On 20 January 2023, the Central Bank of Ireland (“the Central Bank”) issued a ‘Dear CEO’ Letter addressed to all licensed Payment and Electronic Money (E-Money) Firms. The letter is the direct result of accelerated and heightened supervision of the sector over the previous 12 months. Our Risk team explain the implications below.

Through these heightened supervisory measures, which the Central Bank has noted go beyond what it would normally expect for the sector, significant deficiencies have been identified since the issuance of the previous letter in December 2021. These include recurring deficiencies in the governance, risk management and control frameworks of some Payment and E-Money Firms.

The Dear CEO Letter identified the following five key focus areas from the Central Bank's supervisory engagement over 2022:

In 2021, the Central Bank requested that all regulated firms complete a comprehensive assessment of their compliance with their safeguarding obligations. Following the completion of these self-assessments, the Central Bank noted that one in every four Payment and E-Money firms had self-identified deficiencies in their safeguarding risk management frameworks.

As a result, all Payment and E-Money firms that are required to safeguard users’ funds must obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR. The audit opinion and a Board response to the audit opinion are required to be submitted to the Central Bank by 31 July 2023.

Firms are expected to consider their governance, risk management and internal control frameworks and how they align to their overall business strategies, in addition to the composition of their Board and management teams, to ensure they are sufficient to run their business in Ireland.

It was noted that some firms do not have defined or embedded Board-approved business strategies in place. While the Central Bank has recognised that some firms may operate as part of a larger group and rely on group strategic decisions, it is of critical importance that there is sufficient financial and operational capacity and capability within the firm to execute that strategy. Firms must also have a meaningful exit/wind-up strategy, linked to their business model, which considers the timely return of users’ funds.

In addition, irregularities and failures have been noted due to the submission of inaccurate regulatory returns, which raises concerns around the accuracy and integrity of the data being used by firms.

An increasing number of major incidents/outages are being reported by firms as a result of issues emerging with group / third parties who are critical to supporting the IT infrastructure of firms. The Central Bank expects the Board and senior management of regulated firms to adopt appropriate measures to strengthen their operational resilience frameworks.

Firms are expected to be cognisant of the risk factors which can lead to or increase ML/TF risk. A number of observations were noted by the Central Bank, including a lack of maturity in the risk-based approach applied by some firms, weaknesses in oversight measures and controls over distributor and agent relationships, and incorrect levels of CDD applied to customers due to a misinterpretation of relevant sections of CJA 2010.

How can KPMG help?

Our Risk and Regulatory team is a multi-disciplinary team of regulatory and risk experts who have worked in the regulatory policy, supervision and enforcement divisions of the Central Bank, together with industry professionals with extensive experience in delivering risk-focused outcomes that meet regulatory expectations.

Our team have tried and tested methodologies that can accelerate compliance with the Dear CEO letter. We can also provide global and peer insights to ensure the outcome is tailored to the nature, scale and complexity of your business model. This ensures the right level of regulatory and risk experience, which is key to enhancing your risk and regulatory frameworks and maintaining on-going compliance with the Central Bank's requirements.

Our services

Safeguarding

  • Perform an independent audit of controls and issuance of an opinion on the firm’s compliance with the safeguarding requirements under the PSR/EMR.

Governance, Risk Management, Culture and Conduct

  • Assess your overarching Governance and Risk Management frameworks to ensure they are in line with regulatory expectations.
  • Support you in the design of your Three Lines of Defence Target Operating model to ensure you have the right capacity and capability within your firm. 
  • Drive embedding of a robust risk culture by replicating the success of our other clients. 

Business Model, Strategy and Financial Resilience

  • Support you in the alignment of your Business Strategy, capital frameworks and risk management frameworks that underpin the delivery of your business objectives. 
  • Help you design / enhance exit and wind-up strategies, policies and procedures that are tailored to the nature, scale and complexity of your firm.
  • Complete an assessment of your internal reporting process and recommend enhancements to ensure accuracy / integrity of regulatory reporting. 

Operational Resilience & Outsourcing

  • Design an Operational Resilience model fit for your Business and wider organisation. 
  • Identify, define and map your firm’s important business services and the operational assets that underpin the delivery of these services. 
  • Assist in the development of your firm’s Business Continuity Plan with scenario testing and impact tolerances. 
  • Assist with the development and enhancement of the firm’s Outsourcing Framework including risk registers. 

Anti-Money Laundering and Countering the Financing of Terrorism

  • Complete a maturity assessment of your AML Frameworks against peer firms of a similar size and complexity and / or assess CJA 2010 compliance to highlight any gaps / weaknesses.

Get in touch

If you have any queries on the "Dear CEO" letter or related issues, please contact our Risk team below. We'd be delighted to hear from you.