Contributed By Walkers (Ireland) LLP
Ireland is home to well-developed and globally recognised technology and financial services sectors, and is a fintech hub.
IDA Ireland (the country's industrial development agency) reports that Ireland is the world's second-largest exporter of software, and that 16 of the top 20 global technology firms and 20 of the top 25 global financial institutions operate from the jurisdiction.
Ireland is also home to a large number of fintech firms and to European global innovation labs and incubators. The Central Bank of Ireland (the “Central Bank”) established its Innovation Hub in April 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of the existing formal regulator/firm engagement processes. In 2021, the Innovation Hub received 83 enquiries, representing a 19% increase on 2020, as of the publication of the Central Bank's 2021 update.
Increase in Fintech Activity in Ireland
Recent years have seen an increase in fintech activity in Ireland and in the number of entities operating in the country, reflecting the positive ecosystem that has been developed. Ireland is a popular location for firms seeking an EU base from which to “passport” their Irish authorisations to provide services into other EU member states, and that popularity has increased further following the UK’s withdrawal from the EU (“Brexit”). Coinbase, Stripe, Gemini Payments and Modulr, for example, have obtained electronic money institution authorisations, which also allow for the provision of payment services. Virtual asset service providers (VASPs) are also establishing in Ireland, with Gemini, Zodia, Coinbase and Paysafe all being registered in the last 12 months.
The government's strategy for the development of Ireland’s international financial services sector to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies. More recently, Ireland's sustainable finance strategy for the fintech sector launched in October 2022, in order to support the development of innovative technology solutions to environmental, social and governance (ESG) challenges.
In the short term, fintech developments in Ireland are likely to continue to focus on the payments sector, regtech, artificial intelligence and blockchain, among other sectors. From a regulatory or supervisory perspective, it is expected that anti-money laundering (AML), outsourcing, data protection and governance will remain key topics.
The Central Bank has published Guidance on Operational Resilience and on Outsourcing, which, along with existing Guidance on IT and Cybersecurity Risks, require regulated firms in the Irish market to review their frameworks. In addition, regulated financial service providers will prepare for the enactment of the Central Bank (Individual Accountability Framework) Bill 2022.
EU Legislative Developments
EU legislation is implemented into Irish law and/or is directly applicable. In the context of virtual assets, the Fifth Money Laundering Directive (Directive (EU) 2018/843) (5MLD), as transposed into Irish law by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021, affects providers engaged in various services in respect of virtual assets. Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the “Crowdfunding Regulation”) provides a framework for equity and peer-to-peer lending-based crowdfunding within the EU, and allows operators of crowdfunding platforms to obtain authorisation as a crowdfunding service provider, which can be passported across the EU. The Crowdfunding Regulation came into force on 10 November 2021, with the transitional period ending on 10 November 2023 for existing providers who have sought authorisation.
Other EU initiatives impacting fintech include the European Commission's September 2020 adoption of the Digital Finance Package (the “Digital Package”), which includes the far-reaching Markets in Crypto Assets Regulation (MiCA), which will enter into force in 2023. The current draft of MiCA proposes the implementation of a legislative framework, including rules applicable to the issuance of crypto-assets and the provision of various services in relation to crypto-assets. MiCA also seeks to implement market abuse-type rules in relation to crypto-assets and an EU supervisory regime.
The EU distributed ledger technology (DLT) pilot regime commences in March 2023, creating a sandbox for the trading and settlement of DLT financial instruments. Market participants who intend to operate DLT market infrastructures under the DLT pilot regime should prepare an application in accordance with the “Guidelines on standard forms, formats and templates”, published by the European Securities and Markets Authority (ESMA) in December 2022. Of broader application is the EU Digital Operational Resilience Act (DORA), which entered into force in January 2023 and will apply from January 2025.
As part of the AML package, the European Commission proposed changes to the 2015 regulation on information accompanying transfers of funds, which would subject crypto-asset services providers regulated under MiCA to the “travel rule” and render them obliged entities for AML/CFT purposes. The application timeline of the updated transfer of funds regulation is expected to be aligned with that of MiCA.
The European Banking Authority (EBA) recently published its final Guidelines on the use of remote customer onboarding solutions, which are also relevant to fintech entities.
As part of the Digital Finance Strategy and the Retail Payments Strategy, the European Commission is actively involved in the ongoing review of Directive 2015/2366/EU (the Payment Services Directive – PSD2), by engaging in targeted consultations. The Eurosystem has a new framework for overseeing electronic payment instruments, schemes and arrangements, which will also cover crypto-asset-related services such as the acceptance of crypto-assets by merchants within a card payment scheme and the option to send, receive or pay with crypto-assets via an electronic wallet (the “PISA Framework”).
Lastly, the European Commission presented its artificial intelligence (AI) package in April 2021, including a proposal for a regulation laying down harmonised rules on AI (the “AI Act”). The EU draft AI regulation aims to regulate the use and development of AI systems in the EU, and will soon enter negotiation stages.
The Central Bank has commented that fintech activity in Ireland is at its most intense in the payments sector. This is reflected in an increased number of authorised payment institutions and electronic money institutions in Ireland in recent years, including Stripe, Coinbase (a cryptocurrency platform), Gemini Payments and Modulr. Bigtech firms have also established in this space, and it is likely that payment services will continue to be an area of focus in Ireland. This is helped by the existing fintech and payments-friendly ecosystem, while Brexit has also resulted in a number of payments firms locating their EU operations in Ireland.
Other areas for innovation include regtech, insurance, digital identity and asset management, with loan and investment crowdfunding set to increase.
In the context of its Innovation Hub, the Central Bank has commented on the increase in engagements regarding e-money and instant payments solutions, as well as decentralised finance (DeFi) and tokenisation projects.
Fintech firms must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis, as well as any new fintech-specific legislation. Fintech-specific legislative developments in the pipeline include the introduction of MiCA, which will provide a bespoke regulatory framework for crypto-assets in due course. Other developments include the implementation of amendments to AML legislation applying a registration requirement and AML obligations to certain VASPs, and the implementation of the Crowdfunding Regulation.
In relation to the provision of payment services or the issuance of electronic money, the primary rules to be considered are:
The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (CBA 1997) may be relevant to a money transmission service falling outside the PSR.
Challenger banks seeking to undertake “banking business” require a bank licence under the CBA 1971 and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) (as amended) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Banking business, in summary, means any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account. Licensing decisions are taken by the European Central Bank.
Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” in their name, as this is restricted under the CBA 1971.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland, as it will typically involve supporting technical services rather than regulated financial services. However, a case-by-case analysis is required.
Investment Services/Asset Management
Depending on the services provided, a fintech firm providing asset management solutions may be subject to regulation. For example, if the activities constitute “investment services” in respect of “financial instruments” for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment business services, including depository or administration services, would require authorisation under, for example, the Investment Intermediaries Act 1995 (IIA). Fund management companies, alternative investment fund managers and UCITS management companies are also regulated.
Following the implementation of the Crowdfunding Regulation, the operation of a loan or investment-based crowdfunding platform is now a regulated activity. However, depending on the services they provide, a number of existing rules may also be applicable, which are discussed elsewhere in this guide (eg, payment services).
Firms providing software or blockchain solutions will need to examine the particular service they are offering and the activities they are undertaking in order to assess whether a licence or registration is required. These firms will need to consider whether AML rules applicable to VASPs (see below) and, in the longer term, MiCA are applicable.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010), implements the European AML rules into Irish law.
The CJA 2010 was amended in 2021 to implement 5MLD to include a registration requirement for VASPs, which include persons engaging in:
The EBA recently published its final Guidelines on the use of remote customer onboarding solutions for credit and financial institutions, which include the steps such institutions should take when adopting or reviewing solutions to comply with their customer due diligence obligations when onboarding customers remotely.
As part of the AML package, the European Commission proposed changes to the 2015 regulation on information accompanying transfers of funds, which would subject crypto-asset services providers regulated under MiCA to the “travel rule” and render them obliged entities for AML/CFT purposes. The application timeline of the updated transfer of funds regulation is expected to be aligned with that of MiCA.
Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD2 (eg, strong customer authentication) if they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber-risks. Such guidance includes the EBA's revised Guidelines on ICT and security risk management, applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions, and the Central Bank's September 2016 Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks. The Central Bank's Guidance on Operational Resilience and on Outsourcing contains additional security requirements applicable to regulated firms. Other cybersecurity and criminal legislation or guidance may also be relevant.
DORA entered into force in January 2023 and will apply from January 2025, laying down specific requirements for financial institutions in the context of the security of network and information systems.
Furthermore, the technical, operational and organisational cybersecurity measures contained in Directive (EU) 2022/255 (NIS2) will be applicable to in-scope essential and important entities, which include cloud computing service providers, by the end of 2024.
Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of their regulatory status or the services being provided.
The GDPR was designed to be technology-neutral, meaning that it protects personal data no matter what technology is used or how the personal data is stored. However, such neutrality means that fintech firms will be presented with challenges when navigating through the obligations imposed by the GDPR. The issues to be considered include:
The permissible compensation models for fintech firms will depend on the type of service they provide, their customer base and regulatory status, and the rules applicable to those services or customer types. Similarly, disclosure requirements in relation to fees and charges will depend on these factors.
As a general rule, there is no differentiation between services provided by fintech firms or legacy players. However, some regulated services or activities are more likely to be performed by fintech firms.
There is currently no regulatory sandbox in Ireland. The Central Bank has established an Innovation Hub to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of existing formal regulator/firm engagement processes. As part of the Digital Package, the EU DLT pilot regime commenced in March 2023, creating a sandbox for the trading and settlement of DLT financial instruments.
The Central Bank is the financial services regulator in Ireland, with responsibility for the authorisation and supervision of financial services providers. It supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.
The European Central Bank is the competent licensing authority for new Irish credit institutions (banks), and supervises significant credit institutions directly under the Single Supervisory Mechanism.
The Data Protection Commission is the Irish supervisory authority for the GDPR.
If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service, unless it can rely on an exemption.
A number of rules and requirements may apply to regulated firms that are engaged in outsourcing regulated and unregulated functions. These are generally sector-specific – eg, the PSR and MiFID II contain outsourcing requirements that are relevant to in-scope firms.
In December 2021, the Central Bank implemented its Cross-Industry Guidance on Outsourcing (the “CBI Outsourcing Guidance”), which firms need to consider alongside specific outsourcing rules under various sectoral legislation. The CBI Outsourcing Guidance is heavily influenced by the EBA Guidelines on outsourcing arrangements (the “EBA Outsourcing Guidelines”).
The EBA Outsourcing Guidelines are applicable to credit institutions, certain investment firms, and payment institutions and electronic money institutions, and set out a number of requirements for internal governance and risk management, as well as specific requirements in relation to outsourcing contracts. These requirements include the vendor agreeing to provide access and audit rights for the regulated firm and its regulators for critical or important functions.
ESMA has also implemented guidelines on outsourcing to cloud service providers (the “ESMA Cloud Guidelines”), which apply to a broad range of regulated financial services providers falling under ESMA's remit. In-scope entities had to review and amend their cloud outsourcing arrangements to align with these requirements by 31 December 2022. The European Insurance and Occupational Pensions Authority has also published guidelines on outsourcing to cloud service providers (the “EIOPA Cloud Guidelines”).
The extent to which any fintech provider is deemed to be a “gatekeeper” will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements, as discussed throughout this chapter, or may fall within the scope of Irish AML legislation. Where AML legislation is applicable, fintech providers may be required to undertake customer due diligence and may be subject to an obligation to identify, escalate and report transactions they deem suspicious or unlawful to the authorities.
The Criminal Justice Act 2011 imposes a reporting obligation on a person who has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence”, who must disclose this information to the Garda Síochána (the Irish police force).
The Digital Markets Act (DMA) entered into force on 1 November 2022 and will be applicable from May 2023. It will require gatekeepers that have established a “core platform service” – including search engines, social networking services, app stores, web browsers, etc – to abide by various requirements around fairness and transparency.
The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities.
It is noteworthy that the Irish authorities have successfully confiscated cryptocurrencies that were determined by the Irish courts to be assets that were the proceeds of crime (in the case of CAB v Mannion (2018) IEHC 729). In Trafalgar Developments Limited v Mazepin  IEHC 7, the court granted worldwide freezing orders and disclosure orders over cryptocurrency wallets. In its 2020 Annual Report, the Irish Criminal Assets Bureau noted a 2019 seizure of cryptocurrency in excess of EUR53 million.
Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland. These include data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.
The Digital Services Act (DSA) and the DMA form a single set of rules to create a fairer digital space for users. The DMA will become applicable from May 2023 and applies to online gatekeepers that reach certain turnover volumes. The DSA entered into force on 16 November 2022 and will apply from January 2024. It will apply to various online intermediary services, such as large online search engines.
Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. The Central Bank has stated in its recent “Dear CEO Letter” that Irish payment and e-money firms, which are required to safeguard users’ funds, must obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR by an external audit firm by 31 July 2023.
A broad range of authorities may be relevant during a firm's life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges and the Financial Services and Pensions Ombudsman.
For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless restricted by its financial services licence. Under both the PSR and EMR, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.
The Consumer Protection Code 2012 (CPC) applies to Irish regulated entities and EEA firms operating in Ireland on a branch basis or cross-border basis, and primarily impacts services provided to consumers. Under certain circumstances, the CPC can require regulated entities to provide regulatory disclosure statements, which must relate solely to a regulated activity, and to have separate sections on their websites for regulated activities and any other activities.
The applicability of AML rules will depend primarily on whether a fintech company falls within the categories of “designated persons” under the CJA 2010. Where a fintech firm is regulated by the Central Bank, it will typically be a designated person, as would VASPs (which are not “regulated” but require an AML registration) and potentially other businesses, including lenders, operators of a casino, traders in artworks or cash traders in high-value goods.
The requirements imposed on designated persons include:
Under the EBA Glossary for Financial Innovation, robo-advisers are defined as applications that “combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisers may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions.”
While the specific services and business models of differing robo-advisers will vary, once the activities of a robo-adviser constitute MiFID II “investment services” in respect of “financial instruments”, it will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.
The MiFID II investment services most likely to be triggered by robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include:
MiFID II investment firms are subject to extensive conduct of business rules when providing investment services. The authorisation requirements and process will help shape and define a MiFID II investment firm’s business model.
The MiFID Regulations requirements in relation to suitability assessments will also affect robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability – which define robo-advice as “the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool” – are stated to be particularly applicable to robo-advisers, given the limited amount or total absence of human involvement in the investment service performance process.
No information is available in this jurisdiction.
A robo-adviser that is authorised under the MiFID Regulations and executes orders on behalf of clients is subject to the MiFID II rules, including the client order handling rules and the obligation to execute orders on terms most favourable to its clients. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders.
There are significant differences between the regulation of lending to individuals and to companies in Ireland.
Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland, although AML registration may be required.
The Crowdfunding Regulation facilitates peer-to-peer business lending, with crowdfunding service providers authorised to facilitate the granting of loans. Crowdfunding service providers can also perform individual portfolio management of loans for investors within certain criteria.
Loans to Individuals and SMEs
By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. This is a domestic Irish requirement. The scope of the Irish retail credit regime has recently expanded, through amendments made by the Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022, by introducing a broader definition of “credit” and capturing direct and indirect credit, meaning that, for example, buy-now-pay-later products are now within scope, as are hire-purchase agreements and consumer-hire agreements. The Consumer Credit Act, 1995 contains another domestic-only regime, whereby a person who meets the definition of a “moneylender” lending to consumers is required to obtain authorisation in certain circumstances.
Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and small and medium enterprises (SMEs) requires authorisation in certain circumstances. Again, this regime now also applies to hire-purchase agreements and consumer-hire agreements. The rules contained in Directive (EU) 2021/2167 will apply from December 2023. This directive applies to non-performing loans issued by banks established in the EU. In-scope credit servicers that are authorised in their home state can passport their services across the EU.
Lending to individuals acting outside their business is subject to the requirements of a range of consumer protection legislation. Additional rules apply in respect of mortgage lending.
Regulated financial service providers (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the CPC and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (the “SME Regulations”).
Irish conduct of business rules and legislation require creditworthiness or suitability assessments in certain circumstances; for example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.
Ireland has established a Central Credit Register (CCR) under the Credit Reporting Act 2013, which requires lenders to check the CCR prior to advancing in-scope credit and also imposes a requirement on lenders to report information relating to certain loans and borrowers.
Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.
Dedicated lending entities – eg, a retail credit firm – may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending – eg, via a crowdfunding service provider.
It is not typical for consumer loans or loans to small businesses to be syndicated. Where peer-to-peer lending is taking place, there may be multiple bilateral loan agreements. The Crowdfunding Regulation provides a European framework for peer-to-peer lending platforms.
Payment processors may use existing payment infrastructure or create or implement new payment rails, as long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.
Cross-border payments may be regulated under the PSR, which cover services including the execution of various forms of payment transactions, issuing payment instruments and money remittance. There are also requirements in respect of wire transfers, credit transfers and direct debits – eg, the Single Euro Payments Area (SEPA). The PISA Framework is also relevant to companies enabling or supporting the use of payment cards, credit transfers, direct debits, e-money transfers and digital payment tokens, including e-wallets.
Fund administrators in Ireland are generally authorised pursuant to the IIA but may also be authorised pursuant to the MiFID Regulations depending on the types of activities to be undertaken.
In addition, fund administrators are subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017, the Central Bank's Investment Firms' Q&A and the Investor Compensation Act 1998.
Boards of directors of Irish investment funds and fund management companies (“Boards”) require administrators to enter into service-level agreements setting out in granular detail the services described in the administration agreement and the parties' expectations in terms of timing, performance, escalation of issues and actions to be taken in the event of non-compliance with specific provisions of the service-level agreement.
In addition, administrators are being requested to provide key performance indicators as part of their quarterly reporting to Boards in respect of services such as the calculation and release of the net asset value. Such requests are a result of increased focus by regulators on the overseeing of service providers, which has resulted in the contractual terms relating to ongoing reporting by the fund administrator becoming increasingly important.
The increasing reliance by firms operating within the global financial sector on IT has led to a focus by regulators and firms alike on improving cybersecurity, operational resilience and data protection within the financial industry. As fund administrators maintain trading data, account details and extremely sensitive investor information, they are at particular risk from the evolving sophistication of cyber-attacks and the heightened frequency of data breaches. Accordingly, Boards are increasingly seeking to impose contractual terms that ensure fund administrators have appropriate IT and cybersecurity risk management procedures and frameworks in place to protect against cybercrime and data breaches, as well as IT disaster recovery and business continuity planning arrangements encompassing the recovery and resumption of daily operations should a disruptive event occur. These provisions stem not only from the sharpened focus of regulators on data protection and the management of cybersecurity across the financial sector, but also from an increasing industry awareness of the devastating financial and reputational implications that a successful cyber-attack could have.
Fund administrators are likely to be under a contractual obligation to report any data breaches and cybersecurity issues that may impact their client. They may also be subject to industry guidance and best practice in this regard.
The activity of operating a peer-to-peer crowdfunding platform is regulated under the Crowdfunding Regulation, which provides a European framework for loan and investment-based crowdfunding.
In summary, it provides for a single set of rules that apply to crowdfunding offers in the EU up to EUR5 million over a 12-month period. A platform operator can become authorised as a crowdfunding service provider and can provide crowdfunding services across the EU on the basis of its home state authorisation.
Payment Services Providers
Payment services involving fiat currencies will typically have to be carried out by a regulated payment services provider.
Investment Services, Exchanges and Trading Platforms
The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of investment firms and various types of securities exchanges, including market operators, regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).
The operation of a crypto-asset exchange from Ireland, involving either exchange services between virtual assets and/or virtual assets and fiat currencies, will require registration as a VASP. Where a crypto-asset amounts to a MiFID financial instrument, a crypto-exchange will be subject to regulation under the MiFID Regulations.
Crypto-exchanges should also consider whether they are providing payment services and/or electronic money (where issuing their own tokens). In the longer term, MiCA will regulate the operation of crypto-asset exchanges, once applicable (which is expected to be in 2025), with the operation of such an exchange being a regulated service that will require authorisation.
No information is available in this jurisdiction.
The implementation of the 5MLD brings providers of exchange services between various virtual assets and between virtual assets and fiat currencies within the scope of Irish AML legislation. MiCA also proposes to require the providers of crypto-asset exchange services to obtain authorisation.
No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Exchanges for MiFID II financial instruments established under the MiFID Regulations will usually have detailed listing/admission to trading rules to ensure transparency and compliance with applicable laws and regulations (eg, the Euronext Dublin Listing Rules); rules in relation to the requirement to publish a prospectus may also be relevant.
No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms when executing orders in MiFID II financial instruments.
No information is available in this jurisdiction.
No formal best execution standards apply to an unregulated platform in Ireland; general contractual principles should apply.
Detailed best execution standards apply for MiFID II investment firms dealing in MiFID II financial instruments.
The MiFID II inducements, conflicts of interest and best execution rules will apply to all MiFID II investment firms, including in the context of payment for order flow (PFOF). PFOF is the practice of brokers receiving payments from third parties for directing client order flow to them as execution venues.
In February 2021, the chair of ESMA stated: “The phenomenon of zero-commission trading needs to be looked at in more detail. To be sure, such lower costs for retail investors are a welcome development, given the importance of costs in determining investors’ long-term returns. However, there is no such thing as a free lunch. Payments for order flow from third parties such as market makers may substitute commissions that are otherwise paid by clients, creating conflicts of interest and resulting in less transparency for retail clients. In my view, the practice of payment for order flow needs to be carefully assessed against the MiFID II requirements on conflicts of interest, best execution and inducements.”
In a public statement issued on 13 July 2021, ESMA restated its concerns regarding investor protection, conflicts of interest and best execution, and inducements and cost transparency. ESMA considers that, in most cases, it is unlikely that PFOF could be compatible with MiFID II and its delegated acts.
A proposal to amend Regulation 600/2014/EU (MiFIR) adopted by the European Commission on 25 November 2021 seeks to effectively ban PFOF. However, the Council of the EU has rejected a complete ban on PFOF and proposes that investment firms should be prohibited from receiving PFOF for orders in shares or ETFs, but member states have discretion to deviate in respect of retail clients.
The European Parliament is expected to set out its position in early 2023.
In addition to domestic requirements, Ireland has implemented EU securities markets legislation, some of which is directly applicable. These measures include:
See 9.2 Regulation of Unverified Information and 9.3 Conversation Curation in relation to market abuse.
The primary method of regulating these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments, so asset classes outside the scope of regulation under the MiFID Regulations will not be regulated.
Specific, detailed rules apply where a MiFID II investment firm engages in algorithmic trading to pursue a market-making strategy. These include carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours, and entering into a binding written agreement with the trading venue.
No information is available in this jurisdiction.
Programming is not a regulated activity in Ireland. Whether programs or programmers are carrying out regulated activities, in which case the applicable regulations will be relevant, will need to be assessed on a case-by-case basis.
Platforms providing financial research are not specifically regulated by the Central Bank. However, participants and platforms should consider whether a regulated investment service is being provided.
The provision of investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments is an ancillary service under Part 2 of Schedule 1 of the MiFID Regulations. The provision of this service without any other MiFID II investment services would not trigger a requirement for authorisation as a MiFID II investment firm.
In contrast, the provision of investment advice (as defined in MiFID II) in relation to MiFID II financial instruments is an activity requiring authorisation under the MiFID Regulations, unless an exemption applies.
The MiFID Regulations and Commission Delegated Regulation (EU) 2017/565 provide requirements in relation to conflicts of interest and inducements that apply to regulated MiFID II investment firms in relation to research.
The IIA regulates the provision of investment advice in relation to investment instruments, subject to certain exemptions. The IIA definition of investment instruments captures certain instruments that are not MiFID II financial instruments and certain activities or firms that might fall outside the MiFID Regulations.
The Market Abuse Regulation
The Market Abuse Regulation (Regulation (EU) 596/2014) (MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“market abuse”), and measures to prevent market abuse.
MAR prohibits insider dealing, the unlawful disclosure of inside information, market manipulation and attempted market manipulation. Market manipulation is broadly defined under MAR to include disseminating information through the media, including the internet or by any other means, that gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of a financial instrument, a related spot commodity contract or an auctioned product based on emission allowances, or that secures, or is likely to secure, the price of one or several MiFID II financial instruments, a related spot commodity contract or an auctioned product based on emission allowances at an abnormal or artificial level, including the dissemination of rumours, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.
Recital 48 to MAR confirms that, given the rise in the use of websites, blogs and social media, disseminating false or misleading information via the internet (including through social media sites or unattributable blogs) should be considered to be equivalent to doing so via more traditional communication channels for the purposes of MAR.
In summary, MAR applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, or traded on an OTF and certain other financial instruments, the price or value of which depends or has an effect on the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue.
Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (the “MAR Regulations”), is an offence in Ireland. The MAR Regulations also provide certain civil sanctions for breaches of MAR, such as a breach of the prohibition on market manipulation.
Central Bank focus
The Central Bank has increased its focus on market abuse compliance by issuers, firms and their advisers, and published “Dear CEO letters” to the industry in July 2021 detailing its expectations of various stakeholders.
ESMA has advised retail investors to be careful when taking investment decisions based exclusively on information from social media and other unregulated online platforms if they cannot verify the reliability and quality of that information. This ESMA statement also notes that organising or executing co-ordinated strategies to trade or place orders under certain conditions and at certain times to move a share’s price could constitute market manipulation.
ESMA noted that special care should be taken when posting information on social media about an issuer or a financial instrument, as disseminating false or misleading information may also be market manipulation, and when disseminating investment recommendations through any media, including social media and online platforms.
In August 2021, ESMA published its Guidelines on marketing communications under the Regulation on cross-border distribution of funds, which include requirements for marketing communications via social media, and in October 2021 ESMA published a statement on investment recommendations on social media. In January 2022, the European Supervisory Authorities published a joint response to the Commission's Call for Advice on digital finance and related issues which, among other points, noted the “rise of so-called finfluencers – individuals with a wide social media reach, discussing money-related topics and sometimes offering financial recommendations”.
The MAR prohibition on market manipulation (including attempted market manipulation) includes a prohibition on “taking advantage of occasional or regular access to the traditional or electronic media” to voice opinions about in-scope instruments with a view to profiting from the impact of those opinions, without having simultaneously publicly disclosed that conflict of interest.
MAR is also intended to ensure that the prohibitions against market abuse should cover those persons who act in collaboration to commit market abuse, so the platform should ensure it takes steps to avoid being seen to collaborate with such activity.
Liability under the MAR Regulations can also attach to an entity that collaborates in or facilitates market abuse/manipulation. MAR also requires member states (including Ireland) to put mechanisms in place to allow for the reporting of infringements of MAR (ie, whistle-blowing mechanisms).
The EU’s Solvency II regime (as implemented in Ireland) applies to the majority of Irish (re)insurance undertakings, including the underwriting process of these undertakings.
The Solvency II framework sets out detailed requirements around capital, governance and risk management in Irish and EU authorised (re)insurance undertakings.
In broad summary, Solvency II undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015, to carry on either life insurance business, non-life insurance business, or both.
Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland, as it will typically involve supporting technical services rather than regulated financial services. However, certain exceptions to this position could apply, depending on the nature of the regtech service performed and the nature of the entity to which such services are provided. Therefore, a case-by-case analysis is required.
Depending on the particular service provided and the particular financial services firm receiving that service, the legal and regulatory requirements governing outsourcing may apply, and this will impact the contractual provisions required.
The CBI Outsourcing Guidance
Outsourcing is a particularly topical issue for the Central Bank. The CBI Outsourcing Guidance applies to all Irish regulated firms and is to be implemented alongside any specific sectoral legislative outsourcing requirements. The CBI Outsourcing Guidance imposes similar contractual requirements to the EBA Outsourcing Guidelines (which apply directly to credit institutions, certain investment firms and payments/e-money institutions).
The EBA Outsourcing Guidelines
The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. Specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The EBA has commented that it is imperative that business continuity and data protection are appropriately considered when outsourcing IT or data services. The ESMA Cloud Guidelines and the EIOPA Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis.
Regtech providers may have legal and regulatory or contractual obligations to notify certain behaviour, depending on their regulatory status and contractual arrangements, the sector in which they operate and the information and material with which they come into contact.
Domestic institutions are investigating the use of blockchain, and certain institutions have conducted trials in this area, including in the area of payments. In a November 2021 speech, the Central Bank noted in the context of its Innovation Hub that, in crypto-related activities, it has observed growing activity, reflecting greater institutional interest, a trend reflected in the wider market.
Dublin-based We.trade is a blockchain-based trade finance service provider that was established by an international consortium of banks. In April 2021, ConsenSys (a blockchain company that develops DeFi and Web3 applications) announced a significant expansion of its Dublin operations. Furthermore, financial institutions such as MasterCard, CitiBank, Fidelity and IBM are working on blockchain projects in Ireland.
In addition, in February 2021, the Institute of Banking, domestic banks Bank of Ireland, AIB and Ulster Bank (part of the RBS Group), and Deloitte announced the launch of EdQ, a blockchain-based education credentialling platform for financial services. The platform provides real-time access to unalterable records of professional credentials that facilitates financial services firms' compliance with regulatory obligations that involve the credentialling of employees.
The Central Bank's Approach
The Central Bank requires firms providing certain services in relation to crypto-assets to register as VASPs (see 2.2 Regulatory Regime and 2.13 Impact of AML Rules for more detail). Outside of this process, the Central Bank has not provided any specific regulatory updates or guidance to address blockchain technology, other than issuing consumer warnings regarding the risks of virtual currencies (most recently in April 2021) and initial coin offerings (ICOs).
In a July 2021 blog post, the governor of the Central Bank noted the concerns regarding the environmental impact of crypto-assets and the facilitation of crime through the anonymity these can provide, and stated that, as things stand today, the negatives surrounding crypto far outweigh any benefits. However, the governor also noted that the positive elements of the underlying technology should not be ignored.
In a May 2022 speech, the Central Bank Director of Financial Regulation noted that the Central Bank approach to companies that are active in the technological innovation space can be characterised as being “approachable, clear, proportionate and considered”.
The European Union (Markets in Financial Instruments) (Amendment) (No 4) Regulation 2022 amended the definition of “financial instrument” contained in the MiFID Regulations to include instruments issued by means of DLT. This amendment will take effect on 23 March 2023.
Aside from the VASP registration requirement, Ireland does not have any legislation specific to blockchain technologies.
EBA and ESMA Reports
The January 2019 EBA report with advice for the European Commission on crypto-assets (the “EBA Crypto Report”) and ESMA advice in relation to ICOs and crypto-assets (the “ESMA Crypto Report”) provide useful information in relation to the interpretation of blockchain assets within existing rules and highlighting gaps, as well as suggesting that further consideration should be given at an EU level to legislating in the area. This work fed into the Crypto Consultation, which, among other things, looked at crypto-assets that are covered by EU rules and whether the rules can be effectively applied, as well as crypto-assets that are not covered by EU rules at present, and a possible common regulatory approach. The Crypto Consultation, in turn, has fed into the Digital Package and MiCA.
Ireland for Finance
The government's international financial services sector strategy document to 2025, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies.
The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender, and has also issued a consumer warning regarding the risks of ICOs.
Definition of “Virtual Assets”
While the 5MLD includes a definition of “virtual currencies”, the implementation of the VASP regime into the CJA 2010 instead predominantly uses the term “virtual asset”, which aligns Irish legislation with the relevant Financial Action Task Force (FATF) recommendations. The Irish legislation defines “virtual asset” as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets.”
The draft MiCA text from October 2022 published by the Council of the EU sets out the following definitions for in-scope blockchain assets:
Blockchain assets and/or services in relation to those assets may fall within existing regulatory regimes and the legal classification of a particular blockchain asset may vary, depending on its features.
MiFID II Definition of Transferable Securities' Significance to Regulatory Approach
One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security. Given the variance in structure among blockchain assets, it is necessary to analyse individual blockchain assets against the criteria for the MiFID II financial instrument of “transferable securities”, defined under Article 4 (1) (44) of MiFID II as those “classes of securities which are negotiable on the capital market, with the exception of instruments of payment, such as:
(a) shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
(b) bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
(c) any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures.”
If a blockchain asset is determined to be a transferable security, then it falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR. The ESMA Crypto Report also states that several European regulators considered that certain types of crypto-assets could qualify as units in collective investment undertakings (another MiFID II financial instrument), most likely alternative investment funds, and thus the Alternative Investment Fund Managers Directive (Directive 2011/61/EU) (AIFMD) could be relevant. The ESMA Crypto Report notes that existing rules that may be applicable do not fit perfectly with the characteristics of blockchain.
In very broad terms, a blockchain asset with characteristics that are similar to shares, bonds or other securities, or related derivatives, including being transferable, will be more likely to fall within the definition of a “transferable security”. An investment-type blockchain asset may be more likely to have these characteristics, while the ESMA Crypto Report specifically notes that a pure payment-type cryptocurrency (such as Bitcoin) is less likely to be considered a “transferable security”. The ESMA Crypto Report cautions against extrapolating its analysis against the entire crypto-asset universe.
It should be noted that the European Union (Markets in Financial Instruments) (Amendment) (No 4) Regulation 2022 amended the definition of “financial instrument” contained in the MiFID Regulations to include instruments issued by means of DLT. This amendment will take effect on 23 March 2023.
Crypto-Assets and Payment Services Under the Electronic Money Directive
In the EBA Crypto Report, the EBA notes that a crypto-asset can qualify as electronic money under the Electronic Money Directive, and thus be regulated under that directive, provided that it:
In addition, if a person performs a “payment service” as listed in PSD2 with a blockchain asset that qualifies as “electronic money” under the Electronic Money Directive, such activity would fall within the scope of PSD2 by virtue of constituting “funds”. More generally, PSD2 and the domestic Irish regime of money transmission should also be considered in the context of fiat transfers or services related to blockchain activities.
Assuming the blockchain assets are not financial instruments, e-money or any other regulated token, there is no specific regulatory regime for the issuance of such assets alone. However, as set out in the FATF Guidance, registration as a VASP may be required for issuers of blockchain assets where, in addition to the issuance itself, the issuers engage in any of the activities that fall under any limb of the VASP definition (exchange between virtual assets and fiat, or one or more forms of virtual assets, transfer of virtual assets, etc). In addition, MiCA proposes to impose extensive requirements on the issuers of blockchain assets.
As with the applicability of the existing legal or regulatory requirements to a blockchain asset depending on its particular structure, an issuance may come within the scope of existing Irish legal regimes, depending on its specific characteristics.
In two statements from November 2017, ESMA alerted participants in ICOs of the potential applicability of MiFID II, AIFMD, the Prospectus Directive and the applicable AML rules, depending on the structure of the issuance, and alerted investors of the risks of ICOs.
The provision of exchange services between various virtual assets and/or between virtual assets and fiat currency is within the scope of Irish AML legislation and may require a VASP registration.
The operation of blockchain asset trading or exchange platforms may involve the issuance of electronic money or the provision of payment services, in order to facilitate wallet and payment features.
Where blockchain assets constitute MiFID II financial instruments, such as transferable securities, the operation of a trading platform will be in the scope of existing regulatory regimes.
Platforms will also need to consider data protection and cybersecurity requirements, where applicable.
MiCA also proposes to impose requirements on crypto-asset service providers operating a trading platform for crypto-assets. Such players will also be subject to the travel rule through the proposed changes to the 2015 regulation on information accompanying transfer of funds.
Irish regulated investment funds are authorised either as undertakings for collective investment in transferable securities (UCITS) or as alternative investment funds (AIFs).
Distinctions Between Crypto-Assets
The Central Bank has provided guidance on investment in crypto-assets, which states that such assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. This guidance recognises that the nature and characteristics of crypto-assets vary considerably, and distinguishes between crypto-assets that are tokenised traditional assets (the value of which is linked to an underlying traditional asset or a pool of traditional assets, such as financial instruments or commodities) and those assets that are based on intangible or non-traditional underlying assets.
In respect of this latter type of crypto-asset, the guidance states that the Central Bank is highly unlikely to approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to crypto-assets.
For Qualifying Investor AIFs (QIAIFs) marketed to qualifying investors that seek to gain exposure to this latter type of crypto-asset, a submission is required to be made to the Central Bank outlining how the risks associated with exposure to such assets will be effectively managed by the alternative investment fund manager, including:
In the case of direct investment by QIAIFs in crypto-assets, the submission should include details from the proposed depositary demonstrating how it is satisfied that it can provide for the safe-keeping of the assets. This submission will need to be made to the Central Bank in advance of seeking to have a fund with such exposures authorised by the Central Bank.
Following the Central Bank approval of two QIAIFs with indirect exposure to Bitcoin in April 2022, the Central Bank noted that no pre-submission is required if a QIAIF proposes to invest no more than 10% of its net asset value in cash-settled Bitcoin futures traded on the Chicago Mercantile Exchange.
The guidance states that the Central Bank’s approach in relation to crypto-assets will be kept under review, will continue to be informed by European regulatory discussions on the topic and may change if new information or developments emerge in the future.
The Digital Package Proposals on Crypto-Assets
Once finalised, MiCA will provide certainty in terms of:
Rules for Crypto-Assets That Are Not Financial Instruments
For crypto-assets that do not qualify as financial instruments, the rules for “other assets” under the UCITS Directive and AIFMD currently apply, and the depositary needs to ensure the safekeeping (which involves verification of ownership and up-to-date record-keeping) but not the custody of such assets. As well as regulatory uncertainty, practical obstacles still exist in the Irish market to the extent that many depositaries are currently not comfortable that they can capably hold or sub-custody crypto-assets while also meeting their safekeeping obligations.
The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II.
DeFi transactions will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area, and regulatory interest in DeFi is expected to increase. In its September 2021 “Report on Trends, Risks and Vulnerabilities”, ESMA stated that, although the DeFi market itself is not yet large enough to be considered a risk to financial stability, it is still worthwhile for regulators and supervisory authorities to closely monitor its developments and better understand its activities, structures, potential benefits and underlying risks.
As the draft MiCA Regulation does not address DeFi platforms, it proposes that the European Commission shall present a report to the European Parliament 18 months after the date of entry into force, containing an assessment of the development of DeFi in the crypto-assets markets and of the adequate regulatory treatment of decentralised crypto-asset systems without an issuer or crypto-asset service provider, including an assessment of the necessity and feasibility of regulating DeFi.
There are no specific Irish legal or regulatory provisions addressing the status of NFTs.
It is unlikely that NFTs constitute virtual assets for the purposes of the VASP registration requirement under the CJA 2010 but a case-by-case analysis is required. The FATF October 2021 Guidance on virtual assets and VASPs (which is helpful but not binding or directly applicable in interpreting the scope of the CJA 2010 VASP regime) provides that, depending on their characteristics, digital assets that are unique rather than interchangeable, and that are used as collectibles in practice rather than as payment or investment instruments, are generally not considered to be virtual assets under the FATF definition. However, it is important to consider the nature of the NFT and its function in practice.
A case-by-case analysis is required to understand if an NFT would be considered a financial instrument under MiFID. “Transferable securities” are defined under MiFID as “classes of securities” that are negotiable on the capital market, so it appears unlikely that NFTs should amount to “transferable securities”, as their inherent non-fungible nature would appear inconsistent with this requirement. However, a case-by-case analysis may be required in some circumstances.
While an NFT would look to qualify as a crypto-asset under the definition in the initial draft of MiCA, the latest draft specifies that crypto-assets that are unique and not fungible with other crypto-assets fall outside the scope of the Regulation; however, it also states that the fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible, and that the issuance of crypto-assets as non-fungible tokens in a large series should be considered as an indicator of their fungibility.
It remains to be seen how NFTs will be treated in the final legislation, but it is likely that categorisation will depend on the individual characteristics of NFTs and the rights and assets they represent.
PSD2 introduced two new regulated payment services: payment initiation service and account information service. A disruptive aspect of PSD2 is the customer's right to make use of third parties to obtain payment initiation services, and for third parties to access payment data to provide account information services. This facilitates open banking and opens up opportunities for challenger banks and other fintech firms to bring new products to the market. Application programming interfaces are to be used for third-party access to online payment accounts.
As part of the review of PSD2, the European Commission carried out a targeted consultation on open finance framework and data sharing in the financial sector. It remains to be seen what changes PSD3 will bring to the open banking sector.
PSD2 imposes certain conditions on access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.
In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the right to withdraw consent, a right to access data and a right for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.