Fintech 2025

Last Updated March 25, 2025

Ireland

Law and Practice

Authors



Walkers is a leading international firm that provides legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers. Clients include Fortune 100 and FTSE 100 companies, and some of the most innovative firms and institutions across the financial markets. The firm has ten offices, in Bermuda, the British Virgin Islands, the Cayman Islands, Dubai, Guernsey, Hong Kong, Ireland, Jersey, London and Singapore. It regularly advises innovative fintech firms on legal and regulatory considerations arising from offering their products to the Irish and European market, often for the first time and in novel areas. It leverages its expertise in multiple areas of regulated financial services when assessing fintech proposals to provide clear mapping of product features that could trigger regulatory issues. It has also assisted start-up clients in engaging with the Central Bank of Ireland's Innovation Hub, which is only open to innovative services.

Ireland is home to well-developed and globally recognised technology and financial services sectors, and is one of the leading European jurisdictions for fintech activity. The Central Bank of Ireland (Central Bank) has recognised that the fintech sector is of increasing importance to both the Irish and EU financial services landscape, and that the industry has seen significant growth in recent years.

Key Trends Over the Past 12 Months

Fintech activity continues to be particularly prevalent in the payments sector, although it is not limited to this area. The 2023 update published by the Central Bank's Innovation Hub notes that, by the end of 2023, it had held 389 engagements across a number of sectors, including payments, regtech, blockchain, crypto and insurtech.

Four new e-money or payment institutions were authorised by the Central Bank in 2024. Significant growth has appeared in the virtual asset service provider (VASP) sector, with 22 VASPs registered with the Central Bank since the regime came into effect in April 2021.

Regulatory Developments

Fintech developments in Ireland are expected to continue to focus on the payments sector, regtech, AI and blockchain over the next 12 months, among other areas. The Markets in Crypto-Assets Regulation (MiCAR) came into application at the end of 2024 and is expected to generate market activity with existing Irish-registered VASPs and new entrants alike choosing Ireland as their EU base and seeking authorisation as a crypto-asset service provider (CASP) under MiCAR in Ireland.

Crypto-assets

On 30 December 2024, MiCAR became applicable to CASPs as well as offerors and persons seeking admission to trading of crypto-assets in the EU. Stablecoin issuers have been subject to MiCAR since 30 June 2024.

Entities providing certain crypto-asset services within the EU are required to be authorised as CASPs. CASPs authorised under MiCAR will be subject to a range of obligations, including the prudential and conduct of business requirements under MiCAR as well as other requirements, such as in relation to anti-money laundering.

VASPs that were registered with the Central Bank and operating in Ireland as a VASP by 30 December 2024 may avail of a transitional period of 12 months or until they are granted a CASP authorisation, whichever is sooner. These entities can continue to provide services in Ireland during the transitional period.

Offerors and persons seeking admission to trading of a crypto-asset in the EU are now subject to obligations under MiCAR.

A person cannot make an offer to the public or seek admission to trading of an asset-referenced token (ART) or an electronic money token (EMT) unless that person is the issuer and:

  • in the case of an ART, that issuer is established in the EU and authorised under MiCAR, or alternatively is authorised as a credit institution; or
  • in the case of an EMT, the issuer is authorised as a credit institution or an e-money institution, unless an exemption applies.

Digital Operational Resilience Act

Of broader application is the EU Digital Operational Resilience Act (DORA), which entered into force in January 2023 and became applicable from 17 January 2025. DORA applies to certain financial services firms with the objective of ensuring that entities operating in the EU financial services industry can withstand, respond to and recover from all types of disruptions and threats relating to information and communication technology (ICT). DORA also applies to critical ICT third-party service providers to the financial services industry, and provides a framework for the oversight of such entities by the European Supervisory Authorities (ESAs) – ie, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

Payments

In response to the advancements in payments and financial services technologies and the increasing challenges faced by the industry with instances of fraud and financial crime, the European Commission evaluated the Payment Services Directive (PSD2) and found a number of positives and some shortcomings. The review culminated in the publication of proposals for an updated Payment Services Directive (PSD3) and Payment Services Regulation (EU PSR). The proposed amendments include:

  • the strengthening of measures to combat payment fraud;
  • improving the functioning of open banking;
  • reinforcing the enforcement powers;
  • further improving consumer information and rights; and
  • merging the legal frameworks applicable to electronic money and payment services.

The PSD3 and EU PSR are expected to take effect by the end of 2026, although the timeline is not yet clear.

The Instant Payments Regulation entered into force on 8 April 2024, with a phased implementation schedule extending from January 2025 to July 2027. It aims to ensure that instant euro payments are accessible to both consumers and businesses throughout the EU by amending existing EU payments regulations.

Artificial intelligence

On 9 December 2023, the European Parliament and the Council of the EU reached a provisional agreement on the AI Act, which was subsequently approved in its final form on 21 May 2024. The AI Act entered into force on 1 August 2024, with most of its provisions set to apply two years after this date, although certain exceptions apply. The ban on prohibited AI systems applies from 2 February 2025. The AI Act establishes a regulatory framework aimed at harmonising rules for AI across the EU. It seeks to regulate providers who market or deploy AI systems within the EU, as well as users of these systems.

The Central Bank has commented that there was a greater than four-fold growth in the number of payment firms authorised in Ireland between 2018 and 2022.

Outside of payments business, which has driven the majority of fintech activity, it is notable that the number of registered VASPs and authorised crowdfunding service providers has increased. Existing VASPs and new entrants are expected to be interested in seeking authorisation in Ireland as a CASP under MiCAR.

Other areas for innovation include regtech, insurance, digital identity and asset management. Firms are also looking to incorporate new technology such as blockchain and AI into their operations.

Fintech firms must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis.

Payments

In relation to the provision of payment services or the issuance of electronic money, the primary rules to be considered are:

  • the European Union (Payment Services) Regulations 2018 (PSR), which transpose PSD2 into Irish law; and
  • the European Communities (Electronic Money) Regulations 2011 (EMR), which transpose Directive 2009/110/EC (the “Electronic Money Directive”) into Irish law.

The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (CBA 1997) may be relevant to a money transmission service falling outside the PSR.

Banking

Challenger banks seeking to undertake “banking business” or accept deposits from the public require a bank licence under the Central Bank Act, 1971 (CBA 1971) and will be subject to the Irish implementation of the EU Capital Requirements Directive (Directive 2013/36/EU) (as amended) and the directly applicable EU Capital Requirements Regulation (Regulation 575/2013/EU).

Credit institutions authorised in other European Economic Area (EEA) jurisdictions may passport their authorisation into Ireland, which requires notification to their regulator in the first instance. All companies that are not licensed banks (or passported credit institutions) must avoid including “bank” or similar in their name or advertising and certain other materials.

Investment Services/Asset Management

Depending on the services provided, a fintech firm providing investment services or asset management solutions may be subject to regulation. For example, if the activities constitute “investment services” in respect of “financial instruments” for the purposes of the European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law. Investment services include:

  • the provision of investment advice;
  • the receipt and transmission of orders;
  • the execution of orders on behalf of clients; and
  • the provision of portfolio management services.

Firms appointed to manage a collective investment undertaking (such as a UCITS fund or an alternative investment fund) will require authorisation under the European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011 or the European Union (Alternative Investment Fund Managers) Regulations 2013, as appropriate, unless an exemption applies.

Crowdfunding

The operation of a loan or investment-based crowdfunding platform is a regulated activity under Regulation (EU) 2020/1503 (the “Crowdfunding Regulation”).

Blockchain and Crypto-Assets

In relation to the application of MiCAR to CASPs, stablecoin issuers and offerors/person seeking admission to trading of crypto-assets, please see 1.1 Evolution of the Fintech Market.

Anti-Money Laundering (AML)

The applicability of AML rules, including customer due diligence and ongoing monitoring requirements, will depend primarily on whether a fintech company falls within the categories of “designated persons” under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010). Designated persons include a wide range of financial services companies as well as certain other entities – eg, casinos, or persons trading or acting as an intermediary in the trade of works of art.

The Transfer of Funds Regulation (Regulation (EU) 2023/1113) (TFR) became applicable on 30 December 2024 and extends the obligation to include information about the originator and beneficiary (the so-called “travel rule”) to CASPs. The TFR also subjects CASPs to the same AML/CFT requirements and AML/CFT supervision as credit and financial institutions.

Security Requirements

Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD2 (eg, strong customer authentication) if they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber-risks.

DORA and the Central Bank's Guidance on Outsourcing and on Operational Resilience also set out specific requirements for certain financial institutions in the context of the security of network and information systems. Other cybersecurity and criminal legislation or guidance may also be relevant.

Furthermore, the technical, operational and organisational cybersecurity measures contained in Directive (EU) 2022/255 (NIS2), once transposed, will be applicable to in-scope essential and important entities, which include cloud computing service providers.

Data Privacy

Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of their regulatory status or the services being provided.

Fitness and Probity (F&P) Regime

The Central Bank’s F&P Regime was established under the Central Bank Reform Act 2010 and applies to persons performing certain roles in regulated financial service providers (RFSPs). It applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs include directors, chairs of the board and committees, the chief executive and heads of certain internal control functions, amongst other functions. A regulated firm must not permit a person to perform a CF or PCF unless it is satisfied on reasonable grounds that the person complies with the Central Bank’s Standards of Fitness and Probity.

Individual Accountability Framework and the Senior Executive Accountability Regime (SEAR)

The Central Bank (Individual Accountability Framework) Act 2023 (the “IAF Act”) introduced, amongst other things, a requirement for persons in CF and PCF roles in regulated firms to take any steps reasonable in the circumstances to ensure that certain prescribed conduct standards are met. Business standards will also be imposed on regulated firms in due course.

The SEAR, which imposes additional requirements on firms, will initially apply to a limited range of regulated firms from July 2024, including credit institutions, insurance undertakings and certain investment firms; certain requirement under the SEAR will apply from July 2025. Fintech firms will generally not be in these categories, but the SEAR will be applied to other sectors on a phased basis.

The permissible compensation models and disclosure requirements will depend on the type of service firms provide, their customer base and regulatory status, and the rules applicable to those services or customer types.

As a general rule, there is no differentiation between services provided by fintech firms or legacy players but some regulated activities are more likely to be performed by fintech firms.

The Central Bank has recently established an Innovation Sandbox Programme to inform the early-stage development of selected innovative initiatives and provide regulatory advice and support to firms on their innovative projects. The Innovation Sandbox Programme will take a thematic approach, with the theme of the first programme being “Combatting Financial Crime”. The Sandbox Programme framework comprises workshops, ongoing bespoke engagement with dedicated Sandbox Relationship Managers, and access to data platforms.

As part of the Digital Finance Package, the EU DLT pilot regime commenced in March 2023, creating a sandbox for successful applicant operators of market infrastructure to conduct the trading and settlement of DLT financial instruments.

The Central Bank is the financial services regulator in Ireland, with responsibility for the authorisation and supervision of financial services providers. It supervises Irish firms from both a prudential and conduct of business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct of business requirements, rather than prudential requirements.

The European Central Bank is the competent licensing authority for new Irish credit institutions (banks), and supervises significant credit institutions directly.

The Data Protection Commission is the Irish supervisory authority for the GDPR.

The Irish Digital Services Act 2024 (Irish DSA) designates Coimisiún na Meán as the designated Digital Services Co-ordinator in Ireland, implementing and enforcing the Irish DSA in Ireland. The Competition and Consumer Protection Commission is also designated for certain matters relating to online marketplaces.

The Central Bank does not issue “no-action” letters as part of its enforcement regime.

Nonetheless, the ESAs have a legal basis to issue no-action letters if they consider that the application of one of the relevant legislative acts is liable to raise significant issues as provisions contained in such act may directly conflict with another relevant act, and if they have received relevant information and consider on the basis of that information that the application of the relevant provisions raises significant exceptional issues pertaining to:

  • market confidence;
  • consumer, customer or investor protection;
  • the orderly functioning and integrity of financial markets or commodity markets; or
  • the stability of the whole or part of the financial system in the EU.

Where the ESAs issue a no-action letter stating that competent authorities should not prioritise any supervisory or enforcement action in relation to a certain legislative act, this may indirectly influence actions taken by the Central Bank.

If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service, unless it can rely on an exemption.

Separately, a number of rules and requirements may apply to already regulated firms that are engaged in the outsourcing of regulated and unregulated functions. These are generally sector-specific – eg, the PSR and MiFID II contain outsourcing requirements that are relevant to in-scope firms.

By contrast, the Central Bank Cross-Industry Guidance on Outsourcing (the “CBI Outsourcing Guidance”) applies across sectors to all regulated firms and must be considered alongside specific outsourcing rules under the various sectoral legislation. The CBI Outsourcing Guidance is heavily influenced by the EBA Guidelines on outsourcing arrangements (the “EBA Outsourcing Guidelines”), which are applicable to credit institutions, certain investment firms, payment institutions and electronic money institutions.

ESMA has also implemented guidelines on outsourcing to cloud service providers (the “ESMA Cloud Guidelines”), which apply to a broad range of RFSPs falling under ESMA's remit. The EIOPA has also published guidelines on outsourcing to cloud service providers (the “EIOPA Cloud Guidelines”).

In addition, DORA applies to in-scope financial entities and requires that all contracts between financial entities and ICT third-party service providers for the use of outsourced ICT services must meet certain minimum contractual requirements.

The extent to which any fintech provider is deemed a “gatekeeper” for activities on its platform will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements or may fall within the scope of Irish AML legislation.

The Criminal Justice Act 2011 imposes a reporting obligation on a person who has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence”, who must disclose this information to the Garda Síochána (the Irish police force).

The Digital Markets Act (Regulation (EU) 2022/1925) (DMA) entered into force on 1 November 2022 and became applicable from May 2023. It requires gatekeepers that have established a “core platform service” – search engines, social networking services, app stores, web browsers, etc – to abide by various requirements around fairness and transparency.       

The Central Bank has taken enforcement actions in a broad range of areas where breaches of financial services legislation have been committed by regulated entities. In 2024, the Central Bank took enforcement actions against three entities relating to breaches of the PSR, funds legislation and market abuse rules.

Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland, including data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.

The Digital Services Act (Regulation (EU) 2022/2065) (DSA) and the DMA form a single set of rules to create a fairer digital space for users. The DMA applies to online gatekeepers that reach certain turnover volumes. The DSA regulates online intermediaries and platforms.

Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. In 2023, the Central Bank required Irish payment and e-money firms to obtain a safeguarding audit.

As part of its supervisory expectations, the Central Bank expects CASPs to ensure that independent third-party assurance is provided on an annual basis, confirming that the safeguarding framework CASPs have in place is compliant with requirements.

A broad range of authorities may be relevant during a firm's life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges and the Financial Services and Pensions Ombudsman.              

For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless it is restricted by its financial services licence. Under both the PSR and EMR, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.

In their Joint Report on recent developments in crypto-assets, the EBA and ESMA highlighted examples of regulated entities providing both regulated and unregulated services.

The applicability of AML rules will depend primarily on whether a fintech company falls within the categories of “designated persons” under the CJA 2010. Where a fintech firm is regulated by the Central Bank, it will typically be a designated person.

EU and Irish financial sanctions rules will apply to all fintech firms regardless of authorisation status.              

Ireland has been a member of the Financial Action Task Force (FATF) since 1991. The AML and sanctions rules in Ireland closely follow the laws issued by the EU, which in turn are heavily influenced by the FATF standards.

The legislative framework under MiFID II and MiCAR provides for a reverse solicitation regime.

MiFID II

Under the MiFID Regulations, a third-country firm, as defined, will generally need to establish a branch in Ireland and obtain prior authorisation from the Central Bank before providing investment services or activities to retail clients and opted-up professional clients. However, there is an exemption where retail clients or opted-up professional clients initiate the provision of an investment service by a third-country firm, at their own exclusive initiative. Where a third-country firm solicits clients or potential clients in the EU, including through an entity acting on its behalf or having close links with it, it is not deemed a service provided at the own exclusive initiative of the client. Reverse solicitation does not entitle the third-country firm to market new categories of investment products or investment services to that individual.

The Markets in Financial Instruments Regulation (MiFIR) requires third-country firms that deal with certain “per se” professional clients or eligible counterparties to register with ESMA, unless the service was provided at the exclusive initiative of the client. The registration requirement only applies following the adoption of an equivalence decision by the European Commission and is not currently in force, as no equivalency determinations yet exist. As a result, national laws govern the access of third-country firms to these client types.

MiCAR

MiCAR also provides for a reverse solicitation exemption for the provision of CASP services by third-country firms to EU clients. In December 2024, ESMA published its final report on the guidelines on reverse solicitation under MiCAR, providing a non-exhaustive list of examples of solicitation.

It is generally accepted that the reverse solicitation rules contained in MiFID II and MiCAR will be interpreted very strictly.

Once the activities of a robo-adviser constitute MiFID II “investment services” in respect of “financial instruments”, the robo-adviser will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies.

The MiFID II investment services most likely to be triggered by robo-adviser activity are portfolio management and/or the provision of investment advice. MiFID II financial instruments include:

  • transferable securities;
  • units in collective investment undertakings;
  • certain options, futures, swaps and other derivatives; and
  • emissions allowances.

The MiFID Regulations requirements in relation to suitability assessments will also affect robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability are stated to be particularly applicable to robo-advisers, given the limited amount or total absence of human involvement.

Developers of robo-advisers involving crypto-assets will also need to consider their licensing and related conduct requirements under MiCAR, including in relation to suitability assessments where providing advice or providing portfolio management services.

No information is available in this jurisdiction.

A robo-adviser that is authorised under the MiFID Regulations and executes orders on behalf of clients is subject to the MiFID II rules, including the client order handling rules and best execution requirements. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders. MiCAR introduces best execution requirements for CASPs.

There are significant differences between the regulation of lending to individuals and to companies in Ireland.

Commercial Lending

Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland, although AML registration and reporting to the Central Credit Register may be required.

Loans to Individuals and SMEs

By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. The scope of the Irish retail credit regime captures credit agreements, including buy-now-pay-later products or other indirect credit, as well as hire-purchase agreements and consumer-hire agreements. The Consumer Credit Act, 1995 contains another domestic-only regime for persons providing “high-cost credit” to consumers.

Lending to consumers is subject to a range of consumer protection requirements.

RFSPs (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct of business rules when lending to individuals, certain small companies or SMEs. These rules include the Consumer Protection Code 2012 (CPC) and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (the “SME Regulations”).

Credit Servicing

Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and SMEs requires authorisation in certain circumstances under the CBA 1997. This regime also applies to hire-purchase agreements and consumer-hire agreements.

Separately, the EU-wide credit servicers directive (Directive (EU) 2021/2167) has been introduced and regulates credit servicers in certain circumstances.

Crowdfunding

The Crowdfunding Regulation facilitates peer-to-peer business lending, with regulated crowdfunding service providers being authorised to facilitate the granting of loans. Crowdfunding service providers can also perform individual portfolio management of loans for investors within certain criteria.

Irish conduct of business rules and legislation require creditworthiness or suitability assessments in certain circumstances; for example, the European Communities (Consumer Credit Agreements) Regulations 2010, the CPC and the SME Regulations are relevant in this regard.

Ireland has established a Central Credit Register under the Credit Reporting Act 2013, which lenders must check before advancing in-scope credit; the Act also requires lenders to report lending information.

Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.

Dedicated lending entities (eg, a retail credit firm) may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending (eg, via a crowdfunding service provider).

It is not typical for consumer loans or loans to small businesses to be syndicated. The Crowdfunding Regulation provides a European framework for peer-to-peer lending platforms.

Payment processors may use existing payment infrastructure or create or implement new payment rails, as long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements.

Cross-border payments may be regulated under the PSR. There are also requirements in respect of wire transfers, credit transfers and direct debits (eg, the Single Euro Payments Area). The oversight framework for electronic payment instruments, schemes and arrangements (the “PISA Framework”) is also relevant to companies enabling or supporting the use of payment cards, credit transfers, direct debits, e-money transfers and digital payment tokens, including e-wallets.

Crowdfunding Platforms

The activity of operating a peer-to-peer crowdfunding platform is regulated under the Crowdfunding Regulation, which provides a European framework for loan and investment-based crowdfunding.

Investment Services, Exchanges and Trading Platforms

The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of market operators and investment firms operating various types of trading venues, such as regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

Crypto-Asset Exchanges

The operation of a crypto-asset exchange from Ireland involving exchange services between crypto-assets and/or crypto-assets and fiat currencies and/or the operation of a trading platform for crypto-assets will require authorisation as a CASP under MiCAR.

MiCAR applies only to crypto-assets that are not covered by existing EU legislation. MiCAR categorises in-scope crypto-assets into ARTs, EMTs and other type of crypto-assets, including utility tokens.

The provision of investment services (such as operating a trading venue) in relation to MiFID financial instruments (including those issued through DLT) is regulated under the MiFID Regulations.

MiCAR regulates the provision of crypto-asset exchange services and the operation of a trading platform for crypto-assets. MiCAR will apply to persons and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner.

Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of the MiCAR authorisation requirement, although each model will need to be considered separately.

No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Trading venues established under MiFID or MiCAR are required to have detailed operating rules.

No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms of MiCAR CASPs when executing orders.

No information is available in this jurisdiction.

The MiFID II inducements, conflicts of interest and best execution rules will apply to all MiFID II investment firms, including in the context of payment for order flow, which is the practice of brokers receiving payments from third parties for directing client order flow to them as execution venues.

MiFIR prohibits financial intermediaries, when acting on behalf of retail clients or clients that have opted up to the professional client, from receiving a fee, commission or non-monetary benefit from any third party for their execution on a particular execution venue, or for forwarding orders of those clients to any third party for their execution on a particular execution venue.

Under MiCAR, CASPs receiving and transmitting orders for crypto-assets on behalf of clients are prohibited from receiving any remuneration, discount or non-monetary benefit in return for routing orders received from clients to a particular trading platform or to another CASP.

In addition to domestic requirements, Ireland has implemented EU securities markets legislation, some of which is directly applicable. This legislation includes:

  • the Prospectus Regulation;
  • the Market Abuse Regulation;
  • the Transparency Directive;
  • the Short Selling Regulation;
  • the Securities Financing Transaction Regulation;
  • Regulation 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories (EMIR); and
  • MiFID II.

The Market Abuse Regulation (Regulation (EU) 596/2014 – MAR) establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“market abuse”), and measures to prevent market abuse. It applies to MiFID II financial instruments admitted to trading on an EU-regulated market or for which a request for admission to trading has been made, as well as any MiFID II financial instruments traded on an MTF, admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, or traded on an OTF and certain other financial instruments, the price or value of which depends or has an effect on the price or value of the above and emission allowances. MAR can apply to other instruments and is not limited to transactions, orders or behaviour on a trading venue.

Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016 (the “MAR Regulations”), is an offence in Ireland.

MiCAR introduces provisions to prevent and prohibit market abuse involving certain crypto-assets, as well as white paper requirements for crypto-asset issuances.

The primary method of regulating these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments.

For asset classes outside the scope of regulation under the MiFID Regulations, it would be important to consult the requirements applicable to the particular asset class.

Market makers in financial instruments will generally require authorisation under MiFID and must comply with specific rules if engaging in algorithmic trading to pursue a market-making strategy.

No information is available in this jurisdiction.

If programs or programmers are carrying out regulated activities, the applicable regulations will be relevant, but this will need to be assessed on a case-by-case basis. The AI Act will apply to providers who place on the market or put into service AI systems in the EU, and to users of AI systems located or with establishments within the EU.

Only authorised insurance companies are permitted to underwrite insurance contracts in Ireland. Some insurtech companies are authorised as insurance companies, while others act as insurance intermediaries and require authorisation for that activity.

Insurance companies must be authorised as a life insurer or a non-life insurer but not both (with limited exceptions). Life and non-life insurers are subject to different requirements.

Specific requirements in relation to motor insurance are set out in the European Union (Motor Insurance) Regulations 2023 due to the requirement for minimum compulsory cover for third-party motor insurance. There are a limited number of other kinds of compulsory insurance – eg, in relation to aircrafts and shipping.

Insurance products with an investment component are treated differently to other insurance products and are subject to the Packaged Retail and Insurance Based Investment Products (PRIIPs) Regulation.

Commercial and consumer insurance products are treated differently. Additional obligations apply when dealing with consumers, including the Central Bank's CPC, the Consumer Protection Act 2007 and the Consumer Insurance Contracts Act 2019.

Generally speaking, the provision of regtech services is less likely to be a regulated activity, but this will depend on the nature of the regtech service performed and the nature of the entity to which such services are provided.

When outsourcing or sourcing ICT services, regulated entities may be obliged to impose certain contractual provisions on their service providers.

The CBI Outsourcing Guidance

Outsourcing is a particularly topical issue for the Central Bank. The CBI Outsourcing Guidance applies to all Irish regulated firms and is to be implemented alongside any specific sectoral legislative outsourcing requirements. It imposes similar contractual requirements to the EBA Outsourcing Guidelines (which apply directly to credit institutions, certain investment firms and payments/e-money institutions).

The EBA Outsourcing Guidelines

The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. Specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. The ESMA Cloud Guidelines and the EIOPA Cloud Guidelines may also be relevant to applicable entities where services are provided on a cloud basis.

DORA

A key requirement of DORA is that all contracts between financial entities (as defined in DORA) and ICT third-party service providers for the use of ICT services must meet certain minimum contractual requirements. Additional contractual requirements are placed on arrangements with ICT third-party service providers that support a critical or important function of the financial entity.

Traditional domestic and international institutions operating in Ireland are investigating the use of blockchain, and certain institutions have conducted trials in this area. Ireland is also home to a number of crypto-led businesses, and this population is expected to grow.

The Central Bank's Approach

Firms providing certain services in relation to crypto-assets are required to obtain a CASP authorisation (see 1.1 Evolution of the Fintech Market). In December 2024, the Central Bank released its supervisory expectation for CASPs, outlining its risk appetite for crypto-asset services in Ireland.

Outside of these processes, the Central Bank has issued consumer explainers and warnings, and remains cautious on the benefits and risks of crypto. However, it has acknowledged that technological innovation is a key feature of the environment in which it seeks to deliver its mandate.

On 22 October 2024, the Department of Finance published its final report on the review of the “Funds Sector 2030”. One of the areas being examined is how technological change and innovation will influence future development, including mapping a pathway for the broader adoption of tokenisation.

The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender.

Crypto-Assets in Scope of MiCAR

MiCAR defines crypto-assets as “a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”. It applies only to crypto-assets that are not covered by existing EU legislation, and categorises in-scope crypto-assets into ARTs, EMTs and other type of crypto-assets, including utility tokens.

Significance of MiFID II Definition of Transferable Securities to Regulatory Approach

The MiFID Regulations apply to financial instruments, including those issued by means of DLT.

One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security.

Certain types of crypto-assets could instead qualify as other MiFID II financial instruments, such as units in collective investment undertakings, money-market instruments or derivatives; a case-by-case analysis is required. Depending on classification, a range of other regimes could be triggered – eg, a transferable security falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR.

In December 2024, ESMA published its Final Report on the Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, which provides further clarity on the approach to be taken.

Crypto-Assets and Payment Services Under the Electronic Money Directive

Only electronic money institutions authorised under the Electronic Money Directive and credit institutions can issue EMTs – ie, crypto-assets that purport to maintain a stable value by referencing the value of one official currency.

If a person performs a “payment service” as listed in PSD2 with a blockchain asset that qualifies as “electronic money” under the Electronic Money Directive, such activity would fall within the scope of PSD2 by virtue of constituting “funds”.

In a recent letter to the EBA and ESMA, the European Commission called for a “no-action letter” with regard to the enforcement of the requirements on authorisation in PSD2 in terms of services with EMTs provided by CASPs that may be inadvertently covered by the PSD2.

Assuming the blockchain assets are not governed by any existing EU legislation, the issuance of crypto-assets is governed by MiCAR.

See 1.1 Evolution of the Fintech Market regarding the regulatory framework in MiCAR for issuers of crypto-assets, including issuers of ARTs and EMTs.

Where blockchain assets constitute MiFID II financial instruments such as transferable securities, the operation of a trading platform will be in the scope of existing regulatory regimes.

The operation of a trading platform may involve the issuance of electronic money or the provision of payment services, in order to facilitate wallet and payment features.

MiCAR imposes requirements on CASPs operating a trading platform for crypto-assets or engaging in exchange services between crypto-assets and/or crypto-assets and funds.

MiCAR does not contain provisions specific to staking and therefore does not create specific requirements or licensing obligations for staking. However, the European Commission confirmed that where the staking service provider holds the private keys to the staked crypto-assets, the service provider is required to be authorised under MiCAR to provide custody and administration of crypto-assets on behalf of clients. Depending on the arrangements between staking service providers and customers, other MiCAR CASP services may be relevant.

Providing staking services may fall within existing regulatory regimes depending on the legal classification of the crypto-asset in question.

MiCAR does not specifically address the lending and borrowing of crypto-assets, including EMTs; instead, it proposes that the Commission shall present a report to the European Parliament containing an assessment of the necessity and feasibility of regulating lending and borrowing of crypto-assets. To assist the European Commission with this report, the EBA and ESMA have published a Joint Report on recent developments in crypto-assets, including lending and borrowing of crypto-assets.

Lending services relating to crypto-assets may fall within existing regulatory regimes depending on the legal classification of the crypto-asset in question.

In December 2024, ESMA published its Final Report on the Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, which provides further clarity on the classification of crypto-assets as derivative contracts.

Firstly, with regards to crypto-assets as an underlying asset for derivatives, ESMA notes that national competent authorities and financial market participants should consider the possibility for crypto-assets to be eligible underlying assets in derivative contracts for the purposes of MiFID II.

Secondly, ESMA notes that crypto-assets themselves can be qualified as derivatives. In this regard, national competent authorities and financial market participants should consider the following as part of their assessment:

  • whether the rights of the crypto-asset holders are contingent upon a contract based on a future commitment, creating a time-lag between the conclusion and performance of the obligations under such contract;
  • whether the crypto-asset's value is derived from that of an underlying asset; and
  • whether the crypto-asset follows the settlement modalities as referred to in MiFID II.

Where the crypto-asset serves as an eligible asset in derivative contracts for the purposes of MiFID, or where the crypto-asset itself amounts to a derivative contract within scope of MiFID II, entities providing investment services, as defined in MiFID II, in relation to such crypto derivatives may need to consider the impact of MiFID II on their business.

DeFi presents challenges for EU regulatory authorities, as it does not sit neatly within the existing regulatory landscape.

DeFi transactions will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area, and there is expected to be increasing regulatory interest in DeFi.

MiCAR should not apply where crypto-asset services are provided in a fully decentralised manner without any intermediary. MiCAR instead proposes that the Commission shall present a report to the European Parliament containing an assessment of the development of DeFi in the crypto-assets markets and of the adequate regulatory treatment of decentralised crypto-asset systems without an issuer or CASP, including an assessment of the necessity and feasibility of regulating DeFi. In January 2025, the EBA and ESMA published a Joint Report on recent developments in crypto-assets, including DeFi.

Irish regulated investment funds are authorised either as UCITS or as alternative investment funds (AIFs).

Distinctions Between Digital Assets

The Central Bank has provided guidance on investment in digital assets, which are generally considered to be assets that exist in digital form and that attach ownership rights that depend primarily on cryptography and distributed ledger or similar technology. This guidance recognises that the nature and characteristics of digital assets vary considerably, and distinguishes, for example, between digital assets that are tokenised traditional assets and digital assets that are based on intangible or non-traditional underlying assets.

For the purposes of its requirements, the Central Bank considers “digital assets” to be the latter type of digital asset. Its guidance states that the Central Bank is highly unlikely to approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to digital assets.

In April 2023, the Central Bank increased the investment limits for QIAIFs seeking exposure to the latter type of digital assets, as follows:

  • where a QIAIF is open-ended, it can gain exposure to digital assets of up to 20% of NAV; and
  • where a QIAIF is closed-ended or is open-ended with limited liquidity, it can gain exposure to digital assets of up to 50% of NAV.

In order to avail of these limits, AIF managers must ensure the following requirements are satisfied:

  • an effective risk management policy is implemented to address all risks relevant to investment in digital assets, at a minimum addressing risk relating to liquidity, credit, market, custody, operational, exchange risk, money laundering, legal, reputational and cyber-risk;
  • appropriate stress testing on the proposed investment in digital assets, reflecting the asset price volatility of digital assets, including the potential entire loss of value in the investment;
  • an effective liquidity management policy is in place, which includes a sufficient suite of tools to enable the AIF manager to manage liquidity events arising in the QIAIF;
  • the prospectus of the QIAIF must contain clear disclosure in relation to the nature of the proposed investment in digital assets and a clear articulation of the risks associated with that investment; and
  • the QIAIF should assess the overall construction of its portfolio to ensure that there is alignment between the redemption profile, the level of investment in digital assets and the likelihood of illiquidity (in both normal and stressed conditions) in the types of digital assets invested in.

Direct exposure by QIAIFs to digital assets continues to be prohibited by the Central Bank, pending satisfactory demonstration that the depositary safekeeping obligations can be complied with in accordance with the Alternative Investment Fund Managers Directive (Directive 2011/61/EU). The Central Bank provides for a pre-submission approval process in the event a QIAIF proposes to invest indirectly in digital assets in excess of the thresholds outlined above or to seek to make any direct investment in digital assets.

On 7 May 2024, ESMA issued its Call for Evidence on the review of the UCITS Eligible Assets Directive (2007/16/EC) to assess possible changes to the eligibility rules under which UCITS may gain direct and indirect exposures, including in respect of certain asset categories that may give rise to divergent interpretations and/or risk for retail investors, including crypto-assets. With respect to indirect exposures, ESMA is particularly interested in stakeholder input on exchange-traded products, including ETFs with crypto-assets as an underlying. ESMA is due to deliver its technical advice to the European Commission by April 2025.

The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II but would be considered a crypto-asset within the scope of MiCAR.

MiCAR will not apply to crypto-assets that are unique and not fungible with other crypto-assets. The recitals to MiCAR state that the fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible, and that the issuance of crypto-assets as NFTs in a large series should be considered as an indicator of their fungibility. Therefore, categorisation will depend on the individual characteristics of an NFT.

A case-by-case analysis is also required to understand if an NFT would be considered a financial instrument under MiFID.       

PSD2 introduced two new regulated payment services which, in summary, allow customers to use third parties to obtain payment initiation services, and enable third parties to access payment data to provide account information services. This facilitates open banking. Application programming interfaces are to be used for third-party access to online payment accounts.

As part of the review of PSD2, the Commission carried out a targeted consultation on open finance framework and data sharing in the financial sector. PSD3 will seek to improve the functioning of open banking through the removal of the remaining obstacles to the provision of open banking services, by improving customers' control over their payment data and by enabling new innovative services to enter the market.

PSD2 imposes certain conditions on access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.

In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the rights to withdraw consent, to access data and for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.

Fintech firms are at the forefront of fraud-related incidents, with the most common examples being credit card fraud, identity fraud and scam-related activity. Many firms, including VASPs, have reported concerns relating to transactions and access or ownership of virtual asset wallets, prominent use of fake identification documents or stolen KYC data, and the involvement of shell companies and bank accounts opened by a third party.

Given the increasing prevalence of fraud in the fintech space, it has been paramount to address through regulation. PSD2 actively addressed account takeover fraud via Strong Customer Authentication (SCA), but steps are now being taken to update PSD2 to help stem the tide of the emerging types of fraud.

The Central Bank noted in its Regulatory Supervisory Outlook Report 2024 that, while digitalisation continues to deliver concrete benefits for consumers, it also introduces new risks in terms of frauds and scams. The Central Bank sees smishing, phishing and push payment fraud increasing in frequency and becoming more sophisticated. The Central Bank wrote to regulated firms, communicating its expectations with respect to their effective measures to mitigate the risks of fraud or scams and, in particular, Authorised Push Payment fraud.

Under the MiFID Regulations, investment firms that safeguard client financial instruments and funds must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client assets, or of rights in connection with those assets, as a result of misuse of the assets, fraud, poor administration, inadequate record-keeping or negligence.

Investment firms are required to participate in investor compensation schemes. Such schemes compensate investors, for instance, if an investment firm goes bankrupt and is unable to return financial instruments belonging to an investor.

PSD2 provides that, in the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, in certain circumstances, the payment service provider should be able to conduct an investigation, within a reasonable time, before refunding the payer.

The payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument. There should be no liability where the payer is not in a position to become aware of the loss, theft or misappropriation of the payment instrument. The payer shall bear all of the losses relating to any unauthorised payment transactions if they were incurred by the payer acting fraudulently.

MiCAR provides that CASPs providing custody and administration of crypto-assets on behalf of clients shall be liable to their clients for the loss of any crypto-assets or of the means of access to the crypto-assets as a result of an incident that is attributable to them. The liability of the CASP shall be capped at the market value of the crypto-asset that was lost, at the time the loss occurred. Incidents not attributable to the CASP include any event in respect of which the CASP demonstrates that it occurred independently of the provision of the relevant service, or independently of the operations of the CASP, such as a problem inherent in the operation of the distributed ledger that the CASP does not control. In contrast to the rules under the MiFID Regulations for investment services, crypto-assets will not be covered by an investor compensation scheme.

Regulated financial service providers may also be subject to fines and compensation requests for contraventions of financial services legislation as part of the administrative sanction procedure or pursuant to a private right of action for damages by customers who suffered loss or damage as a result of such contraventions.

Walkers (Ireland) LLP

The Exchange
George's Dock
IFSC
Dublin 1
Ireland

+353 1 470 6600

+353 1 470 6601

info@walkersglobal.com www.walkersglobal.com
Author Business Card

Trends and Developments


Authors



KPMG Law is a corporate law firm based in Ireland, and is part of KPMG’s wider legal services global network that comprises over 3,000 legal professionals across 84 jurisdictions. The corporate team works closely with other KPMG teams such as tax, accounting, and consulting, both in Ireland and internationally, as well as with international legal colleagues, to provide a global multi-disciplinary approach for clients. The firm is comprised of leading lawyers with a sophisticated and commercial approach to advice and transactions. Its teams have significant experience advising fintechs and other financial institutions on various matters, including M&A, corporate structuring, employment, financial regulation, data protection, technology and commercial contracts, as well as providing company secretarial services. This includes recent advice on new and upcoming developments and regulatory requirements for fintechs, for example under SEPA instant and DORA, and authorisation applications, including for e-money institutions and CASPs.

The fintech market in Ireland is currently on an upward trajectory with increased investment and regulation in the area. The regulatory framework for fintech in Ireland has been the subject of much change in the last few years, with 2025 looking to be no exception.

As a response to the age of digital finance, the EU has been focused on improving regulation of financial service providers who operate in the digital sphere, as well as implementing and improving the regulation of new financial products such as crypto-assets. The Irish financial regulator, the Central Bank of Ireland (Central Bank), is similarly focussed on ensuring that the Irish regulated market is ready for these new and upcoming regulatory changes.

The fintech sector in Ireland includes a broad range of both regulated and unregulated providers in the payments, e-money and virtual/crypto-assets space, as well as technical service and technology providers, who support the broader fintech ecosystems. It includes both traditional and established institutions that have expanded their services overtime to adapt to the changing landscape, as well as new players entering the market. The sector has strong backing from the State, with the government and government agencies, such as the Industrial Development Agency (IDA Ireland) and Enterprise Ireland providing various incentives and funding to startups.

Legal and Regulatory Updates

Operational resilience

The Digital Operational Resilience Act (DORA) took affect across the EU on 17 January 2025. DORA includes both a Regulation (2022/2554) (DORA Regulation) and Directive (2022/2556) (DORA Directive). DORA brings in various new requirements for financial services providers in terms of information and communications technology (ICT), and the approach to risk management.

The EU recognises that the financial services sector has become more digitised and that more stringent procedures and protections need to be put in place to prevent and respond to cyber-attacks and related incidents. In Ireland this is also supported by the Cross Industry Guidance on Operational Resilience, which the Central Bank published in 2021, and which complements the measures under DORA, and including measures applicable outside of just digital operation resilience.

The Central Bank has been actively engaging with industry in preparation for DORA, and will continue to work closely with regulated entities, including fintechs, to ensure its full implementation.

This has included the following.

  • Providing specific website updates for DORA Major ICT-related Incident and Significant Cyber Threat submissions, a template for submissions, and a system “How To” guide, to assist financial institutions.
  • Providing for the submission of Registers of Information (RoIs) for all contractual arrangements on the use of ICT services provided by ICT third-party service providers (institutions will need to submit RoIs to the Central Bank through its online portal during the window of 1 to 4 April 2025).
  • Engagement with a limited number of firms in respect of advanced Threat-Led Penetration Testing.

In its communications on DORA implementation the Central Bank has been clear that:

  • whilst recognising that certain elements will become clearer in terms of practical implementation, firms should have already laid much of the groundwork for implementation;
  • the Central Bank is ultimately aiming for “high quality implementation”, and is therefore committed to working with firms from their initial implementation through to a richer more fully achieved compliance over time;
  • where possible gaps in compliance have been identified, firms will be expected to have identified these and have a clear plan to close those gaps, and key aspects such as incident identification and reporting, are required without delay;
  • the Central Bank will continue to promote a convergent approach to supervision and implementation with other competent authorities across the EU;
  • the Central Bank will continue to develop and transform its supervisory approach with an integrated supervisory framework for oversight of specific sectors, as well as cross-sectoral supervision teams, including for DORA; and
  • the new oversight regime for critical ICT third-party service providers represents a significant and ground-breaking approach.

Accordingly, regulated entities and ICT service providers working with them should have already taken significant steps to comply with DORA. The Central Bank’s approach to implementation and supervision means that firms should expect significant regulatory scrutiny and engagement over the next year to ensure that all firms have place comprehensive risk management, reporting and operational resilience frameworks.

Markets in Crypto-Asset Regulation (MiCAR)

MiCAR fully entered into force from 31 December 2024, with the requirements relating to stablecoin issuers coming into effect in June 2024. MiCAR aims to provide greater transparency, clarity and investor protection in Ireland and the EU, while also allowing for the provision of cross-border services across the EEA.

MiCAR introduces significant new rules for crypto-assets (including asset referenced tokens (ARTs), electronic money tokens (EMTs) and non-ARTs/EMTs), issuers of crypto-assets and crypto-asset service providers (CASPs). Certain types of crypto-assets are, however, exempt (for example unique non-fungible tokens), and these may continue to be issued without the need to comply with MiCAR.

For issuers, authorisation as a credit institution or e-money institution is required to issue EMTs, and authorisation as a credit institution or under a new MiCAR issuer authorisation is required to issue ARTs. No authorisation is required to issue non-ARTs/EMTs. Tokens which are offered to the public or traded on a trading platform will also need to produce white papers which, in Ireland, will be notified to the Central Bank. The white paper is similar to a prospectus, setting out key information, prescribed under MiCAR, in relation to the relevant token.

Separately, authorisation as a CASP will be required in respect of certain crypto-asset services including, in respect of crypto-assets covered by MiCAR:

  • custody and administration;
  • operation of a trading platform;
  • exchange of crypto-assets for funds;
  • exchange of crypto-assets for other crypto-assets;
  • execution of orders;
  • placing;
  • reception and transmission of orders;
  • providing advice;
  • providing portfolio management; and
  • providing transfer services.

These permissions broadly mirror those in relation to financial instruments under the Markets in Financial Instruments Directive (MiFID), with some additions / modifications. The provision of transfer services in respect of EMTs will however require authorisation as a payment institution, or e-money institution, as EMTs are deemed e-money.

New and existing CASPs will now need to obtain authorisation in Ireland from the Central Bank. For existing virtual asset service providers (VASPs), who were previously registered for the purposes of AML/CFT supervision, there is a 12 month transitional period, during which they will need to obtain authorisation as a CASP to continue providing services. The key stages of the Central Bank CASP application process are:

  • an initial engagement stage;
  • submission of the key facts document (KFD);
  • formal applications submission stage;
  • potential refusal review;
  • assessment stage; and
  • decision.

In practice, there will be significant engagement with the Central Bank prior to the submission of the formal application. Once the formal application is submitted, the Central Bank will have three months (excluding pauses for responses to questions) to make a decision on the application.

Once authorised, CASPs will be able to provide crypto-asset services on a passported basis across the EU/EEA in a similar matter to other EU-regulated financial institutions.

MiCAR ultimately represents a sea-change in the nature and extent of regulation of crypto-assets and associated services. For both new and existing CASPs there will be significant work required to obtain authorisation and to align existing entities’ process, procedures, governance and controls with applicable legal and regulatory requirements, not only under MiCAR, but also under the broader universe of financial regulation (eg, DORA, Consumer Protection Code, Fitness and Probity). In Ireland, this will need to be completed before the end of 2025 in order for those firms to continue providing services (other Member States have implemented shorter or longer transitional periods under MiCAR of between six and 18 months). 

SEPA instant payments

The Instant Payments Regulation (Regulation (EU)2024/886), which amends the SEPA Regulation (Regulation 260/2012/EU), is a very significant step in modernising the EU fintech landscape, driven by consumer demand and an increasingly digitised economy. The instant payments scheme was initially launched in 2017 as an optional SEPA scheme. However, due to varying uptake (Ireland being at the lower end with only 5% coverage at the time), it was decided that the scheme should become mandatory in the form of a Regulation.

The Instant Payments Regulation therefore aims to enhance the speed and efficiency of transactions between participating financial institutions, allowing for credit transfers to be completed in less than ten seconds and 24 hours a day, and seven days a week, and will mark a very significant change in how payments are processed and provided in the Irish market.

While the speed and efficiency of transfers will be improved, the Instant Payments Regulation does have the potential to increase risks relating to fraud/anti-money laundering, and terrorism financing. However, it’s implementation in conjunction with the EU AML Package and related legislation, and the verification/screening safeguards within the Instant Payments Regulation itself aim to mitigate this risk. All payment service providers (PSPs) who send or receive credit transfers in euro will be within scope of the Instant Payments Regulation, with different categories of PSPs being obliged to comply under varying timeframes.

Credit institutions in the Eurozone receiving instant payments must comply with the requirements for receiving instant payments from 9 January 2025, and for sending instant payments from 9 October 2025. Other PSPs, eg, payment institutions and e-money institutions, as well as PSPs outside of the Eurozone will need to comply on a phased basis for receiving and making instant payments during the course of 2027.

Compliance with the Instant Payments Regulation will require significant technical and operational changes on behalf of PSPs. However, it equally provides opportunities for PSPs to enhance and increase their offerings for customers, as well as ensuring smoother payments in Ireland and across the EU.

Artificial intelligence

On 12 July 2024, the EU adopted Regulation (EU) 2024/1689 (AI Act). The AI Act entered into force on 1 August 2024, and in coming into force on a phased basis from 2 February 2025 until 2 August 2026.

The AI Act takes a risk-based approach to AI Systems, differentiating between different use cases, with varying levels of restrictions and requirements. There are five levels of AI Systems identified.

  • Unacceptable risk – These are prohibited (from 2 February 2025) and include systems which look to manipulate or exploit vulnerabilities, evaluate or categorise people with social scores leading to unfavourable treatment.
  • High-risk – These are subject to various obligations including risk management, human oversight, data quality and accuracy, cybersecurity, and transparency. Use cases could, amongst other, involve biometrics, as well as access to essential services, and where used in decision-making.
  • Limited risk – The focus for these AI Systems is on ensuring that people are aware the AI is being used (ie, transparency). This will include, for example, the use of chatbots or ChatGPT, or other AI-generated content.
  • Minimal risk – For other AI Systems involving minimal risk, eg, spam filers, these will generally fall outside of the scope of act.

Whilst the AI Act is of general application, it will have a significant impact on financial institutions and fintech providers where AI Systems are used. This may include, for example, in connection with AML/CFT requirements, credit assessment, risk assessment and quantification, complaints handling, customer communications, advertising, fraud prevention, and to facilitate new and novel areas or products.

Regulated entities will need to understand the risks associated with the deployment of AI systems, both from a business, governance, operational, and customer perspective. Caution will need to be taken to ensure that AI systems do not give rise to discrimination, and that a level of human oversight is maintained. Over-reliance on external service providers, both from a concentration perspective (where certain AI Systems are provided by only a few providers) as well as a digital operational resilience perspective (ie, in accordance with DORA), also creates risks.

The Central Bank is likely to be the competent authority for overseeing compliance with obligations under the AI Act for financial institutions, as well as the interaction with the broader financial services legislation.

As part of its own engagement on the use of AI, and aligned with Ireland’s National AI Strategy, the Central Bank last year announced a collaboration with the Insight Research Ireland Centre for Data Analytics at University of Limerick. This programme, which opens in 2025, will see the Central Bank funding a dedicated PhD programme in AI and data science to run for over six years. It will focus on research that builds public trust, improves policy outcomes and cultivates the next generation of AI talent, including through safer financial systems and better outcomes for consumers of financial services, as well as addressing issues such as responsible AI, financial crime, and cyber and climate risk.

Whilst the use of AI Systems potentially offers significant benefits in terms of the provision of financial services, both customer-facing and back office, these will need to be effectively balanced against the potential risks to the business and its customers. Ireland, both nationally and within the Central Bank, looks to focus efforts on developing these products and solutions, and positioning Ireland as a centre of excellence for the development and implementation of AI solutions.

Payment services and access to cash

PSD3 and PSR

The EU is currently in the process of reviewing and overhauling the existing payment services framework, with a particular focus on the increasingly digital nature of payments in the EU, as well as providing greater consistency in application and approach to the regulation of payment services across the EEA. The Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), which are likely to be adopted in 2025 and come into effect 18 months later, will build on and recast many of the rules currently set out in the Second Payment Services Directive (PSD2). These will be implemented in the context of a broader retail payments strategy, including SEPA Instant and FiDAR.

There are six key objectives of the reform:

  • combatting and mitigating payment fraud;
  • improved consumer rights;
  • levelling the playing field between banks and non-banks;
  • improved functioning of open banking;
  • improved availability of cash in shops through ATMs; and
  • strengthening harmonisations and enforcement.

Key changes to the existing requirements under PSD2 will include the following.

  • Reform of the existing list of payment services, including merging services enabling cash to be placed on and/or withdrawn from a payment account, and the execution of payment transaction (both generally and covered by a line of credit), and the differentiating between the payment services of issuing payment instruments and acquiring payment transactions.
  • The removal of the e-money authorisation as distinct from a payment institution authorisation.
  • Greater clarity on the nature and scope of exemptions (eg, in respect of commercial agents).
  • Enhancements to strong customer authentication requirements.
  • Co-operation and information exchange between payment service providers (PSPs) on fraud, as well as customer education on fraud.
  • In the context of open banking, mandatory data access interfaces for account servicing PSPs, dashboards to manage permissions to access open banking, and detailed specification for data interfaces.
  • Allowing direct participation for payment institutions in all payment systems, as well as enhanced rights to access bank accounts to provide services.
  • A registration regime for independent ATM providers.

Existing payment institutions and e-money institutions may also need to go through a re-authorisation process with the Central Bank (similar to what occurred when PSD2 was introduced).

The Central Bank is expected to engage with local PSPs in due course to ensure their preparation for the implementation of PSD3 and the associated reauthorisation application.

Access to Cash Bill

In Ireland, in advance of PSD3 and PSR, a number of similar measures will be introduced through the Finance (Provision of Access to Cash Infrastructure) Bill 2024, which is likely to be passed during the course of 2025.

This legislation followed the Retail Banking Review Report, published in November 2022, which recommended that the Department of Finance develop access to cash legislation. The Central Bank is supportive of the Bill, particularly in the context of the Eurosystem’s cash strategy 2030, and as part of the development of the National Payments Strategy. In particular, the Central Bank considers it an important public policy intervention to ensure that cash remains available to households and businesses as an effective means of payment. The ECB will also be consulted on the Bill.

The Bill provides for:

  • an assessment of Reasonable Access to Cash (RAC) with criteria for lodgement and withdrawal facilities based on proximity (percentage of population within 10km of an ATM and ATMs per capita (minimum number of ATMs per 100,000 people));
  • based on the assessment, specific requirements on certain Irish banks to provide ATMs to facilitate local access to cash (and a power for the Central Bank to require actions where deficiencies in coverage are identified; and
  • the registration of ATM providers and cash in transit services with the Central Bank, for the purposes of supervision by the Central Bank (although they will not be subject to the full panoply of requirements applicable to regulated financial service providers).

The Financial Data Access and Amending Regulations Proposal

The Financial Data Access Regulation (FiDAR), was published in parallel with the PSD3/PSR proposals and while currently still in the proposal stage, is expected to be adopted in early 2025. The proposal aims to give customers of financial institutions, both consumers and corporates, control over their financial data. The proposal covers specific data relating to financial services and products, for example loans, and payment accounts, investments, and crypto-assets. Data holders and data users will include most regulated entities.

The proposal requires the data holder to make data available to both the customer and a data user without undue delay, continuously, and in real-time, when requested by the customer. The data must be made available to the customer free of charge, but the data holder may charge data users subject to a data sharing scheme. The data user can only access customer data if they have prior authorisation by a competent authority as a financial institution or under a new authorisation for financial information service providers (FISPs), and only under the permission given by the customer and the customer can withdraw this permission.

FiDAR has the potential to radically alter the way customer data is shared and aims to help in developing innovative new products and solutions by empowering consumers and encouraging digitalisation. It also has the potential to improve customer experience in both face-to-face and online advice processes through the effective use of customer data. Fintechs should be well-positioned to take advantage of the new rules under FiDAR. Effective and early engagement with internal stakeholders, including the board, compliance teams, product teams, and IT department, to explore how best opportunities under FiDAR can be leveraged effective access and use of customer data can help them develop and provide services to customers will therefore be key.

Central Bank innovation sandbox

The Central Bank launched its Innovation Sandbox Programme in December 2024 with the theme of combatting financial crime. It aims to provide a platform to help develop technologies to minimise fraud and further enhance the established AML/CFT frameworks through the use innovative technology solutions. The purpose of this new programme is to provide early-stage development to innovative initiatives that help increase consumer and financial outcomes.

The reasons that that this programme was launched is that the financial system is a key aspect of the economy of Ireland, and an efficient and resilient financial system is a fundamental aspect of providing consumers and investors with trust; financial crimes erode and undermine stability and trust in the financial system. With technology growing at such a fast race there is a concern that this growth is outpacing the Central Bank’s ability to provide stability and safety. With over EUR1 trillion lost to scams globally in 2023 alone, and EUR9.9 million lost Authorised Push Payment scams lost in Ireland in 2022, the sandbox looks to provide an innovative and collaborative approach for finding solutions to increasingly inventive acts of fraud by scammers.

Seven selected participants have been chosen to participate, with focussing on a separate area of concern. For example, AMLYZE is developing an AML/CFT information sharing framework that will help detect and prevent fraudulent activities.

The sandbox aims to encourage collaboration across the financial ecosystem to help minimise financial crime. It will do so through structured programme workshops each month presented by the participants on relevant topics. The Programme will also offer bespoke engagement with dedicated Sandbox Relationship Managers. These managers will have the ability and access to liaise with broad range of the Central Banks teams, such as those working in Consumer and Investor Protection or Monetary and Financial Stability. The participants will be given access to a Data Platform that is offering data sets and tools to help combat areas of financial crime, while also allowing participants to test the progress and effectiveness of their innovations.

Whilst the current sandbox programme has already commenced, it is hope that future programmes will build on its success; providing a platform for new and innovative fintechs to engage with the Central Bank and develop effective solutions to the challenges facing consumers, financial markets, and institutions.

KPMG Law

1 Stokes Place
St. Stephen’s Green
D02DE03
Ireland

+353 1 410 8000

info@kpmglaw.ie www.kpmglaw.ie
Author Business Card

Law and Practice

Authors



Walkers is a leading international firm that provides legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers. Clients include Fortune 100 and FTSE 100 companies, and some of the most innovative firms and institutions across the financial markets. The firm has ten offices, in Bermuda, the British Virgin Islands, the Cayman Islands, Dubai, Guernsey, Hong Kong, Ireland, Jersey, London and Singapore. It regularly advises innovative fintech firms on legal and regulatory considerations arising from offering their products to the Irish and European market, often for the first time and in novel areas. It leverages its expertise in multiple areas of regulated financial services when assessing fintech proposals to provide clear mapping of product features that could trigger regulatory issues. It has also assisted start-up clients in engaging with the Central Bank of Ireland's Innovation Hub, which is only open to innovative services.

Trends and Developments

Authors



KPMG Law is a corporate law firm based in Ireland, and is part of KPMG’s wider legal services global network that comprises over 3,000 legal professionals across 84 jurisdictions. The corporate team works closely with other KPMG teams such as tax, accounting, and consulting, both in Ireland and internationally, as well as with international legal colleagues, to provide a global multi-disciplinary approach for clients. The firm is comprised of leading lawyers with a sophisticated and commercial approach to advice and transactions. Its teams have significant experience advising fintechs and other financial institutions on various matters, including M&A, corporate structuring, employment, financial regulation, data protection, technology and commercial contracts, as well as providing company secretarial services. This includes recent advice on new and upcoming developments and regulatory requirements for fintechs, for example under SEPA instant and DORA, and authorisation applications, including for e-money institutions and CASPs.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.