Required actions

The Letter requires:

1. all firms to discuss the Letter with their Board, and to reflect on the supervisory findings called out;
2. that any areas requiring improvement that directly relate to the firm are actioned;
3. that all firms take proactive measures to ensure robust and appropriate governance and control arrangements are in place;
4. that all firms obtain an external audit of their safeguarding framework and submit this to the CBI by 31 July 2023 (see further details below under ‘CBI expectations, Safeguarding’).

CBI expectations

Safeguarding

The CBI has observed deficiencies in firms’ safeguarding frameworks, and notes that numerous firms submitted attestations regarding their safeguarding arrangements in response to its December 2021 Dear CEO Letter and then subsequently identified deficiencies.

The CBI expects firms to:

• Have robust, Board approved, safeguarding risk management frameworks in place which ensure that relevant users’ funds are appropriately identified, managed and protected on an ongoing basis. This includes the clear segregation, designation and reconciliation of users’ funds held on behalf of customers.
• Be proactive in ensuring that the design and operating effectiveness of the firm’s safeguarding frameworks is tested on an ongoing basis.
• Notify the CBI immediately of any safeguarding issues identified.
• Take mitigating and corrective measures immediately to ensure that users’ funds are safeguarded where, in exceptional circumstances, issues are identified.
• Investigate and remediate on a timely basis the underlying root cause of the safeguarding issue(s).

All PIs and EMIs are required to engage an appropriately skilled and qualified external auditor to review their compliance with the safeguarding requirements under the European Union (Payment Services) Regulations 2011 (PSRs) or the European Communities (Electronic Money) Regulations 2011 (EMRs) (PSRs/EMRs). The external auditor should provide an opinion confirming whether the firm has maintained adequate organisational arrangements to enable it to meet the safeguarding provisions of the PSRs/EMRs on an ongoing basis, with the specific areas, at a minimum, that should be subject to review and assurance by the auditor outlined in Appendix 2 of the Letter. The audit opinion and the Board response to the outcome of the audit should be submitted to the CBI by 31 July 2023.

Governance, risk management, conduct and culture

The CBI expects firms to consider their governance, risk management and internal control frameworks, in addition to the composition (both number and skills) of their Board and management team, to ensure they are sufficient to run their business from Ireland.

Business model, strategy and financial resilience

The CBI expects firms to have Board-approved business strategies in place supported by robust financial projections. Firms must understand and meet their capital requirements at all times. This is particularly important given the aforementioned uncertain and complex macroeconomic environment. Strong internal controls must be in place, that are subject to regular testing, to ensure the accuracy and integrity of data used by the firm for regulatory reporting purposes, and for strategic and financial planning.

Operational resilience and outsourcing

The CBI expects Boards and senior management of PIs and EMIs to review and adopt appropriate measures to strengthen and improve their operational resilience frameworks in line with the CBI Outsourcing and Operational Resilience Guidance. Given the importance of operational continuity and resilience for the stability of the system and for consumers, businesses and the wider economy, the CBI will continue to challenge how firms are ensuring that risk and control frameworks are operating effectively and are prepared for unforeseen operational disruptions.

Anti-money laundering and countering the financing of terrorism

• Risk-based approach – AML/CFT controls should be risk sensitive and tailored to the risks identified as part of the ML/TF risk assessment carried out by the firm. For example, transaction monitoring controls should be configured to detect where the ML/TF risks identified as part of the ML/TF risk assessment are materialising.
• Distribution channels – The CBI expects firms to exercise adequate oversight of agents and distributors with an appropriate level of ongoing assurance conducted. Firms must undertake appropriate assessment of their agents and distributors that undertake activities on their behalf. The outcome of any testing carried out as part of the oversight of these arrangements should be included in management information prepared for the Board and senior management. It is important that firms recognise that the responsibility for carrying out customer risk assessments and CDD on the end user of the products and services ultimately rests with firms, even where such tasks are being performed by agents and distributors.
• E-money derogation and Simplified Due Diligence (SDD) – The CBI expects that SDD is carried out only where appropriate to do so and where the firm has carried out a risk assessment of each individual relationship, and to do so is justified on the basis of the lower level of risk presente

Next steps

As set out above, the CBI’s Letter requires a number of actions by payments and e-money firms. These include obtaining an external audit of their safeguarding framework, to be submitted to the CBI by 31 July 2023.