Ireland: Fintech 2023

Fintech in Ireland: an Introduction

As 2023 progresses, Ireland's fintech sector is continuing to mature and evolve. This article sets out some of the key trends and developments in the sector.

Supervisory focus on safeguarding

Following a year of intense supervision during 2022, on 20 January 2023 the Central Bank of Ireland (CBI) issued a new Dear CEO Letter addressed to the payment institutions (PIs) and electronic money institutions (EMIs) it has authorised and supervises (the “2023 Dear CEO Letter”). The 2023 Dear CEO Letter follows an earlier letter from December 2021, which sought to provide greater clarity on the CBI's supervisory expectations for the PI and EMI sector in Ireland.

The main action arising from the 2023 Dear CEO Letter is that all PIs and EMIs must have an external audit opinion of their safeguarding processes completed by 31 July 2023. The CBI has imposed this requirement after finding that one in every five firms it supervises submitted inaccurate regulatory returns to the CBI during 2022. Furthermore, one in every four firms it supervises self-identified deficiencies in their safeguarding frameworks during the course of 2022.

The 2023 Dear CEO Letter is helpful in providing a list of items against which PIs and EMIs can benchmark their safeguarding frameworks, because these are essentially new regulatory requirements that will need to be considered by all firms going forward (to the extent they have not already done so). Many firms may now be refining their safeguarding frameworks ahead of the external audit being completed in the coming months.

It is notable that most other sectors that are supervised by the CBI and that hold client moneys (eg, MiFID investment firms, fund administrators, collective investment schemes) have bespoke sector-specific rules governing both the operational requirements and the risk management requirements that apply to their safeguarding processes. The PIs and EMIs operating in Ireland do not currently have the benefit of clear, well-defined regulatory expectations; arguably, a series of annual ad-hoc Dear CEO Letters will not, by themselves, provide a comprehensive and fully transparent regulatory rulebook for firms in the sector to follow. Further work is expected to be undertaken by the CBI during 2023, and in time there is expected to be a bespoke sectoral framework around safeguarding requirements for PIs and EMIs in Ireland.

Governance and risk management expectations continue to increase

A second major theme in the 2023 Dear CEO Letter is that the governance, risk management and internal control frameworks of many EMIs and PIs do not keep pace with their business strategies and business objectives. Since the authorisation and supervision of EMIs and PIs moved to the CBI's Banking Supervision Directorate during 2021, this regulatory concern has presented itself in a number of ways.

Pre-Approval Controlled Function (PCF) holders in key roles (such as CEO, Chief Risk Officer, Head of Compliance, Head of Internal Audit and Chair of the Board) should be intimately involved in the drafting of any authorisation application submitted to the CBI and should expect to be interviewed by the CBI prior to being approved for that role. The CBI is known to scrutinise the résumés and career experience of PCF candidates very closely. Since this supervisory practice was adopted, candidates without considerable prior experience in the area they are being proposed for are unlikely to be approved, and there is also an expectation that group personnel being nominated to take on PCF roles are intimately familiar with Irish and EU regulatory requirements.

Firms seeking authorisation are now required to be very clear in their three-year staffing forecast in terms of resourcing for the functions within the second and third lines of defence. The CBI will require there to be dedicated local executives serving as Chief Risk Officer and Head of Compliance, and ideally there will be an additional number of local employees supporting the relevant PCF holders in those functions.

Increasingly, firms will not make much headway with their authorisation applications where compliance and risk functions are based at group level and local resourcing based in Ireland is proposed to be limited. This is borne out by the fact that the CBI perceives EMIs and PIs to be weak at succession planning, often arising from the fact that too many functions are reliant on just one or two people, or are over-reliant on secondments from personnel based at group level.

The CBI also appears to be retrospectively applying its current regulatory standards (which it applies to firms seeking authorisation) by conducting inspections on and issuing risk mitigation programmes to existing firms. This supervisory trend is consistent with the CBI's approach over recent years in other sectors it supervises, such as fund management companies. The main result of this supervision practice is that firms are often being required to take on additional staff, resulting in firms allocating extra resources to their operations, finance, risk, compliance and audit functions in the main. This helps firms to engage in better succession planning, better management information reporting and better oversight of their regulated operations overall.

Virtual asset service providers (VASPs) in Ireland

The domestic AML/CTF registration regime for firms acting as VASPs in Ireland has progressed significantly of late, with five VASPs permanently authorised by January 2023 and more expected to follow in the coming months. The definition of a “virtual asset” is in line with the latest recommendations of the Financial Action Task Force in this area and is technologically neutral. Irish firms that wish to offer some kind of virtual asset -based product or service have registered, regardless of whether or not they hold a regulatory authorisation from the CBI under other legislation.

To date, the Irish registration process run by the CBI for VASPs has been very focused on AML/ CTF compliance and less so on other areas that are undoubtedly important operational considerations for any firm operating in the virtual assets industry, such as client money controls, information security arrangements and business continuity planning. Undoubtedly, the regulatory focus will broaden in time once the AML/CTF registration regime is replaced with the more comprehensive Markets in Crypto-Asset Regulation (MiCA) legislative proposal that is now finalised politically and will be made law during Q2 of 2023 and come into full force during 2024.

It is also worth noting that many of the world's largest crypto-exchanges have established Irish EMIs to act as their fiat on-ramp and off-ramps, which means that the CBI has good familiarity with the virtual asset sector. It is reasonable to expect that many of these entities will seek to expand their range of activity beyond e-money issuing to include the additional permissions that the MiCA regime will offer and passport these across the EEA in the coming period.

In recent times, there has been a rush to unveil new regulations to better regulate virtual asset advertising to retail customers and to curb misleading advertising in the UK and several EU member states. Ireland's own advertising standards watchdog says it is monitoring developments in other countries but has yet to formally regulate the sector. Furthermore, the CBI is only empowered to regulate the advertising of regulated financial products and services, so advertising by the sector remains essentially unregulated. The CBI is updating its 2012 Consumer Protection Code and, notably, this is one area that has been earmarked for review and reform, so watch this space during 2023.

The opportunity for fintechs to dislodge the main retail banks in Ireland

2021 saw two major retail banks (Ulster Bank and KBC Ireland) announce that they were quitting the Irish market for good and signal their intention to close down all customer accounts during 2023. These banks are now at an advanced stage of quitting Ireland, and there is currently an unprecedented level of consumer switching occurring in the Irish retail market for payment service providers. Furthermore, many of the remaining retail banks are continuing to scale down the number of branches they have located around Ireland.

This shift in the Irish banking sector represents perhaps the single biggest opportunity for fintechs to grow and win a significant number of new Irish customers (both consumers and business) in the coming years, particularly since the COVID-19 pandemic brought about a huge jump in the numbers of Irish people using mobile apps and contactless payments instead of cash and cheques. Strong customer authentication has also been successfully rolled out across the Irish market.

With all of this in mind, a number of major EEA fintechs are eyeing up the Irish market with a view to making the most of the competitive opportunities that will arise here during 2023. Those with deposit guarantee scheme features and local Irish IBAN capabilities are expected to do best out of this once-in-a-generation shift in retail banking in the Irish market.

Review of PSD2 and the proposed PSD3 directive

During 2022, the European Banking Authority prepared a report in response to the European Commission's call for advice on the review of the Payment Services Directive 2 (PSD2). The suggestions for reform included:

• merging the PSD2 directive with the Electronic Money Directive 2 into a single regulatory framework;
• addressing the risks for consumers posed by authorised push payments fraud;
• clarifying the scope of the commercial agent exclusion and limited network exclusions in PSD2;
• moving beyond the “open banking” reforms of PSD2 to facilitate a greater range of “open finance” products in the EEA market; and
• adjusting the prudential requirements for payment institutions and e-money institutions, including greater clarity on the nature and extent of safeguarding rules for the sector.

The European Commission is expected to table a draft PSD3 during Q2 of 2023, which is likely to take account of these suggestions. It will then be open to the EU Parliament and EU Council to review, comment and amend the draft before final adoption into law, perhaps during 2024.

The revision of PSD3 is expected to be of significant interest to all fintechs operating in Ireland because it is likely to alter the scope of the regulatory perimeter for regulation and to lead to some significant changes in the prudential requirement models and regulatory permissions under which existing payment service providers currently operate.

Operational resilience

The adoption of the Digital Operational Resilience Act (DORA) by the EU in December 2022 now sits alongside the CBI's Cross Industry Guidance on Operational Resilience (the “Guidance”) published in December 2021, and shows that digital operational resilience will be a key supervisory focus for Irish fintechs during 2023 as these new frameworks come into full force. Indeed, the CBI has made clear that the topic is a significant area of policy development and that the strengthening of operational resilience across the firms it supervises is one of its strategic objectives.

The Guidance sets out the CBI's expectations of firms in terms of implementing an effective operational resilience framework. The Guidance is based on 15 Guidelines framed around three pillars of operational resilience:

• Identify and Prepare;
• Respond and Adapt; and
• Recover and Learn.

Crucially, the Guidance relates to resilience in respect of all types of operational disruptions, not just digital operational disruptions. Helpfully, anticipating the adoption of DORA, the CBI noted in its feedback statement to the consultation paper on the draft Guidance that the Guidance was “in line with international best practice and compatible with and complementary to DORA”, and that it had “determined that there are no contradictions between this Guidance and the forthcoming DORA regulation”.

The CBI also committed to “continue to update and align the intended outcomes of our supervisory approach with relevant international operational resilience policy developments as they evolve”, and to “monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices”. Consequently, any work being carried out by firms in preparation for the 1 December 2023 deadline for compliance with the Guidance will be compatible and complementary to any work required to demonstrate compliance with the obligations under DORA in due course.

It should, however, be flagged that the level of work required to ensure compliance under DORA will likely exceed that required under the Guidance, particularly in terms of specificity of actions. In addition, the CBI has undertaken a number of operational resilience maturity assessment inspections on firms during 2022 and this trend is expected to continue during 2023, with an expectation that firms should now be putting board-approved operational resilience frameworks in place that are bespoke to the needs of their business and operating models.

Originally Published by Chambers And Partners

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.