Employment in Financial Services

The Central Bank of Ireland (CBI) is responsible for the authorisation and supervision of regulated financial service providers (RFSPs) in Ireland. RFSPs can include credit institutions, credit unions, brokers/retail intermediaries; and other RFSPs such as electronic money institutions, insurance and reinsurance undertakings, investment firms and payment institutions. The regulatory regime applies in a bespoke way to each sector and its employees and tailored legal advice should be taken for a specific situation. The general principles of the regulatory framework are set out below.

Fitness and Probity

The primary regulatory regime applicable to employees of RFSPs is the Fitness & Probity ("F&P") framework under the CBI Reform Act 2010 (2010 Act) as amended. Its function is to assess and monitor the suitability of individuals for certain key positions, known as Controlled Functions (CFs), including Pre-approved Controlled Functions (PCFs). The general rule is that an RFSP cannot permit a person to perform a controlled function unless the RFSP is satisfied on reasonable grounds that the person complies with the F&P Standards prescribed under the 2010 Act and further set out in the regulations and Guidance prescribed by the CBI. A link to resources governing the F&P Standards is here.

Fitness relates to an individual's competency, experience, qualifications and capacity to perform the role (including time commitments and being free from conflicts of interest).

Probity relates to an individual's honesty, diligence, independence, ethics and integrity in performing their role.

Employers are required to perform due diligence to confirm that individuals they propose placing in CF roles are fit and proper. Employers are also required to hold a certificate of compliance in respect of each in scope employee, certifying that the employee complies with the F&P Standards. Employees of RFSPs must agree in writing to comply with the F&P Standards.

A breach of an individual's F&P obligations can result in criminal and administrative sanctions for the RFSP and suspension and disqualification for the individual from holding a controlled function.

Minimum Competency Requirements

The CBI also operates a minimum competency regime under the Minimum Competency Code 2017 and the CBI (Supervision and Enforcement) Act 2013 (section 48(1)) Minimum Competency Regulations 2017, which set out professional standards and competencies, and continuing professional development (CPD) requirements, for persons providing certain financial services and products across certain sectors e.g., credit union and insurance services.  The aim is to protect consumers by ensuring a minimum acceptable level of competence from individuals acting for or on behalf of RFSPs providing advice and information and associated activities (such as dealing with insurance claims or complaints), in connection with in-scope financial products.

The Individual Accountability Framework

The CBI (Individual Accountability) Act 2023 (the "2023 Act") was signed into law on 9 March 2023. The 2023 Act introduced a new Individual Accountability Framework ("IAF"):

• An enhanced Fitness and Probity Framework;
• New Common Conduct Standards, including Additional Conduct Standards for PCFs, applicable to employees and officers of RFSPs as well as Business Conduct Standards;
• The Senior Executive Accountability Regime ("SEAR"); and
• Administrative Sanctions Procedures ("ASP") which empowers the CBI to investigate and sanction individuals for breaches of their obligations under the IAF including the Conduct Standards and their F&P obligations.

The IAF commenced in Ireland from 29 December 2023. The F&P Framework and the application of the new Conduct Standards became effective from this date. Other parts of the IAF will be effective later in 2024.

Conduct Standards

Under the 2010 Act, both CFs and PCFs must take any step that is reasonable in the circumstances in the performance of their role, to ensure that they meet the requirements of the Common Conduct Standards. The Common Conduct Standards are explained in Guidance published by the CBI here. The Conduct Standards include the requirement to act with honesty and integrity, due skill and care, co-operate in good faith with the CBI, act in the best interests of customers and comply with applicable rules governing market conduct and trading as applicable to the relevant RFSP's sector. The F&P Standards set a standard that CFs and PCFs must meet to ensure that they are sufficiently skilled and have the competence and capability to perform their roles. Whereas the Common Conduct Standards impose positive, enforceable legal obligations on individuals in those roles, governing their conduct and requiring them to act in accordance with a single set of standards of expected behaviour. Employers must train their employees on the applicable Conduct Standards. Employees are required to attend at that training and to fully understand and comply with the Conduct Standards. Additional Conduct Standards apply to PCFs.

Senior Executive Accountability Regime

SEAR which applies to senior managers/officers holding PCF and CF1 roles, will be applicable from 1 July 2024. SEAR will come into force in respect of Non Executive Directors (NEDs) and Independent Non Executive Directors (INEDs) with effect from 1 July 2025.

In terms of the scope of application, SEAR will be introduced on a phased basis and will initially apply from 1 July 2024 to credit institutions, insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and insurance special purpose vehicles) and investment firms that underwrite on a firm commitment basis, deal on own account, or are authorised to hold client monies or assets; and third-country branches of the above.

However, the CBI has noted in its Consultation Paper 153 (CP153) that "there is much in the spirit of the SEAR that firms not initially failing within scope should consider as aligned with good quality governance". RFSPs which are not in Phase 1 of SEAR should therefore consider the presence of the new regime and whether it may be appropriate to comply with the spirit of SEAR by ensuring that individual responsibilities for senior managers are mapped and clearly allocated across the firm's senior management. This is to ensure that it is very clear who is individually accountable for what and in order to ensure that the business and its risks are being properly managed.

Business Standards

The 2023 Act provides for the ability of the CBI of Ireland (CBI) to prescribe the "Business Standards" for the purposes of ensuring that in the conduct of its affairs a firm:

1. acts in the best interests of customers and of the integrity of the market;
2. acts honestly, fairly and professionally; and
3. acts with due skill, care and diligence.

The Business Standards are obligations which apply to the RFSP.

Protected Disclosures Legislation – Whistleblowing

The Protected Disclosures Act 2014 as amended provides that all employers (with 50 or more employees) and most RFSPs regardless of head count (including MiFID firms, UCITS management companies, AIFMs, externally managed UCITS and externally managed AIFs)  have and maintain secure, confidential and effective internal reporting channels and investigation procedures that comply with its requirements. Employees and other workers, including INEDS and NEDS as well as contractors have significant anti retaliation protection in connection with making a protected disclosure. Employers are required to appoint a designated person to acknowledge a report within 7 days, make diligent inquiries and to follow up with the reporter within three months in relation to the progress/outcome of the investigation. The Central Bank (Supervision and Enforcement) Act, 2013 as well as the European Union (Market Abuse) Regulations, 2016 set out whistleblowing requirements for in scope employees and anti retaliation protection.

In the UK, there are two main regulators responsible for the supervision of financial institutions. These are:

• The Prudential Regulation Authority (the PRA) – The PRA supervises over 1,500 financial institutions, including banks, building societies, credit unions, insurance companies and major investment firms. It creates policies for these institutions to follow and watches over aspects of their business.
• The Financial Conduct Authority (the FCA) – The FCA regulates the conduct of approximately 50,000 firms, prudentially supervises 48,000 firms, and sets specific standards for around 18,000 firms.

Some financial institutions are regulated by both the PRA and FCA (dual-regulated). Those financial institutions must comply with rules set down by the PRA in its rulebook (the PRA Rulebook) and by the FCA in its handbook (the FCA Handbook). Other firms are regulated solely by the FCA (solo-regulated) and must comply with the FCA handbook alone. Different rules can apply depending on the nature and size of the firm. The PRA and FCA work closely on certain issues and firms, but the FCA focuses specifically on ensuring fair outcomes for consumers.

The Senior Managers and Certification Regime (SM&CR) sets out how the UK regulators oversee people in businesses supervised and regulated by them, and how those people must act. As the FCA has summarised, “The SM&CR aims to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence” (https://www.fca.org.uk/firms/senior-managers-certification-regime).

SM&CR consists of three elements:

• The Senior Managers Regime (SMR) – This applies to the most senior people in a firm (senior managers) who perform one or more senior management functions (SMFs). These functions are specified in the PRA Rulebook and the FCA Handbook. Senior managers must be pre-approved by the PRA or FCA before starting their roles. Each senior manager must also have a “Statement of Responsibilities” (that sets out what they are responsible and accountable for), which may include (depending on the firm) certain responsibilities prescribed by the regulator known as “Prescribed Responsibilities”. Every year, senior managers must be certified as fit and proper to carry out their role by their firm.
• The Certification Regime (CR) – This applies to employees who, because of their role, could pose a risk of significant harm to the firm or its customers, such as employees who offer investment advice (certified staff). For solo-regulated firms, these roles are generally called certification functions. Firms must certify that these employees are fit and proper for their roles both at the outset of their employment and continuously.
• The Conduct Rules – The Conduct Rules set minimum standards of individual behaviour in financial services in the UK. They apply to almost all employees of a firm. They also include particular rules applicable only to senior managers.

Certain parts of SM&CR apply to particular firms only. This is outside the scope of this note, which sets out the general position under SM&CR.

RFSPs must satisfy themselves that all CF and PCF candidates or employees comply with the F&P Standards. Pre-employment due diligence must be performed, including asking the candidate to certify they will comply with the F&P Standards and notify the RFSP immediately of any change in circumstance that may mean they no longer comply. Employers must continue to ensure that in scope employees comply with the F&P Standards and must complete an annual declaration to this effect. This means that due diligence must continue throughout the employment relationship and not just at the recruitment stage.

Candidates for PCF roles must complete an online individual questionnaire, which is submitted to the CBI in advance of appointment to the role through the Central Bank portal. The CBI must grant its approval for the PCF appointment before a candidate can take up the role. Any PCF offer of employment must be conditional on that approval being obtained. The CBI may request applicants attend an interview as part of the approval process.

Employers should take all reasonable steps to secure references from previous employers in order to due diligence the candidate's compliance with the F&P Standards and their suitability for the role. However, an employer is not obliged to issue a reference in respect of a former employee which means that a prospective employer may not be able to secure a reference from a previous employer.  The CBI does not oblige employers to either issue or obtain a reference as part of screening checks, however employers must make good efforts to do so.

There are material obstacles from a data privacy and practical perspective to employers conducting criminal background checks in relation to prospective employees. Data relating to criminal convictions is special category data under the GDPR. Employers would need to satisfy both Article 6 and Article 9 requirements under the GDPR to justify the processing of this data. In terms of Article 9, this means employers would need to show reasons of substantial public interest or that they are carrying out their legal obligations in processing the data.  In terms of Article 6 the employer will need to show that the processing is necessary to comply with a legal obligation to which the employer is subject or the processing is necessary for the employer's legitimate interests for example to ensure the suitability and honesty of its employees and to protect its reputation. Employers are also prevented from asking candidates about "spent convictions" which are usually minor criminal offences dating back over seven years.

Pre-employment medical checks must also have a clear legal basis justifying the processing of an employee's medical and health information.

For employees subject to the SMR, anyone performing an SMF must be pre-approved by the relevant regulator before they can start their role. Generally, firms that wish to employ a senior manager must first carry out sufficient due diligence to satisfy themselves that the candidate is a fit and proper person to perform their proposed functions. In this regard, firms must consider the individual’s qualifications, training, competency and personal characteristics. The firm must also carry out a criminal records check. They may then apply to the relevant regulator for that candidate’s pre-approval. In the firm’s application, all matters relating to the candidate’s fitness and propriety must be disclosed. The firm must also enclose a statement of that individual’s proposed responsibilities and (depending on the firm) the latest version of the firm’s management responsibilities map.

For employees subject to the CR, before the appointment and annually thereafter, these employees must be certified by the employing SM&CR firm as being fit and proper. Certification does not involve pre-approval by the FCA or PRA.

Additionally, firms must comply with the regulatory reference rules for all candidates subject to either the SMR or CR before their employment. These rules require employing firms to request a regulatory reference from all previous employers covering the past six years of employment. Information must be shared between regulated firms using a particular template, which includes information relevant to assessing whether a candidate is fit and proper. Firms are also expected to retain records of disciplinary and fit and proper findings going back six years for their employees (or longer for findings of gross misconduct), and they must update regulatory references that they have previously given where new significant information comes to light that would impact the content of a previously given regulatory reference.