“The Consumer Protection Code is the cornerstone of the Irish consumer protection framework. It has served consumers well, and the time has come to update the protections to support the financial system of today and into the future.”

(Derville Rowland, CBI Deputy Governor)

Key takeaways

• The CBI has released its consultation paper on the Consumer Protection Code (CP158), setting out its proposals for the development of a modernised Code and seeking feedback from stakeholders.
• Firms will be supported in meeting their existing fundamental obligation to act in the best interests of customers through introduction of an overarching, specific Securing Customers’ Interests Standard for Business, along with a range of Supporting Standards for Business and Guidance on Securing Customers’ Interests. This will be key to delivering positive and fair consumer outcomes.
• The CBI emphasises that the aim of Securing Customers’ Interests – which is a particular focus of the accompanying CBI press release and speech - is to provide firms and their customers with increased clarity and predictability on already existing requirements to support effective implementation.
• In addition, a package of new and updated protections to deal with the transformation in financial service is proposed including:
  • on fraud and scams, a new Standard for Business that will require firms to control and manage their affairs and systems to counter the risks to customers of ‘financial abuse’, complemented by Supporting Standards for Business outlining further obligations (eg to monitor financial abuse trends and ensure appropriate escalation processes where there is an increased risk);
  • specific requirements on training, reporting and disclosure, and the recognition of Trusted Contact Persons will be introduced in relation to vulnerable customers, along with new Guidance on Protecting Consumers in Vulnerable Circumstances;
  • new digitalisation requirements (and planned additional guidance) to ensure that all firms have a customer focus when designing and implementing digital services and delivery channels.
• There will be an integrated regulatory format, with existing – but updated and enhanced – requirements reflected in two new CBI regulations: the draft Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations and the draft Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Conduct of Business) Regulations.
• The revised Code will also address structural fragmentation by consolidating a number of existing CBI codes and requirements into the Code.

What do firms need to be thinking about and how can Hogan Lovells help?

• This is a comprehensive set of reform proposals which not only enhance or clarify existing requirements (eg in relation to acting in the best interests of customers) but also introduce new ones (eg in relation to tackling fraud and scams). In-scope firms will need to get to grips with what this means for their business.

• For example, in the Guidance on Securing Customers’ Interests the CBI states that it expects all firms to take the principles and learnings highlighted in each of the examples provided within the document and consider how they apply to the culture, strategy, business model, decision-making and systems, controls, policies, processes and procedures of the firm.
• Several of the CBI’s proposals echo changes already implemented or in the process of being implemented in the UK, for example the Financial Conduct Authority’s Consumer Duty and its Guidance for firms on the fair treatment of vulnerable customers.
• We have significant experience in supporting firms on related implementation projects, from undertaking initial gap analysis work, project managing and supporting the implementation of a rolling program of enhancements and operational changes.
• The combination of our legal and consulting teams provides you with a full range of services, and clear guidance on how the solutions can be applied within the business.

What’s next?

• The consultation closes on 7 June 2024. The CBI expects to publish the revised Code in early 2025 and is proposing a 12-month implementation period, so the revised Code could apply from early 2026.

Read on for a more detailed look at the Code consultation.

Background: Why was the Consumer Protection Code 2012 review needed?

In the context of the CBI’s own 2022 to 2026 Strategy, in October 2022 it announced that it was carrying out a comprehensive review of the Code and issued a discussion paper calling for feedback and views from consumers and stakeholders on key discussion topics before considering and publishing proposed revisions to the Code. The discussion paper focussed on the themes of availability and choice and firms acting in consumers’ best interests. For more on the discussion paper, take a look at our Engage article ‘Central Bank of Ireland launches review of its Consumer Protection Code 2012’. An overview of the feedback to the discussion paper was published in an Engagement Update in July 2023.

The review was required due to:

• The need to clarify firms’ fundamental customer best interests obligation: The understanding of consumer protection has evolved in response to recent developments including those arising from the tracker mortgages failure, business interruption insurance during COVID and differential pricing. A main aim of the Code review is therefore to reflect these developments to provide enhanced clarity and predictability to both firms and their customers in the CBI’s framing and explanation of the demands and limits of consumer protection. In particular, both firms and their customers are seeking increased clarity on how to ensure that the interests of customers are effectively incorporated into firms’ culture, strategy, business model and decision-making.
• The need to address structural fragmentation: The Code was developed by the CBI under section 117 of the Central Bank Act 1989 and other sectoral legislation and there has not been a substantive review of its provisions since 2012. Instead, both EU and domestic consumer protection developments have resulted in structural fragmentation across the regulatory framework, leading to a number of amending addenda being added to the Code.
• Financial services undergoing transformation not reflected in the existing Code: In wider terms, the financial services industry in Ireland has changed significantly since the previous Code review. Ongoing transformation is expected, driven by innovation and technology, climate change and the evolving expectations and needs of consumers and businesses. The CBI’s aim in relation to the financial system is to ensure that it is positioned so that consumers and the broader economy can realise the benefits of this transformation while also ensuring risk mitigation.

What are the key consultation proposals?

There is no plan to rip up the existing Code principles and requirements. Instead, these will form the basis of the revised Code. However, the requirements will be clarified and modernised to reflect the evolution in financial services as well as learnings from the CBI’s supervisory work.

Integrated regulatory format

There will be an integrated regulatory format, with existing – but updated and enhanced – requirements reflected in two new CBI regulations:

• The draft Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations, setting out Standards for Business, complemented by Supporting Standards for Business, replacing the existing General Principles of the Code, and covering:
  • Governance, resources and risk management requirements;
  • Code conduct standards including requirements for firms to secure customers’ interests, act honestly, fairly and professionally, act with due skill, care and diligence and inform customers effectively.
• The draft Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Conduct of Business) Regulations, setting out existing, enhanced and new General Requirements and covering:
  • Cross-sectoral requirements including digitalisation, informing effectively, vulnerable customers, advertising and complaints resolution; and
  • Sector specific requirements for consumer banking, credit and arrears, insurance, investments and crowdfunding.

The new regulations will be supplemented by the Guidance on Securing Customers’ Interests and Guidance on Protecting Consumers in Vulnerable Circumstances (see below), in addition to other general guidance.

The revised Code will also address structural fragmentation by consolidating a number of existing CBI codes and requirements into the Code. This includes the Code of Conduct on Mortgage Arrears (CCMA), the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Licensed Moneylenders) Regulations 2020 (High Cost Credit Providers Regulations) and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022. Annex 2 to the consultation links to a document that maps the existing codes and regulations to the draft new regulations.

Scope

The Standards for Business will apply to all regulated financial service providers, other than those providing MiFID services and crowdfunding services (which have equivalent EU regimes), and credit union savings and lending activities (although the revised Code will continue to apply to credit unions when acting as insurance intermediaries).

Similarly, the General Requirements will apply to all regulated financial service providers, other than reinsurance undertakings, firms providing MiFID services, and credit union savings and lending activities.

The Standards for Business and Supporting Standards for Business of the Code apply in respect of all of a firm’s customers (and potential customers). The Standard for Business and Supporting Standards for Business addressing Securing Customers' Interests (see below ‘Principal policy proposals’) apply to firms when doing business with individuals and small businesses, defined as customers who are natural persons, or groups of natural persons, or incorporated entities with a turnover of up to €5m (see also ‘Additional policy proposals – SME protections’ under ‘Principal policy proposals’ below). The General Requirements will apply when providing services to individuals and small businesses.

Principal policy proposals

The principal policy proposals are for a set of targeted protections reflecting how financial services are delivered today, and for proportionate requirements that recognise customer autonomy, to enhance firm ownership of consumer issues with a focus on securing customers’ interests. This includes:

• Securing Customers’ Interests: an overarching, specific Securing Customers’ Interests Standard for Business setting out – on a non-exhaustive basis - how firms should approach meeting their overall fundamental obligation to act in the best interests of their customers (while preserving customers’ decision-making autonomy), along with a range of Supporting Standards for Business and Guidance on Securing Customers’ Interests. The proposed Standards and Guidance recognise the importance of positive customer outcomes, with the CBI emphasising the need for firms to focus on delivering those outcomes for consumers in all their actions and decisions.
• Digitalisation: new digitalisation requirements (and planned additional guidance) to ensure that both incumbent firms and new entrants have a customer focus when designing and implementing digital services and delivery channels. This will include requirements on firms when using digital platforms to sell financial products and services to:
  • slow the digital transaction process to ensure review of key information by customers before decisions are executed;
  • avoid the use of certain pre-ticked boxes; and
  • provide customers with reminders of ‘cooling-off’ options,

The revised Code will also reflect recommendations of the report of the Government’s 2022 Retail Banking Review (RBR) relating to bank branch closures or withdrawals of services including increasing the minimum notice period for banks to six months where they intend to close, merge or move a branch and to four months where they intend to significantly change services in a branch.

• Informing effectively: new disclosure requirements that, rather than just requiring firms to disclose information to customers, will require them to meet their disclosure obligations in a way that informs effectively. This will include a new requirement for product producers to monitor and review customer communications to assess their effectiveness with regard to the target market, to facilitate customers’ decision-making.
• Mortgage credit and switching: a number of new and enhanced requirements in relation to mortgages, including disclosure requirements on switching options, the cost of incentives and lifetime mortgages. The CCMA will be consolidated into the Code with a number of enhancements to existing CCMA requirements. For example, a requirement to ensure firms consider an appropriate and sustainable range of Alternative Repayment Arrangements (ARAs) broad enough to meet the needs of impacted borrowers will be added to the revised Code. The CBI also plans to issue updated guidance on what it means by appropriate and sustainable within the revised Code.
• Unregulated activities: new requirements on the provision of unregulated activities by regulated firms to tackle the so-called ‘halo effect’ when regulated firms undertake unregulated activities. In addition, the Guidance on Securing Customers’ Interests includes guidance to firms on the use of branding to ensure that it doesn’t contribute to confusion on the regulatory status of products and services (including in the case of similarly branded sister companies). The new requirements will also apply to firms providing MiFID services (to which the revised Code does not otherwise apply – see ‘Scope’ above) through an amendment to the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2023.
• Fraud and scams: new requirements on fraud and scams to ensure firms are alert to the evolving risks to the system and their customers, and that they take appropriate actions to protect customers, particularly in a digital context. There will be a new Standard for Business that will require firms to control and manage their affairs and systems to counter the risks to customers of ‘financial abuse’. This is defined as any of the following:
  • the wrongful or unauthorised taking, withholding, appropriation, or use of a customer’s money, assets or property;
  • any act or omission by a person, including through the use of a power of attorney, guardianship, or any other authority regarding a customer, to:
    • obtain control, through deception, intimidation or undue influence, over the customer’s money, assets or property; or
    • wrongfully interfere with or deny the customer’s ownership, use, benefit or possession of the customer’s money, assets or property.

The Standard for Business will be supplemented by Supporting Standards for Business outlining further obligations on firms to mitigate the risks to customers of financial abuse including that they

• Put reasonable systems and controls in place;
• Monitor financial abuse trends and in particular vulnerabilities in process and distribution channels, and ensure appropriate escalation processes where there is an increased risk; and
• Communicate clearly to customers the risk of financial abuse, the supports available to customers and the actions that customers can take in the event of financial abuse, connected to the regulated entity’s product or service.

There is also a proposal to introduce a specific obligation in the Supporting Standards for Business to ensure that firms notify customers through clear and timely communication of any digital frauds or deception connected to the firm’s affairs, or specifically relevant to the sector in which the regulated financial services provider is operating, and of which it is aware.

The CBI acknowledges other ongoing EU and national work, particularly in relation to authorised push payment (APP) fraud, with reference to the EU’s Payment Services Regulation/PSD3 proposals and new Regulation on instant credit transfers in euro, as well as the Irish government’s National Payments Strategy work. For more on the National Payments Strategy, take a look at our Engage article ‘Irish government consults on a future National Payments Strategy’.

• Vulnerability: an updated definition of vulnerability and improved requirements, supported by Guidance on Protecting Consumers in Vulnerable Circumstances, to better reflect the dynamic nature of vulnerability and ensure alignment with international thinking in this area.

In the revised Code, a ‘consumer in vulnerable circumstances’ will be defined as ‘a consumer that is a natural person and whose individual circumstances make that consumer especially susceptible to harm, particularly where a regulated entity is not acting with the appropriate levels of care and ‘vulnerable circumstances’ shall be construed accordingly.’

Specific requirements on training, reporting and disclosure, and the recognition of Trusted Contact Persons will be introduced. A Trusted Contact Person will be someone who a firm may communicate with where there may be difficulty in dealing with a customer, or where financial abuse, including fraud, is suspected. The CBI notes that this initiative has already been successfully introduced in the United States and Canada, and that it received ‘significant support’ in the feedback to the 2022 discussion paper.

The CBI’s approach to vulnerability is based on an expectation of ‘reasonable steps and proportionality’. It is looking to embed an understanding of vulnerability within the operation of a firm, and to ensure that the needs of consumers in vulnerable circumstances, and a commitment to addressing these needs, is integral to a firm’s customer focus.

The draft vulnerability Guidance outlines how the proposed requirements align with those under the existing Assisted Decision-Making (Capacity) Act 2015.

• Climate: new suitability and advertising requirements for firms on product sustainability features to tackle greenwashing risks alongside broader, existing EU climate-related requirements including ongoing implementation of the Sustainable Finance Disclosures Regulation, the Taxonomy Regulation and work being undertaken by the European Supervisory Authorities. The Guidance on Securing Customers’ Interests also sets out the CBI’s broader expectations of firms when providing ‘green’ or ‘sustainable’ products and services to customers.
• Additional policy proposals: a number of new and enhanced requirements in the areas of:
  • Consumer credit: The CBI is proposing that the revised Code will apply in full to Buy-Now Pay-Later agreements (BNPL), Hire Purchase agreements (HP), Personal Contract Plans (PCP) and consumer hire agreements, which is a departure from the previous limited application of the Code to these products. Following research on BNPL in 2023, this year the CBI is planning to carry out further consumer-based research and study of indirect credit products to establish if additional requirements might be needed to enhance consumer awareness and protection. As mentioned above (see ‘Integrated regulatory format’), the CBI also highlights that it will consolidate the High Cost Credit Providers Regulations within the revised Code.
  • SME protections: The RBR recommended that the CBI review and amend the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (SME Regulations) to take account of legislative changes and developments in the Code. The CBI proposes to carry across the approach to the scope of application in the existing Code to the revised Code through the application of the Standards for Business to all customers that the regulated firm does business with including all SMEs. The Standard for Business and Supporting Standards for Business on securing customers' interests will apply to firms when doing business with individuals and small businesses.

Also, to ensure that a similar population of small businesses benefit from the protections of the Code to the firms that were protected when the Code was introduced in 2006, the CBI is proposing to update the threshold in the definition of consumer under the revised Code to apply the General Requirements to small businesses, to include incorporated bodies with an annual turnover of less than €5m per annum (currently €3m). See also ‘More changes to come…’ (below) on plans to consolidate the SME Regulations into the revised Code.

• • Insurance: Explicit opt-in for automatic renewal will apply in respect of gadget insurance, travel insurance, dental insurance and pet insurance policies. There will be no change to automatic renewal arrangements for motor, home, and health insurance. However, in all cases consumers can choose to opt-out of automatic renewal at any time. In relation to switching, as well as the ‘renewal notice’ currently issued to holders of non-life insurance policies 20 days in advance of their renewal date, an additional ‘pre-renewal’ notification will now be required for consumers a further 20 days before issuing of the ‘renewal notice’. The CBI will also consider whether research to understand barriers to health insurance switching is needed.
  • Investments and pensions: Strengthening of current Code requirements so that firms inform their customers of the importance of considering the ongoing suitability of investment and pensions products for their needs at the point of sale, and in annual statements. In particular, where the firm does not provide ongoing suitability assessments, it will be required to explain the reasons for this to the customer.

A range of ‘miscellaneous’ modifications and enhancements to current requirements are also proposed, designed to contribute to the modernisation of the Code and assist with effective implementation. These include enhancements relating to the handling of errors and complaints, and record keeping.

Interaction with Individual Accountability Framework (IAF)

Regarding the interaction of the Code and the IAF, the CBI explains that the application of individual conduct standards under the IAF aligns with the Code’s conduct-related Standards for Business by ensuring that the behaviour and actions of the individuals working in firms contributes to firms’ adherence to their obligations under the Code.

Increased accessibility

The modernised Code will also be made more accessible, with new digital tools, explainers and guides including a planned Consumers’ Guide to the Consumer Protection Code.

International influence

The proposals have also been guided by international best practice including the G20/OECD High Level Principles on Financial Consumer Protection (G20/OECD Principles) which have recently been reviewed and updated to introduce new principles in relation to access and inclusion and the quality of financial products, as well as new cross-cutting themes relating to digitalisation, sustainable finance and financial well-being.

Next steps

The consultation closes on 7 June 2024. The CBI expects to publish the revised Code in early 2025 with a feedback statement. It is proposing a 12-month implementation period from the date of publication of the final revised Code, which will be underpinned by guidance and other supporting material to assist firms with ongoing implementation. This means that the new Code could apply from early 2026.

If you would like to discuss this development and how we can help, please get in touch with one of the people listed above or your usual Hogan Lovells contact.

More changes to come…

Once the revised Code is finalised, the CBI will continue to consider further enhancements in a number of specific areas, including in response to ongoing national and EU legislative developments, eg anticipated access to cash changes, the National Payments Strategy, the EU Retail Investment Strategy, the EU MiCA Regulation and changes to the EU payment services framework.

There will also be a consideration in due course of the full application of the revised Code to credit unions, which will be carried out in conjunction with further work to consolidate the SME Regulations into the Code.

In addition, there are plans for further work in a number of areas highlighted in the RBR recommendations, which will include further work on payment account switching.