YEARBOOK & DIRECTORY
Finance Dublin Yearbook 2024
Building a positive relationship with the Central Bank of Ireland
Relationships between regulated firms and the Central Bank of Ireland are crucial for managing risk events and regulatory breaches effectively when they inevitably occur writes Forvis Mazars’ Kian Caulwell. Establishing a constructive relationship based on mutual respect and trust makes for a smoother engagement process and better outcomes, he writes.
The relationship between regulated financial service providers (RFSPs) and the Central Bank of Ireland (CBI) is crucial for managing risk events and regulatory breaches effectively when they inevitably occur. Establishing a constructive relationship based on mutual respect and trust makes for a smoother engagement process and better outcomes.
Indeed, firms face sanctions from the CBI, penalties often result not just from the breach itself, but also from how it’s managed afterward, including the engagement with the CBI.
Engagement with the CBI typically falls into two categories: initiated by the CBI, such as routine compliance monitoring inspections, or triggered by firms notifying the CBI of a change in business strategy, regulatory breach or risk event.
In all cases, the CBI is mainly interested in certain key aspects. The first is timely notification, where the event is of such a magnitude that it warrants notification. After that, the regulator wants to know that the event or breach has been identified quickly, that a thorough root cause analysis has taken place and steps put in place to prevent recurrence, and that appropriate remediation actions have been taken including restitution of any customer losses.
The notification aspect can sometimes present problems for smaller organisations that do not have regular engagement with the CBI or do not have a dedicated supervisor within the CBI. It can be difficult for them to know what constitutes a notifiable event. Establishing internal parameters for notification, possibly with external guidance or CBI consultation, is crucial for these organisations.
When it comes to notifying the CBI, it is important to remember that no organisation is perfect and risk events and breaches will happen from time to time. What matters most is the process in place for identifying operational risk events, establishing their root cause, identifying their wider impacts, deciding on and implementing the steps necessary to prevent them from happening again, the look-back review to establish how it happened, and to identify and implement the remediation actions required.
There is an understandable nervousness on the part of many firms in relation to informing the CBI of breaches or other events. No one likes to admit failings, particularly to outsiders. However, financial service firms need to understand that they will be given the opportunity and the time to address breaches and events notified to the CBI.
On the other hand, any delay in informing the CBI will undermine trust. After all, how can the regulator trust a firm to address events and carry out remediation expeditiously if the organisation has dragged its feet in notifying them?
Worse still, if the CBI uncovers breaches and events during a routine supervisory engagement or inspection that haven’t been dealt with by the firm, the competence of the organisation and its ability to comply with regulations and prevent breaches will be called into question.
The conduct and tenor of the supervisory or regulatory engagement are critically important. In the first instance, it is essential for firms not to approach the engagement in an adversarial fashion. The CBI is not the enemy, and every effort should be made to depersonalise the situation and ensure that everyone involved understands that the CBI just wants to see effective systems and controls in place for the identification, root cause analysis, and remediation of events.
Organisations should therefore approach engagements in a spirit of openness and transparency. This means taking the process seriously and preparing for it.
The notification issued by the CBI will detail the areas that will be subject to inspection. This gives firms the opportunity to gather information and documents and to prepare staff who will be involved in the engagement. However, where documents are not explicitly requested but may be relevant, these should be provided. Firms should be proactive and not wait to be asked. In addition, where information is not available, for whatever reason, the firm provides a concise explanation of why, proposes a timeline for its provision, and offers alternative information if appropriate.
The regulator expects firms and their staff to act in good faith and to proactively make it aware of any issues it needs to know about.
And where a staff member does not have the answer to a question, they should be prepared to admit it and undertake to come back with the information required at a later point. However, they must follow up quickly and not wait to be chased by the regulator. Any perceived delay could damage the process.
This is not to say the firms should simply accept without demur everything the CBI has to say. Nothing is ever so cut and dried that there is not legitimate cause for disagreement. There should be a healthy degree of tension in the relationship, but also a high level of respect in how the parties engage with each other. When there is a dispute, the firm should put forward its argument in a respectful way and discuss it in a reasonable fashion and not go straight to legal correspondence.
The other element of the process is the feedback provided by the CBI. This can include steps to take to remediate breaches and events and areas for improvement. Organisations should respond positively to this feedback and implement the advice wherever possible. There may be differences of opinion, of course, but the time will come for the firm to stop arguing and demonstrate that it is heeding the feedback and remediating the issue in a timely manner.
Finally, it is also important for firms to take the feedback, have appropriate conversations about it internally, and put a plan in place for the implementation of the recommendations. The CBI should be informed of the plan and how and when it is to be implemented. It is critically important that these commitments are met and that the firm doesn’t find itself receiving the same feedback following a subsequent engagement – that would have a seriously negative impact on the relationship and lead to more problems down the road.
Indeed, firms face sanctions from the CBI, penalties often result not just from the breach itself, but also from how it’s managed afterward, including the engagement with the CBI.
Engagement with the CBI typically falls into two categories: initiated by the CBI, such as routine compliance monitoring inspections, or triggered by firms notifying the CBI of a change in business strategy, regulatory breach or risk event.
Kian Caulwell: A constructive relationship with the Central Bank of Ireland can make for a smoother engagement process and better outcomes for regulated entities.
In all cases, the CBI is mainly interested in certain key aspects. The first is timely notification, where the event is of such a magnitude that it warrants notification. After that, the regulator wants to know that the event or breach has been identified quickly, that a thorough root cause analysis has taken place and steps put in place to prevent recurrence, and that appropriate remediation actions have been taken including restitution of any customer losses.
The notification aspect can sometimes present problems for smaller organisations that do not have regular engagement with the CBI... Establishing internal parameters for notification, possibly with external guidance or CBI consultation, is crucial for these organisations.
The notification aspect can sometimes present problems for smaller organisations that do not have regular engagement with the CBI or do not have a dedicated supervisor within the CBI. It can be difficult for them to know what constitutes a notifiable event. Establishing internal parameters for notification, possibly with external guidance or CBI consultation, is crucial for these organisations.
When it comes to notifying the CBI, it is important to remember that no organisation is perfect and risk events and breaches will happen from time to time. What matters most is the process in place for identifying operational risk events, establishing their root cause, identifying their wider impacts, deciding on and implementing the steps necessary to prevent them from happening again, the look-back review to establish how it happened, and to identify and implement the remediation actions required.
There is an understandable nervousness on the part of many firms in relation to informing the CBI of breaches or other events. No one likes to admit failings, particularly to outsiders. However, financial service firms need to understand that they will be given the opportunity and the time to address breaches and events notified to the CBI.
On the other hand, any delay in informing the CBI will undermine trust. After all, how can the regulator trust a firm to address events and carry out remediation expeditiously if the organisation has dragged its feet in notifying them?
Worse still, if the CBI uncovers breaches and events during a routine supervisory engagement or inspection that haven’t been dealt with by the firm, the competence of the organisation and its ability to comply with regulations and prevent breaches will be called into question.
The conduct and tenor of the supervisory or regulatory engagement are critically important. In the first instance, it is essential for firms not to approach the engagement in an adversarial fashion. The CBI is not the enemy, and every effort should be made to depersonalise the situation and ensure that everyone involved understands that the CBI just wants to see effective systems and controls in place for the identification, root cause analysis, and remediation of events.
Every effort should be made to depersonalise the situation and ensure that everyone involved understands that the CBI just wants to see effective systems and controls in place for the identification, root cause analysis, and remediation of events.
Organisations should therefore approach engagements in a spirit of openness and transparency. This means taking the process seriously and preparing for it.
The notification issued by the CBI will detail the areas that will be subject to inspection. This gives firms the opportunity to gather information and documents and to prepare staff who will be involved in the engagement. However, where documents are not explicitly requested but may be relevant, these should be provided. Firms should be proactive and not wait to be asked. In addition, where information is not available, for whatever reason, the firm provides a concise explanation of why, proposes a timeline for its provision, and offers alternative information if appropriate.
The regulator expects firms and their staff to act in good faith and to proactively make it aware of any issues it needs to know about.
And where a staff member does not have the answer to a question, they should be prepared to admit it and undertake to come back with the information required at a later point. However, they must follow up quickly and not wait to be chased by the regulator. Any perceived delay could damage the process.
This is not to say the firms should simply accept without demur everything the CBI has to say. Nothing is ever so cut and dried that there is not legitimate cause for disagreement. There should be a healthy degree of tension in the relationship, but also a high level of respect in how the parties engage with each other. When there is a dispute, the firm should put forward its argument in a respectful way and discuss it in a reasonable fashion and not go straight to legal correspondence.
The other element of the process is the feedback provided by the CBI. This can include steps to take to remediate breaches and events and areas for improvement. Organisations should respond positively to this feedback and implement the advice wherever possible. There may be differences of opinion, of course, but the time will come for the firm to stop arguing and demonstrate that it is heeding the feedback and remediating the issue in a timely manner.
Finally, it is also important for firms to take the feedback, have appropriate conversations about it internally, and put a plan in place for the implementation of the recommendations. The CBI should be informed of the plan and how and when it is to be implemented. It is critically important that these commitments are met and that the firm doesn’t find itself receiving the same feedback following a subsequent engagement – that would have a seriously negative impact on the relationship and lead to more problems down the road.
Kian Caulwell is Partner and Head of Financial Services Consulting at Forvis Mazars.