Seller Beware - A modernised Consumer Protection Code

InsightsNews & opinions

A modernised Consumer Protection Code 2025

27 March 2025
TagsFinancial services
On 24 March 2025, the Central Bank of Ireland (CBI) concluded its review of the Consumer Protection Code 2012 (CPC 2012). Following this update, the CNI has published a number of updates.

The CBI has now published:

  • CP158 Feedback Statement on the Consumer Protection Code;
  • Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025
  • Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025;
  • Guidance on Securing Customers’ Interests;
  • Guidance on Protecting Consumers in Vulnerable Circumstances; and
  • General Guidance on the Consumer Protection Code.

The final regulation and guidance (collectively, consumer protection requirements) are broadly aligned with the draft regulation and guidance published in March 2024. Albeit there have been some minor refinements, to reflect feedback provided in the consultation period as outlined in the Feedback Statement. In addition, the supporting tools made available by the CBI assist in identifying these refinements, including a track change version of the March 2024 draft regulation.

Now the focus of firms must turn to the implementation of the new requirements, including quantifying the impact it has on its existing systems and controls before 24 March 2026.

Many firms will be familiar with the Financial Conduct Authority’s (FCA) Consumer Duty requirements, rather than being as prescriptive as the FCA, to avoid a “tick-box” approach, the CBI has incorporated scope for firms to implement the requirements, relevant to their operations and customer base. This is a positive as it will allow firms to implement the CPC such that it reflects its business and operations. It does also present a significant regulatory risk for firms that do not take the time to assess, understand and implement the requirements.

Three key implementation challenges, facing firms now are as follows:

  • Defining and agreeing on key terms (not prescriptively defined in the consumer protection requirements) and key interpretations to ensure consistent and defensible implementation across the three lines of defence.
  • When do you flag a customer as a consumer on your systems and when does a consumer become a customer? Identify the scope and impact of the new regulations on their business from a customer, product, policy, and IT systems perspective.
  • Understanding the relationship between regulation and guidance in the context of consumer protection and the firm’s approach to implementation.

While we explore these challenges and impacts in more detail below, our recurring recommendation is that throughout your CPC 2025 implementation project, it is vital to document your firm’s key definitions and interpretations of the requirements. These will be the drivers for ensuring your approach is consistent and defensible in the months and years post-implementation. The decisions your firm makes during the implementation of the consumer protection requirements may also be the cause of your firm dealing with suspected or actual CPC contraventions in the future. An intended or unintended bad decision during implementation may only be identified years post-implementation, at which point the issue will have compounded itself.

From a personal perspective, these post-implementation issues may arise after you depart the firm. As a result, it is also important to ensure the implementation, key definitions and interpretations are documented to evidence your reasonable steps.

Key implementation challenges facing firms

Challenge 1

Defining and agreeing key terms (not prescriptively defined in the consumer protection requirements) and key interpretations, to ensure a consistent and defensible implementation across the three lines of defence.
Consumer Protection Code 2025

The definitions that each firm will set for itself and work within will have the greatest impact on their CPC implementation, specially in the following areas:

Definitions of Customers and Consumers
Across, the final documents published the definition of a consumer[1] remains consistent (albeit that it is broader compared to CPC 2012[2].

An enhancement to the CPC 2025 is that it now provides for a definition of customer . Which is broader than “consumer”[3]. However, Firms will need to be mindful that across the relevant final documents the definition of “customer” changes.

For example, within the Regulation and General Guidance the definition is consistent. However, in the Securing Customers Interests’ Guidance, the CBI notes that the definition of customer equates to the definition of consumer (as outlined in the regulation).

In addition, within the General Guidance, there other customer type terms referenced that are undefined specifically users and clients.

Securing Customers’ Interests
The CBI has noted that the purpose of the guidance along with the 2017 A Guide to Consumer Protection Risk Assessment (CPRA) is to “assist firms by setting out what firms need to consider” rather than prescriptive in the customers’ interests that firms should be seeking to secure.

Protecting Consumers in Vulnerable Circumstances
Within the regulation and guidance the CBI has defined, “consumer in vulnerable circumstances” [4].  Similar to the Guidance on Securing Customers’ Interests the CBI is not prescriptive as to what firms must do to ensure the fair treatment of customers in vulnerable circumstances or what is considered fair treatment.

Potential Impact and Interpretation Required

Definitions of Customers and Consumers 
Firms should document and apply their approach to applying the broader definition of “consumer” and their approach to applying the requirements of CPC 2025 to consumers that fall in-scope because of the newly expanded definition. For example, in areas such as communications and complaints. 

With respect to the definition of customer for the first time in CPC2025. Firms will now need to set its own definition of a “potential” customer and “former” customer. Similarly, firms will also need to define “user” and “clients” in the context of adhering to the General Guidance.

In addition, firms will need to carefully assess (and document interpretations) the impact of these changing definitions across the different CPC documents.

Securing Customers’ Interests
It is important that firms document their interpretation of and approach to addressing the guidance and 2017 CPRA. For many firms this will be a case of updating their implementation of CPRA. Again the focus will be on how firm’s can demonstrate they are securing customers’ interests, throughout:

  • Product and customer lifecycle;
  • Employee lifecycle and remuneration; and
  • Decision making at a Board of Directors and senior management committee level.

Protecting Consumers in Vulnerable Circumstances
Similar to securing customers’ interests, firms should clearly:

  • Define the key terms in the guidance; and
  • Their perspective and interpretation of the guidance.

 Internally, at a Board and management level, it is important that the above definitions and interpretations are agreed upon and then utilised when developing your CPC 2025 Impact Assessment and Implementation Plan. 

Challenge 2

When do you flag a customer as a consumer on your systems and when does a consumer become a customer? - Identifying the scope and impact of the new regulations on their business, from a customer, product, policy and IT systems perspective
Consumer Protection Code 2025

As outlined in the initial consultation in March 2025, the proposed enhancements to CPC generally have not changed materially compared with the final requirements. If firms were at a stage of having a mature Consumer Protection Framework from a design and operating effectiveness perspective, the existing systems and controls will require an enhancement rather than an overhaul. 

However, Regulation 116 [5] , that requires firms to, “identify in its records those customers that are consumers”.

Impact and Interpretation Required

CPC 2025, will place an increased focus on the accuracy and consistency of data governance and management within firms.

To address Regulation 116, firms will need to be clear in respect of their customer and consumer definitions and how these are applied consistently across the firm and maintained. Particularly considering that the type of relationship a firm may evolve from being a customer to consumer to former customer over a short or long period of time.

Challenge 3

Understanding the relationship between regulation and guidance in the context of consumer protection and the firm’s approach to implementation
Consumer Protection Code 2025

A positive development in the CPC 2025 is how the industry can interact with the requirements on the CBI website, it is now dynamic and interactive.

The benefit of this is that the for the first time, we have clarification as to what is regulation (R) and what is guidance (G).

However, when considering the impact of the CPC 2025 on your firm the (G) should be taken seriously and considered to be a R, than G.

Impact and Interpretation Required

As firms are now working with two distinct levels of consumer protection requirements, the G, should be treated in the context of comply or explain.

As a result documenting your interpretation of the R and G and your approach to implementing continues to be important throughout the CPC 2025 implementation project.

Many firms will already have an established consumer protection implementation project in place. Whether you have a project already in place or you are about to establish one, we can support you.

How are we working with clients?

Our financial services consulting team continues a unique blend of experience in the area of consumer protection through leading compliance functions in retail financial services firms and supporting regulatory change initiatives.

In respect of consumer protection, our team support clients through:

  • Acting as consumer protection subject matter experts to support their regulatory change initiatives. In this role, we support the regulatory change project team and assist with interpreting the consumer protection requirements.
  • Understand and identify the impact of changing consumer protection requirements by performing gap analysis and impact assessments.
  • Provide ongoing Quality Assurance support to consumer protection change projects to benchmark proposed enhancements against regulatory requirements and good practice.
  • Providing training to senior management and Boards of Directors on the consumer protection requirements.

Footnotes

1 Per Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025,  “consumer” means, subject to paragraph (4), a customer that is -

  1. A natural person,
  2. A group of natural persons, including a partnership, club, charity, trust or other unincorporated body, or
  3. An incorporated body, that is not –
  4. An incorporated body that had an annual turnover in excess of €5 million in the previous financial year, or
  5. An incorporated body that is a member of a group of companies having a combined turnover greater than €5 million.

2 Per CPC 2012, “consumer” means any of the following: a) a person or group of persons, but not an incorporated body with an annual turnover in excess of €3 million in the previous financial year (for the avoidance of doubt a group of persons includes partnerships and other unincorporated bodies such as clubs, charities and trusts, not consisting entirely of bodies corporate); or b) incorporated bodies having an annual turnover of €3 million or less in the previous financial year (provided that such body shall not be a member of a group of companies having a combined turnover greater than the said €3 million)

 3 Per Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025,  “customer” means, subject to paragraph (3) –

  1. Any person to whom a regulated entity provides or offers financial services,
  2. Any person who requests the provision of financial services from the regulated entity,
  3. A relevant borrower in a case where a regulated entity undertakes credit servicing in respect of the credit agreement concerned, or
  4. A hirer in a case where a regulated entity undertakes credit servicing in respect of the consumer-hire agreement or hire-purchase agreement concerned, and includes, where appropriate, a potential “customer” and former “customer” within the above meaning.

4 Per Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 “consumer in vulnerable circumstances” means a consumer that is a natural person and whose personal circumstances, whether permanent or temporary, make that consumer especially susceptible to harm, particularly where a regulated entity is not acting with the appropriate levels of care, and “vulnerable circumstances” shall be construed accordingly.

5 Regulation 116 of Consumer Protection Code Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025.

Contact

Contact us

+353 1 449 4400
Meet our local team
Discover our offices
Or use our contact form