Contributed By Walkers
Ireland is home to well-developed and globally recognised technology and financial services sectors and is a fintech hub.
IDA Ireland, the industrial development agency in Ireland, reports that Ireland is the world's second-largest exporter of software, and that 16 of the top 20 global technology firms and 20 of the top 25 global financial institutions operate from the jurisdiction. In addition to technology firms including Microsoft, Google, Apple and Facebook, Ireland is home to over 430 international financial services companies (September 2019, government of Ireland).
Ireland is also home to a large number of fintech firms, the European home for global innovation labs (for companies such as Mastercard, Accenture, Deloitte, Google, ConsenSys, BNP Paribas and Citi) and incubators. The Central Bank of Ireland (the "Central Bank") established its Innovation Hub in April 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of the existing formal regulator/firm engagement processes. The Innovation Hub had facilitated 166 engagements as of the publication of the Central Bank's 2019 update.
Brexit Helps Drive Increase in Fintech Activity in Ireland
The past 12 months have seen continued fintech activity in Ireland and entities operating in the country, reflecting the positive ecosystem that has been developed. In addition, the ending of the transition period following the UK’s withdrawal from the EU (“Brexit”) and the consequent loss of the ability for UK firms to "passport" their UK authorisations to provide services into other EU member states has led a number of established fintech firms to locate operations and seek licences in Ireland. Examples include Coinbase and Stripe, both of which have obtained electronic money institution authorisations, which also allow for the provision of payment services. Other firms such as Revolut and Starling Bank have also indicated an intention to locate certain operations in Ireland.
Ireland has also fostered successful firms domestically; eg, Prepaid Financial Services, which was acquired by Australian firm EML Payments for USD162 million in 2020. In early 2021 it was announced that several Irish retail banks were seeking to create a digital money transfer service in response to fintech challengers.
The government's strategy for the development of Ireland’s international financial services sector to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies. In the next 12 months, fintech developments in Ireland are likely to continue to focus on the payments sector, regulatory technology ("regtech"), artificial intelligence and blockchain, amongst other sectors. From a regulatory or supervisory perspective, it is expected that anti-money laundering (AML), outsourcing, cyber and ICT risk, resilience as well as data protection will remain key topics.
EU Legislative Developments
EU legislation is implemented into Irish law and/or is directly applicable. In the context of virtual assets, changes to EU AML rules, which are expected to be implemented in Ireland imminently, will impact providers engaged in various services in respect of virtual assets. Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the "Crowdfunding Regulation") provides a framework for crowdfunding within the EU and allows for operators of crowdfunding platforms to obtain authorisation as a crowdfunding service provider, which can be passported across the EU. It applies from November 2021.
Other recent EU initiatives impacting fintech include the European Commission's September 2020 adoption of the Digital Finance Package (the "Digital Package"), which includes a proposal for a regulation on markets in crypto-assets ("MiCA"), a proposal for a regulation on a pilot regime for market infrastructures based on distributed ledger technologies and a proposal for a regulation on digital operational resilience for the financial sector. These proposals are not yet law, being at an early stage of the legislative process, and are subject to amendment prior to implementation. The current draft of MiCA proposes to implement a legislative framework including rules applicable to the issuance of crypto-assets and the provision of various services in relation to crypto-assets. MiCA also seeks to implement market abuse-type rules in relation to crypto-assets.
The Digital Package follows a public consultation in respect of a proposed EU regulatory framework for crypto-assets (the "Crypto Consultation"). In its April 2020 response to the Crypto Consultation, the Central Bank stated that it is supportive of the initiative and welcomes the development of a more harmonised approach to crypto-assets, although it raised concerns with certain issues, including the monetary policy implications of the emergence of global stablecoins.
The Central Bank has commented that fintech activity in Ireland is at its most intense in the payments sector. This is reflected in an increased number of authorised payment institutions and electronic money institutions in Ireland in recent years, including Stripe, Coinbase (a cryptocurrency platform), MoneyCorp and SumUp. Bigtech firms have also established in this space, and it is likely that payment services will continue to be an area of focus in Ireland. This is helped by the existing fintech and payments-friendly ecosystem, but is also attributable to the impact of Brexit, which has already led a number of payments firms to locate EU operations in Ireland.
A number of international challenger banks are operating in Ireland on a cross-border basis and may soon open operations in the country or are in the licensing process.
Other prominent areas for fintech in Ireland include regtech and digital identity, asset management solutions and financial software. Peer-to-peer lending platforms have also established in Ireland.
In the insurance sector, the Central Bank has reported that it has seen firms developing models to offer on-demand insurance. In addition, it has indicated that one of the key technologies driving innovation in insurance is telematics and wearable technology, which may reward good behaviour with lower premiums.
A number of firms established in Ireland are carrying out work in relation to blockchain solutions. The Central Bank has indicated that, in the context of its Innovation Hub, in the area of markets and exchanges the highest adoption of more advanced technology has been seen, with 71% of enquiries involving blockchain-related applications.
Fintech firms must look to the regulatory regimes that may be applicable to their business model on a case-by-case basis. Fintech-specific legislative developments are in the pipeline with the implementation of amendments to AML legislation applying a registration requirement and AML obligations to certain virtual asset service providers expected imminently, the Crowdfunding Regulation applying from November 2021 and, in the longer term, the introduction of MiCA and the Digital Package, which will provide a bespoke regulatory framework for crypto-assets.
In relation to the provision of payment services or issuance of electronic money, the primary rules to be considered are the European Union (Payment Services) Regulations 2018 (the “Payment Services Regulations”) (which transpose Directive 2015/2366/EU (PSD 2) into Irish law) or the European Communities (Electronic Money) Regulations 2011 (the “Electronic Money Regulations”) (which transpose Directive 2009/110/EC (“Electronic Money Directive”) into Irish law). The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (CBA 1997) may be relevant to a money transmission service falling outside the Payment Services Regulations.
Challenger banks seeking to undertake "banking business" require a bank licence under the Central Bank Act, 1971 (CBA 1971) and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Banking business, in summary, means any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds and the granting of credits on own account. Licensing decisions are taken by the European Central Bank.
Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” in their name, as this is restricted under the CBA 1971.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, a case-by-case analysis is required.
Investment Services/Asset Management
Depending on the services provided, a fintech firm providing asset management solutions may be subject to regulation. For example, if the activities constitute "investment services" in respect of "financial instruments" for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment business services, including depository or administration services, would require authorisation under, for example, the Investment Intermediaries Act 1995 (IIA). Fund management companies are also regulated.
There is currently no bespoke regulation of peer-to-peer or crowdfunding platforms in force, although the Crowdfunding Regulation will apply from November 2021. Depending on the services they provide, a number of existing rules may also be applicable and are discussed elsewhere in this guide.
Firms providing software or blockchain solutions will need to examine the particular service they are offering and activities they are undertaking in order to assess if a licence or registration is required. These firms will need to consider the imminent AML developments (see below) and, in the longer term, MiCA.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010) implements the Fourth Money Laundering Directive (Directive (EU) 2015/849) (4MLD) into Irish law. Fintech firms that are "designated persons" due to the services they provide will be subject to the requirements of the CJA 2010. Firms that do not hold a financial services licence or authorisation, but that are within the scope of the CJA 2010 (for example, commercial lenders or financial leasing firms), are subject to the AML requirements and are also required to register with the Central Bank for money laundering purposes.
The Fifth Money Laundering Directive (Directive (EU) 2018/843) (5MLD) is expected to be fully implemented into Irish law in the first quarter of 2021. When implemented, AML regulation will be extended to include "virtual asset service providers", which will include persons engaging in exchange services between virtual assets and/or virtual assets and fiat currencies, transfers of virtual assets, the provision of custodian wallet services and/or the participation in, and provision of, financial services related to an issuer’s offer or sale of virtual assets. Virtual asset service providers will be required to register with the Central Bank.
Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD 2 (eg, strong customer authentication) where they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber risks. Such guidance includes the European Banking Authority (EBA) revised Guidelines on ICT and security risk management, which became applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions on 30 June 2020, and the Central Bank's September 2016 Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks. Other cybersecurity and criminal legislation or guidance may also be relevant.
In the longer term, the Digital Package includes a proposal for a regulation on digital operational resilience for the financial sector.
Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of regulatory status or services being provided.
The GDPR was designed to be technology neutral, meaning that it protects personal data notwithstanding the technology used or how the personal data is stored. However, such neutrality means that fintech firms will be presented with challenges when navigating through the obligations imposed by the GDPR. Amongst the issues to be considered are transfers of personal data to countries outside of the EEA (which includes the UK post-Brexit), provision of transparent and accessible privacy notices, the principles of "privacy by design" and "privacy by default", implementation of risk-based data security measures, data breach reporting obligations and the enhanced rights of data subjects, including the right to be forgotten and the right to data portability.
The permissible compensation models for fintech firms will depend on the type of service they provide, their customer base, regulatory status and the rules applicable to those services or customer types. Similarly, disclosure requirements in relation to fees and charges will depend on these factors.
As a general rule, there is no differentiation between services provided by fintech firms or legacy players. However, some regulated services or activities are more likely to be carried on by fintech firms.
There is currently no regulatory sandbox in Ireland. The Central Bank has established an Innovation Hub to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of existing formal regulator/firm engagement processes. As part of the Digital Package, the European Commission has proposed a regulation that seeks to create a sandbox for the integration of blockchain technology into European financial market infrastructure.
The Central Bank is the financial services regulator in Ireland with responsibility for authorisation and supervision of financial service providers. The Central Bank supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.
The European Central Bank is the competent licensing authority for new Irish credit institutions (banks) and it supervises significant credit institutions directly under the Single Supervisory Mechanism.
The Data Protection Commission is the Irish supervisory authority for the GDPR.
If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service unless it can rely on an exemption.
Separately, for regulated firms that are engaging in outsourcing of regulated and unregulated functions, a number of rules and requirements may apply. These are generally sector specific; for example, the Payment Services Regulations and MiFID II contain outsourcing requirements relevant to in-scope firms.
The EBA Guidelines on outsourcing arrangements (the “EBA Outsourcing Guidelines”) are applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions, and set out a number of requirements for internal governance and risk management as well as specific requirements in relation to outsourcing contracts. These requirements include the vendor agreeing to provide access and audit rights for the regulated firm and its regulators for critical or important functions.
The European Securities and Markets Authority (ESMA) has published Guidelines on outsourcing to cloud service providers (the "ESMA Cloud Guidelines"), which apply to a broad range of regulated financial service providers falling under ESMA's remit. The ESMA Cloud Guidelines apply from 31 July 2021, and in-scope entities must review and amend their cloud outsourcing arrangements to align with these requirements by 31 December 2022. The European Insurance and Occupational Pensions Authority has also published Guidelines on outsourcing to cloud service providers (the "EIOPA Cloud Guidelines"), which apply to the insurance sector from 1 January 2021.
Of more general application is the November 2018 Central Bank Outsourcing Discussion Paper (the “CBI Outsourcing Paper”), which sets out certain regulatory findings and expectations the Central Bank has for outsourcing by entities that it regulates, including in relation to outsourcing contracts.
The extent to which any fintech provider is deemed to be a "gatekeeper" will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements as discussed throughout this chapter, or may be within the scope of Irish AML legislation. Where AML legislation is applicable, fintech providers may be required to undertake customer due diligence and may be subject to an obligation to identify, escalate and report to the authorities transactions they determine to be suspicious or unlawful.
The Criminal Justice Act 2011 imposes a reporting obligation on a person that has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence” to disclose this information to the Garda Síochána (the Irish police force).
The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities.
It is noteworthy that the Irish authorities have successfully confiscated cryptocurrencies that were determined to be assets that were the proceeds of crime by the Irish courts (in the case of CAB v Mannion  IEHC 729).
Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland. These include data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.
Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. A broad range of bodies may be relevant during a firm's life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges, and the Financial Services and Pensions Ombudsman.
For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless restricted by its financial services licence. Under both the Payment Services Regulations and Electronic Money Regulations, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.
The Consumer Protection Code 2012 (CPC) applies to Irish regulated entities and EEA firms operating in Ireland on a branch basis or cross-border basis. The CPC primarily impacts services provided to consumers (for example, individuals and certain small companies), although certain services are excluded from its scope (for example, MiFID II services).
Under the CPC, regulated entities must use a prescribed form regulatory disclosure statement in certain circumstances. This statement cannot be used in communications with a consumer unless the communications relate solely to a regulated activity. A regulated entity must have separate sections on any website it operates, for regulated activities and any other activities that it carries out. In addition, the CPC restricts contingent selling by regulated entities and provides restrictions or requirements in relation to bundling of services.
Per the EBA Glossary for Financial Innovation, robo-advisers are defined as “Applications that combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisors may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions” (“Robo-advisers”).
While the specific services and business models of differing Robo-advisers will vary, once the activities of the Robo-adviser constitute MiFID II "investment services" in respect of "financial instruments", they will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.
The MiFID II investment services most likely to be triggered by Robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include:
MiFID II investment firms are subject to extensive conduct of business rules when providing investment services. The authorisation requirements and process will help shape and define a MiFID II investment firm’s business model.
The MiFID Regulations requirements in relation to suitability assessments will also affect Robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability – which define Robo-advice as “the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool” – are stated to be particularly applicable to Robo-advisers, given the limited amount or total absence of human involvement in the investment service performance process.
No information is available in this jurisdiction.
A Robo-adviser authorised under the MiFID Regulations that executes orders on behalf of clients is subject to the MiFID II rules, including the obligation to execute orders on terms most favourable to its clients and the client order handling rules. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders.
There are significant differences between the regulation of lending to individuals and companies in Ireland.
Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland. By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. This is a domestic Irish requirement. The Consumer Credit Act, 1995 (CCA) contains another domestic-only regime whereby a person who meets the definition of a “moneylender” lending to consumers is required to obtain authorisation in certain circumstances.
Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and small and medium enterprises (SMEs) requires authorisation in certain circumstances. Where a business provides payment services (eg, issuing a payment instrument) as part of its business model, it may be required to seek authorisation under the Payment Services Regulations or the Electronic Money Regulations. The domestic Irish regime governing money transmission businesses under the CBA 1997 may alternatively be relevant.
Lending to individuals acting outside their business is subject to the requirements of a range of consumer protection legislation. Additional rules apply in respect of mortgage lending.
Regulated financial service providers (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the CPC and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (the “SME Regulations”).
Irish conduct of business rules and legislation requires creditworthiness or suitability assessments in certain circumstances. For example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.
Ireland has established a Central Credit Register (CCR) under the Credit Reporting Act 2013 (CRA). The CRA requires lenders to check the CCR prior to advancing in-scope credit, and also imposes a requirement on lenders to report information relating to certain loans and borrowers.
Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.
Dedicated lending entities – for example, a retail credit firm – may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending.
It is not typical for consumer loans or loans to small businesses to be syndicated. Where peer-to-peer lending is taking place, there may be multiple bilateral loan agreements. The Crowdfunding Regulation will provide a European framework for peer-to-peer lending platforms.
Payment processors may use existing payment infrastructure or create or implement new ones, so long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.
Cross-border payments may be regulated under the Payment Services Regulations, which cover services including the execution of various forms of payment transactions, issuing payment instruments and money remittance. There are also requirements in respect of wire transfers, credit transfers and direct debits; eg, the Single Euro Payments Area (SEPA).
Fund administrators in Ireland are generally authorised pursuant to the IIA but may also be authorised pursuant to the MiFID Regulations depending on the types of activities to be undertaken.
In addition, fund administrators are subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017, the Central Bank's Investment Firms' Q&A and the Investor Compensation Act 1998.
Boards of directors of Irish investment funds and fund management companies ("Boards") require administrators to enter into service level agreements setting out in granular detail the services described in the administration agreement and the parties' expectations in terms of timing, performance, escalation of issues and actions to be taken in the event of non-compliance with specific provisions of the service level agreement.
In addition, administrators are being requested to provide key performance indicators as part of their quarterly reporting to Boards in respect of services such as the calculation and release of the net asset value. Such requests are a result of increased focus by regulators on oversight of service providers, which has resulted in the contractual terms relating to ongoing reporting by the fund administrator becoming increasingly important.
The increasing reliance by firms operating within the global financial sector on information technology has led to a focus by regulators and firms alike on improving cybersecurity and data protection within the financial industry. As fund administrators maintain trading data, account details and extremely sensitive investor information, they are at particular risk from the evolving sophistication of cyber-attacks and the heightened frequency of data breaches. Accordingly, Boards are increasingly seeking to impose contractual terms that ensure fund administrators have appropriate IT and cybersecurity risk management procedures and frameworks in place to protect against cybercrime and data breaches, as well as IT disaster recovery and business continuity planning arrangements encompassing the recovery and resumption of daily operations should a disruptive event occur. These provisions stem from the sharpened focus of regulators on data protection as well as the management of cybersecurity across the financial sector, but also from an increasing awareness by industry of the devastating financial and reputational implications that a successful cyber-attack could yield.
Fund administrators are likely to be under a contractual obligation to report any data breaches and cybersecurity issues that may impact their client. They may also be subject to industry guidance and best practice in this regard.
The activity of operating a peer-to-peer crowdfunding platform is not currently regulated in Ireland as a distinct activity, although the application of the Crowdfunding Regulation from November 2021 will provide a European framework for debt and investment-based crowdfunding, including an authorisation requirement.
In summary, this will provide for a single set of rules that will apply to crowdfunding offers in the EU up to EUR5 million over a 12-month period. A platform operator can become authorised as a crowdfunding service provider and can provide crowdfunding services across the EU on the basis of its home state authorisation.
Certain crowdfunding activities may currently already be within the scope of investment services legislation (such as MiFID II or prospectus requirements) where MiFID II financial instruments are offered and/or funds regulation where collective investment undertakings are involved. In addition, crowdfunding platforms arranging or offering to arrange loans to individuals who are consumers for commission or payment may require authorisation as credit intermediaries under the CCA.
Payment services involving fiat currencies will typically have to be carried out by a regulated payment service provider, in accordance with the conduct of business rules contained in the Payment Services Regulations. The Irish regime governing money transmission businesses under the CBA 1997 may alternatively be relevant.
The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of investment firms and various types of securities exchanges, including market operators, regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).
Where a crypto-asset amounts to a MiFID financial instrument, a crypto-exchange will be subject to regulation under the MiFID Regulations. Pure cryptocurrency platforms that do not involve MiFID financial instruments do not currently require authorisation in Ireland. However, proposed amendments implementing 5MLD will bring providers engaged in multiple services, including exchange services between virtual assets and/or virtual assets and fiat currencies within the scope of Irish AML requirements, including a registration requirement. Implementation into Irish law is expected imminently.
Crypto-exchanges should also consider whether they are providing payment services and/or, such as where issuing their own tokens, electronic money. In the longer term, MiCA proposes to regulate the operation of crypto-asset exchanges, with the operation of such an exchange being a regulated service that will require authorisation.
No information is available in this jurisdiction.
The imminent implementation of 5MLD will bring providers of exchange services between various virtual assets and between virtual assets and fiat currencies within the scope of Irish AML legislation. MiCA also proposes to require the providers of crypto-asset exchange services to obtain authorisation.
No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Exchanges for MiFID II financial instruments established under the MiFID Regulations will usually have detailed listing/admission to trading rules to ensure transparency and compliance with applicable laws and regulation (eg, the Euronext Dublin Listing Rules), while rules in relation to the requirement to publish a prospectus may also be relevant.
No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms when executing orders in MiFID II financial instruments.
No information is available in this jurisdiction.
No formal best execution standards apply to an unregulated platform in Ireland; general contractual principles should apply.
Detailed best execution standards apply for MiFID II investment firms dealing in MiFID II financial instruments.
The MiFID II inducements, conflicts of interests and best execution rules will apply to all MiFID II investment firms.
In February 2021 comments in response to the January 2021 surge in trading and associated price volatility of shares in US retailer GameStop, the chair of ESMA stated: "The phenomenon of zero-commission trading needs to be looked at in more detail. To be sure, as such lower costs for retail investors are a welcome development, given the importance of costs in determining investors’ long-term returns. However, there is no such thing as a free lunch. Payments for order flow from third parties such as market makers may substitute commissions that are otherwise paid by clients, creating conflicts of interest and resulting in less transparency for retail clients. In my view, the practice of payment for order flow needs to be carefully assessed against the MiFID II requirements on conflicts of interest, best execution and inducements."
In addition to domestic requirements, Ireland has implemented EU securities markets legislation, certain of which are applicable directly. These measures include:
See 9.2 Regulation of Unverified Information and 9.3 Conversation Curation in relation to Market Abuse.
The primary method of regulation of these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments, so asset classes outside the scope of regulation under the MiFID Regulations will not be regulated.
Specific, detailed rules apply where a MiFID II investment firm engages in algorithmic trading to pursue a market-making strategy. These include carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours, and entering into a binding written agreement with the trading venue.
No information is available in this jurisdiction.
Programming is not a regulated activity in Ireland. It will need to be assessed on a case-by-case basis whether programs or programmers are carrying out regulated activities, in which case the applicable regulations will be relevant.
Platforms providing financial research are not specifically regulated by the Central Bank. However, participants and platforms should consider whether a regulated investment service is being provided.
The provision of investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments is an ancillary service under Part 2 of Schedule 1 of the MiFID Regulations. The provision of this service without any other MiFID II investment services would not trigger a requirement for authorisation as a MiFID II investment firm.
In contrast, the provision of investment advice (as defined in MiFID II) in relation to MiFID II financial instruments is an activity requiring authorisation under the MiFID Regulations, unless an exemption applies.
The MiFID Regulations and Commission Delegated Regulation (EU) 2017/565 provide requirements in relation to conflicts of interest and inducements that apply to regulated MiFID II investment firms in relation to research.
The IIA regulates the provision of investment advice in relation to investment instruments, subject to certain exemptions. The IIA definition of investment instruments captures certain instruments that are not MiFID II financial instruments and certain activities or firms that might fall outside the MiFID Regulations.
The Market Abuse Regulation (Regulation (EU) 596/2014) (MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“Market Abuse”) as well as measures to prevent Market Abuse.
MAR prohibits insider dealing, the unlawful disclosure of inside information, market manipulation and attempted market manipulation. Market manipulation is broadly defined under MAR, and includes disseminating information through the media, including the internet or by any other means, that gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of a financial instrument, a related spot commodity contract or an auctioned product based on emission allowances or secures, or is likely to secure, the price of one or several MiFID II financial instruments, a related spot commodity contract or an auctioned product based on emission allowances at an abnormal or artificial level, including the dissemination of rumours, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.
Recital 48 to MAR confirms that, given the rise in the use of websites, blogs and social media, disseminating false or misleading information via the internet (including through social media sites or unattributable blogs) should be considered to be equivalent to doing so via more traditional communication channels for the purposes of MAR.
In summary, MAR applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made or traded on an OTF and certain other financial instruments, the price or value of which depends on, or has an effect on, the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue. The terms “regulated market”, “MTF”, “OTF” and “trading venue” are defined in MiFID II.
Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (the “MAR Regulations”), is an offence in Ireland. The MAR Regulations also provide for certain civil sanctions for breaches of MAR, such as a breach of the prohibition on market manipulation.
In a February 2021 statement in relation to the January 2021 trading of shares in GameStop, ESMA advised retail investors to be careful when taking investment decisions based exclusively on information from social media and other unregulated online platforms if they cannot verify the reliability and quality of that information. This ESMA statement also set out the following in respect of market abuse: "Discussing the opportunity to buy or sell the shares of an issuer does not constitute market abuse. However, organising or executing coordinated strategies to trade or place orders at certain conditions and times to move a share’s price could constitute market manipulation.
"Similarly, special care should be taken when posting information on social media about an issuer or a financial instrument, as disseminating false or misleading information may also be market manipulation. Additionally, care should be taken when disseminating investment recommendations through any media, including social media and online platforms, as they are subject to a number of regulatory requirements."
The MAR prohibition on market manipulation (including attempted market manipulation) includes a prohibition on “taking advantage of occasional or regular access to the traditional or electronic media” to voice opinions about in-scope instruments with a view to profiting from the impact of those opinions, without having simultaneously publicly disclosed that conflict of interest.
MAR is also intended to ensure that the prohibitions against market abuse should also cover those persons who act in collaboration to commit market abuse, so the platform should ensure it takes steps to avoid being seen to collaborate with such activity.
Liability under the MAR Regulations can also attach to an entity that collaborates or facilitates market abuse/manipulation. MAR also requires member states (including Ireland) to put mechanisms in place to allow for the reporting of infringements of MAR (ie, whistle-blowing mechanisms).
The EU’s Solvency II regime (as implemented in Ireland) applies to the majority of Irish (re)insurance undertakings, including the underwriting process of these undertakings.
The Solvency II framework sets out detailed requirements around capital, governance and risk management in all Irish and EU authorised (re)insurance undertakings.
In broad summary, Solvency II undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015, to carry on either life insurance business, non-life insurance business, or both.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland as these will typically involve supporting technical services rather than regulated financial services. However, certain exceptions to this position could apply, depending on the nature of the regtech service performed and the nature of the entity to which such services are provided. Therefore, a case-by-case analysis is required.
Depending on the particular service provided and the particular financial services firm receiving those services, they may fall within the legal and regulatory requirements governing outsourcing and this will impact the contractual provisions required.
For example, where a MiFID II investment firm outsources “a critical or important function”, outsourcing rules apply under the MiFID II framework. Similar issues would arise where regulated payment institutions, electronic money institutions, credit institutions and other regulated entities engage in outsourcing. In these circumstances, regulated firms should require regtech outsourcing agreements to reflect the applicable rules.
The Central Bank has issued the CBI Outsourcing Paper, wherein it sets out its minimum supervisory expectations for the outsourcing agreements of Irish regulated financial service providers. The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. In addition, specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The EBA has commented that it is imperative that business continuity and data protection are appropriately considered when outsourcing IT or data services. The ESMA Cloud Guidelines and the EIOPA Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis.
Outsourcing is a particularly topical issue for the Central Bank.
Regtech providers may have legal and regulatory or contractual obligations to notify certain behaviour, depending on their regulatory status and contractual arrangements, the sector in which they operate and the information and material that they come into contact with.
Domestic institutions are investigating the use of blockchain, and certain institutions have conducted trials in this area, including in the area of payments. We.trade, a blockchain-based trade finance service provider that was established by an international consortium of banks, is based in Dublin.
In addition, in May 2019, the Institute of Banking, domestic banks Bank of Ireland, AIB and Ulster Bank (part of the RBS Group), and Deloitte announced that they are collaborating to develop a financial services industry education platform based on blockchain technology. The platform will support the verification, tracking, direct access to, and management of, regulatory and other professional designations, education qualifications and lifelong learning credentials.
The Central Bank has not provided any specific regulatory updates or guidance to address blockchain technology, other than issuing consumer warnings regarding the risks of both cryptocurrencies and initial coin offerings (ICOs). In a January 2020 speech, the Central Bank stated that it plans to subject virtual asset service providers to intense supervision as it increases its understanding of their business models and service.
Ireland does not have any legislation specific to blockchain technologies, although the implementation of 5MLD will bring various services related to virtual assets within the scope of Irish AML legislation.
The January 2019 EBA report with advice for the European Commission on crypto-assets (the “EBA Crypto Report”) and ESMA advice in relation to initial coin offerings and crypto-assets (the “ESMA Crypto Report”) provide useful information in relation to the interpretation of blockchain assets within existing rules and highlighting gaps, as well as suggesting that further consideration be given at an EU level to legislating in the area. This work fed into the Crypto Consultation, which, amongst other things, looked at crypto-assets that are covered by EU rules and whether the rules can be effectively applied, as well as crypto-assets that are not covered by EU rules at present, and a possible common regulatory approach. The Crypto Consultation, in turn, has fed into the Digital Package and MiCA.
The government's international financial services sector strategy document to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies.
The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender, and has also issued a consumer warning regarding the risks of ICOs.
Definition of "Virtual Assets" under Proposed Legislation
While 5MLD includes a definition of "virtual currencies", the proposed Irish implementation instead uses the term "virtual asset", which will align Irish legislation with the relevant Financial Action Task Force recommendations. The draft Irish implementing legislation defines "virtual asset" as "a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets".
The current draft of MiCA also defines various forms of blockchain assets, including:
Blockchain assets and/or services in relation to those assets may fall within existing regulatory regimes and, depending on the features of a particular blockchain asset, its legal classification may vary.
MiFID II Definition of Transferable Securities Significance to Regulatory Approach
One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security. Given the variance in structure among blockchain assets, it is necessary to analyse individual blockchain assets against the criteria for the MiFID II financial instrument of “transferable securities”, defined under Article 4 (1) (44) of MiFID II as those “classes of securities which are negotiable on the capital market, with the exception of instruments of payment, such as:
(a) shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
(b) bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
(c) any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures."
If a blockchain asset is determined to be a transferable security, then it falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR. The ESMA Crypto Report also states that several European regulators considered that certain types of crypto-assets could qualify as units in collective investment undertakings (another MiFID II financial instrument), most likely alternative investment funds, and thus the Alternative Investment Fund Managers Directive (Directive 2011/61/ EU) (AIFMD) could be relevant. The ESMA Crypto Report notes that existing rules that may be applicable do not fit perfectly with the characteristics of blockchain.
In very broad terms, a blockchain asset with characteristics that are similar to shares, bonds or other securities, or related derivatives, including being transferable, will be more likely to fall within the definition of a “transferable security”. An investment-type blockchain asset may be more likely to have these characteristics, while the ESMA Crypto Report specifically notes that a pure payment-type cryptocurrency (such as Bitcoin) is less likely to be considered a “transferable security”. The ESMA Crypto Report cautions against extrapolating its analysis against the entire crypto-asset universe.
Crypto-Assets and Payment Services under the Electronic Money Directive
In the EBA Crypto Report, the EBA notes that a crypto-asset can qualify as electronic money under the Electronic Money Directive, and thus fall to be regulated under that directive, provided the following circumstances are met:
Additionally, if a person performs a "payment service" as listed in PSD 2 with a blockchain asset that qualifies as "electronic money" under the Electronic Money Directive, such activity would fall within the scope of PSD 2 by virtue of constituting "funds". More generally, PSD 2 and the domestic Irish regime of money transmission should also be considered in the context of fiat transfers or services related to blockchain activities.
There is currently no specific regulatory regime for, or prohibition on, the issuance of blockchain assets or ICOs in Ireland or at EU level, although the provision of services in relation to such issuances will be within the scope of Irish AML legislation following the implementation of 5MLD. Additionally, MiCA proposes to impose extensive requirements on the issuers of blockchain assets.
As with the applicability of the existing legal or regulatory requirements to a blockchain asset depending on its particular structure, an issuance may come within the scope of existing Irish legal regimes, depending on its specific characteristics.
In two statements from November 2017, ESMA alerted participants in ICOs of the potential applicability of MiFID II, AIFMD, the Prospectus Directive and the applicable AML rules, depending on the structure of the issuance, and alerted investors of the risks of ICOs.
At the time of writing, there is no specific regime regulating blockchain asset trading platforms. However, the imminent implementation of 5MLD will bring the provision of exchange services between various virtual assets and/or between virtual assets and fiat currency within the scope of Irish AML legislation.
The operation of blockchain asset trading or exchange platforms may involve the issuance of electronic money or provision of payment services, in order to facilitate wallet and payment features.
Where blockchain assets constitute MiFID II financial instruments – such as transferable securities – then the operation of a trading platform will be in the scope of existing regulatory regimes.
Existing Irish AML legislation may also be applicable, depending on the nature of the blockchain asset/issuance, the nature of activities undertaken (eg, payment services), the identity and regulated status of the actors and the method of payment. Platforms will also need to consider data protection and cybersecurity requirements where applicable.
MiCA also proposes to impose requirements in relation to the provision of exchange services.
Irish regulated investment funds are either authorised as undertakings for collective investment in transferable securities (UCITS) or as alternative investment funds. In order for such investment funds to invest in blockchain assets, consideration needs to be given to whether such assets fall within the types of assets such funds are permitted to invest in. This analysis is most relevant for UCITS, as such funds may only invest in transferable securities and other liquid assets. Given questions over the liquidity and valuation of crypto-assets, including blockchain assets, and the perceived risks involved with such investment, the Central Bank has stated that it does not consider that funds authorised for retail investors – in particular, UCITS – should at this time provide exposure to crypto-assets, noting the difficulties for depositaries associated with providing safekeeping where direct investments in virtual currencies are proposed.
As part of the Digital Package, the European Commission published legislative proposals relating to crypto-assets that, once finalised, should provide certainty in terms of:
Currently for crypto-assets that do not qualify as financial instruments, the rules for "other assets" under the UCITS Directive and AIFMD apply and in such cases the depositary needs to ensure the safekeeping (which involves verification of ownership and up-to-date record-keeping) but not the custody of such assets. Practical obstacles still exist in the market to the extent that currently many depositories are not comfortable that they can capably hold blockchain assets directly while also meeting their safekeeping obligations.
The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II.
DeFi transactions will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area and the authors expect to see increasing regulatory interest in DeFi.
PSD 2 introduced two new regulated payment services: payment initiation service and account information service. A disruptive aspect of PSD 2 is the customer's right to make use of third parties to obtain payment initiation services and for third parties to access payment data to provide account information services. This facilitates open banking and opens up opportunities for challenger banks and other fintech firms to bring new products to market. Application programming interfaces are to be used for third-party access to online payment accounts.
PSD 2 imposes certain conditions on the access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.
In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the right to withdraw consent, access to data and a right for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.