.svg)
Persistent weaknesses in governance and internal controls have led the Central Bank of Ireland (CBI) to put safeguarding of customer funds at the top of its regulatory and supervisory agenda for 2025.
In its Regulatory & Supervisory Outlook report for 2025, published in February, the CBI has emphasised that, despite improvements following supervisory interventions, payments and e-money firms still have significant deficiencies in their safeguarding arrangements.
These deficiencies include poor account reconciliation, co-mingling of funds and failures to properly designate safeguarding accounts.
For such firms, the message is clear: regulatory scrutiny is intensifying, and the CBI expects stronger safeguarding measures, improved governance structures and more robust financial crime controls to protect consumers and maintain trust in the sector.
The CBI’s intervention follows the Malta Financial Services Authority’s (MFSA) Dear CEO letter, covered by Vixio, which also highlighted safeguarding compliance deficiencies.
Although the MFSA took a more advisory tone, it also warned that many firms shifting to investment-based safeguarding struggle to meet risk assessment and liquidity requirements, increasing compliance risks.
Growth, but improvements needed
The CBI’s report highlights the strong growth of the payments and e-money sector in Ireland, with the number of authorised firms increasing to 56 at the end of 2024, up from 51 the previous year.
The value of safeguarded funds surged by 26 percent to €10.2bn, and payment transactions grew 17 percent to €613bn.
However, the CBI flagged that alongside this expansion have come heightened risks related to financial crime, operational resilience and governance weaknesses.
It warned that anti-financial crime controls remain inadequate, with firms continuing to prioritise technological growth over investment in compliance frameworks.
In addition, it noted that outsourcing risks are escalating, with firms overly reliant on a small number of third-party providers, creating potential systemic vulnerabilities.
The CBI also raised consumer protection concerns, particularly where firms offer both regulated and unregulated services, such as crypto, without clear distinctions, increasing the risk of customer confusion.
The central bank said it expects firms to maintain segregated safeguarding accounts or equivalent protections, reinforcing its zero-tolerance approach to deficiencies in this area.
It also warned that governance and accountability will be under scrutiny, and has said that supervisory efforts will assess whether boards and senior executives are properly overseeing their firms’ operations and ensuring that compliance and risk management receive adequate attention.
The fight against money laundering and financial crime is another central concern for the regulator, with ongoing assessments of firms' anti-money laundering and counter-terrorism financing (AML/CTF) risk management frameworks.
As with safeguarding, the CBI says that it has repeatedly found weaknesses in this area and has warned that it will escalate supervisory actions where firms fail to meet regulatory expectations.
Here, the Irish regulator appears to be aligned with its UK counterpart the Financial Conduct Authority (FCA).
The FCA’s recent Dear CEO letter stresses the need for improved financial crime controls and warns that weak governance is making firms vulnerable to bad actors, leading to potential loss of critical services for customers.
Risk-based, outcomes-focused supervisory approach
As part of its broader supervisory strategy, the CBI has refined its risk-based, outcomes-focused approach to better anticipate and mitigate emerging risks across the financial system.
Although financial failures cannot be entirely prevented, the regulator aims to limit their impact on consumers and financial stability through proactive oversight, data-driven risk assessments and faster intervention when necessary.
The revised framework builds on the CBI’s existing risk-based supervision model, Probability Risk and Impact System (PRISM), but incorporates a more integrated and forward-looking supervisory approach.
The regulator will adopt sectoral supervision to assess risks across different industries, with a stronger emphasis on significant firms that pose systemic risks. It also plans to escalate enforcement actions where firms fail to meet regulatory expectations.
“This new supervisory approach is an important contribution to enhancing the effectiveness of our supervisory processes so that we can continue to ensure the financial system is operating in the best interests of consumers and the wider economy,” said CBI governor Gabriel Makhlouf.
What should firms do now?
With these priorities in place, payments and e-money firms operating in Ireland should prepare for greater regulatory scrutiny in 2025.
Following the CBI’s latest report, firms licensed in the country, such as TrueLayer and Remitly, need to consider taking immediate steps to strengthen their safeguarding protocols, as well as governance and financial crime controls.
These firms need to guarantee that customer funds are properly safeguarded by keeping them in dedicated accounts or securing an approved insurance policy or guarantee.
To mitigate concentration risk, they should establish multiple safeguarding arrangements and regular reconciliation of safeguarded funds, along with maintaining accurate documentation.
Firms also need to ensure that there is awareness throughout the company, from board-level down, and prepare for scrutiny to be intensified.
Payments and e-money firms should be prepared for thematic inspections and board attestations focused on safeguarding compliance, as well as other issues.
Their policies and procedures should be aligned with upcoming regulatory changes, including the EU’s Digital Operational Resilience Act (DORA) and Instant Payments Regulations (IPR), as well as regulations still being negotiated, such as the Payment Services Regulation (PSR).
