Important update for the banking, payments and lending sectors: the Central Bank of Ireland (CBI) highlights its key risks and supervisory priorities for 2025/2026

Banking Sector – Key risks

Financial risks and resilience

Adverse developments in the unpredictable geopolitical and macroeconomic conditions could impact profitability and bring about risks relating to market and liquidity. Due to the increased use of significant risk transfer (SRT) tools, such as synthetic securitisations, this might put additional pressure on a bank’s capital position. 

Data, AI and modelling capabilities

Deficiencies in data aggregation reporting and modelling can undermine a bank’s understanding of its risk exposure. AI driven automation is still in its infancy stages which presents black box risks.

Data, AI and modelling capabilities

Deficiencies in data aggregation reporting and modelling can undermine a bank’s understanding of its risk exposure. AI driven automation is still in its infancy stages which presents black box risks.

Culture, governance and risk management

Shortcomings in governance structures can lead to operational inefficiencies.

Business model and strategic risks 

Competition from fintech’s and non-bank financial institutions (NBFIs) is reshaping the sector. The level of investment to deliver necessary change may heighten existing cost pressures. It may be badly managed resulting in poor outcomes for consumers, including IT outages and service disruption.

Operational risks and resilience

Increasing reliance on critical third party service providers, with some having a dominant global position creating concentration vulnerabilities.

Financial Crime 

Strengthening AML/CTF procedures is important as banks remain targets for fraud, money laundering and terrorist financing.

Climate and ESG risks

Physical and transition risks can impact on the credit worthiness of borrowers and other counterparties, collateral and asset values and a bank's own level of operational risk. The purchasers of financial products from banks labelled as sustainable or as meeting certain ESG standards, face the risk of misrepresentation if the reality is not the same as that claimed.

The CBI noted the following key supervisory activities for the Banking Sector:

• Board oversight of risk management and governance should be strengthened;
• Continued compliance with ECB supervisory expectations on climate and environmental risks;
• Assessment of the adequacy and effectiveness of AML/CTF risk management frameworks;
• Financial resilience assessments, including the 2025 EU stress test, capital and liquidity management, and recovery planning;
• Assessment of the adequacy and effectiveness of AML/CFT risk management frameworks; and
• Assessment of banks’ proactivity in identifying and assessing transmission channels, cross-cutting risks, and cross sectoral interlinkages arising from macroeconomic and geopolitical risks.

Payment and E-Money Sector Key Risks

Safeguarding of user funds

Weaknesses continue to be observed in safeguarding arrangements across the sector, which heightens the risk that users’ funds are not appropriately identified, managed and protected on a day-to-day basis

Culture, governance and risk management

Poor business practices and weak processes, in addition to a lack of an embedded consumer focused culture, giving rise to deficiencies in a firm’s strategic and operational effectiveness leading to the risk of consumer detriment

Financial risks and resilience

Some firms are facing viability and funding availability challenges, due to firm-specific factors and the operating environment.

Financial Crime

There is evidence that some firms' understanding of financial crime risk, including money laundering and terrorist financing risk, and the robustness of their controls, is not commensurate with the higher inherent risk exposure of this sector.

Operational risks and resilience

The number of major incidents and service outages experienced across the sector are at an elevated level. Many are a result of outsourced service provider failures, coupled with weaknesses in monitoring and oversight. These factors result in increased risk of operational disruption and of harm to customers.

The CBI noted the following key supervisory activities for the Payments and E-money sector:

• Continue inspections on safeguarding arrangements, review of board attestations on safeguarded funds and completion of 2023 audit remediation actions and industry communications on sectoral findings;
• Ensure firms have appropriate strategies, risk management, governance and internal controls as well as the operational and financial capacity to deliver their strategy or business plan;
• Ensure firms are compliant with payments regulation including DORA, PSD3, PSR and Instant Payments;
• Engage with firms to assess the adequacy and effectiveness of their AML/CTF risk management frameworks; and
• Supervisory intervention where elevated risks or breaches of regulatory requirements are identified, including financial crime risk, using our full suite of supervisory powers where required.

Credit Union Sector – Key risks

Business model and strategic risks

The sector is at risk of not keeping pace with digitalisation and members’ needs and expectations, nor taking advantage of the opportunities provided through legislative and regulatory changes. Longer term sustainability challenges remain, in particular continuing low loan to asset ratios.

Financial risks and resilience

While credit unions maintain strong reserves, falling interest rates and adverse developments in the macro environment could adversely impact on surpluses, and credit, market and liquidity risks, which in turn could weaken financial resilience.

Culture, governance and risk management

Weaknesses in some credit unions’ board oversight, their consideration of the impact of risks, and deficiencies in the effectiveness of risk management frameworks and practices, could threaten their members’ interests if risks were to crystallise.

Operational risks and resilience including cyber-related

Operational risk arises from the sector's dependence on a limited number of critical third party outsourced service providers, particularly for, but not limited to, technology and payment services. There has been an upward trend in reported IT and cybersecurity incidents. Credit Unions are exempt from DORA until 2028 but cybersecurity risks should still be addressed.

Climate change and  other ESG risks

Credit unions are still at an early stage of understanding how climate related physical and transition risks impact on the sector overall and their credit union specifically and the required plans/ risk mitigants that need to be in place.

The CBI noted the following important key supervisory activities for the Credit Union Sector:

• Engage with credit unions considering voluntary restructuring through transfers of engagement;
• Continuing the sectoral supervisory focus on financial and operational resilience. Concluding the thematic review of IT risk and the engagement with credit unions and other sector stakeholders on required actions to mitigate risk;
• Enable the commencement of remaining provisions of the Credit Union (Amendment) Act 2024 and consider the full application of the revised CPCto credit unions to ensure that their members are afforded the same protections as other consumers of financial services, particularly as the range of products and services offered increase;
• Commencing the implementation of recommendations included in the Peer Review Report by the International Credit Union Regulators’ Network into the Central Bank’s performance of its regulatory functions in relation to credit unions published in 2023.

Retail Credit Sector Key Risks

Culture, governance and risk management

There is a heightened risk that firms’ culture and incentives lead to an inadequate focus on the interests of consumers.

Operational risks and resilience

Systematic and individual operational errors, linked to cultural issues at firms, are increasing the risk of customer detriment. The complexity of operating models and reliance on third parties and intra-group service providers heightens operational risk. Deficiencies in operational resilience frameworks, including IT outsourcing and cyber security, contribute to these risks.

Borrowers in arrears or risk of arrears

23% of loans serviced by credit servicing firms are in default compared to 3% with Irish retail banks. This could be due to operational constraints within firms limiting their capacity to engage with borrowers, or affected borrowers themselves being reluctant to engage.

Over-indebtedness

For short-term credit, for example Buy Now Pay Later arrangements, there is a particular risk of over-indebtedness and poor consumer understanding of risk. Multiple small borrowed amounts can build up to an unaffordable larger debt.

The CBI noted the following key supervisory activities for the Retail Credit Sector:

• Reviewing how some firms are continuing to meet Central Bank expectations in resolving distressed debt, and the appropriate and sustainable nature of Alternative Repayment Arrangements (ARAs);
• Continue focus on operational capacity as part of loan sales/transfers, expectations set in November 2022 Dear CEO letter and April 2023 publication Protecting consumers in a changing economic landscape and engage with in scope firms of both the thematic review on early arrears and credit cards;
• Reviewing some firms’ overall operational resilience;
• Commencing a targeted review of some firms’ governance structures with a focus on boards’ strategic oversight, independence and accountability; and
• Enhancing regulatory returns to support the increasingly data-driven approach to supervision.

High Cost Credit Provider Sector Key Risks

Excessive Lending

Consumers may be granted excessive credit due to the lending practices of some firms, which may not be in customers' best interests. Remuneration models for collection agents can also be based on incentives loan issuance to increase collections which would drive agents to issue loans not suitable.

Short term credit used to meet long term needs

The use of short term loans on a continuous basis to meet customers’ longer term credit needs increases the risk that consumers fall into a cycle of high cost debt. This risk of consumer harm exists even when credit is being provided responsibly by a firm. This is because, in some cases, while the consumer can afford the repayments, better alternatives may be available

Structural changes in the sector

Changes in the regulatory framework covering the provision of high cost credit introduced in 2022 (which included a cap on the interest rate that can be charged) sought to protect consumers by limiting the interest they will pay. The introduction of the cap has impacted the viability of some business models.

The CBI noted the following key supervisory activities for the High Cost Credit Provider Sector:

• Continuing to engage with industry following the onsite inspections undertaken in 2024 which focused on the adequacy of firms’ complaints handling procedures. Using enhanced supervisory data to monitor the sector, in particular the outcome of the onsite inspections in 2024 which focused on ensuring that firms have policies and procedures in place to encourage responsible lending, robust affordability assessments take place and records are maintained; and
• Reviewing the impact of the interest rate cap and providing a report to the Minister for Finance.

Authored by Eimear O’Brien, Eoin O’Connor, Bill Laffan, Hannah Vero, and Sheharyar Nawaz.