This page deals with a Payment Institution Authorisation. Click the download button for version 2.1 (31 October 2021).
Our Peter Oakes has written comprehensive guides on Why Ireland For Fintech for:
- securing an Electronic Money Authorisation;
- securing a Payment Institution Authorisation (which includes AISP and PISPs);
- securing a Virtual Asset Services Provider Registration;
- securing a MiFID authorisation;
- Overview of Certain Prudential, Conduct of Business Rules, Outsourcing and AML/CFT Guide.
These guides have been downloaded 15,000+ times
If there is no link to a document you are looking for, contact office@complireg.com.
Please be respectful of the author's copyright and don't reproduce any part of this material for commercial purposes. If you leverage content from this page/document for any other use, please acknowledge the author.
Other guides for a fintech authorisation can be found here.
Why Ireland for Fintech? (Payments Institutions) [V2.1 31 October 2021]
Congratulations. You have made a great decision: Ireland is a fantastic place to obtain a payment institution authorisation (“API / payments institution”) from the Central Bank of Ireland (“CBI”). If you are seeking authorisation as an electronic money institution (“AEMI / emoney institution”) or MiFID firm or registration as a Virtual Asset Services Provider (“VASP”), visit https://fintechireland.com/fintech-authorisations.html for those and other authorisation and regulatory guides.
You have found the right people to assist you to obtain a presence in Ireland. Peter Oakes is recognised by Chambers & Partners in its Fintech 2021 and 2020 editions as a Band 1 leading fintech expert. Peter is a past member of the selection panel of the Fintech 50 Panel.
As of 31 October 2021, Ireland has more than 40 e-money and payment services firms authorised by the CBI. Here is a Fintech Ireland Map of all these regulated firms[1] as appearing on the CBI’s website at the end of October 2021.
[1] https://fintechireland.com/news/news-number-of-fintech-companies-establishing-in-ireland-continues-to-rise-in-2019-as-at-31-december-2019
While it may be thought that the growth in the number of AEMIs and APIs is driven by Brexit uncertainty, Ireland has more than 350 fintech and regtech companies, many of which operated in Ireland long before Brexit. This solid fintech and payments foundation means that many more fintechs are opting to join the Irish fintech ecosystem which we are proud to support.
The 350+ fintech and regtech companies identified by Fintech Ireland as of 31 October 2021 appear in the below Indigenous Map (dark green) and International Map (light green).
The above Maps are updated on a regular basis. You can find the most recent editions of the three Maps and the Regtech Ireland Map here[1].
What does Ireland offer your payment services company?
- government support, including a range of services from IDA Ireland for international companies setting up in Ireland and Enterprise Ireland for indigenous fintech companies, particularly those looking to expand. We maintain a very good working relationship with these independent agencies and are happy to help you with introductions to appropriate contact points at these agencies;
- an internationally recognised mature financial services industry supported by a highly educated financial services workforce comprising more than 45,000 such professionals; 15%+ of whom work in fintech, working in international financial services and 100,000+ in total working in financial services in Ireland;
- once authorised by the CBI, your API or AEMI will be able to passport to other European Economic Area countries. The EEA comprises the 27 European Union Member States[2] plus Norway, Liechtenstein and Iceland. APIs and AEMIs may ‘passport’ on either a freedom of establishment or a freedom of services basis. As you can see from the above Map by Fintech Ireland[3], the CBI regulates many payment services and electronic money firms, the first being authorised in 2009. Our Peter Oakes worked with that fintech to help it obtain the first licence issued under the Payment Services Directive in Ireland. In 2020 and up to 31 October 2021, five (5) payment services firms and five (5) emoney firms were authorised or registered by the CBI. This speaks to the depth of experience the CBI and its staff have in authorising and supervising payment services and electronic money firms;
- payment services and electronic money companies (indeed virtually all companies) in Ireland benefit from a competitive 12.5% corporate tax rate, comprehensive double tax agreements and numerous research and development tax breaks. On 7 October 2021, the Irish government announced that Ireland had agreed to become a signatory to the international agreement to reform international tax rules and has agreed, as part of a 140 member jurisdiction group, the OECD’s global minimum effective corporation tax rate of 15%. This will see Ireland’s corporate tax rate increase to 15% for multinationals with revenues in excess of €750mn;
- the World Bank flagship Ease of Doing Business Report 2020 places Ireland at 24 of 190 countries[4] based on efficiency of the business regulation and tax regime, as well as ease of starting a business. Amongst euro area countries, Ireland is ranked 6th; and
- a stable and dynamic common law legal system that upholds contractual rights.
[1] https://fintechireland.com/fintech-ireland-map.html
[2] Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden (note that the United Kingdom left the EU on 31 December 2020 and is not part of the EEA.)
[3] https://fintechireland.com/index.html
[4] http://www.competitiveness.ie/publications/2019/the-world-bank-2020-rankings-bulletin-19-3.pdf
Why Peter Oakes (www.peteroakes.com)
Peter Oakes is a leading expert in fintech, including emoney, payments, crowdfunding, banking and investment management, specialising in start-ups, governance, risk and compliance. Peter is a non-executive director of regulated emoney, payment services and investment services firms (investment advice and options market making). He is a former senior executive regulator in Australia (ASC/ASIC), the UK (FSA/FCA), Saudi Arabia (SAMA) and in Ireland (CBI). Between 2010-2013, Peter was appointed as Ireland’s inaugural director of enforcement and financial crime at the CBI. He was one of six individuals with an international background recruited into the CBI at that time to address the economic and regulatory fallout arising from Ireland’s financial crisis.
During his time at the CBI he was involved in the implementation of numerous financial laws and regulations, including the regulations (PSD 1) preceding the European Communities (Payment Services) Regulations 2018 (the “PSR”), which transposed Directive 2015/2366 (PSD 2), and including the European Communities (Electronic Money) Regulations 2011 (the “EMR”), which transposed Directive 2009/110 into Ireland.
Since leaving the CBI in 2013, Peter has established the European payment services operations of Bank of America Merchant Services (including its authorisation as a PSD 2 firm with the UK FCA), led and supported numerous fintech authorisations with the UK FCA and the CBI. Peter worked on the application for a company which successfully achieved authorisation as a specialised bank with the Bank of Lithuania (“BoL”), including engagements with the BoL’s senior board director. Peter is a leading fintech and regulatory expert and the Founder of both Fintech Ireland[1] and Fintech UK[2]. Peter Oakes brings extensive practical experience and operational know-how to client instructions as well as unrivalled executive director, non-executive director and governance expertise, founded on a vast background of international regulator and central bank experience.
[1] https://fintechireland.com/index.html
[2] https://fintechuk.com/index.html
Who is responsible for authorising payment institutions in Ireland?
The CBI, in addition to being the competent authority for e-money, banking, insurance and investment services, is also the body which authorises payment institutions in Ireland.
Can I passport my authorised payment institution’s services?
Yes, you can. Every authorised payment institution (i.e. API) is entitled to passport across the EEA those services for which it is authorised.
Whether you obtain an authorisation for your own company in Ireland, or acquire an API already authorised in Ireland, you will have the right to passport.
It is important to note that neither a small payment institution (“SPI”) nor a small electronic money institution (“SEMI”) is able to passport. However, to date, the CBI has not permitted SPIs to operate in Ireland nor has it registered any SEMIs.
How can my API passport?
An API and AEMI may passport in two ways:
Use of agents – APIs/AEMIs are now obliged to inform the CBI when their proposed agent has commenced activities. Once the CBI is satisfied with the information provided, the notification shall be transmitted to the relevant competent authority within one month of receipt from the APIs/AEMIs.
It is important to remember that when a national competent authority (“NCA”) authorises an API / AEMI, it is essentially allowing that institution, subject to it applying for a passport, to conduct business in another NCA’s jurisdiction. Accordingly, the PSR (or the relevant electronic money regulations) set out the rules relating to the supervision of APIs / AEMIs, their agents and branches when exercising their freedom of services and freedom of establishment to provide services in other member states. To this end, the European Banking Authority issued an RTS (EBA/RTS/2018/03), referenced above, specifying the framework for co-operation and the exchange of information between competent authorities.
Although not the focus of this document, any reader at a payments institution or electronic money institution authorised in another member state (i.e. its head office is in that member state) and passporting services into Ireland should note that the CBI may require that payment institution or electronic money institution operating in Ireland via agents in Ireland to establish a central contact point in Ireland. See EBA report (EBA/RTS/2017/09) issued December 2017 for further detail on the regulatory technical standards in this area.
Authorisation Requirements
The €64mn question we are often asked is “How likely is it that my company can obtain an authorisation as a Payment and / or E-Money Institution in Ireland?” An applicant should expect authorisation as a payments institution or electronic money institution provided that: (i) it meets in full the regulatory requirements including initial and own funds requirements (i.e. sustainable business model); (ii) it demonstrates to the satisfaction of the CBI its ability to be supervised after authorisation; and (iii) its board, management and employees are fit and proper (“F&P”) in accordance with applicable F&P regulations and standards.
We encourage every applicant for an API / AEMI authorisation to familiarise itself with the detailed information on the CBI’s website. The CBI has a statutory duty to ensure that only those companies, their management, board and shareholders which meet the requirements are authorised in Ireland. The CBI refers to its process as being ‘robust, structured and risk-based’. We would add, to the foregoing, the words ‘rigorous’ and ‘probing’; in a ‘fair and transparent environment’ which ensures that the CBI can meet its ‘gatekeeper’ function.
In summary, there are several steps every applicant must adhere to in order to demonstrate it can meet the regulatory requirements. These include demonstrating that the applicant:
How does an applicant demonstrate the ‘substance test’?
Bad practice:
If an applicant’s approach to its API / AEMI application appears to the CBI as being ‘I need a brass plate authorisation and I will outsource everything overseas’ then you are best utilising your resources elsewhere. However, no member state can afford to adopt such an approach given that they themselves are subject to oversight by the European Banking Authority in the area of payments and emoney. Poor conduct by a competent authority can result in infringement proceedings as well as associated reputational damage. Why would any self-respecting EU competent authority lower the relatively high but fair bar established by the European Commission and Parliament?
Good Practice:
The “heart and mind” requirement referenced above is essential to a successful application. Another phrase used is “mind and management”. Both phrases are used by CBI as interpretative tools because neither the PSR nor the EMR define what is meant by “head office”. The way of demonstrating this is via good practice, meaning that you must run your API / AEMI from within Ireland in such a manner that the CBI, as the competent authority, can effectively oversee and supervise it. We advise every applicant to actively consider the following:
How does outsourcing impact the substance test?
Outsourcing is a legitimate and operationally effective way for any business, regulated or not, to remain a sustainable, prudent and consumer protectionist operation. When it comes to regulated fintech, such as APIs / AEMIs, they must remain aware of both the CBI’s and the EBA’s requirements and guidelines on outsourcing.
In this regard, Ireland adopts the ‘you may outsource the function, but you cannot outsource the responsibility’ adage. Therefore, in circumstances where an API / AEMI wishes to outsource to a third party either within Ireland or overseas it must be able to demonstrate to the CBI that it can comply with its regulatory obligations. When completing an application, the applicant provides details to the CBI about how outsourced functions will be monitored and controlled on a day-to-day basis. The description must include: details of on-going reporting; details of how service levels are monitored; and details of oversight meetings held with the outsource service provider.
The CBI views outsourcing as a considerable risk and issued a discussion paper on the topic in November 2018 which every applicant should read[6]. Accordingly, APIs/AEMIs need to be aware that the CBI must be notified of the outsourcing of critical or important functions, including where the API seeks to materially alter existing outsourcing arrangements. In addition to the PSR, which set out the outsourcing requirements, APIs/AEMIs must also adhere to the EBA’s separate Guidelines on Outsourcing.
What is a critical or important function? ‘Critical or important functions’ would include an operational function … where a defect or failure in its performance would materially impair the continuing compliance of payments / electronic money institution with the conditions and obligations of its authorisation or its regulatory obligations, or its financial performance, or the soundness or the continuity of its investment services and activities. See para 20 Final Report on EBA Guidelines on outsourcing arrangements[7] and the relevant provisions of the PSR / EMR.
A payment institution / electronic money institution may only outsource an important operational function where it meets the following requirements:
Outsourcing of important operational functions, including information technology systems, shall not be undertaken in a manner that materially impairs the quality of the API’s/AEMI’s internal control and the ability of the CBI to monitor and review compliance by APIs/AEMIs with their obligations under the PSR/EMR.
Prior notification to CBI (not less than 30 days): Where a payment institution / electronic money institution whose home Member State is the State (in this case Ireland) proposes to outsource an operational function relating to the provision of payment services or electronic money services, it must inform the CBI accordingly not less than 30 days prior to the date on which it proposes to commence such outsourcing.
Details as to how outsourced functions are monitored and controlled on a day-to-day basis must be provided by an applicant in Guideline 8.1(g) of the Application Forms for Payments and Electronic Money Institutions. The description provided should include:
In February 2021, the CBI issued CP138 - Consultation on Cross-Industry Guidance on Outsourcing. Closing date for submissions was 26 July 2021[8]. In April 2021, the CBI issued CP140 - Cross Industry Guidance on Operational Resilience. Closing date for submissions was 9 July 2021[9]. Both Consultation Papers are highly recommended to applicants seeking authorisation as a payments institution or electronic money institution.
Are the capital requirements for an API different in Ireland than elsewhere?
No matter in which EU member state you establish your authorised payments institution, the institution must (without exception) hold initial capital. The amount of initial capital to be held by an API varies between €20,000 - €125,000 depending upon the exact type of services applied for. The actual amount of both initial capital and ‘own funds’ required for each individual institution will be notified to the applicant as a part of the authorisation process.
If you have not been involved with the calculation of capital requirements previously, you should take advice and we are happy to help in this regard. For specific information about the capital requirements for AEMIs please see the Why Ireland for Fintech – Getting an Electronic Money Institution Authorisation in Ireland at https://fintechireland.com/fintech-authorisations.html
Arrangements
When getting ready to start preparation work on your API / AEMI application, an important document to read is the Guidance Note[10]. If you are not familiar with the process, you run the real risk of creating an impression within the CBI that your application is overly complex, lacks awareness of the requirements and/or may be difficult to supervise. The CBI will assess the following areas when considering an application for authorisation as an API / AEMI: business plan; programme of operations; structural organisation; measures to safeguard the funds of payment services users; governance arrangements and internal controls; security policy document; control mechanisms for anti-money laundering and counter terrorist financing; identity and suitability assessment of persons with qualifying holdings; identity and suitability assessment of directors and persons responsible for managing the firm; and business continuity arrangements.
What is Fitness and Probity?
All individuals being proposed by the applicant to hold a pre-approval controlled function (“PCF”) role must complete a fitness and probity individual questionnaire (“IQ”). IQs are submitted electronically via the CBI’s Online Reporting System which becomes available after an application has been deemed to contain all the key information needed to progress to the assessment phase of the application process (see below). To fulfil a PCF role, the person must be competent and capable, honest, ethical and of integrity and also financially sound.
An applicant must not permit any person to perform a controlled function, including a PCF, unless it is satisfied on reasonable grounds that the person complies with the standard of fitness and probity issued by the CBI. The Guidance on Fitness and Probity Standards provides further information.[11] A list of prescribed CFs and PCFs for regulated financial services providers (other than credit unions) appears on the CBI’s website.[12]
Examples of the type of roles at an API / AEMI that will require a person to complete an IQ include the senior management, such as the chief executive/managing director, chief financial officer/financial controller; persons with head of function responsibility for compliance, risk and anti-financial crime; and members of the board of directors. We are happy to advise on the PCF roles you may require for your API / AEMI and advise on the requirements of the Fitness and Probity regime.
Like outsourcing, the EBA has also issued guidelines on fitness and probity which supplement those issued by CBI relating to the identity and suitability assessment of directors and persons responsible for the management of the payment institution or emoney institution.
On 22 September 2021, the CBI issued a ‘Notice of Intention’ informing of its intention to make changes to PCFs. These amendments will apply to all firms authorised by the CBI, including payments institutions and electronic money institutions. In brief, we expect the following amendments to the PCF regime in Ireland:
The above changes are the ones most likely to impact applicants for authorisation as a payments institution and emoney institution. Another intended change is the removal of the existing PCF-31 (Head of Investment), with the PCF-30 role (Chief Investment Officer) remaining unaffected.
Guidance on Fitness and Probity for a Payment Institution, Electronic Money Institution or Account Information Service Provider Under Payment Services Regulations 2018 and Electronic Money Regulations 2011 (April 2021)
Persons seeking approval for Pre-Approval Controlled Function (PCF) roles in a payment institution, electronic money institution, or account information service provider must comply with the requirements of the EBA Guidelines on the Information to be Provided for Authorisation and Registration under PSD2 (EBA Guidelines). The CBI has made a number of amendments to the standard Fitness and Probity IQ to reflect the requirements outlined in the EBA Guidelines.
In April 2021 the CBI published a document to provide guidance on the requirements under PSR and EMR that apply to persons seeking approval for a PCF role in an API, AEMI, or AISP. Any F&P IQ submitted to the Central Bank via its Online Reporting System (ONR) must be in accordance with these requirements.[13]
Senior Executive Accountability Regime (SEAR)
On 27 July 2021, the Minister of Finance announced the publication of the General Scheme of the Central Bank (Individual Accountability Framework) Bill 2021. The General Scheme provides for the establishment of the Individual Accountability Framework (IAF) which includes the SEAR. The IAF framework facilitates individual accountability and responsibility, particularly for persons performing what are called senior executive functions within regulated financial services providers. CompliReg has established a specific website to assist firms to understand the important obligations proposed by the IAF and SEAR, which can be accessed here - https://SEARHub.com (www.sear.ie).
What Payment Services can an API provide?
Payment Services:
To become an API, you, as a future ‘payment services provider’ must be intending to provide a “payment service” otherwise your business will not fall under the PSR and you will fail to become authorised. While this may sound obvious, it is a question of both fact and law as to whether or not you are providing a payment service. Across Europe, there can be different interpretations applied by different national competent authorities and therefore advice is very often needed; such advice CompliReg is happy to provide. For example, numerous firms regulated by the UK Financial Conduct Authority (FCA) either as an authorised payments institution or an emoney institution are surprised that the CBI doesn’t necessarily adopt the same approach as the FCA when it comes to interpreting one or more payments services (notwithstanding they may have been providing services in Ireland under a passport). For example, some firms which have money remittance approved by the FCA may find that the CBI doesn’t consider that the applicant is providing money remittance despite the UK and the intended Irish firm having the same business model.
It should be noted that where a payment institution wishes to engage or is engaged in other business activities, the CBI may require the API (or applicant) to establish a separate entity for the payment services business if the non-payment services activities (e.g. Virtual Asset Service Provider) impair or are likely to impair either the financial soundness of the API or the ability of the CBI to monitor the API’s compliance with the PSR.[14]
The person providing the “payment service” is referred to as the “payment services provider” for the purposes of the PSR. Payment services are defined in Article 4(3) of Directive 2015/2366 and means any business activity set out in the Annex 1 of Directive 2015/2366, as follows (1-8 below):
1. Services enabling cash to be placed on a payment account as well as all operations required for operating a payment account;
2. Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account;
3. The execution of the following types of payment transactions:
3a. direct debits, including one-off direct debits;
3b. payment transactions through a payment card or similar device;
3c. credit transfers, including standing orders;
4. The execution of the following types of payment transactions where the funds are covered by a credit line for the payment user:
4a. direct debits, including one-off direct debits;
4b. payment transactions executed through a payment card or similar device;
4c. credit transfers, including standing orders;
5. Issuing of payment instruments and/or acquiring of payment transactions;
6. Money remittance;
7. Payment initiation services; and
8. Account information services.
A list of activities not captured as a payment service under the PSR is set out at Regulation 4 of the PSR.
Ancillary Activities
In addition to nominating which payment services an applicant is applying for, the CBI’s authorisation form requires applicants to set out which ancillary services they require in addition to the payment services above. Ancillary services are set out in Regulation 29 of the PSR which permit APIs:
Where a payment institution engages in the provision of one or more payment services, it may hold only payment accounts which are used exclusively for payment transactions[15].
Under Regulation 29 PSR, a payment institution may hold only payment accounts which are exclusively for payment transactions. The PSR also allow a payment institution to grant credit for a maximum period of 12 months in certain circumstances[16].
A question often asked is whether funds received by an API from a payment service user are either (a) a deposit or other repayable funds, or (b) electronic money. Provided that the funds pass from the payment services user to the API for one or more payment services, the funds are not deposits, other repayable funds or emoney as per Regulation 29(3) of the PSR.
What is the Authorisation Process?
The CBI’s website is quite good in this area and its practical approach breaking down the process into its constituent elements is very useful. You can read all the relevant information on its website. Application Process for Payment Institutions[17]
[Note: Although the CBI’s website references the registration of SPIs (i.e. small payments institutions), the CBI has not registered any SPIs to date.]
The Payments Authorisation Team at the CBI is the point of contact for applicants seeking an authorisation as a payments institution. During the course of an application, an applicant will likely also deal with additional areas at the CBI including the Fitness and Probity, Technology Risk and Anti-Money Laundering teams.
[Note: The CBI has an Innovation Hub, which is a facility available to firms to engage with the CBI outside of existing formal regulator/firm engagement processes. We have held many productive meetings with the Innovation Hub prior to and adjacent with an applicant making an application.]
Each applicant seeking authorisation/registration must satisfy the CBI that it can meet the authorisation/registration standards set out in the PSR. The CBI intends to process each application as expeditiously as possible while meeting its obligation to operate a rigorous and effective gatekeeper function. It aims to ensure that the application process is facilitative and accessible from the perspective of applicants and, importantly, that applicants have clarity regarding the process, its requirements and timelines.
The Application Process as set out on the CBI’s website includes details of:
Anti-Money Laundering and Countering the Financing of Terrorism
It is important to note applicants must complete an Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre Authorisation Risk Evaluation. This takes the form of a Questionnaire (“AML/CTF & FS Questionnaire”).
On 23 April 2021, Ireland signed into law the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The 2021 Act (No. 3 of 2021) makes several changes to the 2010 Act (No. 6 of 2010) transposing the EU 5AMLD (EU 2018/843) into national law. You can find more information about this change in law on CompliReg’s website[18].
You can read more about the CBI’s requirements on Money Laundering and Terrorist Financing at its website[19].
Financial Sanctions and Terrorist Financing – additional obligations
To ensure compliance with Ireland’s AML and CFT requirements and to prevent the financing of terrorism, credit and financial institutions including payment institutions and emoney institutions must monitor their customers and transactions against both the EU and UN Sanctions Committees lists relating to terrorism. The lists are regularly updated and must be frequently checked to ensure that they are the latest ones available.
Financial Sanctions lists that relate to terrorism should be monitored to assist in preventing terrorist financing from occurring, including, but not limited to, the following:
You can read more about the CBI’s requirements on Financial Sanctions and Terrorist Financing at its website[20].
A brief word about the MLRO
The term “MLRO” is not defined in Irish legislation.
The CBI will require the applicant to appoint a Head of Compliance (PCF 12), a Head of Compliance with responsibility for AML/CFT Legislation (PCF 15), or both. This person must be fit and proper and be pre-approved by the CBI before he/she may commence his/her role. In terms of custom and practice, this person will often be called the “MLRO”.
Like all PCF roles, the person must be competent and capable, honest, ethical and of integrity and also financially sound.
In addition, Section 54(8) of the CJA2010 (explained at para 6.3 of the AML/CFT Guidelines) provides that designated persons, such as emoney and payments institutions, shall appoint a member of Senior Management with primary responsibility for the implementation and management of anti-money laundering measures in accordance with Part 4 CJA 2010 if directed in writing to do so by the CBI for that designated person. The CBI expects institutions to appoint a Member of Senior Management with primary responsibility for implementing, managing and overseeing compliance with AML/CFT measures, where such an appointment is proportionate to the nature, scale and complexity of an institution’s activities.
Where an institution has decided that it is not necessary to appoint a Member of Senior Management, having regard to the nature, scale and complexities of the institution’s activities, it should record in detail its rationale for such a decision. In such circumstances, the institution must ensure that it remains in compliance with all obligations under the CJA2010. This includes ensuring that all matters requiring approval by senior management are approved at the appropriate level.
Please refer to our Overview of Certain Prudential and Conduct of Business Rules for Payment Institutions and Electronic Money Institutions available at https://fintechireland.com/fintech-authorisations.html for more detail about the AML/CFT obligations of APIs and AEMIs, including the use of electronic means to verify the identity of customers and how the CBI will supervise an AEMI / API post-authorisation.
Key Stages in the Application Process
There are five stages to the authorisation process for the authorisation of a payments institution / electronic money institution; however, the CBI’s approach is flexible in terms of applicants which take their application seriously. Although the CBI will reserve the right to follow its procedures to the letter, where such adherence might cause unfairness to an applicant, we have always found the CBI to be open to practical discussions about advancing applications in the spirit of the regulations and guidelines.
The diagram appearing on the next page is a high-level representation of an application passing through the process with relative speed. Below the diagram we have set out some additional information about requests of the CBI for a pre-application meeting and the Pre-Application Key Facts Document which occur before an applicant files an application for an API or an AEMI.
[1] Regulatory Technical Standards on the framework for co-operation and exchange of information between competent authorities for passport notifications under the Directive (EU) 2015/2366 (‘RTS’)
[2] EMR being Statutory Instrument No. 183 of 2011 - European Communities (Electronic Money) Regulations 2011 (as amended)
[3] This is not intended to be a ‘formula’ for meeting the “head office” requirement, rather to provide an indication of what the CBI will expect to see in this regard.
[4] This must be someone who is familiar with the applicant’s business model and its application submission and must be someone who works for/will work for the applicant if and when authorised, and not a professional advisor to the applicant
[5] It should be noted that in order to meet the requirements of Regulation 21 of the PSR, an applicant payment institution must carry out at least part of its payment services business in Ireland.
[6] Outsourcing – Findings and Issues for Discussion (November 2018) https://centralbank.ie/news-media/press-releases/outsourcing-activities-in-financial-service-providers
[7] https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1
[8] https://www.centralbank.ie/publication/consultation-papers/consultation-paper-detail/cp138---consultation-on-cross-industry-guidance-on-outsourcing
[9] https://www.centralbank.ie/publication/consultation-papers/consultation-paper-detail/cp140---cross-industry-guidance-on-operational-resilience
[10] Guidance Note on Completing an Application for Authorised Payment Institution (September 2020) replacing the previous version dated April 2018 https://www.centralbank.ie/docs/default-source/Regulation/industry-market-sectors/Electronic-Money-Institutions/Authorisation-Process/psd2-guidance-note.pdf?sfvrsn=3
[11] Guidance on Fitness and Probity Standards - https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity and https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/about-fitness-and-probity
[12] https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/requirements-assessment-compliance/regulated-financial-service-providers/introduction
[13] https://www.centralbank.ie/docs/default-source/regulation/industry-market-sectors/electronic-money-institutions/authorisation-process/guidance-note-on-completing-an-application-for-emi-pi-aisp.pdf?sfvrsn=4
[14] Regulation 20 PSR
[15] Regulation 29(2) of the PSR
[16] Regulation 29(4) of the PSR.
[17] Application Process for Payment Institutions - https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions/authorisation-process
[18] https://complireg.com/blogs--insights/ireland-transposes-additional-provisions-of-eu-5amld-into-national-law
[19] https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism
[20] https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/countering-the-financing-of-terrorism
The CBI, in addition to being the competent authority for e-money, banking, insurance and investment services, is also the body which authorises payment institutions in Ireland.
Can I passport my authorised payment institution’s services?
Yes, you can. Every authorised payment institution (i.e. API) is entitled to passport across the EEA those services for which it is authorised.
Whether you obtain an authorisation for your own company in Ireland, or acquire an API already authorised in Ireland, you will have the right to passport.
It is important to note that neither a small payment institution (“SPI”) nor a small electronic money institution (“SEMI”) is able to passport. However, to date, the CBI has not permitted SPIs to operate in Ireland nor has it registered any SEMIs.
How can my API passport?
An API and AEMI may passport in two ways:
- Freedom of Services – an API/AEMI wishing to avail of the freedom to provide services on a cross border basis in another EU member state / EEA must inform the CBI in advance through the RTS[1]. Once the CBI is satisfied with the information provided by the API/AEMI, the notification is transmitted to the competent authority in the member state(s) within one month of its receipt from the API/AEMI.
- Freedom of Establishment – another way an API/AEMI authorised in Ireland may passport is by establishing a branch in another member state or appointing an agent to operate in another member state. Again, the API/AEMI must communicate certain information to the CBI by way of the RTS. See Regulation 37 of the PSRs for further detail.
Use of agents – APIs/AEMIs are now obliged to inform the CBI when their proposed agent has commenced activities. Once the CBI is satisfied with the information provided, the notification shall be transmitted to the relevant competent authority within one month of receipt from the APIs/AEMIs.
It is important to remember that when a national competent authority (“NCA”) authorises an API / AEMI, it is essentially allowing that institution, subject to it applying for a passport, to conduct business in another NCA’s jurisdiction. Accordingly, the PSR (or the relevant electronic money regulations) set out the rules relating to the supervision of APIs / AEMIs, their agents and branches when exercising their freedom of services and freedom of establishment to provide services in other member states. To this end, the European Banking Authority issued an RTS (EBA/RTS/2018/03), referenced above, specifying the framework for co-operation and the exchange of information between competent authorities.
Although not the focus of this document, any reader at a payments institution or electronic money institution authorised in another member state (i.e. its head office is in that member state) and passporting services into Ireland should note that the CBI may require that payment institution or electronic money institution operating in Ireland via agents in Ireland to establish a central contact point in Ireland. See EBA report (EBA/RTS/2017/09) issued December 2017 for further detail on the regulatory technical standards in this area.
Authorisation Requirements
The €64mn question we are often asked is “How likely is it that my company can obtain an authorisation as a Payment and / or E-Money Institution in Ireland?” An applicant should expect authorisation as a payments institution or electronic money institution provided that: (i) it meets in full the regulatory requirements including initial and own funds requirements (i.e. sustainable business model), (ii) demonstrates to the satisfaction of the CBI its ability to be supervised after authorisation; and (iii) its board, management and employees, are fit and proper (“F&P”) in accordance with applicable F&P regulations and standards.
We encourage every applicant for an API / AEMI authorisation to familiarise itself with the detailed information on the CBI’s website. The CBI has a statutory duty to ensure that only those companies, their management, board and shareholders which meet the requirements are authorised in Ireland. The CBI refers to its process as being ‘robust, structured and risk-based’. We would add, to the foregoing, the words ‘rigorous’ and ‘probing’; in a ‘fair and transparent environment’ which ensures that the CBI can meet its ‘gatekeeper’ function.
In summary, there are several steps every applicant must adhere to in order to demonstrate it can meet the regulatory requirements. These include demonstrating that the applicant:
- has a clear, meaningful and articulated understanding of the proposed business model;
- will have sufficient substance in Ireland (i.e. the traditionally named ‘heart and mind’ requirement in regulatory speak). However, in the context of the PSR and the EMR[2], the term used is “mind and management”. The CBI use this phrase to interpret what is meant by a firm’s “head office”;
- is financially sound, or in regulatory speak adequately capitalised;
- has appropriate arrangements in place to run an API / AEMI;
- will be capable of complying with, and adhering to, the authorisation and on-going supervisory requirements that each API / AEMI must satisfy on an on-going basis; and
- has employees, management and a board that will meet the thresholds of, and on an on-going basis comply with, fitness and probity requirements.
How does an applicant demonstrate the ‘substance test’?
Bad practice:
If an applicant’s approach to its API / AEMI application appears to the CBI as being ‘I need a brass plate authorisation and I will outsource everything overseas’ then you are best utilising your resources elsewhere. However, no member state can afford to adopt such an approach given that they themselves are subject to oversight by the European Banking Authority in the area of payments and emoney. Poor conduct by a competent authority can result in infringement proceedings as well as associated reputational damage. Why would any self-respecting EU competent authority lower the relatively high but fair bar established by the European Commission and Parliament?
Good Practice:
The “heart and mind” requirement referenced above is essential to a successful application. Another phrase used is “mind and management”. Both phrases are used by the CBI as interpretative tools because neither the PSR nor the EMR define what is meant by “head office”. The way of demonstrating this is via good practice, meaning that you must run your API / AEMI from within Ireland in such a manner that the CBI, as the competent authority, can effectively oversee and supervise it. We advise every applicant to actively consider the following:
- “head office” – in general, the CBI interprets “head office” to mean the location of the mind and management of the applicant and the place where the day-to-day decisions about the direction of the applicant’s business are taken. The onus of meeting the statutory requirements and satisfying the CBI that adequate and effective control of an entity rests in Ireland (not abroad) lies with the applicant. The CBI has issued some guidance on what it expects to see, as follows[3]:
  - decision-making at Board and Committee level to take place within the Republic of Ireland;
  - ensure central management is located within the “head office”;
  - the functions within the head office would normally include, as a minimum:
    - Financial Control;
    - Legal and Compliance; and
    - Risk Management; and
  - a significant senior management presence (within the applicant[4]) in the Republic of Ireland to ensure that full authority and effective control of the applicant rests within the “head office”.[5]
- a senior management team – your management team must have sufficient operational expertise, strength and depth to demonstrate that they can run the business in a manner which the CBI can effectively supervise. There is no regulatory requirement that each or all persons concerned in the management of the API/AEMI must permanently reside in Ireland. The degree to which any person must reside in Ireland will be driven by the nature, scale and complexity of the business model, the time required in Ireland for him/her to discharge core functional operations together with satisfying the CBI that the proposed arrangements do not negatively impact its ability to effectively supervise the API / AEMI;
- board of directors – the board too must have the knowledge, skills and experience to oversee the management team which runs the business on a day to day basis. Although not a written regulatory requirement, the CBI is likely to require that each applicant appoint at least one non-executive director (‘NED’) to the board, and more than likely that such person will need to be an independent NED (‘INED’);
- organisation structure – together with clear reporting lines, the applicant’s organisational structure must be established in a manner that ensures appropriate systems and controls are in place, that segregation of duties is sufficient to ensure that there are no real or perceived conflicts of interest whilst ensuring that the procedures and policies do not inhibit effective oversight of the applicant’s activities; and
- shareholders – shareholders do not manage the operations of the applicant unless a shareholder is a member of management or the board. A shareholder, acting in the capacity of a shareholder, must not involve itself in the management or oversight of the regulated API / AEMI or otherwise seek to inappropriately influence the management or board of the API / AEMI.
How does outsourcing impact the substance test?
Outsourcing is a legitimate and operationally effective way for any business, regulated or not, to remain a sustainable, prudent and consumer protectionist operation. When it comes to regulated fintech, such as APIs / AEMIs, they must remain aware of both the CBI’s and the EBA’s requirements and guidelines on outsourcing.
In this regard, Ireland adopts the ‘you may outsource the function, but you cannot outsource the responsibility’ adage. Therefore, in circumstances where an API / AEMI wishes to outsource to a third party either within Ireland or overseas it must be able to demonstrate to the CBI that it can comply with its regulatory obligations. When completing an application, the applicant provides details to the CBI about how outsourced functions will be monitored and controlled on a day-to-day basis. The description must include: details of on-going reporting; details of how service levels are monitored; and details of oversight meetings held with the outsource service provider.
The CBI views outsourcing as a considerable risk and issued a discussion paper on the topic in November 2018 which every applicant should read[6]. Accordingly, APIs/AEMIs need to be aware that the CBI must be notified of the outsourcing of critical or important functions, including where the API seeks to materially alter existing outsourcing arrangements. In addition to the PSR which set out the outsourcing requirements, APIs/AEMIs must also adhere to the EBA’s separate Guidelines on Outsourcing.
What is a critical or important function? ‘Critical or important functions’ would include an operational function … where a defect or failure in its performance would materially impair the continuing compliance of the payments / electronic money institution with the conditions and obligations of its authorisation or its regulatory obligations, or its financial performance, or the soundness or the continuity of its investment services and activities. See para 20 Final Report on EBA Guidelines on outsourcing arrangements[7] and the relevant provisions of the PSR / EMR.
A payment institution / electronic money institution may only outsource an important operational function where it meets the following requirements:
- the outsourcing will not result in the delegation by senior management of its responsibility;
- the relationship and obligations of the payment institution / electronic money institution towards its electronic money holders or payment service users under the PSR / EMR will not be altered;
- the conditions with which the payment institution / electronic money institution is to comply in order to be authorised and remain so in accordance with the PSR / EMR will not be breached;
- none of the other conditions subject to which the payment institution’s / electronic money institution’s authorisation was granted will be removed or modified.
Outsourcing of important operational functions, including information technology systems, shall not be undertaken in a manner that materially impairs the quality of the API’s/AEMI’s internal control and the ability of the CBI to monitor and review compliance by APIs/AEMIs with their obligations under the PSR/EMR.
Prior notification to CBI (not less than 30 days): Where a payment institution / electronic money institution whose home Member State is the State (in this case Ireland) proposes to outsource an operational function relating to the provision of payment services or electronic money services, it must inform the CBI accordingly not less than 30 days prior to the date on which it proposes to commence such outsourcing.
Details as to how outsourced functions are monitored and controlled on a day-to-day basis must be provided by an applicant in Guideline 8.1(g) of the Application Forms for Payments and Electronic Money Institutions. The description provided should include:
- details of on-going reporting;
- details of how service levels are monitored;
- details of oversight meetings held with the outsource service provider; and
- consideration of the EBA Guidelines on outsourcing arrangements.
In February 2021, the CBI issued CP138 - Consultation on Cross-Industry Guidance on Outsourcing. Closing date for submissions was 26 July 2021[8]. In April 2021, the CBI issued CP140 - Cross Industry Guidance on Operational Resilience. Closing date for submissions was 9 July 2021[9]. Both Consultation Papers are highly recommended to applicants seeking authorisation as a payments institution or electronic money institution.
Are the capital requirements for an API different in Ireland than elsewhere?
No matter in which EU member state you establish your authorised payments institution, the institution must (without exception) hold initial capital. The amount of initial capital to be held by an API varies between €20,000 and €125,000 depending upon the exact type of services applied for. The actual amount of both initial capital and ‘own funds’ required for each individual institution will be notified to the applicant as a part of the authorisation process.
If you have not been involved with the calculation of capital requirements previously, you should take advice and we are happy to help in this regard. For specific information about the capital requirements for AEMIs, please see the Why Ireland for Fintech – Getting an Electronic Money Institution Authorisation in Ireland at https://fintechireland.com/fintech-authorisations.html.
Arrangements
When getting ready to start preparation work on your API / AEMI application, an important document to read is the Guidance Note[10]. If you are not familiar with the process, you run the real risk of creating an impression within the CBI that your application is overly complex, lacks awareness of the requirements and/or may be difficult to supervise. The CBI will assess the following areas when considering an application for authorisation as an API / AEMI: business plan; programme of operations; structural organisation; measures to safeguard the funds of payment services users; governance arrangements and internal controls; security policy document; control mechanisms for anti-money laundering and counter terrorist financing; identity and suitability assessment of persons with qualifying holdings; identity and suitability assessment of directors and persons responsible for managing the firm; and business continuity arrangements.
What is Fitness and Probity?
All individuals being proposed by the applicant to hold a pre-approval controlled function (“PCF”) role must complete a fitness and probity individual questionnaire (“IQ”). IQs are submitted electronically via the CBI’s Online Reporting System which becomes available after an application has been deemed to contain all the key information needed to progress to the assessment phase of the application process (see below). To fulfil a PCF role, the person must be competent and capable, honest, ethical and of integrity and also financially sound.
An applicant must not permit any person to perform a controlled function, including a PCF, unless it is satisfied on reasonable grounds that the person complies with the standard of fitness and probity issued by the CBI. The Guidance on Fitness and Probity Standards provides further information.[11] A list of prescribed CFs and PCFs for regulated financial services providers (other than credit unions) appears on the CBI’s website.[12]
Examples of the types of roles at an API / AEMI that will require a person to complete an IQ include senior management, such as the chief executive/managing director and chief financial officer/financial controller; persons with head of function responsibility for compliance, risk and anti-financial crime; and members of the board of directors. We are happy to advise on the PCF roles you may require for your API / AEMI and advise on the requirements of the Fitness and Probity regime.
Like outsourcing, the EBA has also issued guidelines on fitness and probity which supplement those issued by CBI relating to the identity and suitability assessment of directors and persons responsible for the management of the payment institution or emoney institution.
On 22 September 2021, the CBI issued a ‘Notice of Intention’ informing of its intention to make changes to PCFs. These amendments will apply to all firms authorised by the CBI, including payments institutions and electronic money institutions. In brief, we expect the following amendments to the PCF regime in Ireland:
- PCF-2 (Non-Executive Director) to be divided into two individual positions to distinguish between non-executive directors which are independent and those which are not. PCF-2A will be the PCF designation for Non-Executive Directors and PCF-2B will be the designation for Independent Non-Executive Directors.
- The PCF-15 role (Head of Compliance with responsibility for AML) will be abolished and a PCF-52 role will be introduced as the new PCF of Head of Anti-Money Laundering and Counter Terrorist Financing. There is no change to the existing PCF-12 (Head of Compliance). As is the case with other PCF roles, it will be permissible, subject to the CBI’s approval, for one person to perform both the PCF-12 and PCF-52 roles.
- PCF-16 role will be expanded so that managers of branches of Irish regulated entities (such as payment institutions and emoney institutions) established in non-EEA countries - including the UK - will become PCF functions.
The above changes are the ones most likely to impact applicants for authorisation as a payments institution and emoney institution. Another intended change is the removal of the existing PCF-31 (Head of Investment), with the PCF-30 role (Chief Investment Officer) remaining unaffected.
Guidance on Fitness and Probity for a Payment Institution, Electronic Money Institution or Account Information Service Provider Under Payment Services Regulations 2018 and Electronic Money Regulations 2011 (April 2021)
Persons seeking approval for Pre-Approval Controlled Function (PCF) roles in a payment institution, electronic money institution, or account information service provider must comply with the requirements of the EBA Guidelines on the Information to be Provided for Authorisation and Registration under PSD2 (EBA Guidelines). The CBI has made a number of amendments to the standard Fitness and Probity IQ to reflect the requirements outlined in the EBA Guidelines.
In April 2021 the CBI published a document to provide guidance on the requirements under PSR and EMR that apply to persons seeking approval for a PCF role in an API, AEMI, or AISP. Any F&P IQ submitted to the Central Bank via its Online Reporting System (ONR) must be in accordance with these requirements.[13]
Senior Executive Accountability Regime (SEAR)
On 27 July 2021, the Minister of Finance announced the publication of the General Scheme of the Central Bank (Individual Accountability Framework) Bill 2021. The General Scheme provides for the establishment of the Individual Accountability Framework (IAF) which includes the SEAR. The IAF framework facilitates individual accountability and responsibility, particularly for persons performing what are called senior executive functions within regulated financial services providers. CompliReg has established a specific website to assist firms in understanding the important obligations proposed by the IAF and SEAR, which can be accessed here - https://SEARHub.com (www.sear.ie).
What Payment Services can an API provide?
Payment Services:
To become an API, you, as a future ‘payment services provider’ must be intending to provide a “payment service” otherwise your business will not fall under the PSR and you will fail to become authorised. While this may sound obvious, it is a question of both fact and law as to whether or not you are providing a payment service. Across Europe, there can be different interpretations applied by different national competent authorities and therefore advice is very often needed; such advice CompliReg is happy to provide. For example, numerous firms regulated by the UK Financial Conduct Authority (FCA) either as an authorised payments institution or an emoney institution are surprised that the CBI doesn’t necessarily adopt the same approach as the FCA when it comes to interpreting one or more payments services (notwithstanding they may have been providing services in Ireland under a passport). For example, some firms which have money remittance approved by the FCA may find that the CBI doesn’t consider that the applicant is providing money remittance despite the UK and the intended Irish firm having the same business model.
It should be noted that where a payment institution wishes to engage in, or is engaged in, other business activities, the CBI may require the API (or applicant) to establish a separate entity for the payment services business if the non-payment services activities (e.g. Virtual Asset Service Provider) impair or are likely to impair either the financial soundness of the API or the ability of the CBI to monitor the API’s compliance with the PSR.[14]
The person providing the “payment service” is referred to as the “payment services provider” for the purposes of the PSR. Payment services are defined in Article 4(3) of Directive 2015/2366 and mean any business activity set out in Annex 1 of Directive 2015/2366, as follows (1-8 below):
1. Services enabling cash to be placed on a payment account as well as all operations required for operating a payment account;
2. Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account;
3. The execution of the following types of payment transactions:
3a. direct debits, including one-off direct debits;
3b. payment transactions through a payment card or similar device;
3c. credit transfers, including standing orders;
4. The execution of the following types of payment transactions where the funds are covered by a credit line for the payment user:
4a. direct debits, including one-off direct debits;
4b. payment transactions executed through a payment card or similar device;
4c. credit transfers, including standing orders;
5. Issuing of payment instruments and/or acquiring of payment transactions.
6. Money remittance;
7. Payment initiation services; and
8. Account information services.
A list of activities not captured as a payment service under the PSR is set out at Regulation 4 of the PSR.
Ancillary Activities
In addition to nominating which payment services an applicant is applying for, the CBI’s authorisation form requires applicants to set out which ancillary services they require in addition to the payment services above. Ancillary services are set out in Regulation 29 of the PSR, which permits APIs to engage in:
- the provision of operational and closely related ancillary services such as ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data;
- the operation of payment systems; and
- business activities other than the provision of payment services, subject to any Irish law or law of the EU applicable to such activities.
Where a payment institution engages in the provision of one or more payment services, it may hold only payment accounts which are used exclusively for payment transactions[15].
Under Regulation 29 PSR, a payment institution may hold only payment accounts which are exclusively for payment transactions. The PSR also allow a payment institution to grant credit for a maximum period of 12 months in certain circumstances[16].
A question often asked is whether funds received by an API from a payment service user are either (a) a deposit or other repayable funds, or (b) electronic money. Provided that the funds pass from the payment services user to the API for one or more payment services, the funds are not deposits, other repayable funds or emoney as per Regulation 29(3) of the PSR.
What is the Authorisation Process?
The CBI’s website is quite good in this area, and its practical approach of breaking down the process into its constituent elements is very useful. You can read all the relevant information on its website: Application Process for Payment Institutions[17].
[Note: Although the CBI’s website references the registration of SPIs (i.e. small payments institutions), the CBI has not registered any SPIs to date.]
The Payments Authorisation Team at the CBI is the point of contact for applicants seeking an authorisation as a payments institution. During the course of an application, an applicant will likely also deal with additional areas at the CBI including the Fitness and Probity, Technology Risk and Anti-Money Laundering teams.
[Note: The CBI has an Innovation Hub, which is a facility available to firms to engage with the CBI outside of existing formal regulator/firm engagement processes. We have held many productive meetings with the Innovation Hub prior to and adjacent with an applicant making an application.]
Each applicant seeking authorisation/registration must satisfy the CBI that it can meet the authorisation/registration standards set out in the PSR. The CBI intends to process each application as expeditiously as possible while meeting its obligation to operate a rigorous and effective gatekeeper function. It aims to ensure that the application process is facilitative and accessible from the perspective of applicants and, importantly, that applicants have clarity regarding the process, its requirements and timelines.
The Application Process as set out on the CBI’s website includes details of:
- things to do before applying for authorisation.
- summary of the key stages in the application process.
- documentation required to make an application for authorisation/registration.
Anti-Money Laundering and Countering the Financing of Terrorism
It is important to note applicants must complete an Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre Authorisation Risk Evaluation. This takes the form of a Questionnaire (“AML/CTF & FS Questionnaire”).
On 23 April 2021, Ireland signed into law the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The 2021 Act (No. 3 of 2021) makes several changes to the 2010 Act (No. 6 of 2010) transposing the EU 5AMLD (EU 2018/843) into national law. You can find more information about this change in law on CompliReg’s website[18].
You can read more about the CBI’s requirements on Money Laundering and Terrorist Financing at its website[19].
Financial Sanctions and Terrorist Financing – additional obligations
To ensure compliance with Ireland’s AML and CFT requirements and to prevent the financing of terrorism, credit and financial institutions including payment institutions and emoney institutions must monitor their customers and transactions against both the EU and UN Sanctions Committees lists relating to terrorism. The lists are regularly updated and must be frequently checked to ensure that they are the latest ones available.
Financial Sanctions lists that relate to terrorism should be monitored to assist in preventing terrorist financing from occurring, including, but not limited to, the following:
- EU Financial Sanctions list; and
- United Nations Sanctions Committees lists.
You can read more about the CBI’s requirements on Financial Sanctions and Terrorist Financing at its website[20].
A brief word about the MLRO
The term “MLRO” is not defined in Irish legislation.
The CBI will require the applicant to appoint either or both a Head of Compliance (PCF 12) and / or PCF 15 (Head of Compliance with responsibility for AML/CFT Legislation). This person must be fit and proper and be pre-approved by the CBI before he/she may commence his/her role. In terms of custom and practice, this person will often be called the “MLRO”.
Like all PCF roles, the person must be competent and capable, honest, ethical and of integrity and also financially sound.
In addition, Section 54(8) of the CJA2010 (explained at para 6.3 of the AML/CFT Guidelines) provides that designated persons, such as emoney and payments institutions, shall appoint a member of Senior Management with primary responsibility for the implementation and management of anti-money laundering measures in accordance with Part 4 CJA 2010 if directed in writing to do so by the CBI for that designated person. The CBI expects institutions to appoint a Member of Senior Management with primary responsibility for implementing, managing and overseeing compliance with AML/CFT measures, where such an appointment is proportionate to the nature, scale and complexity of an institution’s activities.
Where an institution has decided that it is not necessary to appoint a Member of Senior Management, having regard to the nature, scale and complexity of the institution’s activities, it should record in detail its rationale for such decision. In such circumstances, the institution must ensure that it remains in compliance with all obligations under the CJA2010. This includes ensuring that all matters requiring approval by senior management are approved at the appropriate level.
Please refer to our Overview of Certain Prudential and Conduct of Business Rules for Payment Institutions and Electronic Money Institutions available at https://fintechireland.com/fintech-authorisations.html for more detail about the AML/CFT obligations of APIs and AEMIs, including the use of electronic means to verify the identity of customers and how the CBI will supervise an AEMI / API post-authorisation.
Key Stages in the Application Process
There are five stages to the authorisation process for the authorisation of a payments institution / electronic money institution; however, the CBI’s approach is flexible in terms of applicants which take their application seriously. Although the CBI will reserve the right to follow its procedures to the letter, where such adherence might cause unfairness to an applicant, we have always found the CBI to be open to practical discussions about advancing applications in the spirit of the regulations and guidelines.
The diagram appearing on the next page is a high-level representation of an application passing through the process with relative speed. Below the diagram we have set out some additional information about requests of the CBI for a pre-application meeting and the Pre-Application Key Facts Document which occur before an applicant files an application for an API or an AEMI.
[1] Regulatory Technical Standards on the framework for co-operation and exchange of information between competent authorities for passport notifications under the Directive (EU) 2015/2366 (‘RTS’)
[2] EMR being Statutory Instrument No. 183 of 2011 - European Communities (Electronic Money) Regulations 2011 (as amended)
[3] This is not intended to be a ‘formula’ for meeting the “head office” requirement, rather to provide an indication of what the CBI will expect to see in this regard.
[4] This must be someone who is familiar with the applicant’s business model and its application submission and must be someone who works for/will work for the applicant if and when authorised, and not a professional advisor to the applicant
[5] It should be noted that in order to meet the requirements of Regulation 21 of the PSR, an applicant payment institution must carry out at least part of its payment services business in Ireland.
[6] Outsourcing – Findings and Issues for Discussion (November 2018) https://centralbank.ie/news-media/press-releases/outsourcing-activities-in-financial-service-providers
[7] https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1
[8] https://www.centralbank.ie/publication/consultation-papers/consultation-paper-detail/cp138---consultation-on-cross-industry-guidance-on-outsourcing
[9] https://www.centralbank.ie/publication/consultation-papers/consultation-paper-detail/cp140---cross-industry-guidance-on-operational-resilience
[10] Guidance Note on Completing an Application for Authorised Payment Institution (September 2020) replacing the previous version dated April 2018 https://www.centralbank.ie/docs/default-source/Regulation/industry-market-sectors/Electronic-Money-Institutions/Authorisation-Process/psd2-guidance-note.pdf?sfvrsn=3
[11] Guidance on Fitness and Probity Standards - https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity and https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/about-fitness-and-probity
[12] https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/requirements-assessment-compliance/regulated-financial-service-providers/introduction
[13] https://www.centralbank.ie/docs/default-source/regulation/industry-market-sectors/electronic-money-institutions/authorisation-process/guidance-note-on-completing-an-application-for-emi-pi-aisp.pdf?sfvrsn=4
[14] Regulation 20 PSR
[15] Regulation 29(2) of the PSR
[16] Regulation 29(4) of the PSR.
[17] Application Process for Payment Institutions - https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions/authorisation-process
[18] https://complireg.com/blogs--insights/ireland-transposes-additional-provisions-of-eu-5amld-into-national-law
[19] https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism
[20] https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/countering-the-financing-of-terrorism
Some important information about each stage of the Authorisation Process:
The CBI informs: “Applicant firms must seek their own legal advice prior to submitting an application for authorisation or registration.” Peter Oakes and the team at CompliReg are available to advise firms seeking to apply for an authorisation by the CBI. Where legal advice is required, we can introduce you to reputable law firms with extensive experience in the area of financial services regulations, including advice on banking, insurance, MiFID, payments and emoney.
Applicant firms may request a pre-application meeting with the CBI to ask specific queries about the authorisation process. However, it is not within the remit of the CBI to provide advice at these meetings.
When availing of a pre-application meeting, the CBI requires applicants to be at an advanced stage of their application before requesting a meeting. Furthermore, the CBI expects that specific questions be prepared by the applicant in advance in order to make the meeting as productive as possible. The CBI informs that meetings are limited to no more than forty-five minutes.
Although it does not appear on the CBI’s website, the CBI has recently introduced a pilot scheme called the Pre-Application Key Facts Document (KFD) to provide valuable summary details to the CBI on the applicant firm’s proposed arrangements prior to the pre-application meeting. If invited to submit a KFD by the CBI, note the following:
- the completed KFD must be no more than 5 pages, inclusive of the applicant firm’s organisational and shareholders charts, and in Word format.
- applicant firms must provide a response to this questionnaire no less than 5 working days prior to the pre-application meeting.
Summary of the Authorisation Process
- Stage 1: straight-forward.
- Stage 2: if an application is lacking the necessary information to allow it to move to Stage 3, the CBI will identify the omitted information in a statement to assist the applicant should it wish to file another application.
- Stage 3: it should be noted that in the event of further and/or subsequent information being sought, the 90 day ‘clock’ is paused until such information is received by the CBI from the applicant. The CBI can disband its 90-working day service standard in certain circumstances. Should an applicant not respond to a request from the CBI for further and/or subsequent information, within 60 working days, the CBI is at liberty not to consider the applicant any further.
- Stage 4: where the notification is favourable, the CBI may specify any specific conditions it proposes to impose on the authorisation/registration once granted. The CBI will explain the reasons for proposed conditions and the applicant is able to make representations before the CBI makes any decision on the application. Should the CBI not be satisfied following the Assessment Phase, it will inform the applicant. The CBI will set out the areas to be addressed and afford the applicant the opportunity to do so and to make any submissions in respect of these matters.
- Stage 5: should the CBI propose to refuse an application it will notify the applicant of the grounds for the proposed refusal. The applicant then has the opportunity to make submissions in response to the proposed refusal. These submissions are considered by the CBI following which a decision is taken to grant or refuse the authorisation/registration. The CBI must inform a firm whether its application has been granted or refused within three months of receiving all the information required to make a decision.
What documents, in general, does an applicant for authorisation as a payments institution need to submit to the CBI?
In general there are four (4) groups of documents which need to be submitted to the CBI for authorisation as a Payment Institution. In addition, specific information and documentation, identified in the below groups of documentation must be submitted.
Group 1: What is contained in the Group 1 Application Form for Authorisation as a Payments Institution?
The following Guidelines are contained in the Application Form and must be completed in full. Although each Guideline is equally important, in our experience, Guideline 3 (Programme of Operation) and Guideline 4 (Business Plan) can often be the most complex and material in terms of demonstrating your proposed authorised institution to the Central Bank of Ireland and require significant attention to detail. Like Group 2 to Group 4 documents, the completion of Group 1 should not be considered to be a simple form filing exercise. A poor quality application may be rejected at the Stage 2 Key Information Check.
- Guideline 1: General Principles (this document does not require any data input)
- Guideline 2: Identification Details
- Guideline 3: Programme of Operations
- Guideline 4: Business Plan
- Guideline 5: Structural Organisation
- Guideline 6: Evidence of Initial Capital
- Guideline 7: Measures to Safeguard the Funds of Electronic Money Users and/or Payment Service Users
- Guideline 8: Governance Arrangements and Internal Control Mechanisms
- Guideline 9: Procedure for Monitoring, Handling and Following up on Security Incidents and Security-related Customer Complaints
- Guideline 10: Process for Filing, Monitoring, Tracking and Restricting Access to Sensitive Payment Data
- Guideline 11: Business Continuity Arrangements
- Guideline 12: The Principles and Definitions applicable to the Collection of Statistical Data on Performance, Transactions and Fraud
- Guideline 13: Security Policy Document
- Guideline 14: Internal Control Mechanisms to Comply with Obligations in relation to Money Laundering and Terrorist Financing (AML/CFT Obligations)
- Guideline 15: Identity and Suitability Assessment of Persons with Qualifying Holdings in the Applicant
- Guideline 16: Identity and Suitability Assessment of Directors and Persons Responsible for the Management of the Payment Institution
- Guideline 17: Identity of Statutory Auditors and Audit Firms
- Guideline 18: Professional Indemnity Insurance or Comparable Guarantee for Payment Initiation Services and Account Information Services
- Declaration
Group 2: What is contained in the Group 2 Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre-Authorisation Risk Evaluation: Questionnaire for Payment Institution and Electronic Money Institution Applicants?
1) Firm’s details and name of MLRO
2) Establish Governance
3) Firm Risk Profile
4) Adopt a Risk-Based Approach to On-going Monitoring
6) Report Management Information
7) Pre-Authorisation REQ Completed By
8) Completion Notes
Group 3: What is contained in the Group 3 Qualifying Holder Application Forms?
- Application for a Legal Person or other entity type with Qualifying Holdings in an Applicant Payment Institution or Electronic Money Institution;
- Application for a Natural Person with Qualifying Holding in an Applicant Payment Institution or Electronic Money Institution; and
- Application for a Director with Qualifying Holdings in an Applicant Payment Institution or Electronic Money Institution;
Are there any specific requirements on who can be a shareholder?
Generally speaking, any legal person can be a shareholder in a company under Irish company law. However a person, whether a natural or legal person, of an authorised emoney / payments institution, who owns or proposes to have a ‘Qualifying Holding’ must be approved by the Central Bank of Ireland.
“Qualifying Holding” means a legal or natural person with a direct or indirect holding of shares or other interest in the applicant which represents 10% or more of the capital or of the voting rights, or any direct or indirect holding of less than 10% of the capital or of the voting rights but which makes it possible to control or exercise a significant influence over the management of the applicant in which a holding subsists.
It is also a legal obligation for all persons who directly or indirectly propose to:
- dispose of a qualifying holding;
- decrease a qualifying holding,
- falls to or below a prescribed percentage in an electronic money/payment institution
[1] https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions/notification-process-for-proposed-acquisitions-of-qualifying-holdings
[2] https://www.centralbank.ie/regulation/industry-market-sectors/electronic-money-institutions/notification-process-for-proposed-acquisitions-of-qualifiying-holdings
Group 4: What is contained in the Group 4 Fitness and Probity Individual Questionnaires?
Fitness and Probity Individual Questionnaires for all Pre-Approval Controlled Function (PCF) roles (typically board members, senior management, key function holders) are submitted electronically via the CBI’s Online Reporting System (ONR). The CBI has informed on its website that access to the ONR is only provided once an application has progressed to Stage 3 - Assessment Phase (detailed above).
Note: You may also wish to refer to the section above on the Pre-Application Key Facts Document, which is a stage in the authorisation process which you may be invited to execute ahead of filing an application for authorisation.
In summary, you can find the relevant forms for Authorisation as Payment Institutions, Authorisation as Electronic Money Institutions and Registration as an Account Information Service Provider below (as of 31 October 2021).
- Payment Institutions - https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions/authorisation-process
- Electronic Money Institutions - https://www.centralbank.ie/regulation/industry-market-sectors/electronic-money-institutions
- Account Information Service Provider - https://www.centralbank.ie/regulation/industry-market-sectors/payment-institutions/authorisation-process (https://www.centralbank.ie/docs/default-source/Regulation/industry-market-sectors/Electronic-Money-Institutions/Forms/application-for-registration-as-an-account-information-service-provider.docx?sfvrsn=3)
This document is focused upon obtaining authorisation as a payments institution and is a summary only. Other topics that we will discuss with you impacting your business once authorised include:
- prudential supervision requirement.
- passporting provisions.
- conduct of business rules.
- data protection.
Next Steps?
Like what you have read? Contact Peter Oakes at peter@peteroakes.com (or office@complireg.com) to discuss how establishing an Authorised Payment Institution in Ireland is the wise choice and why Peter Oakes is the wise choice to assist.
Please also refer to our Overview of Certain Prudential and Conduct of Business Rules for Payment Institutions and Electronic Money Institutions available at https://fintechireland.com/fintech-authorisations.html for more detail about topics relevant to AEMIs / APIs.
This document is general guidance and information. It is not legal or other professional advice. Such advice should always be taken before acting on any of the matters discussed. If you need legal advice we can help with referral to a leading international law firm with operations in Dublin. This document draws upon information from Fintech Ireland, Fintech UK and CompliReg.
Version 2.1