Banking business in Ireland is regulated under both domestic legislation and the legislation of the EU, which either is directly applicable in Ireland or has been transposed into Irish law by domestic provisions. New laws and regulations applicable to Irish banks are primarily driven by developments at the EU level.

Domestic Legislation

The primary domestic legislation establishing the framework for the regulation of banking activities in Ireland is the Central Bank Acts 1942-2018 (Central Bank Acts). The Central Bank Act 1942 originally established the Central Bank of Ireland (CBI) as a central bank and since then its competence has expanded. Following the introduction of the Central Bank Reform Act 2010 (2010 Act), the CBI is the primary Irish financial regulatory body.

The Central Bank Act 1971 (1971 Act) establishes the requirement for persons carrying on “banking business” to hold a banking licence and sets out certain requirements applicable to banks.

The CBI is empowered under the Central Bank Acts to issue codes of practice and regulations to be observed by banks. The CBI has issued several codes or regulations in areas such as corporate governance, related party lending, mortgage arrears, consumer protection, minimum competency and SME lending.

European Legislation

Irish banks are also subject to extensive regulatory requirements driven by EU initiatives regulating the activities of “credit institutions” (the terms “credit institution” and “bank” are used interchangeably in this document). These include the Fourth Capital Requirements Directive (2013/36/EU) (as amended by Directive (EU) 2019/878 (CRD V)) (CRD), the Capital Requirements Regulation ((EU) 575/2013) (as amended by Regulation (EU) 2019/876 (CRR II)) (CRR) and the Bank Recovery and Resolution Directive (2014/59/EU) (as amended by Directive (EU) 2019/879 (BRRD II)) (BRRD). CRD is transposed into Irish law by the European Union (Capital Requirements) Regulations 2014 (as amended) (CRD Regulations), while the CRR, as an EU regulation, is directly applicable. BRRD is implemented in Ireland by the European Union (Bank Recovery and Resolution) Regulations 2015 (as amended) (BRRD Regulations).

Regulation (EU) 1024/2013 (SSM Regulation) establishes the Single Supervisory Mechanism (SSM), which is responsible for banking supervision in the participating Member States, such as Ireland. Under the SSM, the European Central Bank (the ECB) has exclusive competence in respect of certain aspects of the prudential regulation of Irish banks, including the granting and withdrawal of banking licences and the assessment of notifications of the acquisition and disposal of qualifying holdings in banks (except in the case of a bank resolution). The ECB also directly supervises “significant” banks (SIs), while the CBI directly supervises “less significant” banks (LSIs), subject to ECB oversight. The SSM sets out criteria for determining SIs and LSIs.

Other Regulatory Bodies

Other regulatory bodies that are also relevant to Irish banks include the following:

• the Corporate Enforcement Authority;
• the Competition and Consumer Protection Commission, which regulates competition and consumer affairs;
• the Data Protection Commission, which enforces data protection legislation in Ireland; and
• the Financial Services and Pensions Ombudsman, which handles complaints from consumers of financial services.

Banking Business

Section 7(1) of the 1971 Act prohibits the carrying on of “banking business” or accepting deposits or other repayable funds from the public without a banking licence. “Banking business” is defined as any business that consists of or includes receiving money on the person’s own account from members of the public either on deposit or as repayable funds, and the granting of credits on own account (subject to certain exceptions).

While the 1971 Act does not define “repayable funds”, section 2(2) of the Central Bank Act 1997 defines “deposit” for the purposes of the Central Bank Acts as “a sum of money accepted on terms under which it is repayable with or without interest whether on demand or on notice or at a fixed or determinable future date.”

A person may apply for a banking licence to be granted under Section 9 of the 1971 Act. Since the introduction of the SSM, the ECB is the competent authority for the granting of the licence.

It is also possible to apply for authorisation under Section 9A of the 1971 Act for an Irish branch of a bank that is authorised in a third country (ie, a non-EEA country).

Holding oneself out as a banker

Section 7(1) of the 1971 Act also restricts persons from holding themselves out or representing themselves as a banker, or from carrying on banking business unless appropriately authorised.

The 1971 Act provides that, where a person carries out business under a name that includes the words “bank”, “banker” or “banking”, or any word which is a variant, derivative or translation of or is analogous to those words, or uses any advertisement, circular, business card or other document that includes such words, they hold themselves out or represent themselves as conducting or being willing to conduct banking business.

Permitted Activities

A banking licence permits the holder to engage in a broad range of business, including deposit taking, lending, issuing e-money, payment services and investment services and activities regulated by the Markets in Financial Instruments Directive (2014/65/EU) (MiFID II).

Application Process

Applications for authorisation as a bank are made using the ECB’s Information Management System (IMAS) portal. In practice, applicants will engage in a pre-application meeting with the CBI to discuss the scope of any application. The application process for a bank licence begins with a preliminary engagement phase known as the “Exploratory Phase”. During this phase the applicant submits an initial high-level proposal for their application. The applicant will often have meetings or calls with the CBI to discuss the proposal. Following the CBI’s review of the proposal, if no issues are identified then the applicant moves to the next stage.

The next stage is known as the “Draft Application” stage. This phase involves the submission by the applicant of a draft application. The majority of the assessment work will be carried out during this phase. The assessment will be carried out by the ECB for entities seeking to establish a credit institution in Ireland. The application pack requires extensive detail regarding all material areas of the applicant’s proposed business.

Following the receipt of the application, the CBI will assess the application, in conjunction with the ECB. The process is iterative and typically involves multiple rounds of extensive comments and queries from the regulators.

The ECB indicates that the assessment will cover areas including: 

• general presentation of the applicant and its history, including background and justification for requesting the licence;
• programme of operations, including intended activities, business model and the associated risk profile;
• structural organisation of the applicant, including IT organisation and outsourcing requirements;
• financial information, including forecast balance sheet and profit and loss account projections and adequacy of internal capital and liquidity;
• suitability of shareholders; and
• suitability of the management board and key function holders and of the supervisory board.

Following the completion of the iterative query stage, the ECB will determine whether or not to grant a licence. The ECB indicates that it usually takes from six to 12 months for a decision to be taken on an application. Where a licence is granted, it may be subject to specific conditions.

There is no fee for submitting a bank application, but banks are subject to a number of ongoing levies.

Third country (non-EEA) credit institutions can seek to establish a licensed branch in Ireland to carry out banking business. The CBI will carry out an assessment for these institutions, rather than the ECB.

Other Requirements

CRD also includes requirements for certain financial holding companies and mixed financial holding companies to be authorised and, in certain cases, non-EEA groups may be required to establish an intermediate EU parent undertaking.

Certain systemic investment firms are required to seek a bank licence.

Passporting

Under the CRD mutual recognition provisions, Irish banks can both provide services on a freedom of services basis and establish a branch on a freedom of establishment basis across the EEA, subject to completing the necessary passporting processes.

Requirements Governing Change in Control

The requirements in relation to the acquisition and disposal of interests in banks are set out in Chapter 2 of Part 3 of the CRD Regulations. The CRD Regulations provide that the prior approval of the ECB is required in advance of any proposed acquisition of a qualifying holding in a bank.

A “qualifying holding” is defined as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise a significant influence over the management of that undertaking. Notification is also required in respect of direct or indirect holding increases above a prescribed percentage of 20%, 33% or 50%.

There are currently no specific restrictions on private ownership nor geographical restrictions on foreign ownership of Irish banks. However, Ireland will introduce legislation to give effect to the EU Screening Regulation (Regulation (EC) 2019/452) and to introduce a screening regime for certain foreign investment transactions that may present risks to the security or public order of Ireland. The CBI has expressed preferences in the past that banks not be owned or controlled by single private individuals or that ownership of banks should not be “stacked” under insurance undertakings. Prior ownership experience of banks or other financial institutions will be an advantage in applying for the approval of an acquisition of a qualifying holding.

The CRD Regulations provide that an application to the Irish High Court may be made to remedy a situation where a qualifying holding was inadvertently acquired without the prior approval of the ECB.

The Nature of the Regulatory Filings

Notification of the proposed acquisition of a qualifying holding is made to the CBI via the ECB’s IMAS portal. The CBI will liaise with the ECB, which is the competent authority under the SSM for the approval of acquisitions of or increases in qualifying holdings in respect of Irish authorised banks.

The maximum total period for assessment of an acquiring transaction notification is 90 working days from the receipt of a complete application. Notifications can be rejected as not complete at the outset of the process, and so in practice this process can take longer. The CBI advises that pre-application engagement and the submission of notification and supporting documentation in draft form can help minimise the risk of a notification being deemed “incomplete”, thereby delaying the approval process.

The CBI also requires any proposed acquirers to take note of the content of the May 2017 Joint Committee of the European Supervisory Authorities, which includes the European Banking Authority’s (EBA) “Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the banking, insurance and securities sectors”.

The criteria assessed by the ECB are the following:

• reputation of the proposed acquirer;
• fitness and propriety of the board members to be appointed by the proposed acquirer;
• financial soundness of the proposed acquirer;
• ability of the target to continue to comply with prudential requirements following the acquisition; and
• whether the transaction involves, or increases the risk of, money laundering or the financing of terrorism.

The CBI may also seek comfort from a proposed acquirer of a majority stake in an Irish bank that the proposed acquirer will provide such financial support as is necessary for the Irish bank to continue to meet its regulatory obligations.

The corporate governance requirements applicable to Irish banks include those set out in the CBI Corporate Governance Requirements for Credit Institutions 2015 (CBI Requirements) and the CRD provisions in respect of corporate governance.

CBI Requirements

The CBI Requirements provide that all Irish banks must have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms. The governance structure put in place must be sufficiently sophisticated to ensure that there is effective oversight of the activities of the institution, taking into consideration the nature, scale and complexity of the business being conducted.

The CBI Requirements are prescriptive, imposing minimum standards in relation to corporate governance, including the composition, role and conduct of the board of directors and the establishment of certain board committees, and also setting out requirements in relation to risk management.

An Irish bank is required to have at least five directors, or seven if it is designated as having a High Impact under the CBI’s Probability Risk and Impact System (PRISM). The board is required to have a majority of independent non-executive directors (INED), although where a bank is part of a group, the majority of the board may also be composed of group directors, provided that the bank has at least two INEDs (or three INEDs where the bank is designated as High Impact).

CRD

The CRD Regulations set out a number of rules in relation to the governance of banks, including in relation to implementation of governance arrangements that ensure effective and prudent management, board members’ knowledge and experience, the number of directorships bank directors can hold and the requirements for board committees. The EBA has built upon these requirements in its updated guidelines on internal governance (EBA/GL/2021/05) (EBA IG Guidelines). The EBA IG Guidelines specify the internal governance arrangements, processes and mechanisms that banks and certain investment firms must implement in accordance with Article 74(1) of CRD to ensure effective and prudent management of the institution.

The EBA IG Guidelines apply in relation to governance arrangements such as organisational structure, lines of responsibility, risk identification and management and the internal control framework. Guidance is given in relation to the role of the management body and its responsibilities, as well as the role of board committees and internal control functions. Arrangements in relation to risk management, outsourcing and business continuity are also addressed.

Recent Developments

Corporate governance continues to be an area of focus for the CBI. This has been evident in recent publications and supervisory focuses on areas including behaviour and culture, conduct risk, outsourcing and individual accountability. Proposed legislation to introduce a new individual accountability framework (see 10.1 Regulatory Developments) will include conduct standards for all firms and for individuals working within them.

Fitness and Probity Regime

The CBI’s Fitness and Probity Regime (F&P Regime), which was established under the 2010 Act, applies to persons in certain senior positions in Irish regulated financial service providers (RFSPs), including banks.

Controlled Functions

The F&P Regime applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs are a sub-set of CFs and include directors, chairs of the board and committees, the chief executive and heads of certain internal control functions, amongst other functions.

An RFSP must not permit a person to perform a CF or PCF unless it is satisfied on reasonable grounds that the person complies with the CBI’s Standards of Fitness and Probity (Standards) and the person has agreed to comply with the Standards. The Standards require a person to be:

• competent and capable;
• honest and ethical, and to act with integrity; and
• financially sound.

In order to be satisfied the person complies with the Standards, due diligence must be undertaken by the RFSP.

Irish banks are also subject to the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders (Suitability Guidelines), as well as CRD requirements.

Pre-approval for PCFs

A person cannot be appointed to a PCF position unless such appointment has been approved by the CBI. For SIs, the approval of the ECB is required for members of the management body (ie, board) and key function holders. This is also the case for members of the management body of any new bank.

PCF applicants are required to submit an individual questionnaire to the CBI, setting out details of their professional qualifications and employment history, and including various confirmations from both the applicant individual and the RFSP. The CBI/ECB may interview candidates for certain PCF roles, and this is increasingly becoming the norm for bank board members and certain other senior PCFs. SIs must submit PCF applications via the IMAS Portal, along with the corresponding declarations.

The ECB has published a Guide to Fit and Proper Assessments for its fitness and probity assessments, which are conducted in accordance with the Suitability Guidelines.

Accountability

CF and PCF holders may be the subject of an investigation or required to comply with an evidentiary notice, or may be the subject of a suspension notice or a prohibition under the 2010 Act. Applicants for PCF roles are also not guaranteed to receive approval.

The CBI operates an administrative sanctions regime in order to take enforcement actions in relation to RFSPs. Persons involved in the management of an RFSP may be subject to sanctions in certain circumstances.

In July 2022, the Irish Government published the Central Bank (Individual Accountability Framework) Bill 2022 (IAF Bill) which contains significant proposals for the reform and strengthening of the CBI’s toolkit in relation to individual accountability in the financial services industry (see 10.1 Regulatory Developments for more information on the contents of the 2022 Bill and how it will impact institutions within its scope, which includes banks).

Irish banks are subject to remuneration rules under both the CBI Requirements and the CRD Regulations, and must comply with certain principles in a manner and to the extent that is appropriate to their size and internal organisation and to the nature, scope and complexity of their activities.

The EBA “Guidelines on sound remuneration policies under Directive 2013/36/EU” (EBA Remuneration Guidelines) apply to banks, covering issues including the governance process for remuneration policies and the application of remuneration requirements in a group context.

Banks that are classified as significant are required to have a remuneration committee that complies with the requirements of the CRD Regulations. Banks with a High Impact PRISM rating are required to have a remuneration committee that complies with the CBI Requirements.

The CRD Regulations require banks to have a remuneration policy that is in line with their business strategy, objectives and long-term interests, incorporates measures to avoid conflicts of interest, is consistent with and promotes sound and effective risk management, does not encourage risk-taking that exceeds the level of tolerated risk of the institution, and is gender neutral. The policy is to apply to categories of staff whose professional activities have a material impact on the risk profile of that institution. The board is responsible for overseeing the implementation of the remuneration policy and should periodically review its general principles. Banks should review their remuneration policies at least annually. The CRD Regulations and the CRR also impose disclosure requirements relating to remuneration policies and practices.

Banks should also ensure that the remuneration of “control function” employees (note this is distinct from CF as defined in 4.2 Registration and Oversight of Senior Management) is not linked to the performance of any business areas they control, and that the remuneration of senior risk and compliance employees is suitably overseen. In respect of certain employees whose professional activities have a material impact on the risk profile of the institution, including senior management, risk takers and heads of control functions, banks are subject to extensive rules regarding variable remuneration. These rules include a “bonus cap”, which limits variable remuneration to 100% of fixed remuneration (or 200% with shareholder approval). Separately, the Irish banks recapitalised by the Irish State as a consequence of the global financial crisis of 2007/8 remain subject to additional restrictions on pay.

The prescriptive variable remuneration requirements regarding deferral, retention and payment in instruments, for staff whose activities have a material impact, are disapplied to: (a) small and non-complex institutions (as defined in the CRR) with assets on average equal to or less than EUR5 billion over the four-year period immediately preceding the current financial year; and (b) to staff members whose annual variable remuneration does not exceed EUR50,000 and does not represent more than one third of the staff member’s total annual remuneration.

Breach of the CBI Requirements and/or the CRD Regulations is an offence and may be grounds for an enforcement action by the CBI under its administrative sanctions regime, which can result in fines being imposed.

Legal Framework

The primary AML and counter-terrorist financing (CTF) legislation applicable to Irish banks is the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010), as amended, which transposed the Fourth EU Anti-Money Laundering Directive ((EU) 2015/849) (as amended by the Fifth EU Anti-Money Laundering Directive (2018/843/EU)) into Irish law.

The CJA 2010 imposes a range of obligations on banks, including obligations to:

• conduct a business risk assessment;
• conduct risk-sensitive due diligence on customers and their beneficial owners both at on-boarding and on an ongoing basis;
• conduct monitoring of customer relationships and transactions;
• report suspicious activity to the relevant authorities – ie, the Financial Intelligence Unit Ireland (the Irish police) and the Irish Revenue Commissioners;
• implement internal policies, controls and procedures to prevent and detect the commission of money laundering (ML) and terrorist financing (TF);
• provide AML/CTF training to persons involved in the conduct of the bank’s business; and
• keep records in relation to business risk assessments, customer due diligence and customer transactions.

The CBI published its AML/CTF Guidelines for the Financial Sector (AML Guidelines) in September 2019 to assist firms in understanding their obligations under the CJA 2010. The AML Guidelines, which were updated in June 2021, set out the expectations of the CBI regarding AML/CTF governance and the factors that firms should take into account when identifying, assessing and managing ML and TF risks, and also emphasise the importance of firms having regard to AML/CTF guidance published by the Financial Action Task Force and European supervisory authorities.

In addition to the CJA 2010, Irish banks are also required to comply with the various international financial sanctions that emanate from the EU and the United Nations, and with Regulation (EU) 2015/847, which deals with information requirements regarding wire transfers. With the imposition of EU sanctions in response to Russia’s invasion of Ukraine, there has been increased focus by the CBI on the controls implemented by Irish banks to comply with financial sanctions. 

Regulatory Supervision and Enforcement

Under the CJA 2010, the CBI is the relevant competent authority in Ireland for the monitoring and supervision of banks’ compliance with AML/CTF obligations. The CBI implements a risk-based approach to AML/CTF supervision such that the extent of supervision of a given firm is commensurate with the CBI’s assessment of ML/TF risk within the firm. The retail banking sector is considered by the CBI to be a high-risk sector, with the non-retail banking sector considered to be a medium-high or medium-low risk sector, depending on the specific activities engaged in. An individual firm’s ML/TF risk rating will be informed by the CBI’s risk rating of the sector and its supervisory engagements with the firm, such as inspections.

The CBI is empowered to take measures that are reasonably necessary to ensure that firms comply with the provisions of the CJA 2010. This may include the CBI issuing a risk mitigation programme to a firm to address identified shortcomings in the firm’s AML/CTF framework. The CBI also has the power to administer sanctions against banks for breaches of the CJA 2010 under its administrative sanctions regime, which can result in fines being imposed.

Ireland has transposed the Deposit Guarantee Schemes Directive (2014/49/EU) (DGS Directive) into domestic law through the European Union (Deposit Guarantee Schemes) Regulations 2015 (DGS Regulations), which govern the operation of a deposit guarantee scheme (DGS) for “eligible deposits” at Irish banks. Irish banks are not allowed to accept deposits without being members of the DGS.

The CBI is the designated authority for the purposes of the DGS Directive, and is responsible for the maintenance and ongoing supervision of the DGS and for ensuring that it has sound and transparent governance practices in place. The CBI is required to produce an annual report on the activities of the DGS.

The DGS provides protection to eligible deposits, which includes deposits belonging to individuals, companies, partnerships, clubs and associations. The eligible deposits that may be protected by the DGS include current accounts, savings accounts, demand notices, fixed-term deposit accounts and share accounts. The deposit element of structured deposits/tracker bonds may also be eligible if the deposit element is repayable at par.

Certain specified categories are not eligible deposits. These include deposits of “financial institutions” as defined under the CRR – and including insurance undertakings, collective investment schemes, MiFID II investment firms and other banks (subject to certain conditions). Deposits of public authorities, debt securities issued by banks and liabilities arising out of their own acceptances and promissory notes are also not eligible deposits; a bank’s “own funds” for the purposes of the CRR are also not covered.

The coverage level for aggregate eligible deposits for each depositor is EUR100,000. In certain specified circumstances, a depositor may be covered for aggregate deposits up to a level of EUR1 million as a “temporary high balance”. The DGS Regulations set out detailed provisions as to how a depositor’s aggregate deposits are to be calculated.

Examples of circumstances that give rise to increased “temporary high balance” cover include the following:

• where monies are deposited in preparation for the purchase of – or which represent the proceeds of a sale of – a private residential property;
• where the monies deposited represent certain insurance or compensation payments; or
• where funds are held by a depositor in his or her capacity as the personal representative of a deceased person for the purpose of realising and administering the deceased’s estate.

Subject to certain exceptions, this higher level of cover will be available to depositors for a period of six months after the relevant amount has been credited or from the moment when such deposits become legally transferable.

The DGS Regulations provide that the DGS is funded by participating banks. As the designated authority, the CBI is responsible for ensuring that it has adequate systems in place to determine the potential liabilities of this fund. The CBI identifies a target level for the fund and requires all banks that hold eligible deposits to pay contributions to the fund. The fund must hold at least 0.8% of the amount of eligible deposits of all banks authorised in the State.

A bank’s required contribution to the DGS is calculated primarily by reference to the proportion of eligible deposits it holds, and the DGS Regulations set out prescriptive provisions regarding how these obligations are to be calculated and levied.

The Irish DGS protects eligible deposits held at EEA branches of Irish banks. Deposits held with other EEA banks should be protected under the relevant other EEA bank’s home country deposit protection scheme.

In November 2015, the European Commission proposed a European Deposit Insurance Scheme, which, if established, would form part of the third pillar of the EU’s Banking Union.

Irish banks owe a duty of confidentiality to their customers. The duty of confidentiality has its origins in the common law and is an implied term in all contracts between banks and their customers. For the purpose of this duty, the term “customers” includes both natural and legal persons. There has also been limited judicial commentary to the effect that the Irish constitutional right to privacy may encompass a right to confidentiality in relation to banking affairs.

The duty of confidentiality is a broad one and provides that, once a contractual relationship exists between a bank and a customer, the bank must not divulge to third parties any information acquired by the bank during, or by reason of, its relationship with the customer, without the express or implied consent of the customer. Banks must also ensure that their employees and agents do not breach this duty.

In practice, the duty of confidentiality applies to the following:

• information related to the state of the customer’s account or the amount of the balance;
• information related to the securities offered to and held by the customer;
• information related to the extent and frequency of transactions; and
• any information obtained by the bank as a consequence of its relationship with the customer.

The duty of confidentiality continues to apply when the account is closed or ceases to be active.

Given the wide and increasing range of services offered by banks and RFSPs, where any business of a kind normally carried on by a bank is carried out, it is prudent to presume the imposition of this duty of confidentiality.

The duty of confidentiality is not absolute and the Irish courts have confirmed the existence of a number of qualifications and exemptions to the duty of confidentiality, including where:

• disclosure is under compulsion of law;
• there is a duty to the public to disclose;
• the interests of the bank require disclosure; or
• the disclosure is made by the express or implied consent of the customer.

Irish statutes contain a number of express statutory exceptions to the duty of confidentiality. These exemptions are included in the Companies Act 2014, the CJA 2010, criminal justice legislation and credit reporting legislation, as well as the law of evidence, including court rules providing for discovery orders.

A court or judge may authorise a member of the Irish police force to inspect bank records to investigate an indictable offence, where the court or judge is satisfied that there are reasonable grounds for believing that such an offence has been committed and the relevant material is likely to be of substantial value to the investigation.

In addition, by virtue of their statutory powers, the CBI and the Irish Revenue Commissioners have the ability to inspect customer accounts in certain circumstances.

Where the customer consents to disclosure, the duty may be dis-applied; this is relatively common where a third party seeks a reference or statement from a bank with the customer’s consent. It is best practice to obtain the customer’s prior written authorisation in these circumstances.

Where the duty of confidentiality is breached, the customer is entitled to seek damages, which may include aggravated damages.

Banks will also be subject to a requirement under the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR) to implement appropriate security measures to protect any personal data it processes relating to its customers. Under the GDPR, banks will also be required to protect its customers’ personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, including through the use of appropriate technical or organisational measures.

The prudential requirements applicable to Irish banks, including in relation to capital and liquidity, emanate from EU legislation that is itself heavily influenced by international standards.

The current prudential requirements applicable to Irish and other EEA banks are set out in CRD and the CRR, as well as secondary EU legislation. This framework seeks to address the requirements of certain international standards of the Basel Committee on Banking Supervision and the Financial Stability Board (FSB). The EU rules also contain bespoke requirements to address particular concerns of the EU Member States.

Initial Capital

Under the 1971 Act, Irish banks must hold initial capital of at least EUR5 million before the CBI will propose to the ECB that a banking licence should be granted.

Capital Requirements – Pillar I

The CRR sets out the requirement for banks to maintain a minimum quantity of regulatory capital and rules governing the quality of that capital. The quality of regulatory capital is considered by reference to two categories:

• Tier 1 Capital, which is divided into (a) Core Equity Tier 1 (CET1) and (b) Additional Tier 1 Capital; and
• Tier 2 Capital.

CET1 includes ordinary shares and reserves, and is the highest quality capital. There are eligibility criteria and deductions that must be followed to calculate the instruments that qualify for each tier.

The minimum capital requirement is a percentage of a bank’s total risk exposure amount calculated in accordance with the CRR.

The CRR requires maintenance of the following minimum capital ratios:

• regulatory capital of 8% of total risk exposure amount;
• CET1 of 4.5% of total risk exposure amount; and
• Tier 1 Capital of 6% of total risk exposure amount.

There is also a leverage ratio of 3%, which must be met with Tier 1 Capital.

An additional leverage ratio buffer for G-SIIs will be introduced in January 2023 under CRR II.

Capital Buffers

The following four buffers are provided for under CRD:

• a capital conservation buffer, which requires banks to hold CET1 equal to a further 2.5% of their total risk exposure amount. There are restrictions on distributions where the buffer is not maintained;
• a countercyclical buffer (CCyB), based on total risk weighted exposures of a bank and the CCyB rates applicable to those exposures in the jurisdiction where they are located. This also comes with capital maintenance requirements. The CCyB rate for Irish exposures is set quarterly by the CBI and applies to all EU banks with exposures to Irish counterparties. The CCyB aims to make the banking system more resilient and less pro-cyclical, and to support the supply of credit during a downturn, at times when the CCyB is released. In June 2022, the CBI announced an increase of the CCyB rate on Irish exposures to 0.5%. This 0.5% rate will take effect in June 2023. In August 2022, the CBI announced that the rate of 0.5% announced in June 2022 would be maintained;
• a buffer applicable to global systemically important institutions (G-SIIs) and one applicable to other systemically important institutions (O-SIIs). Six banks regulated by the CBI and the ECB are currently subject to an O-SII buffer ranging from 0.5% to 1.5%; and
• a systemic risk buffer – to date the CBI has not announced any intention to begin any phase-in of the systemic risk buffer.

Institutions are restricted from using CET1 that is maintained to meet the combined buffer requirement (ie, the CET1 required to meet the buffers above) to meet Pillar I requirements or Pillar II capital.

Pillar II Capital

The CBI has the power to apply additional capital requirements to Irish banks on a case-by-case basis. Any additional requirements will be based on the CBI’s assessment under its supervisory review and evaluation process, which looks at the specific risks of the firm. Non-binding guidance may also be issued to a bank in respect of further capital it is expected to hold.

Liquidity

The CRD/CRR framework provides for two liquidity ratios. The liquidity coverage ratio requires banks to hold high-quality unencumbered liquid assets, which must be sufficient to meet net cash outflows under a 30-day stress scenario.

A separate net stable funding ratio has been introduced under the CRR to address liquidity mismatches. This aims to ensure that the level of stable funding available to a bank is aligned with the level of funding it requires over the longer term, based on the liquidity risk profiles of assets and off-balance sheet exposures. The minimum level of available stable funding must be at least 100% of the required amount of stable funding.

MREL

Under BRRD and the Single Resolution Mechanism (SRM) Regulation (806/2014) (SRM Regulation), banks must comply with a minimum requirement for own funds and eligible liabilities (MREL). The MREL should assist the bank in absorbing losses and restore its capital so that the bail-in resolution tool can be applied effectively. Under BRRD II and Regulation (EU) 2019/877 (SRM Regulation II), a number of changes align MREL with the FSB’s standard relating to total loss-absorbing capacity (TLAC) and implement the TLAC standard for G-SIIs (subject to transitional arrangements).

The CBI published its “Approach to Minimum Requirement for Own Funds and Eligible Liabilities (MREL)” in October 2021, which provides further information on the regime and CBI discretions.

Other

The CRD Regulations and the CRR provide other measures to address risks applicable to banks. These include measures in relation to credit valuation adjustment, disclosure requirements, reporting requirements, governance and remuneration requirements, credit risk adjustment and the ability of regulatory authorities to impose stricter macro-prudential measures.

The legal and regulatory framework governing the insolvency, recovery and resolution of banks in Ireland has undergone significant development since the global financial crisis of 2007/8, when Ireland implemented emergency legislation to address issues affecting domestic institutions. Since then, the EU has adopted BRRD and the SRM Regulation, which provide an EU framework for the recovery and, where necessary, resolution of EU banks.

Insolvency

One of the ways in which a failing bank can be addressed is through a liquidation process. The CBI has issued a document entitled “Central Bank of Ireland’s Approach to Resolution for Banks and Investment Firms (Second Edition) October 2021” (Approach Paper), which addresses credit institutions within the scope of the BRRD Regulations that are LSIs and are not part of a “cross-border group” as defined in the SRM Regulation, certain investment firms, holding companies and others. In the Approach Paper, the CBI comments that, in fact, the most likely method for the majority of failing institutions is through a CBI-involved winding-up (liquidation) procedure. Under the BRRD Regulations, where resolution conditions are met but the resolution authority considers a resolution action would not be in the public interest, it must be wound-up.

The Central Bank and Credit Institutions (Resolution) Act 2011 (Resolution Act) provides that the Irish Companies Acts will apply to the winding-up of an Irish bank. However, the CBI has an important role under the Resolution Act. No person other than the CBI can present a petition to the High Court to wind up a bank, unless they have given the CBI notice and the CBI has confirmed that it does not object. In the latter case, the CBI will be a notice party to court applications and may make representations in court.

The Resolution Act sets out a number of specific grounds under which the CBI may present a petition for a winding-up order, such as where:

• it would be in the public interest;
• the bank is unable to meet obligations to creditors;
• the bank has failed to comply with a CBI direction;
• the bank’s licence has been revoked; or
• it is in the interests of depositors.

Under the Resolution Act, only a liquidator approved by the CBI may be appointed. Objectives for the appointed liquidators are set out in the legislation, with the protection of eligible depositors under the DGS being a priority.

Recovery and Resolution

BRRD and the SRM Regulation set out an alternative mechanism to resolve failing banks in a more orderly way, and seek to implement the original “Key Attributes of Effective Resolution Regimes for Financial Institutions” published by the FSB. BRRD provides authorities with tools to intervene at an early stage and in a swift manner in relation to a failing institution, to ensure the continuity of critical functions and minimise the impact of the institution’s failure on the economy and financial system. In its Approach Paper, the CBI states that burden-sharing is a driving principle of the resolution framework in order to mitigate moral hazard by ensuring that shareholders and investors bear losses from an institution’s failure.

As Ireland is part of the SSM, the SRM is applicable to Irish banks, and the SRM Regulation is directly applicable in Ireland.

The CBI is designated as the national resolution authority under the SRM and the national competent authority under the SSM. Broadly speaking, the Single Resolution Board (SRB) has responsibility in relation to the resolution of SIs or institutions that are subject to direct ECB oversight, and the CBI will have responsibility for the key resolution processes for LSIs that are subject to SRB oversight.

Resolution Tools and Powers

The framework includes the following elements:

• in order to prepare for or prevent failure:
1. recovery plans are to be prepared by banks, setting out measures to be taken by the institution to restore its financial position following a significant deterioration of its financial position;
2. resolution plans are to be prepared by resolution authorities, setting out the resolution options for the particular institution; and
3. powers are available to remove impediments to resolution;
• powers for authorities to take steps at an early stage, including requiring the implementation of recovery plans or replacing management; and
• where certain conditions are met, the availability of resolution tools to manage the resolution of a failing institution, including the sale of business tool, the bridge institution tool, the asset separation tool and the bail-in tool. The resolution tools and associated resolution powers available are subject to procedural requirements.

Resolution authorities are also afforded write-down and conversion powers in respect of certain capital instruments. These can be implemented as part of a resolution action or separately, where certain conditions are met. BRRD II introduced a moratorium power that allows a resolution authority to suspend any payment or delivery obligations pursuant to any contract to which an institution is a party, where certain conditions are met.

BRRD provides requirements for institutions to include contractual provisions in certain contracts governed by non-EEA law in respect of powers under BRRD.

In its Approach Paper, the CBI has commented that resolution tools are generally used where, for example, a bank’s failure could cause financial instability or disrupt critical functions. Resolution tools would be used by the CBI where certain conditions for resolution are met, including, for example, where the CBI considers resolution to be in the public interest.

Resolution funds have been established in Ireland and at the EU level, in order to provide funding for the cost of resolution.

Protection for Depositors

The DGS protects eligible depositors in the event of a bank authorised by the CBI being unable to repay deposits. Objectives related to the protection of deposits eligible under the DGS are also built into both the liquidation and resolution frameworks.

DGS eligible deposits up to an amount of EUR100,000 are exempted from bearing losses in a bail-in process. Eligible deposits of natural persons and small and medium enterprises exceeding EUR100,000 receive a preferred status over certain other unsecured liabilities in a resolution process. Amendments have also been made to the Irish Companies Act 2014 to provide for preference to certain depositors in a liquidation of a BRRD institution so as to implement the Bank Creditor Hierarchy Directive ((EU) 2017/2399).

Individual Accountability and the Senior Executive Accountability Regime

The culture within the Irish financial services industry has been a key issue for the CBI and RFSPs following a number of instances of banks and firms engaging in practices and activities that did not meet the standards expected of the sector, including in relation to the treatment of customers with tracker mortgages following the global financial crisis of 2007/8. In 2018, the CBI published a report entitled “Behaviour and Culture of the Irish Retail Banks”, which identified that consumer-focused cultures in banks remained underdeveloped. The report also recommended the introduction of an enhanced framework for individual accountability.

As referenced in 4.2 Registration and Oversight of Senior Management, the IAF Bill was published on 28 July 2022, by the Department of Finance, following the publication of the General Scheme of the IAF Bill (General Scheme) in July 2021. The main purpose of the IAF Bill is to improve accountability and trust in the financial sector by creating a framework which contributes to bringing about cultural and practical change in the banking sector and throughout the financial services industry at large. 

The IAF Bill proposes to overhaul the allocation of accountability in Irish financial services legislation and empower the CBI to hold those in management roles at RFSPs accountable for contraventions that occur under their supervision.

The IAF Bill proposes:

• the introduction of a Senior Executive Accountability Regime (SEAR);
• the introduction of conduct standards for all individuals within RFSPs, additional conduct standards for senior executives and conduct standards for RFSPs;
• enhancements to the existing Fitness & Probity regime; and
• amendments to the CBI’s Administrative Sanctions Procedure.

It is expected that SEAR will initially apply to a limited range of RFSPs, including banks, and will impose obligations on both in-scope institutions and their senior executives.

Under SEAR, in-scope RFSPs will be required to:

• specify the responsibilities that are inherent to each PCF-holder;
• specify the responsibilities of each PCF-holder that are allocated to them by the RFSP (eg, through statements of responsibility);
• implement arrangements and documentation to ensure the proper conduct of the RFSP’s affairs;
• implement arrangements and documentation to monitor the performance of PCF-holders; and
• implement arrangements and documentation which identify and clarify the management and governance structure of its lines of authority and accountability (eg, responsibility maps).

The IAF Bill also seeks to introduce enforceable prescribed Standards for Business, which apply to all RFSPs; Common Conduct Standards, which apply to individuals performing CF and PCF roles; and Additional Conduct Standards, which apply to individuals performing PCF roles and other functions with significant influence on the conduct of an RFSP’s affairs. Amongst other things, under the Business Standards, RFSPs must act in the best interests of customers and of the integrity of the market, while CF holders must act with honesty and integrity and with due skill, care and diligence under the Common Conduct Standards. The Additional Conduct Standards include a requirement for PCFs to ensure that the business of the RFSP is controlled effectively.

The CBI issued a statement accompanying the publication of the IAF Bill, confirming it will launch a public consultation on the implementation of the individual accountability framework once the IAF Bill has been passed.

European Commission AML Legislative Package

On 20 July 2021, the European Commission presented a package of legislative proposals to strengthen the EU’s AML/CFT framework, elements of which will impact banks. A new EU AML Authority (AMLA) is to be established, which will directly supervise certain high-risk, cross-border institutions and act as the central authority co-ordinating national supervisory authorities.

The legislative package also included a new regulation that will contain directly applicable rules, including in relation to customer due diligence and beneficial ownership, and a revised regulation on transfer of funds, which will make it possible to trace transfers of crypto-assets.

The European Commission expects the AMLA to be operational in 2024 and to commence supervisory work slightly later.

Departures from the Irish Banking Market

In 2021, both Ulster Bank Ireland DAC and KBC Bank Ireland plc announced strategic plans to wind down Irish operations and exit the Irish market. Since the announcement by both entities of their plans to withdraw from the Irish market, they have both entered into arrangements to transfer existing assets to the remaining retail banks operating in Ireland and have been engaging with customers to arrange account closures. At the time of writing, in December 2022, this process remains ongoing. This reduces the already small and concentrated retail banking sector in Ireland.

Application of Client Asset Requirements to Credit Institutions

The Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2022 (the Investment Firms Regulation 2022) were published on 23 June 2022. Part 6 of the Investment Firms Regulation 2022, contain the revised version of the Client Asset Requirements (CAR 2022), extending the application of the CAR 2022 to banks that perform MiFID II investment business.

The CBI expects credit institutions to commence preparations to ensure they will be able to fully comply with the CAR 2022 at the end of the transitional period, on 1 January 2024.

EU Banking Package 2021

On 27 October 2021, the European Commission adopted its Banking Package 2021 (the Package), which consists of legislative proposals to amend the CRD and the CRR – including a separate legislative proposal to amend the CRR and the BRRD in the area of resolution (known as the “daisy chain” proposal).

The Package aims to implement the Basel III agreement, including by ensuring internal models used by banks to calculate their capital requirements do not underestimate risks, and thus ensuring banks hold sufficient capital. The Package also aims to strengthen resilience without resulting in significant increases in capital requirements, and to lower compliance costs, particularly for smaller banks, without loosening prudential standards.

The Package seeks to increase the focus on sustainability in banking supervision, including proposals for regular climate stress testing by both supervisors and banks, consideration of ESG risks as part of regular supervisory reviews, and requirements on banks to disclose the degree of ESG risk exposure.

Another objective of the Package is to strengthen supervision powers, including establishing clear, robust and balanced “fit-and-proper” rules, for supervisors to assess whether senior bank staff have the requisite skills and knowledge. As a response to the WireCard scandal, the Package proposes to equip supervisors with better tools to oversee fintech groups, including bank subsidiaries.

The Package also seeks to harmonise EU rules on the establishment of EU branches of third-country banks, which is at present largely subject to national legislation with limited harmonisation across the EU.

Regulation (EU) 2022/2036, relating to prudential treatment of G-SIIs and implementing the daisy chain proposal, was published in the Official Journal of the EU on 25 October 2022, and will enter into effect on a phased basis, becoming fully effective from 1 January 2024. The Regulation will introduce amendments to MREL and TLAC provisions in the CRR and to provisions of BRRD.

Protected Disclosures

On 21 July 2022, the Protected Disclosures (Amendment) Act 2022 (Protected Disclosures Act) was enacted, and it will enter into force on 1 January 2023.

The Protected Disclosures Act introduces amendments to the Protected Disclosures Act 2014 (2014 Act) by transposing Directive (EU) 2019/1937 (EU Whistle-Blowing Directive). Amongst the changes to be introduced by the transposition of the EU Whistle-Blowing Directive will be an expansion of the range of disclosures that can potentially avail of protections and will include financial services, products and markets, prevention of money laundering and terrorist financing, consumer safety and protection of privacy and personal data, and security of network and information systems.

Outsourcing and resilience

Outsourcing and operational resilience have been hot topics for the CBI for some time and the subject of recent discussion papers and consultations. In December 2021, the CBI published its Cross-Industry Guidance on Outsourcing and its Cross Industry Guidance on Operational Resilience, demonstrating the CBI’s focus in these areas. As banks are already subject to the EBA Guidelines on Outsourcing, the impact of the outsourcing guidance is somewhat lessened, although banks will need to be alive to the CBI’s own focus areas.

Irish Developments

Environmental, social and governance considerations are becoming an increasing area of regulatory focus. In November 2021, the CBI published a Dear CEO Letter addressed to RFSPs setting out the CBI’s expectations in relation to climate and broader ESG issues. The CBI will focus their supervisory expectations in five key areas: governance, risk management, scenario analysis, strategy and business analysis risk, and disclosures.

The CBI also announced the establishment of its Climate Risk and Sustainable Finance Forum, which seeks to bring together stakeholders to share knowledge and understanding of the implications of climate change for the Irish financial system. The Climate Risk and Sustainable Finance Forum held its inaugural meeting on the 29 June 2022.

EU Developments

Significant ESG developments also continue to impact the financial services regulatory framework at European level.

In 2018 the European Commission released its Action Plan for financing sustainable growth which sets out the regulatory roadmap of the EU in relation to ESG and sustainable finance. The action plan contains four legislative pieces: the Taxonomy Regulation, the Sustainable Finance Disclosure Regulation (SFDR), a regulation amending the benchmark regulation, and further amendments to delegated acts under MiFID II.

In June 2021, the EBA published a report on the management and supervision of ESG risks for credit institutions and investment firms, which sets out recommendations on how credit institutions can integrate ESG risks into business strategies, governance and risk management. This report should be considered in line with the disclosure publications under the CRR, the Taxonomy Regulation and the SFDR.

In accordance with Article 434a of the CRR, the EBA published, in January 2022, its final draft implementing technical standards (ITS) on Pillar 3 disclosures on ESG risks, which set out requirements for quantitative disclosure on ESG risks and provides for qualitative information on how institutions are imbedding ESG considerations.

Developments in ESG affecting banking include the finalisation of the Corporate Sustainability Reporting Directive (CSRD), which will amend the existing reporting requirements of the Non-Financial Reporting Directive (Directive 2014/95/EU) (NFRD). CSRD aims to make businesses more accountable by obliging them to disclose their impact on the environment and human rights. The reporting obligations will be introduced on a phased basis, with companies already subject to the NFRD falling within scope from 2024.

The European Commission has also adopted a proposal for a Corporate Sustainability Due Diligence Directive, requiring certain companies to identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment.