error
Subscriptions are not available for this site while you are logged into your current account.
close
Skip to main content

      On 24 March 2025, following a comprehensive engagement process, the Central Bank of Ireland (“CBI”) published the finalised Consumer Protection Code (“CPC”) incorporating feedback received during the consultation phase. This comes into effect on 24 March 2026, giving firms 12 months to become compliant.

      The updated CPC represents a significant step forward in the evolution of consumer protection in Ireland. It reflects the CBI’s commitment to ensure that regulatory frameworks remain fit for purpose in a rapidly evolving financial landscape.

      The updated CPC is contained in two new regulations. The first sets out the Standards for Business and Supporting Standards for Business, which replaces the existing General Principles of the CPC. The second is the Consumer Protection Regulations, these regulations set out new and enhanced requirements across sectors and on a sector specific basis.

      Alongside these two regulations, the CBI has released supplementary guidance to support firms in implementing the requirements in the following areas: securing customers’ interests, protecting consumers in vulnerable circumstances and general code guidance.

      Our Risk Consulting team outlines the key changes in the final regulations and guidance documents compared to the draft versions which were published by the CBI in March 2024. In the coming weeks, we will be publishing further insights on the updated CPC and providing our clients with insights on how these changes impact their business.

      Below is an initial summary of the changes between the final and draft CPC:

      The CBI has published additional guidance on securing customers’ interests and this guidance articulates the CBI’s expectations of firms. Several additions have been made to include further detail on the following areas:

      • Proportionality: Firms should consider the customer outcomes resulting from their actions, factoring in their role, the nature of their products and services and the profile of their customers. While aiming for fair outcomes, firms are not responsible for all risks or guaranteeing positive results. They must ensure compliance with obligations, including suitability, and ensure customers understand and accept the risks without overriding customers’ autonomy.
      • Customer autonomy: The guidance reinforces that securing customers’ interests means respecting their decisions and preferences, not acting on their behalf, aligning with the Assisted Decision-Making (Capacity) Act (“ADMA”). Firms should empower customers to make informed decisions, while upholding their autonomy.
      • Culture and governance: The guidance clarifies that the expectations of the Individual Accountability Framework (“IAF”) align with the CPC’s focus on securing customers’ interests. The application of individual conduct standards under the IAF align with the conduct-related Standards for Business in the CPC, ensuring that the behaviour and actions of individuals within firms contribute to the firm's compliance with its obligations under the CPC.
      • Assessing compliance: The Consumer Protection Risk Assessment (“CPRA”) Guidance should be read together with the CPC to support firms in meeting consumer protection obligations. The CBI has reemphasised that CPRAs are integral to the supervisory framework for various financial institutions, helping firms evaluate if they are protecting consumer interests.
      • Market in Financial Instruments Directive (“MiFID”) firms and crowdfunding services: The Standards for Business do not directly apply to firms providing MiFID or crowdfunding services. However, these firms are expected to consider the CBI’s guidance when fulfilling their obligation to act in the best interests of customers and protecting consumers in vulnerable circumstances. However, these are not required to comply with Trusted Contact Persons or training requirements.

      • Pause statement: The draft regulations initially required firms to present a pause statement to consumers before entering into a contract on a digital platform, encouraging them to think carefully before proceeding. To avoid potential customer frustration, this has been replaced with a requirement to provide consumers with 'sufficient opportunity' to consider before entering into a contract.
      • Testing programmes and algorithms: The CBI has removed the requirements that prescribed the frequency of testing for computer programmes and algorithms used on digital platforms.
      • Product filtering: The requirement for firms to allow consumers to filter products when three or more are offered has been removed. Instead, the CBI has provided guidance on filtering as it pertains to the broader topic of digitalisation.
      • Consent methods: Consent can now be provided by digital methods, as well as 'written' consent.
      • Additional guidance on securing customers’ interests under digital delivery: In its guidance on securing customers’ interests the CBI has outlined that firms that engage with customers solely through digital channels must prioritise securing their customers' interests. This involves designing user-friendly interfaces tailored to the target market, as well as providing opportunities for additional support for example, when the digital platform is not working or where customer suspects that they are a victim of fraud. Digital platforms should be intuitive and accessible, with consideration for rapid support for customer issues.

      • Terms of Business: The regulations have been updated to specify that firms must notify affected consumers of material changes to the Terms of Business five days before the changes take effect, clarifying that only those customers impacted by the changes need to be informed.
      • Unsolicited contact: The CBI has clarified that the limit of three unsolicited communications per month regarding arrears does not apply to telephone calls that are not answered.
      • Borrowers in arrears: Enhanced notification requirements have been introduced on the consequences of three missed repayments. References must now be included to the Insolvency Service of Ireland and borrowers must be advised that being deemed non-cooperative may affect eligibility for a personal insolvency arrangement.

      • Mortgage calculators: A new requirement has been included to direct consumers to mortgage calculators on the Competition and Consumer Protection Commission (“CCPC”) website, where a firm provides information to customers by way of their own mortgage calculator e.g. calculation of total amount that could be borrowed or calculation of repayments.
      • Title deeds: Regulated entities are now required to provide the title deeds to the legal representative of borrowers within 10 working days. This requirement was introduced to ensure the timely switching of mortgages.
      • Lifetime mortgages: The requirement for firms to inform customers of the importance of obtaining legal advice prior to entering into a lifetime mortgage has been amended to also include financial advice.
      • Personal Insolvency Practitioner: Firms are required to communicate with borrowers prior to classifying them as ‘not co-operating’. As part of this communication, firms advise customers that they may wish to seek independent legal advice or financial advice. This requirement now also includes reference to a Personal Insolvency Practitioner. Additionally, there is an updated requirement to direct mortgage borrowers to a Personal Insolvency Practitioner when advising them to seek independent assistance in completing the Standard Financial Statement. 

      • Distinction between activities: Firms must establish, maintain and implement systems, controls, processes, policies and procedures to improve consumer clarity on the distinction between regulated and unregulated activities. This requirement applies only to entities offering both regulated and unregulated activities.

      • Updated definition: The definition of a consumer in vulnerable circumstances now reflects that vulnerability can be permanent or temporary.
      • Flexibility in recording: The requirement for recording information is less prescriptive than in draft regulations, acknowledging the various ways vulnerability can manifest.
      • Trusted Contact Person: The regulations for appointing a Trusted Contact Person have been updated to include a requirement that, if a firm is aware a decision-making representative has been appointed under the ADMA, this representative takes precedence over the Trusted Contact Person.
      • Additional guidance: The CBI has published additional guidance on protecting consumers in vulnerable circumstances. The changes to this offer further clarity on the meaning of 'harm', the appropriate treatment of customers in vulnerable circumstances when recording information and the role of the Trusted Contact Person. Moreover, adult safeguarding is now incorporated into staff training requirements, ensuring awareness of adults at risk of financial abuse or harm.

      • Sustainability preferences: The CPC requires that sustainability preferences be gathered where relevant and reflected in the statement of suitability. However, the suitability assessment of a financial product should not include these sustainability preferences, ensuring that they do not overshadow the consumer's actual needs, objectives, financial situation, or attitude to risk.
      • Additional guidance: The CBI has provided guidance to support firms in implementing this requirement as well as offering examples on how to effectively inform consumers on green products. 

      • Debt counselling services: The requirement for HCCPs to advise consumers of debt counselling services, including local Money Advice and Budgeting Services (“MABS”) office details, after the third missed payment has been amended to the sixth missed payment.

      • Health insurance notification: Firms must now notify all adults named on a health insurance policy if the policy or their cover ceases, previously there was no requirement to notify all adults named on a policy of these changes. This may have arisen in circumstances where, for example, an individual was covered on their partner’s health insurance policy.
      • Claim forms: The regulation has been updated to specify that if a claim form is needed, the insurance provider must provide it within five days of becoming apparent that the form is required, rather than five days after receiving the claim notice.

      • Acknowledgement of complaints: The new regulations require firms to immediately acknowledge complaints submitted electronically, using the same medium through which the complaint was made, to provide consumers with a record of their submission. The language has been amended to clarify that this applies specifically to cases where the consumer does not have evidence of their complaint submission, such as through web forms on regulated entities' websites.

      • Customers not provided with a product or service: Records for consumers not provided with a product or service must be kept for 12 months only, while records for those provided with a product or service must be retained for six years (in line with the existing CPC). The 12-month period is now subject to consumer consent, meaning it will not apply if the consumer withdraws consent for data retention. 

      • Timeline of reviews: The requirement for firms to review their advertisements for compliance every 12 months has been revised. The regulation now simply mandates that firms ensure their advertisements are regularly reviewed and updated as necessary for compliance with the regulations.
      • Risk disclosure: Risks must be disclosed ‘in writing’ alongside the benefits in advertising. 

      • Lifetime mortgages:
        • The requirements for warning statements on pre-contractual information and advertisements regarding the impact of missing repayments have been updated to clarify that they do not apply to lifetime mortgages.
        • The requirements for warning statements on advertisements regarding the impact of changes in interest rates on repayments have been updated to clarify that they do not apply to mortgages that don't make scheduled repayments of interest e.g. lifetime mortgages.
      • Interest only mortgages: An additional requirement has been added to the approval in principle for interest only mortgages to warn customers that they will be liable for any shortfall in the value of the capital lump sum or proceeds of the asset sale at the end of the interest-only term.
      • Statement on projected premiums: The requirement for firms to provide projected premiums for long-term insurance products has been removed and the text of the warning statement for these products has been amended accordingly.
      • Investment products: New warning statements are required on application forms and annual statements, urging regular consultation with a financial advisor. 

      • Ceasing operations: The requirement for regulated entities to provide at least two months' notice before ceasing operations, merging, or transferring activities has been changed. The notice period was initially increased to six months for all regulated entities; however, the six month notice requirement applies only to credit institutions leaving the Irish market.

      Other revisions to requirements

      Minor amendments have been made to the existing regulations to improve understanding and ensure appropriate application of the requirements. The CBI has provided additional clarity on areas such as the display of Terms of Business on websites, warning statements in audio advertisements and lifetime mortgages, and the use of simple language has been applied across various requirements.

      In some cases, the CBI has reverted to the original CPC 2012 requirements for areas related to annual percentage rate (“APR”), instructions received from customers, lifetime mortgages (i.e. not requiring an indication of the amount to repay), the provision of product information by phone and insurance claim processing.

      The scope of the regulations has been updated, including crypto assets in alignment with Market in Crypto Assets Regulation (“MiCAR”). Several items have been excluded or removed from the scope of specific requirements, impacting reinsurance firms, financial abuse obligations, information on regulatory status, advertising and unsolicited contact.

      The CBI’s General Code Guidance helps firms implement the revised regulations by offering detailed support and clarification on the broader requirements of the updated CPC. It offers new insights on changes, incorporating feedback from the consultation process.

      Key areas of clarification in the updated guidance include a definition for ‘customer’ and ‘consumer’, further guidance on financial abuse, digitalisation, informing customers effectively, unregulated activities, errors resolution, know your customer (“KYC”) and suitability, and branch closures, mergers or relocations. 

      What’s next?

      The updated CPC comes into effect on 24 March 2026, giving firms a 12-month period to get to grips with their obligations.

      It is imperative that firms take proactive steps to prepare for these changes, making the necessary adjustments to their processes, policies and procedures in order to meet the updated requirements. This preparation will ensure a smooth transition and help firms maintain their commitment to consumer protection.

      Our Risk Consulting team is carefully conducting a thorough review of the CBI’s final versions of the regulation and supplementary guidance. Over the coming weeks, we will be publishing insights to support firms to navigate and implement the revised regulations effectively.

      If you have any questions about how the CPC will apply to your business, or if you would like to learn more, please contact our team below. 

      Queries? Contact our Consulting team

      Discover more in Risk Consulting

      Something went wrong

      Oops!! Something went wrong, please try again