ARTICLE
6 March 2026

Central Bank 2026 Regulatory And Supervisory Outlook – Banking

WF
William Fry

Contributor

William Fry logo
William Fry is a leading corporate law firm in Ireland, with over 350 legal and tax professionals and more than 500 staff. The firm's client-focused service combines technical excellence with commercial awareness and a practical, constructive approach to business issues. The firm advices leading domestic and international corporations, financial institutions and government organisations. It regularly acts on complex, multi-jurisdictional transactions and commercial disputes.
Explore Firm Details
On 26 February 2026, the Central Bank of Ireland (Central Bank) published its 2026 Regulatory and Supervisory Outlook (RSO) report...
Ireland Finance and Banking
Shane Kelleher,Louise McNabola, and Jane Balfe
Your Author LinkedIn Connections
Shane Kelleher’s articles from William Fry are most popular:
  • with readers working within the Securities & Investment industries
William Fry are most popular:
  • within Environment, Insolvency/Bankruptcy/Re-Structuring and Transport topic(s)

On 26 February 2026, the Central Bank of Ireland (Central Bank) published its 2026 Regulatory and Supervisory Outlook (RSO) report, outlining its perspectives on the key trends and risks shaping the financial sector and its supervisory priorities for the year ahead.

For further information on the Financial Regulation Priorities 2026, the global and domestic risk environment, risk themes and related drivers and supervisory priorities, please see our related article here and for other sector specific information in the RSO please refer to our knowledge page on the William Fry website.

Sectoral Focus – Banking

In our sector specific articles, trends, risks and vulnerabilities are considered from a sectoral perspective in line with the Central Bank’s supervisory approach. In this article we consider the banking sector.

Focus Area 1: Business model and strategy

The domestic and international banking sector is evolving and growing strongly because of new entrants, the expansion of business activities and the arrival of cross-border providers from other EEA member states. Article 21c of the Capital Requirements Directive (CRD6), which contains new third country branch provisions operative in January 2027, will result in new entrants to the Irish banking sector and material business transformations for some existing operations.

For further information on CRD6, please see our articles here and here.

The rapidly evolving payments ecosystem is bringing benefits for consumers and banks but also challenges. As incumbent players adapt and transform legacy IT platforms and new entrants seek to grow, each must

ensure that their change management, governance and financial arrangements keep pace with the complexity of their operations and the risks they take on.

For further information on PSD3/PSR, please see our article here.

It is important that the strategies and plans of new entrants and incumbents have the interests of customers as a focal point and that firms have the financial and operational resources to deliver them safely.

Both established and new providers should prioritise consumer interests (including those in vulnerable circumstances) throughout any changes to existing products and services, the introduction of new ones and in how these are delivered and serviced.

The main planned activities relating to this supervisory focus area in 2026 are:

  • Reviews of banks’ corporate strategy setting, alignment with risk appetite and the credibility of the underlying assumptions.
  • Assessments of banks’ strategies given the evolution in payments, the National Payments Strategy, access to cash requirements, roll-out of P2P payments (e.g. Zippay), digital euro, stablecoins and tokenisation. with a targeted engagement depending on the nature, scale and complexity of any impacts.
  • Assessment of the impact of CRD6 Article 21c  on banks’ balance sheets. Supervisors will undertake tailored engagements with impacted banks depending on the nature, scale and complexity of any impact.
  • Assessment of new bank licence applications  in collaboration with the European Central Bank (ECB) as part of the Single Supervisory Mechanism (SSM).
  • Assessment of bank-specific growth strategies and/or new business lines  to understand growth ambitions and if they appropriately consider consumer and investor interests and are underpinned by effective governance and risk management arrangements and operational and financial capacity.

Focus Area 2: Treatment of customers

The Central Bank continues to see instances where actual harm or the heightened risk of harm arises because customers’ interests are not being fully embedded in board-level and day-to-day decision-making manifesting in poor customer service and errors, unclear customer information, or the failure to properly identify customers in vulnerable circumstances and treat them appropriately. Poor governance and oversight are often a root cause of these issues and banks need to prioritise reviewing and ensuring products are suitable for their customers and proactively engaging with borrowers in or facing arrears.

During times of business and operational change, moving from in-person to digital or remote service provision, strong governance and appropriate oversight are essential. The obligations banks have under the updated Consumer Protection Code, the Access to Cash regime and the Individual Accountability Framework, if properly embedded, are designed to help mitigate these risks, but ultimately it is the culture within the bank that is the key mitigant.

The main planned activities relating to this supervisory focus area in 2026/2027 include:

  • Cross-sectoral review of how banks are carrying out root cause analysis of errors  and applying learnings to their wider product and service suite.
  • Thematic review of the sale of products via banking apps  with a focus on how banks identify and mitigate risk to consumers on a sample of products sold.
  • Cross-sectoral thematic review of customer service standards  including, in the banking and lending sector, a review of the impact on customer service of supervisory actions arising from previous conduct-related thematic reviews.
  • Cross-sectoral thematic reviews on how customers are being informed  effectively and the treatment of customers in vulnerable circumstances.
  • Review of how banks are securing customers’ interests in the operation of current accounts.
  • Enhancing Central Bank data to support retail conduct supervision, including enhancing the conduct of business return  and data on areas of elevated risk such as fraud.
  • Cross-sectoral thematic review of BNPL arrangements.
  • Cross-sectoral thematic review of mortgage lending  to include an analysis of credit, loan origination and risks to borrowers (including monitoring for early signs of over-indebtedness or distress).

Focus Area 3: Operational and cyber resilience

Banks’ growing use of technology to deliver services and to improve efficiency, together with the sector’s pivotal role in the economy, increase their risk exposure to operational outages and malicious cyber-attacks. Examples of risks cited by the Central Bank are growing dependencies on third-party service providers and the rise in cyber threat levels via reported bank-related rise in distributed denial of service (DDoS) attacks.

Banks must have effective ICT and operational risk management frameworks and executable contingency plans in place to cover both their own operations and those delivered by their outsourced service providers (including those on which their key outsourced service providers rely).

The sector’s growing dependence on digital channels to deliver services to customers is placing increasing demands on banks’ capacity to manage significant and complex IT change programmes. Banks must also consider the impact on their customers, be timely and clear in their communications and remediate promptly and appropriately.

The main planned activities relating to this supervisory focus area in 2026 include:

  • For significant institutions:
    • Targeted follow-up on remediation strategies  for those banks that report material shortcomings in ICT security/cyber-security resilience  and ICT outsourcing.
    • On-site inspection campaigns on cyber security management  and third-party risk management, in line with the new DORA
    • Threat-led penetration testing  to identify banks’ vulnerabilities and improve their cybersecurity resilience.
    • Targeted review of ICT change management.
    • Deep dive into banks’ dependency on cloud service providers  to assess their preparedness for potential service disruptions.
  • Firm-specific follow up from the 2025 thematic review on operational resilience  for international LSIs.
  • Supervisory assessment of cyber resilience remediation programmes.
  • Tracking remediation of outsourcing deficiencies  identified in previous reviews.
  • Continued engagement with banks and interventions where outages  occur, including focus on communications, customer service and customers in vulnerable circumstances.
  • Continued work with industry and government to establish a collective action approach to system-wide operational resilience  for payment services (including cash).

Focus Area 4: Financial resilience

The banking sector has demonstrated financial resilience against a challenging economic backdrop and increased competition from the non-banking sector and specialist providers. Domestic banks’ profitability is supported by interest income, increased income diversification and a deposit base that is currently very stable. Asset quality has, on aggregate, been maintained. International banks’ profitability has benefited from an environment that is supportive of their primarily cross-border wholesale activities such as corporate and investment lending, markets and treasury trading, structured finance and securitisation.

Sustained financial resilience requires banks to ensure that their capital and liquidity management is aligned to their risk exposures, appropriately calibrated and sufficiently risk sensitive. Banks need to adopt prudent risk-taking and sound underwriting standards recognising the uncertainties of the external environment. This requires a forward-looking perspective with the use of scenario analysis to consider in a structured way the implications of different possible futures.

The effects of climate change are affecting banks and their customers through their impact on credit lines or the value of real assets exposed to physical and transition risks in Ireland and overseas. While crystallised physical risks, are more visible, the second-round effects – such as disruptions to supply chains, reduced economic activity, input price increases, or increased credit defaults – are less well understood. Some banks have made material progress on embedding the assessment and the management of short, medium and long-term risks stemming from the climate and nature crises into their risk management frameworks in a way that is commensurate with the risks they face, but others need to keep building on progress to date.

Sound financial management can be undermined if deficient data management and reporting capabilities hamper a bank’s ability to monitor and manage risks across the business. The weaknesses the Central Bank sees in some banks’ Risk Data Aggregation and Reporting Requirements (RDARR) frameworks can impede a holistic view of individual and total risk exposures. As the use of more sophisticated models to support decision making increases and AI capabilities are deployed (for example in connection with lending and trading strategies) any deficiencies in a bank’s model risk management and oversight practices need to be addressed.

The main planned activities relating to this supervisory focus area in 2026 include:

  • SREP risk assessments  (incorporating CRR3/CRD6 climate and nature aspects), including for significant institutions the implementation of the new P2R methodology.
  • Supervisory assessment, qualitative and quantitative analysis of credit  (including climate and nature aspects), loan originationvulnerable sectorsshort-term lending e.g. BNPL, mortgage lending and risks to borrowers  including customer indebtedness. Follow up on issued credit risk management Risk Mitigation Programmes  (RMPs).
  • Assessment of Pillar 1 capital requirements for SA under CRR3 in credit risk and market risk, along with planned internal model investigation  work responding to banks’ submission of updated/new IRB models.
  • Financial resilience assessments, incorporating capital position assessments, distribution strategies, securitisation, provisioning (IFRS9), liquidity, market risk and recovery planning.
  • Identification and assessment by the Central Bank of transmission channelscross-cutting risks  and cross-sectoral interlinkages  arising from macroeconomic and geopolitical risks (including geopolitical reverse stress test coordinated by the SSM).
  • Reviews of the remediation of shortcomings  in the integration of climate and environmental risks  into banks’ risk management frameworks, in addition to consideration of ESG transition plans.
  • Remediation of RDARR deficiencies  identified from reviews in previous years.
  • Assessment of the AI landscape in the banking sector  to build supervisory knowledge on AI use and support the Central Bank’s work in developing its supervisory approach on AI applications and the EU AI Act. Support SSM work to strengthen supervisory understanding of how banks use generative AI applications.

Focus Area 5: Financial crime and market integrity

Thanks to efforts over the past decade, traditional banks’ Anti-Money Laundering (AML)/ Countering the Financing of Terrorism (CFT) frameworks are generally mature and well embedded. As the banking sector diversifies in Ireland, there is a need for newer entrants to continue to build and strengthen their AML/CFT frameworks, in line with national and European requirements, including those of the AMLA. Boards and senior management must be able to demonstrate an understanding of their bank’s key Money Laundering (ML) and Terrorist Financing (TF) risks and the adequacy of their risk management and control frameworks.

Banks need to be particularly vigilant and responsive to criminals exploiting new technologies and practices to abuse the system and firms within it. While developments in digitally enhanced business models provide benefits there is a corresponding increase in the risk of exploitation by criminals to launder the proceeds of crime or perpetrate scams and fraud, as well as increased risks of mis-selling and misrepresentation.

International fraud networks are becoming more sophisticated and banks must do more to strengthen their controls, including improving data and management information and enhancing transaction monitoring and IT security systems to reduce the likelihood of frauds and scams occurring. Where fraud does occur, banks need to provide appropriate and timely support to affected customers.

In wholesale financial markets, increased electronification and the application of AI to business models are driving structural changes and technological innovation which places greater demand on bank’s frameworks for the management of market conduct risk. The Central Bank continues to observe deficiencies in banks’ frameworks for the monitoring and mitigation of market conduct risk. The failure of banks to comprehensively identify all market conduct risks emanating from their business activities can manifest in conflicts of interest not being appropriately identified and mitigated, surveillance frameworks for the detection of potential market abuse not keeping pace with business activities and deficiencies in first line of control frameworks.

The main planned activities relating to this supervisory focus area in 2026/2027 are:

  • Assessment of individual banks and aggregated sectoral data from the enhanced AML/CFT Risk Evaluation Questionnaire (REQ) submissions. The enhanced REQ will capture detailed quantitative and qualitative risk information on ML/TF risk and the quality of AML/CFT controls. This data will be used to: (a) identify firm and sector-specific issues and emerging trends; (b) conduct desk-based supervisory reviews of firms and guide supervisory strategy; and (c) input into the development of a new EU AML Risk Assessment Methodology (led by the AMLA).
  • Targeted supervisory engagements, including inspections, desk-based reviews and review meetings.
  • Cross-sectoral thematic review of controls  on certain types of fraud  as well as the fair treatment of customers  who fall victim to fraud.
  • Cross-sectoral thematic review of conflicts of interest  management in wholesale market banks.
  • Cross-sectoral thematic review of market abuse frameworks  and surveillance.
  • Cross-sectoral thematic review of unauthorised trading  and trading controls.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Shane Kelleher
Shane Kelleher
Photo of Louise McNabola
Louise McNabola
Photo of Jane Balfe
Jane Balfe
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More