Some Regulatory Priorities for 2018 – Gerry Cross, Director of Policy and Risk

30 November 2017 Speech

Central Bank of Ireland

Speech delivered to the Institute of Bankers in Ireland, Certified Bank Director Annual Seminar

Good morning Ladies and Gentlemen

I would like to thank the Institute of Bankers for the invitation to speak to you today and to give you some insight into some aspects of the regulatory and supervisory horizon as seen from the Central Bank.

My intention today is to discuss briefly, a number of topics that are looming large on our radar screen for next year. Let me mention a couple of caveats about this: Firstly, I have sought simply to identify a number of priority areas to speak about. This is not exhaustive; there are others just as important. Secondly I do so from my perspective of Director of Policy and Risk. So I don’t propose to cover, for example, the full range of supervisory priorities for next year. And although the Policy and Risk Directorate spans both the Prudential Regulation and Financial Conduct Pillars, with dual reporting lines, we do not have responsibility for consumer protection policy matters, so my remarks do not cover that aspect in any specifics.

In discussing any set of priorities for 2018, it is important to start with the core business as usual focus of delivering effective, high-quality, intrusive supervision. I can do no more than echo the words of Deputy Governor Sibley in his speech to yesterday’s Insurance Ireland conference where he said that the number one priority is to ensure that teams deliver effective, intrusive, analytical and outcomes-focused supervision. Our supervisory approach is, as you know, risk-based approach, anchored by our PRISM  supervisory methodology.

While I do not propose to focus on our tracker mortgage work in this speech, taking this work forward and delivering on our public commitments in this regard is a top priority for the bank over the coming period.


Let me first turn my attention to Brexit.

I am conscious that the Central Bank’s position has been well articulated publicly at this point.  Nevertheless, it is useful to briefly set out one or two timely observations.

As has been well documented by now, the Irish economy faces downside risks, both in the short and medium/long term, as a result of Brexit . The Central Bank estimates that in the event of no post-Brexit trade agreement being reached, after ten years Ireland’s Gross Domestic Product might be over three per cent lower than when compared to a no-Brexit scenario . Of course, the overall impact is contingent on the nature of the future relationship between the United Kingdom and European Union, with possibilities ranging from an EEA-type relationship at one end of the spectrum, where the impact would likely be more limited, to a World Trade Organization based relationship at the other, where the impact would be likely to be much more significant.

From a regulatory and supervisory perspective, a primary concern is to ensure that regulated firms in Ireland that have business models with direct or indirect exposures to the UK economy plan appropriately for the potential negative impacts of Brexit.  Therefore, the Central Bank expects regulated firms across all sectors to consider, plan and adapt to the potential implications for their business models and revenue streams.  It is the responsibility for you, as directors of regulated firms, and for your firms’ Boards, to think carefully about the potential impact of Brexit on your firm and to plan accordingly.

The Central Bank has taken a proactive approach to engaging with regulated firms in sectors where the implications of a hard Brexit are likely to be the most pronounced.  Over the past three months, the Central Bank has sent Dear CEO letters to insurance companies, LSI banks and self-managed funds and fund management companies on Brexit preparedness. In these letters, we highlighted the importance of performing—and management’s responsibility to perform—scenario analysis of the impacts of the various Brexit outcomes to their business models and of planning appropriately for each contingency.  In the letters to insurance firms and banks, the Central Bank also requested up-to-date information on the firms’ preparations and contingency plans, the responses to which are currently under review by their respective supervisory teams at the Bank.  The Central Bank will continue to actively engage with firms on Brexit as March 2019 draws nearer.

This approach parallels that taken at the European level by the SSM Joint Supervision Teams in which the Central Bank participate.   Letters were sent by the SSM Joint Supervision Teams to a number of in-scope banks, outlining the SSM Brexit Expectations and requesting detailed information on relevant aspects including activities in the UK, licensing, booking models, governance and risk management arrangements and outsourcing. The data is to be submitted for review in December.

While we are hopeful that the negotiations will lead to something other than a hard Brexit at the end of March 2019, this remains significantly uncertain. As part of our 2018 (and beyond) supervisory agenda, ensuring that regulated firms are planning effectively for this risk will remain a key focus for the Central Bank -  our expectation is that industry would continue to consider all possible outcomes and plan accordingly.

In terms of firms relocating EU activities from UK based firms, the Central Bank has outlined its approach on a number of occasions during the last number of months. This important work will remain a key focus going into 2018 and we will continue to adopt an approach of transparency, rigour and pragmatism in respect of Brexit related authorisation processes.

What this will mean of course is that the configuration of financial services firms and activities carrying on business from Ireland will expand and develop over the coming period. This will bring new challenges and responsibilities for the Central Bank as a supervisor. These are challenges that we are well positioned to meet and doing so will be an important priority for us during 2018.

As part of our approach to the challenges presented by Brexit, we have been, and will continue to be, closely engaged in the work of the European Authorities. The ECB/SSM, ESMA, EIOPA and more recently, the EBA, have all issued important guidance or opinions in relation to Brexit – we at the Central Bank have been to the fore in helping to shape and develop this guidance. As I have said before, the Central Bank strongly supports efforts at an EU level to promote supervisory convergence in the context of Brexit-related decision-making and we very much support these guidance documents and opinions, aimed at fostering consistency in the authorisation and supervision of entities, activities and functions proposing to relocate from the UK.

We and other authorities have been considering a range of issues related to Brexit, including potential cliff effects arising in the event of a hard Brexit and issues associated with the relocation of activities in a Brexit and we will continue to be engaged in this important work.

MiFID implementation

3 January 2018 will mark a significant milestone with the implementation of MiFID II.

Preparation for the “go live date” has been a key priority for the Central Bank for quite some time. In addition to our own extensive preparations, our engagement with industry to date has entailed a heat-mapping exercise, issuing a questionnaire to firms, providing keynote addresses and participating in industry roundtable events. In this regard, we have presented on different aspects of MiFID II during the year including investor protection, product governance, transaction reporting and transparency requirement changes which are introduced or significantly enhanced under MiFID II.

One of the key objectives of MiFID II and MiFIR is to address weaknesses in the functioning and transparency of financial markets. With this in mind, the Central Bank has developed new analytics capabilities to enhance its surveillance of financial markets using both new data available and its increased regulatory powers.  As part of this surveillance strategy, Central Bank supervisors will be engaging with market operators and participants early in 2018 to assess and monitor MiFID II compliance.

Transaction reporting obligations on firms will increase significantly under MiFIR and require complex technology solutions.  Mindful of these challenges we are working closely with industry to be ready to receive the new transaction reports on 3 January.  We expect firms to be in the final stages of their own readiness projects for 3 January and we ask that you continue to engage fully with this process.

In 2018, assessing firms’ adoption of the MiFID II requirements will be a key priority for the Bank and this will be achieved through targeted visits, full risk assessments and thematic reviews. Moreover, I think it is fair to say that the results from the heat-mapping exercise and MiFID II questionnaire have provided the Bank with much food for thought and indeed, a strong platform for assessing firm compliance with MiFID II in the new year.

Many of you present here today may be wondering as to the MiFID II areas that the Bank will focus on next year. I would be reluctant to single out a particular topics given that MiFID II, overall, represents a significant undertaking to industry and national competent authorities.

Notwithstanding this, given the transaction reporting changes that will be introduced under MiFID II, we will be closely monitoring firms and their capacity to correctly transaction report. I think firms can also expect the Bank to pay particular attention to conduct of business elements of MiFID II in light of the scale of changes coming down the track and also because, the protection of consumers is a key part of the Bank’s mandate.

Finally, as our aim is to deliver high quality risk based assertive supervision, the Bank will be proactive and ask the probing questions to determine how MiFID II impacts firms’ operations, business models and revenue streams.

While I am on the subject of implementation of European legislation, I should also mention that we will be working during 2018 together with the Department of Finance to ensure the effective implementation of both the Money Market Funds Regulation and the revised Prospectus Directive, the so-called PD3.


An important lesson of the financial crisis is that incurred loss models often resulted in provisions that are “too little, too late”. To address this IFRS 9 introduces an expected loss model (ECL), which requires more adequate and timely recognition of provisions. The standard becomes effective on 1 January 2018.

Last week the SSM published a report on the findings of a thematic review it has carried out on banks’ preparedness for IFRS 9. The report also outlines key supervisory expectations for the application of IFRS 9.  As expected, the implementation of the new standard is a major challenge and institutions are making a considerable effort however, it is clear that at some institutions there is room for improvement. The new ECL framework is considered the most challenging part of the standard as it requires a significant increase in the role of risk management, data availability and expert judgement, for which strong governance and clear internal processes are required.

Aligned to the implementation of IFRS 9 the Central Bank is withdrawing its existing Impairment Provisioning and Disclosure Guidelines  effective from 1 January 2018. We issued a statement to this effect yesterday.

Our statement also outlines a number of supervisory expectations (aligned with SSM expectations) for Irish institutions in the context of implementing IFRS 9.  Key supervisory expectations include the following:

  • The definition of default for accounting purposes should be based on the EBA definition of non-performing exposures
  • Forbearance measures should be recognised as a backstop indicator of a significant increase in credit risk (SICR).
  • Institutions should consider all of the available and relevant internal and external data when estimating ECL, ensuring that the estimates are robust, unbiased and reflective of banks’ current exposures
  • The determination of collateral valuation is important in the calculation of impairment loss provisions under the ECL model.  Expected cash-flows from collateral realisation should be based on observed reliable market valuations and appropriately reflect the inherent uncertainty associated with distressed property liquidation. As specified in the SSM Thematic Review on IFRS 9, any increased valuations to date should be backed by solid evidence that such increases are sustainable.

IT & Cyber Risk

IT and Cyber risk continues to loom large on our radar. I am not saying anything new when I say that the line between financial services activities and information technology becomes increasingly hard to define. At the same time firms’ abilities and effectiveness in the IT space continues to be a cause for concern. You won’t be surprised to learn therefore that this area will continue to be an area of sharp focus for us in the period ahead.

A year ago the Central Bank introduced its Cross Industry Guidance in respect of IT and Cybersecurity Risks. This sought to set out in a usefully accessible way our expectations generally in relation to firms’ approach to these risks. The implementation of this guidance by firms will continue to be a key focus.

In 2015, the Central Bank established a dedicated unit to perform onsite IT inspections in banks.  This unit, from next year, will have an expanded remit for IT inspections, encompassing banks, market and funds firms, insurance and payment institutions. Many supervisory authorities have centralised their IT expertise in a specialised organisational unit for IT risk supervision. These units typically focus on developing methodologies, providing input to policy/guidelines to the market, performing firm-specific and thematic IT risk assessments, and supporting the “front line” supervisors with their IT expertise. Thus, our approach is in line with recognised best practice across the world and will allow for the most efficient use of scarce IT resources.

This unit will function in coordination with and in a supporting role to direct supervisory teams who will continue to challenge firms on their governance and management of IT and cyber risks through their ongoing engagements with firms on Operational, Governance and Strategic risks.

The resilience and security of IT systems in financial services continues to be a challenging area for both the industry and regulators where the risks are constantly evolving.  There is a wide range of potential causes of operational disruption, from legacy systems failing or breaking down, to simple human error. Cyber risk is now and likely to be into the future, a significant threat to the financial services sector, which is targeted both directly and also indirectly through attacks against key national infrastructure. The speed, intensity and complexity of such attacks requires a renewed focus on operational resilience amongst banks and other financial services firms and indeed ourselves as regulators.

Firms can expect to see a continued focus by the Central Bank on IT and cyber risk including firms’ resilience capabilities. Business continuity, disaster recovery and resilience will be a key focus. Not only from a cybersecurity perspective but also from an objective of broader IT resilience.


Another area of focus for 2018 will be outsourcing by financial services firms.

The Central Bank issued a cross-sectoral survey on outsourcing activities to regulated firms on Friday 13 October 2017. The responses to this survey will facilitate the Central Bank in obtaining a holistic baseline view of outsourcing arrangements, including associated risks, across all regulated sectors at a point in time. The survey data will also assist us in ascertaining the extent, nature, concentration and complexity of outsourcing arrangements and emerging trends from a cross sectoral perspective.

In advance of this survey being issued, we also held a number of briefings to sector industry bodies, which allowed us to outline our intentions and to hear directly back from industry on this key subject.

Why is outsourcing a topic of interest for the Central Bank?  The answer quite simply is that it is a material component of many firms’ operations in the Irish financial services sector today, possibly more so now, than ever. Outsourcing of certain activities can make sense from an operational and cost perspective.  Outsourcing can also enable a firm to benefit from enhanced business processes and the additional expertise that the outsourcing service provider may have.

However, it does have associated risks that firms should consider and, where we identify risks that are above our tolerance levels, firms can expect enhanced engagement. Examples of the risks, which can arise from outsourcing, include:

  • The concentration risk whereby a market or industry segment becomes over dependent on a few service providers;
  • The governance or oversight risk that stems from firms not taking reasonable steps to oversee the outsourced function in an effective manner and to ensure that the outsourced service does not have a negative impact on clients;
  • The contingency planning risk associated with the potential failure of the outsourced provider and the impact this could have on the regulated firm which could be largely unprepared; and
  • “Mind and management” risk whereby we could be presented with a firm seeking to delegate so much that it becomes hollowed out as business being run from the jurisdiction. 


Let me turn now to some of the challenges, and indeed opportunities, presented by Fintech. An important challenge for regulators is innovation taking place through fast evolving financial technology and disruptive innovations. We increasingly hear about distributed ledger technologies; peer to peer lending; robo advisors; innovative trading platforms; crypto-currencies, coin offerings  and digital wallets. And we note that the manner in which financial services firms’ business models – how they interact with their customers and gather data from them and the products and services they offer -  is changing and is likely to continue to change in the coming years.

I am not saying anything surprising when I note that in a competitive system innovation is a good thing. At the same time of course not all innovations are good. And not all good innovations are done well. So as regulators we need to get the balance right. On the one hand regulation should protect consumers, and indeed the system, from innovations which are harmful or unsuitable. In addition, we need to ensure that the way in which those innovations are implemented is such that consumers are not put at inappropriate risk. At the same time regulation should not crowd out desirable innovation.

So, Fintech is clearly on the regulatory agenda for 2018. The challenge for the Bank is to achieve a good balance in our approach to assessing innovative developments and determining an appropriate response. We have set up within the Central Bank a cross-bank Fintech Group. As part of our regulatory agenda for 2018, this Fintech group will continue to look at technological innovation across the range of sectors and activities and seek to ensure that we have a holistic view of those developments and how we are responding to them.

A recent example of how we seek to better understand issues relating to Fintech was through the Discussion Paper on the Consumer Protection Code and the Digitalisation of Financial Services. This Discussion Paper which closed on 27 October, sought views from interested parties on how consumers are or should be protected in an increasingly digital financial services environment. In particular, views were sought on:

  1. whether consumers are adequately protected under existing consumer protection rules contained in the Code;
  2. if the Code needs to be enhanced in specific areas;
  3. and whether there are impediments in the Code to firms adopting technologies that may be beneficial to consumers.

We are currently assessing feedback received and should we choose to advance any specific policy proposals as a result of this feedback, we will bring forward a consultation paper in 2018.

In addition to this we will maintain close collaboration with other agencies with key responsibilities in the digital economy and we will maintain open relationships with stakeholders engaged in Fintech. We will also continue to participate in various European and international fora in discussing these issues.

Conduct, behaviour and culture

I have saved a very important topic for last. I have spoken about a number of topics here today and in relation to some of these topics, have reiterated the need for firms to implement and to put in place, robust structures to manage these risks adequately. However, simply having the structures in place is not enough – it is the behaviors within and around these structures that will ultimately determine their success.

This is what we mean when we talk about behaviour and culture. The Libor scandal, FX rate rigging, PPI misselling, the tracker mortgage scandal; the names of recent conduct scandals at home and abroad come all too easily to mind. And beyond those examples lies the fact that a culture of low standards conduct has become far too common.

For clarity and as mentioned, I do not plan to discuss the tracker mortgage issue here. A lot has been said elsewhere. The work is continuing. And it is something that is outside my own area of responsibility.

In his recent speech to the BPFI, Deputy Governor Ed Sibley talked about culture within firms and outlined what he saw as the “overly legalistic” approach adopted by some Banks, and how some firms needed to be pushed and prodded by the Central Bank before taking the appropriate, and in some cases, long overdue, action to address failings or remediate risks – this is, to say the least, not where we want or expect firms to be almost a decade after the financial crisis. This is why this will be one of our key priorities going into the next period and beyond.

An oft-cited phrase when we talk about Culture is “tone from the top” and there is no doubt that the tone set by the top executives and management in an organization is critical in establishing core values and behaviours within that organisation. However, the tone set by the top executives and management must also permeate to other levels within any organisation – I am conscious of the audience today - I am sure that you will be aware of the critical role that you and your board of directors are required to play in setting the required tone and ensuring that it is permeated, and indeed lived by, all the staff throughout your organisation.

Concepts like culture and tone, while important and necessary as descriptors, do not lend themselves easily to assessment, accountability and enforcement. And it is clear that assessment, accountability, and enforcement are essential in addressing the continued failures of financial firms in this regard. This is of course a question of ensuring that consumers and clients are treated as they should be. And that in itself is of critical importance. But it is about more than that. It is about trust and confidence in financial firms and the financial system. Without that trust and confidence the system cannot work properly.

So over the coming period you can expect to see us enhance further our focus on this area. Work has been undertaken in banks and insurance firms from a prudential perspective, and in the consumer area we have developed a framework for the assessment of culture in regulated entities. As part of the tracker mortgage examination, we will be carrying out a review of culture in the banks. But in addressing cultural and behavioural issues we will not limit ourselves to the banks. Across all sectors we will be focusing on this aspect. We will be considering across all of the sectors how to enhance accountability for cases of behaviour falling below expected standards. And we will continue to use our enforcement powers as an essential underpinning to our expectations in this area.


Let me conclude there for now.

I have covered a lot of ground. I hope it gives you a good sense of some of the things to expect us to be focused on in the year ahead.

I look forward to your questions.