Focus on Fintech: Key Themes for the Next 12 Months
What You Need to Know
The Central Bank of Ireland (“CBI”) has made clear that payment institutions (“PIs”) and e-money firms (“EMFs”) (together, “Firms”) are a top supervisory priority for the next 12 months.
This reflects the sector’s rapid growth and innovation, the increasing complexity of its operations and failures by Firms to address the CBI concerns identified in Dear CEO Letters issued to Firms in both 2021 and 2023.
The CBI has announced that it has implemented a new, more robust supervisory approach, with a strong emphasis on consumer protection, operational resilience and financial stability.
CBI Key Focus Areas
Firms should expect the CBI to focus this new supervisory capacity on the following key areas:
- Safeguarding of User Funds – the CBI continues to observe weaknesses in safeguarding arrangements, which heighten the risk that users’ funds are not appropriately identified, managed and protected on a day-to-day basis. The CBI will focus on the completion of a sectoral thematic inspection on safeguarding arrangements, the review of board attestations on safeguarded funds and the implementation of remediation actions identified in the 2023 safeguarding themed inspections.
- Governance, Risk Management, Conduct and Culture – the CBI has stressed that “it is critical that a Firm’s business ambitions do not outpace the strength of their governance, risk management and internal control arrangements” and that Firms must ensure that their boards and executives are accountable for governance, risk management and internal controls, and that these are appropriate for the scale and complexity of their operations. The CBI expects decision-making to be led from Ireland, with sufficient local resources and senior management presence to ensure effective oversight and compliance.
- Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) – the CBI has stressed that, given the nature, volume and international reach of Firms, the sector faces an inherent risk of being exploited for money laundering and terrorist financing. It has identified that some Firms’ understanding of financial crime risk and the robustness of their controls are not commensurate with the higher inherent risk exposure of the sector. Firms must invest in and maintain strong AML/CFT compliance frameworks, driven by a risk assessment tailored to their business model. The CBI will continue to engage with Firms to assess the adequacy and effectiveness of their AML/CFT frameworks and will intervene where elevated risks or breaches are identified.
- Business Model and Financial Resilience – the CBI will focus on board and executive accountability and ensure Firms: (a) have a well thought out and sustainable business plan (with robust financial projections and capital planning frameworks); (b) demonstrate appropriate governance, risk management and internal controls (including appropriate exit and wind-up strategies), as well as the operational and financial capacity to deliver their business plans, recover from shocks and absorb losses; and (c) have a continued focus on financial and operational resilience.
- Operational Resilience and Outsourcing – the sector has experienced an elevated number of major incidents and service outages, often linked to failures of outsourced service providers and weaknesses in monitoring and oversight. The CBI is focused on the implementation of the Digital Operational Resilience Act (“DORA”), which requires Firms to enhance their ICT risk management, incident reporting and resilience testing. Firms must ensure that critical and important functions outsourced to third parties are subject to robust oversight, and that the Irish entity retains ultimate responsibility for compliance.
New Regulatory Rules
Fintechs operate in a fast-changing regulatory environment where horizon scanning and being ready to implement new rules is critical to ensuring ongoing compliance. As new payment regulations and directives are soon to be implemented, the CBI will monitor Firms’ readiness for the following regulatory changes and will expect proactive engagement and transparent communication with relevant supervisors:
- Payment Services Directive 3 (“PSD3”) and Payment Services Regulation (“PSR”) – PSD3 largely deals with the authorisation and supervision of payment institutions, while PSR introduces a series of measures to: (a) increase market competition; (b) improve client protection (with a focus on combatting authorised push payment fraud); (c) enhance security and fraud prevention; and (d) streamline the regulatory framework for e-money firms.
- Instant Payments Regulation (“IPR”) – applies to payment service providers (“PSPs”) operating within the Euro-zone that send / receive instant credit transfers. By October 2025, PSPs must be able to send instant euro payments, which means addressing a variety of challenges, including verification of payees and liquidity management.
- Consumer Protection Code – this revised code, coming into effect in March 2026, will require Firms to take greater ownership of consumer protection, particularly in respect of digitalisation, effective communication, fraud prevention and support for vulnerable customers. We have previously published a dedicated update on some of the key changes.
Central Bank Supervision and Engagement
The supervisory model of the CBI is undergoing change. Among these changes is the establishment of a Payment and E-Money Institutions Supervision Division which will be responsible for overseeing compliance with regulations and maintenance of sound governance and risk management practices.
The CBI’s approach remains risk-based and is expected to be more assertive, data-driven and outcomes-focused, with a strong expectation that firms demonstrate proactive risk management, robust internal controls and a consumer-centric ethos. Firms should expect more robust supervisory contact.
Firms with outstanding risk mitigation plans or self-identified issues should ensure these are fully addressed, with supporting documentation readily available to evidence how issues have been addressed and to demonstrate board ownership and oversight. The CBI has said it will intervene where elevated risks or breaches of regulatory requirements are identified (including financial crime risk), using its full suite of supervisory and enforcement powers where necessary.
Conclusion
Given the increased focus on this sector, Firms are advised to review and strengthen their frameworks in the areas of safeguarding, outsourcing / operational resilience, governance, risk management, conduct and culture, and AML/CFT (and financial sanctions), and to expect increased regulatory supervisory engagement. Firms should also ensure they have addressed any findings from the previously issued Dear CEO Letters and, if not, close any outstanding gaps as a matter of priority.
How we can Help
Our dedicated Irish Financial Services Regulatory Group offers the full range of services to Fintech clients, including advice on M&A and capital raising; establishment, authorisation and change of control services; ongoing compliance support and assurance; error reporting and guidance through supervisory and enforcement processes with the Central Bank; advice in relation to corporate governance, conduct and culture and compliance with the regulatory regime applicable to payment and e-money firms; and assistance, guidance and advice through risk mitigation programmes. Full details of the services we provide are available on our website and in our Irish Financial Services Regulatory and FinTech brochures.
If you would like further information, please liaise with your usual Maples Group contact or the persons on this page.