We discuss some of the more significant regulatory and legal developments in the fintech sector that happened in 2021.
VASPs
Ireland transposed provisions of the Fifth Anti-Money Laundering Directive (5AMLD) into Irish law in April 2021 by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 ("2021 Act"). This Actamended the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. One of the most significant changes introduced by the 2021 Act was the extension of anti-money laundering obligations and countering the financing of terrorism (AML/CFT) obligations to virtual asset service providers (VASPs).
All new and existing VASPs are required to register with the Central Bank for AML/CFT purposes. Existing VASPs established in Ireland and carrying on business immediately prior to the 2021 Act coming into force, had a “grace period” of 3 months to register with the Central Bank. All other VASPs must register with the Central Bank prior to the commencement of any services relating to virtual assets from Ireland.
In order for the Central Bank to register a VASP, it must be satisfied that the firm's AML/CFT policies and procedures are effective in combating the risks associated with its business model and that the firm's management and beneficial owners are fit and proper. Once registered, VASPs must ensure ongoing compliance with their obligations under the AML/CFT regulatory framework.
Cross-industry Guidance on Outsourcing
Outsourcing is widely used by regulated financial service providers (RFSPs) in Ireland, and thus remains a supervisory priority for the Central Bank. This is due to the potential threat outsourcing poses to the operational resilience of firms. The Central Bank launched a consultation on draft guidance on outsourcing (the Guidance) in March 2021. The consultation closed in July 2021.
The Guidance, as currently envisaged, sets out the expectations of the Central Bank regarding the management of:
- Outsourcing risk relating to information technology
- Sub-outsourcing and the complexity of such arrangements
- The off-shoring of outsourcing, particularly outside the EU/EAA, and
- Concentration risk
The draft Guidance is relevant to all RFSPs that outsource services or functions. It will also be relevant for the entities providing services to these RFSPs. It does not supersede existing sectoral legislation, regulations or guidance on outsourcing and should be treated as a guide to good practice. RFSPs should ensure that their current practices are in line with current Irish and European sectoral requirements.
The Central Bank is expected to publish the finalised Guidance imminently.
Crowdfunding Regulation (EU) 2929/1503
Crowdfunding, a method of raising capital by collecting small contributions from a large number of individuals, has become an increasingly popular form of alternative finance for start-ups and SMEs in recent years. Until now, crowdfunding was not a regulated activity in Ireland. However, Member States were required to adopt the Crowdfunding Regulation (EU 2020/1503) (the Crowdfunding Regulation) by 10 May 2021 and apply those measures from 10 November 2021.
The Crowdfunding Regulation applies to “peer-to-peer” crowdfunding platforms facilitating business funding; and to investment-based crowdfunding platforms in relation to transferable securities only.
Crowdfunding service providers (CSPs) who fall within the scope of the Crowdfunding Regulation are not subject to the MiFID II regime.
The Central Bank is expected to provide details of the authorisation process it will apply to CSPs soon. CSPs already engaging in activities that require authorisation under the Crowdfunding Regulation, may continue to do so on a transitional basis until November 2022.
AI Regulation
Artificial Intelligence (AI) is a rapidly evolving area of technology. Consequently its use by RFSPs, while innovative, also poses significant risks related to safety and security. The European Commission, in April 2021, published its draft Artificial Intelligence Regulation (AIR) which proposes to introduce a regulatory framework for AI in the EU by imposing obligations on users and providers of AI systems. It adopts a risk-based approach, with the four levels of risk posed by AI systems designated as:
- “Unacceptable”
- “High”
- “Limited”
- “Minimal”
The AIR is currently being discussed by the European Parliament and the European Council. It appears that while Member States agree with the overarching objectives of the AIR, some queries have arisen, particularly in relation to:
- The definition of key terms
- The scope of AIR, and
- The proposed requirements for “high-risk” AI systems
It can take some time to pass complex legislation like AIR. While the final version of the legislation may differ somewhat from the current draft, RFSPs should be mindful that AIR is likely to introduce a significant change in the regulatory requirements around AI.
In terms of VASP registrations, the Central Bank has indicated that it will process each application for registration as expeditiously as possible, while meeting its obligation to operate a rigorous and effective gatekeeper function. To date it does not appear that any VASPs have completed the registration process with the Central Bank.
Ireland is a popular location for crowdfunding platforms. This move into a regulated environment may present challenges for CSPs, some of whom may be seeking authorisation from the Central Bank for the first time. It is also important for financial entities to note that the scope of the Crowdfunding Regulation is limited. A MiFID II licence is still required to provide investment services that do not fall within scope of the Crowdfunding Regulation.
Finally, looking ahead to 2022, we can expect to see a continued focus on technology and outsourcing risk on both a domestic and a European front for RFSPs.
If you would like to discuss any of the points highlighted, please contact a member of the Financial Regulation team.