Abstract
This Technical Note on Oversight of Fintech explains that Ireland’s fintech sector is growing in importance through the entry of innovative new players and digital transformation of incumbents’ business models and products. This note seeks to identify risks arising from fintech as well as policy responses by authorities. The Irish Government has adopted a Strategy implemented by annual action plans for the development of Ireland’s international financial services sector that includes several initiatives of relevance to fintech. The Central Bank has an Innovation Hub that provides a single point of contact for stakeholders on fintech-related issues. Under the EU’s passporting framework host regulators receive limited information on the activities that passporting entities carry out in their jurisdiction. Incumbent retail banks in Ireland are dedicating significant resources to digital transformation, while fintechs are enlarging consumer choice through innovative new services. The Central Bank should further intensify its efforts to monitor developments on crypto-assets through systematic data collection within the scope of its powers and, where unacceptable risks remain, issue carefully targeted warnings and investor communications.
Introduction1
A. Background
1. Fintech2 is playing an increasingly important role in the financial sector in Ireland, with growth focused on payments services. There is a mixture of new players gaining market share by offering innovative products and services, while incumbents dedicate significant resources to digital transformation. Interconnectedness between existing regulated entities and fintechs/BigTechs is increasing through a mixture of outsourcing and partnership agreements. The Irish authorities are working to facilitate innovation and competition while identifying and addressing risks to consumers and financial stability that may arise from the new financial sector landscape.
2. This note seeks to identify risks arising from fintech as well as policy responses by authorities. The note does not aim at carrying out a detailed review of the current regulatory regime, as no formally binding international standards exist for fintech against which the authorities’ practices could be compared (with the exception of the Financial Action Task Force standards on virtual assets (VAs) and virtual asset service providers (VASPs), which cover anti-money laundering (AML) and counter-financing of terrorism (CFT)). However, the regulatory and supervisory framework has been an area of focus for the larger sub-sectors (e.g., PIEMI). Key issues assessed in the preparation of the note included the impact of fintech on the regulated sector, the interaction between new market entrants and incumbents, data and market monitoring, and supervisory cooperation.
Total Non-Cash Payments Volume, by Proportion of Payment Instrument
Citation: IMF Staff Country Reports 2022, 243; 10.5089/9798400216619.002.A001
Source: Central BankFintech Industry Overview
3. Ireland’s position as an international financial center and hub for global technology firms is reflected in the growth of fintech in the jurisdiction. The largest sub-sector is represented by payment and e-money institutions (PIEMIs), where the number of authorized firms and value of transactions increased by 45 percent and 53 percent respectively between Q4 2019 and Q2 2021. Data from 2020 show that 65 percent of Irish adults are using non-cash payments multiple times a week, while 24 percent use their mobile phone for contactless payments. Research commissioned by the Competition and Consumer Protection Commission (CCPC) shows that 11 percent of Irish citizens with investments hold crypto-assets, which increases to 25 percent among those aged 25-34. Beyond payments and crypto-assets, fintech activities are developing on a smaller scale in areas such as insurance and investment management. Meanwhile, the importance of market support firms, including cloud service providers (CSPs), continues to grow: a 2018 survey by the Central Bank indicated that 40 percent of regulated firms were using CSPs.
4. The Irish Government has adopted a Strategy implemented by annual action plans for the development of Ireland’s international financial services sector that includes several initiatives of relevance to fintech. The “Ireland for Finance” Strategy identifies technology and innovation as a key theme, and in Action Plan 2022 the five priority actions in this area are: implementing the second phase of the Department of Finance’s (DoF) Fintech Steering Group,3 developing educational resources to support consumers to engage with fintech (which falls under the responsibility of the CCPC), developing the instech.ie insurtech hub, delivering a program of activities to support Irish-owned fintech companies’ growth in international markets, and developing a coordinated program of activities to raise Ireland’s global visibility as a hub for fintech. It is envisaged that these actions will be complemented by Enterprise Ireland’s4 support to indigenous firms and the support of the Industrial Development Agency (IDA Ireland) for foreign-owned firms.
5. Ireland’s status as an open economy with extensive global trade and foreign direct investment links has influenced the development of fintech in the country. The UK’s withdrawal from the European Union (Brexit) led to a significant shift in the composition of the Irish financial services sector with the transfer of established U.K. firms’ business to newly authorized Irish firms to retain access to the EU market. A new generation of digital natives has led to fundamental behavioral changes in the usage of many consumer products, as well as an evolution in public expectations for the delivery and distribution of goods and services. The COVID-19 pandemic has further accelerated this behavioral change and the shift toward digitalization. These interdependent trends coincide with an evolution in the global regulatory environment as digitalization and innovation across all industries has accelerated the pace by which the private sector can design, develop, and deploy financial products and services. In recognition of these challenges, the Central Bank has incorporated the pace at which innovation occurs as a component of its strategic planning process.
Regulatory Approach
A. Institutional Setting and General Approach to Fintech
General Approach to Fintech
6. The Central Bank is an integrated regulator with responsibility for almost all of the financial services sector in Ireland. The Central Bank’s mission is to serve the public interest by maintaining monetary and financial stability while ensuring that the financial system operates in the best interests of consumers and the wider economy. It is a public body, the functions, responsibilities and powers of which are clearly defined and enshrined in the Central Bank of Ireland Act of 1942 (as amended) (the Act) and in other primary and secondary legislation. In addition to its regulatory and supervisory responsibilities across authorization (licensing), supervision, enforcement and regulatory policy development, the Central Bank is the macroprudential authority for Ireland. Accordingly, it monitors risks to financial stability and implements policies to mitigate the impact of those risks on both the financial system and the real economy. It is also the national resolution authority under the European Single Resolution Mechanism framework.
7. The Central Bank seeks to harness the benefits of fintech while managing additional risks it may generate. The growth of fintech, BigTech, non-bank financial intermediation, and the increased role of technology in the provision of financial services to households and business are key areas of regulatory focus. Risks posed by innovation in the provision of financial services include questions over the robustness of the underlying business models of these firms; cyber-related threats; too-big-to-fail concerns; interconnectedness; operational concerns; procyclicality and the impact that fintechs pose for incumbents’ business models as well as consumers.
Regulatory and Supervisory Approach to Fintech
8. In 2018, the Central Bank established the Innovation Steering Group (ISG) and the Fintech Network to coordinate its approach. The ISG is the internal structure that coordinates effective prioritization and operationalization of fintech and technological innovation-related activities across the Central Bank. It comprises senior staff from all areas of the organization, including central banking, prudential regulation, conduct regulation and operations. Among its current strategic priorities are protection of consumers in an increasingly digitalized financial services landscape and effective contribution to the EU and international innovation agenda to further embed the Central Bank’s positions on innovation. The Fintech Network, meanwhile, is a working level cross-Central Bank group of specialists who support the Innovation Hub but also share information across the Central Bank on a more informal basis.
9. The Central Bank’s Innovation Hub facilitates engagement and access by providing a direct point of contact for fintechs and incumbents, as well as providing early intelligence on innovative products and services. The Innovation Hub is open to enquiries from providers or potential providers of financial products or services that are innovative and sufficiently mature. Enquiries related to authorization/registration are generally driven by changes to the regulatory perimeter, as illustrated by the increase in queries from potential Virtual Asset Services Providers (VASPs) and Crowdfunding Service Providers following the introduction of new legal frameworks for these entities. Since its establishment in 2018 the Hub has received 266 enquiries from innovative firms. The profile of entities has remained broadly stable over that period: small and micro-sized enterprises comprise ~75 percent and early stage start-ups ~40 percent, while ~92 percent of enquiry firms operate outside the Central Bank’s regulatory perimeter. The Central Bank also has other means to conduct sectoral outreach with fintechs including engagement with industry bodies, providing published guidance on authorization processes and expectations as well as prioritizing early engagement with firms, enabling them to engage at the preliminary or speculative phase to gain information and guidance about the authorization process.
10. The Central Bank is an active participant in the European Forum for Innovation Facilitators (EFIF). EFIF was established further to the January 2019 Joint European Supervisory Authority (ESA) report on regulatory sandboxes and innovation hubs, which identified a need for action to foster greater coordination and cooperation between innovation facilitators to support the scaling up of fintech across the EU single market. EFIF is intended to provide a platform for participating authorities to share experiences from engagement with firms through innovation facilitators, to share technological expertise, and to reach common views on the regulatory and supervisory treatment of innovative products, services and business models, boosting bilateral and multilateral coordination. Efforts are also underway to introduce a cross-border testing framework, building on the approach already put in place by the Global Financial Innovation Network.5 The Central Bank is considering how best to participate in this initiative.
11. The Central Bank’s upcoming review of the Innovation Hub is an opportunity to assess the experience gained since its establishment. Financial regulators in several jurisdictions (e.g., the U.K., the Netherlands and Hong Kong SAR) have established regulatory sandboxes to allow products and services to be tested in a controlled environment with real consumers. Feedback from market participants in Ireland indicates that there is some measure of support for the introduction of such a sandbox in Ireland. Other jurisdictions have found innovation facilitators (similar to the Central Bank’s Innovation Hub) to be equally effective.
12. Recommendation 1: The Central Bank should use the experience gained with the Innovation Hub to inform its reflections on the future development of the regulatory framework for fintech in Ireland.
13. The regulatory and supervisory framework for fintech in Ireland, including the Central Bank’s role and powers, should be understood against the background of the EU institutional and regulatory framework. Many regulatory initiatives on the financial sector originate from the EC. The Central Bank is actively involved in the EU policy development process and engages closely alongside the DoF and other relevant stakeholders to influence and shape new EU legislation throughout the development lifecycle. Application of the regulatory framework takes place through the European System of Financial Supervision, consisting of the national competent authorities (NCAs) in each EU Member State (MS), the ESAs6 and the European Systemic Risk Board (ESRB).
14. The EC’s Digital Finance Strategy aims to ensure that the EU’s financial services legislation is fit for the digital age. The Regulation on Markets in Crypto-Assets (MiCA) (Box 1) and Digital Operational Resilience Act (DORA) (Box 2) are two important initiatives in this context. To allow for competition while preserving a level playing field and high standards of investor protection as well as financial stability, the EC strives to ensure that the regulatory framework is technologically neutral, applying the concept of “same activity, same risks, same rules".
15. The Central Bank is a member of the European System of Central Banks (ESCB), as led by the European Central Bank (ECB), and participates in the Eurosystem as a MS that has adopted the Euro. One of the Eurosystem’s statutory tasks is promoting the smooth operation of payment and settlement systems. The Eurosystem fulfills this task by owning and operating financial market infrastructures (FMIs), conducting oversight of the overall FMI landscape (including wholesale and retail), acting as a catalyst for change and establishing oversight policies for retail payment systems, instruments and arrangements. The Central Bank also engages at an international level with the International Organization of Securities Commissions (IOSCO), the Committee on Payments and Market Infrastructures and other supranational bodies through a number of committees that include within their remit innovation and fintech elements.
Fintech Monitoring
16. The Central Bank monitors fintech developments in several ways, ranging from participation in EU and international fora; conducting monitoring and horizon scanning exercises; and gathering intelligence from the Innovation Hub and other regulatory activities. The ISG completes an annual exercise to review trends in technological innovation and identify risks and opportunities. The horizon-scanning exercise gathers information from several sources including desk-based research of market trends, insight from the Central Bank’s Innovation Hub engagements, and a review of planned activities by the ESAs and other relevant agencies. Key themes for 2022 include crypto-assets and their underlying technology, progress of and plans for global stablecoins, and monitoring the development of Decentralized Finance (DeFi).
17. The importance of social media as a forum for consumers to discuss financial services is growing. Since 2013 the Central Bank’s monitoring of social media and online platforms has helped it to understand consumers’ experiences and concerns around financial services and products. The Central Bank uses a third-party provider to collate information in real-time from social and online media. This includes material published to online public forums by Irish consumers, potential customers and representatives of regulated firms, and other stakeholders including media. Insights gathered are fed into the Central Bank’s ongoing risk assessment processes, as well as interventions with individual firms on live issues.
18. DoF, the Central Bank, and the National Treasury Management Agency monitor the financial stability impacts of developments in fintech. They use the forum of the Financial Stability Group (FSG) to present research to senior management of the agencies for high-level discussions. Relevant topics which have been discussed include: Digital Euro and EU Digital Proposals (January 2021); Evolution of Banking Services (June 2021); Financial Stability Risks of new Institutions Establishing in Ireland (March 2019); Update on Stablecoins (September 2019); and Cryptocurrencies (March 2018).7
19. The Central Bank is a member of various EU level fora which monitor developments in fintech via regular reports. For example, fintech is covered in the ECB’s Financial Stability Review, ESMA’s Trends, Risks and Vulnerabilities Report and EIOPA’s Financial Stability Report. In addition, there are two EBA Standing Committees (the Standing Committee on Consumer Protection and Financial Innovation, and the Standing Committee on Supervision, Risks and Innovation) that incorporate monitoring of innovation and technological change into their mandates.
Areas of Focus
A. Crypto-Assets
20. Interest in and ownership of crypto-assets is growing at a significant pace globally (Figure 2), including in Ireland. There is a lack of comprehensive and reliable data on crypto-asset activity in Ireland due to the unregulated nature of large parts of the sector. However, the Finder Cryptocurrency Adoption Index indicates that approximately 12 percent of internet users in Ireland own crypto-assets. A recent World Bank Working Paper,8 citing a Statista Global Consumer Survey, put the figure at approximately 10 percent. The recent trend whereby payments institutions are increasingly providing an on-ramp for crypto-assets (see section D below) is likely to encourage further growth.
Global Market Capitalization for Crypto Assets (Billions of US dollars)
Citation: IMF Staff Country Reports 2022, 243; 10.5089/9798400216619.002.A001
Source: CoinGeckoRegulatory Framework
22. The EU regulatory framework for crypto-assets is fragmented. Where crypto-assets qualify as transferable securities or other types of financial instrument under the Markets in Financial Instruments Directive (MiFID), a full set of EU financial rules apply. However, work by ESMA in 20199 suggested that only 10 to 30 percent of crypto-assets in existence at that time might be covered by MiFID. For crypto-assets that do not qualify as MiFID financial instruments (or that are outside the scope of other EU rules applicable to non-financial instruments, such as the Electronic Money Directive), consumer protection and market integrity risks can arise through the current absence of rules. The EC is seeking to address this issue through its proposed new regulation on markets in crypto-assets (MiCA) (Box 1).
23. The EU’s regulatory framework for crypto-assets that do not fall within the scope of MiFID currently extends only to obligations on anti-money laundering (AML) and countering the financing of terrorism (CFT). The Fifth Anti-Money Laundering Directive (5AMLD) expanded AML and CFT obligations to entities that provide certain services relating to “virtual assets”.10 For the purposes of the legislation, virtual asset service providers (VASPs) are firms that provide any of the following services relating to virtual assets:
exchange between virtual assets and fiat currencies;
exchange between one or more forms of virtual assets;
transfer of virtual assets, that is to say, to conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
custodian wallet provider; and
participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset or both.
All VASPs established in Ireland are required to register with the Central Bank for AML/CFT purposes only. If a firm that is currently authorized by the Central Bank for prudential and/or conduct of business services plans to carry on business as a VASP, the firm is also obliged to seek registration as a VASP.11
Prudential Treatment of Exposures
24. The Central Bank has not put in place any national requirements in relation to the prudential treatment of banks’ crypto-asset exposures and is awaiting the outcome of international discussions on the matter. The Basel Committee on Banking Supervision’s (BCBS) recent consultation on this topic proposes to categorize crypto-asset exposures into two groups. Group 1 crypto-asset exposures include tokenized traditional assets and crypto-assets with stabilization mechanisms (e.g., stablecoins). Group 2 crypto-asset exposures comprise those crypto- assets that do not qualify under Group 1 (e.g., Bitcoin). Central bank digital currencies are out of scope. The consultation paper outlines the proposed treatment of the aforementioned crypto-assets in the following areas: credit and market risk requirements, other minimum requirements (leverage ratio, large exposures, liquidity ratios), supervisory review, and disclosure. The EBA has not yet communicated its position on the prudential treatment of banks’ crypto-asset exposures.
Prohibitions on Exposures
25. Rules on permissibility of exposures to crypto-assets vary depending on the type of regulated entity, although prior approval by the Central Bank is likely to be required in most cases. In the case of investment funds, the Central Bank’s position on whether UCITS12 and AIFs13 can gain exposure to crypto-assets is that any such proposal would require a detailed submission outlining: i) how the risks associated with exposure to crypto-assets could be managed by the UCITS/AIF in its risk management process; and ii) in the case of a UCITS seeking to invest directly in crypto-assets, detailed analysis outlining how direct investment in crypto-assets is deemed to be eligible.14 In the case of UCITS or retail AIFs, taking into account the potential that retail investors will not be able to appropriately assess the risks of making an investment in a fund which gives such exposure, the Central Bank has indicated that it is highly unlikely to approve a fund proposing such exposure. In the insurance sector there are currently seven companies that hold extremely small relative exposures to crypto-assets through unit-linked products, where the market risk is entirely borne by the end-investor. Improvements to data reporting under the Solvency II framework due for year-end 2023 will provide asset-by-asset reporting and give a breakdown of crypto-asset categories; pending the new approach, the Central Bank uses a workaround that gives a reasonably accurate view of crypto-asset exposures.
Markets in Crypto-Assets Regulation
On September 24, 2020, the EC issued, as part of a Digital Finance Package, a new regulatory proposal on Markets in Crypto-Assets (MiCA). The objectives of MiCA are four-fold: i) legal certainty; ii) supporting innovation; iii) ensuring appropriate levels of consumer protection and market integrity; and iv) ensuring financial stability.
MiCA is expected to cover all crypto-assets not covered elsewhere in EU financial services legislation and will categorize them as either: i) utility tokens; ii) asset-referenced tokens (ARTs, commonly known as multi- currency stablecoins); or iii) e-money tokens (EMTs, commonly known as single currency stablecoins). Issuers and crypto-asset service providers providing services on such assets in the EU (e.g., custody, exchange, advice etc.) will be in scope and become subject to prudential requirements as well as rules on complaints handling, conflicts of interest and conduct.
One of the principal drivers for MiCA was Facebook’s plan to issue a crypto-currency with the potential to reach billions of users. As such, the MiCA proposal recognizes the risks and circumstances surrounding some ARTs and EMTs that have the potential to reach a large scale and size by setting out different regimes based on the significance of the crypto-asset and calibrating the requirements accordingly. The determination of significance will take into account the size of the customer base of the promoters of the asset, the value of the tokens or their market capitalization, the number and value of transactions, the size of the reserve of assets, significance of the issuers’ cross-border activities and interconnectedness with the financial system.
The original MiCA proposal envisaged a centralized supervision framework led by the EBA and supported by a college of supervisors for the issuers of significant ARTs and EMTs. However, the precise allocation of powers between agencies has been a key area of discussion in the subsequent negotiations, with some lawmakers advocating that competences be shared between the EBA and ESMA, and disagreements over the treatment of credit institutions supervised by the Single Supervisory Mechanism (SSM) that issue a significant EMT/ART. MiCA also foresees a strong role for the ECB to ensure mitigation of monetary policy and financial stability risks: the ECB (or National Central Bank in non-Euro area countries) will be empowered to issue a binding opinion providing for the refusal of authorization on grounds of smooth operation of payment systems, monetary policy transmission, or monetary sovereignty. This is important given the high probability that at least some proposed ARTs are likely to be significant and could pose a threat to either monetary policy or financial stability.
MiCA is currently being negotiated in the EU’s “trilogue”1 process, from which it is hoped an agreement can be reached in the coming months. Based on current expectations, parts of the new framework will start to apply in H2 2023, with full application in 2024. However, even then some crypto-assets may remain outside of the perimeter both of MiFID and MiCA.
1 Informal tripartite meetings on legislative proposals between representatives of the European Parliament, the Council and the EC.
26. Unlike several other jurisdictions (e.g., France, Germany, Malta and Switzerland), Ireland has not put in place a bespoke framework at national level for crypto-assets not covered by existing securities laws. Investors in these assets are exposing themselves to risks of which they may not be fully aware. Hence, the Central Bank has issued warnings to consumers on the risks of investing in crypto-assets and issued consumer explainers. Another consequence of the absence of regulation is a lack of reliable data on the sector, including on possible interconnections with the regulated financial services sector. As discussed below, payments institutions are increasingly providing an on-ramp for crypto-assets, leading to a risk of investors conflating regulated and unregulated services. The Central Bank seeks to mitigate this risk by requiring disclaimers be displayed to consumers when they move between regulated and unregulated product offerings. Similarly, the Central Bank seeks to ensure that funds used for crypto-trading that are moved back to a customer’s e-money wallet are immediately safeguarded.
27. Recommendation 2: The Irish authorities have contributed actively to the MiCA negotiations and advocated for the earliest possible introduction of the new rules. The authorities should continue to do so and prepare to introduce domestic legislation in the event of significant delay or material gaps in the MiCA framework.
28. Recommendation 3: The Central Bank should further intensify its efforts to monitor developments on crypto-assets through systematic data collection (including on consumer trends) within the scope of its powers and, where unacceptable risks remain, issue carefully targeted warnings and investor communications.
B. Payments
29. The payment institution and e-money institution (PIEMI) sector has experienced material growth in recent years. PIEMIs operate on a cross-border basis, servicing customers in Ireland and across the EU. The Central Bank adopts an integrated approach to supervising the PIEMI sector, given its prudential, conduct and AML mandate. The authorization and supervisory approach continues to evolve and be enhanced in recognition of the changing nature, scale and complexity of the PIEMI sector. Between Q4 2019 and Q4 2021, the number of authorized firms increased by 45 percent while the volume and value of transactions increased by 47 percent and 83 percent respectively. The PIEMI sector consists of a growing number of small firms that attract a personal and business customer base. A number of PIEMI firms hold client monies; while these monies are subject to safeguarding requirements, they are not covered by the Irish Deposit Guarantee Scheme (DGS). The Central Bank expects regulated firms to be well-governed, with appropriate cultures, effective risk management and control arrangements in place. The Central Bank has no tolerance for widespread consumer or investor harm. The Central Bank is conscious that the PIEMI sector is not as mature as other sectors and consists of many new entrants both in terms of operating in the financial services sector but also as a regulated entity.
30. PIEMIs are regulated under the Irish legislation implementing the Payment Services Directive 2 (PSD2) and the Electronic Money Directive (EMD). PIs are a category of payment service provider that provides money remittance services and issues payment instruments or acquires payment transactions. Examples of PIs are merchant acquirers, payment account operators, money remitters and credit card issuers. EMIs are entities that have been authorized to issue e- money (a digital alternative to cash). Examples of EMIs are gift card issuers and e-wallet providers. Account Information Service Providers (AISPs) allow consumers to share financial details with third party providers to help manage their accounts in a more informed and efficient manner, while Payment Initiation Service Providers (PISPs) allow payments to be initiated directly from a customer’s bank account instead of using a credit or debit card.
31. PIEMIs represent one of the largest sub-sectors within the broader fintech universe in Ireland and the number of entities is continuing to grow. While EMIs are prohibited from taking deposits,15 a growing number of these firms are offering services that are comparable to elements of banking-type services, through the provision of e-money wallets into which customers are encouraged to lodge monies (as noted above, funds in these wallets are not covered by the Irish DGS). E-money wallets can potentially also be used as an on-ramp to investment in crypto-assets.
Regulation and Supervision
32. A key challenge facing the Central Bank is ensuring the supervisory approach to PIEMIs keeps pace with the evolution of the sector. While there are three supervisory engagement models to deliver the prudential, conduct and AML mandates, the Central Bank ensures that there is a joined-up approach via its planning, supervisory and authorization strategy processes, as well as regular collaboration between prudential, conduct and AML supervisors. For example, issues identified by AML supervisors can illustrate broader governance concerns with a firm that informs prudential concerns. Similarly, prudential/AML concerns inform conduct assessments. The level of supervisory engagement is largely determined by each firm’s rating under the Central Bank’s PRISM framework.16 The impact model for the PIEMI sector was updated in 2019 and was refined further in 2021 to reflect the changing nature, scale and complexity of the sector. The Central Bank seeks to apply an authorization approach for the PIEMI sector which is risk based, proportionate and is focused on assessing a firm’s ability to continuously comply with regulatory requirements, best practice (as appropriate) and overall meet supervisory expectations post-authorization.
33. Certain aspects of the regulatory and supervisory framework for PIEMIs could usefully be strengthened. Given that safeguarded monies are not covered by the Irish DGS, the safeguarding of client funds is a key risk facing the PIEMI sector. Safeguarding is therefore a key supervisory priority, given the potential for consumer detriment if a firm has not adequately safeguarded customer funds. The Central Bank expects firms to have robust, board-approved, safeguarding risk frameworks in place which ensure that relevant client monies are appropriately protected. An additional challenge arises from the fact that the methodology for calculation of capital requirements is not fully sensitive to the nature, scale and complexity of this sector.
34. Governance, conduct risk and technological developments are areas to which supervision of PIEMIs should have due regard. Many PIEMIs are first and foremost technology firms with an internal culture that may not have fully adapted to the legitimate expectations of a robust financial services regulator. The Central Bank has proactively strengthened the governance expectations for these firms informed by best practice corporate governance requirements, such as the Corporate Governance Requirements for Credit Institutions, as well as from supervisory learnings. However, the Central Bank itself sees room for further progress on governance expectations, as well as various aspects of the safeguarding rules (including suitability of insurance policies, acceptable guarantees, definition of low-risk assets and the process for repayment of funds in case of failure). Similarly, the Central Bank sees merit in the introduction of a bespoke corporate insolvency regime for PIEMIs that takes due account of these entities’ business models. The review of PSD2 that is currently underway as part of the EC’s Retail Payments Strategy17 is an important opportunity to address these shortcomings in the regulatory regime for PIEMIs.
35. Recommendation 4: The Irish authorities should actively contribute to the EC’s review of PSD2 and push for the regime to be strengthened through the introduction of a corporate insolvency regime, clarification of safeguarding rules and stronger obligations on governance and risk management; in the absence of such changes, the authorities should introduce corresponding reforms at national level to the extent compatible with EU legislation. Equivalent changes should also be made to the EMD.
36. Recommendation 5: Subject to sufficient progress being made on PIEMIs’ governance standards, the Central Bank could also consider accelerating the timetable for application of the full Senior Executive Accountability Regime (SEAR)18 to PIEMIs.
C. BigTech
BigTech firms are a significant presence in Ireland and have the potential quickly to scale up their role in the provision of financial services. These firms can utilize their existing user base and big data; advanced analytical technologies, such as artificial intelligence and machine learning; cross-subsidization; and economies of scale to deliver new technologies and innovative products and services.19 The expansion of BigTech into financial services has the potential to bring both benefits and risks.20 For example, where a small number of companies dominate service provision there is the potential for concentration risk. As set out below, this is evident in the increasing use of the cloud in the financial services sector and the small number of CSPs.
37. BigTechs can become active in the provision of financial services either as licensed entities or through partnerships with regulated providers, in the latter case forming Mixed Activity Groups (MAGs) offering both financial and non-financial services. Some of these groups, including BigTechs, already have a presence in the payments sector, which can be traced to the introduction of PSD2, and have the potential to gain market share quickly in other financial services because of their large consumer base. These same groups, whose core competencies lie mainly outside of financial services, may use partnerships to create additional layers on top of existing financial infrastructures, leveraging their network effects and data collection superiority to create ’one-stop-shops’ for retail products and services.
38. Recent advice21 from the ESAs to the EC sets out a range of measures to address risks from BigTechs’ move into financial services. The EC had requested the ESAs’ input on the following issues related to digital finance: (i) more fragmented or non-integrated value chains; (ii) platforms and bundling of various financial services; and (iii) MAGs. The report to the EC documents risks and opportunities for the three areas and proposes recommendations across themes such as operational resilience, consumer protection, AML/CFT and financial stability risks. The Central Bank contributed to the development of the recommendations through its membership of relevant ESA working groups.
39. The Central Bank is of the view that the EU financial services regulatory framework should remain technology neutral. In this context, an important challenge for legislators and regulators is to monitor and maintain the regulatory perimeter so that, regardless of the changing landscape, the protections of financial regulation remain firm. Similarly, in the case of BigTechs moving towards financial services provision, the Central Bank supports an activities-based approach whereby entities carrying on the same business and that create the same risks should be subject to the same rules. It will be important for the EU financial services regulatory framework, as applied in Ireland, to be sufficiently flexible to incorporate the regulation of BigTechs when they provide services that are, in effect, financial services. Similarly, there will have to be particular focus on the additional and heightened risks that arise from the indirect participation of BigTechs in the financial services system.
D. Outsourcing and Third-Party Relationships
40. Regulated financial services providers in Ireland are increasingly reliant on outsourced services providers (OSPs). This includes the use of both intragroup entities and third party OSPs, for the provision of activities and services (both regulated and unregulated) considered central to the successful delivery of regulated firms’ strategic objectives. Research conducted by the Central Bank in 2018 to understand the scale and scope of outsourcing activity in Ireland found that all regulated firms surveyed were using OSPs, and that 40 percent of firms were planning further outsourcing activity in the following 12 to 18 months. In 2022, the Central Bank will operationalize an online portal for regulated firms to register their OSPs. This will provide a more up-to-date picture of outsourcing in Ireland and highlight any significant concentration risks.
41. Cross-industry guidance on outsourcing issued by the Central Bank identifies key risks arising from this practice and puts in place measures to address them. The 2021 guidance22 highlights risks such as sub-outsourcing (i.e., where an entity to which services have been outsourced further outsources them to a third entity) risk, which can complicate effective management of outsourcing risk; sensitive data risk; data security; offshoring risk; and concentration risk, where a regulated firm develops a dependency on a single or small number of OSPs for the provision of critical or important activities or functions.
42. The use of cloud computing has become increasingly widespread in recent years across the financial services sector. CSPs23 eliminate the need for traditional in-house IT data storage infrastructure, generating significant cost savings for firms. However, the increasing use of the cloud in the financial services sector, combined with reliance on a relatively small number of large CSPs, could evolve to be a single point of failure. This is of particular relevance in the area of fintech given the importance of technological resilience to the provision of fintech activities and services. Efforts have been made to address this vulnerability through the introduction of wide-ranging obligations on outsourcing both at the domestic and EU level. Taken together, the EBA/ESMA/EIOPA and Central Bank guidelines provide a strong framework for indirect supervision of CSPs. However, the CSPs themselves – some of which may be systemically important to the resilience of the financial sector – remain outside the regulatory perimeter in Ireland. The EU’s upcoming Digital Operational Resilience Act (DORA) provides an opportunity to bring CSPs under direct supervisory oversight (Box 2).
Digital Operational Resilience Act
On September 24, 2020, the EC issued, as part of a Digital Finance Package, a new regulatory proposal on Digital Operational Resilience for the financial sector (DORA). DORA will affect all financial services currently regulated by the Central Bank and have a potentially profound impact on certain aspects of existing regulations.
DORA aims to introduce a harmonized and comprehensive framework on digital operational resilience for European financial institutions. When formally adopted, DORA will also bring critical third-party service providers – such as cloud computing services - within direct oversight of the ESAs.
As currently structured, DORA is divided into two parts. The first part of DORA applies to a very wide spectrum of EU “financial entities", including banks, insurers, payment service providers, crypto-asset issuers and service providers, and crowdfunding service providers. The obligations which DORA would impose on these entities include ICT risk management, incident reporting and information sharing, while ICT third-party risk with financial entities identified as “significant and cyber-mature” is subject to the most onerous obligations.
The second part of DORA would affect businesses providing ICT services to financial entities. This is in part to respond to fears of concentration risk. As drafted, DORA would allow the ESAs to designate certain service providers – including providers of cloud computing services, software, and data analytics – as being “critical” to the functioning of the financial sector. DORA proposes a new Union Oversight Framework whereby one of the ESAs will be appointed as lead overseer for each critical third-party ICT service provider. The lead overseer will monitor whether the ICT service provider has in place comprehensive, sound and effective rules, procedures and mechanisms to manage the ICT risks that it may pose to financial entities.
DORA is currently under discussion in the “trilogues” involving the EC, the European Council and the European Parliament. The current expectation is that agreement on the text will be reached under the French Presidency, with the rules starting to apply towards the end of 2024.
43. Recommendation 6: The Irish authorities should continue to advocate that CSPs of systemic importance to the Irish financial services sector (the identification of which will be facilitated by the Central Bank’s upcoming outsourcing register) be included in the Union Oversight Framework under DORA; failing which, the authorities should seek additional statutory powers to review and examine the resilience of these entities.
E. RegTech
44. RegTech has the potential to facilitate the digitalization of financial institutions and make them more effective in managing risks. A significant proportion of the Innovation Hub’s engagements since its establishment have related to RegTech. Regtech solutions are currently most evident in:
AML/CFT – providing solutions for sanction screening or remote onboarding of customers;
Fraud prevention – automated behavior and transaction monitoring;
Prudential reporting – supporting institutions in their regulatory submissions;
ICT security – providing detection mechanisms for the security of an institution’s operations; and
Creditworthiness assessments – providing new capabilities for assessing the creditworthiness of clients.
The Central Bank emphasizes in its interaction with regulated entities that the added value of any RegTech solutions needs to be clear (i.e., the use of innovative technology is not justification in itself). There is also a growing trend of partnerships between regulated entities and RegTech providers, some of which have been categorized as OSPs taking into account the specific activity provided.
F. Buy Now Pay Later
45. The most significant fintech development in the non-bank lending sector in Ireland is the emergence of new business models for Buy Now Pay Later (BNPL) products. BNPL products are currently unregulated but will be brought into the regulatory perimeter by an upcoming legislative change,24 following which the activity of BNPL will need to be provided by a regulated entity such as a bank or retail credit firm (RCF).25 The provision of BNPL services is in the early stages with a relatively low market size of approximately USD 267 million, but with the potential for significant growth over the medium term. BNPL offers retailers the ability to integrate different payment solutions into their product offerings, particularly online. Such offerings are likely to increase consumers’ access to credit for purchases (generally of a lower value nature) for which they may not have previously considered obtaining credit. In addition, it is likely that BNPL providers may use algorithms and statistical models to assess creditworthiness. The ease of access to credit and differing methods of assessing creditworthiness may present regulatory challenges. In particular, it will be important that the credit agreement element of the transaction is sufficiently transparent to consumers in their dealings with BNPL providers.
G. Supervisory Cooperation
46. The Central Bank has extensive arrangements in place both to coordinate its work on fintech internally and to ensure appropriate cooperation with other agencies. A range of internal committees and working groups have been set up to share information and ensure a consistent approach is taken to fintech across supervision and regulation. The Central Bank also engages with counterpart regulators at international level on development of fintech policy, notably through IOSCO, and has bilateral arrangements in place with peer agencies to facilitate cooperation and information-sharing.
47. The EU’s passporting framework allows firms to conduct services across MS on the basis of a single authorization. Passporting can take place in the form of the freedom of services (FOS), whereby the entity has no physical presence in the host MS, or the freedom of establishment (FOE), whereby the entity establishes a branch or engages agents in the host MS. Depending on the relevant sectoral legislation, responsibility for conduct supervision varies between home and host competent authorities. For PIEMIs, operating on a FOE basis, the regulator in the jurisdiction in which the entity has its head office (the home MS) is responsible for prudential supervision, while the regulator in the jurisdiction where the firm has an established presence (the host MS) is responsible for conduct supervision. In contrast to its status as a hub for investment funds that passport their activities out of Ireland, in sectors such as payments the majority of passporting takes place into Ireland. In 2021, the Central Bank received four notifications from firms seeking to passport outwards on a freedom of services basis, while a further 56 notifications were received relating to the appointment of agents (four) and distributors (52). In the same year, the Central Bank received 102 notifications from EU-based firms passporting into Ireland on a freedom of services basis and 120 notifications relating to the appointment of agents (95) and distributors (25).
48. Host regulators currently receive limited information on the activities that passporting entities are carrying out in their jurisdiction once the initial notification has taken place. To obtain more information on the activities on any of the roughly 3,500 firms actively passporting into Ireland, the Central Bank would currently have to liaise with the home regulator bilaterally (and there are numerous examples of such cooperation). Although it is not possible for the Central Bank to quantify how many of the total number of passporting firms are fintechs, cross-border activity is typical of many fintechs’ business models.
49. Recommendation 7: The Central Bank should engage with the ESAs on how to expand the set of information that host regulators receive systematically from home regulators.
H. Open Banking and Retail Bank Business Models
50. One of the principal aims of the PSD2 was to encourage the development of “open banking". Open banking is the process of enabling third-party payment service and financial service providers to access consumer banking information such as transactions and payment history, which is made possible through the use of application programming interfaces (APIs). This is designed to allow for new types of business model where firms utilizing new payment services provided for through PSD2 leverage traditional providers to initiate payments or view account information. Ultimately this initiative should promote competition by giving consumers greater choice and facilitating the entry of new players in the market.
51. With one notable exception, take-up of the opportunities afforded by open banking has been slow in Ireland. A number of factors have been mentioned as possible explanations: issues faced by incumbent retail banks in upgrading legacy systems; a relative absence of third-party providers (the entities that may directly access payment service users’ online payment accounts with their explicit consent) operating in Ireland compared to elsewhere in Europe; general lack of interest among Irish consumers; and remaining challenges around harmonization of APIs. The EBA has been active in seeking to address the latter issue: from January 2019 to December 2021, the EBA established an industry working group on APIs under PSD2 to identify issues that emerged as the industry was preparing for the application of the framework. Seven sets of clarifications resulted from the EBA’s work.26
52. Incumbent retail banks in Ireland are dedicating significant resources to digital transformation.27 The entrance of new players has increased competitive pressures on the banks that have suffered from delayed investment in IT in the post-GFC years. Banks’ ability to meet customers’ demand for modern technological solutions will be key to keeping the customer base. One element that is still missing from the retail banking landscape in Ireland are instant payments (Box 3).
53. Efforts to end IBAN discrimination28 remain a work in progress. While the SEPA Regulation that went into effect in 2014 mandates the acceptance of all European international bank account numbers (IBANs) for the purposes of sending or receiving credit transfers and direct debits, technical limitations in legacy core banking systems and a lack of awareness amongst some payers have delayed the full implementation of this regulatory obligation in Ireland. In this context, the CCPC is responsible for receiving complaints related to cases where the payee is a consumer and the payer is a trader, or where the payer is a consumer and the payee is a trader. For all other cases of IBAN discrimination, the Central Bank is the competent authority in Ireland for the SEPA Regulation.
In its capacity as competent authority, the Central Bank has actively engaged with non-compliant institutions to ensure that the requisite changes are made to systems and practices to enable full IBAN connectivity. This is a critical enabler for many fintechs in the payments space as IBAN discrimination limits their capacity to provide pan-European services on a cross-border basis, which is central to their ability to achieve scale and profitability. However, the Central Bank has had to rely on moral suasion to resolve some cases, and has begun discussions with DoF on whether additional legislative powers are needed.
Instant Payments
One of the goals of the Eurosystem’s retail payments strategy is the full deployment of instant payments (electronic retail payments that are processed in real time) through the launch of the European Payments Council’s (EPC) Single European Payments Area (SEPA) instant credit transfer (SCT Inst) scheme, the provision of instant payment clearing services by a number of European automated clearing houses, and the introduction of the TARGET Instant Payment Settlement (TIPS) service. The ECB took steps to ensure that instant payments have a pan-European reach via TIPS at the end of 2021. However, adoption of instant payments has been slow and unevenly spread across the EU,1 warranting the need to re-examine obstacles to adoption.
A possible revision of the SEPA Regulation to mandate adoption of instant payments is currently under consideration by the EC and may have a significant impact on the payments landscape for incumbent players in Ireland as well as for new market entrants. Fintech has the potential to play a significant role in facilitating an effective transition to instant payments through API connectivity, anti-fraud and sanctions screening software, and sophisticated IT systems. Other relevant initiatives include the reviews of PSD2 and the Settlement Finality Directive (the latter will address the issue of direct access to payment systems by non-bank payment service providers).
Pending a possible legislative change that would mandate instant payments, the main Irish banks are in the early stage of setting up a mobile money-transfer system, called Synch Payments. Synch Payments DAC, a joint venture company, plans to create a new industry-wide open payment service in Ireland that can be used, subject to the joint venture licensing terms, by all financial institutions (including consortia of smaller financial institutions) that issue Euro-denominated IBANs to Irish customers. The founding shareholders of Synch Payments DAC are Allied Irish Banks P.L.C, Bank of Ireland, Permanent TSB P.L.C and KBC Bank Ireland P.L.C. One aim of this innovation is to allow the incumbent banks to compete with fintechs. The proposal is currently being assessed by the CCPC.2
1 In Q1 2021, SCT Inst was used for just 8.57 percent of all SEPA credit transfer transactions.
2 https://www.ccpc.ie/business/mergers-acquisitions/merger-notifications/m-21-004-aib-boi-ptsb-synch-payments-jv/
54. Recommendation 8: The Central Bank, working with the CCPC, should continue its efforts to address IBAN discrimination and, where it considers an expansion of its powers to impose remedial action necessary, actively seek legislative change. The Central Bank should also continue to encourage the adoption of instant payments and identify obstacles to the take-up of open banking.
I. Approach to Cyber Risk
55. The Central Bank’s approach to cyber risk does not differentiate between fintech and more established financial services activities. However, there is a recognition that the changing landscape, with increased use of CSPs, new and evolving business models that leverage fintech, and the increasingly digital world, has had a significant impact on the cyber risk profile of the financial sector. IT security and cyber risk has been a focus of the Central Bank’s work across all sectors since 2015.
56. An IT Risk Questionnaire (ITRQ) forms the basis for all of the Central Bank’s assessments of IT risk, including cyber risk, and is used for both authorization and supervisory assessments. The tool evolved from an early questionnaire issued to banks in 2015, to become part of the SSM’s ITRQ that was developed in 2016/17. The Central Bank now uses the SSM’s ITRQ but enhances it with 17 additional cyber-related questions for the firms it supervises. Both institutions’ ITRQs are updated annually to incorporate any new developments or issues that are identified as part of the SSM’s horizontal assessment, and the Central Bank is actively involved in contributing to this review and update. The resulting Annual Report is published on the ECB website.29
57. In 2019, the Central Bank established Operational and Cyber Resilience Teams within the Governance and Operational Resilience Division (GOR) to focus supervisory attention on these issues. The Technology Risk Team continues to support supervisors on the supervisory and authorization aspects of IT security and cyber risk, while the Cyber Resilience Team is focused on sector engagement to enhance the cyber resilience of the financial system and manages two of the Central Bank’s key cyber resilience initiatives, the Threat Intelligence Based Ethical Red-teaming (TIBER-IE) and Cyber Information and Intelligence Sharing Initiatives (CIISI-IE), in a catalyst rather than supervisory capacity.
58. TIBER-IE was launched in Ireland in 2019 and is based on the TIBER-EU framework30 that has now been implemented in many other EU Member States. TIBER tests, which aim to enhance the cyber resilience of individual entities and of the financial sector more generally, have been designed for use at entities which are part of the core financial infrastructure, but could be used for any type or size of entity across the financial and other sectors. These tests are controlled, bespoke, intelligence-led red team tests (ethical hacking) of financial infrastructures and institutions’ critical live production systems. These tests mimic the tactics, techniques and procedures of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat. The outcome of a TIBER test is not a pass or fail; instead, the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.
59. The Central Bank’s Cyber Resilience Team manages any TIBER tests on Irish entities and coordinates with other TIBER jurisdictions on cross-jurisdictional tests to ensure mutual recognition of the test across all EU jurisdictions in which an entity operates. The Cyber Resilience Team is also part of the EU’s TIBER Knowledge Centre, which works as a trusted community to share information and further enhance the TIBER program across Europe.31 The Central Bank launched CIISI-IE in 2021, modelled on CIISI-EU, which had been launched in 2020 for the critical pan-European financial infrastructures. CIISI-IE facilitates a peer-to-peer, trusted sharing community for the financial institutions that have been recognized as delivering critical services to the Irish economy (e.g., payments, stock exchange etc.) and includes the National Cyber Security Centre.
This technical note (TN) was prepared by Richard Stobo.
The Financial Stability Board defines fintech as “technologically enabled innovation in financial services that could result in new business models, applications, processes or products.”
The role of this Group is to consult and co-ordinate on fintech across the DoF and develop a shared understanding of the various policy and market developments, as well as to capitalize on the opportunities presented by the EC’s Digital Finance Package and develop Ireland’s policy positions in light of the legislative elements of the package.
The Irish Government organization responsible for the development and growth of Irish enterprises in world markets.
The European Securities and Markets Authority (ESMA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Banking Authority (EBA).
For a full list of topics discussed by the FSG recently, see The FSG Annual Review 2021: https://assets.gov.ie/217731/2f4787df-5f4c-40b8-95d0-e04d57f8d7a0.pdf
Crypto-Assets Activity around the World – Evolution and Macro-Financial Drivers
ESMA’s Advice on Initial Coin Offerings and Crypto-Assets, January 9, 2019.
For the purposes of this TN, the terms “virtual asset” and “crypto-asset” are interchangeable.
There are currently no VASPs registered in Ireland but the Central Bank is processing a number of applications.
Undertakings for Collective Investment in Transferable Securities
Alternative Investment Funds
To date, the Central Bank has not seen information which would satisfy it that exposure to crypto-assets is capable of being appropriately risk managed by a UCITS/AIF or that crypto-assets meet the eligible asset criteria for UCITS.
Regulation 28 of the EMR states that, “an electronic money institution shall not engage in the business of taking deposits or other repayable funds”.
For more background on the PRISM framework, please see technical notes on Banking Supervision, Insurance Regulation and Supervision, and Oversight of Market-Based Finance.
For more background on SEAR, please see technical notes on Banking Supervision, Insurance Regulation and Supervision, and Oversight of Market-Based Finance.
BigTech in Financial Services: Regulatory Approaches and Architecture, IMF 2022
Adrian, Tobias. 2021. “BigTech in Financial Services.” Speech to the European Parliament FinTech Working Group, International Monetary Fund, Washington, DC, June 16, 2021. https://www.imf.org/en/News/Articles/2021/06/16/sp061721-bigtech-in-financial-services.
Key players in this sector include Amazon Web Services, Google, and Microsoft.
Via an amendment to the Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022.
RCFs are firms authorized to provide credit to natural persons.
Figures from the Banking & Payments Federation Ireland indicate that Irish retail banks have spent more than EUR 3bn on digital innovation over the last five years.
IBAN discrimination is where an employer or company, such as a utility company, refuses to accept a SEPA IBAN for euro payments or direct debits.
More detail, including the TIBER-IE National Guide, can be found on the Central Bank’s website: https://www.centralbank.ie/financial-system/operational-resilience-and-cyber/cyber-resilience/tiber-ie
