Enforcement Action: E-Services and Communications Credit Union Limited fined €155,000

26 October 2018 Press Release

Central Bank of Ireland

E-Services and Communications Credit Union Limited fined €155,000 by the Central Bank of Ireland in respect of a contravention of Section 21 of Central Bank Reform Act 2010

On 24 October 2018, the Central Bank of Ireland (the “Central Bank”) imposed on E-Services & Communications Credit Union Limited (“E-Services”) a fine of €155,000 and reprimanded it for a contravention of regulatory requirements contained in Section 21 of Central Bank Reform Act 2010 (the “2010 Act”). The contravention was admitted by E-Services and the enforcement action has been concluded by way of settlement agreement between the parties.

A Fitness and Probity (“F&P”) regime for credit unions came into effect on 1 August 2013 and was implemented on a phased basis. The regime imposes regulatory standards on individuals performing influential and customer facing roles, designated ‘controlled functions’ (“CFs”). The Fitness and Probity Standards for Credit Unions (the “Standards”) have applied to all CF holders in E-Services since 1 August 2014. The regime further imposes obligations on credit unions themselves to not allow individuals to perform CFs unless they are “satisfied on reasonable grounds” that the individuals meet the Standards and have agreed that they will abide by the Standards.

The Central Bank’s investigation identified three separate breaches in relation to E-Services’ F&P requirements. Two breaches occurred over a period of three years and three months. One breach occurred over a period of three years and five months.

During these periods, E-Services failed to: 

  • Introduce adequate systems or controls to ensure full compliance with its F&P obligations;
  • Take all reasonable steps to carry out adequate F&P due diligence on individuals performing CFs; and
  • Ensure that certain employees and an outsourced internal audit service provider complied with and agreed to abide by the F&P Standards.

The breaches came to light as a result of a Themed Inspection carried out by the Central Bank. Following the inspection the Central Bank issued a Risk Mitigation Programme (“RMP”) to E-Services detailing the deficiencies identified, as well as the remedial actions required. An aggravating feature in the case was a representation made by E-Services in response to the RMP that all F&P deficiencies had been rectified, when it subsequently transpired that this was not the case.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, stated:

“Under the fitness and probity regime, financial service providers, including credit unions, are responsible for ensuring that individuals in senior positions are fit and proper, both at the time of their appointment, and on an ongoing basis.

The risks where credit unions fail to do so are significant, and misconduct by senior management in the wider credit union sector and other sectors has previously been identified and sanctioned by the Central Bank.

This is the first case against a credit union for a breach of its section 21 obligations. 

E-Services not only failed to meet its obligations under the fitness and probity regime but it represented to the Central Bank in response to an RMP that these obligations had been met, when it subsequently transpired that this was not the case.  RMPs are a key supervisory tool and the Bank must be able to rely on firms responding to them accurately. E-Services failure to do so was therefore an aggravating factor.

The fine reflects both the significance of the underlying regulatory failings, and the seriousness of misrepresenting compliance to the regulator”.

Background

E-Services is authorised as a regulated financial service provider and is registered as a credit union under the Credit Union Act, 1997. The principal activity of E-Services involves the provision of financial services to approximately 15,000 members countrywide.

In September 2016, following a thematic review, the Central Bank made E-Services aware of deficiencies in its F&P due diligence practices and instructed it to rectify the issues identified. The Central Bank issued an RMP detailing the deficiencies identified, as well as the remedial actions required. In January 2017, E-Services represented to the Central Bank that compliance with all F&P items in the RMP had been achieved.

In June 2017, the Central Bank went onsite at E-Services to conduct a further investigation and to verify the accuracy of E-Services’ RMP representations. This inspection found that, contrary to the representation made by E-Services in response to the RMP that all F&P deficiencies had been rectified, deficiencies pertained, both in terms of the due diligence conducted, and in E-Services’ systems and controls to achieve compliance with its obligations. The Central Bank accepts that this misrepresentation was not intentional.

The Central Bank acknowledges that E-Services has, since 2014, as part of a programme taken steps to improve compliance; including a review of compliance with the F&P regime.

Prescribed Contravention

The Central Bank’s investigation identified a contravention of Section 21 of the 2010 Act the details of which are set out below:

1. Due diligence deficiencies

Credit unions are required to conduct thorough due diligence to ensure that employees performing CFs comply with the Standards. This due diligence is at the heart of the F&P regime and must be conducted, both upon initial appointment, and on an ongoing basis. Strict adherence to these requirements is crucial to ensure that persons in senior positions are competent, capable, honest and ethical, have integrity and are financially sound.

For a period of three years and three months, E-Services failed to conduct the requisite level of due diligence for the ongoing assessment of CFs and PCFs.

E-Services failed to undertake adequate due diligence to evidence that certain CFs:

  1. Had the requisite professional or other qualifications and capability;
  2. Had the requisite competence and skills;
  3. Had a sound business knowledge of the Credit Union as a whole, and the specific responsibilities to be undertaken in their relevant functions;
  4. Had a clear and comprehensive understanding of the relevant legal and regulatory environment appropriate to their relevant functions;
  5. Did not have concurrent responsibilities or personal conflicts of interest;
  6. Had acted honestly, ethically or with integrity; and/or
  7. Were financially sound.

While E-Services did produce some F&P due diligence records, these were limited and inadequate for the purposes of fully demonstrating compliance with the F&P requirements.

These breaches are admitted by E-Services.

2. Failure to obtain agreements to abide by F&P Standards

E-Services could not fully demonstrate that certain employees had agreed to comply with and abide by the Standards. These breaches occurred for a period of three years and three months.

Similarly, E-Services did not demonstrate that a service provider to whom it had outsourced its internal audit function had agreed to comply with and abide by the F&P Standards.

Credit unions remain responsible for Section 21 compliance even if they enter into outsourcing arrangements with unregulated entities.

These breaches are admitted by E-Services.

3. Systems and controls deficiencies

Credit unions cannot permit individuals to perform CFs or PCFs unless they have satisfied themselves on reasonable grounds that those individuals comply with the Standards. For reasonable grounds to exist and to be capable of objective demonstration, credit unions must put in place proper systems and controls against which compliance can be monitored. 

For a period of three years and five months, E-Services did not fully implement proper systems and controls. In particular:

  1. The Credit Union introduced an F&P policy in March 2013. However, the policy:
    1. Was not sufficiently tailored to the business of E-Services;
    2. Did not sufficiently prescribe how E-Services would ensure compliance with its F&P obligations; and
    3. Did not make adequate provision for the on-going nature of E-Services’ F&P obligations.
  2. To the extent to which E-Services did put in place systems and controls, it appears that these were not always followed. In particular it appears that:
    1. Prior to November 2017, insufficient CF due diligence was conducted;
    2. To the extent to which due diligence was conducted, it was not always adequately documented;
    3. When assessing compliance with the Standards, E-Services did not always consider the specific requirements of the CFs being performed.  Further, in relation to a number of individuals who performed multiple CFs, E-Services did not assess the individuals’ compliance with the Standards in relation to each specific CF;
    4. When outsourcing a CF (Internal Audit) to a non-regulated entity, E-Services failed to document how it satisfied itself on reasonable grounds that the non-regulated entity complied with the Standards; and
    5. E-Services did not always maintain a comprehensive register listing all individuals that performed CFs.

These breaches are admitted by E-Services.

Remediation

The Central Bank is satisfied that E-Services has taken the necessary steps to rectify the deficiencies that gave rise to the breaches.

Penalty Decision Factors

The sanction imposed in this case reflects the seriousness with which the Central Bank treats the relevant contraventions and the importance the Central Bank places on compliance with the F&P regime.

In deciding the appropriate penalty to impose, the Central Bank has taken the following into account:

  • The seriousness with which the conduct is viewed, particularly in circumstances where adherence to the F&P regime is vital to ensuring that suitable individuals work in regulated entities;
  • The period of time over which the breaches occurred;
  • The prevalence of the breaches;
  • The need to impose an effective and dissuasive sanction on regulated entities;
  • The representation to the Central Bank, in response to an RMP, that all F&P deficiencies had been addressed when it subsequently transpired that this was not the case;
  • The co-operation of E-Services during the Central Bank’s investigation and in settling at an early stage in the Administrative Sanctions Procedure.

The Central Bank confirms that the matter is now closed.