On 29 February 2024, the Central Bank of Ireland (Central Bank) hosted a Payment Institution and Electronic Money Institution event (event) and separately published its 2024 Regulatory and Supervisory Outlook (RSO), which contained a sector-specific update on these firms.

At the event, Mary-Elizabeth McMunn, Director of Banking, Payments and Credit Union Supervision (Director) highlighted key supervisory priorities for the payments and e-money sector for 2024. We look at key takeaways for the sector based on the event and the RSO.

Growing payment and electronic money sector

The Central Bank notes that the payments and electronic money sector is in a growth phase in Ireland and Europe with a significant increase in the numbers of firms operating in the sector and their activity levels. For instance, the number of payment institutions and electronic money institutions regulated by the Central Bank has tripled in the past six years (to 51 authorised firms at the end of 2023). There has been a significant increase in safeguarded funds (to approximately €8bn), and there is a strong pipeline of firms seeking authorisation.

Ireland serves as a base for many regulated Fintech firms to provide services, via passporting, throughout the European Economic Area (EEA). The Central Bank recognises that large firms with broad geographical reach play an increasingly pivotal role in the European payments systems architecture and consequently the functioning of the financial system across the EEA.

In a recent letter to the Minister for Finance, the Central Bank Governor reaffirmed the Central Bank's commitment to continuously improving its authorisation processes, ensuring there is clarity, predictability and transparency for firms seeking authorisation while maintaining the high standards the public expects for regulated financial service providers.

At the event, the Director remarked that the Central Bank has seen firms in the sector that "are well-run, whose regulatory maturity and risk management capabilities have grown in line with their balance sheets and whose board and executive are well-versed in the local regulatory environment". However, issues have in the past been identified, for example, in cases where a firm's growth rate has outpaced the firm's operational, governance, compliance and risk management capabilities. For further information please see our related update on the January 2023 Dear CEO letter from the Central Bank to the sector here.

RSO

The RSO sets out key trends and risks that are shaping the financial services sector operational landscape and the Central Bank's consequent regulatory and supervisory priorities for the next two years. The RSO is intended to complement the detailed feedback given by the Central Bank to firms through its sector-specific supervisory engagement, the variety of publications issued, and the various consultative forums and conferences held throughout the year. Please see our article here for further information on the RSO.

Central Bank's approach to regulation and supervision of this sector

The Central Bank's supervisory approach to the payments and e-money sector is risk-based, led by judgement and focussed on outcomes. The Director highlighted at the event that unacceptable or unmanaged risks will bring an increase in the intensity of supervisory engagement by the Central Bank. In line with its risk-based approach, the Central Bank does not operate a no-failures regime and works to ensure that any firms that fail do so in an orderly way. For this sector, at the front of the Central Bank's mind for the year ahead is safeguarding and resolution planning.

Supervisory priorities

In the RSO, the supervisory priorities outlined for this sector include addressing deficiencies in safeguarding, governance, risk management and control frameworks, conduct and culture, business models, operational resilience and outsourcing.

At the event, the Director stated that for the year ahead priorities for the sector are:

  1. Safeguarding;
  2. Operational Resilience and Outsourcing;
  3. Governance, Risk Management, and Anti-Money Laundering and Countering the Financing of Terrorism;
  4. Business Model and Financial Resilience.

Sectoral risks and Central Bank expectations

Safeguarding

Under the Payment Services Regulations (PSR) and the E-Money Regulations (EMR), customer funds are required to be safeguarded, for example, by keeping users' funds separate from the firm's funds.

The Central Bank is clear that effective safeguarding by firms facilitates trust and confidence in the sector, protects the interests of customers and supports sustainable business models.

Weaknesses have been observed by the Central Bank in safeguarding arrangements across the sector, which heightens the risk that users' funds are not appropriately identified, managed and protected on a day-to-day basis.

In its January 2023 Dear CEO letter, the Central Bank requested that all firms obtain an audit of their compliance with safeguarding requirements, submitted with a Board response, by the end of October 2023. The audit findings signal to the Central Bank that the sector needs to take further significant action to enhance safeguarding practices.

The Central Bank expects firms to have good governance structures and controls in place and appropriate levels of board oversight of user funds safeguarding. It reiterates that it has no tolerance for weaknesses in safeguarding arrangements and expects firms to have credible wind-up plans to fully return users' funds in an efficient and timely manner in the context of an exit and wind-up scenario.

Culture, governance and risk management effectiveness

According to the Central Bank, a functioning payments sector is "one in which governance, risk and control frameworks are well-designed, embedded and overseen by suitably experienced and accountable personnel".

A well-embedded consumer-focused culture in firms is important and the risk of consumer detriment resulting from poor business practices and weak business processes is a focus for the Central Bank.

In the RSO, the Central Bank reports that some firms have engaged in practices that lack transparency, accuracy and fairness, in particular relating to customer disclosure and complaints handling.

Also, where payments institutions and/or electronic money institutions offer regulated and unregulated services there may be a higher risk that consumers conflate regulated and unregulated services and are not aware of the consumer risks associated with unregulated services (e.g. risks associated with crypto).

Further significant growth in the sector may mean that the operational, governance, compliance and risk management capabilities of firms become outpaced.

Many firms in Ireland are part of larger international groups. The Central Bank recognises that this brings benefits of having access to global networks and intelligence, resourcing, IT infrastructure, data and funding. However, the reliance on the group mustn't be to such an extent that it compromises a firm's substance as an Irish-regulated entity. In this regard, the Central Bank typically expects that a firm's Board and executive team can evidence that it:

  • makes strategic decisions and maintains responsibility for core activities;
  • has oversight and ownership of its material risks and manages these risks; and
  • has the financial and operational resources to deliver its strategy in a sustainable and customer-centric way.

Financial risks and resilience

Fast growth in this sector and a focus on building customer base and revenue in early years can mean high rates of cash burn.

The Central Bank has identified that the uncertain macroeconomic environment caused by fears of a global recession, high inflation and interest rate rises, may have an impact on the viability and sustainability of some firms. For example, in a tighter external funding market, firms or their parent group may find it challenging to secure the funding necessary to support continuing business operations. Revenue generation may also be affected by macroeconomic conditions.

The Central Bank has underscored that the uncertain macroeconomic environment reinforces the need for firms to have appropriate exit and wind-up strategies to deal with circumstances where funding availability is constrained.

Money Laundering (ML) and Terrorist Financing (TF)

The Central Bank will continue to focus on effective risk-based Anti-Money Laundering (AML) / Countering the Financing of Terrorism (CFT) frameworks. Both Irish and EU regulators have identified shortcomings in the understanding of ML/TF risk amongst some firms, with controls not as robust as they should be and not commensurate with the level of risk exposure. Specific AML/CFT weaknesses and controls include ineffective customer onboarding and monitoring systems and weak processes to identify high-risk ML and TF factors associated with customers and transaction activity.

Operational risks and resilience

The Central Bank views that firms in this sector "are still at a relatively early stage in their journey towards being operationally resilient".

Operational continuity and resilience are key for the Fintech sector given the technology-based 24/7 service offering of firms and the sector's reliance on technology to deliver services. Firms should expect that operational disruptions will occur and when they do a firm's ability to identify and prepare for, respond and adapt to and recover and learn from operational disruptions is fundamental. Firms should build the capability to do this and view their business operations through the business services lens.

An increasing number of major incidents and outages are being reported to the Central Bank by the sector, many because of the failure of outsourced service providers.

There is a significant reliance on parent groups for the oversight and management of outsourcing arrangements with a lack of rigorous contingency planning and exit planning.

Growth outpacing operational infrastructure and controls and any over-reliance on group/third-party providers with weak controls and oversight arrangements will be a focus of the Central Bank.

In the RSO, the Central Bank reminds firms that they must fully comply with the requirements under the EBA Guidelines on Outsourcing and the Central Bank's Cross Industry Guidance on Outsourcing, in particular the requirements relating to outsourcing registers and ongoing monitoring and due diligence. For further information please see our briefing here.

Key supervisory activities for the payments and electronic money sector in 2024/25

  • Assessment of remediation actions being taken by firms to address deficiencies identified in safeguarding audits conducted in 2023.
  • Assessment of firms' risk and control frameworks to ensure they are operating effectively and are prepared for unforeseen operational disruptions.
  • Enhanced engagement with firms who are in breach of regulatory requirements, where deficiencies are identified in their governance, risk management and control frameworks, or other key risk areas.
  • Ongoing enhancements to regulatory returns to ensure the Central Bank's supervisory approach remains risk-based and data-driven.
  • Incorporating and supporting the development of incoming regulations and initiatives, related to the payments and electronic money sector. These include the Digital Operational Resilience Act (DORA) and the third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). For further information please see our related updates here and here.
  • Ongoing risk-based supervision and engagement to include the assessment of remediation actions to ensure firms holistically address the root cause of issues, being clear about the ownership of activity required to address underlying risk-management deficiencies proactively.

Markets in Crypto Assets Regulation (MiCA)

The RSO states that certain large global crypto firms have entities authorised by the Central Bank, mainly as electronic money institutions, to provide customer access to exchanges, where customers can exchange fiat currencies for crypto currencies. The Central Bank remarks that the introduction of MiCA will drive more opportunities for evolving business models through Asset Referenced Token, E-Money Token and Crypto Asset Service Provision licensing. For further information please see our most recent MiCA article here.

Contributed by Jane Balfe

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.