On 26 February 2026, the Central Bank of Ireland (Central Bank) published its 2026 Regulatory and Supervisory Outlook (RSO) report, outlining its perspectives on the key trends and risks shaping the financial sector and its supervisory priorities for the year ahead.

For further information on the Financial Regulation Priorities 2026, the global and domestic risk environment, risk themes and related drivers and supervisory priorities, please see our related article here and for other sector specific information in the RSO please refer to our knowledge page on the William Fry website.

Sectoral Focus – Payments and Electronic Money

In our sector specific articles, trends, risks and vulnerabilities are considered from a sectoral perspective in line with the Central Bank’s supervisory approach. In this article we consider the payments and electronic money sectors.

Focus Area 1: Safeguarding of customers’ funds

Protection of customer monies remains one of the most important objectives for the Central Bank and firms are reminded that there is no tolerance for weaknesses in safeguarding arrangements. It is vital that firms have effective and appropriate safeguarding frameworks to ensure that customers’ funds are protected on an ongoing basis. The Pre-Approved Control Function (PCF) regime has been extended to include a new PCF Head of Safeguarding, effective from February 2026.

For further information on the updated PCF list including new Head of Safeguarding roles, please see out article here.

Work on safeguarding in recent years has been extensive, including inspections and third-party audits of all firms’ safeguarding processes, with findings and expectations clearly communicated. A thematic inspection assessing the operational effectiveness of firms’ safeguarding processes and control infrastructure was completed in 2025. While the inspection identified some good practices, significant deficiencies were identified despite the supervisory work previously undertaken and the feedback provided. These were set out in the recent Payment and E-Money Newsletter.

For further information on the newsletter and safeguarding, please see our articles here and here.

Firms must keep safeguarding frameworks and processes under constant review, including consideration of all findings and supervisory expectations communicated, irrespective of whether an individual firm was directly included in the work. Where firms identify gaps or weaknesses in their frameworks or processes, they should take appropriate and timely remediation actions to ensure that customer funds are always protected.

The main planned activities relating to this supervisory focus area in 2026 are:

• Assessment of the actions taken by firms to address identified gaps in safeguarding processes and procedures.
• Assessment of firms’ implementation of the new Head of Safeguarding PCF role.

Focus Area 2: Financial crime

The use of technology and innovative ways to serve the needs of consumers is welcome for reasons of both efficiency and convenience. However, this exposes firms to heightened risks of criminals laundering the proceeds of crime, financing terrorism and perpetrating fraud and scams. Firms need to remain vigilant and keep pace with financial crime risks and typologies associated with new technologies.

There has been an expansion of cybercrime and fraud in recent years, with AI driven social engineering becoming a primary threat and this continues to challenge the sector’s defensive capabilities. The level of fraud relative to transactions is increasing for both e-money transactions and money remittance in recent times. Firms must ensure they have robust systems for detection and prevention of fraud and are putting customer needs first, especially customers in vulnerable circumstances.

The inherent ML/TF risk facing firms is high and continues to increase given the changing nature of sector. Further work is required across the sector to build and strengthen frameworks, particularly by new entrants. A key concern is firms’ inadequate understanding of ML/TF risks and the need for adequate mitigating measures commensurate with the risks. Firms’ governance arrangements, systems and controls, including reporting mechanisms, need to be effective and proportionate to the nature, scale and complexity of their business and the risks to which they are exposed.

The main planned activities relating to this supervisory focus area in 2026 are:

• Assessment of the adequacy and effectiveness of AML/CFT risk management frameworks through AML inspections, targeted and thematic reviews and financial crime review meetings.
• Assessment of individual firm and aggregated sectoral data from the enhanced AML/CFT Risk Evaluation Questionnaire (REQ) submissions. The enhanced REQ will capture detailed quantitative and qualitative risk information on ML/TF risk and the quality of AML/CFT controls. This data will be used to: (a) identify firm and sector-specific issues and emerging trends; (b) guide supervisory strategy; and (c) satisfy incoming data requirements for the EU’s Anti-Money Laundering Authority (AMLA).
• Cross-sectoral thematic review of controls on certain types of fraud as well as the fair treatment of customers who fall victim to fraud.

Focus Area 3: Business models and financial resilience

There is a high level of material change in business models requests and acquiring transaction notifications reflecting the number of firms adapting their business models to respond to increased competition. However, high operating costs and limited sustainable funding options make some firms financially vulnerable. The financial risks facing the sector are exacerbated by the uncertain macroeconomic and geopolitical environment and a potentially saturated market.

Financial resilience challenges are likely to lead to sectoral consolidation, or the exit or failure of certain firms, reinforcing the need for bespoke, effective and actionable wind-down plans. Wind-down plans are not always

consistently aligned to a firm’s risk management framework and have inadequate triggers to ensure, where required, an orderly and solvent wind-down. The Central Bank expects firms to have credible plans which, inter alia, prioritise the return of customer money in an efficient and timely manner in the event of an exit or wind-down situation. Under the National Payment Strategy the Department of Finance will examine the need to provide the Central Bank with liquidation powers in relation to payment firms.

For further information on the National Payments Strategy, please see our article here.

The European Commission has clarified the conditions under which e-money exists in its response to a question on the definition of electronic money. EMIs should assess what implications the Q&A may have for their business model or products, if any and what potential actions they will need to take to comply. Firms seeking authorisation as an EMI should also assess the implications of the Q&A for the activities they are proposing to undertake within their authorisation application.

For further information on the Central Banks’ Dear CEO letter on Electronic Money Definition, please see our article here.

The main planned activities relating to this supervisory focus area in 2026 are:

• Thematic review of financial resilience, including strategic planning and wind down planning.
• Engagement with firms in the sector regarding the EBA Q&A 2022_6336.

Focus Area 4: Operational and cyber resilience

The Central Bank continued to see increased levels of system outages reported as major incidents in 2025, including cross-industry disruption impacting the payment system as whole and subsequently causing customer disruption.

Firms must prioritise robust cybersecurity measures, including data encryption, multi-factor authentication and regular penetration testing to safeguard their systems and customer data.

Firms need to ensure that they have appropriate governance, management and oversight of outsourcing arrangements, together with rigorous contingency and exit planning. The Central Bank commenced a thematic review of the governance and effectiveness of IT outsourcing across several firms in the sector last year, which will conclude in 2026 and the findings and its expectations will be outlined in due course.

The main planned activities relating to this supervisory focus area in 2026 include:

• Issue feedback on the thematic review of the governance and effectiveness of IT outsourcing.
• Targeted follow-up on remediation strategies for those firms where issues have been identified in relation to their management of operational and cyber risks and resilience.
• Supervisory assessment of DORA reporting, including Registers of Information (RoI) and major incident reporting, to inform the Central Bank’s assessment of operational resilience at a sectoral and firm specific level.
• Focus on the implementation and development of incoming regulations and initiatives, in particular the Payment Services Directive (PSD3) and Payment Services Regulation.
• Continued work with industry and government to establish a collective action approach to system-wide operational resilience for payment services (including cash).

Focus Area 5: Culture, governance and risk management

The Central Bank’s supervisory work has regularly identified the absence of a customer-centric culture whereby customers’ interests are not being consistently placed at the heart of decision making and are neglected in the pursuit of new business growth. Firms are expected to maintain both perspectives in equilibrium, ensuring that business models and practices are centred on customers’ interests while being sustainably profitable.

A 2025 thematic review examining customer experience through the lens of customer complaints highlighted that some firms are still failing to appropriately identify complaints when consumers express a grievance or dissatisfaction. This is a requirement of the Consumer Protection Code and leads to unnecessary progression of complaints to the Financial Services and Pensions Ombudsman.

Firms, including those who operate as part of a wider group, must be able to demonstrate that they have effective governance and risk management arrangements in place to respond to the range of risks facing firms and to ensure customer interests are secured.

The main planned activities relating to this supervisory focus area in 2026-2027 include:

• Cross-sectoral thematic review of whether customers are being informed effectively.
• Cross-sectoral review of how firms are carrying out root cause analysis of errors and applying learnings to their wider product and service suite.
• Cross-sectoral thematic review of the identification and treatment of vulnerable customers.
• Assessment of board composition, resourcing levels and governance structures.
• Thematic review of the operation of distributors and agents models.

Contact Us

For more information, please contact Shane Kelleher, Louise McNabola, John O’Connor or your usual William Fry contact.

Contributed by Jane Balfe