08 Financial Regulation & Investigations

Sarah Lee Senior Practice Development Lawyer

2025 AT A GLANCE

  • The Central Bank of Ireland implemented its new supervisory approach.
  • Enforcement by the Central Bank of Ireland focused on detection and reporting of suspected market abuse and anti-money laundering procedures, systems and controls.
  • Following consultation, revised Guidance on the Fitness and Probity Standards was published.
  • The review of the Consumer Protection Code 2012 was completed.
  • New accessibility requirements for certain consumer products and services came into effect in Ireland.
  • The Digital Operational Resilience Act came into effect across the EU.
  • The EU’s new Anti-Money Laundering Authority became operational.
  • The Basel III reforms came into force for the EU banking sector, save for the revised market risk framework, which was further postponed until 1 January 2027.
  • Political agreement was reached on proposals for a third Payment Services Directive and a new Payment Services Regulation.

NEW SUPERVISORY APPROACH


In January 2025, the Central Bank of Ireland (CBI) implemented its new supervisory approach to adapt and respond to the increasingly complex, interconnected and digitalised financial services sector. The supervisory framework remains risk-based, and the supervisory objectives (referred to as ‘safeguarding outcomes’) continue to focus on consumer and investor protection, safety and soundness of firms, financial stability and the integrity of the financial system. Supervision will continue to be supported by the CBI’s full supervisory toolkit, such as direct engagement, communicating best practices, thematic reviews and firm-specific assessments.

There is now a more integrated supervisory approach whereby the CBI supervises regulated firms that are grouped into one of three Directorates (Banking and Payments, Capital Markets and Funds, and Insurance) using multi-disciplinary teams comprising expertise on all four safeguarding outcomes. The new integrated approach takes account of the risk landscape, the CBI’s risk appetite and tolerance, and the nature and scale of firms. This means the CBI will identify and prioritise risks, with a focus on material risks, such as risks most likely to impact the achievement of the safeguarding outcomes and those that are significantly beyond its risk tolerance levels.

In addition, firms that are deemed ‘significant’, based on set criteria, will be subject to close and continuous supervision at individual firm level by integrated supervision teams. These firms will be supervised and assessed across specific risk categories:

  • business model and strategy risk
  • culture
  • governance and risk management
  • operational resilience risk
  • financial resilience risk
  • financial crime risk

REGULATORY AND SUPERVISORY FOCUS


The CBI set out its regulatory and supervisory priorities for 2025 in its Regulatory and Supervisory Outlook Report and in a letter from Governor Makhlouf to the Minister for Finance. Among the CBI’s regulatory priorities were:

  • finalising revisions to the Consumer Protection Code 2012 (CPC)
  • enhancing the fitness and probity (F&P) regime
  • implementing the Markets in Crypto Assets Regulation
  • ensuring firms continue to embed the Individual Accountability Framework
  • enhancing operational and cyber-related resilience across the financial sector

The CBI’s industry-wide supervisory priorities focused on:

  • proactive risk management and consumer-centric leadership
  • effective change management
  • resilience to the challenging macro environment
  • addressing deficiencies in governance
  • risk management and control frameworks
  • preparing for climate change risks

Sector-specific supervisory priorities were also outlined in the Outlook Report, indicating further areas the CBI will likely focus on under its new supervisory framework.

ENFORCEMENT


The CBI’s enforcement activity in 2025 is on par with 2024, with both years reflecting a reduced number of enforcement cases since the CBI revised its Administrative Sanctions Procedure in December 2023.

In February 2025, the CBI fined Cantor Fitzgerald Ireland Limited €452,790 for breaching requirements in the Market Abuse Regulation between March 2017 and June 2023. The CBI found that the firm failed to:

  • properly report, document and internally escalate suspicious transactions and orders that indicated potential market abuse
  • put in place effective governance arrangements to detect and report suspicious transactions and orders

The CBI’s Director of Enforcement stated that firms should review their suspicious transaction and order reporting in light of the findings to ensure they are reporting all reasonable suspicions of market abuse to the CBI.

In May 2025, the CBI published the Written Decision of the Inquiry into Irish Nationwide Building Society (INBS) and five individuals previously concerned in the management of INBS. The Inquiry found that Mr John Purcell, former executive board member and secretary of INBS, had participated in regulatory breaches committed by INBS, namely, INBS’ failure to comply with its internal policies and procedures relating to commercial lending and credit risk management between August 2004 and September 2008. Mr Purcell was disqualified from being concerned in the management of any regulated financial service provider for four years and directed to pay a €130,000 fine.

Although the Inquiry accepted that Mr Purcell was not directly involved in day-to-day commercial lending, his role as board member, his involvement in correspondence with the CBI and his attendance at audit committee meetings were significant factors in him being found to have participated in the breaches by INBS. In market commentary, the CBI noted that it considered Mr Purcell’s conduct to be a significant departure from the standard required of a board member with regard to governance, commercial risk management, supervision and oversight.

In July 2025, the CBI fined Swilly Mulroy Credit Union €36,273 for conducting a cash lodgement and transfer service, for customers it had solicited, in breach of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the 2010 Act) and Credit Union Act 1997 over a seven and a half year period. The anti-money laundering/counter-terrorist financing (AML/CFT) and risk management failures were identified by the CBI during an on-site inspection by its Anti-Money Laundering Division.

Despite the board’s awareness of the risks associated with the business service, it did not take steps to manage the risks by ceasing the service or putting in place AML/CFT measures to ensure compliance with the 2010 Act. Nor did the board or senior management notify the CBI of concerns or potential breaches. The facts and findings serve as a reminder that boards and senior management must ensure that all relevant business lines are subject to appropriate client due diligence, AML/CFT risk assessment and risk controls, and that regulatory concerns or breaches are promptly reported to the CBI.

Most recently, in November 2025, the CBI imposed a fine of €21,464,734 on virtual asset service provider, Coinbase Europe Limited (Coinbase), for its failure to comply with transaction monitoring obligations in the 2010 Act in relation to over 30 million transactions. Coinbase also failed to adopt sufficient internal policies, controls and procedures to prevent and detect the commission of money laundering and terrorist financing. Although Coinbase outsourced significant aspects of its transaction monitoring process to a sister entity based in the United States, it failed to properly oversee the transaction monitoring and remained responsible for compliance with the 2010 Act. This was the first fine imposed by the CBI on a firm in the crypto sector.

F&P REGIME


In April 2025, the CBI commenced a public consultation on revisions to aspects of its F&P regime following the independent review of the F&P approval process by Mr Andrea Enria, former chair of the European Central Bank’s Supervisory Board, to assess its transparency, efficiency and effectiveness.

Following receipt of stakeholder feedback, the CBI published revised Guidance on the Fitness and Probity Standards (revised Guidance), which took effect on 20 November 2025. The revised Guidance consolidates F&P guidance in existing CBI publications and correspondence (including FAQs) and implements targeted enhancements in a broad range of areas, such as:

  • inherent responsibilities
  • board independence
  • knowledge and experience
  • time commitments
  • job sharing
  • conflicts of interest
  • collective suitability, diversity and inclusion

The CBI also implemented a small number of changes to the list of prescribed pre-approval controlled functions (PCFs), namely:

  • the removal of PCF-24 (Head of Traded Markets) and PCF-25 (Head of International Primary Markets)
  • the addition of two new PCF roles: PCF-56 (Head of Safeguarding for Payment Institutions and Electronic Money Institutions) and PCF-57 (Head of Safeguarding for Crypto Asset Service Providers)

The CBI has indicated that it will conduct a more substantive review of the PCF list to coincide with its planned review of SEAR in 2027 to make the PCF list clearer and more manageable for firms.

The Fitness and Probity Standards have also been updated to a November 2025 version, which consolidates the previous Fitness and Probity Standards 2023 and the Fitness and Probity Standards for Credit Unions 2024 into one set of standards, without making substantive changes to the text.

REVIEW OF THE CPC


Concluding its review of the CPC, the CBI published a feedback statement following last year’s public consultation on draft regulations and guidance documents to revise and replace the CPC.

The feedback statement was accompanied by the following final regulations and guidance documents (which are available to view via the ‘Consumer Protection Code 2025’ webpage on the CBI’s website):

  • Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 (Standards for Business Regulations)
  • Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 (Consumer Protection Regulations)
  • Guidance on Securing Customers’ Interests
  • Guidance on Protecting Consumers in Vulnerable Circumstances
  • General Guidance on the CPC

The Standards for Business Regulations set out ‘Standards for Business’ for in-scope firms that build on the existing ‘General Principles’ in the CPC by introducing new and enhanced requirements. The Standards for Business are complemented by ‘Supporting Standards for Business’ that provide detail on how firms should, at a minimum, comply with the Standards for Business.

The Consumer Protection Regulations contain new and enhanced requirements to strengthen protections for consumers and reflect the changing financial services landscape and technological developments. The Consumer Protection Regulations also consolidate several existing CBI regulations and codes, namely the CBI’s Code of Conduct on Mortgage Arrears 2013, the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Licensed Moneylenders) Regulations 2020 and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022.

The Standards for Business Regulations and Consumer Protection Regulations will apply from 24 March 2026.

EU ACCESSIBILITY ACT


The European Union (Accessibility Requirements of Products and Services) Regulations 2023 (the EAA Regulations), which transposed the EU Accessibility Act (Directive (EU) 2019/882) into Irish law, came into force on 28 June 2025 (subject to transitional provisions). The EAA Regulations contain requirements regarding the design, manufacture, operation and provision of certain technology-based or technology-provided products and services to ensure they are more accessible to consumers with disabilities. Most of the accessibility requirements apply to all products and services within the scope of the EAA Regulations but additional accessibility requirements apply to specific in-scope products and services, which include (from a financial services perspective) payment terminals, ATMs and ‘consumer banking services’. Providers of consumer banking services will also need to consider requirements in the Consumer Protection Regulations relating to the design and testing of digital platforms and user information.

DIGITAL OPERATIONAL RESILIENCE


The Digital Operational Resilience Act (DORA) came into effect across the EU on 17 January 2025 following a two-year implementation period. Regulations giving further effect to DORA in Ireland were published in February 2025. The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 afford the CBI supervisory and enforcement powers necessary to perform its duties and functions under DORA, and designate the CBI as the competent authority in Ireland responsible for matters relating to threat-led penetration testing in the financial sector.

PAYMENT SERVICES


On 27 November 2025, it was announced that the European Parliament and the Council of the EU had reached agreement on the proposals for a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR). At the time of writing, the agreed texts have not been published, so the precise details cannot be analysed. The most significant change proposed under PSD3 is the introduction of a sole licensing requirement for firms providing payment services or e-money services, thereby consolidating the authorisation process and regulatory regime for these firms. The proposal for PSR includes anti-fraud measures, increased transparency measures, amended safeguarding provisions and enhanced consumer protections. These proposals need to be formally adopted by both sides before they can be signed into law and published in the Official Journal of the EU.

AML/CFT


The EU’s new Anti-Money Laundering Authority (AMLA) became operational on 1 July 2025. AMLA was established to integrate and improve the effectiveness and consistency of AML/CFT supervision and enforcement across the EU’s financial and non-financial sectors. Although AMLA is operational, it has not yet commenced all of its mandated activities, which will be implemented on a phased basis up until 1 January 2028.

From 1 January 2028, AMLA will directly supervise financial sector entities that operate in at least six Member States and are identified as posing the highest money laundering risk. AMLA will indirectly supervise other financial sector entities, as well as non-financial sector entities, through the co-ordination of EU national AML/CFT supervisory authorities. AMLA’s other key tasks include risk monitoring, supporting the work of financial intelligence units, managing a central AML/CFT database and monitoring compliance with financial sanctions.

BASEL III REFORMS


The Basel III reforms came into effect for the EU banking sector on 1 January 2025 via the third Capital Requirements Regulation (Regulation (EU) 2024/1623). This does not include the revised prudential framework for market risk (known as the ‘fundamental review of the trading book’ (FRTB)), which has been postponed until 1 January 2027 pursuant to Delegated Regulation (EU) 2025/1496. In-scope institutions must continue to apply the pre-FRTB market risk framework until 1 January 2027.

LOOKING AHEAD

  • From 20 November 2026, in-scope firms will need to be ready to implement and comply with Irish legislation (still awaited) transposing the new Consumer Credit Directive.
  • From 19 June 2026, in-scope firms will need to be ready to implement and comply with Irish legislation (still awaited) transposing the new Distance Marketing Directive.
  • The proposal for a regulation on financial data access, which was first proposed back in June 2023, is still moving through the EU’s legislative process and interinstitutional negotiations are expected to progress next year.
  • Eurozone and non-eurozone payment service providers will need to continue work to implement the changes necessary to comply with requirements in the Instant Payments Regulation (Regulation (EU) 2024/886) in line with the phased implementation timeline.
  • The proposals for the European Commission’s Retail Investment Package are going through the EU’s legislative process. A number of areas in the proposal for an amending directive on retail investor protection rules are proving contentious (e.g. the proposals on inducements and value for money), which is contributing to slow progress towards political agreement on the text.

©2025 A&L Goodbody LLP

All rights reserved
