The Central Bank has announced the launch of its new Consumer Protection Risk Assessment model (the Model) and published a Guide to Consumer. The Central Bank had signalled the imminent launch of the Model in its Consumer Protection (see our February 2017 Client Briefing here).


Banks, non-bank lenders, insurance undertakings, investment firms, large retail intermediaries, payment institutions and e-money institutions.


Importance of a strong risk management framework

The Model is part of the Central Bank's work in the area of promoting strong risk management frameworks for regulated firms that deal with consumers. From now on, when it carries out a consumer protection risk assessment (a CPRA), the Central Bank will use the Model

as a benchmark for assessing how consumer protection risk is being managed by the relevant regulated firm. The Central Bank's supervisors will examine how the firm is dealing with particular risks by reference to the relevant elements of the Model

(see below for further details).

Intrusive supervision

The Model heralds more intrusive supervision by the Central Bank for regulated firms in the area of consumer protection risk management. When carrying out a CPRA by reference to the Model, the Central Bank will attend board meetings and committee meetings in an observer capacity, test systems and controls, interview staff from all relevant business areas and review policies and procedures.


The Model was successfully tested, on a pilot basis, on certain banks, insurance companies and investment firms in 2016. It will be used in 2017 in targeted assessments of regulated firms across retail sectors, with a particular focus on culture, performance management, sales incentives and product governance. It will not replace thematic inspections, and the Central Bank will continue to engage with regulated firms to ensure a focus on cultural change at the highest levels in those organisations.


The Model is divided into five sections (known as modules):

  • governance and controls: this module considers whether the firm's organisational structure can effectively identify and manage risks to consumer protection. It covers board and management committees, strategy, risk appetite and risk management, controls, consumer monitoring and consumer reporting;
  • people and culture: this module considers what structures the firm has in place to promote consumer-focused attitudes and hold staff accountable for their behaviour. Emphasis is given to the setting of examples by management, and to training and internal communications;
  • product development: clear, fair and non- misleading marketing and advertising is a key focus area of this module, as are product governance and product distribution;
  • sales/transaction process: this module focuses on the quality of this process with a view to ensuring that management information is sufficient to ensure that the outcome for consumers is fair; and
  • post-sales handling: again, quality assurance and the sufficiency of management information are key focus areas.

Each module is comprised of a number of different elements, and each of those elements is linked to a particular consumer protection risk. When the Central Bank carries out a CPRA, it will likely concentrate on a particular module or modules, or specific elements of one or more modules, depending on the business model of the relevant regulated firm.


Advance notice

If the Central Bank plans to carry out a CPRA on a regulated firm, it will formally notify the firm of when this will happen, the expected duration of the CPRA and any documents and information that it may need. Notice of meetings that it plans to observe, and details of staff that it would like to interview, will also be provided in advance.


The CPRA will generally last between two days and one week but could be longer depending on its scope.


The CPRA will examine how the firm is identifying and managing risks to consumers. It will look behind the scenes, rather than focusing only on the engagement between the regulated firm and the consumer, to assess how the risk of adverse outcomes can be reduced.

When the Central Bank carries out a CPRA, it will do so in two stages. Its design review will look at how the controls in place to reduce risk are designed. Its effectiveness review will then look at whether those controls are effective.


On concluding a CPRA, the Central Bank will rate each relevant element, and record it (together with a written explanation of the rating) on the Central Bank's PRISM system. Those ratings are expected to be particularly important in identifying trends.

Formal feedback and risk ratings will be provided to the firm once the CPRA has been completed.

If the Central Bank identifies unacceptable risks, it will impose a remediation programme on the firm and, depending on the nature of the risks involved, may also use other regulatory powers at its disposal.


Implement a consumer protection risk management framework

The Central Bank expects each firm to develop and embed a consumer protection risk management framework that is fit for purpose and identifies the risks posed to consumer protection by the market within which the firm operates, its strategy, its business model and its internal procedures.

A firm's consumer protection risk management framework need not be a stand-alone framework. Instead, the Central Bank's preference is that the framework forms part of the firm's wider risk management and internal control framework.

Align with the Model

The Central Bank expects that those risk management frameworks will ultimately be aligned with the Model set out in the CPRA Guide. Boards and senior management are expected to prioritise their responsibilities in relation to the management of consumer risk.

Action points for firms

In developing a consumer protection risk management framework, the Central Bank expects firms to:

  • identify risks to consumerprotection posed by the firm's business;
  • set out the firm's risk appetite in the area of consumer protection;
  • document the governance, systems and controls that will manage and reduce consumer protection risks;
  • promote awareness of consumer protection within the firm;
  • allocate ownership and accountability for consumer protection risks;
  • monitor consumer protection risks;
  • put in place a specific Consumer Protection Policy;
  • set up a Consumer Protection Committee, or allocate responsibility for consumer protection to another governance structure within the firm;
  • appoint a Head of Consumer Protection/Conduct or allocate responsibility for consumer protection to one or more other existing roles;
  • regularly monitor management information;
  • regularly monitor consumer outcomes; and
  • regularly monitor and test controls through its internal audit function, or through its compliance and risk management function.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.