The letter provides firms with the opportunity to stand back, reflect on their current frameworks and controls and make necessary enhancements.

Many firms will need an uplift in their existing frameworks to meet supervisory expectations. Firms should adopt a proactive and risk-focused culture to support the business during times of growth or challenge.

The CBI identified five key areas with supervision deficiencies across the industry. Below, we set out points to consider when shaping your response to the letter.

1. Safeguarding

Ensuring the protection of users’ funds is one of the CBI’s most important objectives. Deficiencies identified indicate that firms may not have robust safeguarding arrangements in place.

Points to consider:

• Is my current board-approved risk management framework robust? Have I performed a detailed gap analysis against the relevant regulatory requirements?
• Has internal audit or an independent firm assessed and tested my framework’s design and operating effectiveness?
• What proactive steps can I take to prepare for the external assurance of my compliance with safeguarding requirements required by the CBI? 

2. Governance, risk management, conduct and culture

The CBI expects a mature and customer-centric approach to regulatory compliance.

Points to consider:

• Are my governance, risk management and internal control frameworks appropriately aligned and tailored to the supervised entity? Has my business outgrown existing frameworks, or are they still fit for purpose?
• Is my board reporting optimised? Is the information presented sufficient to allow for appropriate risk-based decision-making?
• Are the compliance, risk management and internal audit functions adequately resourced and focused on the legal entity and its risks?

3. Business model, strategy and financial resilience

A core objective of the CBI is to ensure systemic stability in financial service sectors.

Points to consider:

• Is my business strategy tailored to the Irish regulated entity?
• Do I have a process for board approval and CBI notification for material changes to my business model? Is my stress-testing fit for purpose? Have I considered an appropriate range of stress/downside scenarios to address regulatory expectations fully? 
• Is my exit/wind-up strategy up-to-date and fit for purpose?

4. Operational resilience and outsourcing 

Firms are expected to recognise the risks associated with technology, anticipating the disruptions that might be possible and preparing measures to mitigate those issues should they arise.

Points to consider:

• Have I performed a comparative assessment of the adequacy of my current operational resilience frameworks in the context of the CBI’s guidelines?
• Where I rely on third parties, do I have the skills and knowledge to understand the associated risks and assess whether these are adequately mitigated?
• What processes are in place for incidents and outages, including those of third-party providers?

5. Anti-money laundering (AML) and countering the financing of terrorism (CFT)

The CBI has stated its expectation that AML/CFT frameworks are based on a comprehensive risk assessment. However, weaknesses remain evident from the CBI’s supervisory engagements.

Points to consider:

• Are my AML/CFT controls robust, risk-sensitive and appropriately tailored? 
• How do I assess the appropriateness of the operation of controls by distributors and agents on my behalf? How do I ensure that controls are operated in line with my risk assessment, policies and procedures?
• Where I am availing of derogations have I performed and documented a robust and appropriate assessment for their use?

The three key actions to take now

1. Use the ‘Dear CEO’ letter as an opportunity to take stock

Early engagement is critical. While the CBI identifies a range of areas requiring attention, the letter provides boards with the opportunity to stand back and take stock of entity-specific governance, risk management and control frameworks. Boards should challenge themselves and management and proactively identify areas for enhancement and develop plans to monitor progress. Swiftly addressing issues identified will help in meeting supervisory expectations.

2. Don’t ignore the broader context of the ‘Dear CEO’ letter— be proactive across risk and compliance

While there is a clear focus on safeguarding, the ‘Dear CEO’ letter reaffirms a broader supervisory agenda. Boards should consider where AML/ CFT, financial and operational resilience, outsourcing, business model and conduct risk appear on planned activities for 2023. Boards should ensure that internal audit, compliance assurance and risk assurance plans for 2023 are aligned with the CBI’s focus areas.

3. Prepare for intensive scrutiny of your compliance with safeguarding requirements

The CBI has identified a broad range of areas to consider as part of the safeguarding review before the 31 July deadline. Ensure that safeguarding is top of your agenda. You must demonstrate that your documented safeguarding process is fully embedded in your business and facilitates compliance with regulatory expectations.