It’s not quite a Christmas card, but all Payment and E-money firms in Ireland received a “Dear CEO” letter from the Central Bank of Ireland earlier this month. The letter from Mary-Elizabeth McMunn, Director of Credit Institutions Supervision, sets out the actions Boards and senior management are expected to carry out to ensure ongoing compliance with its regulatory requirements.
The letter is five pages long but it broadly requires firms in this sector to demonstrate that they are:
- Well-governed
- Have a sustainable business model
- Operationally resilient
- Appropriately managing the risk of money laundering and terrorist financing
- Unlikely to destabilise the financial system, and/or their customers, if they face financial difficulty
These requirements, which come with a deadline of 31 March 2022, may concern leaders in the growing sector of Payment and E-Money. Not least because the letter comes at a busy time when companies are seeking to close out their accounts for Q4. But fscom is here to help and in this blog we summarise the key takeaways for firms from the letter:
1. Governance
The letter makes clear that regulated firms should be well-governed with risk management and internal control frameworks in place to ensure compliance with legislative and regulatory obligations – particularly the European Union’s Payment Services Directive and E-Money Directive. A firm’s compliance status should be reviewed on an ongoing basis.
2. Safeguarding
Safeguarding customer funds should be “a key supervisory priority” for firms, the letter warns. Firms should have safeguarding risk frameworks in place which identify, segregate, manage and protect clients’ funds. The Central Bank reminds Boards that they have an essential role to play in seeking assurance that client balances are reconciled and match the designated safeguarding accounts. Alison Donnelly, Director at fscom, recently took part in a webinar on safeguarding best practices.
3. Sustainability
Payment and E-Money institutions should have “viable and sustainable” business models, with resources allocated to supporting their business plans. When a firm expects that its business model will materially change, it should inform the Central Bank of Ireland as soon as possible – for example, if it makes a substantive change to a service or product.
4. Operational resilience
The Central Bank has a responsibility to ensure the financial system can withstand shocks and crises, and it requires firms to put in place plans to identify and mitigate the risks to significant interruption of their operations – even if those disruptions are unforeseen. The letter reminds the Board and senior management are responsible for ensuring the firm’s IT and cyber risk strategy is adequate, and that they should develop the skills and knowledge to understand the risks their firm faces.
5. Risk management
The letter reinforces the Central Bank’s expectation that Payment and E-Money firms have an “effective Anti-Money Laundering/Countering the Financing of Terrorism control framework”. This starts with a risk assessment of the money laundering and terrorist financing risks facing a firm that are specific to their business model. The letter says a firm’s proposed response should be appropriate to mitigate and manage these risks, not simply a “tick-box” approach.
6. Planning for the worst
The Central Bank expects that, if firms get into financial difficulty, they will have planned for an orderly insolvency process which is not to the detriment of their customers. An appropriate exit or wind-up strategy should be embedded within the business model and operational strategy, allowing customer funds to be returned as soon as is reasonably practicable.
Next steps for Payment and E-Money Firms
Unlike most Christmas cards, this letter requires the recipient to take concrete action. All firms must take the following steps:
- Provide the Central Bank with “a Board approved attestation confirming the completion and conclusion of this assessment” by 31 March 2022.
- If any issues are identified during the review, put in place a “Board approved remediation plan”.
fscom can help firms with this task, and with all areas outlined in the Dear CEO letter. You can read some of the lessons from our recent webinar on operational resilience:
The building blocks of operational resilience for financial services firms – fscom uk
The Dear CEO letter can be found in full on the Central Bank of Ireland’s website: https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions
