It is barely a year since all authorised payment and e-money firms in Ireland received a “Dear CEO” letter from the Central Bank of Ireland.
Now, another letter has landed on these firms’ doormats and their CEOs’ desks. It outlines the Central Bank’s expectations for regulatory compliance and specifies areas where firms should focus efforts to improve their compliance approach.
The 11-page letter comes from the Central Bank’s Director of Credit Institutions Supervision, Mary-Elizabeth McMunn, and carries a warning that the last year has seen more intense supervision of the sector than the Central Bank would have expected.
Ms McMunn writes that this increase in supervision is “on the basis of significant deficiencies identified in the governance, risk management and control frameworks of some payment and e-money firms”.
The Central Bank “expects all firms in the sector to discuss this letter with their Board” and makes some specific calls to action which firms must undertake.
This blog aims to make life easier for firms by highlighting six key takeaways from the letter to which you should pay particular attention:
- Deadline set for safeguarding audits
The letter starts by outlining one of the Central Bank’s most important objectives: that “users’ funds are protected”. To this end, it imposes a requirement on firms to submit to the Central Bank an audit opinion on the institution’s compliance with regulatory requirements on safeguarding. This should be sent to the regulator, along with a response from the institution’s Board, by 31 July 2023. Given the short timeframe and the small number of specialist safeguarding auditors, it would be prudent to secure your auditor of choice soon.
- Heightened focus on specific areas of governance and risk management
The focus of the Central Bank on governance, risk management, conduct and culture will be nothing new to authorised institutions. However, the letter sets out specific areas that you should consider including in your review of your regulatory compliance. These include the compliance culture in your business; the maturity of internal risk and control frameworks; succession planning; adequacy of compliance and internal audit functions; clear reporting to the Board; and customer disclosures.
- Warning on lack of planning frameworks
The Central Bank’s letter calls out the industry for a lack of locally run robust strategic and capital planning frameworks. Authorised institutions should therefore ensure their capital adequacy policy, financial forecasts, and stress testing are underpinned by clear definitions, logical assumptions and robust stress testing. Additionally, institutions should test their wind-up strategies, making sure that the scenarios are plausible and appropriately modelled.
- Review and re-review regulatory reporting processes
After the surprisingly smooth ‘go live’ day of XBRL reporting, it might now be worth reviewing your regulatory reporting processes again. The letter gives a striking figure that approximately one in five firms in the sector “have submitted inaccurate regulatory returns to the Central Bank during the last 12 months”. Regulatory reporting governance and controls are essential for ensuring accurate data is presented to the regulator. Too often, compliance functions are expected to complete the reports, creating a lack of control over the submitted data. Instead, front-line teams should complete the reports, with oversight from the compliance function.
- Operational resilience remains a key area of focus
Operational resilience, and its relation to outsourcing, has been a growing area of regulatory focus not just in Ireland but across Europe (through the Digital Operational Resilience Act) and the UK in recent years. The increase in major incidents suggests incomplete mapping or misaligned impact tolerances of important functions and their underlying interdependencies. Testing and improving your operational resilience is often a painful process but always worthwhile because it will inform and underline significant decisions within your business.
- Beware deficiencies in AML and CTF processes
The ever-topical areas of Anti-Money Laundering and Countering Terrorist Financing remain high on the agenda of the Central Bank. The Dear CEO letter voices clear concerns on the application of risk-based approaches, the usage of agents and distributors, and the misapplication of Simplified Due Diligence to e-money products.
While the letter points out areas of weakness in the regulatory compliance of many payment and e-money firms, it also makes a positive case for improving compliance: that appropriate governance and control arrangements will help firms to “grow safely and sustainably, and contribute to the financial ecosystem in a positive way”.
fscom specialises in advising and auditing payment and e-money institutions on all of these key areas. We are specialists in safeguarding audits and we can support firms to assess their systems and controls against the expectations set out in the letter and identify any remedial action that should be taken. If you want to discuss this, and how fscom can help you to improve your approach to regulatory compliance, contact us today.