Consumer Protection Code 2025

The Consumer Protection Code 2025 (CPC 2025), which comes into effect on 24 March 2026, represents the most significant and far-reaching recalibration of Ireland’s consumer protection framework in more than a decade. The revised Code is the culmination of a multi-year regulatory process, marked by extensive consultation with industry, consumer representatives and other stakeholders. It is designed to address the complexities and realities of a rapidly evolving financial services landscape, characterised by accelerating digitalisation, increasing product sophistication and a growing regulatory focus on demonstrable positive consumer outcomes.

Recognising the scale of structural change required by the Consumer Protection Code 2025 (CPC 2025) and drawing on our market-leading expertise in regulatory transformation, Simmons & Simmons has developed a dedicated tool to support firms in operationalising the Code’s requirements while meeting the Central Bank of Ireland’s (CBI) evolving expectations. Further details of our CPC Tool are set out at para 7. below.

The CPC 2025 is structured around two principal pillars, with extensive supporting guidance:

• Standards for Business Regulations 2025: This is a high-level, somewhat principles-based framework comprising almost 60 provisions, which both replaces and significantly amplifies the General Principles of the 2012 Code. Notably, these standards generally apply to all customers - encompassing individuals, partnerships and corporates - rather than being confined to the narrower category of “consumers”.

• Consumer Protection Regulations 2025: This pillar introduces over 400 granular requirements. With some exceptions reflecting sector-specific protections, these requirements apply across the full spectrum of regulated activities, including banking, credit, asset finance, payments and e-money services, insurance, investments and emerging sectors such as crypto asset services.

The scope of the CPC 2025 is expansive. The definition of “consumer” has been materially broadened to include, in addition to natural persons, incorporated bodies with an annual turnover of up to €5 million (on a group or standalone basis), increased from €3 million, thereby bringing a significantly wider cohort of SMEs within the reach of the Code.

The CPC 2025 also applies to all regulated activities with some exclusions (e.g., services provided to persons outside Ireland, MiFID Schedule 1 services, reinsurance) - and entities operating in Ireland, including those authorised in the EEA and passporting into Ireland on either a branch or cross-border basis, provided they are delivering services to customers in Ireland.

Application to all customers

The Standards for Business Regulations 2025 represent a substantial extension from the 12 General Principles of the 2012 CPC to almost 60 detailed provisions. These standards are legally binding and enforceable, applying (with limited exceptions) to all dealings of a regulated entity with their “customers” - individuals, partnerships and corporates - irrespective of financial thresholds. Almost 45 of these standards either apply to all customers or relate to the firm’s own systems and controls (with the remaining standards applying to the more limited “consumer” category).

The CBI’s approach has been to treat the General Principles as fertile ground for enforcement action and there is no indication of this approach changing under the CPC 2025. The imposition of the Individual Accountability Framework (IAF) for all regulated firms and the Senior Executive Accountability Regime (SEAR) for in-scope firms means that individuals holding pre-approval controlled functions (PCFs) and, in some cases, CF1s (any individual considered to exert significant influence on the regulated firm) are directly liable under the administrative sanctions regime for breaches of the Standards for Business and the Consumer Protection Regulations 2025. A private cause of civil action at the suit of customers for breach of these requirements also exists, where this has caused loss or damage.

What’s new and what must change?

The Standards for Business retain some of the General Principles under the CPC 2012, including acting honestly, with due skill, care and diligence and in the best interests of customers. New standards imposed under the CPC 2025 include:

• Informing the customer effectively, which is given a much greater focus under the revised Code
• Controlling and managing affairs and systems sustainably, responsibly and in a sound and prudent manner
• Maintaining adequate financial resources
• Engaging and cooperating with the CBI and comparable competent authorities in good faith and without delay

Supporting obligations now require a regulated firm’s management to have appropriate knowledge of the firm’s activities and risks. The firm must comply with all applicable financial services legislation and operate in line with relevant market conduct standards, trading venue rules and any applicable market codes. In this way, what may have been regarded as “soft law” are transformed into legally enforceable requirements.

For dealings with the narrower category of CPC “consumers” (all individuals, partnerships and corporates with annual turnover not exceeding €5 million on a group or standalone basis), new obligations under the Standards for Business include securing consumers' interests - specifically requiring firms to deliver good outcomes, a core regulatory conduct priority. Firms must also control and manage their affairs and systems to counter the risks of financial abuse to their customers who are “consumers”.

While MiFID activities are largely out of scope of the CPC 2025, the extensive Securing Consumers’ Interests guidance issued by the CBI applies to MiFID activities, as does the CBI’s detailed guidance on dealing with consumers in vulnerable circumstances.

Compliance with the CBI’s Consumer Protection Risk Assessment (CPRA) framework - a mechanism for embedding consumer protection risk across all aspects of a regulated firm’s operations, from governance and control through people and culture and across the product lifecycle - is repeatedly referenced in CBI guidance.

Ensuring compliance with the Standards for Business and their supporting obligations will require a wholesale review of a firm’s risk management frameworks, governance, culture and product design structure to ensure that all applicable obligations are appropriately embedded. This task extends beyond retail business to dealings with sophisticated corporate customers, including where the regulated firms are wholesale banks. Implementation gaps will not only signal a regulated firm’s inability to adapt to the CPC 2025 but also expose underlying weaknesses in the firm’s systems and controls - an outcome the CBI is unlikely to view favourably.

What needs to change?

While still of wide application, the Consumer Protection Regulations 2025 have a more restricted reach than the Standards for Business, applying to dealings by regulated firms with the narrower category of CPC “consumers” (all individuals, partnerships and corporates with annual turnover not exceeding €5 million on a group or standalone basis). Unlike the SME Regulations 2015, no exclusion applies for borrowers under syndicated credit facilities.

Significant new requirements and changes are introduced, including:

• Sustainability Preferences: New obligations require the collection of information about consumers’ sustainability preferences related to environmental, social and governance (ESG) factors. While ESG preferences are not part of the core suitability assessment, firms must inform consumers, where relevant, how the financial service aligns with those preferences in the statement of suitability.

• Vulnerable Consumers: Obligations are expanded for identifying and supporting consumers (natural persons) in vulnerable circumstances, including the provision of ongoing, rather than simply day-one assistance, the delivery of staff training and the ability for consumers to nominate a trusted contact. As mentioned, the CBI’s supporting guidance on vulnerable consumers is also applied to MiFID activities.

• Digitalisation: New rules are introduced for user-friendly digital platforms, including the prohibition of pre-selected consents, the requirement for clear guidance and customer support, the provision of advance notice of withdrawal of access to digital systems and the issuance of reminders of withdrawal rights (cooling-off).

• Informing Effectively: New obligations are imposed for personal notifications, revised timeframes and content tailored to the “average consumer,” reflecting that over 50% of the general requirements under Part 2 of the Consumer Protection Regulations 2025 involve consumer communications. This effectively requires firms to document a baseline consumer profile for each financial service, reflecting the minimum level of financial understanding reasonably expected within the target market.

• Unregulated Activities: Stricter separation and disclosure requirements are imposed to ensure that consumers do not misunderstand unregulated activities as having regulatory protections, including the provision of prominent warnings and the maintenance of separate webpages.

• Advertising, Complaints and Errors: Obligations are introduced for the regular review and updating of advertisements for CPC 2025 compliance, error resolution requirements are strengthened by expanding remediation obligations beyond refunds to include other corrective actions and new complaints handling governance obligations are introduced, including the analysis of complaint patterns at least every six months and ensuing board reporting.

Significant sector-specific changes have also been introduced impacting on banking, credit and asset finance, insurance and investments. For example, firms must now provide personal notifications for changes that previously could be communicated via website notices such as a change in the regulated firm’s range of services. Changes to compliance timeframes also apply. In addition, new business operations-related requirements apply such as undertaking pre- and post-closure impact assessments which must be made publicly accessible when a credit institution branch is closed, with firms also required to give extended advance notice to consumers and the wider community ahead of any branch closure.

Significant overlap exists between the CPC 2025 and the UK Consumer Duty, particularly regarding the embedding of consumer interests, delivery of fair outcomes and effective communications. However, the CPC 2025 is much broader in scope, applying to a wider range of customer types and regulated activities. Under the CPC 2025, coverage extends to areas outside the UK regime, including credit to corporates, SME lending and high-net-worth lending with no monetary threshold. It also applies more widely to consumers and customers in deposit-taking and payment services than the UK Consumer Duty.

The UK regime places emphasis on “reasonableness” and “reasonable steps”, with a focus on prudent conduct and understanding customer needs. In contrast, the CPC 2025 expects firms to deploy their resources effectively to secure customers’ interests and otherwise comply with the CPC 2025, without replicating the “reasonable steps” qualification. In this way, the CBI has intentionally distinguished firm-level obligations from accountability imposed on individuals under the IAF, where a “reasonable steps” qualification applies.

So while having the procedures and policies in place to comply with the UK Consumer Duty will certainly be of assistance to domestic firms with UK operations, the granularity of the changes under the CPC 2025 requires forensic review and analysis to identify the specific requirements now imposed. Such requirements relate to matters such as the detailed contents of required customer communications and disclosures, communication methods and timeframes, completely new areas of coverage and governance obligations. These requirements must then be appropriately embedded in regulated firms’ policies, procedures and systems.

Implementing the CPC 2025 is not merely a compliance exercise. It necessitates a wholesale review of risk management frameworks, governance, culture and product design. While regulated firms must comply with the detailed changes under the Consumer Protection Regulations 2025, firms must also evidence that they are delivering improved consumer outcomes. The sheer volume of new provisions and supporting documents, coupled with the likelihood that many firms will fall under multiple regulatory categories, creates a structural risk of oversight or non-compliance.

To support regulated firms in navigating this complexity, Simmons & Simmons has developed the CPC Tool - a comprehensive, interactive solution designed to operationalise every aspect of the Code. The CPC Tool offers the following features:

• Each regulatory change is mapped to clear, practical, expert-led, actionable steps
• Triaging of impact of changes
• Templates for disclosures, consents and communications
• Practical prompts and guidance for evidencing compliance and fair outcomes
• Redline comparisons between the CPC 2012 and 2025
• Integrated Simmons analysis and commentary
• Integration into our analysis of CBI guidance, CPRA, Dear CEO letters and other regulatory materials, all of which inform resulting action points.

The CPC Tool is designed to represent a trusted “all-in-one” solution to support compliance, legal and operations teams, providing boards and senior management with assurance that regulatory expectations are being met in this significant regulatory change project.

For more information or a demonstration, please contact products@simmons-simmons.com