IRELAND Law and Practice Contributed by: Niall Esler, Shane Martin, Laura Whitson and Coleen Wegmann, Walkers
DORA and the Central Bank’s Guidance on Outsourc - ing and on Operational Resilience also set out spe - cific requirements for certain financial institutions in the context of the security of network and information systems. Other cybersecurity and criminal legislation or guidance may also be relevant. Furthermore, the technical, operational and organi - sational cybersecurity measures contained in Direc - tive (EU) 2022/255 (NIS2) are applicable to in-scope essential and important entities, which include cloud computing service providers. Data Privacy Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of their regulatory status or the services being provided. CPC 2025 On 24 March 2025, the Central Bank published the Consumer Protection Code 2025 (CPC 2025), com - prising: • the Consumer Protection Code Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 (Standards for Busi - ness Regulations); and • the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regu - lations 2025 (Consumer Protection Regulations). The new provisions came into effect on 24 March 2026. The Standards for Business Regulations set out governance, resource, risk management and con - duct standards for regulated financial service provid - ers, and the Consumer Protection Regulations set out cross-sectoral requirements and other sector-specific requirements for regulated entities providing certain financial services. Fitness and Probity (F&P) Regime The Central Bank’s F&P Regime was established under the Central Bank Reform Act 2010 and applies to persons performing certain roles in regulated finan -
cial service providers (RFSPs). It applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs include directors, chairs of the board and com - mittees, the chief executive and heads of certain internal control functions, amongst other functions. A regulated firm must not permit a person to perform a CF or PCF unless it is satisfied on reasonable grounds that the person complies with the Central Bank’s Standards of Fitness and Probity. Individual Accountability Framework and the Senior Executive Accountability Regime (SEAR) Amongst other things, the Central Bank (Individual Accountability Framework) Act 2023 (IAF Act) intro - duced a requirement for persons in CF and PCF roles in regulated firms to take any steps reasonable in the circumstances to ensure that certain prescribed con - duct standards are met. The SEAR, which imposes additional requirements on firms, applies to credit institutions, insurance under - takings and certain investment firms. 2.3 Compensation Models The permissible compensation models and disclosure requirements will depend on the type of service firms provide, their customer base and regulatory status, and the rules applicable to those services or customer types. 2.4 Variations Between the Regulation of Fintech and Legacy Players As a general rule, there is no differentiation between services provided by fintech firms or legacy players, but some regulated activities are more likely to be per - formed by fintech firms. 2.5 Regulatory Sandbox The Central Bank has established an Innovation Sand - box Programme to inform the early-stage develop - ment of selected innovative initiatives and provide regulatory advice and support to firms on their inno - vative projects. The Sandbox Programme framework comprises workshops, ongoing bespoke engagement with dedicated Sandbox Relationship Managers, and access to data platforms.
419 CHAMBERS.COM
Powered by FlippingBook