Financial Services Regulatory Group Bulletin - November 2015

Our latest Financial Services Regulatory Group bulletin contains new updates on significant developments in financial services regulation, including the Personal Insolvency (Amendment) Act 2015, financial services remuneration, cyber-security, the Capital Markets Union, and recent Supreme Court case law regarding the Code of Conduct on Mortgage Arrears and appeals from the Financial Services Ombudsman. Because of the fast-moving nature of financial services regulation and the sheer volume of regulatory material being produced, we regularly upload briefings on the firm’s website dealing with significant developments - in this bulletin we have included an easy way to access our more recent briefings, in case you have not had a chance to look at them yet. Financial Services Introduction Regulatory Group Bulletin Financial Services Regulatory Group The Financial Services Regulatory Group forms part of McCann FitzGerald’s wider Banking & Financial Services Group which is the leading practice in the Irish market. Our Financial Services Regulatory Group advises credit institutions, (re) insurance undertakings, and other clients on the complex regulatory and compliance issues that arise in the area of financial services including the administrative sanctions process, regulatory capital requirements, the provision of retail and wholesale financial services, insider dealing and market abuse issues, consumer credit matters and anti-money laundering issues. Ambrose Loughlin Partner, Head of Financial Services Regulatory Group in this issue: 2 | mccann fitzgerald ¼ november 2015 quick links Financial Services Regulatory Group Bulletin EMIR Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (EMIR) came into force on 16 August 2012 and has direct effect through the EEA, although its provisions take effect on a phased basis. Our briefings provide updates on the supervision of non-financial counterparties under EMIR and on the application of the clearing obligation: Link to briefing: Central Bank Update - Supervision of Non-Financial Counterparties Under EMIR Link to briefing: EMIR Update: Implementing the Clearing Obligation Link to briefing: EMIR Clearing: Pension Scheme Arrangements get Two-Year Reprieve Link to briefing: EMIR Update: Credit Derivatives and the Clearing Obligation Banking Over the last few months, we have published briefings on two significant domestic developments in financial services legislation. The first of these briefings gives an overview of the new regulatory framework applicable to credit servicing firms under the Consumer Protection (Regulation of Credit Servicing Firms) Act 2015, which was enacted on 8 July 2015. The second deals with the transposition of the Bank Recovery and Resolution Directive into Irish Law. Link to briefing: Credit Servicing Firms - A New Regulatory Framework Link to briefing: Ireland Implements the Bank Recovery and Resolution Directive in this issue: 3 | mccann fitzgerald ¼ november 2015 quick links Financial Services Regulatory Group Bulletin Investment Management Updates It has been an exciting few months in investment management with the Central Bank’s long-awaited publication of the UCITS Regulations, which is discussed in two of the briefings set out below. Another briefing discusses the new investment opportunities for Irish funds which are now permitted to purchase Chinese A shares through Stock Connect. The fourth briefing considers the European Securities and Markets Authority’s opinion on the functioning of the passport under the Alternative Investment Fund Managers Directive and the National Private Placement Regimes, and its advice on the application of the AIFMD passport to non-EU alternative investment fund managers and alternative investment funds. Link to briefing: New Chinese Investment Opportunities for Irish Funds Link to briefing: AIFMD Update: Passporting and National Private Placement Rules Link to briefing: Central Bank UCITS Regulations Published Link to briefing: Central Bank Update - AIFMD, UCITS and Investor Money Q&A Structured Finance Certain section 110 companies are now subject to statistical reporting requirements, as detailed in the briefing below. Link to briefing: New Registration and Reporting Requirements for Section 110 Companies in this issue: 4 | mccann fitzgerald ¼ november 2015 Update on Personal Insolvency Law Some creditors may need to engage with mortgage holders more proactively regarding Personal Insolvency Arrangements once the Personal Insolvency (Amendment) Act 2015 (“2015 Act”) fully enters into force. In particular, the new Act amends the Personal Insolvency Act 2012 (“2012 Act”) to give the courts the power to review and, where appropriate, to approve certain insolvency deals that have been rejected by creditors. The 2015 Act also makes a number of other amendments which impact, among other things, on the Debt Relief Notice procedure and on the powers of the Insolvency Service of Ireland (“ISI”). The 2015 Act has obvious implications not only for mortgage holders, but also for banks and other creditors, as well as investors in portfolios of Irish debt and other Irish financial assets where the underlying debtors include individuals. Background The 2012 Act reformed the personal insolvency regime in Ireland, including through the introduction of three new debt resolution processes, namely, the: • Debt Relief Notice (“DRN”) to allow for the write-off of qualifying unsecured debt up to €20,000 subject to a three-year supervision period; • Debt Settlement Arrangement (“DSA”) for the agreed settlement of unsecured debt of any amount; and • Personal Insolvency Arrangement (“PIA”) for the agreed settlement of secured debt up to €3 million and unsecured debt of any amount. The 2012 Act also provided for the establishment of the ISI to operate the new insolvency arrangements and reformed the Bankruptcy Act 1988. For further information, see our earlier briefings here and here. Despite these reforms, difficulties faced by mortgage holders in arrears continued to be the focal point of public and political concern. In July 2014 the Joint Committee on Finance, Public Expenditure and Reform published a “Report on Hearings on Matters Relating to Mortgage Arrears Resolution Processes” in which it recommended, among other things, a review of the 2012 Act to mitigate against the “refusal of some financial institutions to engage in writedown of secured debt”. It also recommended that provision be made to ensure that people are not denied access to insolvency solutions due to lack of money. Subsequently, on 13 October 2014, the Personal Insolvency Act 2012 (Prescribed Fees) (No 2) Regulations 2014 was signed, which waived fees payable to the ISI in respect of any application made after that date and on or before 31 December 2015. On 21 October 2014 the Personal Insolvency (Amendment) Bill 2014 (“2014 Bill”) was published for the purpose of making a number of relatively technical amendments to the 2012 Act. However, the 2014 Bill was amended shortly before being signed into law on 28 July 2015 to provide for, among other things, the introduction of a new court review procedure with the objective of ensuring a better balance between the interests of secured lenders and the interests of those facing unsustainable mortgages. This followed a Government announcement in May 2015 that it had agreed a number of new measures to support mortgage holders in arrears including the reform of the personal insolvency framework. articles Financial Services Regulatory Group Bulletin in this issue: 5 | mccann fitzgerald ¼ november 2015 articles The 2015 Act The 2015 Act makes a number of significant changes to the 2012 Act affecting both the PIA and the DRN. It also increases the powers of the ISI as well as making a number of technical amendments. Court review of proposed Personal Insolvency Arrangements (PIA) Under the 2012 Act, a Personal Insolvency Practitioner (“PIP”) may, with the debtor’s consent, call a creditors’ meeting to vote on the proposal for a PIA. For the PIA to be approved, a majority of creditors, representing not less than 65% of the total amount of the debtor’s debts due to the creditors participating in the meeting and voting, must vote in favour of it including 50% each of secured and unsecured creditors. While under the 2012 Act creditors may challenge the coming into effect of the PIA in court, that Act does not provide for a review or appeal on the part of the debtor where the creditors’ reject the PIA. The 2015 Act changes this by introducing a new review procedure which is based on the examinership approval process. Examinership is a statutory scheme for the rescue of ailing, but potentially viable, companies which involves placing the company under the protection of the court for a limited period whilst its affairs are investigated by an examiner to see whether the company is capable of being rescued. The new review procedure applies where the proposed PIA includes a “relevant debt”, namely a debt secured on the debtor’s principal private residence that was in arrears on 1 January 2015 (or is a restructure of arrears from before that date). In such cases, where the creditors have rejected a proposed PIA and the PIP considers that there are reasonable grounds for doing so, he or she may make an application to the court for an order confirming the proposed PIA’s coming into effect. This application is made on notice to each creditor, the debtor and the ISI. Following a public hearing, the court may then proceed to make the order approving the PIA, once satisfied that a number of requirements are fulfilled. As mentioned above, the purpose of the new procedure is to ensure a better balance between creditors’ interests on the one hand and those of the mortgage holder on the other. Consequently, as in the case of an examinership, and with the exception of situations where there is only one creditor, there must be some level of creditor support for the proposed PIA. In this respect, the 2015 Act provides that before making the order, the court must be satisfied that at least one class of creditors has accepted the proposed PIA, by a majority of over 50% of the value of the debts owed to the class. The 2015 Act defines a class of creditor as either one creditor, or a number of creditors that the court considers to have interests or claims of a similar nature, in relation to the debtor. There is no requirement for creditor support in sole creditor situations. The court must also be satisfied that: • there is a reasonable prospect that the proposed PIA will enable the creditors to recover the debts due to them to the extent that the means of the debtor reasonably permit; • the proposed PIA is fair and equitable in relation to each class of creditors that has not approved the proposal and whose interests or claims would be impaired by its coming into effect; and • the proposed PIA is not unfairly prejudicial to the interests of any interested party. In addition, the court will consider the debtor’s and creditors’ conduct in the previous two years before making its order. Financial Services Regulatory Group Bulletin Update on Personal Insolvency Law (continued) in this issue: 6 | mccann fitzgerald ¼ november 2015 articles The reforms are intended to negate the socalled “bank veto”. According to the Minister for Justice and Equality, it will effectively “open up the whole PIA process to a large number of cases where up to now, no PIA proposal has even been made as it was felt that the sole creditor would never agree to a deal offering statutory protection for the borrower.” Changes to the Debt Relief Notice Only debtors with qualifying debts of €20,000 or less can avail of the existing DRN procedure. The 2015 Act increases the level of debt which may be included in a DRN to €35,000. The purpose of this amendment is to open up the relief to those who are otherwise eligible for the procedure but whose debts exceed the original limit. The Insolvency Service of Ireland The 2015 Act provides more detailed powers for the ISI in respect of promoting awareness and understanding of matters related to personal insolvency and bankruptcy and providing information and analysis of the ISI’s operation in practice. Other provisions develop the ISI’s supervisory powers regarding PIPs, in line with best practice regulatory standards. While currently the ISI has the power to intervene if there is a complaint or other reason to check for any misconduct or non-compliance by a PIP with his or her duties under the 2012 Act, it cannot carry out a routine inspection in the absence of suggested misconduct. The 2015 Act gives the ISI the power to appoint authorised officers to carry out such inspections. Other Amendments Under the 2012 Act, the debtor’s proposal for a DSA or PIA, as the case may be, must be approved by “a majority of creditors representing not less than 65 per cent in value of the total of the debtor’s debts”. The 2015 Act clarifies that it is sufficient if the debtor’s proposal is accepted by creditors representing 65% in value of the debt, even if this does not constitute an overall majority of creditors. The 2015 Act also provides for more detailed procedural provisions for creditor meetings. These include, in particular, new provisions dealing specifically with two alternative scenarios, namely where: • only one creditor is entitled to vote at the meeting (that creditor is entitled to notify his/her decision without being required to hold a meeting); and • a creditors’ meeting is held but no creditor votes (leading to the proposal being deemed to have been accepted). Comment and Next Steps While the new power for the courts to make an order confirming a proposed PIA strengthens the debtor’s position, the 2015 Act also contains a number of significant protections for creditors. In this respect, it appears to successfully balance the need to ensure the effectiveness of the PIA procedure for debts involving mortgage arrears, and creditors’ legitimate interest in recovering as much of the debt as possible. Part of the 2015 Act has already been commenced with effect from 29 September 2015, including the provisions relating to the increase in the ceiling for a DRN; and the strengthened powers for the ISI. The remaining provisions require changes to the relevant Circuit and High Court rules before they can take effect. These include the new provision allowing a debtor to seek review by the Circuit Court where creditors have rejected a proposed PIA which includes the home mortgage. Work is well advanced on the revised Court Rules, and the second Order is expected to be signed as soon as these are in place. Financial Services Regulatory Group Bulletin Update on Personal Insolvency Law (continued) in this issue: Remuneration and Proportionality - What Next? articles The two CRD IV consultations were published by the European Banking Authority (“EBA”) and the European Commission respectively. The EBA’s consultation on Draft Guidelines on Sound Remuneration Policies (“CRD IV Draft Guidelines”) has proved particularly controversial, largely because of the revised approach to the application of the proportionality principle set out in those Guidelines. The European Supervisory and Markets Authority (“ESMA”) published the third consultation on Guidelines and sound remuneration policies under the UCITS Directive and AIFMD (“UCITS Draft Guidelines”). In contrast to the EBA’s proposed approach, ESMA has confirmed that proportionality can continue to be used as a basis for disapplying the requirements relating to the pay-out process set out in the UCITS Directive and AIFMD. CRD IV Remuneration Currently, the principal remuneration requirements applicable to banks and most MiFID investment firms (“Institutions”) are set out in the European Union (Capital Requirements) Regulations 2014, which transpose the EU’s Capital Requirements Directive (“CRD IV”) into Irish law. The European Commission is required to review and report on the application of these remuneration rules by 30 June 2016. Remuneration under CRD III Prior to CRD IV’s implementation, Institutions were subject to the remuneration requirements set out in Directive 2010/76 (“CRD III”). Among other things, CRD III provided that Institutions should apply the remuneration requirements proportionately, namely in a manner that is appropriate to their size, internal organisation and the nature, scope and complexity of their activities. In 2010, the EBA’s predecessor, the Committee of European Banking Supervisors, published Guidelines on Remuneration Policies and Practices in relation to the CRD III requirements (the “CEBS Guidelines”). The CEBS Guidelines expand on the potential consequences of applying the proportionality principle, explaining that its application may in some circumstances lead to the neutralisation of the requirements on the pay-out process, if this is reconcilable with the relevant Institution’s risk profile, risk appetitive and strategy. CRD IV Remuneration CRD IV came into effect on 1 January 2014. It introduced a number of changes to the CRD III requirements on remuneration policies and variable remuneration, including; the introduction of a limitation on the ratio between the variable and fixed components of remuneration to 100% (or 200% with shareholders’ approval)(“bonus cap”); stricter requirements regarding the application of malus and clawback; and requirements to pay out variable remuneration in other instruments where possible. Despite these changes, the CEBS Guidelines continue to apply to the CRD IV requirements. 7 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin Remuneration is firmly on the financial services agenda for the next couple of months, following the publication of no fewer than three consultations on remuneration over the last number of months. Two of these consultations concern the remuneration requirements under CRD IV while the third focuses on the UCITS Directive and the Alternative Investment Fund Managers Directive (“AIFMD”). in this issue: Remuneration and Proportionality - What Next? (continued) articles CRD IV Draft Guidelines On 4 March 2015 the EBA published a consultation paper on CRD IV Draft Guidelines which takes into account the changes introduced by CRD IV as well as an EBA opinion and annexed report on the use of allowances. The approach to proportionality set out in the CRD IV Draft Guidelines represents a sea-change as compared to the current approach. According to the EBA, as the terms of CRD IV do not explicitly grant a right to neutralise the proportionality requirements, in its “preliminary assessment”, “a full waiver of the application of even a limited set of remuneration principles for smaller and non-complex institutions would not be in line with the CRD”. The European Commission has confirmed this interpretation of the remuneration requirements, at the EBA’s request. Consequently, under the CRD IV Draft Guidelines, all Institutions must implement each of the remuneration requirements and it will no longer be possible to neutralise those applicable to the pay-out process. Nor will it be possible to apply proportionality to the bonus cap. Proportionality will only be relevant for the purpose of determining the possible manner and degree to which to apply the relevant CRD remuneration principle. For example, when applying specific principles such as those relating to deferral or vesting, the extent of compliance cannot fall below the figure set out in the principle (ie, 40% deferral over three years), but more complex, larger institutions will need to comply to a greater extent (by deferring more than 40% over five years or more). The new approach to proportionality will apply not only to Institutions, but to all firms that are subsidiaries of CRD IV banking or investment groups, including subsidiaries established in third countries belonging to a group established in a Member State. The Commission’s Consultation The Commission published its consultation on CRD IV remuneration on 22 October 2015. Under Article 161(2) of CRD IV, the Commission is required to review and report on the application and impact of the CRD IV remuneration rules by 30 June 2016, and the consultation forms part of that review process. The purpose of the consultation is to obtain information and views from stakeholders regarding the possible impact of the bonus cap (referred to as the ‘Maximum Ratio Rule’) on: (i) competitiveness, (ii) financial stability, and (iii) staff in nonEEA countries. It also seeks stakeholders’ views on the overall efficiency of the CRD IV remuneration provisions. The consultation closes on 14 January 2016. Remuneration under UCITS and AIFMD AIFMs have been subject to the remuneration requirements set out in the European Union (Alternative Investment Fund Managers) Regulations since 16 July 2013. Shortly prior to that date, on 3 July 2013, ESMA published its Guidelines on sound remuneration policies under AIFMD. Those AIFMD Guidelines specifically recognise that Alternative Investment Fund Managers (“AIFMs”) may disapply the payout process requirements set out in AIFMD, if it is proportionate to do so. 8 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: Remuneration and Proportionality - What Next? (continued) articles While currently UCITS Managers are not subject to equivalent remuneration requirements, this is set to change. Specifically, the so-called UCITS V Directive, contains remuneration requirements which are largely the same as those set out in AIFMD; it must be transposed by Member States into national law by 18 March 2016. In anticipation of UCITS V’s transposition, ESMA published a consultation on the UCITS Draft Guidelines last July. In that consultation, ESMA proposes an approach to proportionality which is line with the AIFMD Remuneration Guidelines and allows for the disapplication of the pay-out process requirements on a proportionality basis. In its consultation, ESMA explains that in providing for this approach to proportionality it took into account the EBA’s proposed approach under CRD IV. According to ESMA, it is possible to read the relevant remuneration provisions in the UCITS Directive as envisaging the disapplication of some of the remuneration requirements on a proportionality basis. Moreover, the different nature of UCITS compared to credit institutions and the relatively diverse nature of the UCITS sector “could justify a different approach to proportionality”. Regarding UCITS Managers which are subsidiaries of Institutions, the UCITS Draft Guidelines endorse the EBA’s approach. According to those Guidelines, certain staff of a UCITS management company that is part of a group, may be considered to be subject to whatever sectoral remuneration requirements are applicable at group level. The UCITS Draft Guidelines then go on to consider the simultaneous application of different sectoral rules to an individual staff member. According to those Guidelines, where an individual performs services which are subject to different sectoral remuneration requirements then these should be remunerated either: • based on the activities carried out and on a pro rata basis; or • where there is a conflict between different sectoral remuneration principles, by applying those principles which are deemed more effective for discouraging excessive risk-taking and aligning the interests of the relevant individuals with those of the investors in the funds they manage. Comment The publication of no fewer than three consultations on financial services remuneration requirements demonstrates that there is still much disagreement and uncertainty regarding the existing remuneration rules, and, indeed, regarding the broader issue as to the extent to which remuneration should be regulated. The divergence between the EBA’s proposed approach and that of ESMA is particularly striking. The UCITS V Directive explicitly instructs ESMA and the EBA to cooperate in developing remuneration guidelines, “in order to ensure consistency with requirements developed for other financial services sectors, in particular credit institutions and investment firms.” The adoption of two different approaches to proportionality under CRD IV on the one hand, and UCITS and AIFMD on the other, would clearly run counter to the goal of ensuring such consistency. The relationship between the CRD IV Draft Guidelines consultation and the Commission’s review and report on the CRD IV remuneration requirements is unclear. As mentioned, according to the EBA, the CRD IV Draft Guidelines are to apply from 1 January 2016. However, the wisdom of introducing such a dramatic change to the existing remuneration requirements, or at least the way in which these have been understood and applied, when a review of these requirements is imminent appears, at least, questionable. 9 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: Cyber-security in Financial Services - A Governance Issue articles While traditionally viewed as a matter for IT, ensuring cyber-security is in reality a responsibility of a financial institution’s (“Institutions”) board of directors (“Board”). As explained by the Central Bank of Ireland (the “Central Bank”) in a “Dear CEO Letter” dated 22 September 2015, the Board must “develop a culture of security and resilience throughout the firm and ensure that the firm has the necessary plans in place to deal with both internal and external cyber-security breaches.” The key question for the Board, therefore, is how best to approach this task. Introduction Over the past number of years, cybersecurity has become a central focus of concern for board members and C-suite executives. This is at least partially attributable to well-publicised cybersecurity attacks, many of which have involved Institutions in the financial services sector, either directly or indirectly. Banks and insurers face a daily onslaught of cyber attacks from a range of external sources including terrorists, government agencies, cyber criminals and activists. They are also vulnerable to internal attacks from their own staff as well as from staff of their delegates and third party providers. The increasing number of attacks in the financial services sector has raised concerns regarding that sector’s vulnerability to cyber attacks and their potentially devastating consequences at institutional level, including business disruption, a significant and adverse impact on profits and severe reputational damage. In a report issued at the end of September, Standard & Poors warned that in the future, lenders may see their ratings cut if they fail to sufficiently protect themselves against cyber attacks, or sustain a particularly damaging breach. Cyber attacks also raise systemic issues. The financial system depends on the collective operational resilience of the various Institutions and financial market infrastructures that participate in that system. By incapacitating one or more of these Institutions or infrastructures, a successful cyber attack could have a disruptive effect across the entire financial system. Moreover, because of the interconnected nature of IT systems, a successful cyber attack on one Institution could have wide-spread repercussions for other Institutions. The systemic implications of a cyber attack have prompted several commentators to suggest that such attacks could prompt the next financial crisis. During the course of 2015, the Central Bank carried out a thematic inspection in relation to Cyber-security/Operational risk. Following on from this, on 22 September, it wrote a “Dear CEO Letter” in which it outlined examples of best practice in dealing with cyber-security risks (“Best Practice Guide”), as well as a self-assessment questionnaire for firms regarding their cyber-security capabilities ( the “Questionnaire”). For further information, see our related briefing here. 10 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin October was “European Cyber-security Awareness Month”, a time when individuals, businesses and other organisations are invited to reflect on how best to protect their networks and data from cyber threats. For the financial services sector, however, cyber-security awareness is increasingly becoming a year round priority. This is largely been driven by a growing realisation on the part of both financial institutions and regulators of the potentially devastating consequences of a cyber-security breach not only for the individual financial institution but for the entire financial system. in this issue: Cyber-security in Financial Services - A Governance Issue (continued) articles The Central Bank’s “Dear CEO Letter” follows on from a “Dear CEO Letter” of July 2015, in which the Central Bank emphasised to investment fund boards the need for delegate oversight and the importance of specific reporting by delegates at board meetings on the policies and procedures in place to counter cyber attacks. Corporate Governance and Cyber-security The Corporate Governance Code for Credit Institutions and Insurance Undertakings includes a requirement that the Board understands the risks to which an Institution is exposed and establishes a documented risk appetite which is reflected in the Institution’s risk management system and internal controls. It is clear from the “Dear CEO Letter”, that the Central Bank views the Board as playing a central role in ensuring cyber-security. It is also clear from that letter and the accompanying documents, that the central components of an effective cyber-security strategy are: top-down commitment; effective risk-based approach; appropriate policies; third party due diligence; communication, training and guidance; monitoring and review; and critical response strategy. Top-down Commitment: the Board has primary responsibility for ensuring that the relevant Institution’s cyber-security needs are met including; identifying protection priorities, ensuring that appropriate polices and procedures are put in place and rolled out to staff; and that contingency plans are in place in the event of a successful cyber attack. According to the Best Practice Guide, cyber-security should be a standing agenda item for discussion at Board meetings. The Board should also consider the appointment of a Chief Information Officer, or, if this is not possible, task a Board member with responsibility for cyber-security agenda items. The Board should ensure that there is a clear reporting line to the Board for cybersecurity incidents. Risk-based Approach: each Institution should ensure that its cyber-security measures focus; a) on protecting its most important assets, and b) on meeting the key cyber-security threats to those assets. Consequently, one of the first steps in ensuring cyber-security is identifying the Institution’s most important assets (eg, employees, customers, property or information), where they are located and how they are protected. Once those assets are identified, an Institution must identify potential threats and vulnerabilities to those assets and consider how best to counter them. While the measures necessary to combat cyber risk are largely similar to other types of risk measures, the nature of cyber risk is different in some fundamental respects. In particular, there are multiple sources of cyber risk, representing different threat levels, some of which may be persistent. In addition, the nature of cyber risk is constantly and rapidly evolving and risk analysis must keep pace with the increasingly sophisticated and changing tactics employed by cyber actors. 11 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: articles Appropriate Policies: an Institution should put in place an appropriate cyber-security policy explaining its rules regarding the protection of its assets, including identifying those assets and any threats to them. The policy should also describe the user’s responsibilities and privileges, including any user limitations as well as detailing procedures for responding to cyber-security threats and breaches. In addition, the policy should set out the sanctions for violating the policy. According to the Best Practice Guide, Institutions should have appropriate processes in place to verify the legitimacy of all requests, such as redemption requests, change of bank account details, etc, received via all means of communication. Third Party Due Diligence: within the financial services industry, third parties provide and enable an increasing number of both core and operational services. However, cyber-security threats frequently arise from vulnerabilities up or down the supply chain, including in subcontractors or suppliers. According to a recent survey, while employees remain the most cited source of compromise incidents, business partners were responsible for 22% of such incidents. In order for an Institution to maintain oversight and fulfil its responsibilities, it must have in place and maintain a robust and effective third party risk management programme that encompasses all aspects of risk and the different stages and types of third party relationships. The Best Practice Guide states that an Institution should satisfy itself that the cyber-security standards of the vendors/ third parties it utilises are comprehensive in that they minimise direct impact on the Institution, should the third party be subject to a cyber-security attack. An Institution should also require its vendors/ third parties to notify it immediately of any (material) attacks and all breaches and may wish to consider agreeing in advance who is responsible for what, in the event of a critical incidence occurring. Communication, Training and Guidance: instilling a culture of cyber-security throughout an Institution is probably the single most important element in an effective cyber-security strategy, more so than any single technology or process improvement. An Institution must effectively communicate its cyber-security policies and procedures to all staff and other relevant parties, including through the provision of training and guidance. When carried out effectively, communication and training should turn staff into the Institution’s strongest line of defence, instead of its weakest link. Monitoring and Review: an Institution must constantly monitor its cyber-security policies and practices and keep them under review. As mentioned above, one of the particular challanges posed by cybersecurity is that cyber threats are constantly evolving and adapting and Institutions will need to ensure that their policies and practices are kept up-to-date to reflect this. 12 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin Cyber-security in Financial Services - A Governance Issue (continued) in this issue: articles Institutions must also be able to detect cyber-security attacks and breaches. Again this presents specific issues in the case of cyber-security as cyber intrusions may be particularly difficult to detect: in some instances victims are unaware that they have been targeted until months or years later. Moreover, once detected, locating the breach on a network can take a long time. While there are a number of detection tools available that may assist in detecting a cyber-security breach, to remain effective, these tools and associated processes must be regularly upgraded to enable continuous monitoring and real-time detections of constantly evolving threats. In its Best Practice Guide, the Central Bank states, that in order to discover vulnerabilities, firms should consider engaging the services of an external specialist to carry out a penetration test of their systems, preferably annually. According to that Guide, Institutions should also consider joining a threat information sharing forum to ensure that they are kept up to date on cyber threats. Critical Response Strategy: in many respects a cyber breach is less of a risk and more of a certainty. Institutions should accept that breaches are inevitable and develop and test response plans which take into account the different types of potential cyber attack. They should also ensure that they report any successful breaches of their systems or substantial attacks to the Central Bank as well as to relevant data protection agencies. Conclusion As is clear from the Central Bank’s “Dear CEO Letter”, cyber-security is a key element of effective risk management and falls directly within the Board’s remit. While cyber-security presents a number of specific challenges, the overall requirements and objectives are clear. Specifically, the Board must ensure that cyber-security is one of the fundamental building blocks of an Institution’s processes and activities so that those processes and activities cannot be circumvented, removed or defeated. While the Central Bank’s clear concern surrounding the issue of cyber-security is reason enough to ensure that the Board takes its responsibilities in this area seriously, in reality the real threat comes from the potentially devastating nature of a cyber-security attack for the relevant Institution, their business partners and the financial system itself. Boards need to take note and put in place measures to ensure that cyber-security is embedded throughout the Institution so that it becomes part of its DNA. 13 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin Cyber-security in Financial Services - A Governance Issue (continued) in this issue: Capital Markets Union: Implications for Banking articles The Action Plan recognises that banks will play a central role in the CMU with bank lending continuing to be the main source of funding for many businesses, alongside capital markets. Accordingly, it outlines a number of key measures designed to enhance the capacity of banks to lend, including: • revitalising simple, transparent and standardised (“STS”) European securitisations to free up capacity on banks’ balance sheets and provide access to investment opportunities for long term investors; and • assessing whether and how to build a pan-European covered bond framework. The Action Plan also seeks to ensure an appropriate regulatory environment for long term and sustainable investment and financing of Europe’s infrastructure. This includes: • revising Solvency II calibrations to better reflect the true risk of infrastructure investment, followed by a review of the treatment under the Capital Requirements Regulation for bank exposures to infrastructure; and • assessing the cumulative impact of previous regulatory reforms to ensure coherence and consistency. Securitisations Since the beginning of the financial crisis, European securitisation markets have remained subdued: the current issuance level of SME securitisations is roughly half the amount prior to the crisis (€77 billion in 2007 compared with €36 billion in 2014). According to the Commission, this slow recovery reflects concerns among investors and prudential supervisors about the risks associated with the securitisation process itself. In contrast, while US securitisation markets suffered much larger losses during the financial crisis, they have experienced a stronger recovery, mainly because of strong public guarantees for securitisation instruments and correspondingly lower capital charges for banks investing in those products. The Commission sees the development of a STS securitisation market as one of the central CMU building blocks. According to the Commission, securitisation is an effective mechanism to transfer risks from credit institutions to non-credit institutions, thus increasing the former’s capacity to lend and helping to channel non-credit institution financing towards the working capital of companies. As part of its CMU Action Plan, the Commission published: • a proposal for a Regulation laying down common rules on securitisation and creating a European Framework for simple, transparent and standardised securitisation (the “STS Regulation”); and • a proposal for a Regulation amending the Capital Requirements Regulation, (the “CRR Amending Regulation”). 14 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin The Capital Markets Union (“CMU”) is a major European Commission initiative designed to tackle fragmentation and market inefficiencies. The CMU was initially launched on 18 February 2015 and the next stage kicked off at the end of September with the publication of the Commission’s Action Plan on Building a Capital Markets Union (“Action Plan”). in this issue: Capital Markets Union: Implications for Banking (continued) articles The STS Regulation The STS Regulation applies to institutional investors becoming exposed to securitisations and to originators, original lenders, sponsors and securitisation special purpose entities. It has two main parts, the first of which applies to all securitisations and the second of which applies specifically to STS securitisations. The proposal also amends certain provisions of the Capital Requirements Regulation and the Solvency II Directive and repeals provisions of the UCITS Directive and the Alternative Investment Fund Managers Directive. The first part establishes due diligence, risk retention and transparency requirements for parties involved in all securitisations. Among other things, it requires an originator, sponsor or original lender to retain a material net economic interest of 5% in the securitisation on an ongoing basis. Investors must carry out due diligence assessments commensurate with the risks involved in the securitisation, including assessing the risk characteristics of the individual securitisation position and the securitisation’s structural features that can materially impact on performance. They must also put in place appropriate internal procedures to monitor ongoing compliance with the due diligence requirements and the performance of the securitisation position and the underlying exposures. The STS Regulation imposes a number of transparency requirements on securitisations and their underlying exposures, to allow investors access to all relevant information. The second part establishes criteria for two types of STS securitisations that, respectively, apply to long and short term (including ABCP) securitisation. The STS Regulation groups requirements in terms of simplicity, standardisation and transparency. Primary responsibility for ensuring compliance with this criteria lies with originators and sponsors. Investors are expected to perform appropriate due diligence before investing in STS securitisations. The STS Regulation also provides for appropriate supervisory oversight, cross border supervisory coordination and a sanctioning mechanism. CRR Amendment Regulation The purpose of the proposed CRR Amending Regulation is to make the capital treatment of securitisations for banks and investment firms more risksensitive and better able to reflect the specific features of STS securitisations. As the prudential treatment of securitisations for insurers is laid down in level 2 texts, these will be adjusted in the future. The same applies to banks and investment firms as regards the prudential treatment for liquidity purposes which is included in a Delegated Act that will be amended at a later stage. Covered Bonds The regulation of covered bonds as a debt instrument is currently primarily a matter for Member States’ national laws, the majority of which have implemented dedicated legislation. These laws set out a more or less extensive set of requirements on a variety of subject matters, such as: (i) the authorisation of credit institutions as licensed covered bond issuers; (ii) special public supervision of the issuer and the cover pool and monitoring of the latter; (iii) types of eligible cover assets and certain minimum qualitative standards applicable to those; (iv) segregation of the cover pool upon insolvency of the issuer; and (v) standards of disclosure to investors on the cover pool. 15 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: Capital Markets Union: Implications for Banking (continued) articles In 2014 the European Banking Authority (“EBA”) published a “Report on EU Covered Bond Frameworks and Capital Treatment”, which provides a detailed account of the similarities and differences between the covered bond laws of the Member States. Differences in the covered bond laws relate to, for example, the supervisory system; cover pool features; measures to manage mismatch between cover assets and liabilities and transparency requirements. The EBA’s Report also points to “best practices” in national covered bond laws and covered bond supervision that it has identified within the range of practices that exist across Member States. The consultation document outlines two reform options. One option is to leave the current balance of competences unchanged but encourage greater convergence in covered bond laws through voluntary, non-legislative coordination measures. To this end, the Commission could issue recommendations to Member States to implement the EBA’s best practices in their national legal frameworks. The second option involves the establishment of a dedicated EU covered bond legislative framework which would regulate covered bonds as a legal instrument. According to the Commission, the framework could include provisions on the following high level elements: • covered bond definition and protection of the term; • covered bond issuers and system of public supervision: – issuer models and licensing requirements; – on-going supervision and cover pool monitoring (pre-insolvency); – the European Central Bank’s role in relation to covered bond issuance of credit institutions falling with the scope of the Single Supervisory Mechanism. • dual recourse and insolvency/resolution regime; – definition of dual recourse principle (this essentially ensures that the bondholder has a direct claim against the cover pool on an absolute priority basis upon default of the issuer); – segregation of the cover assets, including through the use of Special Purpose Vehicles; and – administration and supervision of the cover pool (post-insolvency). The consultation also seeks views on the use of covered bond structures on the back of SME loans. The deadline for comments to the consultation document is 6 January 2016. Revision of Solvency II On 30 September 2015 the Commission adopted a Delegated Regulation amending the Solvency II Delegated Regulation 2015/35 (“Amending Regulation”). It has also published separately Annexes 1 to 3 to the Amending Regulation and a factsheet. The Amending Regulation introduces a specific treatment in the solvency capital requirements for infrastructure investments, which are investments in special purpose entities that own, finance, develop or operate infrastructure assets that provide or support essential public services. 16 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: Capital Markets Union: Implications for Banking (continued) articles It also extends to European Long-term Investment Funds the existing provisions regarding the specific treatment of European Venture Capital Funds and European Social Entrepreneurship Funds set out in the Solvency II Delegated Regulation. If neither the Council of the EU or its Parliament object to the Amending Regulation within the prescribed timeframe it will be published and enter into force. The Commission intends for the Amending Regulation to be in place as soon as possible. EU Regulatory Framework for Financial Services As part of its CMU Action Plan, the Commission published a call for evidence to gather feedback on the combined impact of financial services legislation and whether the new legislative framework gives rise to any unintended consequences. In particular, the Commission is seeking evidence as to whether: • the existing rules achieve the right balance in promoting financial stability and investor protection or whether they unduly discourage long-term investment and sustainable growth; • the burdens imposed by EU legislation are commensurate with the intended policy objectives of that legislation; • there are any duplications, inconsistencies, regulatory gaps, loopholes and/or lack of proper enforcement at national level; and • rules to discourage excessive risk-taking or to de-risk the financial system may give rise to unintended consequences such as regulatory arbitrage or increasing procyclicality. According to the Commission, the results of the call for evidence should help build a clearer overview of the situation in the EU. The Commission is also currently carrying out a number of individual reviews of financial services legislation, (eg, under the Capital Requirements Regulation and regarding EMIR derivative rules). Next Steps The CMU Action Plan envisages a number of other measures which are likely to have implications for banking. In particular, by the end of 2015, the Commission will publish a Green Paper on retail financial services and insurance that will seek views on how to increase choice, competition and the cross-border supply of retail financial products, as well as the impact of digitalisation on retail financial services. It is expected that the paper will address a range of issues, including mortgages, loans, payments, savings accounts and other retail investments with a view to soliciting responses on the creation of a fully functional and competitive Single Market for retail financial services. See our previous briefing on the CMU, here. 17 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin in this issue: articles 18 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin News from the Courts: The Code of Conduct on Mortgage Arrears and FSO Appeals The Code of Conduct on Mortgage Arrears (CCMA) The CCMA applies to all regulated mortgage lenders operating in the State when dealing with borrowers facing or in mortgage arrears on their primary residence, including any mortgage lending activities outsourced by these lenders. According to the Central Bank, it is intended “to ensure that borrowers struggling to keep up mortgage repayments are treated in a fair and transparent manner by their lender, and that long term resolution is sought by lenders with each of their borrowers”. The CCMA requires mortgage lenders to adopt specific procedures when dealing with borrowers facing or in mortgage arrears. Among other things, it imposes a moratorium period during which a financial institution is precluded from commencing repossession proceedings as well as provisions regarding communications with borrowers and an assessment of the borrower’s financial circumstances. The Central Bank has the power to enforce the CCMA and to pursue non-compliance on the part of regulated financial institutions. The CCMA and Repossession Orders The CCMA is silent on the implications for a lender who fails to adopt the procedures specified in the CCMA and seeks a repossession order against the property from the courts. While the High Court has considered this issue on a number of occasions, different judges have taken different approaches in their judgments. The issue came before the Supreme Court for the first time in the linked cases, Irish Life & Permanent PLC v Dunne and Irish Life & Permanent PLC v Dunphy [2015] IESC 46. In its judgment, the Supreme Court focused on whether requirements of public policy as gleaned from the CCMA dictated that a lender should be prevented from seeking a repossession order where it had failed to comply with the CCMA’s requirements. In considering this issue, the Supreme Court distinguished between the moratorium on the one hand, and the CCMA’s other requirements on the other. Regarding the moratorium, the Supreme Court held that it would be improper for a court to hear an application for repossession which was brought in clear breach of the moratorium. According to the Supreme Court, the moratorium’s purpose is to provide a window of opportunity in which to explore alternative solutions to the borrower’s mortgage arrears. For the Supreme Court to entertain an application for repossession in breach of the moratorium would involve the court aiding a financial institution acting in a manner which was contrary to the CCMA’s purpose or intention and facilitating the carrying out of the “very act” which the CCMA is designed to prevent. Two recent Supreme Court judgements have clarified some important issues for financial services providers (“FSPs”)and their consumers. In particular it is now clear that breach of the Code of Conduct on Mortgage Arrears (“CCMA”) will not prevent a financial institution from obtaining a repossession order from the courts, except in instances where the proceedings are brought during the moratorium period. The Supreme Court has also set out the criteria to be applied to applications for leave to appeal from a High Court decision upholding or rejecting an appeal from the Financial Services Ombudsman (“FSO”). in this issue: articles 19 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin In contrast, regarding the CCMA’s other requirements, the Supreme Court observed that there is nothing in the CCMA to suggest that the legislature intended to give the courts a role in determining whether or not those requirements are fulfilled. It also remarked that had the Oireachtas wished to confer a wider jurisdiction on the courts in the context of repossession cases, then it should have done so clearly and within clearly defined parameters. Consequently, the Supreme Court held that breach of these other requirements will not prevent the creditor from seeking a repossession order. Conclusion The Supreme Court’s confirmation that breach of the CCMA will not affect a creditor’s entitlements to a repossession order, except in the case of the moratorium, is a welcome clarification of the potential consequences of such a breach. Nevertheless, as breach of the CCMA may lead to regulatory sanctions, creditors should still comply with its requirements, and carefully document that compliance. The Financial Services Ombudsman (FSO) The FSO’s primary role is to deal with complaints made by eligible consumers about the conduct of regulated FSPs. Parties can appeal the FSO’s decision to the High Court. The High Court’s decision can in turn be appealed to the Court of Appeal, under section 57CM(4) of the Central Bank Act 1942, as amended. However such appeals can only be on a point of law and are subject to the relevant party obtaining leave to appeal from either the High Court or the Court of Appeal. Prior to the establishment of the Court of Appeal, the Supreme Court dealt with High Court appeals. In Governey v FSO [2015] IESC 46, the Supreme Court considered, for the first time, the criteria to be applied for applications for leave to appeal from a High Court decision. That case concerned a complaint about an investment product offered by what was then Anglo Irish Assurance Company Ltd (“Anglo”) in the form of a life assurance policy. The investment proved to be unprofitable, and Mr Governey complained that Anglo had acted unlawfully in failing to disclose certain material facts regarding the investment. This complaint was rejected by the FSO and, on appeal, by the High Court. Mr Governey then sought, and was refused, the High Court’s leave to appeal its decision on a point of law. Consequently, Mr Governey made a new application for leave to the Supreme Court. In its judgment, the Supreme Court considered the criteria to be met when applying for leave to appeal from a High Court decision. It also made some observations regarding the standard of deference the courts should show to the FSO’s decisions and commented briefly on the FSO’s procedures in cases involving the establishment of legal rights and obligations. Leave criteria The Supreme Court held that in order for leave to be granted, it is sufficient for the applicant to show a stateable case. According to the Supreme Court, as there is a constitutional right of appeal any restrictions or exclusions on that right must be strictly interpreted. As section 57CM(4) does not specify any particular criteria by which leave should be granted or refused, then the courts should not imply a higher criteria than a stateable basis for appeal. News from the Courts: The Code of Conduct on Mortgage Arrears and FSO Appeals (continued) in this issue: articles 20 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Bulletin Moreover, the same standard should apply irrespective of whether the initial application for leave is made to the Supreme Court or an application for leave has already been made and refused by the High Court. The Supreme Court observed that there is nothing in the legislation which suggests a second leave application is, in any way, a form of appeal or review of the High Court’s decision. Consequently the higher court should reach its own conclusion as to whether or not there is a stateable basis for suggesting that an appeal on a point of law might succeed. While the Supreme Court should give all proper consideration to the views of the High Court when making its determination, it should not depart from its own independent task of determining whether a stateable basis for appeal has been established. Degree of deference In considering Mr Governey’s case in the High Court, Hedigen J took the view that the Court could only interfere with the FSO’s decision on appeal if, taking the adjudicative process as a whole, “the decision was vitiated by a serious and significant error or series of errors”. He noted that this test required the Court to adopt “a deferential standard” as regards the FSO’s expertise and specialist knowledge. For its part, the Supreme Court suggested a more nuanced approach. It observed that the issues that the FSO is empowered to investigate and the range of remedies it can impose go far beyond the type of cases which can be brought before the courts. However, there is an overlap between the two as the FSO’s remit potentially includes cases involving the determination of legal rights and obligations, cases which the FSO is empowered but not obliged to determine. The Supreme Court considered it arguable that in cases involving the determination of legal rights and obligations, a court is not bound to show any particular degree of deference to the FSO’s decisions. In contrast, it observed that there may well be a case for affording deference when the FSO finds a complaint to be substantiated in circumstances where there has been no breach of the complainant’s legal entitlements. FSO Procedures The Supreme Court noted that, from time to time, issues have arisen regarding the FSO’s procedures for investigating complaints, and the extent to which those procedures should mirror those of a court. According to the Supreme Court, if the FSO chooses to exercise its entitlement to resolve disputes which are fundamentally legal cases between a complainant and a financial institution, then it may well enjoy reduced flexibility in the conduct of those proceedings, and that task may “carry with it many obligations as to the manner in which those proceedings (…) are conducted”. Conclusion The Governey case has settled the criteria to be applied by the High Court and the Court of Appeal (as the Supreme Court’s successor), in considering whether to grant leave to appeal from a High Court decision on an appeal from the FSO. It also raises interesting points regarding the degree of deference which the courts will show to FSO decisions and the conduct of the FSO’s proceedings in certain cases. These issues are likely to be considered on a more formal basis at the substantive hearing of the appeal, but may already impact on the considerations of potential appellants. News from the Courts: The Code of Conduct on Mortgage Arrears and FSO Appeals (continued) in this issue: 21 | mccann fitzgerald ¼ november 2015 Financial Services Regulatory Group Adrian Farrell Partner, Banking & Financial Services ddi +353-1-607 1312 email [email protected] mccannfitzgerald.ie Darragh Murphy Partner, Banking & Financial Services ddi +353-1-607 1433 email [email protected] mccannfitzgerald.ie Ambrose Loughlin Partner, Head of Financial Services Regulatory Group ddi +353-1-607 1253 email [email protected] mccannfitzgerald.ie Fergus Gillen Partner, Head of Banking & Financial Services Group ddi +353-1-611 9146 email [email protected] mccannfitzgerald.ie Peter Osborne Consultant, Banking & Financial Services, Corporate ddi +353-1-611 9159 email [email protected] mccannfitzgerald.ie Roy Parker Partner, Banking & Financial Services ddi +353-1-607 1249 email [email protected] mccannfitzgerald.ie Brian Quigley Partner, Dispute Resolution & Litigation ddi +353-1-607 1471 email [email protected] mccannfitzgerald.ie Judith Lawless Partner, Banking & Financial Services ddi +353-1-607 1256 email [email protected] mccannfitzgerald.ie Joshua Hogan Partner, Banking & Financial Services ddi +353-1-607 1720 email [email protected] mccannfitzgerald.ie Financial Services Regulatory Group Bulletin in this issue: © McCann FitzGerald, November 2015 Principal Office Riverside One Sir John Rogerson’s Quay Dublin 2 D02 X576 Tel: +353-1-829 0000 Fax: +353-1-829 0010 London Tower 42 Level 38C 25 Old Broad Street London EC2N 1HQ Tel: +44-20-7621 1000 Fax: +44-20-7621 9000 Brussels 40 Square de Meeûs 1000 Brussels Tel: +32-2-740 0370 Fax: +32-2-740 0371 Email [email protected] www.mccannfitzgerald.ie