Consumer Protection Code 2025

The CBI has published additional guidance on securing customers’ interests and this guidance articulates the CBI’s expectations of firms. Several additions have been made to include further detail on the following areas:

• Proportionality: Firms should consider the customer outcomes resulting from their actions, factoring in their role, the nature of their products and services and the profile of their customers. While aiming for fair outcomes, firms are not responsible for all risks or guaranteeing positive results. They must ensure compliance with obligations, including suitability, and ensure customers understand and accept the risks without overriding customers’ autonomy.
• Customer autonomy: The guidance reinforces that securing customers’ interests means respecting their decisions and preferences, not acting on their behalf, aligning with the Assisted Decision-Making (Capacity) Act (“ADMA”). Firms should empower customers to make informed decisions, while upholding their autonomy.
• Culture and governance: The guidance clarifies that the expectations of the Individual Accountability Framework (“IAF”) align with the CPC’s focus on securing customers’ interests. The application of individual conduct standards under the IAF align with the conduct-related Standards for Business in the CPC, ensuring that the behaviour and actions of individuals within firms contribute to the firm's compliance with its obligations under the CPC.
• Assessing compliance: The Consumer Protection Risk Assessment (“CPRA”) Guidance should be read together with the CPC to support firms in meeting consumer protection obligations. The CBI has reemphasised that CPRAs are integral to the supervisory framework for various financial institutions, helping firms evaluate if they are protecting consumer interests.
• Market in Financial Instruments Directive (“MiFID”) firms and crowdfunding services: The Standards for Business do not directly apply to firms providing MiFID or crowdfunding services. However, these firms are expected to consider the CBI’s guidance when fulfilling their obligation to act in the best interests of customers and protecting consumers in vulnerable circumstances. However, these are not required to comply with Trusted Contact Persons or training requirements.

• Pause statement: The draft regulations initially required firms to present a pause statement to consumers before entering into a contract on a digital platform, encouraging them to think carefully before proceeding. To avoid potential customer frustration, this has been replaced with a requirement to provide consumers with 'sufficient opportunity' to consider before entering into a contract.
• Testing programmes and algorithms: The CBI has removed the requirements that prescribed the frequency of testing for computer programmes and algorithms used on digital platforms.
• Product filtering: The requirement for firms to allow consumers to filter products when three or more are offered has been removed. Instead, the CBI has provided guidance on filtering as it pertains to the broader topic of digitalisation.
• Consent methods: Consent can now be provided by digital methods, as well as 'written' consent.
• Additional guidance on securing customers’ interests under digital delivery: In its guidance on securing customers’ interests the CBI has outlined that firms that engage with customers solely through digital channels must prioritise securing their customers' interests. This involves designing user-friendly interfaces tailored to the target market, as well as providing opportunities for additional support for example, when the digital platform is not working or where customer suspects that they are a victim of fraud. Digital platforms should be intuitive and accessible, with consideration for rapid support for customer issues.

• Terms of Business: The regulations have been updated to specify that firms must notify affected consumers of material changes to the Terms of Business five days before the changes take effect, clarifying that only those customers impacted by the changes need to be informed.
• Unsolicited contact: The CBI has clarified that the limit of three unsolicited communications per month regarding arrears does not apply to telephone calls that are not answered.
• Borrowers in arrears: Enhanced notification requirements have been introduced on the consequences of three missed repayments. References must now be included to the Insolvency Service of Ireland and borrowers must be advised that being deemed non-cooperative may affect eligibility for a personal insolvency arrangement.

• Mortgage calculators: A new requirement has been included to direct consumers to mortgage calculators on the Competition and Consumer Protection Commission (“CCPC”) website, where a firm provides information to customers by way of their own mortgage calculator e.g. calculation of total amount that could be borrowed or calculation of repayments.
• Title deeds: Regulated entities are now required to provide the title deeds to the legal representative of borrowers within 10 working days. This requirement was introduced to ensure the timely switching of mortgages.
• Lifetime mortgages: The requirement for firms to inform customers of the importance of obtaining legal advice prior to entering into a lifetime mortgage has been amended to also include financial advice.
• Personal Insolvency Practitioner: Firms are required to communicate with borrowers prior to classifying them as ‘not co-operating’. As part of this communication, firms advise customers that they may wish to seek independent legal advice or financial advice. This requirement now also includes reference to a Personal Insolvency Practitioner. Additionally, there is an updated requirement to direct mortgage borrowers to a Personal Insolvency Practitioner when advising them to seek independent assistance in completing the Standard Financial Statement. 

• Distinction between activities: Firms must establish, maintain and implement systems, controls, processes, policies and procedures to improve consumer clarity on the distinction between regulated and unregulated activities. This requirement applies only to entities offering both regulated and unregulated activities.

• Updated definition: The definition of a consumer in vulnerable circumstances now reflects that vulnerability can be permanent or temporary.
• Flexibility in recording: The requirement for recording information is less prescriptive than in draft regulations, acknowledging the various ways vulnerability can manifest.
• Trusted Contact Person: The regulations for appointing a Trusted Contact Person have been updated to include a requirement that, if a firm is aware a decision-making representative has been appointed under the ADMA, this representative takes precedence over the Trusted Contact Person.
• Additional guidance: The CBI has published additional guidance on protecting consumers in vulnerable circumstances. The changes to this offer further clarity on the meaning of 'harm', the appropriate treatment of customers in vulnerable circumstances when recording information and the role of the Trusted Contact Person. Moreover, adult safeguarding is now incorporated into staff training requirements, ensuring awareness of adults at risk of financial abuse or harm.

• Sustainability preferences: The CPC requires that sustainability preferences be gathered where relevant and reflected in the statement of suitability. However, the suitability assessment of a financial product should not include these sustainability preferences, ensuring that they do not overshadow the consumer's actual needs, objectives, financial situation, or attitude to risk.
• Additional guidance: The CBI has provided guidance to support firms in implementing this requirement as well as offering examples on how to effectively inform consumers on green products. 

• Debt counselling services: The requirement for HCCPs to advise consumers of debt counselling services, including local Money Advice and Budgeting Services (“MABS”) office details, after the third missed payment has been amended to the sixth missed payment.

• Health insurance notification: Firms must now notify all adults named on a health insurance policy if the policy or their cover ceases, previously there was no requirement to notify all adults named on a policy of these changes. This may have arisen in circumstances where, for example, an individual was covered on their partner’s health insurance policy.
• Claim forms: The regulation has been updated to specify that if a claim form is needed, the insurance provider must provide it within five days of becoming apparent that the form is required, rather than five days after receiving the claim notice.

• Acknowledgement of complaints: The new regulations require firms to immediately acknowledge complaints submitted electronically, using the same medium through which the complaint was made, to provide consumers with a record of their submission. The language has been amended to clarify that this applies specifically to cases where the consumer does not have evidence of their complaint submission, such as through web forms on regulated entities' websites.

• Customers not provided with a product or service: Records for consumers not provided with a product or service must be kept for 12 months only, while records for those provided with a product or service must be retained for six years (in line with the existing CPC). The 12-month period is now subject to consumer consent, meaning it will not apply if the consumer withdraws consent for data retention. 

• Timeline of reviews: The requirement for firms to review their advertisements for compliance every 12 months has been revised. The regulation now simply mandates that firms ensure their advertisements are regularly reviewed and updated as necessary for compliance with the regulations.
• Risk disclosure: Risks must be disclosed ‘in writing’ alongside the benefits in advertising. 

• Lifetime mortgages:
  • The requirements for warning statements on pre-contractual information and advertisements regarding the impact of missing repayments have been updated to clarify that they do not apply to lifetime mortgages.
  • The requirements for warning statements on advertisements regarding the impact of changes in interest rates on repayments have been updated to clarify that they do not apply to mortgages that don't make scheduled repayments of interest e.g. lifetime mortgages.
• Interest only mortgages: An additional requirement has been added to the approval in principle for interest only mortgages to warn customers that they will be liable for any shortfall in the value of the capital lump sum or proceeds of the asset sale at the end of the interest-only term.
• Statement on projected premiums: The requirement for firms to provide projected premiums for long-term insurance products has been removed and the text of the warning statement for these products has been amended accordingly.
• Investment products: New warning statements are required on application forms and annual statements, urging regular consultation with a financial advisor. 

• Ceasing operations: The requirement for regulated entities to provide at least two months' notice before ceasing operations, merging, or transferring activities has been changed. The notice period was initially increased to six months for all regulated entities; however, the six month notice requirement applies only to credit institutions leaving the Irish market.