YEARBOOK & DIRECTORY
Finance Dublin Yearbook 2025
The 2025 Consumer Protection Code – what has changed and why it matters
The 2025 Consumer Protection Code (CPC) is a major landmark body of regulatory guidance that updates the CPC of 2012 introduced in Ireland in the wake of the Great Financial Crisis. Its philosophical approach, key provisions, and the changes it fosters are described by KIAN CAULWELL, Partner and Head of Financial Services Consulting at Forvis Mazars.
On 24 March 2025, the Central Bank of Ireland (CBI) completed its long-awaited review of the Consumer Protection Code 2012 (CPC 2012). The result is a package of new regulations and guidance that together comprise a modernised framework for protecting financial services consumers in Ireland.
The Central Bank has now published:
• CP158 Feedback Statement on the Consumer Protection Code
• Consumer Protection Regulations 2025
• Standards for Business Regulations 2025
• Guidance on Securing Customers’ Interests
• Guidance on Protecting Consumers in Vulnerable Circumstances
• General Guidance on the Consumer Protection Code
This update aims to strengthen consumer protections while giving financial firms flexibility in how they apply the rules. The final documents are largely in line with the draft version published in March 2024, with some refinements following public consultation and firms had until 24 March 2026 to comply with the new requirements. The focus shifted to assessing how the changes affect their current systems, policies, and day-to-day operations.
Why it matters
At its core, CPC 2025 sets out how regulated financial firms should act to protect consumers. It introduces broader definitions of who qualifies as a consumer and a customer, strengthens expectations around how firms treat those in vulnerable circumstances and brings a renewed focus on securing customer interests across all areas of a firm’s operations.
While the Code is aimed at firms, the intended outcome is better protection for the public: clearer information, fairer treatment and stronger accountability.
A principles-led approach
Unlike the Financial Conduct Authority’s (FCA) Consumer Duty in the UK – which is highly prescriptive – CPC 2025 maintains a principles-led approach. The Central Bank deliberately avoided a “tick-box” model, instead giving firms discretion to tailor their implementation to their business model and customer base.
This flexibility is welcome but brings with it added responsibility. Firms will need to carefully document how they interpret and apply the rules, particularly in areas where terms are undefined or left open to judgement. Missteps or unclear decision-making could lead to regulatory issues further down the line – sometimes years after the fact.
Key implementation challenges
Below are some of the key challenges that firms must now navigate as they implement the new framework:
1. Defining key terms
A central challenge in CPC 2025 is interpreting and applying key terms that are not defined consistently across the documents. For example:
• The definition of consumer is broader than in CPC 2012 and captures a wider group of individuals.
• For the first time, a definition of customer is provided – but it varies slightly between documents. In some cases, customer is synonymous with consumer, while in others it is broader.
• Other terms – like users and clients – are referenced in the guidance but remain undefined.
Firms must decide how to apply these terms consistently across their business and ensure these definitions are understood and used correctly in all internal systems, policies, and training materials.
2. Protecting consumers in vulnerable circumstances
The new regulations place a clear emphasis on the fair treatment of consumers in vulnerable circumstances. While the Code provides a definition, it does not prescribe what fair treatment looks like in practice.
This means each firm must determine how to:
• Identify consumers in vulnerable circumstances.
• Define what appropriate or fair treatment means.
• Document how these decisions are applied in areas such as communications, complaints handling and product design.
3. Securing customers’ interests
Firms are expected to act in customers’ interests throughout the entire lifecycle of the relationship. This includes not only the design and distribution of products but also how staff are incentivised, how decisions are made at Board level, and how customer needs are considered over time.
Again, while the guidance sets out areas for consideration, it does not mandate a single way to comply. This increases the importance of firms clearly documenting:
• Their interpretation of “securing customers’ interests”.
• Their approach to implementation across governance, remuneration and customer interaction.
• Any updates to their existing Consumer Protection Risk Assessment (CPRA) frameworks.
4. Capturing customer status accurately
A new regulatory requirement (Regulation 116) states that firms must identify in their records which customers are considered consumers. This seemingly simple requirement will have practical consequences for IT systems, data management and front-line processes.
Firms will need to define when a consumer becomes a customer, how these statuses change over time (e.g., potential customer, current customer, former customer), and how to capture this accurately and consistently.
5. Understanding regulation vs guidance
For the first time, the Central Bank’s website presents CPC 2025 in an interactive format that clearly distinguishes between:
• Regulations (R), which are legally binding.
• Guidance (G), which is not legally binding but is expected to be followed unless the firm has a sound, documented reason not to.
This introduces a “comply or explain” expectation. Firms should not treat the guidance as optional. Instead, they must decide whether to follow it or take a different approach – and in either case, maintain a clear record of their rationale.
What should firms do now?
Many firms will already have consumer protection initiatives underway. For others, this may be the starting point. Either way, the following actions are critical:
• Perform a detailed impact assessment: Map the requirements against your existing frameworks.
• Define and agree on internal interpretations: Especially around customer status and key terms.
• Update systems and controls: Including training, communications, data management, and governance.
• Document everything: Your decisions during implementation may be scrutinised years from now.
Looking ahead
The modernised Consumer Protection Code marks a significant step forward in how financial services firms must protect consumers in Ireland. For the public, it promises stronger safeguards and clearer accountability. For firms, it presents both a challenge and an opportunity – to build trust, demonstrate fairness and strengthen their customer relationships.
The Central Bank has now published:
• CP158 Feedback Statement on the Consumer Protection Code
• Consumer Protection Regulations 2025
• Standards for Business Regulations 2025
• Guidance on Securing Customers’ Interests
• Guidance on Protecting Consumers in Vulnerable Circumstances
• General Guidance on the Consumer Protection Code
This update aims to strengthen consumer protections while giving financial firms flexibility in how they apply the rules. The final documents are largely in line with the draft version published in March 2024, with some refinements following public consultation and firms had until 24 March 2026 to comply with the new requirements. The focus shifted to assessing how the changes affect their current systems, policies, and day-to-day operations.
Kian Caulwell: "this flexibility is welcome but brings with it added responsibility".
Why it matters
At its core, CPC 2025 sets out how regulated financial firms should act to protect consumers. It introduces broader definitions of who qualifies as a consumer and a customer, strengthens expectations around how firms treat those in vulnerable circumstances and brings a renewed focus on securing customer interests across all areas of a firm’s operations.
While the Code is aimed at firms, the intended outcome is better protection for the public: clearer information, fairer treatment and stronger accountability.
A principles-led approach
Unlike the Financial Conduct Authority’s (FCA) Consumer Duty in the UK – which is highly prescriptive – CPC 2025 maintains a principles-led approach. The Central Bank deliberately avoided a “tick-box” model, instead giving firms discretion to tailor their implementation to their business model and customer base.
This flexibility is welcome but brings with it added responsibility. Firms will need to carefully document how they interpret and apply the rules, particularly in areas where terms are undefined or left open to judgement. Missteps or unclear decision-making could lead to regulatory issues further down the line – sometimes years after the fact.
Key implementation challenges
Below are some of the key challenges that firms must now navigate as they implement the new framework:
1. Defining key terms
A central challenge in CPC 2025 is interpreting and applying key terms that are not defined consistently across the documents. For example:
• The definition of consumer is broader than in CPC 2012 and captures a wider group of individuals.
• For the first time, a definition of customer is provided – but it varies slightly between documents. In some cases, customer is synonymous with consumer, while in others it is broader.
• Other terms – like users and clients – are referenced in the guidance but remain undefined.
Firms must decide how to apply these terms consistently across their business and ensure these definitions are understood and used correctly in all internal systems, policies, and training materials.
Unlike the Financial Conduct Authority’s (FCA) Consumer Duty in the UK – which is highly prescriptive – CPC 2025 maintains a principles-led approach. The Central Bank deliberately avoided a “tick-box” model, instead giving firms discretion to tailor their implementation to their business model and customer base.
2. Protecting consumers in vulnerable circumstances
The new regulations place a clear emphasis on the fair treatment of consumers in vulnerable circumstances. While the Code provides a definition, it does not prescribe what fair treatment looks like in practice.
This means each firm must determine how to:
• Identify consumers in vulnerable circumstances.
• Define what appropriate or fair treatment means.
• Document how these decisions are applied in areas such as communications, complaints handling and product design.
3. Securing customers’ interests
Firms are expected to act in customers’ interests throughout the entire lifecycle of the relationship. This includes not only the design and distribution of products but also how staff are incentivised, how decisions are made at Board level, and how customer needs are considered over time.
Again, while the guidance sets out areas for consideration, it does not mandate a single way to comply. This increases the importance of firms clearly documenting:
• Their interpretation of “securing customers’ interests”.
• Their approach to implementation across governance, remuneration and customer interaction.
• Any updates to their existing Consumer Protection Risk Assessment (CPRA) frameworks.
4. Capturing customer status accurately
A new regulatory requirement (Regulation 116) states that firms must identify in their records which customers are considered consumers. This seemingly simple requirement will have practical consequences for IT systems, data management and front-line processes.
Firms will need to define when a consumer becomes a customer, how these statuses change over time (e.g., potential customer, current customer, former customer), and how to capture this accurately and consistently.
5. Understanding regulation vs guidance
For the first time, the Central Bank’s website presents CPC 2025 in an interactive format that clearly distinguishes between:
• Regulations (R), which are legally binding.
• Guidance (G), which is not legally binding but is expected to be followed unless the firm has a sound, documented reason not to.
This introduces a “comply or explain” expectation. Firms should not treat the guidance as optional. Instead, they must decide whether to follow it or take a different approach – and in either case, maintain a clear record of their rationale.
What should firms do now?
Many firms will already have consumer protection initiatives underway. For others, this may be the starting point. Either way, the following actions are critical:
• Perform a detailed impact assessment: Map the requirements against your existing frameworks.
• Define and agree on internal interpretations: Especially around customer status and key terms.
• Update systems and controls: Including training, communications, data management, and governance.
• Document everything: Your decisions during implementation may be scrutinised years from now.
Looking ahead
The modernised Consumer Protection Code marks a significant step forward in how financial services firms must protect consumers in Ireland. For the public, it promises stronger safeguards and clearer accountability. For firms, it presents both a challenge and an opportunity – to build trust, demonstrate fairness and strengthen their customer relationships.
Kian Caulwell is a Partner and Head of Financial Services Consulting, Forvis Mazars