Contributed By Walkers
Ireland is home to well-developed and globally recognised technology and financial services sectors and is a fintech hub.
IDA Ireland, the industrial development agency in Ireland, reported in September 2019 that Ireland has been chosen as a location by nine of the top ten US technology companies, the top five global software companies and eight of the top ten financial services companies. In addition to technology firms including Microsoft, Google, Apple and Facebook, Ireland is home to over 430 international financial services companies (Ireland for International Financial Services, International Messaging, September 2019, Government of Ireland).
Ireland is also home to a large number of fintech firms and incubators, and is the European home for global innovation labs (for companies such as Mastercard, Accenture, Deloitte, Google, ConsenSys, BNP Paribas and Citi). The Central Bank of Ireland ("Central Bank") established its Innovation Hub in April 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of the existing formal regulator/firm engagement processes. According to the Central Bank's Innovation Hub 2019 Update, it has received 166 engagements to date, with 26% of engagements relating to regulatory technology ("regtech"), 19% relating to the payments sector and 16% relating to markets and exchanges.
The past 12 months have seen continued fintech activity in Ireland and entities operating here, reflecting the positive ecosystem that has been developed. In addition, the UK’s withdrawal from the EU (“Brexit”) and the expected consequent loss of the ability for UK firms to "passport" their UK authorisations to provide services into other EU member states has led a number of established fintech firms to locate operations and seek licences in Ireland. Recent examples include Coinbase and Stripe, both of which have obtained electronic money institution authorisations, which also allow for the provision of payment services. Other firms such as Revolut and Starling Bank have also indicated an intention to locate certain operations in Ireland.
Moving forward, the government's strategy for the development of Ireland’s international financial services sector to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies. Existing domestic institutions have taken steps to utilise new technologies and acquire fintech operations. In the next 12 months, fintech developments in Ireland are likely to continue to focus on the payments sector, regtech and blockchain, amongst other sectors. From a regulatory and supervisory perspective, it is expected that outsourcing, cyber and ICT risk, and resilience, as well as data protection, will remain key topics.
EU legislation is implemented into Irish law and/or is directly applicable. In the context of virtual currencies, providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers will be impacted by changes to EU money laundering rules to become effective in 2020. EU-wide crowdfunding legislation is also set to be finalised.
Other recent EU initiatives impacting fintech include the European Commission's December 2019 public consultation in respect of a proposed EU regulatory framework for crypto-assets ("Crypto Consultation") and the public consultation in respect of how an enhanced EU regulatory framework for digital resilience might be established (as well as related consultations on legislative roadmaps). In addition, the Expert Group on Regulatory Obstacles to Financial Innovation was established by the European Commission, in accordance with its 2018 FinTech Action Plan, to review the application and suitability of the European legal and regulatory framework to fintech in order to identify issues that may impede the scaling-up of fintech in the EU. Its final report was issued on 13 December 2019 setting out its Thirty Recommendations on Regulation, Innovation and Finance.
The Central Bank has commented that fintech activity in Ireland is at its most intense in the payments sector. This is reflected in an increased number of authorised payment institutions and electronic money institutions in Ireland over the past 12 months or so, including Stripe, Coinbase (a cryptocurrency platform) and Soldo. Bigtech firms have also established in this space, and it is likely that payment services will continue to be an area of focus in Ireland. This is helped by the existing fintech and payments-friendly ecosystem, but is also attributable to the impact of Brexit, which has already led a number of payments firms to locate operations in Ireland so as to ensure access to the EU market going forward.
A number of international challenger banks are operating in Ireland on a cross-border basis and may soon open operations here or are in the licensing process.
Other prominent areas for fintech in Ireland include regtech and digital identity, asset management solutions and financial software. Peer-to-peer lending platforms have also established in Ireland.
In the insurance sector, the Central Bank has reported that it has seen firms developing models to offer on-demand insurance. In addition, it has indicated that one of the key technologies driving innovation in insurance is telematics and wearable technology, which may reward good behaviour with lower premiums.
A number of firms established in Ireland are carrying out work in relation to blockchain solutions. In the context of its Innovation Hub, the Central Bank has indicated that the highest adoption of more advanced technology has been seen in the area of markets and exchanges, with 72% of enquiries involving blockchain-related applications.
There is currently no bespoke regulatory licensing regime for fintech firms in Ireland. Instead, industry participants must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis.
In relation to the provision of payment services or issuance of electronic money, the primary rules to be considered are the European Union (Payment Services) Regulations 2018 (“Payment Services Regulations”) (which transpose Directive 2015/2366/EU (PSD 2) into Irish law) or the European Communities (Electronic Money) Regulations 2011 (“Electronic Money Regulations”) (which transpose Directive 2009/110/EC (“Electronic Money Directive”) into Irish law). The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (CBA 1997) may be relevant to a money transmission service falling outside the Payment Services Regulations.
Challenger banks seeking to undertake "banking business" require a bank licence under the Central Bank Act, 1971 (CBA 1971) and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Banking business, in summary, means any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds and the granting of credits on own account. Licensing decisions are taken by the European Central Bank. Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their local regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” in their name, as this is restricted under the CBA 1971.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, a case-by-case analysis is required.
Depending on the services provided, a fintech firm providing asset management solutions may be subject to regulation. For example, if the activities constitute "investment services" in respect of "financial instruments" for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (“MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment business services, including depository or administration services, would require authorisation under the Investment Intermediaries Act 1995 (IIA). Fund management companies are also regulated.
There is currently no bespoke regulation of peer-to-peer or crowdfunding platforms. However, depending on the services they provide, a number of existing rules may be applicable and are discussed elsewhere in this guide. Legislation to establish an EU-wide regime for investment and lending-based crowdfunding platforms that will enable cross-border activity is imminent.
As with all fintech companies, those providing software or blockchain solutions will need to examine the particular services they are offering and activities they are undertaking in order to assess if a licence is required.
Conduct of business and anti-money laundering (AML) requirements may also apply, as well as data privacy requirements.
The permissible compensation models for fintech firms will depend on the type of service they provide, their customer base, regulatory status and the rules applicable to those services or customer types. Similarly, disclosure requirements in relation to fees and charges will depend on these factors.
As a general rule, there is no differentiation between services provided by fintech firms or legacy players. However, some regulated services or activities are more likely to be carried on by fintech firms.
There is currently no regulatory sandbox in Ireland. The Central Bank has established an Innovation Hub to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of existing formal regulator/firm engagement processes.
The Central Bank is the financial services regulator in Ireland with responsibility for authorisation and supervision of financial service providers. The Central Bank supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.
The European Central Bank is the competent licensing authority for new Irish credit institutions (banks) and it supervises significant credit institutions directly under the Single Supervisory Mechanism.
The Data Protection Commission is the Irish supervisory authority for the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR).
If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service unless it can rely on an exemption.
For regulated firms that are engaging in outsourcing, a number of rules and requirements for financial services firms may apply. These are generally sector specific; for example, the Payment Services Regulations and MiFID II contain outsourcing requirements relevant to in-scope firms.
The European Banking Authority (EBA) Guidelines on outsourcing arrangements (“EBA Outsourcing Guidelines”) are applicable to credit institutions, certain investment firms and payment institutions and electronic money institutions, and set out a number of requirements for internal governance and risk management as well as specific requirements in relation to outsourcing contracts. These requirements include the vendor agreeing to provide access and audit rights for the regulated firm and its regulators for critical or important functions.
Of more general application is the November 2018 Central Bank Outsourcing Discussion Paper (“CBI Outsourcing Paper”), which sets out certain regulatory findings and expectations the Central Bank has for outsourcing by entities that it regulates, including in relation to outsourcing contracts.
The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010) implements the Fourth Money Laundering Directive (Directive (EU) 2015/849) (4MLD) into Irish law. The Fifth Money Laundering Directive (Directive (EU) 2018/843) (5MLD) is due to be fully implemented into Irish law in the first quarter of 2020. Fintech firms that are "designated persons" due to the services they provide will be subject to the requirements of the CJA 2010. Firms that do not hold a financial services licence or authorisation, but that are within the scope of the CJA 2010 (for example, commercial lenders or financial leasing firms), will be subject to the AML requirements and will also be required to register with the Central Bank for money laundering purposes. 5MLD will extend AML regulation, including a registration requirement, to custodian wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies.
Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD 2 where they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber risks. Other cybersecurity and criminal legislation is also relevant.
Fintech firms will need to comply with data privacy laws, including the GDPR, in respect of any processing of personal data. The GDPR is broad in application such that the vast majority of companies are impacted regardless of regulatory status or services being provided. The GDPR was designed to be technology neutral, meaning that it protects personal data notwithstanding the technology used or how the personal data is stored. However, such neutrality means that fintech firms will be presented with challenges when navigating through the obligations imposed by the GDPR. Amongst the issues to be considered are transfers of personal data to countries outside of the EEA (which includes the UK post-Brexit, with these issues expected to crystallise following the expiry of the Brexit transition period), provision of transparent and accessible privacy notices, the principles of "privacy by design" and "privacy by default", implementation of risk-based data security measures, data breach reporting obligations and the enhanced rights of data subjects, including the right to be forgotten and the right to data portability.
Conduct of business rules apply in relation to advertising by regulated firms. In addition, general consumer protection legislation prohibits certain activity, such as misleading advertising.
In addition, any communication with either potential or existing clients should be made in a manner that is compliant with all applicable data protection laws.
Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts.
For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless restricted by its financial services licence.
The Consumer Protection Code 2012 (CPC) applies to Irish regulated entities and EEA firms operating in Ireland on a branch basis or cross-border basis. The CPC primarily impacts services provided to consumers (for example, individuals and certain small companies), although certain services are excluded from its scope (for example, MiFID II services). Under the CPC, regulated entities must use a prescribed form regulatory disclosure statement in certain circumstances. This statement cannot be used in communications with a consumer unless the communications relate solely to a regulated activity. A regulated entity must have separate sections on any website it operates, for regulated activities and any other activities that it carries out. In addition, the CPC restricts contingent selling by regulated entities and provides restrictions or requirements in relation to bundling of services.
Per the EBA Glossary for Financial Innovation (“EBA Glossary”), robo-advisers are defined as “Applications that combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisors may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions” (“Robo-adviser”).
While the specific services and business models of differing Robo-advisers will vary, once the activities of the Robo-adviser constitute MiFID II "investment services" in respect of "financial instruments", they will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.
The MiFID II investment services most likely to be triggered by Robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include transferable securities, units in collective investment undertakings, certain options, futures, swaps and other derivatives and emissions allowances.
MiFID II investment firms are subject to extensive conduct of business rules when providing investment services. The authorisation requirements and process will help shape and define a MiFID II investment firm’s business model.
The MiFID Regulations requirements in relation to suitability assessments will also affect Robo-advisers, and certain of the European Securities and Markets Authority (ESMA) Guidelines on MiFID Suitability – which define Robo-advice as “the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool” – are stated to be particularly applicable to Robo-advisers, given the limited amount or total absence of human involvement in the investment service performance process.
No information is available in this jurisdiction.
A Robo-adviser authorised under the MiFID Regulations that executes orders on behalf of clients is subject to the MiFID II rules, including the obligation to execute orders on terms most favourable to its clients and the client order handling rules. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders.
There are significant differences between the regulation of lending to individuals and companies in Ireland.
Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland. By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. This is a domestic Irish requirement. In addition, the Consumer Credit Act, 1995 (CCA) contains another domestic-only regime whereby a person who meets the definition of a “moneylender” lending to consumers is required to obtain authorisation in certain circumstances.
Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and small and medium enterprises (SMEs) requires authorisation in certain circumstances. Where a business provides payment services (eg, issuing a payment instrument) as part of its business model, it may be required to seek authorisation under the Payment Services Regulations or the Electronic Money Regulations. The domestic Irish regime governing money transmission businesses under the CBA 1997 may alternatively be relevant.
Lending to individuals acting outside their business is subject to the requirements of a range of consumer protection legislation. Additional rules apply in respect of mortgage lending.
Regulated financial service providers (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the CPC and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (“SME Regulations”).
Irish conduct of business rules and legislation require creditworthiness or suitability assessments in certain circumstances. For example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.
Ireland has established a Central Credit Register (CCR) under the Credit Reporting Act 2013 (CRA). The CRA requires lenders to check the CCR prior to advancing in-scope credit, and also imposes a requirement on lenders to report information relating to certain loans and borrowers.
Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.
Dedicated lending entities – for example, a retail credit firm – may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending.
It is not typical for consumer loans or loans to small businesses to be syndicated. Where peer-to-peer lending is taking place, there may be multiple bilateral loan agreements.
Payment processors may use existing payment infrastructure or create or implement new infrastructure, so long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.
No information is available in this jurisdiction.
Fund administrators in Ireland are generally authorised pursuant to the IIA but may also be authorised pursuant to the MiFID Regulations depending on the types of activities to be undertaken.
In addition, fund administrators are subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017, the Central Bank's Investment Firms' Q&A and the Investor Compensation Act 1998.
Boards of directors of Irish investment funds and fund management companies ("Boards") require administrators to enter into service level agreements setting out in granular detail the services described in the administration agreement and the parties' expectations in terms of timing, performance, escalation of issues and actions to be taken in the event of non-compliance with specific provisions of the service level agreement. In addition, administrators are being requested to provide key performance indicators as part of their quarterly reporting to Boards in respect of services such as the calculation and release of the net asset value. Such requests are a result of increased focus by regulators on oversight of service providers.
The increasing reliance by firms operating within the global financial sector on information technology (IT) has led to a focus by regulators and firms alike on improving cybersecurity and data protection within the financial industry. As fund administrators maintain trading data, account details and extremely sensitive investor information, they are at particular risk from the evolving sophistication of cyber-attacks and the heightened frequency of data breaches. Accordingly, Boards are increasingly seeking to impose contractual terms that ensure fund administrators have appropriate IT and cybersecurity risk management procedures and frameworks in place to protect against cybercrime and data breaches, as well as IT disaster recovery and business continuity planning arrangements encompassing the recovery and resumption of daily operations should a disruptive event occur. These provisions stem from the sharpened focus of regulators on data protection as well as the management of cybersecurity across the financial sector, but also from an increasing awareness by industry of the devastating financial and reputational implications that a successful cyber-attack could yield.
Regulators are also becoming increasingly focused on the oversight exercised by funds and their advisers on fund administrators and, accordingly, contractual terms requiring ongoing reporting from the fund administrator to the fund are becoming increasingly important.
Generally, fund administrators do not act as "gatekeepers"; however, they are likely to be under a contractual obligation to report any data breaches and cybersecurity issues that may impact their client. They may also be subject to industry guidance and best practice in this regard.
In addition, where a fund administrator provides transfer agency activities that typically include performing due diligence on investors in line with applicable AML and counter-terrorist financing legislation, the fund administrator would have an obligation to identify and escalate transactions it determines to be suspicious or unlawful. In this situation, fund administrators would also have an affirmative duty to conduct regular testing to ensure that there are no unexplained gaps in the required due diligence documentation and records of the underlying investor and to ensure that the documentation is updated at the appropriate frequency.
In addition, the Criminal Justice Act 2011 imposes a reporting obligation on a person that has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence” to disclose this information to the Garda Síochána (the Irish police force).
The activity of operating a peer-to-peer crowdfunding platform is not currently regulated in Ireland as a distinct activity. However, crowdfunding may currently be within the scope of investment services legislation (such as MiFID II or prospectus requirements) where MiFID II financial instruments are offered and/or funds regulation where collective investment undertakings are involved. In addition, crowdfunding platforms arranging or offering to arrange loans to individuals who are consumers for commission or payment may require authorisation as credit intermediaries under the CCA. Platforms should also consider whether they provide regulated payment services.
An EU regulation to establish a Europe-wide regime for investment and lending-based crowdfunding platforms that will enable cross-border activity is being finalised. In summary, this will provide for a single set of rules that will apply to crowdfunding services in the EU up to a certain size, provide rules to protect investors from financial losses and make EU member states responsible for authorising and supervising crowdfunding providers.
Payment services involving fiat currencies will typically have to be carried out by a regulated payment service provider, in accordance with the conduct of business rules contained in the Payment Services Regulations. The Irish regime governing money transmission businesses under the CBA 1997 may alternatively be relevant.
The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of investment firms and various types of securities exchanges, including market operators, regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).
Where a crypto-asset amounts to a MiFID financial instrument, a crypto-exchange will be subject to regulation under the MiFID Regulations. Pure cryptocurrency platforms that do not involve MiFID financial instruments do not currently require authorisation in Ireland. However, 5MLD brings providers engaged in exchange services between virtual currencies and fiat currencies within the scope of EU/Irish AML requirements, including a registration requirement. Implementation into Irish law is due in 2020. Crypto-exchanges should also consider whether they are providing payment services and/or electronic money (such as where issuing their own tokens).
No information is available in this jurisdiction.
No information is available in this jurisdiction.
No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Exchanges for MiFID II financial instruments established under the MiFID Regulations will usually have detailed listing/admission to trading rules to ensure transparency and compliance with applicable laws and regulation (eg, the Euronext Dublin Listing Rules), while rules in relation to the requirement to publish a prospectus may also be relevant.
No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms when executing orders in MiFID II financial instruments.
No information is available in this jurisdiction.
No formal best execution standards apply to an unregulated platform in Ireland; general contractual principles should apply.
Detailed best execution standards apply for MiFID II investment firms dealing in MiFID II financial instruments.
The MiFID II inducements regime will apply to all MiFID II investment firms.
The primary method of regulation of these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments, so asset classes outside the scope of regulation under the MiFID Regulations will not be regulated.
All MiFID II investment firms and exchange-like platforms that allow for the trading of MiFID II financial instruments will be in scope.
Specific, detailed rules apply where a MiFID II investment firm engages in algorithmic trading to pursue a market-making strategy. These include carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours, and entering into a binding written agreement with the trading venue.
The MiFID II and MiFID Regulations rules governing algorithmic trading impose specific systems and risk controls on in-scope MiFID II investment firms, including ensuring their trading systems are resilient, with sufficient capacity, subject to trading thresholds and limits, and prevent the sending of erroneous orders. The MiFID Regulations set out detailed order execution and client order requirements.
No information is available in this jurisdiction.
The MiFID II inducements regime will apply to all MiFID II investment firms.
Platforms providing financial research are not specifically regulated by the Central Bank. However, participants and platforms should consider whether a regulated investment service is being provided.
The provision of investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments is an ancillary service under Part 2 of Schedule 1 of the MiFID Regulations. The provision of this service without any other MiFID II investment services would not trigger a requirement for authorisation as a MiFID II investment firm.
In contrast, the provision of investment advice (as defined in MiFID II) in relation to MiFID II financial instruments is an activity requiring authorisation under the MiFID Regulations, unless an exemption applies.
The MiFID Regulations and Commission Delegated Regulation (EU) 2017/565 provide requirements in relation to conflicts of interest and inducements that apply to regulated MiFID II investment firms in relation to research.
The IIA regulates the provision of investment advice in relation to investment instruments, subject to certain exemptions. The IIA definition of investment instruments captures certain instruments that are not MiFID II financial instruments and certain activities or firms that might fall outside the MiFID Regulations.
The Market Abuse Regulation (Regulation (EU) 596/2014) (MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“Market Abuse”) as well as measures to prevent Market Abuse.
MAR prohibits insider dealing, the unlawful disclosure of inside information, market manipulation and attempted market manipulation. Market manipulation is broadly defined under MAR, and includes disseminating information through the media, including the internet or by any other means, that gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of a financial instrument, a related spot commodity contract or an auctioned product based on emission allowances, or secures, or is likely to secure, the price of one or several MiFID II financial instruments, a related spot commodity contract or an auctioned product based on emission allowances at an abnormal or artificial level, including the dissemination of rumours, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.
Recital 48 to MAR confirms that, given the rise in the use of websites, blogs and social media, disseminating false or misleading information via the internet (including through social media sites or unattributable blogs) should be considered to be equivalent to doing so via more traditional communication channels for the purposes of MAR.
In summary, MAR applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made or traded on an OTF and certain other financial instruments, the price or value of which depends on or has an effect on the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue. The terms “regulated market”, “MTF”, “OTF” and “trading venue” are defined in MiFID II.
Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (“MAR Regulations”), is an offence in Ireland. The MAR Regulations also provide for certain civil sanctions for breaches of MAR, such as a breach of the prohibition on market manipulation.
The MAR prohibition on market manipulation (including attempted market manipulation) includes a prohibition on “taking advantage of occasional or regular access to the traditional or electronic media” to voice opinions about in-scope instruments with a view to profiting from the impact of those opinions, without having simultaneously publicly disclosed that conflict of interest.
MAR is also intended to ensure that the prohibitions against market abuse cover those persons who act in collaboration to commit market abuse, so the platform should ensure it takes steps to avoid being seen to collaborate with such activity.
Liability under the MAR Regulations can also attach to an entity that collaborates in or facilitates market abuse/manipulation. MAR also requires member states (including Ireland) to put mechanisms in place to allow for the reporting of infringements of MAR (ie, whistle-blowing mechanisms).
As noted elsewhere, it is an offence under the CJA 2011 to fail to disclose to the authorities information about a "relevant offence" as defined under that act.
Where a financial research platform has been used in furtherance of illegal activity such as a breach of MAR or the MAR Regulations, the operators of that platform may potentially face legal exposure.
The EU’s Solvency II regime (as implemented in Ireland) applies to the majority of Irish (re)insurance undertakings, including the underwriting process of these undertakings.
The Solvency II framework sets out detailed requirements around capital, governance and risk management in all Irish and EU authorised (re)insurance undertakings.
In broad summary, Solvency II Undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015, to carry on either life insurance business, non-life insurance business, or both.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, certain exceptions to this position could apply, depending on the nature of the regtech service performed and the nature of the entity to which such services are provided. Therefore a case-by-case analysis is required.
Depending on the particular service provided and the particular financial services firm receiving those services, they may fall within the legal and regulatory requirements governing outsourcing and this will impact the contractual provisions required.
For example, where a MiFID II investment firm outsources “a critical or important function”, outsourcing rules apply under the MiFID II framework. Similar issues would arise where regulated payment institutions, electronic money institutions, credit institutions and other regulated entities engage in outsourcing. In these circumstances regulated firms should require regtech outsourcing agreements to reflect the applicable rules.
The Central Bank has issued the CBI Outsourcing Paper, wherein it sets out its minimum supervisory expectations for the outsourcing agreements of Irish regulated financial service providers. The EBA Outsourcing Guidelines apply to EEA authorised credit institutions, certain investment firms, payment institutions and electronic money institutions, and require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. In addition, specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The EBA has commented that it is imperative that business continuity and data protection are appropriately considered when outsourcing IT or data services.
Outsourcing is a particularly topical issue for the Central Bank.
Regtech providers may have legal and regulatory or contractual obligations to notify certain behaviour, depending on their regulatory status and contractual arrangements, the sector in which they operate and the information and material that they come into contact with.
Domestic institutions are investigating the use of blockchain, and certain institutions have conducted trials in this area, including in the area of payments.
In addition, in May 2019, the Institute of Banking, domestic banks Bank of Ireland, AIB and Ulster Bank (part of the RBS Group), and Deloitte announced that they are collaborating to develop a financial services industry education platform based on blockchain technology. The platform will support the verification, tracking, direct access to, and management of, regulatory and other professional designations, education qualifications and lifelong learning credentials.
Neither the Irish legislature nor the Central Bank has implemented specific legislative or regulatory updates, or updated guidance to address blockchain technology. The Central Bank has issued consumer warnings regarding the risks of both crypto-currencies and initial coin offerings (ICOs).
The January 2019 EBA report with advice for the European Commission on crypto-assets (“EBA Crypto Report”) and ESMA advice in relation to initial coin offerings and crypto-assets (“ESMA Crypto Report”) provide useful information in relation to the interpretation of blockchain assets within existing rules and highlight gaps, as well as suggesting that further consideration be given at an EU level to legislating in the area. This work has fed into the European Commission's December 2019 Crypto Consultation. Amongst other things, the Crypto Consultation looks at crypto-assets that are covered by EU rules and whether the rules can be effectively applied, as well as crypto-assets that are not covered by EU rules at present, and a possible common regulatory approach. It is intended that new legislation for a common EU approach on crypto-assets will be proposed. On 5 December 2019 the Council and Commission issued a joint statement that no global "stablecoin" arrangement should begin operation in the European Union until the legal, regulatory and oversight challenges and risks have been adequately identified and addressed.
The government's international financial services sector strategy document to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies.
There is currently no Irish or EU law or regulation that expressly classifies blockchain assets or crypto-currencies. However, blockchain assets and/or services in relation to those assets may fall within existing regulatory regimes and, depending on the features of a particular blockchain asset, its legal classification may vary. As part of the Crypto Consultation, views on classification have been sought and a number of definitions are provided for the purposes of the consultation.
The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender, and has also issued a consumer warning regarding the risks of ICOs.
One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security. Given the variance in structure among blockchain assets, it is necessary to analyse individual blockchain assets against the criteria for the MiFID II financial instrument of “transferable securities”, defined under Article 4 (1) (44) of MiFID II as those “classes of securities which are negotiable on the capital market, with the exception of instruments of payment, such as:
If a blockchain asset is determined to be a transferable security, then it falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR. The ESMA Crypto Report also states that several European regulators considered that certain types of crypto-assets could qualify as units in collective investment undertakings (another MiFID II financial instrument), most likely alternative investment funds, and thus the Alternative Investment Fund Managers Directive (Directive 2011/61/EU) (AIFMD) could be relevant. The ESMA Crypto Report notes that existing rules that may be applicable do not fit perfectly with the characteristics of blockchain.
In very broad terms, a blockchain asset with characteristics that are similar to shares, bonds or other securities, or related derivatives, including being transferable, will be more likely to fall within the definition of a “transferable security”. An investment-type blockchain asset may be more likely to have these characteristics, while the ESMA Crypto Report specifically notes that a pure payment-type cryptocurrency (such as Bitcoin) is less likely to be considered a “transferable security”. The ESMA Crypto Report cautions against extrapolating its analysis to the entire cryptoasset universe.
In the EBA Crypto Report, the EBA notes that a cryptoasset can qualify as electronic money under the Electronic Money Directive, and thus fall to be regulated under that directive, provided the following circumstances are met:
Additionally, if a person performs a "payment service" as listed in PSD 2 with a blockchain asset that qualifies as "electronic money" under the Electronic Money Directive, such activity would fall within the scope of PSD 2 by virtue of constituting "funds". More generally, PSD 2 and the domestic Irish regime of money transmission should also be considered in the context of fiat transfers or services related to blockchain activities.
There is currently no specific regulatory regime for, or prohibition on, the issuance of blockchain assets or ICOs in Ireland or at EU level.
However, just as the applicability of existing legal or regulatory requirements to a blockchain asset depends on its particular structure, an issuance may come within the scope of existing Irish legal regimes, depending on its specific characteristics.
In two statements from November 2017, ESMA alerted participants in ICOs of the potential applicability of MiFID II, AIFMD, the Prospectus Directive and the applicable AML rules, depending on the structure of the issuance, and alerted investors of the risks of ICOs.
Generally speaking, there is minimal regulation of blockchain asset trading platforms in Ireland (where the blockchain assets do not constitute MiFID II financial instruments – such as transferable securities – and are not otherwise in the scope of existing regulatory regimes). The EBA Crypto Report highlights the lack of regulatory consumer protection provided by blockchain asset-trading platforms and custodian wallet providers.
The AML and counter-terrorist financing rules of the CJA 2010 may apply, depending on the nature of the blockchain asset/issuance (eg, whether it constitutes a MiFID II financial instrument, or electronic money), the nature of activities undertaken (eg, payment services), the identity and regulated status of the actors and the method of payment. Once implemented, 5MLD will capture providers engaged in exchange services between virtual currencies and fiat currencies as well as custodian wallet providers.
Irish investment funds are either regulated as undertakings for collective investment in transferable securities (UCITS) or as alternative investment funds. In order for such investment funds to invest in blockchain assets, consideration needs to be given to whether such assets fall within the types of assets such funds are permitted to invest in. This analysis is most relevant for UCITS as such funds may only invest in transferable securities and other liquid assets. Given questions over the liquidity and valuation of crypto-assets, including blockchain assets, and the perceived risks involved with such investment, the Central Bank has stated in recent speeches that it does not consider that funds authorised for retail investors, in particular UCITS, should at this time provide exposure to crypto-assets, noting the difficulties for depositaries associated with providing safekeeping where direct investments in virtual currencies are proposed.
The European Commission Crypto Consultation seeks stakeholder views on whether and to what extent there may be challenges in applying the UCITS Directive and AIFMD to "security tokens". It is noted that for crypto-assets that are not security tokens (and do not qualify as financial instruments), the rules for "other assets" under the UCITS Directive and AIFMD apply, and in such cases the depositary needs to ensure the safekeeping (which involves verification of ownership and up-to-date recordkeeping) but not the custody. Practical obstacles still exist in the market to the extent that currently many depositaries are not comfortable that they can capably hold blockchain assets directly while also meeting their safekeeping obligations.
The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II.
5MLD contains a definition of virtual currencies and applies AML rules to certain actors (see elsewhere in this briefing).
There are inherent tensions between the GDPR and blockchain. In July 2019, the European Parliament published a study titled “Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law” that highlighted two main areas of tension, namely (i) the decentralised nature of many blockchains, which makes it difficult to identify a data controller against whom data subjects can enforce their legal rights under the GDPR; and (ii) the permanent nature of blockchain-recorded personal data, which creates challenges regarding the "right to be forgotten" and the principles of data minimisation and purpose limitation.
The study emphasises that “it is impossible to state that blockchains are, as a whole, either completely compliant or incompliant with the GDPR” and instead makes the point that compliance with the GDPR will depend on the particular blockchain use case, such that it requires a case-by-case assessment. The study acknowledges that blockchain networks that are private and permissioned will raise fewer GDPR compliance issues, as opposed to blockchain networks that are public and permissionless. The study provides a number of policy options for the European Parliament to consider, including the publication by the European Data Protection Board of specific guidance on blockchain technologies, the provision of funding for interdisciplinary research into blockchain technology and the development of codes of conduct and certification mechanisms within industries that use blockchain technology.
PSD 2 introduced two new regulated payment services: payment initiation service and account information service. A disruptive aspect of PSD 2 is the customer's right to make use of third parties to obtain payment initiation services and for third parties to access payment data to provide account information services. This facilitates open banking and opens up opportunities for challenger banks and other fintech firms to bring new products to market. Application programming interfaces are to be used for third-party access to online payment accounts.
PSD 2 imposes certain conditions on the access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data. In addition, the GDPR requires customers to be made fully aware, in a clear, concise and transparent fashion, of how their personal data will be used and by whom. It also provides for the right to withdraw consent, access to data and a right for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.