has published service standards in respect of the processing of applications for the Payments Sector. In the context of meeting those standards, the service standard timeframe to which the Central Bank has and remains committed to the assessment phase of the application process is 90 working days. However, firms should expect that the assessment clock will be paused resulting in a prolonged assessment period where:
- The information provided does not address, in substance and detail, the key assessment areas as outlined under the Authorisation Process section of the Central Bank website.
- Firms do not comprehensively address, within their applications, the firm specific feedback provided by the Central Bank during the formal assessment phase period.
3. Closing
The Central Bank deals with all applications for authorisation in an open, engaged and constructive manner. The Central Bank encourages all firms seeking authorisation to engage at the earliest opportunity regarding it proposed application having fully reflected on the information contained within this communication as well as the broader suite of information available on the Central Bank’s website.