Fintech 2024

Last Updated March 21, 2024

Ireland

Law and Practice

Authors



Walkers (Ireland) LLP is a leading international firm that provides legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers. Clients include Fortune 100 and FTSE 100 companies, and some of the most innovative firms and institutions across the financial markets. The firm has ten offices, in Bermuda, the British Virgin Islands, the Cayman Islands, Dubai, Guernsey, Hong Kong, Ireland, Jersey, London and Singapore. It regularly advises innovative fintech firms on legal and regulatory considerations arising from offering their products to the Irish and European market, often for the first time and in novel areas. It leverages its expertise in multiple areas of regulated financial services when assessing novel fintech proposals to provide clear mapping of product features that could trigger regulatory issues. It has also assisted start-up clients with novel offerings in engaging with the Central Bank of Ireland's Innovation Hub, which is only open to innovative services.

Ireland is home to well-developed and globally recognised technology and financial services sectors, and is one of the leading European jurisdictions for fintech activity. The Central Bank has recently recognised that the fintech sector is of increasing importance to both the Irish and EU financial services landscape and that the industry has seen significant growth in recent years.

IDA Ireland (the country's industrial development agency) reports that Ireland is the world's second-largest exporter of software, and that 16 of the top 20 global technology firms, 20 of the top 25 global financial institutions and the top three global enterprise software providers operate from the jurisdiction.

Ireland is also home to a large number of fintech firms and European global innovation labs and incubators. The Central Bank established its Innovation Hub in April 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of the existing formal regulator/firm engagement processes. The Central Bank will soon look to enhance the framework for engagement with the fintech and innovation sectors through the establishment of an Innovation Sandbox.

Increase in Fintech Activity in Ireland

Ireland is a popular location for firms seeking an EU base (more so following Brexit), so as to “passport” their Irish authorisations to provide services into other EU member states. Coinbase, Stripe, Gemini Payments and Kraken, for example, have obtained electronic money institution authorisations, which also allow for the provision of payment services. Virtual asset service providers (VASPs) are also establishing in Ireland, with Gemini, Zodia, Coinbase and Paysafe all recently being registered with the Central Bank.

Due to the evolution and increasing digitalisation of the financial services industry, fintech firms and traditional financial services firms have increasingly found themselves competing with each other as they seek to meet shifts in customer demands. Traditional financial services firms have adopted the use of technology in the services they provide, while fintech firms have sought to offer services that would historically have been the preserve of traditional financial services firms, such as the provision of credit and offering savings accounts to clients. Given the contraction of the traditional Irish retail banking market in recent years, these trends are likely to continue.

Domestic Initiatives

The government's strategy for the development of Ireland’s international financial services sector to 2026, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies. Ireland's sustainable finance strategy for the fintech sector was launched in October 2022 (and updated in March 2023), in order to support the development of innovative technology solutions to environmental, social and governance (ESG) challenges.

The Central Bank has continued its focus on the regulation of the conduct of regulated firms through the publication of Guidance on Operational Resilience and on Outsourcing, which, along with existing Guidance on IT and Cybersecurity Risks, requires regulated firms in the Irish market to review their frameworks. The recent introduction of the Central Bank's Individual Accountability Framework and enhancements to the existing Fitness & Probity Regime mean that the conduct of individuals within regulated firms will be a key focus for the Central Bank and the firms it regulates in the coming months and years.

With regard to the payments and e-money sector specifically, the Central Bank has focused its attention on a number of areas where firms operating in the fintech industry have been found to have deficiencies. In a Dear CEO letter addressed to payments and e-money firms in January 2023, the Central Bank highlighted issues in relation to safeguarding, governance, risk management, conduct and culture, financial and operational resilience and financial crime. In particular, the Central Bank requested that firms carry out an audit of their compliance with safeguarding requirements by the end of October 2023.

In a recent report, the Central Bank highlighted that it will be undertaking policy work and developing its supervisory expectations of regulated entities related to the use of artificial intelligence (AI) in financial services, including preparing for the implementation of the proposed EU regulation laying down harmonised rules on AI (the “AI Act”). The Central Bank will seek to understand how firms are using AI to deliver and support existing financial services, and to consider how AI could be used for new products, services and business models. It will make any necessary changes to its supervisory framework that it identifies based on the deployment of AI in practice, to ensure that it can continue to deliver on its regulatory and supervisory objectives.

In the short term, fintech developments in Ireland are likely to continue to focus on the payments sector, regtech, AI and blockchain, among other areas. From a regulatory or supervisory perspective, anti-money laundering (AML), outsourcing, operational resilience, data protection, individual accountability and governance are expected to remain key topics.

EU Legislative Developments

EU legislation is implemented into Irish law and/or is directly applicable. In the context of virtual assets, the Fifth Money Laundering Directive (Directive (EU) 2018/843 – 5MLD), as transposed into Irish law by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021, affects providers engaged in various services in respect of virtual assets. Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the “Crowdfunding Regulation”) provides a framework for equity and peer-to-peer lending-based crowdfunding within the EU, and allows operators of crowdfunding platforms to obtain authorisation as a crowdfunding service provider, which can be passported across the EU. The Crowdfunding Regulation came into force on 10 November 2021, with a transitional period for existing providers who sought authorisation under the Crowdfunding Regulation ending on 10 November 2023.

Other EU initiatives impacting fintech include the European Commission's September 2020 adoption of the Digital Finance Package (the “Digital Package”), which includes the far-reaching Markets in Crypto Assets Regulation (MiCA), which will apply in full in Ireland from 30 December 2024. Once fully in force, MiCA will create a legislative framework, setting out rules applicable to the issuance of crypto-assets and the provision of various services in relation to crypto-assets. MiCA will also put in place market abuse-type rules in relation to crypto-assets and an EU supervisory regime.

As part of the EU's package of reforms of AML legislation (the “EU AML Package”), the Commission proposed changes to the 2015 regulation on information accompanying transfers of funds, to subject crypto-asset services providers regulated under MiCA to the “travel rule” and render them obliged entities for AML/CFT purposes. The updated transfer of funds regulation will apply from 30 December 2024, to coincide with the commencement of MiCA.

On 18 January 2024, further developments in relation to the EU AML Package were announced, including that the Council of the EU and the European Parliament have reached a provisional agreement on the content of a new AML Regulation and a new Directive (AMLD6). Key AML rules applying to the private sector will be transferred from existing EU AML directives to the new AML Regulation, while AMLD6 will deal with the organisation of institutional AML systems at national level in each EU member state. The provisional agreement on an AML Regulation will harmonise rules throughout the EU, closing possible loopholes used by criminals to launder illicit proceeds or finance terrorist activities through the financial system. The agreement on AMLD6 will improve the organisation of national AML systems.

The EU distributed ledger technology (DLT) pilot regime commenced in March 2023, creating a sandbox for the trading and settlement of DLT financial instruments.

Of broader application is the EU Digital Operational Resilience Act (DORA), which entered into force in January 2023 and will apply from January 2025. DORA will apply to certain financial services firms with the objective of ensuring that entities operating in the EU financial services industry can withstand, respond to and recover from all types of ICT-related disruptions and threats. DORA also applies to critical ICT third-party service providers to the financial services industry, and provides for an oversight framework for such entities by the European Supervisory Authorities – ie, the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

As part of the Digital Finance Strategy and the Retail Payments Strategy, the Commission is actively involved in the ongoing review of Directive 2015/2366/EU (the Payment Services Directive – PSD2), by engaging in targeted consultations. The Eurosystem has a new framework for overseeing electronic payment instruments, schemes and arrangements, which, from 15 November 2022, covers crypto-asset-related services such as the acceptance of crypto-assets by merchants within a card payment scheme and the option to send, receive or pay with crypto-assets via an electronic wallet (the “PISA Framework”).

In response to the advancements in payments and financial services technologies and the increasing challenges faced by the industry with instances of fraud and financial crime, the Commission evaluated the PSD2 and found a number of positives in relation to the impact of the PSD2 framework. However, it also found some shortcomings. The review culminated in the publication of proposals for an updated Payment Services Directive (PSD3) and Payment Services Regulation (EU PSR). The proposed amendments include the strengthening of measures to combat payment fraud (see 14. Fraud for more information), improving the functioning of open banking, reinforcing the enforcement powers of national competent authorities, further improving consumer information and rights, and merging the legal frameworks applicable to electronic money and to payment services. The PSD3 and EU PSR are expected to take effect by the end of 2026, although the timeline is not yet clear.

On 26 February 2024, the Council of the EU adopted a proposal for a regulation regarding instant credit transfers in euro. Once in force, this regulation will provide for transfers of money within ten seconds at any time of day, including outside business hours, to any EU member state. Payment service providers that provide standard credit transfers in euro will be required to offer the service of sending and receiving instant payments in euro.

Online platforms and online service providers are now the subject of greater regulation in the EU following the introduction in recent months of Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector (Digital Markets Act – DMA) and Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act – DSA). The DMA applied from May 2023 to certain online “gatekeepers”, with the objective of creating a safer, fairer online environment for users of the services and providers to which it applies. The DSA applied from 17 February 2024 and together with the DMA forms a single set of rules to create a fairer digital space for users. The DSA is also supplemented by the Digital Services Act 2024 (the “Irish DSA”), which also entered force on 17 February 2024.

Lastly, the Commission has published a proposal for an AI Act, which aims to regulate the use and development of AI systems in the EU and ensure that fundamental rights, democracy, the rule of law and environmental sustainability are protected from high-risk AI, while also supporting AI innovation in the EU. On 9 December 2023, the European Parliament and the Council of the EU reached a provisional agreement on the AI Act, and the final text of the AI Act was published on 26 January 2024; it is expected to enter into force in the coming months. The obligations under the AI Act will be phased in over a period of 36 months, with the key obligations in place within 24 months.

In Consultation Paper 156 “Central Bank approach to innovation engagement in financial services” (the “Innovation Hub CP”), the Central Bank noted that the number of authorised payment institutions and electronic money institutions in Ireland has more than tripled in the last six years, with a tenfold increase in safeguarded funds held by this sector.

Outside of payments, which has driven the majority of fintech activity, it is notable that the number of registered VASPs and authorised crowdfunding service providers continues to increase.

Looking forward, the Central Bank has commented that most of the enquiries received by its Innovation Hub remain in the payments, blockchain and crypto sectors.

Other areas for innovation include regtech, insurance, digital identity and asset management. Firms are also looking to incorporate new technology, such as blockchain and AI, into their operations.

Fintech firms must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis.

Payments

In relation to the provision of payment services or the issuance of electronic money, the primary rules to be considered are:

  • the PSR, which transpose PSD2 into Irish law; and
  • the European Communities (Electronic Money) Regulations 2011 (EMR), which transpose Directive 2009/110/EC (the “Electronic Money Directive”) into Irish law.

The domestic Irish regime governing money transmission businesses under the Central Bank Act (CBA) 1997 may be relevant to a money transmission service falling outside the PSR.

Banking

Challenger banks seeking to undertake “banking business” require a bank licence under the CBA 1971 and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) (as amended) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU). Banking business, in summary, means any business that consists of or includes receiving money on own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account. Licensing decisions are taken by the European Central Bank.

Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” in their name, as this is restricted under the CBA 1971.

Regtech

Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland, as it will typically involve supporting technical services rather than regulated financial services. However, a case-by-case analysis is required.

Investment Services/Asset Management

Depending on the services provided, a fintech firm providing investment services or asset management solutions may be subject to regulation. For example, if the activities constitute “investment services” in respect of “financial instruments” for the purposes of European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment services include the provision of investment advice, the receipt and transmission of orders, the execution of orders on behalf of clients and the provision of portfolio management services.

Crowdfunding

The operation of a loan or investment-based crowdfunding platform is a regulated activity under the Crowdfunding Regulation.

Blockchain

Firms providing software or blockchain solutions will need to examine the particular service they are offering and the activities they are undertaking in order to assess whether a licence or registration is required. Crypto-asset service providers (CASPs) need to consider whether AML rules applicable to VASPs (see below) and, in the longer term, MiCA are applicable.

Anti-Money Laundering

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010), implements European AML rules into Irish law. The CJA 2010 was amended in 2021 to implement 5MLD to include a registration requirement for VASPs, which include persons engaging in:

  • exchange services between virtual assets and/or virtual assets and fiat currencies;
  • transfers of virtual assets;
  • the provision of custodian wallet services; and/or
  • participation in, and provision of, financial services related to an issuer’s offer or sale of virtual assets.

On 16 January 2024, the EBA released its updated Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions. The updates cover the risks associated with CASPs and the steps CASPs and other credit and financial institutions should take to manage these risks.

Security Requirements

Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD2 (eg, strong customer authentication) if they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber-risks. Such guidance includes the EBA's revised Guidelines on ICT and security risk management, applicable to credit institutions, certain investment firms, payment institutions and electronic money institutions, and the Central Bank's September 2016 Cross-Industry Guidance in respect of Information Technology and Cybersecurity Risks. DORA and the Central Bank's Guidance on Outsourcing and on Operational Resilience also set out specific requirements for certain financial institutions in the context of the security of network and information systems. Other cybersecurity and criminal legislation or guidance may also be relevant.

Furthermore, the technical, operational and organisational cybersecurity measures contained in Directive (EU) 2022/255 (NIS2) will be applicable to in-scope essential and important entities, which include cloud computing service providers, by the end of 2024.

Data Privacy

Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of their regulatory status or the services being provided.

The GDPR was designed to be technology-neutral, meaning that it protects personal data no matter what technology is used or how the personal data is stored. However, such neutrality means that fintech firms will be presented with challenges when navigating the obligations imposed by the GDPR, and will need to consider:

  • transfers of personal data to countries outside the EEA;
  • the provision of transparent and accessible privacy notices;
  • the principles of “privacy by design” and “privacy by default”;
  • the implementation of risk-based data security measures;
  • data breach reporting obligations; and
  • the enhanced rights of data subjects, including the right to be forgotten and the right to data portability.

Individual Accountability Framework and Fitness and Probity Regime

Fitness and Probity (F&P) Regime

The Central Bank’s F&P Regime was established under the Central Bank Reform Act 2010 and applies to persons performing certain roles in regulated financial service providers (RFSPs), including fintech firms regulated by the Central Bank. It applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs are a sub-set of CFs and include directors, chairs of the board and committees, the chief executive and heads of certain internal control functions, amongst other functions.

A regulated firm must not permit a person to perform a CF or PCF unless:

  • it is satisfied on reasonable grounds that the person complies with the Central Bank’s Standards of Fitness and Probity (the “Standards”);
  • the person has agreed to comply with the Standards; and
  • the firm has issued a certificate of compliance with the Standards. 

PCF appointments must be approved by the Central Bank and persons may be interviewed by the Central Bank as part of the assessment process.

Individual Accountability Framework and the Senior Executive Accountability Regime (SEAR)

The Central Bank (Individual Accountability Framework) Act 2023 (the “IAF Act”) introduced, amongst other things, a requirement for persons in CF and PCF roles in regulated firms to take any steps reasonable in the circumstances to ensure that certain prescribed conduct standards are met. Business standards will also be imposed on regulated firms in due course.

The requirements in respect of the conduct standards were introduced with effect from 29 December 2023.

The SEAR will initially apply to a limited range of regulated firms, including credit institutions, insurance undertakings and certain investment firms, and will not take effect until July 2024. Fintech firms will generally not be in these categories, but the SEAR will be applied to other sectors on a phased basis.

The obligations created by the SEAR include:

  • the imposition of a new statutory Duty of Responsibility on all individuals holding a PCF role to take reasonable steps to avoid a contravention by the firm of its obligations under financial services law in respect of activities of the firm for which the PCF holder is responsible; and
  • in-scope RFSPs are required to prepare documented Statements of Responsibility for each individual holding a PCF role, and must also prepare a Management Responsibilities Map detailing their key management and governance arrangements.

The permissible compensation models for fintech firms will depend on the type of service they provide, their customer base and regulatory status, and the rules applicable to those services or customer types. Disclosure requirements in relation to fees and charges will also depend on these factors.

As a general rule, there is no differentiation between services provided by fintech firms or legacy players. However, some regulated services or activities are more likely to be performed by fintech firms.

There is currently no regulatory sandbox in Ireland. The Central Bank established an Innovation Hub in 2018 to provide a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies, outside of existing formal regulator/firm engagement processes.

In November 2023, the Central Bank published a consultation paper outlining the enhancements it is seeking to introduce to improve the current Innovation Hub, and detailing its proposal to introduce a new Innovation Sandbox to allow innovative firms to engage with the relevant Central Bank experts rather than provide firms with a waiver from regulatory requirements. The consultation closed on 8 February 2024.

As part of the Digital Package, the EU DLT pilot regime commenced in March 2023, creating a sandbox for successful applicant operators of market infrastructures to conduct the trading and settlement of DLT financial instruments.

The Central Bank is the financial services regulator in Ireland, with responsibility for the authorisation and supervision of financial services providers. It supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.

The European Central Bank is the competent licensing authority for new Irish credit institutions (banks), and supervises significant credit institutions directly under the Single Supervisory Mechanism.

The Data Protection Commission is the Irish supervisory authority for the GDPR.

The Irish DSA designates Coimisiún na Meán as the designated Digital Services Co-ordinator in Ireland, implementing and enforcing the DSA in Ireland. The Competition and Consumer Protection Commission is also designated as a competent authority under the Irish DSA in relation to certain matters relating to online marketplaces.

If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service, unless it can rely on an exemption.

Separately, a number of rules and requirements may apply to already regulated firms that are engaged in outsourcing regulated and unregulated functions. These are generally sector-specific – eg, the PSR and MiFID II contain outsourcing requirements that are relevant to in-scope firms.

By contrast, the Central Bank Cross-Industry Guidance on Outsourcing (the “CBI Outsourcing Guidance”) applies across sectors to all regulated firms and must be considered alongside specific outsourcing rules under the various sectoral legislation. The CBI Outsourcing Guidance is heavily influenced by the EBA Guidelines on outsourcing arrangements (the “EBA Outsourcing Guidelines”), which are applicable to credit institutions, certain investment firms, payment institutions and electronic money institutions, and set out a number of requirements for internal governance and risk management, as well as specific requirements in relation to outsourcing contracts. These requirements include the vendor agreeing to provide access and audit rights for the regulated firm and its regulators for critical or important functions.

ESMA has also implemented guidelines on outsourcing to cloud service providers (the “ESMA Cloud Guidelines”), which apply to a broad range of RFSPs falling under ESMA's remit. In-scope entities had to review and amend their cloud outsourcing arrangements to align with these requirements by 31 December 2022. The EIOPA has also published guidelines on outsourcing to cloud service providers (the “EIOPA Cloud Guidelines”).

The extent to which any fintech provider is deemed a “gatekeeper” for activities on its platform will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements or may fall within the scope of Irish AML legislation. Where AML legislation is applicable, fintech providers may be required to undertake customer due diligence and may be subject to an obligation to identify, escalate and report transactions they deem suspicious or unlawful to the authorities.

The Criminal Justice Act 2011 imposes a reporting obligation on a person who has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence”, who must disclose this information to the Garda Síochána (the Irish police force).

The DMA entered into force on 1 November 2022 and became applicable from May 2023. It requires gatekeepers that have established a “core platform service” – search engines, social networking services, app stores, web browsers, etc – to abide by various requirements around fairness and transparency.       

The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities.

It is noteworthy that the Irish authorities have successfully confiscated cryptocurrencies that were determined by the Irish courts to be the proceeds of crime (CAB v Mannion (2018) IEHC 729). In Trafalgar Developments Limited v Mazepin [2019] IEHC 7, the court granted worldwide freezing orders and disclosure orders over cryptocurrency wallets. In recent editions of its annual reports, the Irish Criminal Assets Bureau (CAB) has noted that it has made a number of seizures of various forms of cryptocurrencies, including Bitcoin and Ethereum.

Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland, including data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.

The DSA and the DMA form a single set of rules to create a fairer digital space for users. The DMA became applicable from May 2023 and applies to online gatekeepers that reach certain turnover volumes. The DSA entered into force on 16 November 2022 and has applied from 17 February 2024; the Irish DSA came into force on the same date and gives further effect to the DSA. The DSA and the Irish DSA regulate online intermediaries and platforms such as online marketplaces, large online search engines, social networks, online travel and accommodation platforms and internet access providers. The DSA aims to introduce better protection of individuals' fundamental rights online while also addressing systemic risks such as the spread of disinformation online.

Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. In 2023, the Central Bank required Irish payment and e-money firms, which are required to safeguard users’ funds, to obtain a specific audit of their compliance with the safeguarding requirements under the PSR/EMR by an external audit firm.

A broad range of authorities may be relevant during a firm's life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges and the Financial Services and Pensions Ombudsman.       

For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless it is restricted by its financial services licence. Under both the PSR and EMR, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.

The Consumer Protection Code 2012 (CPC) applies to Irish regulated entities and EEA firms operating in Ireland on a branch basis or cross-border basis, and primarily affects services provided to consumers. Under certain circumstances, the CPC can require regulated entities to provide regulatory disclosure statements, which must relate solely to a regulated activity, and to have separate sections on their websites for regulated activities and any other activities.       

The applicability of AML rules will depend primarily on whether a fintech company falls within the categories of “designated persons” under the CJA 2010. Where a fintech firm is regulated by the Central Bank, it will typically be a designated person, as would VASPs (which are not “regulated” but require an AML registration).

Designated persons are obliged to:

  • carry out a money laundering/terrorist financing risk assessment of their business;
  • undertake customer due diligence;
  • carry out ongoing monitoring of customers and customer transactions;
  • file suspicious transaction reports with investigating authorities in instances where money laundering or terrorist financing is known or suspected;
  • maintain and implement AML/CFT policies, procedures and controls;
  • retain appropriate records;
  • provide AML/CFT training to all staff on an ongoing basis; and
  • implement an appropriate AML governance framework.

EU and Irish financial sanctions rules will apply to all fintech firms regardless of authorisation status.       

The EBA Glossary for Financial Innovation defines robo-advisers as applications that “combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisers may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions”.

While the specific services and business models of robo-advisers will vary, once the activities of a robo-adviser constitute MiFID II “investment services” in respect of “financial instruments”, it will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.

The MiFID II investment services most likely to be triggered by robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include:

  • transferable securities;
  • units in collective investment undertakings;
  • certain options, futures, swaps and other derivatives; and
  • emissions allowances.

MiFID II investment firms are subject to extensive conduct of business rules when providing investment services. The authorisation requirements and process will help shape and define a MiFID II investment firm’s business model.

The MiFID Regulations requirements in relation to suitability assessments will also affect robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability – which define robo-advice as “the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool” – are stated to be particularly applicable to robo-advisers, given the limited amount or total absence of human involvement in the investment service performance process.

MiCA introduces an authorisation requirement for CASPs providing certain services in relation to crypto-assets, including where the CASP undertakes the receipt or transmission of orders for crypto-assets on behalf of clients, the execution of orders for crypto-assets on behalf of clients, providing advice on crypto-assets and providing portfolio management of crypto-assets. Therefore, developers of robo-advisers in this asset class will also need to consider their regulatory position in advance of MiCA entering into force.

No information is available in this jurisdiction.

A robo-adviser that is authorised under the MiFID Regulations and executes orders on behalf of clients is subject to the MiFID II rules, including the client order handling rules and the obligation to execute orders on terms most favourable to its clients. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders. MiCA will introduce best execution requirements for CASPs.

There are significant differences between the regulation of lending to individuals and to companies in Ireland.

Commercial Lending

Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland, although AML registration may be required.

The Crowdfunding Regulation facilitates peer-to-peer business lending, with crowdfunding service providers authorised to facilitate the granting of loans. Crowdfunding service providers can also perform individual portfolio management of loans for investors within certain criteria.

Loans to Individuals and SMEs

By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. This is a domestic Irish requirement. The scope of the Irish retail credit regime captures credit agreements, including buy-now-pay-later products or other indirect credit, as well as hire-purchase agreements and consumer-hire agreements. The Consumer Credit Act, 1995 contains another domestic-only regime, whereby a person who engages in providing “high-cost credit” to consumers is required to obtain authorisation in certain circumstances.

Lending to individuals acting outside their business is subject to the requirements of a range of consumer protection legislation. Additional rules apply in respect of mortgage lending.

RFSPs (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the CPC and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (the “SME Regulations”).

Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and SMEs requires authorisation in certain circumstances under the CBA 1997. This regime also applies to hire-purchase agreements and consumer-hire agreements.

Separately, a new EU-wide credit servicers directive (Directive (EU) 2021/2167 – CSD) has been introduced and regulates credit servicers in certain circumstances. The CSD has been transposed into Irish law, with effect from 30 December 2023, and imposes obligations on both credit servicers and credit purchasers of non-performing credit agreements issued by EU credit institutions. In-scope credit servicers that are authorised in their home state under the CSD regime can passport their services across the EU.

Irish conduct of business rules and legislation require creditworthiness or suitability assessments in certain circumstances; for example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.

Ireland has established a Central Credit Register (CCR) under the Credit Reporting Act 2013, which lenders must check before advancing in-scope credit; the Act also requires lenders to report information relating to certain loans and borrowers.

Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.

Dedicated lending entities – eg, a retail credit firm – may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending – eg, via a crowdfunding service provider.

It is not typical for consumer loans or loans to small businesses to be syndicated. Where peer-to-peer lending is taking place, there may be multiple bilateral loan agreements. The Crowdfunding Regulation provides a European framework for peer-to-peer lending platforms.

Payment processors may use existing payment infrastructure or create or implement new payment rails, as long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.

Cross-border payments may be regulated under the PSR, which includes services such as the execution of various forms of payment transactions, issuing payment instruments and money remittance. There are also requirements in respect of wire transfers, credit transfers and direct debits – eg, the Single Euro Payments Area (SEPA). The PISA Framework is also relevant to companies enabling or supporting the use of payment cards, credit transfers, direct debits, e-money transfers and digital payment tokens, including e-wallets.

Fund administrators in Ireland are generally authorised pursuant to the Investment Intermediaries Act 1995 (IIA) but may also be authorised pursuant to the MiFID Regulations, depending on the types of activities to be undertaken.

In addition, fund administrators are subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2023, the Central Bank's Investment Firms' Q&A and the Investor Compensation Act 1998.

Boards of directors of Irish investment funds and fund management companies (“Boards”) require administrators to enter into service-level agreements setting out in granular detail the services described in the administration agreement and the parties' expectations in terms of timing, performance, escalation of issues and actions to be taken in the event of non-compliance with specific provisions of the service-level agreement.

In addition, following increased regulatory focus on the overseeing of service providers, which has resulted in increased importance for the contractual terms relating to ongoing reporting by the fund administrator, administrators are being requested to provide key performance indicators as part of their quarterly reporting to Boards in respect of services such as the calculation and release of the net asset value (NAV).

The increasing reliance by firms operating within the global financial sector on IT has led to regulators and firms alike focusing on improving cybersecurity, operational resilience and data protection within the financial industry. As fund administrators maintain trading data, account details and extremely sensitive investor information, they are at particular risk from the evolving sophistication of cyber-attacks and the heightened frequency of data breaches. Accordingly, Boards are increasingly seeking to impose contractual terms that ensure fund administrators have appropriate IT and cybersecurity risk management procedures and frameworks in place to protect against cybercrime and data breaches, as well as IT disaster recovery and business continuity planning arrangements encompassing the recovery and resumption of daily operations should a disruptive event occur. These provisions stem not only from the sharpened focus of regulators on data protection and the management of cybersecurity across the financial sector, but also from an increasing industry awareness of the devastating financial and reputational implications that a successful cyber-attack could have.

Fund administrators are likely to be contractually obliged to report any data breaches and cybersecurity issues that may impact their client. They may also be subject to industry guidance and best practice in this regard.

Crowdfunding Platforms

The activity of operating a peer-to-peer crowdfunding platform is regulated under the Crowdfunding Regulation, which provides a European framework for loan and investment-based crowdfunding. In summary, it provides for a single set of rules that apply to crowdfunding offers in the EU up to EUR5 million over a 12-month period. A platform operator can become authorised as a crowdfunding service provider and can provide crowdfunding services across the EU on the basis of its home state authorisation.

Payment Services Providers

Payment services involving fiat currencies will typically have to be carried out by a regulated payment services provider.

Investment Services, Exchanges and Trading Platforms

The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of investment firms and various types of securities exchanges, including market operators, regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

Crypto-Asset Exchanges

The operation of a crypto-asset exchange from Ireland, involving exchange services between virtual assets and/or virtual assets and fiat currencies, will require registration as a VASP. Where a crypto-asset amounts to a MiFID financial instrument, a crypto-exchange will be subject to regulation under the MiFID Regulations.

Crypto-exchanges should also consider whether they are providing payment services and/or electronic money (where issuing their own tokens). Once applicable, MiCA will regulate the operation of crypto-asset exchanges, which is a regulated service that will require authorisation.

No information is available in this jurisdiction.

The implementation of 5MLD brings providers of exchange services between various virtual assets and between virtual assets and fiat currencies within the scope of Irish AML legislation.

MiCA will regulate the provision of crypto-asset exchange services and the operation of a trading platform for crypto-assets. MiCA will apply to persons and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner. However, where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of the MiCA authorisation requirement, although each model will need to be considered separately.

No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Exchanges for MiFID II financial instruments established under the MiFID Regulations will usually have detailed listing/admission to trading rules to ensure transparency and compliance with applicable laws and regulations (eg, the Euronext Dublin Listing Rules); rules in relation to the requirement to publish a prospectus may also be relevant. MiCA will also require CASPs operating a trading platform for crypto-assets to have detailed operating rules.

No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms when executing orders in MiFID II financial instruments. MiCA sets out requirements for the execution of orders in relation to crypto-assets by CASPs.

No information is available in this jurisdiction.

No formal best execution standards apply to an unregulated platform in Ireland; general contractual principles should apply.

Detailed best execution standards apply for MiFID II investment firms dealing in MiFID II financial instruments and, under MiCA, rules will apply to the execution of orders in relation to crypto-assets by CASPs.

The MiFID II inducements, conflicts of interest and best execution rules will apply to all MiFID II investment firms, including in the context of payment for order flow (PFOF). PFOF is the practice of brokers receiving payments from third parties for directing client order flow to them as execution venues.

In February 2021, the chair of ESMA stated: “The phenomenon of zero-commission trading needs to be looked at in more detail. To be sure, such lower costs for retail investors are a welcome development, given the importance of costs in determining investors’ long-term returns. However, there is no such thing as a free lunch. Payments for order flow from third parties such as market makers may substitute commissions that are otherwise paid by clients, creating conflicts of interest and resulting in less transparency for retail clients. In my view, the practice of payment for order flow needs to be carefully assessed against the MiFID II requirements on conflicts of interest, best execution and inducements.”

In a public statement issued on 13 July 2021, ESMA restated its concerns regarding investor protection, conflicts of interest and best execution, and inducements and cost transparency. ESMA considers that, in most cases, it is unlikely that PFOF could be compatible with MiFID II and its delegated acts.

On 16 January 2024, the European Parliament voted to adopt drafts of a Markets in Financial Instruments Regulation (MiFIR) amending regulation (the “MiFIR Update”) and amendments to MiFID II. One of the key aspects of the draft MiFIR Update is that it prohibits financial intermediaries, when acting on behalf of retail clients or clients that have opted up to the professional client, from receiving a fee, commission or non-monetary benefit from any third party for their execution on a particular execution venue, or for forwarding orders of those clients to any third party for their execution on a particular execution venue.

The agreed compromise text of the MiFIR Update gives EU member states discretion to allow such PFOF to continue the practice (prior to the MiFIR Update entering into force) of exempting investment firms under their jurisdiction from this overall prohibition until 30 June 2026.

Under MiCA, CASPs receiving and transmitting orders for crypto-assets on behalf of clients are prohibited from receiving any remuneration, discount or non-monetary benefit in return for routing orders received from clients to a particular trading platform or to another CASP.

In addition to domestic requirements, Ireland has implemented EU securities markets legislation, some of which is directly applicable. These measures include:

  • the Prospectus Regulation;
  • the Market Abuse Regulation;
  • the Transparency Directive;
  • the Short Selling Regulation;
  • the Securities Financing Transaction Regulation;
  • Regulation 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories (EMIR); and
  • MiFID II.

MiCA will introduce provisions to prevent and prohibit market abuse involving certain crypto-assets, as well as white paper requirements for crypto-asset issuances.

See 9.2 Regulation of Unverified Information and 9.3 Conversation Curation in relation to market abuse.

The primary method of regulating these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments.

For asset classes outside the scope of regulation under the MiFID Regulations, it would be important to consult the requirements applicable to the particular asset class.

Specific, detailed rules apply where a MiFID II investment firm engages in algorithmic trading to pursue a market-making strategy. These include carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours, and entering into a binding written agreement with the trading venue.

No information is available in this jurisdiction.

Programming is not a regulated activity in Ireland. If programs or programmers are carrying out regulated activities, he applicable regulations will be relevant, but this will need to be assessed on a case-by-case basis.

DeFi presents challenges for EU regulatory authorities, as it does not sit neatly within the existing regulatory landscape. For example, MiCA, which revolves around the regulation of intermediaries and/or central authorities, does not regulate DeFi. MiCA is likely to be the subject of ongoing review to ensure that it adapts and keeps pace with technological developments such as DeFi.

Platforms providing financial research are not specifically regulated by the Central Bank. However, participants and platforms should consider whether a regulated investment service is being provided.

MiFID

The provision of investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments is an ancillary service under Part 2 of Schedule 1 of the MiFID Regulations. The provision of this service without any other MiFID II investment services would not trigger a requirement for authorisation as a MiFID II investment firm.

In contrast, the provision of investment advice (as defined in MiFID II) in relation to MiFID II financial instruments is an activity requiring authorisation under the MiFID Regulations, unless an exemption applies.

The MiFID Regulations and Commission Delegated Regulation (EU) 2017/565 provide requirements in relation to conflicts of interest and inducements that apply to regulated MiFID II investment firms in relation to research.

The IIA

The IIA regulates the provision of investment advice in relation to investment instruments, with certain exemptions. The IIA definition of investment instruments captures certain instruments that are not MiFID II financial instruments and certain activities or firms that might fall outside the MiFID Regulations.

The Market Abuse Regulation

The Market Abuse Regulation (Regulation (EU) 596/2014 – MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“market abuse”), and measures to prevent market abuse.

MAR prohibits insider dealing, the unlawful disclosure of inside information and market manipulation. Market manipulation is broadly defined to include disseminating information through the media, including the internet or by any other means, that gives or is likely to give false or misleading signals as to the supply of, demand for or price of a financial instrument, a related spot commodity contract or an auctioned product based on emission allowances, or that secures or is likely to secure the price of one or several MiFID II financial instruments, a related spot commodity contract or an auctioned product based on emission allowances at an abnormal or artificial level, including the dissemination of rumours, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.

Recital 48 to MAR confirms that, given the rise in the use of websites, blogs and social media, disseminating false or misleading information via the internet (including through social media sites or unattributable blogs) should be considered to be equivalent to doing so via more traditional communication channels for the purposes of MAR.

In summary, MAR applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, or traded on an OTF and certain other financial instruments, the price or value of which depends or has an effect on the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue.

Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (the “MAR Regulations”), is an offence in Ireland. The MAR Regulations also provide certain civil sanctions for breaches of MAR. In October 2023, the first ever conviction in Ireland for the offence of “insider dealing” was handed down by Dublin Circuit Criminal Court, with the accused being fined approximately EUR70,000.

Central Bank focus

The Central Bank has increased its focus on market abuse compliance by issuers, firms and their advisers, and published “Dear CEO letters” to the industry in July 2021 detailing the key findings from its 2020 industry-wide review of MAR compliance and its expectations of various industry stakeholders. The Central Bank also issued a letter in July 2023 to related market participants regarding the findings of its 2022 Market Abuse Thematic Review carried out to assess the measures established and implemented by trading venues to prevent, monitor, detect, identify and report potential or actual instances of market abuse to the Central Bank. The Central Bank recently published details of an enforcement action taken against a firm on foot of breaches of MAR. This enforcement action is evidence of the Central Bank's focus on MAR compliance and the importance the Central Bank places on firms’ abilities to monitor, detect and report suspected market abuse, a critical part of protecting the integrity of financial markets.

ESMA's position

ESMA has advised retail investors to be careful when taking investment decisions based exclusively on information from social media and other unregulated online platforms if they cannot verify the reliability and quality of that information. This ESMA statement also notes that organising or executing co-ordinated strategies to trade or place orders under certain conditions and at certain times to move a share’s price could constitute market manipulation.

ESMA noted that special care should be taken when posting information on social media about an issuer or a financial instrument, as disseminating false or misleading information may also be market manipulation, and when disseminating investment recommendations through any media, including social media and online platforms.

In August 2021, ESMA published its Guidelines on marketing communications under the Regulation on cross-border distribution of funds, which include requirements for marketing communications via social media; in October 2021 it published a statement on investment recommendations on social media. In January 2022, the European Supervisory Authorities published a joint response to the Commission's Call for Advice on digital finance and related issues, which, among other points, noted the “rise of so-called finfluencers – individuals with a wide social media reach, discussing money-related topics and sometimes offering financial recommendations”. In December 2023, ESMA published a discussion paper containing a number of recommendations to national competent authorities, firms subject to MiFID II and their clients on a number of investor protection topics linked to digitalisation, including on online disclosures, digital tools and marketing practices such as the use of finfluencers and gamification under MiFID II.

MiCA

MiCA will introduce provisions to prevent and prohibit market abuse involving crypto-assets admitting to trading.

The MAR prohibition on market manipulation (including attempted market manipulation) includes a prohibition on “taking advantage of occasional or regular access to the traditional or electronic media” to voice opinions about in-scope instruments with a view to profiting from the impact of those opinions, without having simultaneously publicly disclosed that conflict of interest.

MAR is also intended to ensure that the prohibitions against market abuse should cover those persons who act in collaboration to commit market abuse, so the platform should ensure it takes steps to avoid being seen to collaborate with such activity.

Liability under the MAR Regulations can also attach to an entity that collaborates or facilitates market abuse/manipulation. MAR also requires member states (including Ireland) to put mechanisms in place to allow for the reporting of infringements of MAR (ie, whistle-blowing mechanisms).

Similar considerations will also apply under MiCA, in relation to crypto-assets.

The EU’s Solvency II regime (as implemented in Ireland) applies to the majority of Irish (re)insurance undertakings, including the underwriting process of these undertakings. It sets out detailed requirements around capital, governance and risk management in Irish and EU authorised (re)insurance undertakings.

In broad summary, Solvency II undertakings must obtain an authorisation under the European Union (Insurance and Reinsurance) Regulations 2015 to carry on life insurance business, non-life insurance business, or both.

Generally speaking, the provision of regtech services is less likely to be a regulated activity in Ireland, as it will typically involve supporting technical services rather than regulated financial services. However, certain exceptions to this position could apply, depending on the nature of the regtech service performed and the nature of the entity to which such services are provided. Therefore, a case-by-case analysis is required.

Depending on the particular service provided and the particular financial services firm receiving that service, the legal and regulatory requirements governing outsourcing may apply, and this will affect the contractual provisions required.

The CBI Outsourcing Guidance

Outsourcing is a particularly topical issue for the Central Bank. The CBI Outsourcing Guidance applies to all Irish regulated firms and is to be implemented alongside any specific sectoral legislative outsourcing requirements. It imposes similar contractual requirements to the EBA Outsourcing Guidelines (which apply directly to credit institutions, certain investment firms and payments/e-money institutions).

The EBA Outsourcing Guidelines

The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. Specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The EBA has commented that it is imperative that business continuity and data protection are appropriately considered when outsourcing IT or data services. The ESMA Cloud Guidelines and the EIOPA Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis.

Regtech providers may have legal and regulatory or contractual obligations to notify certain behaviour, depending on their regulatory status and contractual arrangements, the sector in which they operate and the information and material with which they come into contact.

Traditional domestic and international institutions operating in Ireland are investigating the use of blockchain, and certain institutions have conducted trials in this area, including in the area of payments. Ireland is also home to a number of crypto-led businesses and this population is expected to grow.

The Central Bank's Approach

Firms providing certain services in relation to crypto-assets are required to register as VASPs (see 2.2 Regulatory Regime and 2.13 Impact of AML and Sanctions Rules for more detail). The Central Bank will also be the competent authority in Ireland under MiCA.

Outside of these processes, the Central Bank has issued consumer explainers and warnings regarding the risks of virtual currencies and initial coin offerings (ICOs), and remains cautious on the benefits and risks of crypto. However, it has acknowledged that technological innovation is a key feature of the environment in which it seeks to deliver its mandate.

Please also see 12.6 Regulation of Funds in relation to the Central Bank's approach to investment in digital assets by funds.

Ireland for Finance

The government's international financial services sector strategy document to 2026, Ireland for Finance, includes actions to help drive fintech, including blockchain technologies.

Funds Sector Review 2030

In June 2023, the Department of Finance published a consultation entitled “Funds Sector 2030: A Framework for Open, Resilient & Developing Markets”, forming a wide-ranging review of the funds sector in Ireland. The review is designed to be both holistic and extensive, representing a significant opportunity to fully unlock the potential of the asset management and fund servicing industry in Ireland. One of the key areas being examined in the review is how technological change and innovation will influence the future development of the sector.

The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender, and has also issued a consumer warning regarding the risks of ICOs.

Definition of “Virtual Assets” and “Crypto-Assets”

While 5MLD includes a definition of “virtual currencies”, the implementation of the VASP regime into the CJA 2010 instead predominantly uses the term “virtual asset”, which aligns Irish legislation with the relevant Financial Action Task Force (FATF) recommendations. The Irish legislation defines “virtual asset” as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets”.

MiCA sets out the following definitions for in-scope blockchain assets:

  • asset-referenced token – “a type of crypto-asset that is not an electronic money token and that purports to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies”;
  • electronic money token or e-money token – “a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency”; and
  • utility token – “a type of crypto-asset that is only intended to provide access to a good or a service supplied by its issuer”.

Blockchain assets and/or services in relation to those assets may fall within existing regulatory regimes and the legal classification of a particular blockchain asset may vary, depending on its features. MiCA will not apply to MiFID II financial instruments nor to “funds” as defined in PSD2 (unless they qualify as electronic money tokens), with the intention that crypto-assets falling under existing EU legislative acts on financial services should remain regulated under the existing regulatory framework.

MiFID II Definition of Transferable Securities' Significance to Regulatory Approach

The European Union (Markets in Financial Instruments) (Amendment) (No 4) Regulation 2022 amended the definition of “financial instrument” contained in the MiFID Regulations to include financial instruments issued by means of DLT.

One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security. Given the variance in structure among blockchain assets, it is necessary to analyse individual blockchain assets against the criteria for the MiFID II financial instrument of “transferable securities”, defined under Article 4 (1) (44) of MiFID II as those “classes of securities which are negotiable on the capital market, with the exception of instruments of payment, such as:

  • shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
  • bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
  • any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures”.

A blockchain asset that is determined to be a transferable security falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR.

Certain types of crypto-assets could qualify as units in collective investment undertakings (another MiFID II financial instrument), most likely alternative investment funds, and thus the Alternative Investment Fund Managers Directive (Directive 2011/61/ EU) (AIFMD) may be relevant, taking into account the criteria set out in the ESMA Guidelines on key concepts of the AIFMD. Certain digital assets may instead qualify as money-market instruments or derivatives within the scope of regulation. A case-by-case analysis is required.

At the time of writing, ESMA is consulting on draft Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, and this should provide further clarity on the approach to be taken.

Crypto-Assets and Payment Services Under the Electronic Money Directive

The EBA has noted that a crypto-asset can qualify as electronic money under the Electronic Money Directive, and thus be regulated under that directive, provided that it:

  • is electronically stored;
  • has monetary value;
  • represents a claim on the issuer;
  • is issued on receipt of funds;
  • is issued for the purpose of making payment transactions; and
  • is accepted by persons other than the issuer.

In addition, if a person performs a “payment service” as listed in PSD2 with a blockchain asset that qualifies as “electronic money” under the Electronic Money Directive, such activity would fall within the scope of PSD2 by virtue of constituting “funds”. More generally, PSD2 and the domestic Irish regime of money transmission should also be considered in the context of fiat transfers or services related to blockchain activities.

As noted above, electronic money tokens will fall within MiCA once it is in force.

Assuming the blockchain assets are not financial instruments, e-money or any other regulated token, there is no specific regulatory regime for the issuance of such assets until MiCA is in force. However, as set out in the FATF Guidance, registration as a VASP may be required for issuers of blockchain assets where, in addition to the issuance itself, the issuers engage in any of the activities that fall under any limb of the VASP definition (exchange between virtual assets and fiat, or one or more forms of virtual assets, transfer of virtual assets, etc).

MiCA proposes to impose extensive requirements on the issuers of blockchain assets, including authorisation requirements and/or limiting the types of entities that may issue certain crypto-assets. MiCA will also impose transparency requirements, including regarding the issuance of a white paper.

The provision of exchange services between various virtual assets and/or between virtual assets and fiat currency is within the scope of Irish AML legislation and may require a VASP registration.

Where blockchain assets constitute MiFID II financial instruments, such as transferable securities, the operation of a trading platform will be in the scope of existing regulatory regimes.

The operation of blockchain asset trading or exchange platforms may involve the issuance of electronic money or the provision of payment services, in order to facilitate wallet and payment features.

MiCA will impose requirements on CASPs operating a trading platform for crypto-assets.

Irish regulated investment funds are authorised either as UCITS or as alternative investment funds (AIFs).

Distinctions Between Digital Assets

The Central Bank has provided guidance on investment in digital assets, which are generally considered to be assets that exist in digital form and that attach ownership rights which depend primarily on cryptography and distributed ledger or similar technology. This guidance recognises that the nature and characteristics of digital assets vary considerably, and distinguishes, for example, between digital assets that are tokenised traditional assets (whose value is linked to an underlying traditional asset or a pool of traditional assets, such as financial instruments or commodities) and digital assets that are based on intangible or non-traditional underlying assets. In respect of the latter, the guidance states that the Central Bank is highly unlikely to approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to digital assets. This is due to the specific risks attached to such digital assets and the potential that retail investors may not be able to appropriately assess the risks of making an investment in a fund that gives such exposures.

Since April 2022, the Central Bank had permitted qualifying investor alternative investment funds (QIAIFs) to invest up to 10% of their NAV in cash-settled Bitcoin futures traded on the Chicago Mercantile Exchange. In April 2023, the Central Bank increased the investment limits for QIAIFs seeking exposure to the latter type of digital assets, as follows:

  • where a QIAIF is open-ended it can gain exposure to digital assets of up to 20% of NAV; and
  • where a QIAIF is closed-ended or is open-ended with limited liquidity it can gain exposure to digital assets of up to 50% of NAV.

In order to avail of these limits, AIFMs must ensure the following requirements are satisfied:

  • implementation of an effective risk management policy to address all risks relevant to investment in digital assets, at a minimum addressing risk relating to liquidity, credit, market, custody, operational, exchange risk, money laundering, legal, reputational and cyber-risk;
  • appropriate stress testing on the proposed investment in digital assets, reflecting asset price volatility of digital assets, including the potential entire loss of value in the investment;
  • an effective liquidity management policy is in place, which includes a sufficient suite of tools to enable the AIFM to manage liquidity events arising in the QIAIF;
  • the prospectus of the QIAIF must contain clear disclosure in relation to the nature of the proposed investment in digital assets and a clear articulation of the risks associated with that investment; and
  • the QIAIF should assess the overall construction of its portfolio to ensure that there is alignment between the redemption profile, the level of investment in digital assets and the likelihood of illiquidity (in both normal and stressed conditions) in the types of digital assets invested in.

Direct exposure by QIAIFs to digital assets continues to be prohibited by the Central Bank, pending satisfactory demonstration that the depositary safekeeping obligations can be complied with in accordance with AIFMD. The Central Bank has updated its procedures to provide for a pre-submission approval process in the event a QIAIF proposes to invest indirectly in digital assets in excess of the thresholds outlined above or to make any direct investment in digital assets.

The Central Bank’s approach in relation to crypto-assets will be kept under review and will continue to be informed by European regulatory discussions on the topic; it may change if new information or developments emerge.

In June 2023, the Commission instructed ESMA to review the Eligible Assets Directive (2007/16/EC) to assess possible changes to the eligibility rules under which UCITS may gain direct and indirect exposures, including in respect of certain asset categories that may give rise to divergent interpretations and/or risk for retail investors, including crypto-assets. ESMA is due to deliver its technical advice by 31 October 2024.

The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II but would be within the scope of the VASP regime and would be subject to MiCA, once introduced.

DeFi transactions will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area that is expected to see increasing regulatory interest in DeFi.

MiCA should not apply where crypto-asset services are provided in a fully decentralised manner without any intermediary. MiCA instead proposes that the Commission shall present a report to the European Parliament 18 months after the date of entry into force, containing an assessment of the development of DeFi in the crypto-assets markets and of the adequate regulatory treatment of decentralised crypto-asset systems without an issuer or CASP, including an assessment of the necessity and feasibility of regulating DeFi.       

It is unlikely that NFTs constitute virtual assets for the purposes of the VASP registration requirement under the CJA 2010 but a case-by-case analysis is required. The FATF October 2021 Guidance on virtual assets and VASPs (which is helpful but not binding or directly applicable in interpreting the scope of the CJA 2010 VASP regime) provides that, depending on their characteristics, digital assets that are unique rather than interchangeable, and that are used as collectibles in practice rather than as payment or investment instruments, are generally not considered to be virtual assets under the FATF definition. However, it is important to consider the nature of the NFT and its function in practice.

MiCA will not apply to crypto-assets that are unique and not fungible with other crypto-assets. The recitals to MiCA state that the fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible, and that the issuance of crypto-assets as non-fungible tokens in a large series should be considered as an indicator of their fungibility. Therefore, categorisation will depend on the individual characteristics of NFTs and the rights and assets they represent, meaning a case-by-case analysis is required. ESMA's consultation on draft Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments considers the classification of NFTs.

A case-by-case analysis is also required to understand if an NFT would be considered a financial instrument under MiFID. “Transferable securities” are defined under MiFID as “classes of securities” that are negotiable on the capital market, so it appears unlikely that NFTs should amount to “transferable securities”, as their inherent non-fungible nature would appear inconsistent with this requirement. However, it is important to consider each NFT individually.       

PSD2 introduced two new regulated payment services: payment initiation service and account information service. A disruptive aspect of PSD2 is the customer's right to make use of third parties to obtain payment initiation services, and for third parties to access payment data to provide account information services. This facilitates open banking and opens up opportunities for challenger banks and other fintech firms to bring new products to the market. Application programming interfaces are to be used for third-party access to online payment accounts.

As part of the review of PSD2, the Commission carried out a targeted consultation on open finance framework and data sharing in the financial sector. PSD3 will seek to improve the functioning of open banking through the removal of the remaining obstacles to the provision of open banking services, by improving customers' control over their payment data and by enabling new innovative services to enter the market.

PSD2 imposes certain conditions on access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.

In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the rights to withdraw consent, to access data and for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.

In recent years, incidences of fraud perpetrated through online means have risen dramatically. Unfortunately, the fintech industry has found itself at the forefront of many fraud-related incidents. Due to the nature of the fintech industry, where complex products are offered through novel technological means, fraudsters often misuse products and services from the fintech industry to target their victims.

The Central Bank and the Financial Intelligence Unit, which forms part of the Garda National Economic Crime Bureau and is the relevant authority responsible for combatting fraud in Ireland, regularly issue warnings to the public about the risk of falling victims to online scams. These warnings often centre on the risks posed by investing in cryptocurrency.

Fintech firms are at the forefront of fraud-related incidents, with the most common examples being credit card fraud, identity fraud and scam-related activity. Many firms including VASPs have reported concerns relating to transactions and access or ownership of virtual asset wallets, prominent use of fake identification documents or stolen KYC data, and the involvement of shell companies and bank accounts opened by a third party.

Given the increasing prevalence of fraud in the fintech space, it has been paramount to address through regulation. PSD2 actively addressed Account Take-Over fraud via Strong Customer Authentication (SCA), but steps are now being taken to update PSD2 to help stem the tide of the emerging types of fraud.

With the review of PSD2 underway, the draft proposal of PSD3 proposes to address instances of Authorised Push Payment (APP) fraud where the distinction between authorised and unauthorised transactions is unclear (as the user is induced to authorise payments through manipulation by the relevant fraudster as a form of social engineering). Proposed measures include IBAN/name matching verification services for all credit transfers, transaction monitoring, fraud data sharing and user education.

PSD3 also proposes to provide further clarity on the requirements around SCA, including extending the requirements beyond a single SCA mechanism by providing support through various authentication mechanisms instead of just adopting a “mobile-only” approach, and requiring a diversity of SCA mechanisms to ensure all users can undertake the SCA.

In addition, the proposed Payment Services Regulation requires the EBA to develop Regulatory Technical Standards, which are expected to cover SCA, transaction risk monitoring, security measures to protect the confidentiality and integrity of personalised security credentials, and the usage of European digital identity wallets for SCA.

The Central Bank is currently conducting a comprehensive review of its CPC and has launched a Consultation Paper on how it is proposing to update the CPC. The focus is on ensuring firms effectively incorporate customers' interests into their strategy and decision making, and provide clarity for firms on their consumer protection obligations to ensure that consumers remain protected against fraud and other scams, even in the face of advancing technology and a changing financial services landscape. The Central Bank will seek to achieve its goals through the imposition of enhanced conduct of business rules and through helping consumers to identify and avoid fraud.

Walkers (Ireland) LLP

The Exchange
George's Dock
IFSC
Dublin 1
Ireland

+353 1 470 6600

+353 1 470 6601

info@walkersglobal.com www.walkersglobal.com
Author Business Card

Law and Practice

Authors



Walkers (Ireland) LLP is a leading international firm that provides legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers. Clients include Fortune 100 and FTSE 100 companies, and some of the most innovative firms and institutions across the financial markets. The firm has ten offices, in Bermuda, the British Virgin Islands, the Cayman Islands, Dubai, Guernsey, Hong Kong, Ireland, Jersey, London and Singapore. It regularly advises innovative fintech firms on legal and regulatory considerations arising from offering their products to the Irish and European market, often for the first time and in novel areas. It leverages its expertise in multiple areas of regulated financial services when assessing novel fintech proposals to provide clear mapping of product features that could trigger regulatory issues. It has also assisted start-up clients with novel offerings in engaging with the Central Bank of Ireland's Innovation Hub, which is only open to innovative services.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.