As readers will recall from our article in April 2019 the Central Bank of Ireland (the “CBI”) has a continued focus on fitness and probity. Pursuant to this, the CBI issued a notice of intention on 25 February, 2020 (the “Notice”) proposing to:
- Introduce three new Pre-Approval Controlled Functions (“PCFs”):
- Chief Information Officer PCF-49 (under the ‘General’ category);
- Head of Material Business Line PCF-50 (under the ‘Banking’ category);
- Head of Market Risk PCF-51 (under the ‘Banking’ category);
- Split PCF-39 Designated Person into six PCF roles aligned to the specific managerial functions.
The introduction of the new PCF roles under point one above will result in further individuals falling under the CBI’s purview with respect to whether they are fit and proper in relation to the specific PCF role they are carrying out in their firm. The CBI referenced in the Notice that the introduction of these roles is on the basis of (i) the increasing importance of and reliance on information technology within regulated financial service providers (“RFSPs”), and (ii) the changing landscape of the banking sector in Ireland due to Brexit, including the entry/expansion of investment banks/broker-dealer firms with significant capital markets activity.
Chief Information Officer PCF-49 and a focus on information technology (“IT”)
The CBI acknowledges the advancement of IT and the way it is changing how business is conducted in the financial services industry. In light of the increased role that technology plays and the risks posed by IT, the CBI appear to be of the view that it is appropriate to introduce the Chief Information Officer as a PCF role.
This role will typically apply to the most senior individual at the RFSP with responsibility for IT matters. The onus will be placed on the RFSP to review its function to determine whether the role meets the substance of a Chief Information Officer role. The person that is carrying out this role currently in the relevant RFSP may be referred to as the “Chief Technology Officer”, or other similar role title.
The CBI sets out that while the following circumstances are examples of when the CBI expect the PCF-49 role will likely apply, RFSPs should not construe these as limited circumstances:
- The RFSP has a PRISM impact rating of High or Medium High.
- IT is a key enabler or core element of the RFSP’s business model.
It is worth bearing in mind in respect of point one above that the CBI are currently reviewing and revising PRISM impact ratings. Please see our recent article on this topic for further information in this regard.
Readers will be aware that the CBI issued its Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks in September, 2016 (the “Guidance”). Under the Guidance, the CBI indicated that a person of sufficient seniority within a regulated firm in Ireland shall be designated as being responsible for IT and cybersecurity matters. Readers should bear in mind that the designation of an individual as being responsible for IT and cybersecurity matters under the Guidance does not necessarily mean that every RFSP will be automatically required to nominate an individual to perform the PCF-49 role. However, where an RFSP has nominated such an individual pursuant to the Guidance, and the RFSP considers that the role of PCF-49 will apply to their firm, then it may well be the case that the senior individual within such firm, that is responsible for IT and cybersecurity matters under the Guidance, will likely be the PCF-49 role.
Splitting the role of a designated person PCF-39 into six different roles
The CBI are proposing to split the PCF-39 role into six roles to correspond with the six managerial functions set out in the CBI’s UCITS Regulations, AIF Rulebook and the Fund Management Companies Guidance. This will likely result in PCF-39A, PCF-39B and so on appearing on the CBI’s online reporting system ("ONR") when individual questionnaires (“IQs”) are being completed in the future.
CBI approval in respect of individuals in situ that continue to perform their PCF role
The CBI indicates that amended regulations will be put in place reflecting the introduction of these new roles pursuant to Section 22 of the Central Bank Reform Act 2010 (the “Act”) which enables the CBI to prescribe by regulation PCFs. As a result, persons in situ on the date that the amended regulations come into effect will not be required to seek the approval of the CBI to continue to perform one of the new PCF roles. However, RFSPs will be required to review their assessment under Section 21 of the Act in respect of persons in situ and submit confirmation of such an assessment to the CBI. The assessment referred to under Section 21 of the Act is ensuring that the relevant person in situ complies with the Fitness and Probity Standards 2014 (the “Standards”) and that such person has agreed to abide by such Standards.
This assessment process will commence after the amended regulations come into effect and a period of six weeks will be provided to submit the in situ confirmation. Should the person in the role change after the new PCF roles have been introduced then they will be required to seek the CBI’s prior approval by means of a new IQ submission.
Changes to current practices
RFSPs are obliged to make an annual return on the ONR confirming, among other things, that they are satisfied on reasonable grounds that the written agreement of each person performing a PCF to abide by the Standards has been obtained. As a result, RFSPs will need to incorporate reference to each of these new PCF roles into any relevant confirmation letters that they obtain from PCFs.
Consideration will need to given to whether additional letters of engagement should be put in place or amendments made to existing letters of engagement to reflect the new PCF roles that individuals will be carrying out and to reflect the duties and obligations under the Standards. RFSPs should also review their fitness and probity policies to ascertain if any updates need to be made to reflect the new PCF roles.
Finally, any persons that will be carrying out the new PCF roles will have to comply with the relevant aspects of the Act (as well as any regulation designated under the Act such as the Principal Regulations 2011 (S.I. No. 437 of 2011) as amended), the Standards and any applicable minimum competency codes. As a result, any breach of these provisions may result in action being taken by the CBI, including for example investigations, suspending a person from acting as a PCF, prohibiting a person from acting as a PCF, enforcement action against the person carrying out a PCF role etc.
Responses on the above proposals should be submitted to the CBI at [email protected]no later than 26 March, 2020.