Consumer Protection Code 2025 – Application to MiFID Firms

New Consumer Protection Code

Following a comprehensive review of the Consumer Protection Code, the Central Bank of Ireland (the “Central Bank”) published the Consumer Protection Code 2025, together with a feedback statement which outlines the rationale for the approach adopted by the Central Bank in updating the Consumer Protection Code.

The revised Consumer Protection Code comprises the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 (the “Consumer Protection Regulations”) and the Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 (the “Standards for Business Regulations”) (together, the “Revised Code”). The Central Bank has also published the following guidance to support firms in complying with their obligations under the Consumer Protection Regulations and the Standards for Business Regulations. These include:

(a) General Guidance on the Consumer Protection Code;

(b) Guidance on Securing Customer’s Interests; and

(c) Guidance on Protecting Consumers in Vulnerable Circumstances.

The Revised Code will take effect on 24 March 2026 following a 12-month implementation period. Until then, the existing Consumer Protection Code 2012 continues to apply to regulated firms.

Application of Consumer Protection Code to MiFID Firms

Pursuant to Regulation 2(2) of the Standards for Business Regulations and Regulation 15 of the Consumer Protection Regulations, the Revised Code does not apply to firms who engage in any service or activity set out in Schedule 1 of the European Union (Markets in Financial Instruments) Regulations 2017 (the “MiFID Regulations”), but not including any service or activity of a person to whom such Regulations do not apply by virtue of Regulation 4(3) of the MiFID Regulations (“MiFID Firms”).

However, paragraph 1.4.3 of the Guidance on Securing Customer’s Interests provides that the Central Bank expects “firms providing MiFID services to consider and apply this guidance in the context of fulfilling their obligation to “act honestly, fairly and professionally in accordance with the best interests of [their] clients” in accordance with Regulation 31 of the MiFID Regulations”.

Similarly, paragraph 1.4.2 of the Guidance on Protecting Consumers in Vulnerable Circumstances provides that “the guidance, direction and learning for firms set out in this Guidance on Protecting Consumers in Vulnerable Circumstances should also be considered by firms when providing MiFID services and crowdfunding services, where it explains how firms can act in the best interests of consumers in vulnerable circumstances.”

Securing the Customer’s Interests

As set out above, the Central Bank expects MiFID Firms to consider and apply the Guidance on Securing Customer’s Interests when providing MiFID services to their clients in accordance with their obligations under Regulation 31 of the MiFID Regulations. Under the Guidance on Securing Customer’s Interests, to secure customer’s interests means to ensure that as a firm pursues its commercial interest, it does so in a manner that is cognisant of the best interest of its customers. Some of ways in which a MiFID Firm can secure its customer’s interests include:

(a) ensuring that its culture, strategy, business model, decision-making, systems, controls, policies, processes and procedures take into account its customers’ interests;

(b) acting in accordance with the reasonable expectations of its customers;

(c) taking into account the interests of its customers when designing products and services, and the methods of delivery;

(d) ensuring that its products and services are not designed to unfairly exploit the behaviours, habits, preferences or biases of customers leading to customer detriment;

(e) resolving any complaints received from customers efficiently, fairly and in a timely manner;

(f) resolving errors and mistakes affecting customers efficiently, fairly and in a timely manner, and disclosing errors or mistakes to customers affected in a timely manner;

(g) ensuring errors and mistakes identified for one customer that may reasonably have affected other customers are resolved for all affected customers efficiently, fairly and in a timely manner;

(h) clearly distinguishing for customers between the entity’s regulated activities and its unregulated activities including by taking all appropriate steps to mitigate the risk that a customer will understand an activity to be, or to carry the protections of, a regulated activity where this is not the case; and

(i) delivering fair outcomes for customers.

Whilst the obligation to secure customer’s interest under the Standards for Business Regulations and the Consumer Protection Regulations applies to in-scope firms when dealing with consumers alone¹, in the context of MiFID firms, this obligation seems to apply generally to MiFID Firms when dealing with their clients² (whether or not they could be classified as a consumer under the Revised Code) in the context of their obligations under Regulation 31 of the MiFID Regulations ie the obligation to act honestly, fairly and professionally in accordance with the best interest of their clients.

However, the Central Bank in its Guidance on Securing Customer’s Interest recognized that consumer protection requirements could be unduly burdensome and costly and notes that a firm’s approach to securing the customer’s interests should be proportionate and should reflect the nature of its business, the profile of its customer base and the products and services it provides.

Further, the Guidance on Securing Customer’s Interest notes that this obligation to secure customer’s interests does not mean that that individual customers will always achieve positive outcomes or will always be protected from poor outcomes. It does not also impose an open-ended duty that goes beyond the scope of the firm’s role and its ability to determine or influence customer outcomes or protect customers from all potential harms. For instance, firms are not expected to protect customers from risks inherent to a product, such as the counterparty risk associated with an investment product. It is not also the role of a firm to step in or override a customer’s decision, even where it believes this to be a bad decision.

Rather, firms should be satisfied they have complied with all their obligations, including relevant suitability requirements, and have confidence, to the extent they can, taking account of the nature of the relationship (e.g. advisory vs execution only), that the customer understands and accepts the risks associated with their decision.

Protecting Consumers in Vulnerable Circumstances

As set out above, the Central Bank expects MiFID Firms to consider the guidance, direction and learning for firms set out in the Guidance on Protecting Consumers in Vulnerable Circumstances when providing MiFID services to their clients.

Under the Guidance on Protecting Consumers in Vulnerable Circumstances, while firms are not expected to be able to identify all consumers in vulnerable circumstances³, or to categorise or label consumers as such, firms are expected to understand and take account of the drivers of vulnerability that are relevant to their business, and to design their systems, processes and procedures so that consumers in vulnerable circumstances are reasonably protected.

Pursuant to the Guidance on Protecting Consumers in Vulnerable Circumstances, the following are some of the Central Bank’s expectations in this regard:

(a) a firm’s directors and senior management should ensure that securing the fair treatment of consumers in vulnerable circumstances is embedded as part of a consumer-focused culture throughout the firm’s operations and processes;

(b) consideration of vulnerability should influence the design of a firm’s products, policies and processes and should be reflected in all aspects of the customer journey;

(c) staff should be enabled and encouraged to identify how they can reduce the potential for harm to consumers in vulnerable circumstances;

(d) firms that distribute products via a digital platform should consider the potential differences in consumers’ understanding and capability to use such digital platforms;

(e) firms should ensure that complaints mechanisms and procedures take account of the fact that consumers in vulnerable circumstances may be particularly deterred by complex or difficult processes or procedures for complaining to the firm;

(f) firms should provide a customer identified as being vulnerable with reasonable assistance in order to facilitate the customer in their dealings with the firm; and

(g) record relevant information on vulnerability in an appropriate way that is accessible by other staff who may need it in the context of the ongoing customer relationship.

It should be noted, however, that the Central Bank does not expect MiFID Firms to comply with the Trusted Contact Persons requirements and training requirements in respect of vulnerable consumers as set out in the Consumer Protection Regulations.

What can my business or organisation do now?

Steps should be taken to ensure that you are prepared for the Revised Code. MiFID Firms should take action now to ensure that they can apply the Central Bank’s Guidance on Securing Customer’s Interests in the context of fulfilling their obligation to “act honestly, fairly and professionally in accordance with the best interests of [their] clients” in accordance with Regulation 31 of the MiFID Regulations. Similarly, MiFID Firms should consider and factor in the Central Bank’s Guidance on Protecting Consumers in Vulnerable Circumstances into their policies and procedures. In order to ensure that MiFID Firms do not fall foul of these expectations, steps should be taken now by MiFID Firms. Please discuss with your usual contact in McCann FitzGerald LLP or any of the contacts below as to how we can assist with this process.