Payment Institutions

A payment service is defined in the Schedule to the European Union (Payment Services) Regulations 2018 as:

1. Services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account.
2. Services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account.
3. Execution of payment transactions, including transfers of funds on a payment account with the user's payment service provider or with another payment service provider:
    (a) execution of direct debits, including one-off direct debits;
    (b) execution of payment transactions through a payment card or a similar device;
    (c) execution of credit transfers, including standing orders.
4. Execution of payment transactions where the funds are covered by a credit line for a payment service user:
    (a) execution of direct debits, including one-off direct debits;
    (b) execution of payment transactions through a payment card or a similar device;
    (c) execution of credit transfers, including standing orders.
5. Issuing payment instruments and/or acquiring payment transactions.
6. Money remittance.
7. Payment initiation services
8. Account information services

In addition to the firms listed on the Register of Payment Institutions who have been granted an authorisation pursuant to Regulation 18 of the Regulations and the Register of Credit Unions under Regulation 9(1)(b) of the Regulations, there are other Payment Service Providers who have the right to provide payment services under Regulation 8 of the Regulations. These are: 

1. A credit institution within the meaning of Directive 2006/48/EC, 
2. An electronic money institution (within the meaning of the European Communities (Electronic Money) Regulations 2011 (S.I. No. 183 of 2011),
3. An Post, in its capacity as a provider of banking and giro services, or the postal authority of another Member State in its capacity as the provider of a giro service,
4. The Central Bank, European Central Bank & other Member State Central Banks not acting in its capacity as a monetary authority, 
5. A Member State, or a regional or local authority not acting in its capacity as a public authority,
6. A person for the time being permitted under Part 8 of the Regulations to provide the payment service,
7. Small payment institutions, and
8. Payment Institutions authorised in another EEA Member State who have given notice in accordance with Article 25 of the Payment Services Directive (a register of these firms will be available on the Home Member State Register of Payment Institutions).

Regulation 4 of the European Union (Payment Services) Regulations 2018 (PSR) provides for a number of exclusions from the scope of the PSR, i.e. certain services and payment transactions to which the PSR does not apply.  Regulations 45 and 46 of the PSR  provides that, in the case of the two exclusions referred to below, the relevant service provider is subject to certain notification requirements and other obligations. 

1. Limited Network Exclusion (provided for by Regulation 4(k)(i) and (ii) of the PSR) - services based on specific payment instruments that can be used only in a limited way (subject to certain conditions); and
2. Electronic Communications Exclusion (provided for by Regulation 4(l) of the PSR) - certain payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service.

Further information in respect of these exclusions, the relevant notification requirements and other obligations imposed on service providers falling within the scope of these exclusions, can be found in Regulations 4(k)(i) and (ii), 4(l), 45 and 46 of the PSR .

The onus is on any firm availing of an exclusion provided for under the PSR to satisfy itself that any such services and/or payment transactions qualify for exclusion and to ensure that it adheres to the relevant notification requirements and other obligations.  The Central Bank has published forms to enable firms to make notifications relating to these exclusions. 

Both the Limited Network Exclusion and the Electronic Communications Exclusion Notification Forms contain information and guidance to support firms in completing the forms.  They also contain details of when, and in what circumstances, notifications are required.

The Central Bank will maintain a public register on its website of service providers that fall within the scope of the Limited Network and Electronic Communications Exclusions and who have submitted a notification pursuant to Regulations 45 and 46 of the PSR.  The European Banking Authority will also maintain a public register that will include the information covered in the Central Bank register as well as information provided by the relevant competent authorities in other Member States.

Limited Network Exclusion and Electronic Communications Exclusion Forms can be sent electronically to [email protected].

Furthermore any queries in relation to the above may be sent to:
[email protected].

Please note that the Central Bank does not give advice on whether or not a service and/or payment transaction falls for exclusion under the PSR. The Central Bank recommends that firms seek legal advice if they are unsure as to whether their proposed activities fall with the scope of the above-mentioned exclusions or if they are unsure as to how to comply with their notification and other obligations under the PSR.

22 June 2023

Chartered Accountants Ireland have issued Technical Release 01/2023 Safeguarding reporting for payment and electronic money firms.

The purpose of this Technical Release (TR) is to provide assistance to auditors who are engaged by Payment and Electronic Money institutions to carry out the specific audit of their compliance with the safeguarding requirements under the PSR/EMR. The TR was prepared in consultation with the Central Bank of Ireland. 

24 May 2023

In reference to the Central Bank of Ireland’s Dear CEO letter of 20 January 2023 and, in particular, the requirement that payment and e-money firms obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR by 31 July 2023.

Following discussions with Chartered Accountants Ireland (CAI), an acceptable format for these engagements has been agreed. CAI will issue guidance to their members on performing these engagements in due course. 

Firms are required to prepare a detailed document setting out a description of aspects of their organisational arrangements to secure their compliance with the relevant safeguarding requirements under the PSR/EMR.   Firms should also prepare an assertion, approved by the Board of directors, stating that in all material respects 1 the description is fairly presented, and 2 the controls and processes included in the description were operating as described at the reference date.

Further details are outlined in the Safeguarding Notice to Payment and E-Money Firms.

20 March 2023

In reference to the Central Bank of Ireland’s Dear CEO letter of 20 January 2023 and, in particular, the requirement that payment and e-money firms obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR by 31 July 2023.

The Central Bank has engaged with Chartered Accountants Ireland regarding the type of engagement that is appropriate and it is proposed that Chartered Accountants Ireland will develop guidance to assist auditors in the completion of this engagement in due course. This should help both firms/auditors in the scoping of the engagement and also enhance the consistency of approach adopted across the sector.

We acknowledge the guidance will take some time to develop and for this reason we are extending the timeframe for the engagement, and the submission of the accompanying Board response, to 31 October 2023.

20 January 2023

The Central Bank has issued a Dear CEO letter with the purpose to reaffirm our supervisory expectations built on our supervisory experiences, both firm specific and sector wide, and enhance transparency around our approach to, and judgements around, regulation and supervision. Section 1 of the letter provides wider and specific context to our supervisory approach. Section 2 details key findings from our supervisory engagements over the last 12 months, including outlining a number of actions we expect firms to undertake. Section 3 of the letter sets out our expectation that this letter is provided to and discussed with your Board, and any areas requiring improvement that directly relate to your firm are actioned.

• 2023 Dear CEO Letter - Supervisory Findings and Expectations for Payment and Electronic Money (E-Money) Firms (PDF)

1 June 2022

Payment services based on instruments used within a limited network of service providers or for a very limited range of goods or services, e.g. shopping centre cards, may, under Article 3(k) of Directive (EU) 2015/2366 (PSD2), be excluded from its regulations.

On 24 February 2022, the EBA published its Guidelines on the limited network exclusion under PSD2 (the Guidelines). The EBA outline that the Guidelines “aim at clarifying specific aspects of its application, including on how a network of service providers or a range of goods and services should be assessed in order to qualify as ‘limited’, the use of payment instruments within limited networks, the provision of excluded services by regulated financial institutions and the submission of notification to competent authorities (CAs)”.

The Guidelines apply to CAs but should also be used by the issuers of limited network exclusion (LNE) payment instruments to assess the criteria of their application for the exclusion under Article 3(k) of Directive (EU)2015/2366 (PSD2) ahead of submission of an LNE notification to the Central Bank of Ireland.

The Central Bank has confirmed to the EBA that it intends to comply with the Guidelines. The Guidelines are effective from June 1 2022, with the following transitional arrangements also provided for:

• Competent authorities should request issuers benefitting from the exclusion under Article 3(k)(i) or (ii) of PSD2 and who have already submitted a notification under Article37(2) of PSD2 to resubmit the notification taking into account the provisions of these Guidelines by 1 September 2022.

• Competent authorities should assess the resubmitted notifications under paragraph 13 (a) in an expedited manner.

10 December 2021

The Central Bank has issued a Dear CEO letter with the purpose of setting out clearly the Central Bank’s expectations for all Payment and E-Money firms and the actions we expect the Boards and senior management of these firms to undertake to ensure the firms are in compliance, on an ongoing basis, with their regulatory requirements and any conditions imposed on the firms’ authorisation. In broad terms, the Central Bank expects regulated firms to be well-governed, with appropriate cultures, effective risk management and control arrangements in place. Firms should have sustainable business models with sufficient financial resources, including under a plausible but severe stress.  The Central Bank expects firms to be operationally resilient such that they are able to respond to, recover and learn from operational disruptions. Additionally, and importantly, the financial system must be protected from use for money laundering or terrorist financing activities.

• Dear CEO Letter - Supervisory Expectations for Payment and Electronic Money (E-Money) Firms (PDF)

Background

The Central Bank of Ireland’s (‘Central Bank’) statutory “gatekeeper” role is critically important. In assessing applications for authorisation as a PI or an EMI, the Central Bank adopts a robust, structured and risk-based approach that seeks to ensure that only applicants that demonstrate an ability to comply with the authorisation requirements applicable to their proposed business model are authorised.

The authorisation and supervision of firms operating in the PI and EMI sector is an important part of our mandate. This sector has grown substantively over the last number of years. The number of firms authorised by the Central Bank has more than doubled since 2018 and there continues to be a strong authorisation pipeline.

The purpose of this communication is to clearly set out the Central Bank’s expectations for all PI and EMI firms applying for authorisation, and to remind applicant firms of the authorisation principles, approach and the core elements that will be assessed by the Central Bank. In addition, information about the service standards to which the Central Bank operates is set out below.

1. Authorisation Principles

It is the Central Bank’s expectation that firms fully understand the risks arising from their business model and operations and how to mitigate those risks. As a general principle applicable to all firms, both incoming and those firms we currently supervise, the Central Bank expects that firms:

a) Have sufficient financial resources, including under a plausible but severe stress;

b) Have sustainable business models;

c) Be well governed, with appropriate cultures, effective risk management and control arrangements in place; and

d) Be able to recover if they get into difficulty, and if they cannot, they should be resolvable in an orderly manner without significant externalities.

From an overarching perspective, through the authorisation process, the Central Bank is seeking to gain assurance in an evidence-based manner that firms have the capabilities to manage risk and the proposed governance, risk and compliance frameworks are therefore sufficient and will operate as described post authorisation. In this regard, firms are expected, in the context of seeking to become a regulated firm, to be fully aware of the Central Bank’s broader financial regulation (prudential and conduct) expectations post authorisation. To this end, firms are expected to proactively and diligently consider regulatory requirements and guidance as well as published communication from the Central Bank to regulated firms in this sector.

PIs and EMIs firms play an increasingly important role in the financial system and in the lives of consumers. Consequently, the failure of firms to meet their supervisory obligations, including breaches of regulatory requirements can have a significant impact on consumers, who are reliant on the services provided, and/or on the functioning of the broader financial system. Therefore, firms must demonstrate that they have robust internal systems and controls, including well-developed risk management frameworks in place to drive effective behaviour and culture. In this regard, the Central Bank has no tolerance for widespread consumer or investor harm and it is the responsibility of firms to ensure that their business has a consumer-focused culture. From a conduct perspective, the Central Bank expects applicant firms to:

• Go beyond consumer protection obligations under law and be proactive and meticulous in ensuring that they do business in a way that protects consumers and investors.
• Ensure that consumer-focused cultures are evident and demonstrable throughout the entire structure. Firms must show evidence of robust oversight and challenge led by the board (in particular over the product/service lifecycle), execute comprehensive training for staff and measure key indicators of the firm’s culture.
• Regularly track and monitor the behaviour and culture in their organisations, and reflect on any shortfalls in the collective understanding of what ‘consumer focus’ actually means for their firm.
• Firms must ensure they have the right structures, processes and systems embedded to support consumer-focused behaviours.

Further elaboration of the Central Bank’s consumer protection expectations are outlined in the recent publication of the Consumer Protection Outlook 2021.

2. The Authorisation Assessment

The Central Bank’s assessment takes into consideration the nature, scale, and complexity of a firm’s application both from a point in time and forward looking perspective. Therefore it is recommended that firm’s clearly demonstrate within their application submission how they will own and control the risks to which they are exposed both upon authorisation and in the future in line with their growth plans and ambitions.  In this regard, it is the Central Bank’s expectation that throughout the authorisation process that engagement is robustly led by persons proposed to be performing Pre-Approved Control Functions (‘PCF’) in the firm.

Based on the foregoing and the relevant underpinning legislative requirements and guidelines, the Central Bank authorisation assessment focuses on five distinct areas:

a) Business Model and Financial Resilience: Assessment of the viability and sustainability of the applicant’s business strategy, programme of operations and financial projections for the first three years of operation including underpinning assumptions. This includes an assessment of the firm’s ability to meet capital requirements on an on-going basis including vulnerabilities stemming from enterprise wide risks.

 b) Governance: Assessment of the local governance framework including the proposed board construct, its terms of reference, suitability of members of the management body and key function holders, management committees and the three lines of defence framework. The Central Bank expects decision-making at Board and Executive level to take place within the State. Non-executive directors on the Board are expected to devote sufficient time to fulfil their duties and to act critically and independently so as to exercise objective and independent judgement.  In the future, the Central Bank will conduct interviews for PCF roles as a core part of the assessment process. The adequacy of local resources will also be specifically assessed including the alignment of same to the management of the key functions and risks of the firm both from a prudential and conduct perspective.

c) Risk Management, Operational Resilience and Safeguarding

Assessment of the firm’s articulation of its key prudential and conduct risks and the respective risk management frameworks. Applicant firms should demonstrate comprehensive risk management systems commensurate with the proposed business model of the applicants activities are in place. Applicant firms should coherently describe the key risks inherent in the proposed business activities of the applicant including details on how these risks will be identified, managed, monitored, controlled and mitigated. For the most material risks including; safeguarding, operational and IT risk, outsourcing (including intragroup) capital and credit risk a detailed assessment of the individual policy documents, frameworks and internal control mechanisms will be performed. Such documents should clearly describe the end-to-end operational and risk management process. Assessment of the firm’s IT risk management policy and framework including procedures for monitoring, handling and following up on security incidents and security related customer complaints is also a key assessment feature.

d) Money-Laundering/Terrorist Financing risk

The financial system must be protected from use for money laundering or terrorist financing activities. Protecting the financial system from money laundering and terrorist financing is of the utmost importance to the Central Bank. Firms operating in the PI and EMI sector are classified as a designated person under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (“CJA 2010”).As a designated person, firms are subject to the obligations of the CJA 2010, and in particular, the obligations set out in Part 4.Firms must demonstrate that they invest in and maintain strong AML compliance frameworks to protect the financial system, consumers and the wider public from money laundering and terrorist financing. One of the Central Bank’s key expectations for an effective AML control framework is that it is based on a money laundering and terrorist financing risk assessment that specifically focusses on the money-laundering and terrorist financing risks arising from the firm’s business model. This risk assessment should drive the firm’s framework such that it ensures there are robust controls in place to mitigate and manage the risks identified through the risk assessment. The Central Bank’s view is that a “tick box” or rules-based approach to risk assessment is not fit for purpose and does not meet regulatory expectations.

e) Resolution and Wind Up

Assessment of the measures to be taken by the applicant firm in the event of termination of its payment services (due to insolvency, etc.).It is expected that where failure arises, the insolvency process can be managed in an orderly fashion without customer detriment. Measures to be reviewed will include, inter alia, an assessment of the firm’s ability to (i) ensure operational continuity by all service providers during the wind-down process, (ii) execute pending payment transactions, (iii) repay outstanding client balances without delay and/or (iv) protect client funds from the claims of other creditors in the event of insolvency.

The Central Bank has published service standards in respect of the processing of applications for the Payments Sector. In the context of meeting those standards, the service standard timeframe to which the Central Bank has and remains committed to the assessment phase of the application process is 90 working days.  However, firms should expect that the assessment clock will be paused resulting in a prolonged assessment period where:

1. The information provided does not address, in substance and detail, the key assessment areas as outlined under the Authorisation Process section of the Central Bank website.
2. Firms do not comprehensively address, within their applications, the firm specific feedback provided by the Central Bank during the formal assessment phase period.

3. Closing

The Central Bank deals with all applications for authorisation in an open, engaged and constructive manner. The Central Bank encourages all firms seeking authorisation to engage at the earliest opportunity regarding it proposed application having fully reflected on the information contained within this communication as well as the broader suite of information available on the Central Bank’s website.

The EBA has published an Opinion in relation to the transition from the first Payment Services Directive (PSD1) to the revised Payment Services Directive (PSD2) which became effective 13 January 2018. The EBA opinion clarifies a number of issues identified by market participants and competent authorities, including with regard to the transitional period foreseen under PSD2, including the transitional arrangements that apply to account information service providers and payment initiation service providers.

8 December 2017

The Central Bank of Ireland has published a Guidance note on the specific requirements provided for in the revised Payment Services Directive (Directive (EU) 2015/2366) (PSD2), that apply to persons seeking approval for a Pre-Approval Controlled Function role in a Payment Institution or Electronic Money Institution (PSD2 F&P Guidance).

Links to the F&P Guidance can be found for:

1. Authorisation as a Payment Institution

2. Authorisation as an Electronic Money Institution

3. Amendments Processing for Payments Institutions

4. Supervision Process for Payments Institutions

5. Amendments Processing for Electronic Money Institutions

6. Supervision Process for Electronic Money Institutions

The Central Bank has issued this Guidance Note to provide support to applicants completing the Fitness & Probity Individual Questionnaire via our Online Reporting System.

Note
This notice applies to persons seeking approval for a Pre-Approval Controlled Function role in a firm seeking authorisation as a Payment Institution or Electronic Money Institution or in a firm that has already been granted an authorisation as a Payment Institution or Electronic Money Institution by the Central Bank.