Ireland’s financial systems are a ‘changing ecosystem’ that ‘reflect new preferences’ but also ‘create new challenges and new risks for the consumers we protect’. This was the view of governor of the Central Bank of Ireland (CBI) Gabriel Makhlouf as he announced the publication of the CBI’s updated Consumer Protection Code (CPC) in March – its first substantial revision since 2012.
Borne of extensive public and stakeholder consultation, the CPC is notable for its significant strengthening and expansion of protections to consumers, and follows an OECD review of the CBI’s approach last year.
‘Placing consumer protection at the core of regulatory oversight’
The signs of the times are evident in new and enhanced requirements across sectors and on a sector-specific basis, covering digitalisation, effective informing, mortgages and switching, unregulated activities, frauds and scams, as well as consumers in vulnerable circumstances and climate risk (see boxout).
Culture change
Notable in the CPC’s definition of ‘consumers’ is the inclusion of smaller businesses, a definition expanded to cover SMEs with an annual turnover of €5m. (Previously the limit was €3m.) If protection is the key aim of the new CPC, the goal is also, Makhlouf says, to ‘enhance clarity and predictability for firms on their consumer protection obligations’.
Enhanced consumer protections
The updated Consumer Protection Code requires businesses to make a number of enhancements:
- Digitalisation – firms must be customer focused in the design and implementation of digital services.
- Informing effectively – this is a shift from requiring firms to simply disclose information.
- Mortgage switching – firms must meet new disclosure requirements on switching options and the impact of incentives on the overall cost of credit
- Provision of unregulated activities by regulated firms – firms must ensure customers can have no impression or misunderstanding that they are purchasing regulated products and services, where that is not the case.
- Firms must be vigilant to the evolving risks of frauds and scams, and take appropriate action to protect customers.
- Protecting consumers in vulnerable circumstances – an updated definition of vulnerability recognises that customers can move in and out of circumstances that make them vulnerable.
- To tackle the risk of greenwashing, firms will be required to ensure they communicate clearly on climate and sustainability features of products.
- There are enhanced requirements in the areas of consumer credit, small and medium-sized enterprises protections, insurance and investments and pensions.
Source: Central Bank of Ireland
Any such clarity should not be confused with a straightforward implementation process. Colm Freeman, partner, EY, says the CBI’s determination to inculcate a cultural change in financial services provision is not to be underestimated. ‘These changes are not just regulatory updates. The CPC will fundamentally reshape how the CBI supervises financial firms, placing consumer protection at the core of regulatory oversight,’ he says.
Russell Burke, senior consultant at fscom Ireland, notes the broad church of firms required to sit up and take notice. ‘Over 10,000 firms, regulated by the CBI, are providing financial services in Ireland. That number is growing all the time with the establishment of many indigenous businesses and a steady follow of international providers,’ he says.
Guidance and interpretation
With the new provisions applying from 24 March 2026, there is much to digest in the financial services community. The CBI provides in-depth guidance in key areas such as securing customers’ interests and protecting consumers in vulnerable circumstances, while also cautioning that the new obligations should not be viewed as box-ticking exercises but something more holistic and purposeful.
‘Firms that fail to understand requirements may face significant regulatory challenges’
Kian Caulwell, partner at Forvis Mazars, says that while the CPC gives firms some flexibility in applying the new rules, that flexibility comes with increased regulatory risk. ‘Firms that fail to thoroughly assess, understand and implement the new requirements in a defensible and consistent manner may face significant regulatory challenges, including potential CPC contraventions in the future,’ he says.
Areas where work is likely to be needed on an industry-wide basis include the ‘customer focus’ required in the design and implementation of digital services; the clarity expected for customers regarding the regulated nature of products and services they purchase; and the vigilance and appropriate measures expected around the risk of frauds and scams. The issue of greenwashing is also in scope, and financial service providers will need to communicate clearly on the climate and sustainability features of their products.
An update of the definition of ‘vulnerable circumstances’ recognises that customers can move in and out of circumstances that make them vulnerable.
The holistic approach also extends beyond implementing the CPC itself. The CBI says firms need to ensure they integrate their approach to CPC with other regulatory requirements, for example payment regulations, the Digital Services Act and the Digital Markets Act.
Challenges and scrutiny
As is often the case with new regulations in Ireland, the changes have a UK precursor – in this case the Consumer Duty rules introduced by the Financial Conduct Authority in 2023. Freeman recommends close scrutiny of the UK approach, ‘especially in areas like financial literacy, digitalisation and the treatment of vulnerable customers’.
Caulwell says that firms face three key implementation challenges in the coming year: ‘defining and agreeing on key terms not prescriptively defined in the consumer protection requirements’; the question of ‘when to flag a customer as a consumer on a business’s systems’; and how to ‘identify the scope and impact of the new regulations on their business from a customer, product, policy and IT systems perspective’.
Next steps in compliance
In order to comply with the updated Consumer Protection Code (CPC), financial services organisation must take a holistic approach that involves:
- Assessing the reforms – be clear on what requirements are entirely new and which others are enhancements to previous requirements.
- Mapping your current compliance – identify what aspects of your business are designed to ensure compliance with the CPC today.
- Gap analysis – understand what aspects of these governance, systems and controls, policies, procedures, processes and documentation are impacted by the new requirements and enhancements.
- Designing and upgrading – plan the necessary changes to your governance, systems and controls to meet these new and enhanced requirements.
- Overseeing appropriately – ensure you have the the right governance and programme structure from the start so that the changes and mindset required are fully embedded.
Source: A&L Goodbody
Advisory firms will undoubtedly have a role to play in some of this, with gap assessments, risk analysis and training services already on offer by the major firms. PwC describes the new CPC as ‘aiming to deliver a modernised and integrated framework’ in financial services, while EY says it puts financial services ‘on the cusp of a regulatory transformation’.
One of the smaller changes in the new CPC is telling of the overall culture shift it aims to bring about. Customers of dental, pet, gadget and travel insurance will now have to explicitly opt in to auto-renew these products. The financial services industry must also opt in to an approach that puts consumers’ actual needs front and centre at all times.
