Contributed By Walkers (Ireland) LLP
Banking business in Ireland is regulated under both domestic legislation and the legislation of the EU, which either is directly applicable in Ireland or has been transposed into Irish law by domestic provisions. New laws and regulations applicable to Irish banks are primarily driven by developments at the EU level.
Domestic Legislation
The primary domestic legislation establishing the framework for the regulation of banking activities in Ireland is the Central Bank Acts 1942-2018 (the “Central Bank Acts”). The Central Bank Act 1942 originally established the Central Bank of Ireland (CBI) as a central bank and since then its competence has expanded. Following the introduction of the Central Bank Reform Act 2010 (2010 Act), the CBI is the primary Irish financial regulatory body.
The Central Bank Act 1971 (1971 Act) establishes the requirement for persons carrying on “banking business” to hold a banking licence and sets out certain requirements applicable to banks.
The CBI is empowered under the Central Bank Acts to issue codes of practice and regulations to be observed by banks. The CBI has issued several codes or regulations in areas such as corporate governance, related party lending, mortgage arrears, consumer protection, minimum competency, fitness and probity, individual accountability and SME lending.
European Legislation
Irish banks are also subject to extensive regulatory requirements driven by EU initiatives regulating the activities of “credit institutions” (the terms “credit institution” and “bank” are used interchangeably in this document). These include the Fourth Capital Requirements Directive (2013/36/EU) (as amended by Directive (EU) 2019/878 (CRD V)) (CRD), the Capital Requirements Regulation ((EU) 575/2013) (as amended by Regulation (EU) 2019/876 (CRR II)) (CRR) and the Bank Recovery and Resolution Directive (2014/59/EU) (as amended by Directive (EU) 2019/879 (BRRD II)) (BRRD). CRD is transposed into Irish law by the European Union (Capital Requirements) Regulations 2014 (as amended) (CRD Regulations), while the CRR, as an EU regulation, is directly applicable. BRRD is implemented in Ireland by the European Union (Bank Recovery and Resolution) Regulations 2015 (as amended) (BRRD Regulations).
Regulation (EU) 1024/2013 (SSM Regulation) establishes the Single Supervisory Mechanism (SSM), which is responsible for banking supervision in the participating member states, such as Ireland. Under the SSM, the European Central Bank (ECB) has exclusive competence in respect of certain aspects of the prudential regulation of Irish banks, including the granting and withdrawal of banking licences and the assessment of notifications of the acquisition and disposal of qualifying holdings in banks (except in the case of a bank resolution). The ECB also directly supervises “significant” banks (SIs), while the CBI directly supervises “less significant” banks (LSIs), subject to ECB oversight. The SSM sets out criteria for determining SIs and LSIs.
Other Regulatory Bodies
Other regulatory bodies that are also relevant to Irish banks include the following:
Banking Business
Section 7(1) of the 1971 Act prohibits the carrying on of “banking business” or accepting deposits or other repayable funds from the public without a banking licence. “Banking business” is defined as any business that consists of or includes receiving money on the person’s own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account (subject to certain exceptions).
While the 1971 Act does not define “repayable funds”, section 2(2) of the Central Bank Act 1997 defines “deposit” for the purposes of the Central Bank Acts as “a sum of money accepted on terms under which it is repayable with or without interest whether on demand or on notice or at a fixed or determinable future date.”
A person may apply for a banking licence to be granted under Section 9 of the 1971 Act. Since the introduction of the SSM, the ECB is the competent authority for the granting of the licence.
It is also possible to apply for authorisation under Section 9A of the 1971 Act for an Irish branch of a bank that is authorised in a third country (ie, a non-EEA country).
Holding oneself out as a banker
Section 7(1) of the 1971 Act also restricts persons from holding themselves out or representing themselves as a banker, or as carrying on banking business, unless appropriately authorised.
The 1971 Act provides that, where a person carries out business under a name that includes the words “bank”, “banker” or “banking”, or any word which is a variant, derivative or translation of or is analogous to those words, or uses any advertisement, circular, business card or other document that includes such words, they hold themselves out or represent themselves as conducting or being willing to conduct banking business.
Permitted Activities
A banking licence can permit the holder to engage in a broad range of business, including deposit taking, lending, issuing e-money, payment services and investment services and activities regulated by the Markets in Financial Instruments Directive (2014/65/EU) (MiFID II).
Application Process
Applications for authorisation as a bank are made using the ECB’s Information Management System (IMAS) portal. In practice, applicants will engage in a pre-application meeting with the CBI to discuss the scope of any application. The application process for a bank licence begins with a preliminary engagement phase known as the “Exploratory Phase”. During this phase, the applicant submits an initial high-level proposal for their application. The applicant will often have meetings or calls with the CBI to discuss the proposal. Following the CBI’s review of the proposal, if no issues are identified then the applicant moves to the next stage.
The next stage is known as the “Draft Application” stage. This phase involves the submission by the applicant of a draft application. The majority of the assessment work will be carried out during this phase. The application pack requires extensive detail regarding all material areas of the applicant’s proposed business.
Following the receipt of the application, the CBI will assess the application, in conjunction with the ECB. The process is iterative and typically involves multiple rounds of extensive comments and queries from the regulators.
The ECB indicates that the assessment will cover areas including:
Following the completion of the iterative query stage, the ECB will determine whether or not to grant a licence. The ECB indicates that it usually takes from six to 12 months for a decision to be taken on an application. Where a licence is granted, it may be subject to specific conditions.
There is no fee for submitting a bank application, but banks are subject to a number of ongoing levies.
Third country (non-EEA) credit institutions can seek to establish a licensed branch in Ireland to carry out banking business. The CBI will carry out an assessment for these institutions, rather than the ECB.
Other Requirements
CRD also includes requirements for certain financial holding companies and mixed financial holding companies to be authorised and, in certain cases, non-EEA groups may be required to establish an intermediate EU parent undertaking.
Certain systemic investment firms are required to seek a bank licence.
Passporting
Under the CRD mutual recognition provisions, Irish banks can both provide services on a freedom of services basis and establish a branch on a freedom of establishment basis across the EEA, subject to completing the necessary passporting processes.
Requirements Governing Change in Control
The requirements in relation to the acquisition and disposal of interests in banks are set out in Chapter 2 of Part 3 of the CRD Regulations. The prior approval of the ECB is required in advance of any proposed acquisition of a qualifying holding in a bank.
A “qualifying holding” is defined as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise a significant influence over the management of that undertaking. Notification of the proposed acquisition of a qualifying holding must be made in advance to the CBI, as well as any proposal to increase a direct or indirect holding to reach or exceed a prescribed percentage of 20%, 33% or 50% or where the bank would become the proposed acquirer’s subsidiary.
The CRD Regulations provide that an application to the Irish High Court may be made to remedy a situation where a qualifying holding was inadvertently acquired or increased to reach or exceed a prescribed threshold without the prior notification.
There are currently no specific restrictions on private ownership nor geographical restrictions on foreign ownership of Irish banks. However, Ireland will introduce legislation to give effect to the EU Screening Regulation (Regulation (EC) 2019/452) and to introduce a screening regime for certain foreign investment transactions that may present risks to the security or public order of Ireland. At the time of writing, the Screening of Third Country Transactions Bill 2022, which will give further effect to the EU Screening Regulation in Ireland, has been passed by the Irish legislature and is currently awaiting signing into law by the President of Ireland. The CBI has expressed preferences in the past that banks not be owned or controlled by single private individuals or that ownership of banks should not be “stacked” under insurance undertakings. Prior ownership experience of banks or other financial institutions will be an advantage in applying for the approval of an acquisition of a qualifying holding.
The Nature of the Regulatory Filings
Notification of the proposed acquisition of a qualifying holding is made to the CBI via the ECB’s IMAS portal. The CBI will liaise with the ECB, which is the competent authority under the SSM for the approval of acquisitions of or increases in qualifying holdings in respect of Irish authorised banks.
The maximum total period for assessment of an acquiring transaction notification is 90 working days from the receipt of a complete application. Notifications can be rejected as not complete at the outset of the process, and so in practice this process can take longer. The CBI advises that pre-application engagement and the submission of notification and supporting documentation in draft form can help minimise the risk of a notification being deemed “incomplete”, thereby delaying the approval process.
The CBI also requires any proposed acquirers to take note of the content of the May 2017 Joint Committee of the European Supervisory Authorities, which includes the European Banking Authority’s (EBA) “Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the banking, insurance and securities sectors”.
The objective of the assessment of a proposed acquisition is to ensure the sound and prudent management of the bank concerned. The criteria assessed by the ECB are the following:
The CBI may also seek comfort from a proposed acquirer of a majority stake in an Irish bank that the proposed acquirer will provide such financial support as is necessary for the Irish bank to continue to meet its regulatory obligations.
The corporate governance requirements applicable to Irish banks include those set out in the CBI Corporate Governance Requirements for Credit Institutions 2015 (CBI Requirements) and the CRD provisions in respect of corporate governance.
CBI Requirements
The CBI Requirements provide that all Irish banks must have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms. The governance structure put in place must be sufficiently sophisticated to ensure that there is effective oversight of the activities of the institution, taking into consideration the nature, scale and complexity of the business being conducted.
The CBI Requirements are prescriptive, imposing minimum standards in relation to corporate governance, including the composition, role and conduct of the board of directors and the establishment of certain board committees, and setting out requirements in relation to risk management.
An Irish bank is required to have at least five directors, or seven if it is designated as having a High Impact under the CBI’s Probability Risk and Impact System (PRISM). The board is required to have a majority of independent non-executive directors (INED), although where a bank is part of a group, the majority of the board may also be composed of group directors, provided that the bank has at least two INEDs (or three INEDs where the bank is designated as High Impact).
CRD
The CRD Regulations set out a number of rules in relation to the governance of banks, including in relation to implementation of governance arrangements that ensure effective and prudent management, board members’ knowledge and experience, the number of directorships bank directors can hold and the requirements for board committees. The EBA has built upon these requirements in its updated guidelines on internal governance (EBA/GL/2021/05) (EBA IG Guidelines). The EBA IG Guidelines specify the internal governance arrangements, processes and mechanisms that banks and certain investment firms must implement in accordance with Article 74(1) of CRD to ensure effective and prudent management of the institution.
The EBA IG Guidelines apply in relation to governance arrangements such as organisational structure, lines of responsibility, risk identification and management and the internal control framework. Guidance is given in relation to the role of the management body and its responsibilities, as well as the role of board committees and internal control functions. Arrangements in relation to risk management, outsourcing and business continuity are also addressed.
Recent Developments
Corporate governance continues to be an area of focus for the CBI. This has been evident in recent publications and supervisory focuses on areas including behaviour and culture, conduct risk, outsourcing and individual accountability. In addition, the introduction of the individual accountability framework (see 4.2 Registration and Oversight of Senior Management) includes a Senior Executive Accountability Regime applicable to certain entities and role holders, including banks, and conduct standards for all Irish regulated financial service providers (RFSPs) and for individuals working within them.
Fitness and Probity Regime
The CBI’s Fitness and Probity Regime (the “F&P Regime”), which was established under the 2010 Act, applies to persons in certain senior positions in RFSPs, including banks.
The F&P Regime applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs are a sub-set of CFs and include directors, chairs of the board and committees, the chief executive and heads of certain internal control functions, amongst other functions.
An RFSP must not permit a person to perform a CF or PCF unless it is satisfied on reasonable grounds that the person complies with the CBI’s Standards of Fitness and Probity (the “Standards”) and the person has agreed to comply with the Standards. The Standards require a person to be:
Please see below regarding the introduction of the certification requirement from 29 December 2023.
In order to be satisfied the person complies with the Standards, due diligence must be undertaken by the RFSP. Irish banks are also subject to the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders (the “Suitability Guidelines”), as well as CRD requirements.
A person cannot be appointed to a PCF position unless such appointment has been approved by the CBI. For SIs, the approval of the ECB is required for members of the management body (ie, board) and key function holders. This is also the case for members of the management body of any new bank.
PCF applicants are required to submit an individual questionnaire to the CBI, setting out details of their professional qualifications and employment history, and including various confirmations from both the applicant individual and the RFSP. The CBI/ECB may interview candidates for certain PCF roles, and this is increasingly becoming the norm for bank board members and certain other senior PCFs. SIs must submit PCF applications via the IMAS Portal, along with the corresponding declarations.
The ECB has published a Guide to Fit and Proper Assessments for its fitness and probity assessments, which are conducted in accordance with the Suitability Guidelines.
In certain circumstances, CF and PCF holders may be the subject of an investigation in relation to their fitness and probity and be the subject of a suspension notice or a prohibition under the 2010 Act. Applicants for PCF roles are also not guaranteed to receive approval.
Individual Accountability Framework and the Senior Executive Accountability Regime
The Central Bank (Individual Accountability Framework) Act 2023 (the “IAF Act”) was signed into law on 9 March 2023. In summary, the IAF Act provides the legislative basis for the introduction of significant changes to the regulation and supervision of RFSPs and CF and PCF holders, through, inter alia:
The main purpose of the IAF Act is to improve accountability and trust in the financial sector by creating a framework, which contributes to bringing about cultural and practical change in the banking sector and throughout the financial services at large.
With effect from 19 April 2023, certain provisions of the IAF Act were commenced which introduced a number of important changes to enhance the CBI’s ASP under Part IIIC of the Central Bank Acts. These changes apply, subject to transitional arrangements, to the enforcement of any obligations under the ASP, whether those matters are related to existing obligations under financial services legislation, new obligations introduced as part of the Individual Accountability Framework or otherwise become subject to the ASP. The remaining provisions of the IAF Act became effective from 29 December 2023.
In November 2023, the CBI published guidance on the Individual Accountability Framework. Also, regulations in relation to the requirements that apply to holding companies under the Individual Accountability Framework and the new certification requirement under the Individual Accountability Framework are now in force. At time of writing, regulations to further implement SEAR (the “SEAR Regulations”) have not yet entered into force. However, draft SEAR Regulations have been published, which propose to apply the SEAR aspect of the Individual Accountability Framework to credit institutions, certain insurance undertakings and certain investment firms at first.
SEAR
The purpose of the SEAR is to improve governance, performance, and accountability in in-scope RFSPs by placing obligations on relevant RFSPs and senior individuals within them to set out clearly where responsibility and decision-making lies for their business and by setting out what those responsibilities entail. Individuals that occupy a PCF role at in-scope firms are subject to the SEAR. The SEAR will initially apply to a limited range of RFSPs, including credit institutions, insurance undertakings and certain investment firms.
The obligations created by the SEAR include the following.
For those firms within scope of the initial implementation phase of SEAR, the requirements will apply from 1 July 2024.
Conduct Standards
The IAF Act introduces Common Conduct Standards, which apply to individuals in all RFSPs who are performing CFs. Common Conduct Standards are basic standards such as acting with honesty and integrity, with due skill, care and diligence, and in the best interest of customers, and will apply to individuals in all RFSPs.
Senior executives will also have Additional Conduct Standards related to running the part of the business for which they are responsible. Individuals will be expected to take reasonable steps in the circumstances to discharge their responsibilities and duties.
The Common Conduct Standards and the Additional Conduct Standards will applied from 29 December 2023.
In addition, the IAF Act also provides the CBI with regulation-making power to prescribe standards for the purpose of ensuring that firms (i) act in the best interests of customers and of the integrity of the market, (ii) act honestly, fairly and professionally, and (iii) act with due skill, care and diligence. These requirements are known as the Business Standards. The Business Standards will be developed in conjunction with the separate review and consultation being carried out in relation to the Consumer Protection Code 2012 (as amended) (CPC) noting the parallel with the general principles detailed within the Consumer Protection Code and the importance of simplification and streamlining of the regulatory framework and the conduct obligations imposed on firms.
Update to Fitness and Probity Regime
As part of the introduction of the new Individual Accountability Framework, enhancements will be made to the F&P Regime. Included amongst the changes being made is the introduction of an obligation on RFSPs to proactively certify that staff performing CF or PCF roles comply with the Standards. RFSPs will be required to undertake due diligence in order to support the conclusion that each individual performing a CF role is fit and proper to perform that role and to be in a position to certify that fact. RFSPs will also be subject to a requirement to document certain information as part of the certification process, including documenting the steps taken by the RFSP to conclude that the individual meets the Standards. RFSPs must carry out the certification process in respect of relevant individuals prior to their appointment to a CF role (or, in the case of a PCF, prior to the submission of an application for approval by the CBI) and/or on an annual basis.
In addition to the certification requirements, another change to the F&P Regime brought about by the introduction of the Individual Accountability Framework is the extension of the application of the F&P Regime to holding companies of RFSPs established in Ireland.
These changes to the F&P Regime applied from 29 December 2023.
Administrative Sanctions Procedure
The IAF Act introduces a number of changes to strengthen and enhance the CBI’s Administrative Sanctions Procedure (ASP). These changes to the ASP have been made to ensure that the ASP reflects and supports the legislative changes introduced in connection with the Individual Accountability Framework.
In summary, the changes to the ASP include:
Irish banks are subject to remuneration rules under both the CBI Requirements and the CRD Regulations, and must comply with certain principles in a manner and to the extent that is appropriate to their size and internal organisation and to the nature, scope and complexity of their activities.
The EBA Guidelines on sound remuneration policies under Directive 2013/36/EU (the “EBA Remuneration Guidelines”) apply to banks, covering issues including the governance process for remuneration policies and the application of remuneration requirements in a group context.
Banks that are classified as significant are required to have a remuneration committee that complies with the requirements of the CRD Regulations. Banks with a High Impact PRISM rating are required to have a remuneration committee that complies with the CBI Requirements.
The CRD Regulations require banks to have a remuneration policy that is in line with their business strategy, objectives and long-term interests, incorporates measures to avoid conflicts of interest, is consistent with and promotes sound and effective risk management, does not encourage risk-taking that exceeds the level of tolerated risk of the institution, and is gender neutral. The policy is to apply to categories of staff whose professional activities have a material impact on the risk profile of that institution. The board is responsible for overseeing the implementation of the remuneration policy and should periodically review its general principles. Banks should review their remuneration policies at least annually. The CRD Regulations and the CRR also impose disclosure requirements relating to remuneration policies and practices.
Banks should also ensure that the remuneration of “control function” employees (note this is distinct from CF as defined in 4.2 Registration and Oversight of Senior Management) is not linked to the performance of any business areas they control, and that the remuneration of senior risk and compliance employees is suitably overseen. In respect of certain employees whose professional activities have a material impact on the risk profile of the institution, including senior management, risk takers and heads of control functions, banks are subject to extensive rules regarding variable remuneration. These rules include a “bonus cap”, which limits variable remuneration to 100% of fixed remuneration (or 200% with shareholder approval). Separately, certain restrictions on remuneration apply to certain Irish banks recapitalised by the Irish State as a consequence of the global financial crisis of 2007/8.
The prescriptive variable remuneration requirements regarding deferral, retention and payment in instruments, for staff whose activities have a material impact, are disapplied to: (i) small and non-complex institutions (as defined in the CRR) with assets on average equal to or less than EUR5 billion over the four-year period immediately preceding the current financial year; and (ii) to staff members whose annual variable remuneration does not exceed EUR50,000 and does not represent more than one third of the staff member’s total annual remuneration.
Breach of the CBI Requirements and/or the CRD Regulations is an offence and may be grounds for an enforcement action by the CBI under its ASP, which can result in fines being imposed.
Legal Framework
The primary AML and counter-terrorist financing (CTF) legislation applicable to Irish banks is the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the “CJA 2010”), as amended, which transposed the Fourth EU Anti-Money Laundering Directive ((EU) 2015/849) (as amended by the Fifth EU Anti-Money Laundering Directive (2018/843/EU)) into Irish law.
The CJA 2010 imposes a range of obligations on banks, including obligations to:
The CBI published its AML/CTF Guidelines for the Financial Sector (the “AML Guidelines”) in September 2019 to assist firms in understanding their obligations under the CJA 2010. The AML Guidelines, which were updated in June 2021, set out the expectations of the CBI regarding AML/CTF governance and the factors that firms should take into account when identifying, assessing and managing ML and TF risks, and also emphasise the importance of firms having regard to AML/CTF guidance published by the Financial Action Task Force and European supervisory authorities.
In addition to the CJA 2010, Irish banks are also required to comply with the various international financial sanctions that emanate from the EU and the United Nations, and with Regulation (EU) 2015/847 (a recast version of which will apply from 30 December 2024), which deals with information requirements regarding wire transfers. With the imposition of EU sanctions in response to Russia’s invasion of Ukraine, there has been increased focus by the CBI on the controls implemented by Irish banks to comply with financial sanctions.
Regulatory Supervision and Enforcement
Under the CJA 2010, the CBI is the relevant competent authority in Ireland for the monitoring and supervision of banks’ compliance with AML/CTF obligations. The CBI implements a risk-based approach to AML/CTF supervision such that the extent of supervision of a given RFSP is commensurate with the CBI’s assessment of ML/TF risk within the RFSP. The retail banking sector is considered by the CBI to be a high-risk sector, with the non-retail banking sector considered to be a medium-high or medium-low risk sector, depending on the specific activities engaged in. An individual RFSP’s ML/TF risk rating will be informed by the CBI’s risk rating of the sector and its supervisory engagements with the RFSP, such as inspections.
The CBI is empowered to take measures that are reasonably necessary to ensure that RFSPs comply with the provisions of the CJA 2010. This may include the CBI issuing a risk mitigation programme to a RFSP to address identified shortcomings in the RFSP’s AML/CTF framework. The CBI also has the power to administer sanctions against banks for breaches of the CJA 2010 under its administrative sanctions regime, which can result in fines being imposed.
Ireland has transposed the Deposit Guarantee Schemes Directive (2014/49/EU) (DGS Directive) into domestic law through the European Union (Deposit Guarantee Schemes) Regulations 2015 (DGS Regulations), which govern the operation of a deposit guarantee scheme (DGS) for “eligible deposits” at Irish banks. Irish banks are not allowed to accept deposits without being members of the DGS.
The CBI is the designated authority for the purposes of the DGS Directive, and is responsible for the maintenance and ongoing supervision of the DGS and for ensuring that it has sound and transparent governance practices in place. The CBI is required to produce an annual report on the activities of the DGS.
The DGS provides protection to eligible deposits, which includes deposits belonging to individuals, companies, partnerships, clubs and associations. The eligible deposits that may be protected by the DGS include current accounts, savings accounts, demand notices, fixed-term deposit accounts and share accounts. The deposit element of structured deposits/tracker bonds may also be eligible if the deposit element is repayable at par.
Certain specified categories are not eligible deposits. These include deposits of “financial institutions” as defined under the CRR – and including insurance undertakings, collective investment schemes, MiFID II investment firms and other banks (subject to certain conditions). Deposits of public authorities, debt securities issued by banks and liabilities arising out of their own acceptances and promissory notes are also not eligible deposits; a bank’s “own funds” for the purposes of the CRR are also not covered.
The coverage level for aggregate eligible deposits for each depositor is EUR100,000. In certain specified circumstances, a depositor may be covered for aggregate deposits up to a level of EUR1 million as a “temporary high balance”. The DGS Regulations set out detailed provisions as to how a depositor’s aggregate deposits are to be calculated.
Examples of circumstances that give rise to increased “temporary high balance” cover include the following:
Subject to certain exceptions, this higher level of cover will be available to depositors for a period of six months after the relevant amount has been credited or from the moment when such deposits become legally transferable.
The DGS Regulations provide that the DGS is funded by participating banks. As the designated authority, the CBI is responsible for ensuring that it has adequate systems in place to determine the potential liabilities of this fund. The CBI identifies a target level for the fund and requires all banks that hold eligible deposits to pay contributions to the fund. The fund must hold at least 0.8% of the amount of eligible deposits of all banks authorised in the State.
A bank’s required contribution to the DGS is calculated primarily by reference to the proportion of eligible deposits it holds, and the DGS Regulations set out prescriptive provisions regarding how these obligations are to be calculated and levied.
The Irish DGS protects eligible deposits held at EEA branches of Irish banks. Deposits held with other EEA banks should be protected under the relevant other EEA bank’s home country deposit protection scheme.
In November 2015, the European Commission proposed a European Deposit Insurance Scheme, which, if established, would form part of the third pillar of the EU’s Banking Union. These proposals are still the subject of discussion between the European Parliament and the Council of the EU.
In April 2023, the European Commission tabled a package of proposals to amend various pieces of legislation relating to the existing bank management and deposit insurance legislative framework, including the DGS Directive. The purpose of the proposed changes to the DGS Directive is to ensure the uniform protection of depositors throughout the EU. At the time of drafting, the amendments are still working their way through the EU legislative procedure.
Irish banks owe a duty of confidentiality to their customers. The duty of confidentiality has its origins in the common law and is an implied term in all contracts between banks and their customers. For the purpose of this duty, the term “customers” includes both natural and legal persons. There has also been limited judicial commentary to the effect that the Irish constitutional right to privacy may encompass a right to confidentiality in relation to banking affairs.
The duty of confidentiality is a broad one and provides that, once a contractual relationship exists between a bank and a customer, the bank must not divulge to third parties any information acquired by the bank during, or by reason of, its relationship with the customer, without the express or implied consent of the customer. Banks must also ensure that their employees and agents do not breach this duty.
In practice, the duty of confidentiality applies to the following:
The duty of confidentiality continues to apply when the account is closed or ceases to be active.
Given the wide and increasing range of services offered by banks and RFSPs, where any business of a kind normally carried on by a bank is carried out, it is prudent to presume the imposition of this duty of confidentiality.
The duty of confidentiality is not absolute and the Irish courts have confirmed the existence of a number of qualifications and exemptions to the duty of confidentiality, including where:
Irish statutes contain a number of express statutory exceptions to the duty of confidentiality. For example, these exemptions are included in the Companies Act 2014, the CJA 2010, criminal justice legislation and credit reporting legislation, as well as the law of evidence, including court rules providing for discovery orders.
A court or judge may authorise a member of the Irish police force to inspect bank records to investigate an indictable offence, where the court or judge is satisfied that there are reasonable grounds for believing that such an offence has been committed and the relevant material is likely to be of substantial value to the investigation.
In addition, by virtue of their statutory powers, the CBI and the Irish Revenue Commissioners have the ability to inspect customer accounts in certain circumstances.
Where the customer consents to disclosure, the duty may be dis-applied; this is relatively common where a third party seeks a reference or statement from a bank with the customer’s consent. It is best practice to obtain the customer’s prior written authorisation in these circumstances.
Where the duty of confidentiality is breached, the customer is entitled to seek damages, which may include aggravated damages.
Banks are also subject to a requirement under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) to implement appropriate security measures to protect any personal data they process relating to their customers. Under the GDPR, banks are required to protect their customers’ personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, including through the use of appropriate technical or organisational security measures.
The prudential requirements applicable to Irish banks, including in relation to capital and liquidity, emanate from EU legislation that is itself heavily influenced by international standards.
The current prudential requirements applicable to Irish and other EEA banks are set out in CRD and the CRR, as well as secondary EU legislation. This framework seeks to address the requirements of certain international standards of the Basel Committee on Banking Supervision and the Financial Stability Board (FSB). The EU rules also contain bespoke requirements to address particular concerns of the EU Member States.
Initial Capital
Under the 1971 Act, Irish banks generally must hold initial capital of at least EUR5 million before the CBI will propose to the ECB that a banking licence should be granted. In certain circumstances, this is reduced to EUR1 million.
Capital Requirements – Pillar I
The CRR sets out the requirement for banks to maintain a minimum quantity of regulatory capital and rules governing the quality of that capital. The quality of regulatory capital is considered by reference to two categories:
CET1 includes ordinary shares and reserves, and is the highest quality capital. There are eligibility criteria and deductions that must be followed to calculate the instruments that qualify for each tier.
The minimum capital requirement is a percentage of a bank’s total risk exposure amount calculated in accordance with the CRR.
The CRR requires maintenance of the following minimum capital ratios:
There is also a leverage ratio of 3%, which must be met with Tier 1 Capital.
An additional leverage ratio buffer for G-SIIs was introduced from 1 January 2023 under CRR II equal to the G-SII’s total exposure measure referred to in CRR II multiplied by 50% of the G-SII buffer rate applicable to the G-SII as detailed in the CRD.
Capital Buffers
The following four buffers are provided for under CRD:
Institutions are restricted from using CET1 that is maintained to meet the combined buffer requirement (ie, the CET1 required to meet the buffers above) to meet Pillar I requirements or Pillar II capital.
Pillar II Capital
The CBI has the power to apply additional capital requirements to Irish banks on a case-by-case basis. Any additional requirements will be based on the CBI’s assessment under its supervisory review and evaluation process, which looks at the specific risks of the firm. Non-binding guidance may also be issued to a bank in respect of further capital it is expected to hold.
Liquidity
The CRD/CRR framework provides for two liquidity ratios. The liquidity coverage ratio requires banks to hold high-quality unencumbered liquid assets, which must be sufficient to meet net cash outflows under a 30-day stress scenario.
A separate net stable funding ratio has been introduced under the CRR to address liquidity mismatches. This aims to ensure that the level of stable funding available to a bank is aligned with the level of funding it requires over the longer term, based on the liquidity risk profiles of assets and off-balance sheet exposures. The minimum level of available stable funding must be at least 100% of the required amount of stable funding.
MREL
Under BRRD and the Single Resolution Mechanism (SRM) Regulation (806/2014) (the “SRM Regulation”), banks must comply with a minimum requirement for own funds and eligible liabilities (MREL). The MREL should assist the bank in absorbing losses and restore its capital so that the bail-in resolution tool can be applied effectively. Under BRRD II and Regulation (EU) 2019/877 (SRM Regulation II), a number of changes align MREL with the FSB’s standard relating to total loss-absorbing capacity (TLAC) and implement the TLAC standard for G-SIIs (subject to transitional arrangements).
The CBI published its “Approach to Minimum Requirement for Own Funds and Eligible Liabilities (MREL)” in October 2021, which provides further information on the regime and CBI discretions.
Regulation (EU) 2022/2036 (Daisy Chain Regulation) (which was published in October 2022) made amendments to provisions in the CRR relating to MREL and TLAC, with regard to the treatment for the indirect subscription of instruments eligible for internal MREL. The Daisy Chain Regulation also makes consequential amendments to the BRRD. The amendments to the CRR relating to the indirect subscription of internal MREL eligible instruments within resolution groups will apply from 1 January 2024. The other provisions of the Daisy Chain Regulation applied from 14 November 2022.
Other
The CRD Regulations and the CRR provide other measures to address risks applicable to banks. These include measures in relation to credit valuation adjustment, disclosure requirements, reporting requirements, governance and remuneration requirements, credit risk adjustment and the ability of regulatory authorities to impose stricter macro-prudential measures.
The legal and regulatory framework governing the insolvency, recovery and resolution of banks in Ireland has undergone significant development since the global financial crisis of 2007/8, when Ireland implemented emergency legislation to address issues affecting domestic institutions. Since then, the EU has adopted BRRD and the SRM Regulation, which provide an EU framework for the recovery and, where necessary, resolution of EU banks.
Insolvency
One of the ways in which a failing bank can be addressed is through a liquidation process. The CBI has issued a document entitled “Central Bank of Ireland’s Approach to Resolution for Banks and Investment Firms (Second Edition) October 2021” (Approach Paper), which addresses credit institutions within the scope of the BRRD Regulations that are LSIs and are not part of a “cross-border group” as defined in the SRM Regulation, certain investment firms, holding companies and others. In the Approach Paper, the CBI comments that, in fact, the most likely method for the majority of failing institutions is through a CBI-involved winding-up (liquidation) procedure. Under the BRRD Regulations, where resolution conditions are met but the resolution authority considers a resolution action would not be in the public interest, it must be wound-up.
The Central Bank and Credit Institutions (Resolution) Act 2011 (the “Resolution Act”) provides that the Irish Companies Acts will apply to the winding-up of an Irish bank. However, the CBI has an important role under the Resolution Act. No person other than the CBI can present a petition to the High Court to wind up a bank, unless they have given the CBI notice and the CBI has confirmed that it does not object. In the latter case, the CBI will be a notice party to court applications and may make representations in court.
The Resolution Act sets out a number of specific grounds under which the CBI may present a petition for a winding-up order, such as where:
Under the Resolution Act, only a liquidator approved by the CBI may be appointed. Objectives for the appointed liquidators are set out in the legislation, with the protection of eligible depositors under the DGS being a priority.
Recovery and Resolution
BRRD and the SRM Regulation set out an alternative mechanism to resolve failing banks in a more orderly way, and seek to implement the original “Key Attributes of Effective Resolution Regimes for Financial Institutions” published by the FSB. BRRD provides authorities with tools to intervene at an early stage and in a swift manner in relation to a failing institution, to ensure the continuity of critical functions and minimise the impact of the institution’s failure on the economy and financial system. In its Approach Paper, the CBI states that burden-sharing is a driving principle of the resolution framework in order to mitigate moral hazard by ensuring that shareholders and investors bear losses from an institution’s failure.
As Ireland is part of the SSM, the SRM is applicable to Irish banks, and the SRM Regulation is directly applicable in Ireland.
The CBI is designated as the national resolution authority under the SRM and the national competent authority under the SSM. Broadly speaking, the Single Resolution Board (SRB) has responsibility in relation to the resolution of SIs or institutions that are subject to direct ECB oversight, and the CBI will have responsibility for the key resolution processes for LSIs that are subject to SRB oversight.
Resolution Tools and Powers
The framework includes the following elements:
Resolution authorities are also afforded write-down and conversion powers in respect of certain capital instruments. These can be implemented as part of a resolution action or separately, where certain conditions are met. BRRD II introduced a moratorium power that allows a resolution authority to suspend any payment or delivery obligations pursuant to any contract to which an institution is a party, where certain conditions are met.
BRRD provides requirements for institutions to include contractual provisions in certain contracts governed by non-EEA law in respect of powers under BRRD.
In its Approach Paper, the CBI has commented that resolution tools are generally used where, for example, a bank’s failure could cause financial instability or disrupt critical functions. Resolution tools would be used by the CBI where certain conditions for resolution are met, including, for example, where the CBI considers resolution to be in the public interest.
Resolution funds have been established in Ireland and at the EU level, in order to provide funding for the cost of resolution.
Protection for Depositors
The DGS protects eligible depositors in the event of a bank authorised by the CBI being unable to repay deposits. Objectives related to the protection of deposits eligible under the DGS are also built into both the liquidation and resolution frameworks.
DGS eligible deposits up to an amount of EUR100,000 are exempted from bearing losses in a bail-in process. Eligible deposits of natural persons and small and medium enterprises exceeding EUR100,000 receive a preferred status over certain other unsecured liabilities in a resolution process. Amendments have also been made to the Irish Companies Act 2014 to provide for preference to certain depositors in a liquidation of a BRRD institution so as to implement the Bank Creditor Hierarchy Directive ((EU) 2017/2399).
European Commission AML Legislative Package
On 20 July 2021, the European Commission presented a package of legislative proposals to strengthen the EU’s AML/CFT framework, elements of which will impact banks. A new EU AML Authority (AMLA) is to be established, which will directly supervise certain high-risk, cross-border institutions and act as the central authority co-ordinating national supervisory authorities.
The legislative package also included a new regulation that will contain directly applicable rules, including in relation to customer due diligence and beneficial ownership, and a revised regulation on transfer of funds, which will make it possible to trace transfers of crypto-assets.
The European Commission expects the AMLA to be operational in 2024 and to commence supervisory work slightly later.
Departures From the Irish Banking Market
In 2021, both Ulster Bank Ireland DAC and KBC Bank Ireland plc announced strategic plans to wind down Irish operations and exit the Irish market. Since the announcement by both entities of their plans to withdraw from the Irish market, they have both entered into arrangements to transfer existing assets to the remaining retail banks operating in Ireland, closed branches and engaged with customers to arrange account closures. These departures reduce the already small and concentrated retail banking sector in Ireland.
Application of Client Asset Requirements to Credit Institutions
The Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2022 (the “Investment Firms Regulation 2022”) were published on 23 June 2022. Part 6 of the Investment Firms Regulation 2022, contains the revised version of the Client Asset Requirements (CAR 2022), extending the application of the CAR 2022 to banks that perform MiFID II investment business.
The CBI expects credit institutions to commence preparations to ensure they will be able to fully comply with the CAR 2022 at the end of the transitional period, on 1 January 2024.
EU Banking Package 2021
On 27 October 2021, the European Commission adopted its Banking Package 2021 (the “Package”), which consists of legislative proposals to amend the CRD and the CRR – including a separate legislative proposal to amend the CRR and the BRRD in the area of resolution (known as the “daisy chain” proposal). The Package would also implement the Basel III reforms into EU law. Due to the detailed nature of the proposed changes comprised within the Package, the CRD VI and CRR III amendments are described in this document at a high level only.
The Council of the EU and the European Parliament reached provisional political agreement on the Package in June 2023. At time of writing, the Package remains to be formally approved by the European Parliament and the Council of the EU.
The Package aims to implement the Basel III agreement, including by ensuring internal models used by banks to calculate their capital requirements do not underestimate risks, and thus ensuring banks hold sufficient capital. The Package also aims to strengthen resilience without resulting in significant increases in capital requirements, and to lower compliance costs, particularly for smaller banks, without loosening prudential standards.
The Package seeks to increase the focus on sustainability in banking supervision, including proposals for regular climate stress testing by both supervisors and banks, consideration of ESG risks as part of regular supervisory reviews, and requirements on banks to disclose the degree of ESG risk exposure.
Another objective of the Package is to strengthen supervision powers, including establishing clear, robust and balanced “fit-and-proper” rules, for supervisors to assess whether senior bank staff have the requisite skills and knowledge. As a response to the WireCard scandal, the Package proposes to equip supervisors with better tools to oversee fintech groups, including bank subsidiaries.
The Package also seeks to harmonise EU rules on the establishment of EU branches of third-country banks, which is at present largely subject to national legislation with limited harmonisation across the EU. An undertaking established in a third country coming within scope of the new requirements to be introduced as part of the Package will be required to establish a third country branch and seek authorisation for that branch prior to commencing banking activities in that EU member state. By obtaining this authorisation, the third country branch will only be permitted to carry on banking activities in the EU member state where it has been established and will not be permitted to act on a cross-border basis. These requirements will not apply in circumstances where the third country undertaking is providing services on a reverse solicitation basis.
Outsourcing and Operational Resilience
Outsourcing and operational resilience have been hot topics for the CBI for some time and the subject of recent discussion papers and consultations. In December 2021, the CBI published its Cross-Industry Guidance on Outsourcing and its Cross Industry Guidance on Operational Resilience, demonstrating the CBI’s focus in these areas. As banks are already subject to the EBA Guidelines on Outsourcing, the impact of the outsourcing guidance is somewhat lessened, although banks will need to be alive to the CBI’s own focus areas.
The Digital Operations Resilience Act (DORA) entered into force on 16 January 2023. DORA comprises a regulation (Regulation (EU) 2022/2554) (the “DORA Regulation”) and a directive (Directive (EU) 2022/2556) on digital operational resilience for the financial sector. The DORA Regulation will be effective from 17 January 2025.
DORA is part of the European Commission’s Digital Finance Strategy and applies to a broad range of financial institutions, including credit institutions. DORA introduces requirements for in-scope entities in relation to information and communication technology (ICT) risk management, including in relation to testing of operational resilience frameworks, reporting requirements around ICT incident management and management of third-party ICT risk.
Credit Servicers Directive
The Credit Servicers Directive (CSD) was transposed into Irish law by the European Union (Credit Servicers and Credit Purchasers) Regulations 2023 (the “CSD Regulations”), which entered into force with effect from 30 December 2023. The purpose of the CSD is to create a comprehensive strategy to address the issue of non-performing loans (NPLs) throughout the EU and to prevent the excessive accumulation of NPLs on EU credit institutions’ balance sheets. The CSD imposes obligations on both credit servicers and credit purchasers of NPLs originated by EU credit institutions while also seeking to foster the development of secondary markets for NPLs in the EU. The CSD will seek to achieve this by removing impediments to, and laying down safeguards for, the transfer of NPLs by credit institutions to credit purchasers, while at the same time safeguarding borrowers’ rights.
The CSD imposes an authorisation requirement on credit servicers carrying out “credit servicing activities”. However, credit purchasers are not subject to an authorisation requirement under the CSD. The credit servicing activities that are within scope of the CSD include collecting or recovering from the borrower any payments due under a credit agreement, renegotiating with the borrower, administering any complaints and/or informing the borrower of any changes in interest rates or charges. As indicated by the government prior to the introduction of the CSD Regulations, the existing Irish credit servicing regime for sales of performing loans has been retained and will operate in parallel with the CSD Regulations.
Sanctions
The CBI, the Department of Enterprise, Trade and Employment and the Department of Foreign Affairs are the competent authorities with responsibility for the administration and enforcement of financial sanctions in Ireland as it relates to financial institutions. While financial sanctions have long been an important issue facing financial institutions, Russia’s invasion of Ukraine has seen an increased focus being placed on monitoring of individuals and entities subject to sanctions/restrictive measures.
Consumer Protection
As noted above, the CBI is currently undertaking a review of the CPC. The CPC is a set of principles and rules that RFSPs must follow when engaging with consumers of financial products and services. The purpose of this review of the CPC is to ensure that it remains fit for purpose in light of the evolving financial services landscape.
In addition, as mentioned above, the review of the CPC is being conducted in parallel with the development of the Business Standards as part of the Individual Accountability Framework which will aim to ensure that RFSPs act in the best interests of customers and act honestly, fairly and professionally when conducting their business activities.
The European Parliament has also recently published its Proposal for a Directive of the European Parliament and the Council on consumer credits. This proposed directive would repeal and replace the existing EU Consumer Credit Directive (Directive 2008/48/EC on credit agreements for consumers).
Irish Developments
Environmental, social and governance considerations are becoming an increasing area of regulatory focus. In November 2021, the CBI published a Dear CEO Letter addressed to RFSPs setting out the CBI’s expectations in relation to climate and broader ESG issues. The CBI will focus their supervisory expectations in five key areas: governance, risk management, scenario analysis, strategy and business analysis risk, and disclosures.
The CBI also announced the establishment of its Climate Risk and Sustainable Finance Forum, which seeks to bring together stakeholders to share knowledge and understanding of the implications of climate change for the Irish financial system. The Climate Risk and Sustainable Finance Forum held its inaugural meeting on 29 June 2022.
EU Developments
Significant ESG developments also continue to impact the financial services regulatory framework at European level.
In 2018 the European Commission released its Action Plan for financing sustainable growth, which sets out the regulatory road map of the EU in relation to ESG and sustainable finance. The action plan contains four legislative pieces: the Taxonomy Regulation, the Sustainable Finance Disclosure Regulation (SFDR), a regulation amending the benchmark regulation, and further amendments to delegated acts under MiFID II.
In June 2021, the EBA published a report on the management and supervision of ESG risks for credit institutions and investment firms, which sets out recommendations on how credit institutions can integrate ESG risks into business strategies, governance and risk management. This report should be considered in line with the disclosure publications under the CRR, the Taxonomy Regulation and the SFDR.
In accordance with Article 434a of the CRR, the EBA published, in January 2022, its final draft implementing technical standards (ITS) on Pillar III disclosures on ESG risks, which set out requirements for quantitative disclosure on ESG risks and provides for qualitative information on how institutions are embedding ESG considerations.
Developments in ESG affecting banking include the entry into force of the Corporate Sustainability Reporting Directive (CSRD) in January 2023, which amends the existing reporting requirements of the Non-Financial Reporting Directive (Directive 2014/95/EU) (NFRD). CSRD aims to make businesses more accountable by obliging them to disclose their impact on the environment and human rights. The reporting obligations will be introduced on a phased basis, with companies already subject to the NFRD falling within scope from 2024. Furthermore, on 31 July 2023, the European Commission adopted the European Sustainability Reporting Standards, which impose requirements on all entities subject to the CSRD in relation to the provision of information to investors on matters relating to sustainability.
The European Commission has also adopted a proposal for a Corporate Sustainability Due Diligence Directive (CSDDD), requiring certain companies to identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment. The CSDDD remains subject to negotiation amongst the EU institutions.
The Package will also introduce certain ESG reforms, in particular in relation to the inclusion by credit institutions of ESG risks in risk management and monitoring systems and the introduction of new reporting requirements for credit institutions in relation to ESG risks.
The Exchange
George’s Dock
IFSC
Dublin 1
Ireland
+353 1 470 6600
+353 1 470 6601
info@walkersglobal.com www.walkersglobal.com