RegSol Blog Posts
Competition (Amendment) Act 2022
September 2023
On 27th September 2023, the Competition (Amendment) Act 2022 will largely come into operation. The Amendment Act increases the Irish merger control and competition law powers of the Competition and Consumer Protection Commission (“CCPC”). The commencement order was signed by the Minister for Enterprise, Trade and Employment on 13 September 2023 and the Amendment Act will enter into operation on 27 September 2023 (excluding Section 26).
The main changes introduced by the Amendment Act include:
- increased merger control powers for the CCPC (such as the statutory ability to call in unnotified ‘sub-threshold’ transactions, the ability to impose interim measures on notified deals and, in certain cases, the ability to unwind anti-competitive transactions)
- new powers for the CCPC including EU and Irish competition law administrative and enforcement powers
- changes to criminal law sanctions, including a new offence of bid-rigging, increased fines and new standards of proof for competition law breaches
- a new distinct offence of ‘bid-rigging’
- increased dawn raid powers for the CCPC
- increased surveillance powers for the CCPC
Ahead of the commencement date, the CCPC have issued a set of policies, procedures and guidelines which provide guidance on how the new regime will operate. These published policies will take effect from 27 September 2023.
- mandatory notifiable transactions.
- those which are voluntarily notified either pre- or post-implementation.
- those which are neither mandatorily notifiable nor voluntarily notified but which are “called in” by the CCPC.
The full amendment act can be found HERE
Data Protection Commission Outcome of Prosecution proceedings for marketing offenses
September 2023
On 11th September 2023, the Data Protection Commissioner (“DPC”) announced the outcome of the prosecution proceedings against Chill Insurance Limited, Hidden Hearing Limited, The Multiple Sclerosis Society of Ireland and Vodafone Ireland Limited.
The DPC noted that the Dublin Metropolitan District Court had identified the following violations in contravention of Regulation 13 of Statutory Instrument 336 of 2011:
· Chill Insurance pleaded guilty to two charges related to sending to one individual one unsolicited marketing SMS without consent and without a valid opt-out.
· Hidden Hearing pleaded guilty to four charges related to sending of unsolicited marketing SMS and telephone calls to four individuals without consent.
· The Multiple Sclerosis Society of Ireland pleaded guilty to one charge related to the sending of an unsolicited marketing email to one individual without consent.
· Vodafone Ireland pleaded guilty to one charge related to the sending of an unsolicited marketing email to one individual without consent.
The Court applied the Probation of Offenders Act 1907 on the basis of a charitable donation of €500 each to Little Flower Penny Dinners. Furthermore, the Court also convicted Vodafone Ireland on the one charge, and it imposed a further fine of €500 to be paid within three months.
You can read the full press release HERE
On 20th September 2023, the Data Protection Commissioner (“DPC”) announced the outcome of the prosecution proceedings against Alpha Wealth Limited, a Financial Advisory Company.
The DPC noted that Alpha Wealth Limited pleaded guilty to two charges in violation of Regulation 13 of Statutory Instrument 336 of 2011 (E-Privacy Regulations) for the sending of unsolicited marketing email communications to two individuals without consent, in January 2023. The Company previously received warnings from the DPC in 2022 following an investigation of a previous complaint regarding unsolicited marketing emails sent to one of the individuals concerned.
The Court applied the Probation of Offenders Act 1907 on condition that Alpha Wealth donates €500 to each individual concerned by 18th October. Failing compliance with that Order, it would convict the defendant and apply a fine of €1,000.
You can read the full press release HERE.
Data Protection Commissioner TikTok Fine
September 2023
On 15th September 2023, the Data Protection Commissioner (“DPC”) published its final decision regarding its inquiry into TikTok’s data processing practices involving children’s data. The social media platform was fined €345 million for shortcomings in adequately protecting children and their personal data, while using the platform.
The EDPB adopted a binding decision on the matter on August 2, 2023 (in accordance with the Article 65 GDPR dispute resolution mechanism) after consulting with its supervisory counterparts in other EU Member States following an investigation into the platform between July 31, 2020, and December 31, 2020. The DPC adopted its final conclusion in response to this EDPB ruling, stating its major findings of non-compliance with several GDPR rules as follows:
· profile settings for child user accounts on the TikTok platform were set to ‘public’ by default, meaning anyone (on or off the platform) could view the content posted by the child user;
· the ‘Family Pairing’ setting allowed an adult user (who could not be verified as the parent or guardian of the child) to pair their account to a child’s account. This allowed the adult user to enable direct messages for children above the age of 16, which posed several possible risks to child users;
· the ‘public by default’ setting on children’s accounts posed several significant risks to children aged under 13 who gained access to the platform;
· TikTok failed to provide sufficient transparency information to children who use the platform; and
· TikTok implemented ‘dark patterns’ by nudging users towards choosing more privacy-intrusive options during the registration process, and when posting videos.
In addition to the administrative fine, the DPC has issued a reprimand and an order requiring TikTok to bring its processing into compliance within a period of three months from 1st September 2023. TikTok has disagreed with aspects of the decision, mentioning that the settings and features of the platform condemned by the DPC in its decision had been updated to enhance protection of child users, even before the DPC’s investigation commenced.
The full press release can be read HERE
EIOPA Cyber Insurance Survey for SMEs
September 2023
On 20th September 2023, the European Insurance and Occupational Pensions Authority (“EIOPA”) launched a survey on access to cyber insurance by small and medium-sized enterprises (“SMEs”) to better understand the challenges SMEs face in protecting themselves against cyber risks and assess the level of access to cyber insurance.
The survey will collect information on the size and type of business of the companies surveyed, the level of awareness of cyber risks in relation to their business, the availability, affordability and understanding of cyber insurance products. It will also highlight SMEs’ experience and perceptions of cyber insurance, including whether they have considered taking out a policy, the factors that influenced their decision (not to) take out cover and potential barriers to taking out cover.
SMEs are invited to take part until 20th March 2024. Access the survey HERE
Data Protection Commission Inquiries
August 2023
1) Inquiry Concerning the Department of Health – June 2023
The Data Protection Commission (“DPC”) has imposed a fine of €22,500 on the Department of Health (“DoH”) after completing an inquiry into certain aspects of its processing of personal data in 29 litigation files.
The DPC’s statutory inquiry was commenced following public allegations in 2021 that the DoH had unlawfully collected and processed personal data about plaintiffs and their families in the context of litigation surrounding the plaintiffs’ special education needs.
The DPC concluded that the DoH did not infringe data protection law by seeking information about the services that were being provided to plaintiffs; however, the DoH did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. The DoH had no lawful basis for processing such data, and also did so in breach of the data minimisation principle.
The DPC imposed the fine of €22,500 for the DoH's infringements of Articles 5(1)(c) (data minimisation principle), 6(1) and 9(1) (lawful basis requirements), 6(4) GDPR (further compatible processing requirements). The DPC also issued a reprimand on the DoH in respect of these infringements, as well as for infringements of Articles 5(1)(c) and 32(1) (security obligations) and 14 (transparency obligations). In addition, the DPC imposed a ban on the DoH processing the excessive personal data and special category data in the litigation files in question for the purposes of determining an appropriate time to settle a case.
For more information, the full decision can be found HERE.
2) Inquiry concerning Airbnb Ireland – June 2023
The DPC has published the final decision, issued on 21st June 2023, in which it imposed a reprimand and corrective measures on Airbnb Ireland UC for violations of the GDPR. The DPC commenced its inquiry following a complaint that Airbnb Ireland had unlawfully requested a copy of the complainant’s ID to verify their identity, which had not previously been requested by Airbnb. Initial attempts by the complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. The complainant contended that this went against the principles of data minimisation and that Airbnb also failed to comply with the principles of transparency and provision of information.
Following its investigation, the DPC found that Airbnb’s retention of a copy of the complainant’s ID following successful completion of the verification process infringed the principle of data minimisation under Article 5(1)(c) and the principle of storage limitation under Article 5(1)(e). The DPC also found that the continued processing and retention of partially redacted and out of date IDs that had been deemed inadequate or insufficient to verify the identity of the complainant infringed the same principles.
In light of these infringements, the DPC issued a reprimand to Airbnb Ireland. In addition, the DPC made the following orders against Airbnb Ireland to remedy the infringements identified and to prevent similar infringements occurring in the future:
- Delete from all of its systems and records the redacted and out of date copies of the complainant’s IDs
- Delete from all of its systems and records the IDs that the complainant uploaded
- Revise its internal policies and procedures concerning user verification to ensure that:
  a. once the identity of data subjects has been verified to Airbnb Ireland’s satisfaction, it discontinues the practice of retaining improperly redacted and/or out of date IDs which may be submitted by data subjects as part of the identity verification process; and
  b. the period for which valid or fraudulent or illegitimate IDs submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum period.
For more information, the full decision can be found HERE
Department of Finance - MiCA: Consultation Opened on National Discretions
August 2023
On 9th August 2023, the Department of Finance (“DoF”) launched a public consultation on the exercise of certain national discretions contained in the EU Markets in Crypto-Assets Regulation (“MiCA”). The DoF is consulting on how Irish law should address transitional arrangements for existing Virtual Asset Service Providers (“VASPs”) already providing services in accordance with Ireland’s domestic regulatory framework.
While MiCA was enacted in June 2023, the new framework and obligations that it creates will mostly take effect during 2024. Read our previous blogpost on MiCA here.
As an EU regulation, MiCA has direct effect in EU member states; however, it does leave certain matters to each member state’s discretion, and Ireland’s decision on those matters will need to be implemented through national legislation; thus the DoF’s current consultation.
The DoF is consulting on the following four discretions:
- Public Disclosure of Inside Information (Article 88(3))
- Administrative Penalties and Administrative Measures (Article 111(1))
- Transition Period for Existing Crypto-Asset Service Providers (Article 143)
- Simplified Authorisation Application for existing CASPs (Article 143(6))
This consultation represents an opportunity for participants, especially existing VASPs, to have their say on the shaping of some important policy and legislative issues. The consultation closes on 15th September 2023.
Read the full Consultation here
Central Bank of Ireland: Product Oversight and Governance (“POG”) Thematic Review
August 2023
A thematic inspection of product oversight and governance was undertaken by the Central Bank of Ireland in the latter half of 2022. The inspection included a selection of six non-life insurance undertakings to assess the current level of controls, processes and systems in place relating to POG arrangements. The inspection focused on five key control areas:
- POG policies & procedures
- Underwriting controls
- Post implementation reviews
- Risk management oversight; and
- Board oversight
Key themes identified:
- Board Oversight
The inspection found that there wasn’t always strong Board oversight of all new products and material changes to existing products. The CBI notes that Boards should have a sign-off role for new products and material product changes.
- Risk Management
The CBI found the risk function’s role in POG arrangements to be lacking in some instances. The CBI stated that the POG process should be meaningful and a control that is integrated with both the emerging risk and Own Risk Solvency (“ORSA”) process.
- Policy Wording
The CBI outlined its expectation that firms ensure sufficient resources and attention are provided to ensure any potential detriment to the firm and the customer is identified and mitigated without delay and also have in place a plan of ongoing policy wording reviews.
- Protection Gaps
The CBI found that while undertakings in general are aware of EIOPA’s recent Supervisory Statement and the requirements within, these requirements need to be reinforced to ensure that the POG process considers both prudential and consumer considerations.
The CBI also outlined various good practices which firms should consider embedding into their own POG arrangements, such as the CRO having a ‘gatekeeper’ role with responsibility for considering materiality of product changes, having at least one member of the Board with a general insurance background and a detailed understanding of products, establishing a customer forum and dedicated wordings committees, and implementing a schedule of product reviews and manual wordings, to name a few.
The CBI concluded that:
- To ensure they have a complete awareness of their exposures in connection to the products they offer, many undertakings need to take additional steps to guarantee they have reliable procedures and controls, as well as technical expertise to advise on and challenge.
Central Bank of Ireland: Dear Chairperson Letter on Trading Venue Compliance with Requirements under MAR
August 2023
The CBI has published a letter, dated 26th July 2023 and addressed to trading venue operators, outlining the findings of the CBI’s thematic inspection of operators’ market surveillance arrangements and their compliance with the Market Abuse Regulation (“MAR”).
The inspection identified several failings concerning the effectiveness of market surveillance arrangements:
- Governance, MI Reporting and Training: Boards, Senior Management Teams and Second Line of Defence were unable to demonstrate the necessary level of understanding, accountability and ownership with regards to surveillance systems. MI was not sufficiently detailed to evidence adequate escalation of issues and specific surveillance training was not provided on a formal basis to all staff, including Board members.
- Prevention, Detection and Assurance: Trading Venues do not have sufficiently effective procedures, systems and staff in place to effectively prevent, monitor, detect and identify market abuse issues. Gaps were identified in relation to real time surveillance, resources, and controls.
- Suspicious Transaction Order Reports (“STORs”): The number of STORs received by the CBI from Trading Venues has decreased substantially since 2018. This does not reflect the fact that the quantity of transactions has increased and the number of overall STORs received by the CBI has increased. Issues identified during the inspection include Compliance officers having no formal role in relation to the production and review of STORs and no internally set deadlines to ensure timely STOR submission.
The CBI requires that the Chairpersons take responsibility for the findings in the letter, ensuring that it is discussed, minuted, and actioned. The CBI requires trading venues to immediately commence a review of the trade surveillance arrangements.
The full letter can be read HERE
Central Bank of Ireland: Engagement Update on Consumer Protection Code Review
August 2023
On 31st July 2023, the CBI published an engagement update following on from its discussion paper published in October 2022, on the review of the Consumer Protection Code 2012. The CBI has conducted a six month engagement programme across a wide array of stakeholders, which included round tables, bilateral meetings, industry events, public surveys and written stakeholder submissions.
From the feedback sought, five themes have emerged:
- Digitalisation: New technologies have provided greater opportunities for customers, but firms must ensure that the needs of all customers continue to be met.
- Vulnerable Customers: firms need to be able to identify actual or potential vulnerability characteristics and support customers through changing life events.
- Transparency: standardised and clear disclosure requirements need to be provided to accurately inform customers, ensuring that information provided is not excessive.
- Financial Literacy: improved financial education can aid customers in a number of key financial areas.
- Regulatory status: it must be clear if firms and products are not regulated by the CBI. The availability of unregulated products by regulated firms creates confusion for customers.
The CBI intends to introduce a revised and modernised Consumer Protection Code 2024, which will include consolidating existing rules with the Code of Conduct on Mortgage Arrears (“CCMA”). It plans to consult on the Code in December 2023.
Following adoption of the revised Code in 2024, work on further enhancements to the Code will be undertaken over the course of 2024, with additional Regulations planned for 2025.
The full Engagement Update can be read HERE
Central Bank of Ireland Discussion Paper on Macroprudential Policy for Investment Funds
July 2023
On 18th July 2023, the Central Bank of Ireland (“CBI”) published a Discussion Paper seeking views on a new macroprudential policy framework for investment funds (“DP11”). It aims to advance ongoing European discussions on how a macroprudential perspective in the regulation of the funds sector could be achieved. It discusses important factors to take into account when creating and implementing such a framework.
A macroprudential framework for the funds sector would adopt a systemic viewpoint and seek to make sure that this expanding area of the financial industry is more stress-resistant and less likely to magnify negative shocks. As a result, the sector would be better prepared to contribute as a dependable source of funding, supporting larger-scale economic activities.
The Central Bank is seeking feedback from stakeholders on a number of issues raised in the discussion paper to inform further analysis and policy work in this area via an online survey which will run until 15 November 2023.
The full Discussion Paper can be found here
Central Bank of Ireland: Dear CEO Letter to High-Cost Credit Providers
July 2023
On 30th June 2023, the Central Bank of Ireland (“CBI”) issued a Dear CEO Letter to High-Cost Credit Providers (“HCCPs”). The aim of the letter was to give an insight into the findings from CBI supervisory engagements with HCCPs and to set out their expectations in relation to HCCPs’ compliance with their AML/CFT & Financial Sanction obligations.
The CBI highlighted a lack of compliance with legislative obligations in the following areas:
- HCCPs have not adequately considered their obligations under the CJA 2010 and therefore have not ensured that their business operations and control frameworks are compliant;
- Some HCCPs have not undertaken a business wide risk assessment (“BWRA”) and therefore are not in a position to identify their ML/TF;
- Some HCCPs have not sufficiently tailored the BWRA and/or AML/CFT policies and procedures to the business model, limiting their ability to implement an appropriate control framework;
- Many HCCPs were unable to demonstrate compliance with a number of obligations under the CJA 2010, including adequate customer due diligence, ongoing monitoring and suspicious transaction reporting.
Further points noted by the CBI in the letter include:
- The importance of complying with all relevant obligations under the CJA 202, regardless of size or structure of the entity.
- Many HCCPs did not have documented AML/CFT frameworks or AML/CFT policies and procedures in place.
- The CBI outlined their concern regarding the level of deficiencies it has observed in relation to the responses via the Risk Evaluation Questionnaire (“REQ”).
- The CBI reminded HCCPs of their obligation to provide accurate, complete and timely information when requested to do so by the CBI.
All HCCPs are required to review the findings and expectations in the letter and where gaps/weaknesses are identified by the HCCP, they are required to take steps to remediate the identified gaps/weaknesses in a timely manner.
The full Dear CEO Letter can be accessed here
Central Bank of Ireland Consultation Paper seeking views on enhanced enforcement process
June 2023
On 22nd June, the Central Bank of Ireland (“CBI”) launched a 12 week consultation (“CP154”) on enhancements to the Administrative Sanctions Procedure (“ASP”). The purpose of CP154 is to seek views on the revised procedures in the ASP following the introduction of changes under the Individual Accountability Framework (“IAF”) and to provide guidance in an open and clear manner as to how the CBI proposes to operate these revised procedures.
The IAF was signed into law on 9th March 2023. The Act introduces several changes to the ASP under Part IIC of the Central Bank Act 1942. The strengthened ASP is designed to underpin and support the introduction of IAF and in particular, the Senior Executive Accountability Regime (“SEAR”) and conduct standards for firms and individuals.
This follows CP153 on the Enhanced governance, performance, and accountability in financial services, which closed on 13th June and included regulatory guidance and draft regulations supplementing the IAF. Read our blogpost on CP153 here
The Consultation will remain open from 22nd June to 14th September. When submitting a response via email, the CBI asks that respondents include the following subject heading in their email “Consultation Paper 154 on the ASP Guidelines under the Individual Accountability Framework” and address their response to ASPconsultation2023@centralbank.ie. The CBI will then review all feedback received on the Consultation and prepare a Feedback statement for publication online.
View the full press release and consultation paper here
European Commission: Retail Investment Package
June 2023
On 24th May 2023, the European Commission (“Commission”) adopted the Retail Investment Package as part of its 2020 capital markets union action plan. The retail investment package consists of two legislative proposals:
- A proposed Directive amending the UCITS Directive, Solvency II Directive, AIFMD, MiFID II Directive and Insurance Distribution Directive as regards retail investor protection rules (referred to as the “Omnibus Directive”) (here); and
- A proposed Regulation amending the PRIIPs Regulation as regards modernisation of the key information document (here).
One of the primary goals of the 2020 capital markets union action plan is to make the EU a safer place for long term investments. The retail investment package aims to achieve that goal while also encouraging involvement in EU capital markets.
Key Features of the Retail Investment Package
According to the Commission, the retail investment package includes ambitious and wide-ranging measures:
- Disclosure: the package will change the existing disclosure rules to respond to digitisation and to meet investors’ growing sustainability preferences. For example, investment firms, insurance intermediaries and insurance undertakings distributing insurance-based investment products will have to display appropriate risk warnings.
- Costs: new rules will require the use of standard presentation and terminology on costs. The package will include new provisions in the UCITS Directive and AIFMD to define the conditions for considering that costs are due and provide rules in the pricing process.
- Inducements: the package introduces restrictions and safeguards in relation to inducements and advice, based on a staged approach by:
  - Banning inducements for sales of investment products where no advice is provided;
  - For sales where advice is provided, replacing the current criteria with a new uniform test specifying the duty for advisors to act in the best interests of the client; and
  - Where inducements are allowed, requiring distributors to inform clients about what the inducements are as well as their costs and impact on investment returns.
- Marketing: financial intermediaries will be fully responsible for the use and misuse of their marketing communications.
- Advisors: the package intends to apply a high standard of qualifications to financial advisors and compliance with requirements will need to be proved by obtaining a certificate.
- Professional Investors: The new rules are intended to reduce administrative burdens and increase product and service accessibility for sophisticated retail investors by making the qualifying conditions for becoming a professional investor more equitable upon request. MiFID II amendments include lowering the wealth criteria from €500,000 to €250,000, adding a fourth possible criterion pertaining to education or training, and allowing legal entities to qualify as professional.
Central Register of Beneficial Ownership of Companies: New Restrictions on Access
June 2023
Since 13 June 2023, persons seeking to inspect information on the central register of beneficial ownership of companies must first demonstrate they have a “legitimate interest” in anti-money laundering and countering terrorist financing, to justify that access. The changes are introduced under new 2023 Regulations, following a significant 2022 judgement of the Court of Justice of the European Union.
“Legitimate Interest” Requirement
A person may not access the central register unless they can demonstrate to the Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies (“the Registrar”) that:
- The person is engaged in the prevention, detection or investigation of money-laundering or terrorist financing offences;
- They are seeking to inspect the information for those purposes; and
- The access would be in respect of an entity that is connected with a person that has been convicted of an AML offence or who holds assets in a high-risk third country.
Making a submission and, if necessary, providing an information document pertaining to the requestor’s previous AML activities to the Registrar will demonstrate “legitimate interest”.
Read the 2023 Regulations (European Union (Anti-Money Laundering: Beneficial Ownership of Corporate Entities) (Amendment) Regulations 2023) here
Central Bank of Ireland Annual Report and Annual Performance Statement 2022-2023
June 2023
On 24th May 2023, the Central Bank of Ireland (“CBI”) published its Annual Report and Annual Performance Statement 2022-2023. The report provides an overview of activities and work completed by the CBI in 2022, as well as outlining key priorities for 2023.
Authorisation Activity
In 2022, the CBI received a high volume of new applications for various types of authorisations.
The investment fund sector continued to grow in scale and complexity with a significant volume of funds (744) and fund service provider (23) authorisations in 2022.
4 Virtual Asset Service providers (“VASPs”) were registered in 2022.
2022 also saw the CBI begin authorisation processes for providers of hire purchase, buy-now-pay-later and consumer hires, as well as introducing new requirements for high cost credit providers.
233 applications for retail intermediary/brokers were approved.
2023 Key Priorities
In the near term, we can expect to see a feedback statement following the Discussion Paper on the Consumer Protection Code, followed by a consultation paper. The review of how the Innovation Hub is functioning will begin (that is also a key deliverable under the Government's updated 'Ireland for Finance' strategy).
The key priorities remain consistent with those signposted in detail by the Central Bank ‘Dear CEO’ letter to all regulated firms. See our published blogpost here
The Full Annual Report and Annual Performance Statement can be found here
Section 35 The Companies (Corporate Enforcement Authority) Act 2021 Commencement of section 888A of the Companies Act 2014
May 2023
With effect from 23rd April 2023, there is a new requirement to furnish a Personal Public Service (“PPS”) number or Verified Identity Number (“VIN”) when filing the following forms with the Companies Registration Office (“CRO”):
- Form A1 – incorporation of a new company
- Form B10 / B69 – notifying a change of director
The requirement protects the integrity of the registration of businesses and protects against the misuse of director identities.
The CRO will verify the director's first name, surname, date of birth and PPS number submitted by crosschecking the information against data held by the Department of Social Protection (“DSP”).
PPS numbers, RBO numbers and VINs will not be accessible on the public register.
In accordance with Section 888A(2) of Companies Act 2014, any person who, without just cause, fails to comply shall be guilty of a Category 4 offence which can result in a fine of up to €5,000.
Central Bank of Ireland Updated Fitness & Probity process for Individual Questionnaires
May 2023
In March 2023, the Central Bank updated its Individual Questionnaire (“IQ”) which must be submitted by any person seeking approval from the Central Bank to perform a PCF Function under the Fitness & Probity Regime. It also published draft guidance on a new process for the submission of IQs via the Central Bank Portal, which is applicable from 20th April.
A PDF version of the updated IQ can be accessed here
The Central Bank’s guidance on the submission of the IQ can be accessed here
European Commission Markets in Crypto-Assets Regulation
May 2023
The European Commission introduced in September 2020 a proposal for a regulation on Markets in Crypto-Assets (MiCA) as part of its digital finance strategy.
MiCA will apply across the European Union without any need for national implementation laws. This approach is in line with consumer protection and ensuring effective and harmonised access to the innovative crypto-assets markets across the single market. The MiCA regulation has four essential objectives:
- Ensuring legal certainty by establishing a sound legal framework for crypto-assets in its scope that are not covered by existing financial services legislation;
- Supporting innovation and fair competition in order to promote the development of crypto-assets by instituting a safe and proportionate framework;
- Protecting consumers, investors and market integrity in consideration of the risks associated with crypto-assets; and
- Ensuring financial stability, with the inclusion of safeguards to address potential risks to financial stability.
MiCA will be phased in across the EU in two parts – the first part will deal with stablecoins which will become applicable within 12 months’ time (around Q2 2024), while the second part will address Crypto Asset Service Providers (CASPs) which will apply within 18 months (around Q4 2024).
Crypto-Assets in Scope of MiCA
A majority of crypto-assets which are not already governed by other regulations, such as security tokens and central bank digital currencies, shall fall into the scope of MiCA:
Crypto-assets, other than e-money tokens or asset-referenced tokens, offered to the public are also in scope of the regulation, underlining the objective to have a broad scope.
Who will be caught by the legislation?
Crypto-Asset Service Providers (“CASPs”) are defined in MiCA as “any person whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis.” The European legislators have opted for the term ‘Crypto’ as opposed to ‘Virtual’ which is used both in Ireland and internationally by the Financial Action Task Force (“FATF”).
Under MiCA, the definition of crypto-asset services is such that a business providing at least one of the following activities may be classed as a CASP:
- exchanging crypto assets and fiat currency (e.g. using Euro to buy Bitcoin);
- exchanging one class of crypto assets for another (e.g. using Bitcoin to buy Ethereum);
- the custody and administration of crypto-assets on behalf of third parties;
- the operation of a trading platform for crypto-assets;
- the execution of orders for crypto-assets on behalf of third parties;
- the placing of crypto-assets;
- the reception and transmission of orders for crypto assets on behalf of third parties; and
- providing advice on crypto-assets.
The final category encapsulates the broad nature of MiCA, as ‘providing advice’ could be construed as a catch-all for any operator in this space. These categories also go a lot further than the existing definition of a Virtual Asset Service Provider (“VASP”) under the Irish Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021.
Obligations of issuers of crypto-assets under MiCA
- The publication of a whitepaper having some similarities with prospectuses published under the prospectus regulation
- The necessity to be authorised to issue crypto-assets
- Compliance with certain prudential rules when marketing crypto assets; and
- The obligation to act honestly, fairly and professionally vis-à-vis crypto-asset holders, in particular in relation to conflict management and prevention or maintenance of security access protocols.
The applicable regime depends on several elements, notably the type of crypto-asset offered and the amount of the offer.
Read the recent European Council Press Release here
Data Protection Commission: Meta Fine of €1.2 billion
May 2023
On 22nd May 2023, the Data Protection Commission (“DPC”) announced that it had issued its decision (dated 12 May 2023) in which it fined Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to its delivery of its Facebook service.
Background to the decision
The DPC launched an investigation into Meta in August 2020. After conducting its investigation, the DPC released its draft decision in which it determined that Meta’s data transfers to its US equivalent, Meta Platforms, Inc., were done in violation of Article 46(1) of the GDPR and that those transfers should be stopped.
In this regard, the transfers were made in accordance with a transfer and processing agreement between Meta and its US counterpart, which included a Transfer Impact Assessment (“TIA”), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things. The agreement also incorporated the 2021 Standard Contractual Clauses (“SCCs”) of the European Commission.
Against this background, the DPC's draft decision was then submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (CSAs), pursuant to a cooperation procedure mandated by Article 60 of the GDPR. After failing to reach a consensus under the cooperation procedure, the DPC referred objections by the CSAs to its draft decision to the European Data Protection Board (EDPB) for determination pursuant to the dispute resolution mechanism under Article 65 of the GDPR.
Findings of the DPC
The DPC found Meta in breach of Article 46(1) of the GDPR in relation to its transfer of personal data to the US, following the delivery of the Court of Justice of the European Union’s (“CJEU”) judgment in the Schrems II case. In particular, while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.
More specifically, the DPC specified that:
- US law does not provide a level of protection that is equivalent to that provided by EU law
- Neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law
- The measures set out in Meta’s record of safeguards that form part of the TIA that are presented as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by US law; and
- It is not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR when making the data transfers.
On the basis of the EDPB's decision of April 13, 2023, the DPC exercised the following corrective powers against Meta for its breach of Article 46(1) of the GDPR:
- an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC's decision to Meta; and
- an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC's decision to Meta.
In response to the DPC's decision, Meta noted that it will be appealing the DPC's decision and will seek a stay with the courts to pause the implementation of applicable deadlines under the same.
You can read the press release here, and Meta’s response here
Data Protection Commission New Guidance: The Records of Processing Activities (RoPA)
April 2023
On 21st April, the Data Protection Commission published new guidance on the Records of Processing Activities (RoPA). Article 30 of the General Data Protection Regulation (GDPR) requires Data Controllers to maintain a RoPA. Article 30 prescribes the information the records must contain, and controllers and processors must be able to provide such records to the DPC on request.
Central Bank of Ireland Industry Letter on costs and fees to fund managers
April 2023
On 24th March 2023, the Central Bank of Ireland (“the CBI”) published an industry letter on the 2021 Common Supervisory Action (“CSA”) on costs and fees of UCITS. The letter outlines the CBI’s findings from the CSA and supervisory expectations and key actions for fund managers.
AIF managers should be aware that while the CSA concentrated on the costs and fees of UCITS, the CBI expects that AIFMs will also take the findings and actions in the Letter into account with respect to the costs and fees charged to AIFs.
Scope of the CSA
The CBI undertook the review as part of a European-wide CSA established by ESMA. The CBI assessed the compliance of UCITS management companies and self-managed investment companies (“Firms”) with relevant cost-related provisions in the UCITS framework.
The CSA examined whether Firms, when charging costs to the fund/unitholders:
- comply in practice with the cost-related disclosure provisions set out in UCITS legislation;
- act honestly and fairly in conducting their business activities and do so with due skill, care and diligence and in the best interests of their underlying investors; and
- do not charge investors with undue costs.
The CBI found several flaws in how funds' cost and fee structures were established, which, according to the CBI, raise the likelihood of unfair expenses being imposed on investors. The CBI highlights that while defining the cost and charge structure, firms must consider their duty to act in the best interests of investors, supported by rules and procedures and monitoring from senior management.
- Policies and procedures on costs and fees
The CBI expects that all Firms have structured and formalised pricing policies and procedures in place, with clear oversight and approval from senior management, enabling the transparent identification and measurement of all costs charged to a fund.
- Periodic review of costs and fees
The CBI expects that all costs are reviewed annually, taking into account the investment objective and strategy of a fund, the target and actual level of performance achieved and the role and responsibilities of service providers. The viability and competitiveness of a fund should be considered as part of the costs review.
- Design and oversight of fee structure
The CBI found that there was an over-reliance by Firms on the assessments made by delegate investment managers for determining the pricing structure of the funds, with limited engagement in the process by some Firms. The CBI requires Firms to have clear policies and procedures for the design, oversight and regular review of the costs and fees structures, to ensure they are operating effectively and in the best interests of investors.
- Efficient portfolio management (“EPM”)
The CBI expects that all fee arrangements regarding securities lending programmes are compliant with ESMA’s expectations and are clearly disclosed within a fund prospectus or supplements as well as being captured in the policies and procedures of a Firm.
- Fixed Operating expense (“FOE”) models
The CBI expects that in cases where a FOE model is being used to give investors protection and certainty about the fees being incurred, those investors should be fully aware of all costs and the model should be calibrated so that any difference is minimised and that investors are not charged excessive costs.
The CBI also expects that FOE models should be reviewed as part of the annual costs and fees review. The CBI acknowledges that this will be an area of focus in its future supervisory engagements.
- Non-discretionary investment advisor charge
The CBI expects that the investment advisor's position will be complementary to the investment managers and non-discretionary in nature. Firms must make sure that the pricing arrangements for non-discretionary advisors are reasonable for the services being rendered.
The CBI expects managers of both UCITS and AIFs to conduct a gap analysis against the findings and expectations detailed in the Letter and, where appropriate, put in place a plan by the end of Q3 2023 to address any deficiencies identified.
The full Letter can be found at:
Central Bank of Ireland Updates to Fitness and Probity Enforcement Procedures
April 2023
On 21st April 2023, the Central Bank of Ireland (‘CBI’) published an Industry letter notifying firms of the updated procedures for fitness and probity investigations, suspensions and prohibitions. The updated procedures apply from 20th April 2023.
Part 3 of the Central Bank Reform Act 2010 has been amended by the Central Bank (Individual Accountability Framework) Act 2023. The amendments, which were commenced by order on 19th April 2023 are summarised below:
- Investigation of individuals who formerly performed CF roles: the Central Bank can now investigate a former controlled function (CF) role holder, provided that they performed the role within the shorter of the following periods: (a) the period since 19th April 2023 and (b) the 6 years before the date on which an investigation is commenced.
- Commencement of investigation: a new statutory procedure has been introduced for giving notice of investigations.
- Suspension: the limit for the initial duration of a suspension notice has increased from 3 months to 6 months. Suspension notices may now be appealed to the Irish Financial Services Appeals Tribunal. The period for which the High Court may extend a suspension notice has increased from 3 months to 6 months. The CBI may make subsequent applications to the High Court to further extend the suspension notice.
- Investigation report: the statutory procedure for investigation reports has been changed to provide for the preparation and service of a draft report followed by a final report.
- Discontinuing an investigation: the CBI may discontinue an investigation for reasons to be stated in a notice.
- Prohibition Notices: will now only take effect when confirmed by the High Court or agreed in writing.
- Varying/revoking prohibition: a new procedure allowing the CBI or the subject to apply to the High Court for an order varying or revoking a prohibition notice.
- Regime extended to certain holding companies: the fitness and probity regime (upon the CBI issuing regulations) applies to individuals performing certain CF roles in holding companies of certain regulated firms.
- Enhanced independence requirements: certain requirements have been introduced to ensure the independence of an investigation and associated decision-making procedures.
The amendments to Part 3 of the 2010 Act have necessitated changes to regulations and guidance. The updated regulations and guidance are:
- Central Bank Reform Act 2010 (Procedures Governing Conduct of Investigations) Regulations 2023
- Fitness and Probity Investigations, Suspensions and Prohibitions: Guidance 2023
More information can be found at: https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/investigations-enforcement
RegSol’s Vulnerable Customers’ Seminar
March 2023
The RegSol team would like to give a massive thank you to all of those who attended our Seminar on Friday 24th March 2023 - 'Vulnerable Customers: Who cares about Accessibility in Financial Services?'
We would also like to thank our wonderful MC Bernard Jackman, our amazing Special Guest Joanne O'Riordan, our CEO AnneMarie Whelan, and our unbelievably informative speaker Kyran O'Mahoney from Inclusion and Accessibility Labs (IA Labs). From the feedback we received, this event was a great success! We are thrilled to have hosted an event with such an ethical topic.
Attendees can expect the presentation and update on CPD within the coming days.
To anyone who missed out, we will be announcing the scheduling of a live screening of the event recording as a CPD Event shortly. If you are interested, please email firstname.lastname@example.org to be included on the invitation list.
Central Bank of Ireland: Consumer Protection Outlook Report 2023
March 2023
The Central Bank of Ireland (‘CBI’) have published the Consumer Protection Outlook Report 2023. The report outlines the five key drivers of consumer risk in Ireland, in this changing and challenging economic environment.
These risk drivers reflect the feedback and engagement that the CBI has undertaken with various stakeholders over the last year which has been incorporated into their annual risk assessment. The five Key Drivers of Consumer Risks and associated CBI expectations of firms are:
1) The changing operational landscape
- Actively identify and address risks to consumers that may emerge from change in the landscape within which the firm and/or its consumers are operating
- Engage with financial innovation to address the needs and interests of consumers
- Have sufficient operational resilience to manage change
2) Poor business practices and weak business processes
- Clearly distinguish between regulated and unregulated services for the consumer, particularly when they are being offered in the same digital space.
- Place the best interests of consumers at the heart of commercial decisions
- Implement robust governance and oversight arrangements for the design, sale and delivery of the product
- Comply with suitability requirements
- Monitor products to ensure they are performing as intended and remain suitable for the target market
3) Ineffective disclosures to consumers
- Ensure proper resources are deployed to deliver a high quality service
- Provide clear information promptly, to consumers, disclosing key information upfront
- Support consumers by ensuring information is provided in a way that can be easily understood
- Ensure that statements of suitability and other disclosures are fully compliant with legislative requirements
- Ensure disclosure is as clear on digital media as with more traditional methods
- Avoid Greenwashing by producing disclosure documents that are clear and fully compliant with legislative requirements
- Disclose exclusions to financial products effectively at the outset, to support consumers in making good decisions
4) Technology-driven risks to consumer protection
- Have well defined and comprehensive IT and cybersecurity risk management frameworks, supported by sufficient resources
- Make sure that the interests of the consumer are the firm's top priorities when designing and distributing financial products digitally, and that the product will only be made available to suitable consumers
- Have effective measures to mitigate the risk of fraud and scams and be proactive in identifying and dealing with cases
5) The impact of shifting business models
- Demonstrable oversight of delegated or outsourced arrangements and evidence that associated risks are appropriately considered and managed
- Consider the impact of decisions on vulnerable customers and implement effective processes and communication plans
- Proactively assess and mitigate the risks and consumer impact of commercial decisions whilst ensuring that customers understand what changes mean for them
- Have sufficient customer service capacity and structures
- Only design and bring to market products that meet the needs of the identified target market
The CBI have anchored on these risks for their work in 2023 and beyond, which means that regulated firms can focus on making long-term sustainable improvements. The report also includes a description of key bodies of work to be delivered by the CBI with respect to the Key Drivers of Consumer Risk.
The full Report can be found at: Central Bank of Ireland Consumer Protection Outlook Report 2023
Individual Accountability Framework Consultation Paper (CP153)
March 2023
Following the enactment of the Central Bank (Individual Accountability Framework) Bill 2022 on 9th March, the CBI has launched a three-month consultation (CP153) on key aspects of the implementation of the Individual Accountability Framework (IAF). This includes the publication of draft Regulations and guidance.
The draft regulations and guidance seek to provide clarity in terms of the Central Bank’s expectations for the implementation of three aspects of the framework: the Senior Executive Accountability Framework (SEAR), the Conduct Standards and certain aspects of the enhancements to the Fitness & Probity Regime.
The following implementation timeline is proposed:
- Conduct standards including accountability of senior individuals to apply from 31st December 2023
- Fitness & Probity Regime – Certification and inclusion of Holding Companies to apply from 31st December 2023
- Allocation of responsibilities and decision making to apply to in-scope firms from 1st July 2024
The consultation will remain open until 13th June 2023. The full Consultation Paper can be found here: Consultation Paper 153: enhanced Governance and performance and accountability in financial services
Central Bank of Ireland Portal Update
March 2023
The Central Bank of Ireland Portal will be enhanced to simplify the process for submitting applications to become a Pre-Approval Controlled function holder. Applicants will submit individual questionnaires via the Portal instead of the Online Reporting System starting from April 24, 2023. If you are not already a Portal user, you should register now.
An overview of the changes to the system is provided below:
Central Bank Dear CEO letter – MiFID Structured Retail Product Review - Supervisory Guidance
March 2023
On 3rd March 2023, the Central Bank of Ireland (the “CBI”) published further Supervisory Guidance following the “Dear CEO” letter of April 2022, which outlined its findings of a review identifying issues in the marketing of complex investment products - Structured Retail Products (SRPs) - manufactured and distributed by MiFID investment firms.
The Supervisory Guidance supplements this letter and provides clarification to firms on how the warnings on use of a decrement index should appear, and the presentation of back-testing.
1. Use of decrement index – appearance of prominent wording
In April 2022, it was determined that one area of complexity was the use of decrement indices (where a fixed dividend is periodically subtracted from the underlying index and which can act as a "downward drag" on performance where it is higher than the actual dividend paid, and in particular where the index falls below its initial level).
Last week's letter clarifies that the prominent warning must appear (in a separate text box) "on the front cover of the marketing material or brochure and on the page on which the decrement index is described in further detail". The letter provides two sample warnings (one for the front page and one for the page that describes the index in more detail).
Firms should also keep in mind that, in cases where the SRP uses a fixed dividend deduction in the form of a fixed-point value (rather than a percentage), this "drag on performance" will be accelerated if the index drops below its initial level and that a sustained decline in markets will accelerate the decline in the value of the index.
2. Presentation of back-testing/overlapping simulations for ‘capital at risk’ SRPs
The Central Bank noted that if a firm uses past performance representations covering periods of positive client outcomes, that may not accurately reflect the likelihood of a client suffering a capital loss in the future. The Central Bank is concerned with ensuring that the presentation of historical data is not misleading.
The Central Bank wants firms to avoid using a large number of overlapping simulations that show little, if any, capital losses, as that has the potential to mislead clients about the likelihood of experiencing a capital loss given the largely positive market conditions in recent years.
The full Letter can be found through the link below:
FSPO Levy Regulations
February 2023
The Financial Services and Pensions Ombudsman (‘FSPO’) resolves complaints from consumers, small businesses and other organisations, against financial service providers and pension providers.
On 20th January 2023, the Financial Services and Pensions Ombudsman Act 2017 [Financial Services and Pensions Ombudsman Council] Financial Services Industry Levy Regulations 2023 (‘the Regulations’) were signed (here).
The Regulations came into operation on 1st February 2023.
The Regulations require that each financial service provider is liable to pay an annual levy in relation to the services provided by the FSPO to the finance industry.
The levy payable by each type of financial service provider for the year ended 31st December 2023 is to be calculated by reference to the criteria in each category under the Schedule to these Regulations.
In order to ensure an equitable distribution of the levy among financial service providers, on an annual basis an exercise is carried out to ensure that the proportion of the levy applicable to each category of financial service provider reflects the volume of complaints received by the FSPO in the previous three-year period.
The Regulations also provide for the collection and recovery of the levy and provide for certain obligations in respect of self-assessment and record keeping by financial service providers.
For more information regarding the levy, the FSPO has issued helpful guidance which can be found at the following link: The Financial Services and Pensions Ombudsman Levy Report 2023
Central Bank Dear CEO Letter on Financial Regulation Priorities for 2023
February 2023
On 16th February 2023, the Central Bank issued a Dear CEO Letter setting out its key regulation and supervision priorities for 2023.
The Letter first highlights the challenging macro-financial environment and the risks facing the financial system and global markets, which were also highlighted in the Central Bank’s most recent Financial Stability Review. The Central Bank expects the Irish economy will continue to experience positive (although lower) growth in 2023 and notes that it is facing increased downside risks given the size of the energy and inflation shock and the slowdown in the global economy. The Central Bank confirms that this economic context will be central to their regulatory focus in 2023 to ensure the financial system and firms operate to support the interests of consumers and users as they cope with those risks and challenges.
The Letter then identifies the Central Bank’s key 2023 regulatory and supervisory priorities as follows:
The Central Bank aims to provide a clear, open and transparent authorisation process through active and constructive engagement with industry and other stakeholders. It is focused on creating the regulatory context in which the potential benefits of innovation for consumers, investors, businesses and society can be realised, while the risks are effectively managed and mitigated.
- Operational Resilience
The Central Bank will be assessing and managing risks to the financial and operational resilience of firms. This includes the potential decline in asset quality arising from prevailing inflationary pressures, lingering effects from the pandemic and a slowdown in the UK economy.
- Non-Banking Sector
Actions on the systemic risks generated by non-banks will be progressed, in particular by advancing a macro-prudential framework for non-banks and improvements to legislative frameworks and investor protections in the investment fund sector.
- Banking Sector
The Central Bank will continue to oversee the consolidation of the Irish banking sector and associated programme of account migration, implement new credit supervision mandates and continue to monitor for emerging risks in relation to distressed debt, investor protection and product governance.
The Central Bank will continue to consult and engage on regulatory developments under the Consumer Protection Framework and Individual Accountability Framework leading to enhancements in existing and new regulations.
- Credit Unions
Changes will be implemented to credit union regulations/guidance arising from the Department of Finance-led Policy Framework Review, including through engaging with sectoral stakeholders.
The Central Bank will consult on its approach to innovation that will include an exploration of new ways of engagement with innovators and their products.
- AML & Sanctions
There will be ongoing focus and vigilance around the integrity of the financial system and preventing misuse through detecting and sanctioning market abuse, supervising firms’ compliance with Anti-Money Laundering/Combating the Financing of Terrorism obligations and administering and enforcing financial sanctions (working closely with An Garda Síochána and other relevant bodies in all these areas).
The Central Bank will also be ensuring that the EU’s Anti-Money Laundering Action Plan, including the establishment of a single supervisory authority (the Anti-Money Laundering Authority (AMLA)), results in a consistent and robust EU-wide framework.
- EU Regulation
The Central Bank will be contributing to progressing European regulation, particularly the review of the Payment Services Directive (PSD2) and the functioning of open banking, as well as implementing new EU regulations on digital operational resilience (DORA) and markets in crypto assets (MiCA).
The Central Bank will be aiming to strengthen the resilience of the financial system to climate change risks and its ability to support the transition to a climate-neutral economy, along with implementing the EU’s Sustainable Finance Disclosures Regulation.
If your firm has a query regarding any of the key priorities highlighted by the Central Bank above, feel free to contact us at email@example.com
To read the Dear CEO Letter in full, please follow the link below: Dear CEO Letter - Central Bank's key regulation and supervision priorities for 2023
DPC Fines Meta (Facebook, Instagram & WhatsApp) nearly €400 Million for incorrect legal basis relied upon to justify data collection under GDPR
January 2023
On 4th January 2023, the Data Protection Commissioner (the ‘DPC’) announced that it had concluded two inquiries into Meta Platforms Ireland Limited’s (‘Meta’) data processing operations in respect of its Instagram and Facebook services.
Final decisions have now been made by the DPC where it has fined Meta Ireland €210 million and €180 million for breaches of the GDPR relating to its Facebook and Instagram services, respectively. Meta has also been directed to bring its data processing operations into compliance within a period of 3 months.
Prior to the introduction of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, Meta changed the legal basis on which it was processing users’ data in its Terms of Services for its Facebook and Instagram users. Previously Meta relied on the consent of its users, but it now sought to rely upon contract as the legal basis for the majority of its processing operations. All users were asked to select ‘I accept’ to indicate their acceptance of the updated Terms of Service; however, if users declined, they would no longer be able to access the services.
According to Meta, selecting ‘I accept’ created a contract between it and the user. Meta thereby contended that the processing of users’ data for the delivery of its Facebook and Instagram services was necessary for the performance of the contract and this included the provision of personalised services and behavioural advertising. However, objections were raised by an Austrian data subject and a Belgian data subject, arguing that restricting access to the services resulted in ‘forcing’ the user to consent to the processing of their personal data for behavioural advertising and other personalised services and that this was in breach of the GDPR.
Draft decisions were prepared by the DPC in which it found against Meta on a lack of transparency, however, the DPC also noted that Meta was not required to rely on consent and in principle, the GDPR did not preclude Meta’s reliance on the contract as a legal basis for processing.
When this draft decision was circulated with other EU privacy regulators, several of them objected to the Irish DPC’s “contract” position.
The matter was referred to the European Data Protection Board (‘EDPB’), which agreed that “contract” could not be relied on as a means of legitimising personal data processing in this case.
Accordingly, the DPC’s final decisions include findings that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.
Rise of the Money Mule in Ireland January 2023
It is estimated that the most prolific fraud gang in Ireland, the Black Axe crime network (a notorious West African-based criminal organisation formed in the 1970s and now operating worldwide), has stolen or laundered €64 million in Ireland in recent years. While that gang has its origins in Nigeria, it is believed that more than 4,000 people who have used Irish addresses are laundering money for the gang.
The Garda National Economic Crime Bureau’s (GNECB) long-running probe, called Operation Skein, is an ongoing investigation into fraud being committed in Ireland that includes international business email compromise (BEC), invoice redirect fraud and romance scams. The investigation also targets the laundering of the proceeds through Irish accounts.
A money mule is a person who transfers illegally obtained money between different payment accounts, very often in different countries, on behalf of others. The money mule receives stolen money into their account, then transfers it to another account, usually overseas, and keeps some of the cash for themselves as ‘payment’, or withdraws the cash and passes it on to the money mule recruiter. Fraud gangs need very large numbers of bank accounts, opened in the names of other people, for their unsuspecting victims to send money to. They then quickly disperse that money over a wide network of other mule accounts.
The most common methods of initial contact by the money mule recruiter are offers to make quick and easy money through seemingly legitimate job adverts or online posts, social media (i.e. Facebook posts on closed groups) and messages sent through instant messaging apps (e.g. WhatsApp, Viber).
Those aged 18-24 (with the unemployed, students and people in economic distress being the most susceptible to the crime) and those over 55 years of age are the most commonly targeted age groups.
An Garda Síochána in association with FraudSMART, a fraud awareness initiative led by the Banking & Payments Federation Ireland (‘BPFI’), are advising consumers, particularly young adults, to be alert to the risks and consequences of recruitment as “money mules”.
The warning comes as a new survey commissioned by BPFI as part of its FraudSMART campaign for 2019 shows strong evidence of money mule activity among young people in Ireland.
The FraudSMART research also mirrors new data from BPFI’s member banks, including AIB, Bank of Ireland, KBC, PTSB and Ulster Bank, who collectively had more than 1,600 confirmed cases of money mule activity on customer accounts in 2018, a large proportion of which involved young account holders.
According to the FraudSMART survey more than 40% of 18-24-year-olds are likely or very likely to lodge or transfer money for someone using their own bank account in exchange for keeping some of the money for themselves.
Even if money mules may not be aware of, or be involved in, the crimes which generate the money (cybercrime, payment and online fraud, drugs, human trafficking, etc.), they are complicit and acting illegally by recklessly allowing their account to be used to launder the proceeds of crime, helping criminal syndicates move funds easily around the world and remain anonymous.
Penalties include a prison sentence of up to 14 years, a criminal conviction with a lifetime criminal record, extradition to the country where the predicate crime occurred, and not being permitted to open another bank account or secure a mortgage.
Protecting your firm from money mule fraud
It is highly advisable to have robust AML policies and procedures in place, or to review existing ones, making all staff aware of potential scams and pitfalls, such as:
- Being cautious of unsolicited emails or approaches over social media promising opportunities to make easy money;
- Being alive to vishing, which is a tactic in which people are tricked into revealing financial or personal information to unauthorised people over the phone;
- Verifying any company that makes an unsolicited offer and checking that their contact details (address, landline phone number, email address and website) are correct and whether they are registered in Ireland;
- Ensuring staff are aware not to give the firm’s bank account or any other personal details to anyone unless they know and trust them;
- And lastly, being mindful of the adage: if an opportunity sounds too good to be true, it probably is!
For information about implementing AML policies and procedures in your firm or about our CPD certified training courses in AML and for MLROs, please see our training timetable below or contact us at firstname.lastname@example.org
Central Bank Dear CEO Letter to Payment & E-Money Institutions January 2023
On 20th January 2023, the Central Bank published a Dear CEO Letter (‘January 2023 Letter’) to payment and electronic money institutions highlighting recent supervisory weaknesses and reaffirming supervisory expectations and actions for these sectors.
The January 2023 Letter follows the December 2021 Dear CEO Letter from the Central Bank to these institutions, in which it provided greater clarity on its supervisory expectations for the sector. The January 2023 Letter also refers to the Consumer Protection Outlook Report 2022, published in March 2022, which sets out the key cross sectoral risks identified by the Central Bank as the primary drivers of risk for consumers of financial services in Ireland and across the EU today. The Central Bank highlights that these risks are particularly relevant to the payment and e-money sector based on what it has observed over the course of 2022.
It also refers to the recent reference in the International Monetary Fund’s (IMF) Technical Note on Oversight of Fintech in Ireland to the payment and e-money sector’s growing importance within the broader fintech sector in Ireland.
The January 2023 Letter sets out actions identified by the Central Bank to remedy deficiencies in five key areas, namely:
- Governance, risk management, conduct and culture,
- Business model, strategy, and financial resilience,
- Operational resilience, and
- Anti-money laundering and countering terrorist financing.
The main focus of the January 2023 Letter is safeguarding. In the December 2021 Dear CEO Letter, the Central Bank asked all firms to comprehensively review compliance with the safeguarding requirements set out in the E-Money Regulations or Payment Services Regulations (as appropriate) by 31st March 2022. One quarter of those firms self-identified deficiencies in their safeguarding risk management frameworks, and deficiencies were later identified in other firms.
As a result, the Central Bank sets out its expectations as follows for firms to:
- Have robust, Board approved, safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customers.
- Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.
- Notify the Central Bank immediately of any safeguarding issues identified.
- Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.
- Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).
The Central Bank also requests all payment institutions and e-money firms who are subject to the safeguarding requirements to commission an audit of their compliance with those requirements from an audit firm which has the necessary specialist skill to audit compliance in this area. Each firm must provide that audit opinion, together with a response from its board to the outcome of that audit, to the Central Bank by 31st July 2023.
Given the 31st July 2023 deadline, the January 2023 Letter should promptly be brought to the attention of the board of any payment institution or electronic money institution and if your particular entity has a query regarding any of the issues highlighted by the Central Bank above, feel free to contact us at email@example.com
To read the January 2023 Letter in full, please follow the link below: Dear CEO Letter - Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms (centralbank.ie)
RegSol’s Vulnerable Customers Seminar 24th March 2023 January 2023
Are you missing out on engaging with potential clients because your website isn’t fully accessible or your meeting space isn’t physically accessible?
Are you fearful of engaging with clients who have identified vulnerabilities because you don’t know how to navigate those needs or know what reasonable accommodations should be offered?
This half day in-person event is designed to inform, encourage and support Financial Advisors in embracing a hitherto under-served market.
You will learn what the legal and regulatory requirements are but, more importantly, how best to support individuals that do require some assistance to ensure your services are truly accessible.
Cost: €100 p/p
* CPD accreditation for this event is sought from the Insurance Institute, Institute of Bankers, LIA and ILCU
AXA Life Europe DAC fined €3,640,000 for failures in Corporate Governance and Risk Management December 2022
On 8th December 2022, the Central Bank reprimanded and fined AXA Life Europe DAC (AXA) €3.64 million for failures in corporate governance, risk management and handling of conflicts of interest.
The fine relates to three breaches of European insurance regulations by AXA, which is authorised by the Central Bank in Ireland to carry out life insurance business and which set up a German branch in 2006 on a freedom of establishment basis, where it started selling an insurance product known as TwinStar.
The German Federal Financial Supervisory Authority (BaFin) regulated the German branch for conduct of business.
Between 2006 and 2012, AXA sold around 350,000 TwinStar policies, of which approximately 203,000 remain in place.
When the policies first went on sale between 2006 and 2007, there was a reference in the documentation to a Parental Claims Guarantee (PCG) provided by AXA’s parent, AXA SA, to provide AXA with the necessary resources to pay all outstanding German policyholder claim liabilities, if AXA became unable to do so itself. The PCG was provided because AXA, as an Irish-based insurer, could not participate in the insolvency protection scheme for German life insurance companies.
In 2006, BaFin wrote to AXA’s German branch and told it that the references to the guarantee in some of the documentation implied a higher level of security than had actually been provided. This was because some policy documentation failed to make clear that the PCG was conditional and could terminate automatically if certain conditions were met.
In early 2018, the sale of AXA was being considered by its parent and as part of this consideration, the Central Bank became aware that policies sold in 2006 and 2007 may not have been updated to disclose the conditional nature of the PCG, despite the letter from BaFin. As a result, the Central Bank commenced an investigation.
The Central Bank’s investigation found that AXA's risk management systems had failed over a 13-year period: despite the BaFin warning, it had not put in place an effective process to identify, manage, monitor and report the risks arising from around 30,000 TwinStar policies not making it clear that the guarantee was conditional.
The Central Bank also found that AXA did not conduct an adequate assessment of potential conflicts when its board considered the guarantee issues in July 2018 and that between 2015 and 2021, it did not have effective policies and / or procedures established to identify potential sources of conflicts of interest or ensure that directors understood where conflicts of interest could arise and how such conflicts should be addressed if they did arise.
The Central Bank, however, was satisfied that AXA made early admissions to the three breaches in the case while also acknowledging that no previous enforcement action had been taken against the regulated entity.
To read the Central Bank Enforcement Action Notice in its entirety, you can click on the following link: Public statement relating to Enforcement Action against AXA Life Europe DAC
Central Bank Publishes Research on Insurance Engagement and Switching December 2022
On 1st December 2022 the Central Bank published an Economic Letter, “Engagement, switching, and digital usage in consumer and insurance markets: who does it and why it matters”, examining engagement and switching patterns among car and home insurance consumers.
The Letter examines the traits of consumers who find it difficult to look for and buy financial products, including insurance, online.
Drawing on a comprehensive survey of Irish policyholders as well as behavioural economics, the Letter highlights factors that may prevent policyholder participation and switching. Among its main conclusions are:
- 8 out of 10 car and home insurance consumers engage with their provider on renewal. Around 1 in 4 switch provider.
- Policyholders are more likely to engage with and/or switch provider if, on renewing their policy, the price increases.
- Behavioural characteristics play a role in engagement and switching. Specifically, certain consumers may be more likely to stick with the status quo, even when doing so may not be financially beneficial. These consumers are less likely to engage or to switch provider.
- Perceptions also play a role in consumer behaviour. Around 1 in 4 believe that loyalty to an existing provider will be rewarded. These consumers are significantly less likely to switch.
- Where consumers believe that they can make significant savings by switching, they will be more likely to do so.
- Time-poor consumers are less likely to switch their policies.
- Around 55% use digital information and channels as part of their engagement and switching. However, 1 in 5 policyholders report difficulties in using the internet to search for and purchase financial products, including insurance. These consumers tend to be older, lower income, and less educated.
- Policyholders that are less comfortable with digital channels are more likely to exhibit status quo bias.
The Central Bank expects firms to take into account consumer psychology and insights from behavioural economics to design effective disclosures and consumer protection policies to support consumers in making fully informed decisions.
The Letter also highlights the importance of digital literacy in supporting consumers to engage and switch.
The Central Bank reminds firms of its Consumer Protection Outlook Report, which highlights the key cross sectoral risks facing consumers of financial services and the Central Bank’s expectations of firms to avoid these risks materialising.
The Letter also refers to, and reminds firms of, its Dear CEO Letter published in November 2022 detailing its expectations in the context of a more challenging economic outlook characterised by energy-driven inflation and uncertainty. Please find RegSol’s article on the Letter here.
If you have a query regarding any of the issues highlighted by the Central Bank above, please contact us at firstname.lastname@example.org
Central Bank FAQs re Ireland Safe Deposit Box, Bank and Payment Accounts Register December 2022
FAQs - Ireland Safe Deposit Box, Bank and Payment Accounts Register
On 15th December 2022, the Central Bank updated its frequently asked questions (FAQs) in relation to the Ireland Safe Deposit Box, Bank and Payment Accounts Register (ISBAR).
ISBAR was recently established and will be administered by the Central Bank to hold information on accounts identifiable by IBAN (including account holders, beneficial owners and signatories), and information on safe deposit box services. The register is established in line with 5th EU AML Directive requirements and is designed to enable the Financial Intelligence Unit within An Garda Síochána to search and retrieve information as part of criminal investigations.
Any credit institution established in Ireland, which issues Irish IBAN identifiable accounts, or holds Safe Deposit Boxes on behalf of its customers, is required to provide Bank Account and Safe Deposit Information to ISBAR.
The obligation for credit institutions to provide information will commence once formally notified by the Central Bank to do so in Q1 2023.
Legislation will be enacted at a later date to extend the scope of the reporting obligation to other financial service providers who issue Irish IBANs.
The FAQs cover What is ISBAR, General Reporting Requirements, File Generation and Technical Questions.
You can read them in full via the following link: ISBAR FAQ | Central Bank of Ireland
Guidance - Beneficial Ownership Register of Certain Financial Vehicles
The Central Bank, which is also responsible for establishing and maintaining the Beneficial Ownership Register of Certain Financial Vehicles (CFV), has recently updated its Guidance in respect of the CFV Register.
The Register aims to deter money laundering and terrorist financing by those that seek to hide their ownership and control of corporate or legal entities by ensuring that the ultimate owners/controllers of Irish Collective Asset-management Vehicles, Credit Unions, Unit Trusts, Investment Limited Partnerships, and Common Contractual Funds are identified, and that this information is readily accessible to law enforcement, regulators and obliged entities.
The Guidance aims to:
(i) provide CFV, their beneficial owners, and members of the public with information in relation to the scope of the Register;
(ii) outline processes related to the submission of data to the Register; and
(iii) provide all interested parties with information in relation to the use and safeguarding of the data provided, under data protection legislation.
To read the Guidance in full, please follow the link below: Beneficial Ownership Register of Certain Financial Vehicles Guidance
Consumer Rights Act 2022 Soon to be Commenced November 2022
The Consumer Rights Act 2022 (‘the Act’), which was signed into law on 7th November 2022 and is expected to be commenced soon, is the biggest overhaul of consumer protection in Ireland, strengthening consumer rights, protections and remedies in a range of key areas.
The Act consolidates and modernises Irish consumer rights legislation for the sale of goods and supply of services, ensuring that the updated legislation is more in keeping with the digital age.
In addition to updating the current Irish legislation, the Act will also transpose the following directives aligning the legislation more closely with those applying across the EU:
- Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (the “Digital Content Directive”);
- Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods (the “Revised Sale of Goods Directive”); and
- The main provisions of Directive (EU) 2019/2161 on the better enforcement and modernisation of Union consumer protection rules (the “Omnibus Directive”).
What does the Act apply to?
The Act applies to all written and oral contracts (as well as combinations of both) between traders and consumers. (A “trader” means a natural person, or a legal person (such as a company) who is acting for purposes relating to the person’s trade, business, craft or profession, and includes any person acting in the name, or on behalf, of the trader.)
It also applies to contracts implied by the conduct of the parties.
Apart from regulating the sale of goods and services, the Act also extends consumer protections to digital goods and services so that consumers are protected when they use cloud-based services or buy downloadable or streamed goods and services, such as games, films, music and software.
Key Provisions of the Act
- Conformity - the contract must conform with certain (i) objective and (ii) subjective requirements as detailed in the Act. In the event of any lack of conformity during the 12 month period after supply, the burden of proof shifts to the trader to prove that the supply of goods/services was in conformity with the contract.
- Transparency - the Act strengthens the transparency requirements that apply to contract terms. Traders must ensure that the terms of a contract with consumers are transparent e.g. in plain language, presented clearly, easily available, with novel/onerous terms being brought to consumers' attention and the terms' financial consequences are understandable to an average consumer.
- Prohibited notices – under the Act, it will be an offence for a trader to display a notice, publish an advertisement or supply goods bearing, or digital content or a digital service displaying in any form, a representation, or to furnish any document which indicates, that (i) consumers' rights under the Act or (ii) an obligation/liability are/is restricted or excluded other than as permitted by the Act.
- Commercial Guarantees – traders are liable for commercial guarantees provided by other guarantors, unless they express the contrary or give their own commercial guarantee.
- Unfair Terms – the Act determines that a term is unfair if it causes a significant imbalance in the parties’ rights and obligations to the detriment of the consumer and extends the lists of contract terms which are presumed to be unfair (“grey list”) or are outright prohibited (“blacklist”).
- Advanced Trader Compliance - as a means of ensuring that businesses adhere to such enhanced consumer protections, the Act also provides for areas of advanced trader compliance.
- Increased Enforcement Powers - increased enforcement powers have been given to authorised bodies including the Competition and Consumer Protection Commission (‘CCPC’). These increased powers allow the CCPC to apply to the courts for declarations or injunctions against businesses who mislead their consumers, or fail to provide them with the adequate remedies or compensation they are entitled to.
- Penalties - it is an offence to breach certain provisions in the Act, with secondary liability for officers of a body corporate where it is proved that the offence was committed with their consent, connivance or approval or to be attributable to any wilful neglect on their part.
It will be a defence for the person to prove that due diligence was exercised, and all reasonable precautions were taken to avoid the commission of the offence.
A convicted trader will be liable for the costs and expenses of the proceedings and investigation unless the Court believes there are “special and substantial reasons” for not doing so. This is in addition to, and not instead of, any fine or penalty that the Court may impose. A trader may also be ordered, in certain circumstances, to compensate consumers for any loss or damage resulting from the offence. If the Court does grant a compensation order, this may be instead of or in addition to any fine or penalty imposed on the trader.
The Act also amends the European Union (Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws) Regulations 2020. When this amendment is implemented, these Regulations will specify that, where (i) an offence is committed under specified parts of the Act or certain provisions of the Consumer Protection Act 2007 and (ii) this also constitutes an intra-EU or relevant widespread infringement under those Regulations, then further fines can be imposed of up to 4% of relevant turnover or €2 million, depending on the circumstances.
In preparation for the commencement of the Act, firms should assess which aspects of the Act will impact them and make any necessary changes to their relevant documentation, such as business terms and conditions, to ensure they are accurate and not misleading and do not contain unfair terms and advertising. Firms should also review their internal processes to ensure compliance with this new framework.
If you have any queries arising from this article, please contact us at email@example.com
DPC Fines Meta €265 Million for ‘data scraping’ leak November 2022
On 29th November 2022, the Data Protection Commission (‘DPC’) imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (‘Meta’), data controller of the “Facebook” social media network, for failing to properly protect its data.
The fine relates to a data breach discovered in 2021 in which the personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials were included in a leak of the personal data of 533 million users across 106 countries. The leaked data, including phone numbers, Facebook IDs, full names and birthdates, surfaced on a public forum and circulated widely on the web. Facebook subsequently fixed the vulnerability in this feature, whereby data could be collected by external parties through a process called scraping.
The DPC held that Meta failed to comply with the GDPR obligation to ensure privacy "by design and default," meaning it had engineered its products in a way that personal data could leak.
The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for failing to protect children’s data.
For further details on the DPC’s decision, please go to the following link: Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry
28/11/2022 - Data Protection Commission
EBA Guidelines for Remote Customer Onboarding November 2022
The European Banking Authority (EBA) has published its final Guidelines on the application of anti-money laundering and countering the financing of terrorism (AML/CFT) rules where customers are onboarded remotely.
The EBA are aware that designated persons, as defined under the Irish Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended, have been experiencing a growing demand for remote customer onboarding solutions, especially due to the restrictions on movement caused by the COVID-19 pandemic, and that there is not sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context.
The Guidelines therefore set out the steps credit and financial institutions should take when choosing remote customer onboarding tools and when assessing the adequacy and reliability of such tools, in order to comply effectively with their AML/CFT obligations. The guidelines are technologically neutral and do not prioritise the use of one tool over another.
These guidelines establish common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence policies, and processes which must be followed when customers are onboarded remotely.
A list indicating considerations which the above-mentioned internal policies and procedures should set out is also provided within the Guidelines and includes:
- the types of documents that are admissible and the information and authenticity checks that are necessary to identify the customer and verify their identity;
- the level of human intervention required in the remote verification process;
- the controls in place to monitor, on an ongoing basis, the correct and appropriate functioning of each remote customer onboarding solution and the effective implementation of the remote customer onboarding policies and procedures; and
- a description of the induction and regular training programs to ensure staff awareness and up-to-date knowledge of the functioning of the remote customer onboarding solution(s), the associated risks, and of the remote customer onboarding policies and procedures aimed at mitigating such risks.
To learn more on how RegSol can assist your firm in implementing the EBA’s Guidelines and/or provide tailored AML training relevant to your firm, please do not hesitate to contact us at firstname.lastname@example.org
Mercer Global Investments Management Limited Fined €117,600 for Breaches of UCITS Regulations November 2022
On 14th November 2022, the Central Bank reprimanded and fined Mercer Global Investments Management Limited (‘MGIM’) €117,600 pursuant to its Administrative Sanctions Procedure (‘ASP’) for six breaches of UCITS investment fund regulations (the ‘UCITS Regulations’).
MGIM, as a UCITS Management Company, was responsible under the UCITS Regulations for ensuring that certain information was included in prospectuses and key investor information documents (‘KIIDs’) for funds it managed, and that this information was kept up to date in order to enable investors to make informed decisions about their investments.
The Central Bank found that, for varying periods between 1st July 2011 and 31st December 2018, the prospectuses and KIIDs for five sub-funds failed to disclose that the sub-funds relied upon an index-tracking strategy or provide the details of the index being tracked.
As a result, MGIM’s failure to comply with these requirements may have resulted in investors not being fully informed of the investment strategy of a particular fund or the risks associated with investment in that fund.
In addition, to ensure effective gatekeeping by the Central Bank in the authorisation of funds, the Central Bank reviews prospectuses (including any supplements to those prospectuses) before authorising a fund. The Central Bank noted the effectiveness of its gatekeeper role ultimately relies on accurate and complete information being submitted by firms seeking fund authorisation, as part of the assessment of their applications and in ongoing supervision.
The Central Bank’s investigation found that MGIM failed in its obligations to both investors and to the Central Bank by not including required information regarding index-tracking strategy in the prospectuses and KIIDs of five investment funds managed by MGIM.
Penalty Decision Factors
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019 and highlighted the following particular factors in this case: