We discuss some of the more significant regulatory and legal developments in the fintech sector that occurred in 2022.
The Central Bank (Individual Accountability Framework) Bill
The Central Bank (Individual Accountability Framework) (IAF) Bill was published on 28 July 2022. On 19 October 2022, the IAF Bill passed the Second Stage of the Dáil and is likely to be enacted in the coming months.
The aim of the IAF is to enhance individual accountability within the financial services industry by introducing the following:
- The Senior Executive Accountability Regime (SEAR) will enhance the ability of the Central Bank to hold individuals performing senior executive functions liable when regulatory contraventions occur in the business area for which they are responsible
- The introduction of new conduct standards to apply to persons in controlled functions (CFs), additional conduct standards to apply to individuals in pre-approval controlled functions (PCFs) and in senior positions, and business conduct standards for all regulated financial service providers (RFSPs)
- Enhancements to the Fitness and Probity regime
- A streamlined enforcement process
Apart from the UK, no other European domicile has introduced or is proposing to introduce a senior managers’ accountability regime as strict as the IAF/SEAR. This new regime will mean that individual senior managers in regulated financial firms, not just the firms themselves, can be directly sanctioned and fined by the CBI for alleged personal breaches of regulatory conduct standards or allocated responsibilities.
Dear CEO letter November 2022
The Central Bank of Ireland (the CBI) published a Dear CEO letter on 17 November 2022. Its objective was to provide further guidance in relation to the measures it expects RFSPs to take to address risks to consumers in the current economic climate. RFSPs are required to:
- Identify and address consumer risks that may emerge from changes in the RFSP’s operating landscape
- Have sufficient operational resilience to manage change without creating risks to consumers
- Assess the risks and consumer impact a commercial decision may pose to customers and develop an action plan to mitigate those risks while ensuring that customers understand what the changes mean
- Have adequate customer service capacity and structures in place to meet expected service levels and provide timely customer service
- Have processes and communication plans in place to support and assist vulnerable customers
- Only design and bring to market products that meet the needs of consumers identified for the product
The letter reminds RFSPs of their obligation to prioritise the best interests of consumers when making commercial decisions, particularly in the following key areas:
- Affordability and sustainability, e.g., for RFSPs providing or advising on credit
- The provision of relevant, clear and timely information, i.e., in a manner that allows consumers to make informed decisions
- Effective operational capacity, e.g., ensuring staff have sufficient knowledge of the protections and supports available to borrowers
- Sales and product governance, e.g., ensuring consumers understand the impact of increasing costs on their budgets and the implications of any reduction in cover
Markets in Crypto-assets Regulation
Currently, crypto-assets have no regulatory framework in Ireland, other than the requirements on virtual asset service providers (VASPs), who are required to comply with AML legislation. The CBI has issued warnings to consumers about the risks of investing in crypto-assets in the absence of regulatory protection.
This will change with the adoption of the Markets in Crypto-assets Regulation (MiCA), which was approved by the European Council on 5 October 2022. It is expected to be ratified in early 2023 and implemented by all EU member states by 2024.
MiCA will establish a crypto regulatory framework at EU level and will apply directly to Ireland. It will apply to entities and persons engaged in the issuance, offer to the public and trading of crypto assets (CASPs) or that provide services related to crypto-assets in the EU. CASPs will be required to apply to the CBI to obtain a MiCA licence.
Digital Operational Resilience Act
On 28 November 2022, the Council of the EU adopted the Digital Operational Resilience Act (DORA).
DORA will apply to a wide range of financial entities, including credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers and certain insurance undertakings and intermediaries.
The objective of DORA is to implement a common regulatory framework at EU level to manage digital risks and build resilience against IT-related disruptions. It sets out requirements for the security of network and information systems of financial entities, as well as for critical third parties who provide ICT-related services to them, such as cloud platforms or data analytics services.
Aspects of DORA that require national transposition will be passed into law by each EU member state and the respective national competent authorities, including the CBI, will oversee compliance with DORA.
Looking ahead to 2023, we can expect to see a continued focus on consumer protection and accountability for regulatory breaches in the financial sector, particularly in the uncertain economic climate. Fintechs in particular are likely to be affected by inflation, reduced budgets and a drop in start-up funding.
As the EU moves closer to a comprehensive regulatory regime for crypto assets, it remains to be seen how the practicalities of the implementation of MiCA will be decided at national level.
We can also expect to see a focus on cybersecurity risks in 2023. RFSPs should be mindful of issues such as IT security, cybersecurity threats and best practice in addressing them pending implementation of DORA.
The content of this article is provided for information purposes only and does not constitute legal or other advice.