Central Bank enforcement on safeguarding – BlueSnap Payment Services Ireland Limited

Background

The Central Bank of Ireland (CBI) recently reprimanded and fined BlueSnap Payment Services Ireland Limited (BlueSnap) for contraventions of the European Union (Payment Services) Regulation 2018 (PSR 2018) between 1 January 2021 and 1 December 2022. A 30% settlement scheme discount was applied to the fine, bringing the monetary penalty to €324,240.

BlueSnap, a provider of merchant acquiring services, was authorised as a payment institution by the CBI in 2020 on the basis that: (i) it had established a designated safeguarding account in Ireland; (ii) all funds received in respect of payment transactions would be segregated from all other BlueSnap funds until payment was made to the recipient and the transaction was thereby settled; and (iii) funds would be reconciled on a daily basis.

In what is the second settlement to have been reached under the revised Administrative Sanctions Procedure (ASP), the CBI found that BlueSnap allowed the co-mingling of funds and knowingly provided payment services to users prior to the requisite safeguarding account becoming operational.

This enforcement action highlights the importance that the regulator places on timely and accurate reporting by firms, as well as its focus on potential rather than actual loss and detriment to consumers when assessing the gravity of regulatory contraventions.   

Facts and findings

Under the PSR 2018, payment institutions are obliged to have in place a number of safeguarding mechanisms in order to protect customers’ funds pending a payment being made. Such measures ensure that, if a firm were to become insolvent, there would be sufficient funds to reimburse customers fully and promptly.

BlueSnap admitted to allowing users’ funds to be mixed with non-users’ funds (Prescribed Contravention 1) and to failing to deposit users’ funds in a designated safeguarding account (Prescribed Contravention 2).

The investigation was prompted by two notifications made by BlueSnap to the CBI for safeguarding breaches in April 2021 and February 2022. In January 2022, the CBI issued a Risk Mitigation Plan (RMP) and separately required BlueSnap to: (i) undertake a third-party review of safeguarding; (ii) hold an additional 20% of its own funds; and (ii) facilitate a third-party review of the effectiveness of its internal controls and governance structures.

Although BlueSnap had opened a designated safeguarding account in December 2020 in line with the submissions made in its authorisation application, users’ funds were not being deposited in this account until June 2021 – in part because BlueSnap had not yet fully transferred its EEA merchant customers from BlueSnap UK to the Irish entity. EEA customer funds were therefore being deposited in and paid out of accounts belonging to BlueSnap UK. Due to inter-company arrangements, the mixing of funds as between EEA and UK users continued for a further 18 months after the designated safeguarding account became operational.

BlueSnap additionally admitted to delaying to notify the Central Bank of: (i) the issues in Prescribed Contraventions 1 and 2 by five and three months respectively; and (ii) that its designated safeguarding account was not reconciled in the manner set out in the application for authorisation by seven months (Prescribed Contravention 3).

Prescribed Contravention 3 specifically included:

• The failure to report to the CBI “without undue delay” the fact that the designated safeguarding account was not operational. While BlueSnap appears to have argued that the CBI was informed of this in tandem with BlueSnap’s board, the CBI noted that two board members were aware of the issues from January and February 2021.
   
• The delay in furnishing the CBI with an independent audit report. The CBI noted that there had been a number of engagements between the regulator and BlueSnap on the topic of safeguarding between the date on which the report was finalised (December 2021) and when it was provided to the CBI (February 2022). Furthermore, the issues confirmed in the report had been identified by BlueSnap itself when it was considering the appointment of an independent auditor. On that basis, the CBI took the view that BlueSnap was “aware” of the issues at the time of instructing the auditor.

The CBI asserts in the Settlement Notice that “[a]ny change in the information provided by BlueSnap in its application for authorisation should have been notified to the Central Bank without delay.”

Conclusion

With this investigation, the CBI has indicated that “the safeguarding of customer funds has been, and will continue to be, a key area of supervisory focus for the Central Bank." It is also evident from this enforcement action that, when calculating sanctions under the new ASP, the CBI will have regard to potential loss and damage caused to consumers. More generally, the CBI has reaffirmed the importance of providing accurate information in regulatory reporting processes as well as its expectation that firms will take opportunities to disclose relevant information without being formally prompted to do so.

For more information, and how ALG can assist your business, please contact Dario Dagostino, Partner, Patrick Brandt, Partner, Mark Devane, Partner, Chloe Culleton, Partner, Ciarán Rogers, Partner, Laura Mulleady, Partner, Sinéad Lynch, Partner, Laura Corrigan, Senior Associate, Louise Hogan, Associate, Sarah Lee, Senior Knowledge Lawyer, or your usual ALG contact.