Partners Niall Esler and Shane Martin, along with senior associate Conor Daly and trainee solicitor Coleen Wegmann, have authored the Ireland chapter for Global Legal Insights Fintech 2023. They provide an up-to-date summary of the current FinTech and crypto law in a number of key offshore jurisdictions prepared by our global market-leading FinTech team.
Approaches and developments
Fintech initiatives in Ireland
Ireland is considered a fintech hub and is home to globally recognised technology and financial services firms.
The Irish government has been supportive of the development of the financial services sector in Ireland and this extends to fintech. The government’s strategy for the development of Ireland’s international financial services sector to 2025, “Ireland for Finance”, includes actions to help drive fintech including blockchain technologies. In October 2022, the “Update to Ireland for Finance” strategy was published in order to take account of the significant developments in the digital finance and sustainable finance space. In March 2023, the Update to Ireland for Finance Action Plan 2023 was released, which sets out six priority measures in order to support the growth of Fintech in Ireland.
Since November 2022, the Irish government Fintech Steering Group works with industry stakeholders through the Joint Fintech Group consisting of a number of Steering Group members and industry representatives. The key objective is to provide “strategic guidance on fintech from an expert industry perspective in order to inform the state on skills and education requirements and to act as a forum for the private and public sectors to engage on policy developments at a domestic and European Union (“EU”) level”.
Furthermore, Ireland’s sustainable finance e strategy of the fintech sector launched in October 2022, in order to support the development of innovative technology solutions to Environmental, Social and Governance (“ESG”) challenges. More recently, the Sustainable Finance Centre of Excellence was established which will lead on the development, and launch of innovative financial mechanisms.
According to Ireland’s enterprise agencies, the Industrial Development Agency (“IDA”) Ireland and Enterprise Ireland, there are now over 430 internationally focused financial services companies operating in Ireland, employing more than 50,000 people between them.
International financial services companies have set up research and development operations in Ireland focusing on themes such as the utilisation of blockchain, crypto, and AI. BNY Mellon recently announced the establishment of a new Digital Research and Development Hub in Dublin that will drive innovation in the areas of artificial l intelligence (“AI”), machine learning, and data analytics. Mastercard’s European Technology Hub and Citi’s Global Innovation Labs are based in Dublin and are investing in emerging areas such as AI, cybersecurity, blockchain and virtual reality. Furthermore, Fidelity Investments’ Center for Applied Technology lab has a base in Ireland and provides technology and operational business services to the US in areas such as cloud, cybersecurity, digital assets, AI and the metaverse. There are also indigenous accelerator and incubation programmes.
Central Bank of Ireland approach to Fintech and crypto
The Central Bank of Ireland (the “Central Bank”), as the national regulatory authority of financial services firms established the Innovation Hub in 2018 to provide firms engaged in the Fintech and innovation space, with a point of contact outside of the existing formal engagement processes. In 2022, the Innovation Hub received 56 enquiries originated predominantly from firms sin the payments sector, and the blockchain and crypto sector.
In recent public statements, the Central Bank emphasised their strong focus on technological innovation, and being “open and engaged is a key part of their strategy”. The Central Bank confirmed that in 2023 it will be enhancing the Innovation Hub and more generally their approach to innovation engagement.
Overview of regulatory developments
It is expected that the Central Bank will continue its supervisory focus in the areas of anti-money laundering (“AML”), outsourcing, safeguarding of client funds, governance and operational resilience.
Regulated financial lservice providers are reviewing their policies and frameworks in light of existing Central Bank Guidance on IT and Cybersecurity Risks, Operational Resilience, Outsourcing as well as the recent introduction of the Individual Accountability Framework under the Central Bank (Individual Accountability Framework) Act 2023 and are preparing for the impact of the EU Digital Operational Resilience Act1 (“DORA”). The European Commission’s 2020 Digital Finance Package significantly y changed the Fintech and crypto landscape in the EU with the introduction of the Markets in Crypto Assets Regulation2 (“MiCA”), DORA and the distributed ledger technology (“DLT”) pilot regime. MiCA, which completed the legislative process in May 2023, implements a legislative framework including rules applicable to the issuance of crypto-assets and the provision of various services in relation to crypto-assets. The EU DLT pilot regime commenced in March 2023 which creates a sandbox for the trading and settlement of DLT financial instruments.
As part of the Digital Finance Strategy and the Retail Payments Strategy, the European Commission is actively involved in the ongoing review of PSD2. On 28 June 2023, the European Commission put forward proposals for PSD3, a Regulation on payment services, and a Regulation on a framework for financial data access. These proposals will now go through the legislative process in order for the final texts to be agreed between the EU institutions. Contributing to progressing the review of PSD2 is also part of the Central Bank’s key supervisory priorities for 2023. Additionally, the Eurosystem has developed the oversight framework for electronic payment instruments, schemes and arrangements (the “PISA Framework”), directed at the governance bodies of schemes and arrangements. The PISA Framework also covers digital payment tokens such as crypto-assets and stablecoins.
Furthermore, the European Commission presented its AI package in April 2021, which includes the AI Act, a proposal for a regulation laying down harmonised rules on AI. The AI Act proposed to regulate providers placing on the market or putting into service AI systems in the EU as well as users of AI systems located within the EU. The AI Act will soon enter negotiation stages.
Fintech offering in Ireland
Recent years have seen an increase in fintech activity in Ireland and in the number of entities operating in the country, reflecting the positive ecosystem that has been developed. Ireland is a popular location for firms seeking an EU base, which has increased further following the UK’s withdrawal from the EU, so as to “passport” their Irish authorisations to provide services into other EU Member States.
In a May 2023 speech, the Central Bank Director of Financial Regulation, Policy & Risk commented that data in the Fintech sector indicates that the fintech ecosystem in Ireland comprises approximately 270 indigenous fintechs and 120 international fintechs The Central Bank is struck by the diversity of the applications and solutions, with fintechs ssector providing solutions in Regtech, Payments, Insurtech, Funds/Trading, and Credit and Lending sectors. This is in addition to the significant growth of the Blockchain and crypto sectors.
Recent examples of firms which have obtained an electronic money institution authorisation or payment institution authorisation include Google, Facebook, Coinbase, Stripe, Gemini Payments, and myPOS. Virtual Asset Service Providers (“VASPs”) are also establishing in Ireland with Gemini, Zodia Custody, Coinbase, Paysafe, Kraken, NoFrixion, and Pionew which all completed their VASP AML registration with the Central Bank since July 2022.
Most recently, crypto exchange Gemini announced that they selected Ireland as their European headquarters. Similarly, Coinbase has shortlisted Ireland as a potential MiCA hub for its European business.
Bigtech and international social media companies such as Google, Facebook, Twitter and LinkedIn all have their EMEA headquarters in Ireland.
The Fintech activity is likely to be most active in the payment and e-money space. Other areas for innovation include Regtech, insurance, digital identity and asset management, with loan and investment crowdfunding set to increase. In the context of its Innovation Hub, the Central Bank has commented on the increase in engagements regarding payment activities, crypto services and Regtech solutions. In particular, there was an increase in the number of enquiries from large, established crypto asset service providers. While many focused on the VASP registration regime, some firms were also considering other authorisations including e-money, and MiFID authorisations.
Domestic regulatory developments to address fintech disruptions
One of the Central Bank’s mandates is to ensure consumer protection. In October 2022, the Central Bank commenced its review of its Consumer Protection Code, which includes a themed discussion on Innovation and Disruption. In its discussion paper, the Central Bank has commented that the consequences and impacts of innovation need to be carefully considered, to ensure consumers are appropriately protected, while potential opportunities and benefits for consumers are maximised. The publication of a Consultation Paper setting out specific proposals on how the Code should be updated and improved is set to take place in Q4 2023. In order to address the growing Buy Now Pay Later market in Ireland, the Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022 commenced on 16 May 2022 and widened the scope of the retail credit firm regime to include firms offering “indirect credit” (i.e. the provision of credit to a borrower by paying a retailer on behalf of a consumer for the purchase of a good or service as part of a “buy now, pay later” offering).
Furthermore, as part of the Central Bank Consumer Protection Outlook Report 2023, the Central Bank noted that it will advance its work to implement the Crowdfunding Regulations and MiCA, thereby enhancing the reach of regulation for consumers of those services.
The Central Bank takes an overall cautionary stance towards crypto-assets, particularly crypto-asset which are not backed by real world assets, and has released several warnings over the years on the risks of investing in crypto assets for retail customers. Regulatory and insurance technology
There is a growing ecosystem of Irish firms s that are providing regulatory technology (“Regtech”) services. Some of the main indigenous Regtech players are CalQRisk, Fenergo, Corlytics, AQMetrics, and Miura Regtech.
According to the Central Bank Innovation Hub 2022 Update, 14% of enquiries, throughout 2022, came from Regtech firms representing a stabilisation from the gradual overall decline of Regtech enquiries since 2018. Based on the 2022 Update, the majority of Regtech enquiries related to AML/CFT solutions or fraud prevention tools. Many of the Regtech solutions demonstrated implemented A.I. or machine learning techniques into their solutions, showing the growing use of technology in such solutions. The Central Bank Innovation Hub commented that it was evident from the engagements that such solutions are being used in regulated entities, showing a growing adoption of such solutions in financial institutions.
Generally speaking, the provision of Regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, this analysis should be carried out on a case-by-case basis examining the specific Regtech service in question and the nature of the entity to which such services are provided to. A Regtech service may fall within the legal and regulatory requirements governing outsourcing which will in turn impact the contractual provisions and obligations required.
Particularly in the Fintech space, the Central Bank has dedicated much of its attention to the issue of outsourcing. The Central Bank has published Cross-Industry Guidance on Outsourcing which imposes similar contractual requirements to the European Banking Authority (“EBA”) Outsourcing Guidelines. The EBA Outsourcing Guidelines apply directly to credit institutions, certain investment firms and payments/e-money institutions. Additionally, the European Securities and Markets Authority (“ESMA”) Cloud Guidelines and the European Insurance and Occupational Pensions Authority (“EIOPA”) Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis. Insurance technology
Irish insurance technology (“Insurtech”) companies include firms such as CodeEast, Covernet, Describe Data, and Fineos. According to the Central Bank Innovation Hub 2022 Update, 4% of overall enquiries in 2022 came from firms engaged in the Insurtech sector.
Based on the Update to Ireland for Finance Action Plan 2023, insurance firms are working with higher education providers on Insurtech and instech.ie is aiming to make Ireland a leading European Insurtech hub.
From a regulatory perspective, the EU’s Solvency II regime (as implemented in Ireland), which sets out detailed capital, governance and risk management requirements for Irish and EU authorised (re)insurance undertakings, applies to the majority of Irish (re)insurance undertakings.
Such undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015, to carry on either life insurance business, non-life insurance business, or both. Regulatory bodies
The Central Bank is the financial services regulator in Ireland which is responsible for the authorisation and supervision of financial services providers. The Central Bank supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements. The European Central Bank is the competent licensing authority for new Irish credit institutions (banks) and it supervises significant credit institutions directly under the Single Supervisory Mechanism. The Central Bank will be the national competent authority for the authorisation and supervision of entities that will be subject to MiCA. The EBA will have supervisory responsibilities and powers with respect to issuers of significant asset-referenced tokens and significant e-money tokens under MiCA.
The Data Protection Commission is the Irish supervisory authority for the GDPR. Key regulations and regulatory approaches
Fintech firms must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis, as well as any new Fintech-specific legislation, such as MiCA and the Crowdfunding Regulation.
In addition to the key regulatory frameworks, outlined below, Fintech firms smay also need to comply with data privacy laws, consumer protection legislation, and Central Bank conduct of business rules.
Key regulatory frameworks
Payment and electronic money services
The provision of payment services is regulated by the primary rules to be considered are the European Union (Payment Services) Regulations 2018 (the “PSRs”) which transpose Directive 2015/2366/EU (PSD 2) into Irish law. The issuance of electronic money is regulated by the European Communities (Electronic Money) Regulations 2011 (the “EMRs”) which transpose Directive 2009/110/EC (the “Electronic Money Directive”) into Irish law. The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (“CBA 1997”) may be relevant to a money transmission service falling outside the PSRs.
Challenger banks seeking to undertake “banking business” (i.e. any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account) require a bank licence under the Central Bank Act, 1971 (“CBA 1971”) and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) (as amended) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Investment services Depending on the services provided, a fintech firm providing asset management solutions may be subject to regulation. For example, if the activities constitute “investment services” in respect of “financial l instruments” for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. A key consideration for firms providing services in relation to crypto assets will be whether the particular asset falls within the definition of a financial instrument under the MiFID Regulations as, for example, operating a multilateral trading facility, placing, receiving and transmitting orders, executing client orders or providing investment advice in relation to those investment instruments will require authorisation unless an exemption applies. In broad terms, pure cryptocurrencies (e.g. bitcoin) are unlikely to be classified das financial instruments under the MiFID Regulations.
Investment business services, including depository or administration services, would require authorisation under, for example, the Investment Intermediaries Act 1995 (the “IIA”).
Irish regulated investment funds are either authorised as undertakings for collective investment in transferable securities (“UCITS”) or as alternative investment funds (“AIFs”).
The Central Bank has taken the stance that currently it is highly unlikely that it will approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to crypto-assets. In April 2023, the Central Bank updated its AIFMD Q&A (47th edition) to increase the investment limits for qualifying investor alternative investment funds (“QIAIFs”) seeking exposure to digital assets. In Ireland, QIAIFs may now hold indirect exposures to digital assets of up to 20% for open-ended funds and up to 50% for funds that are closed ended or offer limited liquidity. Investment funds which have an indirect exposure to crypto-assets over 50% will be required to go through the Central Bank pre-submission process. Direct holding will be subject to demonstration that a depositary can meet its obligations to provide appropriate custody services to digital assets.
The Central Bank’s approach in relation to funds investing in crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future.
Crowdfunding The EU Crowdfunding Regulation3 creates a designated regulatory framework for equity and peer-to-peer lending-based crowdfunding within the EU and allows operators of crowdfunding platforms to obtain authorisation as a crowdfunding service provider (“CSP”), which can be passported across the EU. The Crowdfunding Regulation came into force on 10 November 2021 with the transitional period ending on 10 November 2023 for existing providers who have sought authorisation. Virtual Asset Service Providers
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (“CJA 2010”) implements the European AML rules into Irish law. The CJA 2010 was amended in 2021 to implement the EU’s Fifth AML Directive to include a registration requirement for VASPs, which include persons engaging in exchange services between virtual assets and/or virtual assets and fiat currencies, transfers of virtual assets, the provision of custodian wallet services and/or participation in, and provision of, financial services related to an issuer’s offer ror sale of virtual assets. It should be noted that the VASP registration requirement is not an authorisation by the Central Bank but merely a registration for AML/CFT purposes.
Offerors / issuers of crypto-assets and Crypto-Asset Service Providers
MiCA introduces a dedicated and harmonised legislative framework for crypto-assets and related activities and services. MiCA applies to natural and legal persons and other undertakings that are engaged in the issuance, offer ro the public and admission to trading of crypto-assets, including stablecocin issuers, or that provide services related to crypto-assets in the EU (the latter being referred to as Crypto-Asset Service Providers (“CASPs”)).
MiCA creates a harmonised definition of “crypto-asset” (i.e. “a digital representations of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology”) and divides in-scope tokens into three categorised: Electronic Money Tokens; Asset-Referenced Tokens; and all other crypto-assets which includes utility tokens. Crypto-assets which fall within existing financial services legislation are not regulated under MiCA.
The provisions regarding the regulation of stablecoin issuers will apply from 30 June 2024 and the remainder of the provisions under MiCA will apply from 30 December 2024. On 12 July 2023, ESMA published the first consultation package under MiCA which includes, inter alia, technical standards on the content of the application for authorisation for CASPs. The second and third consultation package will be published by October 2023 and Q1 2024, respectively.
Key regulatory approaches/trends
There is currently no dedicated regulatory sandbox in Ireland. The Central Bank has established an Innovation Hub to provide firms engaged in the Fintech and innovation space, with a point of contact outside of the existing formal engagement processes. As part of the Digital Package, the EU DLT pilot regime commenced in March 2023 which creates a sandbox for the trading and settlement of DLT financial instruments. Anti-money laundering
The EBA published Guidelines on the use of remote customer onboarding solutions for credit and financial institutions which includes the steps such institutions should take when adopting or reviewing solutions to comply with their CDD obligations when onboarding customers remotely.
The Regulation on Information accompanying transfers of funds and certain crypto-assets (“TFR”) has recently been adopted by the European Parliament and Council and will apply from 30 December 2024. The TFR requires CASPs, as obliged entities under the current AML regime, to collect, verify and submit certain information about the originator (i.e. a person that holds a crypto-asset account or address) and the beneficiary y(i.e. a person that is the intended recipient of the transfer of crypto-assets) of crypto-asset transfers (the so-called “travel rule”).
Operational resilience and security risk
There has been a notable focus by EU bodies and the Central Bank on the operational and technical resilience of regulated firms Assessing and managing risks to the operational resilience of firms sis one of the Central Bank’s key regulatory and supervisory priorities for 2023. Fintech firms swill need to be aware of the Central Bank’s Guidance on Operational Resilience and the Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks, as well as the EBA revised Guidelines on ICT and security risk management. More recently, DORA which entered into force in January 2023 and will apply from January 2025 lays down specific requirements for financial institutions in the context of security of network and information systems. Furthermore, the technical, operational and organisational cybersecurity measures contained in Directive (EU) 2022/255 (“NIS 2”) updates the NIS Directive (EU Directive on the Security of Network, and Information Systems) and sets out requirements in relation to cybersecurity and incident reporting of operators of essential services and digital services providers, which includes cloud computing service providers. EU Member States are required to transpose its measures into national law by 17 October 2024.
There do not exist any outright bans on Fintech or crypto activities in Ireland. However, Fintech firms swill have to assess on a case-by-case basis whether their activities or services bring them within scope of existing regulatory frameworks or any new regulatory regimes, such as MiCA or the Crowdfunding Regulation. Based on this assessment Fintech firms may be required to be authorised by the Central Bank.
Ireland does not have a general financial l promotions regime (i.e. restricting certain invitations or inducements to engage in investment activities). However, in line with the Central Bank’s consumer protection mandate, the Central Bank has released several warnings on the risks of investing in crypto assets for retail customers. Specifically with regard to crypto-asset which are not backed by real world assets, the Central Bank remains concerned at the potential for consumer harm and, in particular, discourages the marketing of crypto to the public.
ESMA has released a statement highlighting the risks arising from the provision of unregulated products and/or services by investment firms such as crypto-asset services (pending applicability of MiCA). ESMA recommends that investment firms stake all necessary measures to ensure that clients are fully aware of the regulatory status of the product/service they are receiving, and clearly disclose to clients when regulatory protections do not apply to the product or service provided. In addition, ESMA recommends investment firms stake into consideration the impact that their unregulated activities may have on their business activity as a whole as part of their risk management systems and policies.
Ireland is a globally recognised technology and financial services centre and is continuing to grow its fintech hand crypto hub. According to IDA Ireland and Enterprise Ireland, there are now over 430 internationally focused financial services companies operating in Ireland, employing more than 50,000 people between them.
Ireland is a popular location for firms seeking an EU base, which has increased further following the UK’s withdrawal from the EU. The passporting regime under the various legislative frameworks relevant to Fintech firms s allows firms s to passport their Irish authorisations to provide services into other EU Member States. Cross-border business is particularly prevalent in the payments and e-money space.
Ireland is well positioned to establish itself as a MiCA hub for firms seeking access to the European market and recent announcements by Gemini and Coinbase could demonstrate a trend in this direction.