CBI’s key priorities for Payments & E-Money sector: Take action to ensure compliance

As of December 2023, there is approximately €8bn held in safeguarded funds, protecting consumers against the crystallisation of unacceptable risks in the eyes of the CBI. As outlined by Elizabeth McMunn, Director of Banking, Payments, and Credit Union Supervision, in her speech to the industry on the 29^th of February 2024¹, the stability and reliance of the sector is a key focus of the CBI.

With this growth of the sector also comes the need for an increased focus from the CBI, with an acknowledgement that the regulator must evolve and adapt its approach to regulating and supervising the sector. Innovative firms can develop new technologies giving substantial advantages to consumers and the broader marketplace. However, these new innovations also bring new risks to consumers and the wider economy as a result. One of the key priorities for the CBI is to create a regulatory environment that is suitable, “remains risk-based,” and “is led by judgement and focussed on the outcomes we are seeking to achieve”.

In order to achieve this outcome, the CBI mentions the following four principles as key priorities:

1. Safeguarding;
2. Operational Resilience and Outsourcing;
3. Governance, Risk Management, and Anti-Money Laundering and Countering the Financing of Terrorism, and
4. Business Model and Financial Resilience.

1. Safeguarding

The safeguarding of customer funds is a key focus of the CBI, as demonstrated by the “Dear CEO” letter issued in January 2023². The letter was sent with the purpose of reaffirming their supervisory expectations, both firm-specific and sector-wide, and to enhance transparency around the CBI’s approach to, and judgements around regulation and supervision. The letter sent to all Payment and E-Money firms requested the firms to obtain a specific audit of compliance with the safeguarding requirements under the European Union (Payment Services) Regulations 2018 (“PSR”) and/or European Communities (Electronic Money) Regulations 2011 (“EMR”). The audits of their compliance with safeguarding requirements were to be submitted to the CBI by the end of October 2023, along with a Board response to the outcome of the audit.

The focus on safeguarding funds is not just a key priority of the CBI. In the UK, the Financial Conduct Authority (FCA) has told payment firms that their “top priority” should be ensuring that their customers’ money is safe. The FCA is due to consult on tightening the rules around how payment firms manage safeguarded funds. As it stands, the UK legislator is responsible for the rules that govern how Payment and E-Money institutions hold their customers’ money. The UK government now intends to move these rules off the statute books and, instead, give the responsibility to the regulators so they can determine the rules that apply to financial services firms with greater agility.

2. Operational Resilience and Outsourcing

We have seen from other instances across the banking section that when key infrastructure to a firm is impacted it can have detrimental impacts on customers and the sector as a whole. As the industry has a high reliance on technology, the CBI expects that firms have the ability to respond to, adapt to, and be able to recover quickly from disruptions. They also expect that firms demonstrate that they have learnt from the operational disruptions and put measures in place that will prevent similar outages. 

Operation resilience should be front of mind for a firm’s Board and Executive team. It is critical that they have full oversight of their outsourced agreements and have comprehensive contingency planning in the event of an outage.

With the vast majority of the Payment and E-Money firms operating in Ireland being part of larger international groups, the CBI expects that firms do not place a reliance on group structures to such an extent that it compromises their requirements as an Irish-regulated entity. The CBI expects that the Boards and Executive teams of all firms operating here can demonstrate that they:

• Can make strategic decisions, maintaining responsibility for core activities;
• Have oversight and ownership of its material risks and can demonstrate management of them, and
• Can demonstrate financial and operational resources to deliver its strategy in a sustainable and customer-centric way.

All are expected to be conducted in compliance with its regulatory and legislative obligations as an Irish-authorised firm.

3. Governance, Risk Management, and Anti-Money Laundering and Countering the Financing of Terrorism

Given the industry's fast-paced growth, the CBI believes that firms with strong governance and risk management foundations are best placed to reap the benefits of growth and innovation in the sector. As the sector expands at a rapid pace, so do the potential risks to customers and the sector. 

A functioning payments sector is one in which governance, risk and control frameworks are well-designed, embedded and overseen by suitably experienced and accountable personnel. Firms that have embedded strong governance and risk and control frameworks into their business are best placed to capture the opportunities that come with the new innovations as they have a holistic understanding of their risk and control environment. 

The inherent risks of money laundering (ML) and terrorist financing (TF) associated with the sector are high and the CBI has noted shortcomings in the industry in understanding the risk of ML and TF. Firms that have robust controls in place and understand their requirements under Anti Money Laundering requirements when onboarding new clients, along with well embedded governance frameworks will mitigate these risks.

4. Business Model and Financial Resilience

This period of rapid change within the Payments & E-Money sector is driven by innovation, evolving regulations, and emerging technologies. As CBI Deputy Governor Sharon Donnery remarked at the Milano Hub a short time back, “regulating in the interests of us all”³ is high on the list of priorities. Firms and boards are ultimately responsible for managing the risks to which they are exposed. And while the CBI will “serve the public interest by maintaining monetary and financial stability, while ensuring that the financial system operates in the best interests of consumers and the wider economy”⁴, the responsibility of staying agile, diverse, and resilient remains with the individual firms. There are a number of safeguarding strategies and aspects to consider in this regard.

Diversity & Inclusion

The CBI outlines that, according to their supervisory insights, companies embracing diverse perspectives demonstrate effective management, financial resilience, and strategic acumen. While each organisation is responsible for cultivating its unique culture, the CBI advocates for regulated firms to foster diversity and inclusivity, especially at senior levels. This approach aims to mitigate groupthink, prevent overconfidence, and encourage internal challenges. 

Research underscores that diversity at senior levels within regulated entities not only enhances decision-making and elevates the level of scrutiny but, crucially, from the CBI’s supervisory experience, highlights that a lack of diversity can signify heightened risks in behaviour and organisational culture.

Future Regulatory Evolution

How will upcoming legislative proposals further shape the regulatory landscape for Payment and E-Money firms?

• Third Payment Services Directive (PSD3)⁵: While still under development, PSD3's provisions will undoubtedly have a profound impact on the way firms operate. The directive will focus on three key areas: open banking, e-money, and strong customer authentication (SCA). Notably, it is anticipated that PSD3 will necessitate several key actions from firms. These include enhancing transaction security through stricter SCA requirements, facilitating open banking by enabling secure access to customer data for authorised third-party providers (TPPs), and adapting existing compliance frameworks to effectively navigate the evolving regulatory landscape. By proactively preparing for these upcoming changes, Payments & E-Money firms can ensure continued success in the face of this evolving regulatory environment.
• Markets in Crypto-Assets Regulation (MiCAR)⁶:  This EU regulation will come into effect in the second half of 2024 and aims to harmonise crypto-asset regulations across member states, fostering greater clarity and stability within the crypto ecosystem. For Payments & E-Money firms involved in crypto activities, MiCAR demands careful consideration. Obtaining specific licenses for crypto-asset services, such as exchange or custody operations, will be important. Additionally, firms must implement robust anti-money laundering (AML) and combating the financing of terrorism (CFT) controls tailored to the specific risks associated with crypto transactions. Furthermore, MiCAR underscores the importance of clear and comprehensive communication with customers regarding the inherent risks involved in crypto-asset investment. By proactively complying with these new regulations, Payments & E-money firms can ensure responsible participation in the burgeoning world of crypto-assets.
• Individual Accountability Framework (IAF)⁷: The recently enacted Central Bank IAF Act marks a significant step towards strengthening governance and accountability within the Payments & E-money sector. While the full implementation is staged, key elements like the Senior Executive Accountability Regime (SEAR) will have a direct impact. SEAR mandates a clear delineation of responsibilities and decision-making authority within the senior management of Payments & E-money firms. This fosters a culture of ownership and individual responsibility for regulatory compliance within the sector. The IAF also introduces a robust set of Conduct Standards, including those specifically applicable to senior executives. These standards, coupled with enhanced Fitness & Probity (F&P) requirements, ensure that individuals operating in critical roles within Payments & E-money firms possess the necessary qualifications and adhere to the highest ethical standards. Furthermore, the IAF empowers the Central Bank to hold individuals directly accountable for breaches of their obligations. This reinforces the importance of personal responsibility and strengthens the overall regulatory framework for the Payments & E-Money sector.

Technological Advancements and Risks

As the sector continues to innovate, what new technological risks might emerge, and how should firms prepare to mitigate these effectively?

In the face of continuous technological innovation within the Payments & E-money sector, a new wave of potential risks emerges. One such concern lies in the potential for bias within Artificial Intelligence (AI) systems. Algorithmic bias can lead to unfair treatment of customers, necessitating robust testing and monitoring procedures to mitigate such issues. In terms of the vulnerability to cyberattacks, firms must prioritise robust cybersecurity measures, including data encryption, multi-factor authentication, and regular penetration testing, to safeguard their systems and customer data. Payments & E-money firms should conduct thorough due diligence on Third-Party Providers (TPPs) and implement comprehensive risk management frameworks to address potential vulnerabilities within the third-party ecosystem. Finally, the ever-expanding volume of customer data necessitates heightened vigilance regarding data privacy. Firms must ensure unwavering compliance with regulations like GDPR and implement robust data governance practices to maintain customer trust and mitigate associated risks. By proactively addressing these emerging challenges, Payments & E-money firms can navigate the exciting world of technological innovation while safeguarding their operations and customers. 

How can BDO help?

From the CBI’s communications, we have seen that they expect Payment and E-Money firms to have a deep understanding of their business and its risks, not only to the business itself but also to its customers and the sector as a whole, so that trust is maintained in the industry. 

Our team in BDO includes industry experts who collaborate with firms, helping to advise and support them to develop and embed comprehensive risk governance frameworks, ensuring they meet the expectations of the CBI. We use our industry knowledge and experience of completing safeguarding reviews to guide on best practices, positioning firms to be robust, resilient, and ready to adapt as the regulatory environment evolves to innovations in the industry.

Our team of industry experts will:

• Perform an independent audit of controls and the firm’s compliance with the safeguarding requirements under the PSR/EMR.
• Provide guidance on regulatory expectations and industry best practices in terms of what a comprehensive safeguarding framework looks like.
• Assess your overarching Governance and Risk Management frameworks to make sure it is in line with regulatory expectations. 
• Help with the embedding of a robust risk culture by replicating best practice we have seen through our Global network.
• Assess and advise on the enhancement of your Operational Resilience & Outsourcing framework to achieve a best in industry standard.
• Complete a maturity assessment of your AML Frameworks against industry standards and/or assess CJA 2010 compliance to highlight any gaps/weaknesses.

    References:

[1] Press Release, Perspectives and priorities - payments and e-money" - Remarks by Mary-Elizabeth McMunn, Director of Banking, Payments and Credit Union Supervision.

[2] Dear CEO letter: Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms, issued by the Central Bank of Ireland, January 2023.

[3] Press Release, “Innovation and Trust – Regulating in the interests of us all” Remarks by Deputy Governor Sharon Donnery at the Milano Hub.

[4] Press Release, Maintaining stability in the face of volatility – financial regulation in a rapidly changing world” – Remarks by Deputy Governor Sharon Donnery at The Compliance Institute annual conference.

[5] European Payments Council, “What do the PSD3 and PSR mean for the payments sector?” – Eric Ducoulombier, Head of Unit, Retail and Payments, European Commission.

[6] Markets in Crypto-Assets Regulations (MiCAR), CBI regulatory framework.

[7] Individual Accountability Framework, CBI Act 2023.