KPMG Law LLP logo

8 May 2024

On 7 March 2024, the Central Bank of Ireland published its Consumer Protection Code Review, CP158. The Review proposes an updated and modernised Code which will be effected through two Statutory Instruments, referred to as ‘Standards for Business Regulations’[1] and ‘Conduct of Business Regulations[2]. Chris Martin and our Financial Services Regulations team explain below.

The Central Bank has published accompanying guidance documents on Securing Customers’ Interests and Protecting Consumers in Vulnerable Circumstances which provide additional colour on the requirements under the proposed Regulations. The consultation is open for feedback until 7 June 2024. Additional information on the consultation is available in our insights piece here.

A fundamental part of the revised framework will be centred on the concept of ‘Securing Customers’ Interests’ which requires Regulated Financial Service Providers (RFSPs) to incorporate customers’ interests into their decision making as a means of delivering positive consumer outcomes.

This builds on the existing general principles contained in the CPC, including to act honestly, fairly and professionally, and with due skill, care and diligence, in the best interests of customers, and will place an increased onus on RFSPs and individuals to be able to demonstrate that customers’ interests were taken into account as part of decision-making by the RFSP and its senior management.

The Standards

The proposed Standards for Business outlined in CP158, place an obligation on firms to act in the best interest of their customers[3]. In particular, an RFSP must at all times:

  1. secure its customers’ interests;
  2. act with honesty and integrity;
  3. act with due skill, care and diligence;
  4. act in the best interests of customers and treat them fairly and professionally;
  5. ensure that all information it provides to customer is presented in a way that seeks to effectively inform the customer;
  6. control and manage its affairs and systems sustainably, responsibly and in a sound and prudent manner; (this extends to a RFSP’s risk management systems, internal control mechanisms and governance arrangements)
  7. maintain adequate financial resources;
  8. control and manage it affairs and systems to counter the risks to customers of financial abuse;
  9. engage and cooperate with the Bank and comparable competent authorities in good faith and without delay;”

Importantly, the standard of securing customers’ interests (at paragraph (a)) only applies to an RFSP when dealing with consumers in the State; reflecting the heightened protection for individuals and small businesses and the commensurate need, having regard to the parties’ imbalance of power, for RFSPs to actively seek to secure their customers’ interests where they are consumers.

It should be noted that the definition of a “consumer” will be expanded and will now include incorporated entities or entities within a group with an annual turnover of €5 million or less (increased from €3 million).

However, unlike the existing CPC, no turnover threshold is set for unincorporated entities / groups of persons including partnerships, clubs, charities, trusts or other unincorporated bodies. This means that under the current proposal all unincorporated bodies, even those with very significant turnovers (e.g. large partnerships, or trusts), will benefit from full consumer protection under the Regulations[4].

Enforcement action around securing customers’ interests

As Regulations issued under designated enactments[5], breach of the requirements under the Standards for Business Regulations (or Conduct of Business Regulations) will be prescribed contraventions for the purposes of the Central Bank’s administrative sanctions regime.

Where the Central Bank suspects an RFSP may have committed a prescribed contravention under these Regulations, it will be entitled to commence an investigation, which may lead to an enforcement action against the RFSP.

Under the Senior Executive Accountability Regime (SEAR), individuals to whom duties of responsibility are allocated are responsible for taking reasonable steps to ensure that, while the person has that responsibility, the relevant aspect of the RFSP’s business is conducted in such a way as to avoid contraventions, as well as comply with the common and additional conduct standards.

Accordingly, if an RFSP failed to act in a way which sought to secure customers’ interests, and the relevant senior management did not take reasonable steps to prevent this, this could give rise to enforcement action against the RFSP and/or the relevant individual.

Given the potentially broad scope of the obligation to secure customers’ interests, as well as its interaction with existing corporate obligations (e.g. to act in the interests of shareholders), additional guidance has been provided in both Part 3 of the Business Standards Regulations (Supporting Standards for Business) and in the Guidance on Securing Customers’ Interests.

In particular, to secure customers’ interests, an RFSP must:

The subjective and potentially retrospective nature of any assessment of compliance with the above requirements, however, creates potential uncertainty for both RFSPs and their senior management. Where decisions have been taken in respect of specific individuals, rather than customers more generally, the precise circumstances of the customer will also be relevant in considering whether the RFSP sought to secure that customer’s interest, for example by delivering a fair outcome in a particular case.

In this regard, the attitudes, ages, financial literacy, level of understanding and expectation of individual customers will necessarily be varied and particular to the relevant co nsumer. It may also be difficult to accurately assess the potential impact on, or interests of, consumers when looking at long-term products or developments; a decision at the outset to achieve a fair outcome for a consumer might be very different when viewed in retrospect in ten, twenty or thirty years once a product has matured or has potentially been subject to unexpected market or environmental pressures or challenges.

It will therefore be important that decisions which could impact on consumers (both individually and collectively) are properly assessed, and a record of the assessment of the impact on customers, and how their interests were ultimately secured, will be crucial in defending any future action by the Central Bank in the event that it considered that the RFSP or its senior management may have failed to properly secure customers’ interests.  Read our thought leadership on the development of appropriate processes to record these decisions here and here.

Notwithstanding the potentially subjective nature of the obligation, as has been previously seen in respect of the General Principles under the CPC, the Central Bank will take enforcement action where it considers that the standard has not been met.

RFSPs should therefore expect the Central Bank to scrutinise RFSPs’ decision-making processes, and should be prepared to demonstrate how customers’ interests were secured. It will be interesting to see how this obligation is ultimately interpreted by the Central Bank, and the courts in the event of challenge, and how it may be deployed as part of its enforcement action in the future.  

How we can help

KPMG’s multidisciplinary teams of lawyers and consultants works with organisations to support them through regulatory change. KPMG is able to draw upon an array of subject matter experts with backgrounds in legal and consulting, as well as our international network, to assist firms with understanding the impact of changes, including firms’ and individuals’ exposures and responsibilities, as well as assisting with the implementation of those changes.

We are also able to assist with and advice on engagements with the Central Bank in the event of enforcement or other regulatory action.

Please do not hesitate to contact our team below.

Contact the team

Derek Hegarty

Derek Hegarty

Head of Financial Services Regulation

Gillian Kelly

Gillian Kelly

Head of Consulting
KPMG in Ireland

Yvonne Kelleher

Yvonne Kelleher

Managing Director
Risk Consulting
KPMG in Ireland

Rosalind Norton

Rosalind Norton

Risk Consulting
KPMG in Ireland

Donata Halpin

Donata Halpin

Risk Consulting
KPMG in Ireland

Discover more in Financial Services Regulation


[1] Issued under section 17A of the Central Bank Reform Act 2010, which was inserted by the Central Bank (Individual Accountability Framework) Act 2023

[2] Issued under section 48 of the Central Bank (Supervision and Enforcement) Act 2013

[3] Regulation 4 (1)(d) of the draft Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations.

[4] It is not clear if the inclusion of such entities within the new definition of “consumer” was intentional.

[5] Namely the Central Bank Reform Act 2010 and the Central Bank (Supervision and Enforcement) Act 2013