Regulatory and supervisory outlook report 2026

On 26 February 2026, the Central Bank of Ireland (CBI) published its Regulatory and Supervisory Outlook Report (Outlook Report), a letter from Governor Makhlouf to the Minister for Finance and a Dear CEO Letter.

The Outlook Report, which is published annually, sets out the CBI’s supervisory priorities and key regulatory initiatives for 2026 and outlines its perspective on the key risks that are shaping the financial services sector. It also contains three ‘Spotlight’ chapters on artificial intelligence (AI), operational resilience and consumer and investor protection, areas of continued significance for the sector. Governor Makhlouf’s letter succinctly sets out the economic, geopolitical and societal challenges impacting regulated firms, while the Dear CEO Letter reinforces the CBI’s industry-wide supervisory priorities.

This insight highlights the industry-wide and sector-specific supervisory priorities for the year ahead, including the CBI’s planned supervisory activities. In relation to sector-specific priorities and activities, the insight focuses on credit institutions, payments and e-money institutions, MiFID investment firms, the securities market (including crypto asset service providers (CASPs)) and retail credit firms. A standalone update addressing the CBI’s supervisory priorities for the Irish funds sector will be available separately.

It is important that regulated firms carefully consider all priorities relevant to their businesses, as they provide a clear indication of the areas where firms will face heightened supervisory attention during the course of the year. If your firm has any queries or concerns around compliance in these areas, please reach out to the authors of this article.  The CBI, having published these priorities, will expect any firms that it supervises to be able to demonstrate full compliance or otherwise face potential sanctions.

Overview

It is clear from the Outlook Report that there are key supervisory themes that apply on an industry-wide basis:

• financial resilience
• operational resilience
• consumer and investor protection
• financial crime
• climate and environmental related (C&E) risks
• AI

While the industry-wide supervisory priorities for 2025 were the same as those for the previous year, the priorities for 2026 have developed. There is a stronger emphasis on consumer and investor protection and addressing risks arising from new technologies (including AI) and societal changes. Notwithstanding this, there is also a continued focus on financial and operational resilience, financial crime and C&E risks, along-side the mainstays of risk management and governance.

On a sectoral level, it is notable that there is a renewed focus on market abuse for the investments and securities markets and on the fair treatment of consumers in vulnerable circumstances in the retail credit and intermediaries markets.

It is also notable that this year’s Outlook Report contains more planned supervisory activities per sector than in the reports for the previous two years. This may be a reflection of the CBI’s revised supervisory approach.

Industry-wide supervisory priorities

The Outlook Report identifies five industry-wide supervisory priorities for 2026 that aim to build resilience in the financial sector and achieve the CBI’s four safeguarding outcomes (consumer and investor protection, safety and soundness, integrity of the financial system and financial stability).

The CBI’s supervisory priorities for all regulated firms in 2026 are:

• Maintaining and building resilience to geopolitical risks and macro-financial uncertainties – involving work on operational resilience, cyber security and financial resilience and assessing how firms are embedding C&E factors into risk management, business models and governance.
• Securing consumer and investor interests – focusing on firms’ approach to the customer experience and digitalisation (including balancing the benefits of innovation with risks of customer harm) and addressing financial crime.
• Responding to technology-driven transformations – focusing on the use of AI, digital money and tokenisation and their implications for firms and the financial system.
• Addressing environmental and societal transitions – working in partnership with stakeholders to help address these longer-term structural transitions and assessing firms' responses to C&E risks and the increasing frequency of severe weather events (including with respect to protection gaps, retail investment participation and sustainable finance).
• Enhancing regulatory and supervisory practices – implementing further enhancements to the CBI’s supervisory approach to ensure its continued effectiveness, improving the gatekeeping process and progressing and developing the roadmap for delivering simplification.

Sector-specific supervisory priorities

For each sector, the Outlook Report identifies its supervisory priorities through ‘supervisory focus areas’, under which the CBI’s planned supervisory activities for 2026 are set out.

A) Credit institutions

Focus area 1: Business model and strategy

• Reviews of corporate strategy setting, alignment with risk appetite and the credibility of the underlying assumptions.
• Assessments of strategies given the evolution in payments, the National Payments Strategy, access to cash requirements, roll-out of ‘P2P payments’ (e.g. Zippay), digital euro, stablecoins and tokenisation.
• Assessment of the impact of Article 21c of CRD 4 (as inserted by CRD 6) on banks’ balance sheets.
• Assessment of new bank licence applications in collaboration with the European Central Bank.
• Assessment of bank-specific growth strategies and/or new business lines to understand growth ambitions and if they appropriately consider consumer and investor interests and are underpinned by effective governance and risk management arrangements, and operational and financial capacity.

Focus area 2: Treatment of customers

• Cross-sectoral review of how banks are carrying out root cause analysis of errors and applying learnings to their wider product and service suite.
• Thematic review of the sale of products via banking apps with a focus on how banks identify and mitigate risk to consumers on a sample of products sold.
• Cross-sectoral thematic review of customer service standards including, in the banking and lending sector, a review of the impact on customer service of supervisory actions arising from previous conduct-related thematic reviews.
• In light of the revised Consumer Protection Code, cross-sectoral thematic reviews on:
  • how customers are being informed effectively
  • treatment of customers in vulnerable circumstances.
• Review of how banks are securing customers’ interests in the operation of current accounts.
• Enhancing CBI data to support retail conduct supervision, including enhancing the conduct of business return and data on areas of elevated risk such as fraud.
• Cross-sectoral thematic review of buy-now-pay-later (BNPL) arrangements.
• Cross-sectoral thematic review of mortgage lending to include an analysis of credit, loan origination and risks to borrowers (including monitoring for early signs of over-indebtedness or distress).

Focus area 3: Operational and cyber resilience

• Key focus areas for ‘significant’ credit institutions include:
  • Targeted follow-up on remediation strategies for banks that report material shortcomings in ICT security/cyber-security resilience and ICT outsourcing.
  • On-site inspections on cyber security management and third-party risk management, in line with the requirements in the Digital Operational Resilience Act (DORA).
  • Threat-led penetration testing to identify vulnerabilities and improve cybersecurity resilience.
  • Targeted review of ICT change management.
  • Deep dive into banks’ dependency on cloud service providers to assess their preparedness for potential service disruptions.
• Firm-specific follow up from the 2025 thematic review on operational resilience for international ‘less significant’ credit institutions.
• Supervisory assessment of cyber resilience remediation programmes.
• Tracking remediation of outsourcing deficiencies identified in previous reviews.
• Continued engagement with banks and interventions where outages occur, including focus on communications, customer service and customers in vulnerable circumstances.
• Continued work with industry and government to establish a collective action approach to system-wide operational resilience for payment services (including cash).

Focus area 4: Financial resilience

• SREP risk assessments (including incorporating C&E aspects under CRR 3 and CRD 6).
• Qualitative and quantitative analysis of credit (including C&E aspects), loan origination, vulnerable sectors, short-term lending (e.g. BNPL) mortgage lending, and risks to borrowers, including customer indebtedness.
• Follow up on issued credit risk management risk mitigation programmes.
• Assessment of Pillar 1 capital requirements for ‘standard approach’ in credit risk and market risk, along with planned internal model investigation work responding to submissions of updated/new IRB models.
• Financial resilience assessments, incorporating capital position assessments, distribution strategies, securitisation, provisioning, liquidity, market risk and recovery planning.
• Identification and assessment by the CBI of transmission channels, cross-cutting risks and cross-sectoral interlinkages arising from macroeconomic and geopolitical risks.
• Reviews of the remediation of shortcomings in the integration of C&E risks into banks’ risk management frameworks, in addition to consideration of ESG transition plans.
• Remediation of deficiencies in risk data aggregation and risk reporting previously identified in reviews.
• Assessment of the AI landscape in the banking sector to build supervisory knowledge on AI use and support the CBI’s work in developing its supervisory approach on AI applications and the EU AI Act.

Focus Area 5: Financial crime and market integrity

• Assessment of individual banks and aggregated sectoral data from the enhanced AML/CFT risk evaluation questionnaire (REQ) submissions.
• Cross-sectoral thematic review of controls on certain types of fraud, and the fair treatment of customers.
• Cross-sectoral thematic review of conflicts of interest management in wholesale market banks.
• Cross-sectoral thematic review of market abuse frameworks and surveillance.
• Cross-sectoral thematic review of unauthorised trading and trading controls.

B) Payments and e-money institutions

Focus area 1: Safeguarding of customers’ funds

• Assessment of the actions taken to address identified gaps in safeguarding processes and procedures.
• Assessment of the implementation of the new ‘Head of Safeguarding’ pre-approved controlled function role.

Focus area 2: Financial crime

• Assessment of the adequacy and effectiveness of AML/CFT risk management frameworks through inspections, targeted and thematic reviews and financial crime review meetings.
• Assessment of individual firm and aggregated sectoral data from the enhanced AML/CFT REQ submissions.
• Cross-sectoral thematic review of controls on certain types of fraud, and the fair treatment of customers.

Focus area 3: Business models and financial resilience

• Thematic review of financial resilience, including strategic planning and wind-down planning.
• Engagement regarding the EBA Q&A 2022_6336, which discusses the definition of ‘electronic money’ in Article 2(2) of the E-Money Directive.

Focus area 4: Operational and cyber resilience

• Feedback on the thematic review on the governance and effectiveness of IT outsourcing.
• Targeted follow-up on remediation strategies for firms where issues have been identified in relation to their management of operational and cyber risks and resilience.
• Supervisory assessment of reporting under DORA, including registers of information and major incident reporting.
• Focus on the implementation of the Payment Services Directive 3 and Payment Services Regulation.
• Continued work with industry and government to establish a collective action approach to system-wide operational resilience for payment services (including cash).

Focus area 5: Culture, governance and risk management

• Cross-sectoral thematic review of whether customers are being informed effectively.
• Cross-sectoral review of how firms are carrying out root cause analysis of errors and applying learnings to their wider product and service suite.
• Cross-sectoral thematic review of the identification and treatment of vulnerable customers.
• Assessment of board composition, resourcing levels and governance structures.
• Thematic review of the operation of distributors and agents model.

C) MiFID investment firms

Focus area 1: Operational and cyber resilience

• Engagement and risk assessments across certain firms. This will include engagement in response to findings from previous thematic work and targeted engagement in relation to the establishment and maturity of operational resilience frameworks in line with the CBI’s cross industry guidance.
• Engagement with certain firms in relation to IT risk management frameworks, DORA implementation and cyber resilience. This will include firms’ self-assessment via the CBI’s IT risk questionnaire.
• Supervisory assessment of incident reporting and registers of information under DORA.

Focus area 2: Conflicts of interest

• Participation in a common supervisory action (CSA) on conflicts of interest in the distribution of financial instruments, including firm-specific feedback and an industry communication on the findings of the CSA.

Focus area 3: Treatment of investors

• Cross-sectoral thematic review on the identification and treatment of customers in vulnerable circumstances.
• Work relating to the thematic review of complaints handling which began in Q4 2025.
• Embedding the revised Consumer Protection Code and related guidance into supervisory practices.
• An enhanced conduct of business return to support a data driven approach to supervision.

Focus area 4: AI

• Engagement with firms to develop the CBI’s understanding and assessment of AI use cases in the sector to inform its supervisory approach and expectations. An AI focus will be applied to all thematic reviews.
• Support future work / surveys undertaken by the European Securities and Markets Authority (ESMA) on AI.

Focus Area 5: Financial crime

• Firms will be required to complete the enhanced AML/CFT REQ.
• Reviews of venue and firm trade surveillance implementations and frameworks working with industry to improve ‘STOR’ submission and quality.
• Thematic review of a sample of MiFID investment firms regarding market abuse frameworks and surveillance.

D) Securities market and CASPs

Focus area 1: Operational and cyber resilience

• Sector-wide reviews and firm-specific engagements on technology risk and resilience, operational resilience maturity, market outages and DORA compliance.
• Targeted work in relation to DORA compliance.
• Thematic review by ESMA in respect of cyber risk as part of a CSA on the new CASP sector.

Focus area 2: Treatment of customers

• Build awareness through ongoing industry engagement, including at the CBI’s annual CASP event where its supervisory priorities will be outlined.
• Given increasing risks associated with the rapid transformation of the crypto-asset sector, the CBI will engage with ESMA’s work on the Markets in Crypto Assets Regulation (MiCAR).

Focus area 3: Custody of crypto-assets

• Follow-up work to examine CASPs’ compliance with the custody requirements in MiCAR and related authorisation conditions.

Focus area 4: Financial integrity

• Trading firms and CASPs will be required to complete an enhanced AML/CFT REQ.
• Targeted assessment of certain CASPs, which will include on-site engagement to ensure that AML controls and processes are effective.

Focus area 5: Market abuse and market surveillance

• Review of venue and firm trade surveillance implementations and frameworks, and work with industry to improve ‘STOR’ submission and quality.
• Cross-sectoral thematic review of market abuse frameworks and surveillance.
• Targeted inspections on compliance with requirements in the Market Abuse Regulation for persons discharging managerial responsibilities.

Focus Area 6: Conflicts of interest and controls

• Continue to examine firms’ governance structures and the controls in place to ensure conflicts of interests are prevented and managed to protect the interests of investors, consumers and market stability.
• Cross-sectoral thematic review of conflicts of interest management in wholesale firms.
• Cross-sectoral thematic review of unauthorised trading and trading controls.

Focus area 7: AI

• Collect sectoral AI intelligence and conduct targeted inspections where AI materially affects trading or surveillance.
• Integrate governance reviews into SREP assessments of MiFID investment firms.

E) Retail credit sector

Focus area 1: Treatment of customers

• Assessment of the largest retail credit firms’ progress against their long-term mortgage arrears reduction targets.
• Introduction of an enhanced sector-specific ML/TF REQ.
• Cross-sectoral thematic review of customer service, including in the banking and lending sector.
• Cross-sectoral thematic review of the identification and treatment of customers in vulnerable circumstances.
• Cross-sectoral review of how firms are carrying out root cause analysis of errors and applying learnings to their wider product and service suite.

Focus area 2: Operational and cyber resilience

• Sector-specific targeted review of operational resilience, incorporating an operational resilience maturity assessment to gain an understanding of the level of preparedness and maturity in firms to be able to respond to, recover and learn from operational disruptions.
• Industry session on operational resilience and CBI expectations for the sector.
• Targeted review of outsourcing registers to gain an understanding of the firms’ outsourcing universe and determine levels of interconnectedness across the sector and broader financial system.

Focus area 3: Over-indebtedness

• Cross-sectoral thematic review of BNPL arrangements.
• Review of hire purchase terms and conditions, with an initial desk-based focus.
• Cross-sectoral thematic review of mortgage lending to include an analysis of credit, loan origination and risks to borrowers (including monitoring for early signs of over-indebtedness or distress).

Focus area 4: Business models and strategy

• Cross-sectoral review of data collections to ensure all reporting requirements have a clear purpose.
• Industry engagement to commence a review of existing conduct of business returns.
• Targeted sectoral assessment of business model viability and sustainability of the sector.

For further information, please contact Dario Dagostino, Partner, Eoin O’Connor, Partner Patrick Brandt, Partner, Mark Devane, Partner, Chloe Culleton, Partner, Eimear O’Brien, Partner, Louise Hogan, Partner, Sarah Lee, Senior Practice Development Lawyer or your usual ALG contact.

Date published: 27 February 2026