So, can we infer the size and scale of the breach based on the word 'significant' alone? Unfortunately not. Matters both big and small would be described as 'significant'. If I was looking for a silver lining here I would point out that the AML enforcement highlighted abovewas described as a significant concern, yet only resulted in a €280,000 fine.
The CBI’s concerns relate to PCSIL’s Anti-Money Laundering / Counter TerrorismFinancing (‘AML/CTF’), risk and control frameworks and governance. TheCorrespondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013.
This confirms the CBI's concern relates to AML/CTF. From a bit of Googling we find that this has been a specific area of focus for the CBI in recent times. Back in December 2020 the CBI issued a 'Dear CEO' letter to Irish businesses reminding them of their obligations under the legislation. Perhaps this has become an area of specific focus in recent times?The Correspondence does not concern EML’s Australian or North American operations, or the operations of PFS’ UK subsidiary (‘Prepaid Financial ServicesLimited’ which is incorporated in England and regulated by the FCA), or EML’s other Irish regulated subsidiary (‘EML Money DAC’).
This confirms the focus of the concern is limited to PFS' Irish operations. The bear case might suggest that CBI's action here might prompt other regulators to look more closely into other EML subsidiaries. The bull case suggests the reason other regulators have not raised similar concerns is that the other parts of EML have better risk management and compliance.Prior to 19 December 2020, PFS’ European business primarily operated through its FCA regulated subsidiary. However, as a result of Brexit, PFS was required to transfer non-UK programs out of the UK. On 19 December 2020, all of PFS’ European programs were transferred to its CBI regulated subsidiary PSCIL.
This is an interesting paragraph. This suggest that prior to 2021 PFS was regulated by the FCA (Financial Conduct Authority - the UK regulator) without issues or concerns. This changed in 2021 when CBI took over and subsequently uncovered something it didn't like.The directions, if made, could materially impact the European operations of thePrepaid Financial Services business, including potentially restricting PCSIL’s activities under the Irish authorisation.
This is an important ass covering statement that I guarantee would have required a heated conversation between management and their lawyers. It's basically saying that CBI has the power to make directions that *could* result in PFS shutting up shop. If that happened, there would be obviously be a material impact to PFS' business. Can we infer that this is likely to happen? Absolutely not. It's basically saying "We don't know what the regulator is going to hit us with yet, but it has the potential to be bad. Don't say we didn't warn you".During the period from 1 January 2021 to 31March 2021, EML estimates that approximately 27% of EML’s global consolidated revenue (unaudited) derived from programs operating under PCSIL’s Irish authorisation.
This is a really curious statement. Why was this included and why was that date range chosen? Is this simply informing us of the first quarters revenue split for this year It's interesting they have stated a the period immediately following CBI taking control of regulation responsibilities. Did the breach occur during this period? Again, reminding us that the core business of EML has operated across multiple jurisdictions over many years with no other incident of serious breach. The bull in my would like to believe this is the result of good governance, rather than good luck, and the issues being uncovered in Ireland are evidence of a lower maturity cowboy operation, but only time will tell.Things I really want to understand:
- What period does the concern relate to?
- Was the concern self-reported, or uncovered in another way?
- What's the average turnaround for a direction following response to a concern?
How could this play out- Bull case: The breach was self-reported, and related to poor monitoring and supervision activities. PFS resolve (or have already resolved) the issue and receive a fine of anywhere between €100,000 and €3.325,000 (the smallest and largest fines I've been able to find for breaches of the CBI AML / CTF Act).
- Bear case: The breach was the result of proactive, systemic money laundering activity, that PFS management was both aware of and encouraged as a juicy revenue channel. They are stripped of their licence to operate, and are hit with the largest fine on record for an Irish business in breach of the Act. EML loses a quarter of revenue, and I suspect would commence legal action against the Moran's to claw back the sale. Not pretty.
As I've started in the other thread, my gut feel (hope) is that we are going to land closer to the bull case than the bear case, but we simply don't have enough data to know for sure. It'll certainly be a few interesting weeks ahead while this plays out.