KPMG Law: The Start-Ups Path to CASP Authorisation

[00:00] Introduction

[0:13] Paul: Hello and welcome to the Blockchain Leaders Insights series from Blockchain Ireland. My name is Paul Hearns. I’m co-chair of the Events and Comms Working Group. I’m joined here today by Christopher Martin, partner with KPMG Law, and we’re going to be talking about the startup’s path to CASP authorisation. And we’re also joined by Neil Fleming, Executive Director of Fortuna Solutions, who’s going to give us some insights and experiences from the startup and founder’s perspective. So, Chris, first of all, tell us a little bit about your own background, how you came into the area, and then your current role.

[0:53] Christopher: Sure. So I’ve been working in financial regulation now for, oh God, probably 15 years plus. I started off in the central bank back in the day in their legal and policy unit and enforcement and then ultimately went on to private practice as a regulatory lawyer in A&L Goodbody. Very much came from a kind of a, what I’d say is a more traditional background, looking at things like, you know, financial regulation for banks, payment institutions, investment firms, etc. And then over the years, probably starting six, seven, eight years ago, we started getting queries in terms of crypto assets that were being issued or projects that were looking to be undertaken in the digital space. That then obviously developed over the years to obviously a decent interest I would say in DLT and its applications not just on the crypto side more generally and how that would develop from a regulatory perspective. So we saw from the very nascent start of it, right up to more recently the VASP application, so the application of anti-money laundering, which would have been one of my main areas of practice as well. And now, obviously, the upcoming CASP applications has really kind of moved the dial in terms of the level of regulation being imposed on the area. So that’s kind of where I came to it and my own personal interest on how regulation will ultimately kind of fit around these particular structures.

[2:23] Paul: And what attracted you initially, say, from a professional perspective to get into the blockchain, the crypto side of things? Because I suppose part of the early perception certainly would not necessarily have been favourable in that very traditional side of things.

[2:44] Christopher: Probably true. And I think it’s certainly one of my main areas of focus has always been kind of in and around payments. And I think kind of post the first payment services directive, we had a lot of payment service providers, a lot of new FinTech’s coming in looking at alternative ways of making payments particularly. Crypto kind of to me seemed like a potential development in that space and as a bit of a in my interest in payments was certainly peaked with some of the early potential use cases for it. As it developed and as I saw you know greater exposure to retail customers, general consumers, it very quickly became apparent to me they were going to have to put some sort of regulatory framework around this because from a consumer protection perspective you know you might say okay the original use case was for payments but it very quickly became a fairly volatile quasi-investment type situation without any clear regulation there were then a lot of scandals FTX etc where people’s money was effectively misused um and therefore from a regulatory perspective it was clear to me that money laundering was the first one because obviously we had you know the dark web being used and cryptocurrencies being used to facilitate illegal transactions but then people buying it you know normal people in the street losing money so you’re going to have to have things like client protection or client asset protections, consumer protection etc and once all that came in then we’re kind of in the situation where we are now and I expect it to develop further in the next few years as well. So it’s probably how did I get interested? Because I’m a bit of a kind of regulatory and payment nerd, I suppose, and it was a new and a novel thing to look at. I like the tech and it’s an interesting thing to look at from a regulatory and legal perspective.

[4:43] Paul: Certainly, certainly. And Neil, tell us a little bit about yourself and Fortuna and how you came into the space as well.

[4:52] Neil: Well, I’m from a traditional financial background. I was with AIB Capital Markets for close to 20 years, you know, and post-crisis, they sold off all the profitable bits. And I worked with a couple of companies through those acquisitions, you know, and then got involved in a startup to a client who came in, who was looking for servicing in the mortgage space. And we were ready to launch a brand new mortgage business in Ireland. But unfortunately there was a last minute funding hiccup. So, I’ve been very involved, let’s say, on the client side with a number of financial areas. So I’m a non-exec director of a number of different businesses, all in the financial sphere, but quite diverse. And a colleague who I used to work with in the AIB days came to me and said. He had this custodian, Fortuna, Fortuna Digital Custody, and they were going for a VASP application, as Chris has mentioned. It was a new regulatory regime. You know, he wanted me to come on board and, you know, help him out with that application process and try and move it forward and then develop the business from there. You know, so Fortuna just got registered with the Central Bank this year, back in May. You know, we’re one of the few Irish-based businesses, you know, let’s say that have been regulated or registered so far with the Central Bank. You know, the majority of them are foreign-owned. You know, we’re actually principally Irish-owned. You know, and we’re now actually started the process of the CASP application under MiCA, you know, which we will, you know, we have a very short timeframe, you know, of a year. And I’m sure Chris will go into that in more details, you know, but, you know, we’re starting the heavy lifting on that actual process as well. And we’ve been engaging with the central bank so far and sort of how to take that forward and their expectations actually, you know, which again, I know Chris will put plenty of views on, but we’ve actually had some practical experience of that, you know, and one of the realities of the MiCA process, it’s actually very truncated. You know, at the moment, you know, and there’s rumours that it might be extended, but at the moment, you know, those firms who are operating as VASPs must be registered or regulated by the central bank by the end of next year. You know, which even if you just take the existing population of VASPs, which is not very big in Ireland. But there’s an existing population, there’s quite a tight timeframe for the central bank to operate under. So it’ll be very interesting to get Chris’s insight on how that’s going to actually work out.

[7:27] Paul: Well, what I’d like to do is just take a little step back because we’re coming at this from, say, a startup’s path to CASP authorisation. However, as you pointed out, there’s already some entities that are authorised under the previous set of regulations. So let’s just take a step back for a second, first of all, and say for the section of the audience who might already be in that sort of startup mode, what exactly is a crypto asset service provider regulation set up? What are they aiming for? Who does it apply to? And then we’ll kind of take a little bit of the historical context from there.

[8:12] Christopher: Yeah, sure. And so in terms of who it applies to, so crypto asset services is obviously defined under MiCA. But for example, it will include anyone who’s exchanging fiat currencies for cryptocurrencies, cryptocurrencies for other cryptocurrencies, operating as a market, providing custody related services, execution of orders in relation to it. It’s very much in terms of the regulatory framework derived from things like the Payment Services Directive, MIFID, so that’s the Marketing Financial Instruments Directive, so dealing with investment services effectively. So they’ve used very similar language and wording in there to say if you’re doing these types of services, but in respect of crypto assets or digital assets, then you will need to be a CASP. In in terms of expectations from a kind of a startup perspective I think as you already point out there are kind of two bodies either you’re coming to MiCA as a CASP kind of cold and you’ve not had any previous operations or you’re coming to it from the perspective of a VASP who’s already gone through a fairly extensive engagement with the central bank to get the VASP registration in the first place. I still think kind of maybe turn into the VASPs i think it’s worth pointing out that currently that regime only supervises them for money laundering. Now the central bank obviously still has expectations around how that there is kind of corporate governance and how that’s managed from a an internal perspective and a compliance perspective but there will be a big step up in terms of the regulatory universe and environment and central bank expectations, on CASPs when they move from being a VASP to a CASP. The same considerations will obviously apply for someone who is a completely brand new startup. And I think, you know, what I’ve often found with startups, they can be surprised by the level of regulation already in the space and expectations that they’ll have to comply with. It’s not just MiCA. And, you know, as a regulated entity, the central bank has views in terms of how all regulated entities should work. So looking at things like consumer protection, internal governance, obviously money laundering and financial sanctions. It has expectations around operational resilience. So, you know, how do you plan for things to go wrong and how do you ensure business continuity in the event of an issue and outsourcing as well? So there’s all of these kind of disparate areas that I think people coming to it cold don’t really think about when they’re coming from an unregulated space or as a startup and they think, well, that’s a great idea. And then you kind of sit down and you say to them, well, have you thought about X and Y? So we had a very good conversation with someone recently and kind of after we had the initial sit down and we kind of went through it and I said, well, have you thought about, you know, the payment flows and who’s handling funds? There and who’s doing that bit you can use a third party provider or are you going to act effectively as a merchant you know and receive funds have you got a merchant acquirer who’ll process the card payments for you again all of these moving parts that maybe when you start up you think yes I have a really good novel idea but the actual implementation particularly in a regulated space can be quite challenging so I think that that goes for a fast and anyone coming to it cold as a brand new CASP but at least the VASPs have had some experience of it I think from their dealings with the central bank.

[11:50] Neil: But I suppose building on what Chris is saying here you know like it isn’t just MiCA you know and CASP legislation. Like a key component of that is DORA you know and DORA brings a lot of firms into scope as well. Now there’s certain carve outs depending on size and so on but it’s quite easy to get ingrained in the full requirements of DORA. You know which goes fundamentally to how you manage your technology, you know, and how you manage the risks, you know, of hacking and business resumption and all those, you know. So it is quite a broad universe of legislation and requirements that feed into setting up a business in a regulated space, you know. And even, you know, if you make that choice in your business model to outsource certain aspects, you know, you have a responsibility as a regulated business to make sure that the outsourcer is able to perform the work at the first time, is able to do it in a regulatory compliant fashion, you know, and, you know, you back up, you know, solutions, you know, if for some reason they fail, you know, so there’s a lot of moving parts that have to come into a regulated business.

[13:01] Paul: Indeed. Okay.

[13:02] Christopher: Yeah. And even, I mean, just adding to that, I think it’s important that not all people working in the DLT space or in the startup space will ultimately fall within MiCA. But they may be providing services that are supporting either MiCA authorised entities, so other CASPs or bigger institutions potentially who are looking to have either an internal DLT project. You know, I’m aware that some of the big institutions are looking at DLT for the use for liquidity management. Again, that’s not going to be regulated specifically, but if you are dealing with the big institution, they’ll be under DORA. They’ll need to understand how you’re going to support them from an operational resilience perspective. So even if you’re not regulated, you may be impacted by all of these regulations if you’re operating in that kind of adjacent space.

[13:52] Paul: And in terms of, say, some of the startups that you may have worked with already, and I know startup is a very loose term, that could be something that’s already a large organisation. It could be something that’s, you know, somebody with a keen idea. But in terms of, say, the creation of a new business, as you mentioned, that is working with a novel application of something, what’s the general kind of level of preparedness that you see for engaging with regulation?

[14:24] Christopher: I think there’s a broad scope, I would say, of preparedness. But I think overall, I think people underestimate the amount of work that needs to be done. And I think when you talk to, you know, both clients have been through the process with the central bank and also, you know, the feedback from the central bank quite frequently is people haven’t necessarily gone into the level of detail that they needed to do so, whether that be around, you know, could be payment flows, could be internal governance. So have they thought about, you know, who’s taking responsibility for, I don’t know, AML compliance specifically? That’s just by way of example. they may have for example group interactions. How are they feeding through those group interactions has group got you know an expectation in terms of running the Irish business which maybe is going to be inconsistent with the central bank’s expectations and managing those. I think when you do go for authorisation preparation is absolutely key um unfortunately we still haven’t got a formal application form from the central bank but we know broad brush strokes what’s going to be in it to be fair and if you’re working with you know third-party providers who have been through the process with investment firms payment institutions etc the process will be broadly similar but the central bank will ask hundreds of questions yeah and that’s not an underestimation and it’s not because they think your business model is bad It’s not because they, you know, have particular issues with it. But the central bank is quite, places a lot of scrutiny on regulated entities. There’s quite a high bar of entry to get past the central bank because they really need, in order to effectively supervise and oversee your business, they need to really get under the hood and really need to understand what you’re proposing to do. Does it stand up from a financial perspective? Does it stand up from a regulatory and compliance and governance perspective? And how are they going to effectively supervise that going forward? So I think people should almost put on the hat of the central bank and think to themselves, well, how are they going to effectively supervise me and I need to make sure I’ve given them sufficient information, that they can get comfortable that this is a well-run business. You know, we know what we’re doing and we’ve got, capital behind us and the support from a, you know, a technology perspective as well and operational resilience.

[17:05] Paul: And just in terms of an approach, so let’s say in an ideal situation, you get to speak to a business early to, you know, and they realise that they need to go on this authorisation path. So you get to have that initial conversation with them. What kind of approach do you take because in anticipating the type and the level of questioning that would come from the central bank obviously you have to cover a wider aspect as well say in terms of making them aware of what that process will be like but also some of the other processes that may be attendant as well. So you know what do you start with? Do you start with a checklist? Is there, you know, is it just a broad conversation first? How do you professionally approach that?

[17:54] Christopher: My own personal approach is always to say, well, first things first, you need to understand the regulatory perimeter. So which bits of your business or your proposal are in scope and which specific permissions do they fall under the relevant legislation? Whether that be MiCA, whether it’s MIFID, whether it’s payment services. You need to understand what you’re firstly going to go to the central bank and be asking for. Because ultimately the central bank won’t give you something if you’re not going to use it. And you need to be able to stand over your analysis. So the first thing is usually to say, okay, well, let’s get a legal analysis of that done because the central bank will probably say, well, have you looked at it? Do you understand your business model? The second piece is to say that there’s not just lawyers who usually get involved in these things. There’s a broader regulatory consulting piece or management piece, which is helpful in framing the broader documentation. So things like a program of operations, business plans, et cetera. I can’t do the figures. I can’t do your monetary projections. So you’ll need to get, you know, further accountants on board to look at the projections, to stand over them and do the capital projections and the year end projections. So there’s a big team of people needed to support organisations and some need more support than others, depending on who they have internally the other thing I usually make a point of saying is you need to understand which roles you’re going to have inside the organisation so what size is your board going to be what’s the composition you know central bank has expectations around independent non-executive directors.

[19:33] Christopher: Are you going to where you will definitely need a head of finance head of compliance head of risk you know amongst others chief operations officer etc have you thought about well, who’s going to do that? Have you got a hiring process in place to go and find those people and are you proposing to dual hat them and triple hatting is off the table central bank is not going to allow that anymore and so usually when they’ve come to me it’s either someone from group level or someone who is a founder who is looking to set it up and they maybe don’t have those people in place already or they haven’t thought about the broader internal governance structure. So it’s kind of first thing first, know what you’re going to apply for. Secondly, really understand how you’re going to present your internal governance model, because that’s often a big sticking point for the central bank. And it’s not that you need all these people in situ when you put the application in. But you do need to have a path and a plan and you should have a very clear internal structure in mind that you can present to central bank, which is credible.

[20:40] Paul: Very good. And Neil when you come to that process then and you start encountering these questions, what’s your experience then in terms of, as Chris said, not everything needs to be in place, but it has to be thought about and it has to be planned. How jarring an experience is that when some of those questions might be in areas you hadn’t anticipated?

[21:03] Neil: Yeah, well, as you say, it can be jarring and not planned, but also sometimes it’s not clear. And that’s the nature of legislation. And even if you look at parts of MiCA at the moment, there’s capital requirements, there’s insurance requirements, but there’s no guidance as to how the two interact. And there’s still areas of definition. So you do need to bring people in to get the view, you know, almost before you go to the central bank as to what the expectations are, you know. And even when we’re talking about the board governance there, you know, and triple hatting roles, etc, you know, directly you could have one independent director, you know, you could have two. You know, the central bank has for different sectors its preferences, you know, as to the governance structure it wants to have in place. You know and I suppose you need to get a feel for that you know by talking to people talking to people you know we’ve mentioned payments industry you know in a way you know a lot of the payments experience is being brought into the micro space yeah definitely so you know you can take a bit of guidance from people who have been involved in the payments industry as to how they have to set up their business you know you need to get that current feedback though as the expectations of the central bank as well you know from the likes of the professional advisors you know and that even goes back to the back end you know to your technology infrastructure you know and because we mentioned DORA. You know what technology infrastructure you know what testing you have to have in place so there is a number of things to pull into place having said that.

[22:39] Paul: So actually sorry just one for anybody who may not be familiar we’re using a lot of terms here. So DORA is?

[22:47] Neil: The Digital Operational Resilience Act, I think I have that right, which is a piece of EU legislation which is focused on the financial services industry, to improve resilience, basically to stop businesses falling over through collapse of their technology or through hacking or attacks on their technology. It extends a bit beyond the financial service industry though you know as Chris was sort of saying earlier because they can say well who’s your core suppliers, services you know and you know do they need to be, supervised might be the wrong word Chris probably has a better word but do they be do you need to be aware of, what sort of controls they have it, and have they certain regulatory responsibilities as well because they’re of a certain scale, you know, that the EU at that wider level will actually look and say, well, actually, this company is so important to the infrastructure of financial services firms, even though it’s a technology firm, that we want insight into what it’s doing. And there’s certain firms that believe in that space.

[23:55] Christopher: Yeah, I mean, take, for example, the likes of Google, you know, who are going to be providing.

[24:01] Paul: And even some of the large kind of merchant platforms as well have been talked about in that context as well, haven’t they?

[24:07] Christopher: Yeah, and I think it’s part of a broader kind of EU digital strategy as well, because kind of not necessarily directly relevant for financial service, but with things like the Digital Markets Act and the Digital Services Act, which are also looking to impose kind of quasi-financial regulatory type arrangements, things like independent compliance functions on big social media organisations, other big tech companies who are providing digital services. So I think DORA is certainly coming from that space as well as part of a broader EU digital services.

[24:40] Neil: Yeah. And the thing about the regulation, you know, you shouldn’t be too scared of it, you know, because when you think about it at a practical level, it’s a lot of things you should have in place anyway.

[24:51] Paul: Yeah.

[24:51] Neil: You know, if your technology fails, how will you support the customer? You know, are you marketing to that customer appropriately? You know, are they, you give them the information they need? You know so really the regulations just bringing all that together and saying look these are our standards and you know the difficulty though for a startup though is it generates a lot of paperwork, a lot of policy procedures. They are probably things that startup is thinking about though as I say you know they’ve said look we need to have resilience but they haven’t said, let’s document it clearly and then actually the next stage is actually test it you know and monitor on an ongoing basis. So it does have a resource requirement that is not just about the application process getting authorised, but very much about managing those processes after they’ve been approved. So that’s very important.

[25:46] Paul: Okay, so we’ve spoken a lot then about the kind of the broad context of regulation. So for the crypto asset service provider specifically, what’s different this time? What are the sort of specifics that we’re looking at?

[26:01] Christopher: Yeah, I think some of the key areas for, certainly for crypto asset service providers are going to be implementation of the kind of the client money.

[26:11] Christopher: Asset safeguarding provisions. I think obviously they’re inspired by MIFID and Payment Services Directive, but even providing and finding appropriate third-party custodians or credit institutions to support those entities when they go through the process. Certainly we found frictions in the payments industry with payment institutions, trying to find client bank accounts, etc. I think that’s a significant issue potentially, and I think something which people should try and get ahead of. The other broader issues are obviously going to be things around consumer protection and transparency so making sure you’re very upfront with consumers in terms of what is it we’re providing what’s the cost to the consumer for providing it so whether that’s you know if I’m purchasing crypto online what are the transaction costs associated with that if I’m engaged in staking in some way shape or form whatever terms and conditions around that and I think kind of looking at cryptocurrency service providers as a standalone is now, there are specific rules obviously under MiCA but I think it’s better to view them as the broader kind of universe of regulated entities ultimately they’re very similar to a MiFID firm and to a payment institution from the perspective of the considerations that they need to take into account. But otherwise, you know, NOVA regulations, MiCA is there, but there’ll be consumer protection requirements. There’ll be money laundering requirements, you know, financial sanctions. We’ve talked already about digital operational resilience, etc. So I think the challenges maybe from a crypto asset service provider is that it’s new. They’re coming from a space where, shall we say, the central bank has not been massively positive in terms of its exposure to the retail market, and so views it as maybe higher risk. So I think probably they will have to take greater steps to assuage the central bank’s concerns around those risks, you know, by demonstrating good compliance, by showing that they’ve got good safeguarding procedures in place for client funds and client assets and good policies, procedures, systems and controls. So maybe no super unique kind of legal and regulatory issues apart from obviously very specific in terms of MiCA, but possibly some unique challenges in terms of where they’re coming from as a sector and from a regulatory perspective.

[28:52] Neil: And to add to that actually this is new to the central bank. I think that’s a very important point. You know like the legislation has been imposed at a European level. The central bank now has to take that on board and has to upskill its own staff and it’s been doing that. Therefore it’s very important when you’re going in that you have a clear business plan. Your marketing strategy. How does that strategy differ from traditional assets, let’s say, in the crypto space? Very clear process. Outlined step by step how your product works. You know, what controls you have over it. You know, if you’re custodian, you know, how you actually do that process, you know, self-custodian, or you’re putting it out to a third-party custodian, you know, and they want to see, you know, that very clearly, because that helps educate them as well, you know, and, you know, they have a short timeline to get this in place, you know, so there’s a lot happening, you know, over the next year, you know, within the central bank, you know, and you have to be cognisant of that, so therefore, the information for MiCA that traditionally you would have given maybe at a higher level in initial stages. You know, you might have a, what’s called a key facts document which is almost like a presentation. You know, it’s almost like a business plan now. You know, that’s my reading of the expectations. You know, that they need a lot more information at an earlier stage than they traditionally would have. You know, so that when they’re doing these questions and there will be hundreds of questions.

[30:34] Paul: Yeah.

[30:34] Neil: You know, that they can tailor them much more specifically so that they can get through the process and get clients authorised. And at the end of the day, hopefully, they want to get people authorised. And that’s our feeling. They want to see people getting authorised, getting successful businesses. But you have to show them that you’re capable of being authorised, you’re capable of running the business. And while they’re not financial consultants and dare to say whether you’ll succeed as a business because otherwise, how would they approve anything you know you need to give a sense you know that the business has a certain financial strength to support it a strategy to grow it yeah so there’s quite a few aspects coming into play you know which is regulatory, it’s financial, it’s technology. All coming into play but really again talking, to the point earlier you know a lot of this when you write your business plan you should be thinking of anyway it’s just the perspective, you’re sending it into the central bank is different. You’re given more information on certain areas, but the overall concepts are the same. How you market, how you run your operation, what your governance structure is, what your financial situation is, how you’re going to fund it. All these simple points that any startup needs to think of.

[31:55] Paul: Yeah. Well, we’ve talked a lot about the central bank generally, and obviously because of their importance in this process, But they’ve had a significant increase in their level of outreach and the amount of kind of resource that they’ve put out there in terms of events and information and engagement. But what I’d like to ask is about their disposition generally and, you know, engaging with them in this kind of process. Because you mentioned, say, a preference against triple hatting, but say, you know, risk and compliance sounds like a natural fit if it’s double hatting. So just in that kind of context, tell us a little bit about the engaging with the central bank and how they like to do things.

[32:46] Christopher: I mean, I think it comes back to your point. It’s about being very clear what you want to do and how you’re going to do it. And then being realistic in terms of the resources you will need to deploy both financially, but also from a personnel perspective to effectively implement those plans. The expectations are not always written down, is what I would say. So that’s why talking to advisors, not just myself, is helpful. And getting that feedback and experience, obviously, as you say, we’re drawing very significantly on our experience in dealing with FinTech’s and payment firms who are not a million miles away in terms of the risks and the internal governance profile. So we’re expecting the central bank to take a similar approach, but this is new. And every different authorisations kind of team has a different slightly different approach slightly different expectations that aren’t always 100 clear or written down so and you’ve got to remember and again very similar to payment institutions there can be very big very variations in terms of the business type and model that you’re approaching. So what might work for you know what we might say an intermediary type entity that doesn’t handle funds as such or isn’t involved in custody, it’s going to be very different to, say a very large marketplace looking to serve a pan-European market. So what might be appropriate for one mightn’t be appropriate for another. So it’s about understanding the nature, scale, and complexity of your business and tailoring that to the application and the internal governance, so take the dual hatting. So yes, if I’m a very small, maybe locally focused entity, maybe dual hatting risk and compliance will work, and I’ve seen that numerous times, it’s not generally an issue. But if I’m going to be a massive crypto market looking to service the entire European market, I’m going to have hundreds of thousands of customers potentially, is it appropriate to have a dual-hearted risk and compliance person? Well, possibly not. Or at least you’ll have to take the central bank on a greater journey to justify that from a scale perspective.

[35:12] Paul: Interesting. Well, just kind of rounding off then, flipping it around slightly, with an organisation, say, let’s say one that has never gone through an authorisation process before. Coming to you as a professional in KPMG Law, how do they best leverage your capabilities for them? How do they come to you to get the best from what you can offer to go through the process?

[35:41] Christopher: I think it all comes back to preparedness, and I think really understanding your business model, really understanding what you want to do ultimately certainly as a business, you know, we can only help so far. We can advise you around what you need to do to get through the authorisation process, what authorisations you may require. We can assist with obviously the corporate governance to consulting, the internal management and all those things. But if you don’t have a clear understanding of where you want to get to before you come to us, there’ll be a lot of full starts. And obviously, I don’t want to talk about my fees, but the more you use a lawyer, very obviously, the more they’re going to have to end up charging you because, you know, that’s the way it is. So I think it’s important for clients to come to us when they understand. Now, that’s not to say they might come to us and say, well, we’re thinking about doing X, Y and Z. And there may be pros and cons with different approaches. And again, that’s an area we’re happy to kind of help and assist with. And I think we found out in the past that maybe someone has said, well, I want to come and I’ve had people come to me and say, I want to come and be a bank. My advice is, well, you don’t want to be a bank. You definitely don’t want to be a bank. Have you thought about going down payment institution, e-money routes and or, you know, using some of a form of retail credit firm authorisation, depending on what you’re looking for? So, again, there’s a role there, but the more developed and the better understood your own business is, the more we can help and the easier and quicker and more straightforward it is for us to help. So I think it’s all about preparedness and understanding where you want to get to.

[37:22] Paul: Okay. And Neil, in your experience then as well, because as Chris is saying, that the better prepared you are, perhaps the more intelligent questions you can ask and get to answers quicker. So in your experience?

[37:38] Neil: Yes, you know, you need to map out your business, you know, like you need to say what your product is, what technology you’re going to use, what staffing you have at the moment, even, you know, and have a picture, you know, because, for example, you know, you might know how your front end works and how you’re storing your customer data. Right but you mightn’t have let’s say the appropriate data protection policy wrapped around it you know so but if you have all that information you know at the start you know what data I have my customers where I store it what technology why I’m using it and have that just framework you can go to the advisors and then say right what are the extra pieces I need to put in place and they might say well actually yeah you have all this data but you don’t have a clear data protection policy you don’t have a you know they can start asking questions well you know do you delete that data after six years you know and questions like that but they can start asking and sort of say well now it’s clear to us you need to put this framework in place in this area and this framework in that area you know because it’s not just about the application process and the central bank it’s about your ongoing compliance you know and you know data protection is not a central bank issue per se. It’s part of their remit when they’re reviewing an application, but it’s a general requirement of all businesses here in Ireland. So map that out, have a clear view of what your business is, what type of data you have, what systems, and then you can bring that in to your advisor and say, You know. What’s the next stage, you know, in the application process. And there will be lots of questions. You know, you might be sure whether you need to be regulated. You know, like the thing about digital assets is like, you know, a lot of it is now regulated. However, there’s certain types of digital assets that are not. You know, utility tokens, you know, which have a more limited use, but, you know, might be part of your product. You know, they do not have to be regulated. You know, so, you know, you might have lots of questions in those type of areas, you know, so if you have that clear picture of what your product is, at least the advisors are able to say, right, you have an issue here, you do need to be regulated, or actually here, that’s fine, this is outside of scope. You know, and they can build up that picture for you.

[40:01] Paul: Very good. Okay. Well, just to round off then, a final thought or a word of advice from each of you?

[40:08] Christopher: I think looking and kind of reiterating understanding your business model I think, one of the things I’ve seen can be very beneficial is bringing on board say some of the key senior personnel early so someone like a head of compliance or a head of risk particularly if they’ve come from a more traditional finance background can possibly come in and do some of those things so rather than going to the you know the advisors cold if you’ve already got someone on board who has that insight can help you through the process, can be extremely beneficial so I would say that if you can get on board good staff early in the process particularly if they come from a regulated background that can be extremely beneficial can really help the process before you get to the advisors and then once you get to the advisors just remembering that as you say that the authorisation is a process that you go through but ultimately it’s all to get you ready for actually going live and providing services in a way that’s going to be consistent for the central bank and consistent with your regulatory obligations so just be prepared and understand this is a long long-term project

[41:24] Paul: Indeed, Indeed.

[41:26] Neil: Yeah and I’d say that point there is quite essential to have someone who can be that link person who’ll understand the language also of dealing with the legal team who’ll understand you know how they should communicate with the central bank you know and the legal team will support that as well but you need someone who can know what the legal person is looking for and where that can be found in the organisation. You know, who can access that linchpin, who knows enough about the organisation to bring it all together. You know, and the other thing is be prepared to change. Because in these discussions, you know, there might be refinements to your business model. There might be refinements to your product. There might be developments you have to change on your front end, you know, and be prepared for that. You know and don’t go in with a blinkered approach and say this is our product and this is what we’re going to get authorised and we don’t want to change that because that won’t work and it’s like any business you know you’re doing a full pivot but you are adapting you know to the regulatory requirements and that’s what a lot of startups in this space are having to do now. You know they’re coming a lot of them are coming from a pure technology background, who have never had to deal with regulation to quite a different space. And the hope really is that this level of regulation, which is dealing, I suppose, the world really at many levels, is going to actually enhance the development of the industry in Europe, but also as a place to do business internationally. Particularly when you’re dealing with financial institutions or other regulated businesses. So suddenly they have a lot more confidence in their, in the type of regulation that you’re subject to and they have confidence in your business. You know so it’s a key selling point as well yeah as well you know regulation is not all paperwork you know at the back end it’s actually it is a key strength you know once you’re regulated you know and you know in an Irish context you have a very strong regulator you know who is well perceived you know, so therefore there’s a very clear message to get out to your customers and your potential customers.

[43:36] Christopher: And I might just add one thing and I and I think it comes out what you’re saying in terms of if you are coming at this from a non-regulatory background you’re coming from a tech background there’s a lot of good education offerings out there which can kind of upskill you and even I think as you say regulation is almost conceptually understanding some of the key things so you know things like free lines of defence models, just understanding well that’s how compliance is expected to work it’s obviously coming from a financial institution background we’re both kind of very familiar with that but you could see someone coming in from a tech background what are you talking about? There’s lots of support out there there’s lots of online resources and there’s some very good you know professional courses you can take as well if you want to go down that route. So I think education is also an element for the businesses as well potentially.

[44:32] Paul: Very good. Okay. All right well that has been a fascinating discussion and I think that the key takeaway is be prepared so learn as much as you can and then leverage the expertise as you go. So thank you very much Chris from KPMG Law, Neil from Fortuna Solutions. Thank you very much for watching and this has been the Blockchain Ireland Leaders insights series and we’ll hopefully see you on another episode. Thank you very much.