On 7 March 2024, the Central Bank of Ireland (Central Bank) published its consultation paper (CP 158) on the revised draft Consumer Protection Code (Revised Code) and connected areas.
The consultation period closed on 7 June 2024. Feedback on the consultation and the implementation of the final requirements is expected during 2025 and 2026. Firms will have one year from finalisation to put the new processes in place.
This article (divided into Parts 1 and 2) provides a general overview and background on key changes affecting (re)insurers and intermediaries. Although in the consultation phase (now closed), the final form of the Revised Code is likely to remain largely unchanged. Regulated firms, including (re)insurers and intermediaries, will need to start a gap analysis and other planning.
An important point is that whilst titled a ‘Consultation Paper on the Consumer Protection Code’ the Central Bank’s new documents include a proposed statutory instrument on so-called ‘Standards for Business’ and ‘Supporting Standards’ (together known as the ‘Business Standards’). These ‘standards’ will have broader application than just consumers. Therefore, with certain exceptions, all forms of (re)insurer and intermediary will be impacted. Attention will be needed not just for those conducting exclusively consumer business. There will then be other areas through which the Revised Code will supersede the existing Consumer Protection Code (i.e. affecting B2C only).
The interplay between each of the Central Bank’s papers, coupled with the fact that other materials are still to follow, means understanding aspects of the proposed requirements and applying them to business models will be complex.
General
At its core, the Central Bank’s consultation documents include its proposed new version of the Consumer Protection Code and then its new ‘Business Standards’ (with their constituent elements). The Revised Code consolidates existing provisions that have built up over many years. The current Consumer Protection Code originally dates from 2012.
A lot of what appears in the Revised Code will be familiar to those in scope of the existing Consumer Protection Code. The duty to act in the best interest of customers remains at the centre of the Revised Code but will be further developed through a new express duty to ‘secure customers’ interests’ and the accompanying guidance which sets out practical ways firms can discharge this enhanced obligation.
In structuring the changes, whereas the existing Consumer Protection Code is (broadly speaking) made up of an initial ‘general’ set of requirements, coupled then with individual sections for each financial services market sector, the new approach is two distinct regulations (statutory instruments). It will operate as follows:
- The ‘Business Standards’: The ‘general’ cross-sectoral overarching ‘principles’ within the existing Consumer Protection Code are to be superseded now by so-called ‘Business Standards’. These are themselves made up of the core Standards for Business’ and then supplementing detail in the ‘Supporting Standards’. This is the first of the regulations. It lays out the key overriding principles of appropriate conduct by firms (note: both B2B and B2C).
- The ‘General Requirements’: This is the closest approximation to what was the main detail in the prior Consumer Protection Code document. We will then have the Business Standards as well. The sector-by-sector elements, such as for insurance or intermediaries, are set out in these so-called ‘General Requirements’ coupled with some limited cross-sectoral pieces. These are all sitting in their own new set of regulations. There are individual ‘parts’, with Part 4 being specific to insurance.
As a broad comment, the new split-outs and the terminology used can be confusing to the initial reader. For example, the ‘General Requirements’ include the application text, not just ‘generally’, i.e., that is just for an individual industry sector. The Business Standards also include some conflation for firms between B2C and now B2B businesses. The text needs to be worked through quite carefully.
There are also then supplemental papers. To start with, the Central Bank has provided its proposed papers on ‘securing customers’ interests’ (referenced above) and another on the treatment of vulnerable customers. These documents might be described more as broader guidance. They are an expansion of the Central Bank’s ‘expectations’ rather than ‘core’ regulation itself. The Central Bank has flagged that there are other papers on areas to follow.
Prior Signalling
The proposed ‘Standards for Business’, as developed in the supplementing ‘Supporting Standards’, will have a familiar feel. Indications of the areas to be covered were flagged in the lead-up to implementation of the Individual Accountability Framework (IAF) and Senior Executive Accountability Regime (SEAR) via the Central Bank (Individual Accountability Framework) Act 2023. The new Standards for Business mirror many of the requirements under the Conduct Standards and Additional Conduct Standards already applied since the end of 2023 for individuals in Pre-Approval Controlled Functions (PCFs) and Controlled Functions (CFs) (i.e. affected natural persons working in firms). The Standards for Business then complement these and attach at the level of the firm itself.
The new approach integrates into it lessons learned from the past. For example, the Standards for Business (i.e. outlining conduct standards expected by regulated firms) have been developed in reaction to lessons from the supervisory experience during and after the financial crash. The Central Bank references areas such as the failures by banks to deal with mortgage holders on tracker rates, as well as perceived difficulties concerning insurers honouring claims for business interruption cover during Covid.
The modernisation of the financial services industry, including trends in digitalisation, the increasing reliance on tech, AI and outsourcing in business models, as well as changes in customer patterns and behaviours since Covid, are all acknowledged in the Revised Code. A dedicated section of the Revised Code is given over to digitalisation. In keeping with the EIOPA commitment in its ‘Digital Strategy’ document (September 2023) to remain “technology neutral and people first” it does not have prescriptive detail and is more ‘purposive’ in nature. It will be relevant for many insurers and intermediaries, such as in the design of ‘customer journeys’ for online sales.
Other additions to the Revised Code will be around fraud and scams as well as vulnerable customers.
Insurance and Reinsurance
For those in the insurance sector, as can be seen, there is extensive reading on getting on top of the new regime. This will include regard to the cross-sectoral dimensions that must be complied with by all financial services firms as well as the specific pieces under the Revised Code, including the Business Standards, applicable to insurers (and, in some cases, reinsurers) and intermediaries. The assessments, gap analyses and related adjustments will need to be done between now and 2025/2026.
Given the cross-sectoral nature of much of the Revised Code, readers are addressed to William Fry’s broader overview of the regime changes prepared by our Financial Regulation Unit here.
In Part 2 of this article, with the above broader themes in mind, we deal with some specific key areas for (re)insurers and intermediaries.
If you would like to know more about the Revised Consumer Protection Code or the new Business Standards, please contact Marguerite Sinnott, Eoin Caulfield, Ian Murray or a member of the Insurance team.