Ireland is home to a wide variety of financial services providers. To support both providers and their customers, there is an array of financial services legislation, regulations and codes that apply, including many EU frameworks. Some of these are sector-specific, while others apply across many different sectors.

Banking

The regulation of banks in Ireland is entwined with EU requirements. The Single Supervisory Mechanism (SSM), encompassing both the SSM Regulation (1024/2013/EU) and the SSM Framework Regulation (468/2014/EU), divides the supervision of banks between the European Central Bank (ECB) and the Central Bank of Ireland (CBI). Significant institutions are supervised purely by the ECB, while less significant institutions are supervised by the CBI with oversight from the ECB.

The EU capital requirements framework (encompassing the Capital Requirements Regulation (575/2013/EU) (CRR) and the Capital Requirements Directive (2013/36/EU) (CRD)) also applies to banks in Ireland and sets out rules for banks, including on capital, liquidity, governance and risk. The CRD was transposed into Irish law by the European Union (Capital Requirements) Regulations 2014, while the CRR is directly applicable in Ireland. These sit alongside the Central Bank Acts 1942 to 2018 and other cross-sectoral law governing, inter alia, conduct of business, fitness and probity.

Bank recovery and resolution is provided for under the Bank Recovery and Resolution Directive (2014/59/EU) (BRRD). The BRRD and BRRD II (2019/879/EU) have been transposed into Irish law by the European Union (Bank Recovery and Resolution) Regulations 2015 (as amended). The Central Bank and Credit Institutions (Resolution) Act 2011 is also applicable to the resolution framework of Irish credit institutions.

Payments and E-Money

Irish authorised payment institutions are governed by the European Union (Payment Services) Regulations 2018 (PSR), which transposed the Revised Payment Services Directive (2015/2366/EU) (PSD2) into Irish law. Irish authorised electronic money (“e-money”) institutions are governed by the European Communities (Electronic Money) Regulations 2011 (EMR), which transposed the E-Money Directive (2009/110/EC) into Irish law. Where an e-money institution is also providing payment services, it will need to comply with PSD2/the PSR. The PSR and EMR set out various requirements for payment and e-money institutions respectively, including the authorisation requirements, application process, safeguarding requirements and governance requirements.

Investment Firms

Investment firms in Ireland are typically authorised under the European Union (Markets in Financial Instruments) Regulations 2017 (“MiFID II Regulations”) which transposed the Markets in Financial Instruments Directive (2014/65/EU) (MiFID) into Irish law. MiFID firms are permitted to passport their authorisations throughout the EU with CBI approval.

There is a separate domestic regime for investment firms authorised under the Investment Intermediaries Act 1995 (IIA). IIA services are similar but broader than MiFID services and can include recommending an investment service provider, acting as a fund administrator and/or deposit broking. There is no ability to passport under the IIA.

Funds Service Providers

Ireland is a major funds hub. A number of service providers operate in Ireland, including fund administrators, Undertakings for Collective Investment in Transferable Securities (UCITS) management companies and alternative investment fund managers (AIFMs). Fund administrators are authorised under the IIA and are subject to, inter alia, the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2023.

UCITS management companies are authorised under the European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011 and are also subject to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Undertakings for Collective Investment in Transferable Securities) Regulations 2019 (“CBI UCITS Regulations”). UCITS management companies are subject to the wider EU UCITS regime.

AIFMs are authorised under the European Union (Alternative Investment Fund Managers) Regulations 2013 and adhere to the CBI’s AIF Rulebook. They are subject to the wider EU Alternative Investment Fund Managers Directive (AIFMD) regime.

Both UCITS management companies and AIFMs are subject to the CBI’s Fund Management Companies Guidance 2016 (governing organisational requirements and delegation frameworks).

Insurance

Insurers and reinsurers are authorised and regulated under the European Union (Insurance and Reinsurance) Regulations 2015 (“SII Regulations”), which implemented the Solvency II Directive (2009/138/EC). In addition, insurance undertakings and insurance intermediaries are regulated under the European Union (Insurance Distribution) Regulations 2018, which transpose the Insurance Distribution Directive (2016/97/EU) into Irish law.

Consumer Protection and Lending

Consumer credit is governed by Irish consumer credit legislation, including the Consumer Credit Act 1995 (CCA) and relevant EU law such as the European Communities (Consumer Credit Agreements) Regulations 2010 (“Consumer Credit Regulations”). Credit servicing and retail credit firms require CBI authorisation and are regulated under the Central Bank Act 1997 (“CBA 1997”).

The CBI’s Consumer Protection Code 2012 (CPC) is the core code setting out rules for how regulated financial services providers (subject to certain exceptions) operating in Ireland interact with certain customers. It includes rules on fairness, transparency, suitability, complaints, vulnerable customers and advertising.

In addition, there are specific CBI codes for mortgage arrears (the Code of Conduct on Mortgage Arrears 2013) (CCMA) and for regulated entities lending to small and medium-sized enterprises (the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015). The Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 (“CP Regulations”), will, from 24 March 2026, replace the CPC. The CCMA will be subsumed within the new CPC.

Anti-Money Laundering and Combating the Financing of Terrorism

Anti-money laundering (AML) and countering the financing of terrorism (CFT) is governed by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA), implementing the various EU AML directives. Parts of the CJA apply to “designated persons”, which includes regulated entities. Further, unauthorised entities providing certain products and services, including lending, can come within the CJA requirements where they provide certain services – in particular, lending to corporates. These firms are required to register with the CBI as “Schedule 2 Firms”. Obligations for designated persons under the CJA include risk assessments, customer due diligence, ongoing monitoring and reporting suspicious transactions.

Data Protection and Digital Resilience

The General Data Protection Regulation (2016/679/EU) (GDPR) and Ireland’s Data Protection Act 2018 govern the processing of personal data by financial firms.

Operational resilience and information and communications technology (ICT) risk are now harmonised under the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA), which applies across a range of entities including banks, payment and e-money institutions, insurers, investment firms, funds and key ICT providers.

Other Notable Legislation and Regulations

There is a range of other legislation and regulations that may be relevant, depending on the type of entity and the products and services being offered. These include:

• the Credit Reporting Act 2013;
• the Consumer Rights Act 2022;
• the Consumer Protection (Regulation of Credit Servicing Firms) Act 2015;
• the Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022;
• the Financial Services and Pensions Ombudsman Act 2017;
• the European Union (Crowdfunding) Regulations 2021;
• the Credit Union Act 1997; and
• the Central Bank (Individual Accountability Framework) Act 2023.

Ireland has a strong financial services ecosystem, with a diverse range of financial products and services. Whether those products and services are regulated and, if so, how they are regulated will depend on the specific case in question, including the type of customer.

Banking and Deposit-Taking

• Banks: Under the Central Bank Act 1971 (“CBA 1971”), a banking licence or authorisation is required to carry on banking business and accept deposits or other repayable funds from members of the public.
• Credit unions: Deposit taking is also regulated under the Credit Union Act 1997, a separate domestic regime with specific authorisation and prudential standards for credit unions.

Payments and E-Money

• Payment service providers: Under the PSR, an entity must be authorised as a payment institution to provide regulated payment services, unless it is otherwise permitted to provide payment services or falls within one of the exemptions under the PSR/PSD2.
• Electronic money institutions (EMIs): The issuing of e-money is regulated under the EMR. Unlike banks, e‑money and payment institutions cannot take deposits from customers.
• Agents and distributors: Notification to the CBI in relation to agents and distributors of payment/e-money institutions is required under the PSR and EMR.

Lending, Credit and Servicing

• Retail credit firms: A person that meets the definition of a “retail credit firm” is required to obtain authorisation from the CBI or to otherwise hold a relevant authorisation such as a bank or credit union authorisation. Unless a relevant exclusion under the definition of a retail credit firm applies, where a person’s business consists of directly or indirectly providing credit to natural persons in Ireland, that person needs to be authorised as a retail credit firm.
• Consumer credit: Consumer hire purchase/personal contract plans, consumer hire agreements and housing loans (where the credit is provided to a consumer on the security of a mortgage) are all regulated under the CCA.
• Credit servicing firms: Under the CBA 1997, an entity needs to be appropriately authorised as a “credit servicing firm” where it carries out “credit servicing”. Pursuant to Section 28 of the CBA 1997, credit servicing includes holding the legal title to the rights of the creditor under a credit agreement, managing or administering the credit agreement or communicating with a relevant borrower on certain matters. The European Union (Credit Servicers and Credit Purchasers) Regulations 2023 are also applicable in the credit servicing context.
• High-cost credit providers: Previously termed moneylenders, high-cost credit providers are regulated under the CCA and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Licensed Moneylenders) Regulations 2020. As discussed further below, a new Consumer Protection Code will be applicable in Ireland from March 2026. This will include regulations for high-cost credit providers, consolidating the existing requirements.

Investment Services

Under Regulation 5(1) of the MiFID Regulations, a person is prohibited from acting as an investment firm in Ireland without an appropriate authorisation. Investment services include reception and transmission of orders, execution of orders, investment advice and portfolio management in respect of financial instruments. The MiFID Regulations also regulate the provision of ancillary services such as safekeeping and administration of financial instruments (but only in cases where the entity is also carrying out an investment service).

The provision of investment services relating to certain instruments that are not otherwise covered by the MiFID II Regulations may be regulated under the IIA (for example, deposits and tracker bonds).

Insurance and Reinsurance

Writing (re)insurance in Ireland is a regulated activity under the SII Regulations.

Intermediaries

A person is prohibited from carrying on the activities of a “credit intermediary” or “mortgage credit intermediary” without holding the necessary authorisation to do so. A credit intermediary is required to be authorised under Section 116(1) of the CCA or, as applicable, the Consumer Credit Regulations. A mortgage credit intermediary is required to be authorised pursuant to the European Union (Consumer Mortgage Credit Agreements) Regulations 2016.

Investment intermediaries are authorised under the IIA.

Crowdfunding

The provision of crowdfunding services, as defined in the EU Crowdfunding Regulation (2020/1503/EU), requires authorisation as a crowdfunding service provider.

Trust or Company Service Provider

Under Section 87 of the CJA, trust or company service providers (TCSPs) require authorisation. Pursuant to Section 24(1) of the CJA, TCSPs provide services relating to the formation, management and administration of companies and trusts.

1. Intra-Group Exemptions

MiFID II Regulations

Regulation 4(1)(b) of the MiFID II Regulations provides that the MiFID II Regulations do not apply to persons that provide investment services exclusively for their parent undertakings, subsidiaries or other subsidiaries of their parent undertakings.

A similar intragroup exemption is available in the IIA.

Payment Services Regulations

Regulation 4(1)(n) of the PSR provides that the PSR do not apply to payment transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a payment service provider other than an undertaking belonging to the same group.

2. Reverse Solicitation

Pursuant to Regulation 51 of the MiFID II Regulations, where a retail client or an opt-up professional client established or situated in Ireland initiates, at its own exclusive initiative, the provision of an investment service or the performance of an investment activity by a third-country firm, the authorisation requirements under the MiFID II Regulations do not apply to the provision of that service or the performance of that activity by the firm to that person, including a relationship specifically relating to the provision of that service or the performance of an activity.

The MiFID II Regulations are silent on whether reverse solicitation is permitted for per se professional clients. Typically, non-EEA firms rely instead on the MiFID II Safe Harbour Exemption (as defined below), which provides greater flexibility to the firm.

3. Safe Harbour Exemptions

MiFID II Safe Harbour Exemption

Regulation 5(4) of the MiFID II Regulations (“MiFID II Safe Harbour Exemption”) provides that an entity is not regarded as operating in Ireland (and thus not required to be authorised by the CBI) when providing MiFID investment services to per se professional clients located in Ireland where the following criteria are satisfied:

• the investment firm does not have a branch or any permanent establishment in Ireland;
• the investment firm provides MiFID II investment services to per se professional clients only in Ireland; and
• either:
1. in respect of EEA firms, the investment firm:
1. does not provide any investment services in respect of which it is required to be authorised in its home member state for the purposes of MiFID II; or
2. provides only investment services in Ireland of a kind for which authorisation under MiFID II is not available during the provision of the investment services; or
2. in respect of third-country firms:
1. the firm is authorised/supervised in the relevant third country and authorised so that its competent authority pays due regard to any recommendations of the Financial Action Task Force in the context of AML and CFT; and
2. co-operation arrangements are in place between the CBI and the relevant third-country competent authorities regulating the exchange of information for the purpose of preserving the integrity of the market and protecting investors.

IIA Safe Harbour Exemption

There is a territorial safe harbour in the IIA which provides that an investment business firm shall not be regarded as operating in Ireland and therefore will fall outside the scope of the IIA where:

• the firm has no branch or any permanent establishment in Ireland;
• the firm provides IIA investment business services only to per se professional clients or retail clients that are not individuals (unless the individual also provides investment business services pursuant to the IIA or investment services under MiFID II); and
• either:
1. the firm’s head or registered office is in a state outside of the EU; or
2. the firm’s head or registered office is in an EEA member state and:
1. the firm is not providing investment business services in its home member state requiring authorisation under MIFID II; or
2. the firm is authorised under MIFID II but provides investment business services of a kind for which authorisation under MIFID II is not available when it is providing such services.

4. Dealing on Own Account Exemption

Regulation 4(1)(c) of the MiFID II Regulations provides for an exemption from the MiFID II Regulations for entities that do not provide any investment services or activities other than dealing on own account. Certain conditions, however, must be met.

5. Commercial Agency Exemption

Regulation 4(1)(b) of the PSR provides that the PSR do not apply to payment transactions from a payer to a payee through a commercial agent authorised under an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of the payer only or the payee only.

It should be noted that there are proposals to amend the PSD2, and, at present, these proposals include a proposal to narrow the applicability of the commercial agency exemption.

6. Limited Network Exclusion

Regulation 4(1)(k) of the PSR provides that the PSR do not apply to services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

• the instruments allow the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
• the instruments can be used only to acquire a very limited range of goods or services; or
• the instruments are valid only in a single EEA member state provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer.

7. ICT Exclusion

Regulation 4(1)(j) of the PSR provides that the PSR do not apply to services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services.

The Markets in Crypto-Assets Regulation (2023/1114/EU) (MiCA) sets out the main requirements for issuers of asset-referenced tokens and e-money tokens and for crypto-asset service providers (CASPs), and is directly applicable in Ireland. MiCA includes requirements in relation to authorisation, conduct, governance and disclosure. At an Irish level, the European Union (Markets in Crypto-Assets) Regulations 2024 provide for the CBI to be Ireland’s competent authority in respect of MiCA.

Before MiCA was applicable in Ireland, virtual asset service providers (VASPs) in Ireland were regulated by the CBI for AML and CFT purposes only, under the CJA. This required VASPs to register with the CBI and be subject to the requirements on designated persons in the CJA, as discussed in 1.1 Key Financial Services Law.

Owing to the transitional period provided for under MiCA, VASPs that were operating in Ireland before 30 December 2024 were permitted to operate after 30 December 2024, until the earlier of receipt of their CASP authorisation from the CBI (or refusal if applicable) or 30 December 2025.

The main financial services regulators in Ireland are:

• CBI: The CBI is the primary regulator for financial services in Ireland and regulates and supervises a wide range of entities including banks, retail credit firms, payment and e-money institutions, crowdfunding service providers, CASPs and credit unions. As well as authorising such entities, it sets out conduct and prudential rules, supervises firms for ongoing compliance with requirements such as AML/CFT, and is responsible for the assessment and approval of certain individuals proposed to hold senior roles in regulated entities (pre-approval controlled function roles, or PCFs).
• Department of Finance (DoF): The DoF sets the overall policy and legal framework for financial services in Ireland, while respecting the CBI’s operational independence.
• Competition and Consumer Protection Commission (CCPC): The CCPC is a statutory body which, among other things, provides information to consumers on their rights and enforces compliance with certain consumer protection laws in Ireland related to financial services. The CCPC also has responsibility for authorising credit intermediaries under the CCA.
• Pensions Authority (PA): The PA is also a statutory body and has responsibility for overseeing compliance with the Pensions Act, including by employers and occupational pension scheme trustees.
• Financial Services and Pensions Ombudsman (FSPO): The FSPO is an independent, impartial, fair and free service that helps resolve complaints from consumers, including small businesses and other organisations, against financial service providers and pension providers.

The primary Irish financial services regulator, the CBI, is very open and transparent, and strives to assist those that are authorised/registered or those seeking to be authorised/registered in understanding the requirements applying to them. The CBI does this by publishing several different types of documents on its website (www.centralbank.ie), which is where the CBI’s main rules and guidance can be located.

Authorisation Requirements

The CBI provides helpful information pages in relation to each type of entity it regulates, including information on the specific legislation and regulatory requirements relevant for each. Application forms, related documents and information on the process involved are also included on the CBI website. Application forms for each type of entity include helpful guidance on how to approach the application form, and some are supplemented with additional guidance from the CBI, such as the CBI’s “Expectations for Authorisation as a Payment Institution or Electronic Money Institution, or Registration as an Account Information Service Provider”.

Dear CEO Letters

The CBI sends “Dear CEO” letters to CEOs of regulated entities on an ad hoc basis, and these are also available on the CBI’s website. These letters can cover a wide variety of matters and seek to set out the CBI’s views and expectations on different topics. For example, in June 2023, the CBI released a “Dear CEO” letter to high-cost credit providers which included the output of the CBI’s supervisory engagements with that sector.

AML and CFT

From an AML and CFT perspective, the CBI releases AML Bulletins on an ad hoc basis. These are very useful for those that are subject to the CJA as they set out key information and guidance from the CBI. For example, the CBI has previously published an AML Bulletin on transaction monitoring. In addition to this, the CBI has published “Anti-Money Laundering and Countering the Financing of Terrorism Guidelines for the Financial Sector” (June 2021), which detail the CBI’s expectations on AML and CFT compliance in accordance with the CJA. While only applicable to credit and financial institutions, this document is a helpful guide to any entity subject to the CJA.

Outsourcing

In addition to the “Guidelines on Outsourcing Arrangements” published by theEuropean Banking Authority (EBA), the CBI has published its own “Cross-Industry Guidance on Outsourcing”, which applies to a broader range of entities than the EBA’s guidelines and sets out the CBI’s expectations with regard to outsourcing, including outsourcing agreements, service-level agreements, due diligence and assessments of criticality or importance.

Quarterly Bulletins

The CBI releases quarterly reports to industry which set out updates on the Irish economy and developments in the market, together with the CBI’s views on matters.

Insurance Updates

The CBI publishes quarterly insurance updates by way of newsletters published on its website. These include CBI updates, insurance-specific updates/insights and supervisory insights.

Consultation Papers

Where a change is proposed by the CBI, such as to the fitness and probity (F&P) framework as discussed below, the CBI will carry out a consultation with industry. The CBI will publish both the consultation paper and then a report on that consultation setting out the key findings and next steps.

Other Resources

The CBI also publishes speeches it has given at various industry events, discussion papers, markets updates, an annual report and performance statement, and details of enforcement actions including settlement notices. Rules and guidance from the DoF, CCPC, PA and FSPO can be found on their respective websites.

The Banking Package, consisting of:

• the Capital Requirements Directive VI (2024/1619/EU) (“CRD VI”);
• the Capital Requirements Regulation III (2024/1623/EU) (“CRR III”); and
• the Daisy Chain Regulation (2022/2036/EU),

finalises the implementation of the Basel III agreement in the EU. The CRR III has applied in Ireland from 1 January 2025, and the Daisy Chain Regulation has applied in Ireland from 14 November 2022, with certain sections applying from 1 January 2024.

The European Union (Capital Requirements) (No. 2) (Amendment) Regulations 2024, which give further effect to the CRR III, came into operation on 1 January 2025. The European Union (Bank Recovery and Resolution) (Amendment) Regulations 2023, which give further effect to the Daisy Chain Regulation, came into operation on 15 November 2023.

In the context of CRD VI, Ireland must transpose CRD VI into national law by 10 January 2026. Subject to specified exceptions, CRD VI requirements come into effect the following day. Ireland is currently in the process of implementing CRD VI, with a public consultation having been completed on 14 February 2025 which focused on key national discretions. The final Irish approach regarding the transposition of CRD VI is still pending.

Ireland has not yet implemented a T+1 settlement cycle. The EU’s T+1 settlement cycle will apply in Ireland from 11 October 2027, as mandated by Regulation 2025/2075/EU, which is directly applicable to all EU member states.

Ireland’s national competent authority, the CBI, has previously stated that it continues to monitor developments pertinent to the move to T+1 settlement.

ESG Investment

Ireland’s ESG-related legal framework has largely been driven by EU policy initiatives. The most significant regulatory measures in the context of ESG investment and funds are the following:

• the Taxonomy Regulation (2020/852/EU); and
• the Sustainable Finance Disclosure Regulation (2019/2088/EU) (SFDR).

The Taxonomy Regulation sets out EU-wide criteria for determining whether an economic activity qualifies as environmentally sustainable. For an activity to qualify as environmentally sustainable, it (a) must contribute substantially to one or more of the six environmental objectives set out in Article 9 of the Taxonomy Regulation, (b) must not significantly harm any of the environmental objectives, (c) must be carried out in compliance with the minimum safeguards, and (d) must comply with technical screening criteria that have been established by the European Commission. The Taxonomy Regulation also provides for a number of obligations, including an obligation for in-scope entities to disclose how and to what extent their activities are associated with economic activities that qualify as environmentally sustainable.

The SFDR sets out disclosure requirements for financial market participants and financial advisers relating to the integration of sustainability risks and the consideration of adverse sustainability impacts in their processes. The SFDR also provides for the provision of sustainability‐related information with respect to financial products.

Greenwashing

At EU level, supervisory focus has intensified under SFDR, the Taxonomy Regulation and the European Securities and Markets Authority’s guidance, with national authorities (including the CBI) signalling enforcement attention to sustainability claims in disclosures and marketing. Firms should ensure:

• product-level and entity-level sustainability statements are substantiated and consistent across the prospectus/PPM, website, KIIDs/KIDs and periodic reports;
• use of ESG labels or Article 8/9 designations aligns with actual investment strategy, asset selection and KPIs; and
• robust governance over ESG data sources, data quality and methodologies.

AI is a key talking point in Ireland at present, including as regards its use in financial services.

CBI

As the primary regulator of financial service providers and markets in Ireland, and having since been designated as a Market Surveillance Authority by the Irish Government under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) (“EU AI Act”) in relation to AI in financial services, the CBI expressed, in its Regulatory & Supervisory Outlook issued for both 2024 and 2025, its key supervisory objectives in balancing the transformative potential and the risks pertinent to the use of AI technologies and tools in financial services in light of the EU AI Act.

The CBI’s 2025 report noted its strong support of the implementation of the EU AI Act and emphasised further supervisory engagement with regulated firms for 2025/2026. In both reports, the CBI spotlighted the opportunities to bring positive benefits to the economy arising from AI tools and innovative technologies while concurrently urging financial services firms to be cognisant of the potential adverse impacts to individuals and society arising from the use of AI in the financial services sector.

The CBI’s 2025 report, published in February 2025, highlights key points in identifying and addressing the risks of AI in the financial sector including:

• identifying, managing and mitigating the changing and amplified risks occurring at various parts of the AI systems;
• understanding clearly what business challenge is being addressed by the use or proposed use of specific types of AI and why AI-related technologies are an appropriate response to the business challenge;
• ensuring the transparency of the decision-making process surrounding judgements relating to appropriate AI usage; and
• ensuring that when engaging in AI-enabled processes, whether in parallel with existing systems or transitioning to an AI-enabled process, readiness for the consequent risks to their operational resilience.

Department of Finance

In June 2024, the DoF accompanied by the Department of Enterprise, Trade and Employment (now called the Department of Enterprise, Tourism and Employment) published a series of reports entitled “Artificial Intelligence: Friend or Foe?”, consisting of:

• a high-level summary of research undertaken by both Departments relating to the potential implications of AI technologies for the economy and policy considerations;
• a review of the potential macroeconomic impacts of rapidly evolving AI technologies; and
• an analysis of the potential impacts of AI on Ireland’s labour market.

The DoF’s reports emphasise the potential for the realisation of extraordinary benefits for society emanating from evolving AI systems; however, as with prior industrial revolutions, technological developments will give rise to both challenges and risks.

The CBI, as the primary financial services regulator in Ireland, is supportive of fintech and the benefits it can bring, which the CBI notes include offering a better choice of products and services for consumers, better access to products and services for consumers and possibly providing money savings for consumers, as fintech providers do not have the same costs as providers with physical premises.

However, the CBI also warns of a number of risks with fintech products, including from the use of technology, such as data protection breaches, consumers taking less time to consider options due to the ‘instant’ nature of online products and services and a lack of clarity regarding the regulated status of some providers, leaving consumers with a misunderstanding of what their rights are where issues arise.

As a means of encouraging innovation in the sector, the CBI has an “innovation hub” where entities developing new innovative technologies can engage with the CBI for information on how they may be able to operate in Ireland and what regulatory considerations may apply.

The CPC details the general requirements of operating as a regulated entity in Ireland.

In the context of vulnerable consumers, the CPC provides that where a regulated entity has identified that a personal consumer (ie, a natural person acting outside his or her business, trade or profession) is a vulnerable consumer, the regulated entity must ensure that the vulnerable consumer is provided with such reasonable arrangements and/or assistance that may be necessary to facilitate him or her in his or her dealings with the regulated entity.

A “vulnerable consumer” for the purposes of the CPC is a natural person who:

• has the capacity to make his or her own decisions but who, because of individual circumstances, may require assistance to do so (for example, hearing impaired or visually impaired persons); or
• has limited capacity to make his or her own decisions and who requires assistance to do so (for example, persons with intellectual disabilities or mental health difficulties).

The CP Regulations, mentioned in 1.1 Key Financial Services Law, will provide for new requirements relating to protecting consumers in vulnerable circumstances.

In the context of the CP Regulations, regulated entities will be required to, inter alia:

• provide consumers in vulnerable circumstances with such ongoing reasonable assistance as may be necessary to facilitate that consumer in their dealings with the regulated entity;
• ensure that any information received from a consumer in vulnerable circumstances and maintained as a record by the regulated entity is, where appropriate and in accordance with the law, accessible to the staff; and
• have clear procedures for their employees to report concerns that a customer, who is a personal consumer, is the victim, or is at risk of being the victim, of a fraud or scam or other financial abuse.

The CBI has also issued “Guidance on Protecting Consumers in Vulnerable Circumstances” (March 2025), which sets out the CBI’s expectations of firms in meeting their obligations under the CP Regulations.

The push to strengthen oversight and regulation of the shadow banking system (ie, bank-like activities that take place outside the traditional banking sector) is mainly driven by EU policy initiatives. Regulatory measures that have been taken in the context of shadow banking include, inter alia:

• the Money Market Funds Regulation (2017/1131/EU) relating to money market funds established, managed or marketed in the EU;
• the Securities Financing Transactions Regulation (2015/2365/EU) laying down rules on the transparency of securities financing transactions and of reuse;
• Commission Delegated Regulation (EU) 2023/2779 with regard to regulatory technical standards specifying the criteria for the identification of shadow banking entities referred to in Article 394(2) of the CRR; and
• Regulation (EU) 1075/2013 concerning statistics on the assets and liabilities of financial vehicle corporations engaged in securitisation transactions. In addition, Irish incorporated Section 110 companies are required to report quarterly data to the CBI under the CBA 1971.

The CBI recently noted in “The Central Bank of Ireland’s response to the European Commission’s consultation assessing the adequacy of macroprudential policies for non-bank financial intermediation (NBFI)” that the development of macroprudential policy for the non-bank sector remains a key priority for the CBI.

Applying to the CBI for authorisation in Ireland is an involved process. It will require an applicant to really know their intended business, including financials and proposed governance arrangements. However, the exact application process will ultimately depend on what type of authorisation or registration is being applied for, and the nature, scale and complexity of the proposed business.

Credit Institutions

The application for authorisation as a credit institution in Ireland falls into two categories. The first is those applying for authorisation as a credit institution under Section 9 of the CBA 1971, and the second is those applying for authorisation as a third-country branch credit institution in Ireland under Section 9A of the CBA 1971. Both have similar application processes, with the difference being the involvement of the ECB and CBI for Section 9 applications, and only the CBI for Section 9A applications. The application process involves an initial meeting with the CBI, an exploratory phase, further meetings with the CBI, a draft application and then a full application.

Guidelines and checklists for both applications are available on the CBI’s website.

Retail Credit Firms

The application process for authorisation as a retail credit firm under Section 28 of the CBA 1997 involves submission of an application to the CBI, with additional documentation, a “key information check” (KIC) stage, completion of individual questionnaires (IQs) for pre-approval controlled function (PCF) roles (senior roles in the entity), and engagement with the CBI by way of comments and information requests.

The application form and guidance note, and the CBI’s “Authorisation Requirements and Standards for Retail Credit Firms”, are available on the CBI’s website.

Electronic Money Institutions and Payment Institutions (Including Account Information Service Providers (AISPs))

While these are different authorisations (with an application for only account information services being for registration rather than authorisation), the application process for EMIs, payment institutions (PIs) and AISPs is very similar. The application process involves a pre-application meeting with the CBI, completion of a “key facts document” (KFD), a KIC review by the CBI, the formal submission of the application and further engagement with the CBI by way of comments and information requests.

Application forms for EMIs, PIs and AISPs, together with the CBI’s guidance note on completing an application for an EMI/PI/AISP and the CBI’s “Expectations for Authorisation of Payment and Electronic Money Institutions and Registration of Account Information Service Providers”, are available on the CBI’s website.

MiFID Firms

The application for MiFID firms involves a three-stage process: a preliminary meeting with the CBI; a KFD process (involving several rounds of Q&A); and the formal authorisation application (when the KFD is clear of comment – this begins the statutory review clock).

The MiFID application form, “Authorisation Guidance Note for MiFID Investment Firms – Preliminary Meeting Pre-Application Presentation”, “Authorisation Guidance Note for MiFID Investment Firms – Key Facts Document” and “Authorisation Guidance Note on Completing an Application Form for Authorisation as a MiFID Investment Firm” are available on the CBI’s website.

IIA

The process for applying for authorisation as an IIA Firm involves a preliminary meeting with the CBI, submission of an application form with supporting documents and engagement with the CBI – it is similar to the MiFID application.

The “Application for Authorisation under the IIA” and the “Guidance Note on Application for Authorisation under the IIA” are available on the CBI’s website.

Intermediaries

The process for applying for authorisation as an insurance intermediary, reinsurance intermediary, ancillary insurance intermediary, investment intermediary, mortgage credit intermediary and/or mortgage intermediary (“retail intermediaries”) involves submission of the relevant application form to the CBI (note: there are two different types depending on the activities the applicant proposes to provide), a KIC of the application, submission of IQs for all proposed PCFs and any vetting forms required and engagement with the CBI by way of questions.

All relevant documents including application forms and the CBI’s ‘Guidance Note for the Completion of an Application for Authorisation as a Retail Intermediary” are available on the CBI’s website.

Application Length and Fees

The length of time it will take for a firm to become authorised or registered in Ireland will depend on a number of factors. These include the type of authorisation being applied for, the nature, scale and complexity of the proposed business, how advanced the applicant is with its business plan, the quality of the application submitted, and how quickly the applicant can provide adequate responses to the CBI’s queries and requests for information during the application process.

Processing Times

Since 2024, the CBI has released an annual “Authorisations and Gatekeeping Report” which provides information on authorisations and registrations in the previous year, including the processing times. Some of the average processing times for authorisations/registrations, as set out in the CBI’s 2025 Authorisations and Gatekeeping Report (based on 2024 data), include:

• Funds authorisation: 88 days
• Retail intermediaries/debt management firms: 119 days
• Retail credit firms/credit servicing firms: 854 days (the CBI notes this length of time is due to one business which took considerable time to meet pre-authorisation requirements)
• Trust or company service providers: 75 days
• Fund service providers: 202 days
• Insurance undertakings: 21 days (for all insurance types)
• MiFID investment firms: 256 days
• Payment and e-money institutions: 688 days
• Prospectus approval: 15 days

Please note, however, that some of these figures are skewed by a small number of applications that have taken a significant period of time, thereby impacting the overall average time.

Fees

There are currently no fees payable to the CBI for submitting applications for authorisation/registration. However, there are other fees which should be considered post-authorisation. These include an annual industry funding levy payable to the CBI. The specific amount payable will depend on the type of entity and specific calculations applying for that entity.

There is also an annual industry levy payable to the FSPO. This amount will depend on the type of entity concerned and is based on different factors.

Senior individuals within authorised financial services firms are subject to certain obligations, which differ depending on the exact role held.

Controlled Functions

Certain roles in regulated entities are referred to as “controlled function” (CF) roles in accordance with the Central Bank Reform Act 2010. This includes those who can exercise a significant influence on the conduct of the affairs of a regulated entity (CF1) and those who give advice to a customer of the regulated entity. Before allowing a person to commence such a role, the regulated entity must carry out an assessment of the person to determine whether they are fit and proper to hold that role.

Pre-Approval Controlled Functions (PCFs)

Certain senior roles require the approval of the CBI before the person can commence the role – these include CEO, CCO, Head of Compliance, CRO, HoAF and directors. This is in addition to the regulated entity carrying out its own assessment of the person. This involves the submission of an IQ to the CBI which contains a variety of information, including on education, experience and any criminal convictions, to allow the CBI to assess the person’s F&P. Such persons may be called for interview with the CBI before the CBI decides whether the person is fit and proper to carry out the role.

IAF

In Ireland, CFs and PCFs in regulated firms are directly subject to obligations and potential enforcement by the CBI under the Individual Accountability Framework (IAF). The IAF was introduced in Ireland under the Central Bank (Individual Accountability Framework) Act 2023. The IAF contains several parts, most notably the Senior Executive Accountability Regime (SEAR) and the Conduct Standards.

SEAR

The SEAR has to date been introduced on a phased basis, currently only applying to credit institutions (excluding credit unions), certain insurance undertakings and investment firms and third-country branches of those and requires all in-scope firms to clearly detail where responsibly and decision-making sits within the entity.

Conduct Standards

The IAF sets out several common conduct standards that apply to CFs and PCFs and additional conduct standards that only apply to those carrying out the CF1 role and PCFs. Common conduct standards include acting with honesty and integrity and in the best interests of clients. Additional conduct standards include ensuring the business of the regulated financial service provider is controlled effectively and ensuring delegated tasks are assigned to an appropriate person with effective oversight. The relevant person is required to take “reasonable steps” to comply with the conduct standards.

Minimum Competency Code

The Minimum Competency Code 2017 and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48 (1)) Minimum Competency Regulations 2017 apply certain minimum standards for persons providing particular financial services in regulated entities.

Annual Certification

There is an annual certification requirement in respect of CF and PCF roles. A regulated financial service provider or its holding company must not allow a person to perform a CF/PCF role unless the regulated entity has certified in writing that it is satisfied the person complies with the applicable standards of F&P. Additionally, since 1 January 2025, and annually thereafter, a regulated entity must submit confirmation of compliance with such certification requirements to the CBI.

The financial services landscape in Ireland is constantly evolving. We set out below the key financial services reforms expected in the coming year.

Consumer Protection

As referenced in 1.1 Key Financial Services Law, the CPC in Ireland is being replaced by the CP Regulations and the Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 (together, the “revised CPC”). The revised CPC will apply to regulated entities operating in Ireland when dealing with certain types of consumers, namely, natural persons and incorporated bodies with a turnover of under EUR5 million (an increase from the EUR3 million threshold under the CPC).

The revised CPC is supplemented by three guidance documents published by the CBI. These are: (i) General Guidance on the Consumer Protection Code; (ii) Guidance on Securing Customers’ Interests; and (iii) Guidance on Protecting Consumers in Vulnerable Circumstances.

The revised CPC builds on the existing version of the CPC but includes new provisions regarding digitalisation, addressing financial abuse, protecting vulnerable consumers and securing customers’ interests.

The revised CPC comes into operation on 24 March 2026.

Crypto-Assets

The transitional period provided for under MiCA allows VASPs that were operating in Ireland before 30 December 2024 to operate until receipt of their CASP authorisation from the CBI (or refusal if applicable) or 30 December 2025, whichever is earlier. Therefore, from 30 December 2025, the VASP regime will no longer be applicable in Ireland.

Fitness and Probity

In April 2025, the CBI published a consultation paper (“CP 160”) seeking industry feedback on its proposals to amend the Irish F&P regime by consolidating F&P guidance into a single document and amending the list of PCF roles.

A review of the CBI’s F&P process was carried out by former chair of the Supervisory Board of the ECB Andrea Enria and a report on such review published in 2024. The report urged for greater clarity, transparency and fairness of supervisory expectations regarding the application by the CBI of the F&P standards. CP 160, accompanied by supplementary materials, seeks to address those recommendations.

The consultation concluded on 10 July 2025, and we expect the CBI to provide an update on the outcome of the consultation and next steps regarding the F&P guidance either in late 2025 or during 2026, but no date has been provided at the time of publication.

AIFMD II

In September 2025, the CBI published consultation papers on proposed amendments to:

• the CBI UCITS Regulations and the CBI’s Guidance on performance fees for UCITS and certain types of Retail Investor AIFs (“CP 161”); and
• the CBI’s AIF Rulebook (“CP 162”).

The CBI proposes aligning the Irish position more closely with European frameworks as amended by Directive 2024/927/EU (“AIFMD II”), which is required to be transposed into Irish law by 16 April 2026. Among other things, CP 161 proposes repealing and replacing the CBI UCITS Regulations, and CP 162 proposes:

• detailing AIF reporting requirements on the CBI’s website rather than in the AIF Rulebook;
• removing the loan-originating Qualifying Investor Alternative Investment Fund (QIAIF) section of the AIF Rulebook and the prohibitions on QIAIFs granting loans and acting as guarantors to third parties;
• revising the rules regarding intermediary investment vehicles; and
• clarifying that capital commitments can be used to meet minimum investment requirements.

Both consultations closed on 5 November 2025. We expect the CBI will publish feedback on the consultations during 2026, but no date has been provided at the time of writing.

International Financial Services Strategy

In June 2025, the Irish Government published its “Ireland for Finance Action Plan 2025”. The action plan outlines actions that stakeholders have committed to taking, grouped under five themes: “sustainable finance”, “fintech and digital finance”, “diversity and talent”, “regionalisation and promotion” and “operating environment”, with the aim of boosting Ireland’s competitiveness as a recognised global location for international financial services.

The updated action plan also flags that a new international financial services strategy will be developed in 2025 (to be launched in 2026) for the period 2026 to 2030. The DoF launched a public consultation on the Ireland for Finance Strategy for 2026–2030 on 21 July 2025. The consultation concluded on 19 September 2025, and the new revised strategy is intended for publication by mid-2026.