Ireland as a Location for Electronic Money Institutions 2024

Substance

The CBI places considerable emphasis on ensuring that the applicant’s “heart and mind” will be located in Ireland. This essentially means that the CBI will need to be satisfied that the applicant will be properly run in Ireland and that the CBI will be able to supervise it effectively. Among other things, the CBI will expect to see present in Ireland:

• a senior management team with strength and depth overseen and directed by a strong board; and
• an organisation structure and reporting lines which ensure there is appropriate separation and oversight of all activities.

In terms of residency, the persons who are to fulfil the applicant’s core functions should operate in Ireland and the expectation is that virtually all of the senior personnel will be permanently based in Ireland. An Irish authorised e-money institution can outsource/delegate activities to entities in other jurisdictions. However, overall responsibility for ensuring compliance with legislative requirements must stay in Ireland. In addition, an e-money institution must notify the CBI when it intends to outsource critical or important functions (or when it intends to materially alter its existing outsourcing arrangements for such functions). The E-Money Regulations set out a number of requirements with which an e-money institution must comply when outsourcing “important” operational functions, such as IT systems. The CBI expects an e-money institution to comply with the European Banking Authority’s (“EBA”) Guidelines on Outsourcing (available here) as well as the CBI’s Cross-Industry Guidance on Outsourcing (available here), including compliance with specific obligations in relation to the outsourcing of “critical and important” functions.

Capital Requirements

An e-money institution must hold initial capital of at least €350,000. The actual amount of initial capital required for each individual firm will be notified to the firm as part of the authorisation process, and can vary depending on the nature, scale and complexity of the applicant’s business. In most cases, the initial capital that will be required will be higher than the minimum figure set out above.

Arrangements

An applicant will need to provide detailed information to the CBI regarding how it intends to function as a regulated e-money institution, including details of its: programme of operations; business plan; structural organisation; governance arrangements, internal control mechanisms, business continuity arrangements and procedures for dealing with security incidents.

Governance and Risk Management

An applicant is required to maintain governance arrangements, control mechanisms and procedures that are proportionate and appropriate to its business. This includes having sufficient resources, staff, a risk management framework, IT policies, and data protection policies. Applicants must use the EBA’s tool for calculating the professional indemnity insurance where applicable to them (available here). In addition, an applicant must consider the composition (both number and skills) of its board and management team, to ensure they are sufficient to conduct the applicant’s business from Ireland. An applicant’s board has responsibility for setting and overseeing the strategy of the firm, and ensuring that adequate and effective governance, risk management and internal control frameworks are in place. The board should have an appropriate balance of executive, non-executive and independent non-executive directors (“INEDs”). The INEDs must understand the business to a sufficient degree to be able to effectively contribute and provide an independent challenge to the executive directors of the board and be skilled in relevant areas to the applicant’s business such as accounting or risk.

Conduct and Culture

An applicant is expected to have a consumer-focused culture with robust internal systems and controls, including well developed risk management frameworks. The applicant’s approach to engagement with the CBI, such as how long the applicant takes to reply to queries raised by the CBI, will be considered when assessing the firm’s corporate culture. In addition, the applicant will be expected to show that it has considered diversity and inclusion, particularly in forming its board and how the business will assist with the fight against climate change.

In relation to conduct, the applicant must comply with the Central Bank (Individual Accountability Framework) Act 2023 once authorised as an e-money institution, which includes compliance by senior role holders with the Common Conduct Standards and the Additional Conduct Standards. The CBI’s expectations on the Individual Accountability Framework are set out in its Guidance on the Individual Accountability Framework (available here). For further information on the Individual Accountability Framework, please see our dedicated information page on our website (available here).

Safeguarding

An applicant must have a safeguarding risk framework in place, approved by its board, which ensures that relevant client funds are appropriately identified, managed and protected on a day-to-day basis. Transaction approval authority regarding safeguarding accounts must reside within the Irish applicant entity and not with other group entities or third parties. There must be oversight of this framework by an applicant’s second line of defence (risk and compliance functions) and third line of defence (internal audit). In 2023, an external audit of safeguarding requirements was required for e-money firms who safeguard users’ funds. While the audit requirement was initially just for 2023, it is possible that similar audits may be required in the future. An applicant should have an independent Internal Audit Charter clearly setting out the roles and responsibilities of the Internal Audit Function which should be directly reported to the board of the applicant. Applicants should also ensure they have appropriate compliance policies in place such as a whistleblowing policy and a conflicts of interest policy.

Business Model, Strategy and Financial Resilience

An applicant is expected to have a capital accretive business model that is viable and sustainable with due regard given to potential firm specific and wider market stress scenarios. The CBI expects plausible projections covering a three-year period and the CBI has a standardised business model template for this which is provided to firms upon application.

While an applicant may operate as part of a larger group and be reliant on group strategic decisions to inform local strategy, there must be sufficient financial (capital and liquidity) and operational (resources, IT systems etc.) capacity and capability within the firm to execute that strategy.

An applicant is expected to have robust strategic and capital planning frameworks which demonstrate that it has a good understanding of risks it faces and potential financial impacts, such that the applicant can proactively manage its capital to ensure that it is in a position to meet own funds (capital) requirements on a stand-alone basis at all times, i.e. sufficient regulatory capital is available to absorb losses, including during stress conditions.

An applicant is expected to have board-approved business strategies in place supported by robust financial projections and must understand and meet its capital requirements at all times. Strong internal controls must be in place, that are subject to regular testing, to ensure the accuracy and integrity of data used by the firm for regulatory reporting purposes, and for strategic and financial planning.

Operational Resilience

The CBI expects an applicant to be able to respond to, recover and learn from operational disruptions. If an applicant is part of a wider group, the CBI will expect the applicant to operate sufficiently on a stand-alone basis to ensure the primacy of the legal entity authorised in Ireland.

An applicant’s board and senior management teams must ensure they have the skills and knowledge to meaningfully understand their responsibilities and risks the firm faces. This responsibility also extends to outsourced activities where the activities are conducted on the firm’s behalf by any third party, including any group entity.

Financial Crime

As a designated firm, an e-money institution must comply with the know-your-customer / anti-money laundering (“AML”) obligations set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. An applicant must have a strong AML control framework that specifically focusses on the money laundering and terrorist financing risks arising from the applicant’s business model.

Where distributors and/or agents undertake preventative AML measures and controls, such as customer due diligence (“CDD”), on behalf of an e-money firm, these must be completed in line with the e-money firm’s own risk assessments and AML policies and procedures. E-money firms must also exercise adequate oversight of their agents and distributors with an appropriate level of ongoing assurance conducted. E-money firms must undertake appropriate assessment of their agents and distributors that undertake activities on their behalf. The responsibility for carrying out customer risk assessments and CDD on the end user of the products and services ultimately rests with e-money firms, even where such tasks are being performed by agents and distributors.

Resolution and wind-down

An applicant is expected to have an appropriate exit/wind-down strategy which is linked to its business and operational model and that ensures the return of customer funds as soon as is reasonably practical in an exit/wind-up scenario. An effective wind-down plan would include:

• governance and escalation processes to be followed during crisis management;
• a sample of scenarios which could trigger a wind-down;
• a risk management framework;
•  resources that would be required in the event of a wind-down;
• plans to assess the impact on, communicate with and mitigate the impact on counterparties, consumers, group companies and the wider market; and
• a process and timeline for returning users’ funds.

Fitness and Probity

Once an application has entered the assessment phase, the applicant will also need to ensure that all relevant individuals proposed to hold a Pre-Approval Controlled Function (“PCF”) role in the applicant entity (typically board members, senior management, key function holders) complete Fitness and Probity Individual Questionnaires. The CBI expects applicants to have conducted their own due diligence before proposing a candidate for appointment to a PCF role. Where it is proposed for a person to hold more than one PCF role, sufficient information on why this is appropriate should be provided to the CBI. The CBI has confirmed in its Expectations for Electronic Money Institutions document (available here) that a proposal for a person to hold three or more PCF roles will not be approved.

The CBI’s fitness and probity requirements are based on Guideline 16 of the “EBA Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers” which relates to the “identity and suitability assessment of directors and persons responsible for the management of the payment institution or electronic money institution”.

The CBI has published “Guidance on the Specific Requirements that apply to persons seeking approval for a Pre-Approval Controlled Function role in a Payment Institution or Electronic Money Institution” (available here). All relevant individuals must submit an Individual Questionnaire electronically. However, access to the online Individual Questionnaire only becomes available after an application has been deemed to contain all the key information needed to progress to the assessment phase of the application process.

Phase 1: Initial meeting and Key Facts Document

Bespoke pre-application meetings are scheduled with all potential applicants to provide direction on application requirements and answer any specific questions applicants may have about the application process, service standards or completing the application form. All applicants will be required to return a ‘Key Facts Document’ to the CBI at least 5 working days prior to the pre-application meeting. The Key Facts Document was updated in April 2024 and is now required to be between 15-20 pages in length. The CBI recommends applicants take into consideration all items discussed during the pre-application meeting prior to submitting an application. The CBI will usually raise any concerns it has at this point but will not provide any legal advice. At this meeting the CBI can:

• provide greater clarity about the assessment process and the authorisation requirements; and
• identify any initial issues with the proposal which, if not addressed, would preclude the application from proceeding.

Stage 1: Submitting the Application Form and Acknowledgement

When applying for authorisation, an applicant must provide certain information to the CBI, including details of its:

• programme of operations; business plan; structural organisation;
• evidence of initial capital; governance arrangements and internal control mechanisms;
• process for dealing with sensitive payment data; business continuity arrangements;
• security policy document;
• AML/Countering the Financing of Terrorism (“CFT”) Internal Control Mechanisms; and
• identity and suitability assessments for persons with qualifying holdings in the applicant and senior managers.

The CBI aims to acknowledge receipt of an application for authorisation submitted by the applicant within 3 working days of receipt.

Phase 2: Key Information Check and Initial Assessment

The CBI checks that the applicant has submitted all the key information and documentation. The CBI aims to confirm whether or not this is the case, generally within 10 working days of receipt of the application. The CBI also carries out an initial assessment of the application to check whether the applicant is likely to meet the CBI’s expectations. There are two possible outcomes to this initial assessment:

(a) Progression: The CBI will permit the application to proceed to the assessment stage. The CBI will assign a specific case manager as the primary point of contact for the applicant at this stage. The CBI notes that applicants which make “the necessary senior appointments early in the process generally submit a more complete application” and tend to be authorised more quickly (available here); or

(b) Issues have been Identified Precluding Progression: This is where the CBI is of the view that the applicant cannot progress to the assessment stage. The CBI will identify the issues and the applicant will have the opportunity to address these issues which may be via written submissions or meetings (in person or online) with the CBI.

Stage 2: Assessment Stage

The CBI assesses the application against the authorisation requirements and issues initial comments to the applicant on its application as well as subsequent comments based on its review of the applicant’s responses. Additional information and detailed assessment meetings may be requested by the CBI. Individuals proposed for Pre-Approval Controlled Function roles are sometimes invited for interview as part of the assessment of their Fitness and Probity for key roles. There are two possible outcomes:

• Positive Outcome (Minded to Authorise letter): If the applicant has shown it will meet all authorisation requirements, the CBI will issue a Minded to Authorise letter which will include requirements to be addressed prior to authorisation, conditions for post-authorisation, and the proposed level of capital to be held; or
• Negative Outcome (Minded to Refuse letter): If the CBI is not satisfied with the application, a Minded to Refuse letter will be issued. This letter will include the reason(s) for the proposed decision and specify the period within which the applicant may make submissions in writing to the CBI before a final decision is made.

In 90% of cases, the CBI will complete the assessment phase within 90 working days, although the clock will be paused in certain circumstances.

Stage 3: Authorisation Decision

The CBI notifies the applicant of the outcome of the assessment process. There are two possible outcomes:

• Positive Outcome (Letter Granting Authorisation): Subject to the pre-authorisation requirements in the ‘Minded to Authorise’ letter having been addressed, no new adverse information coming to the CBI’s attention in the interim, and agreement from the applicant as to the proposed conditions and capital, a letter granting authorisation will be issued, and the applicant firm will then be able to commence its regulated activities; or
• Negative Outcome (Letter of Refusal): Where a ‘Minded to Refuse’ letter has issued, the CBI will review any submissions made by the applicant. If the CBI is still not satisfied to approve an application following the review of any submissions to a ‘Minded to Refuse’ letter, it will issue a letter of refusal.