Speech by Gerry Cross, Director, Capital Markets and Funds, Central Bank of Ireland at Compliance Institute AGM - Supervising for success: some themes for a time of change

14 January 2026 Speech

Gerry Cross

Introduction

Good morning and thank you to Michael for inviting me to speak at the Compliance Institute’s Annual General Meeting. It is always a real pleasure to engage with compliance professionals.

At the Central Bank, we recognise the essential role played by the compliance community in ensuring that financial firms are well-run and contributing to a financial system that is trusted and resilient.

We also recognise the important role played by the compliance institute, equipping those working in compliance with the necessary competence and skills to undertake their roles in a professional manner. We also appreciate the collaborative ethos that you instil and the constructive two-way engagement that you support.

The Central Bank serves the public interest by maintaining monetary and financial stability while ensuring that the financial system operates in the best interests of consumers and the wider economy. For us, delivering on our four safeguarding outcomes, the protection of consumer and investor interests, the integrity of the financial system, the safety and soundness of firms, and financial stability, guides all our work.

The Central Bank is a risk-based, outcome-focused regulator and we constantly challenge ourselves to ensure that we can continue on our journey to ever more effectively deliver in a changing world.

Regulators and compliance professionals have significant common ground in this regard:

The compliance function plays a hugely important role in linking the regulatory framework to the culture, approach and decision making of their firms;
Technology continues to transform how businesses operate, and compliance professionals must support firms to navigate this evolution, staying within the guardrails set by financial regulation;
Compliance can apply a risk-based approach to its monitoring activities, that fully considers the business model of the firm, thus ensuring that efforts are directed towards those areas that pose the greatest potential risks to consumers or investors, to market integrity or to safety and soundness.

Done well, both regulation and compliance support businesses to be well run and sustainably successful over the medium and longer term.

My remarks today will address a number of important topics of relevance to compliance professionals and regulators:

The important objective of securing customers’ interests;
Individual accountability;
Simplification;
Resilience;
Leveraging technology; and
The Central Bank’s evolving approach to supervision.

Together these aspects represent critical components in a system of regulation that is seeking to become more outcomes focused, more straightforward, and more effectively supportive of the economy and the financial wellbeing of citizens.

We expect that, as compliance professionals, you will be at the heart of your firm’s engagement with these important topics.

Simplification, Securing customers' interests, Accountability, Resilience and Technology

Securing customers’ interests

A regulatory and supervisory framework focused on delivering good outcomes is essential to ensuring the financial system is operating in the best interest of consumers and the wider economy

The Central Bank’s Consumer Protection Code is the cornerstone of consumer protection in financial services in Ireland. The recent review of the Code was a significant initiative for the Central Bank. The revised Code will come into force in March this year.

Our review of the Code included extensive engagement with industry, with other organisations and with individuals. I want to thank the Compliance Institute and its members for your valuable contribution to that process.

Over the last 10 months since the publication of the revised Code we have continued that engagement, which has included cross-sectoral and sector specific workshops and meetings on some of the key themes of the Code. Topics have included informing customers effectively, supporting customers in vulnerable circumstances,¹ digitalisation, data protection requirements, etc.

Through that engagement and the queries that have arisen on particular aspects of the Code, we have recognised that in some instances we needed to provide further clarification or guidance. To that end, in December, we updated our General Code Guidance and also published a number of FAQs to support industry in implementing the revised Code.

We recognise the commitment that we have seen across firms in the sectors that we regulate to ensure readiness to implement the revised Code from 24 March 2026. And we want to see this effort continue as the revised Code is further embedded and as firms apply its provisions on an ongoing basis in their operations.

With that in mind, I want to call out the new Standards for Business which are now being introduced. There are nine of these Standards. They bring together in one place a clear high-level statement of the overall regulatory expectation of firms. They are of course essential material for the compliance community to fully engage with, internalise and help give effect to within their firms

One of these Standards for Business is that a regulated entity shall at all times secure its customers’ interests. This standard is designed to ensure that good outcomes for customers is always the driver of firms’ business models and decision-making. (And for clarity, “customers” is explicitly stated to include potential customers.)

In a previous engagement with members of the Compliance Institute, I discussed some key aspects of the Securing Customers’ Interests requirement.² There I noted that, amongst the important aspects of this new articulation of firms’ consumer obligations, is that the “how” is as important as the “what”—it is not enough to comply with the process, there needs to be a clear focus on the outcome. If a disclosure is being made for example, it needs to be done in a way that is effective in really supporting customer understanding.

I also noted that the new standard ensures that where firms are faced with new or complex situations or decisions “the obligation to secure their customers’ interests provides a robust and helpful reference point by which firms can orient themselves”.

As compliance professionals you play an essential role in assessing the impact of the Standards for Business on your firms’ current activities, as well as confirming on an ongoing basis that new products and procedures are aligned with them.

Ensuring that these standards are embedded across financial services firms is hugely important to support trust and confidence in the financial system, and ultimately the achievement of good outcomes for consumers of financial services.

Individual Accountability

When we introduced the Individual Accountability Framework (IAF) 18 months ago, we said that it would be underpinned by proportionality and reasonable expectations; that it was fundamentally about supporting good governance and well run financial firms - and not about more enforcement in itself; and that it was not something that would be the focus of compliance supervision but rather something that would support the further maturing of our supervisory approach and the delivery of regulatory outcomes.

While we are still in the relatively early stages of the implementation of the IAF framework, we are already seeing the positive effects that it is having. These include:

Enhanced clarity as to who is responsible for what within financial firms;
Support for the effectiveness of collective and individual decision making within firms;
Providing an underpinning of responsibilities and accountability which is supporting our new approach to supervision (see below) and its ongoing evolution;
Contributing to a context where the improvement and simplification of other areas of regulation can be envisaged - for example in the area of our fitness and probity framework.

For compliance professionals, the introduction of the Individual Accountability Framework has been a significant development. Representing a change in how regulatory outcomes are delivered by financial firms, with more responsibility and more expectation accruing to firms and in particular their senior leadership, it means that the role of the compliance function should be evolving to respond to those changes. It means that an enhanced focus on outcomes and on judgement in support of senior management and the firm as a whole should be increasingly at the heart of what the compliance function does.

And this of course is consistent both with the Securing Customers’ Interests duty discussed above and with the overall simplification approach which is designed to be less detailed rules-focused and more outcomes focused.

Significant engagement with stakeholders was a hallmark of the development of the Individual Accountability Framework. This engagement was very valuable. It is important that it continues and we very much welcome the ongoing views and perspectives of the Compliance Institute and its members, as well as stakeholders more generally, on this issue as we continue with its implementation.

Simplification

An outcomes-focused approach is also an essential ingredient in engagement with the simplification agenda.

Given the productivity and innovation challenges identified in the Draghi and Letta reports, policymakers are placing a renewed focus on the productivity and resilience of our economy. And one aspect of that is simplification of regulatory frameworks.

This is not about regulatory standards having been set too high or expectations being too great. It is however a recognition that the proliferation of too many detailed or overlapping rules can have the opposite effect to what is intended. Rather than bringing about better outcomes, too many detailed rules can lead to an undue focus on the rules themselves.

Rather than demanding judgement and responsibility from economic actors, too many detailed rules can lead them to see rule compliance as an end in itself. It can result in a perception that the elimination of risk is the ultimate outcome, rather than a sustainably successful economy and the financial wellbeing of citizens.

For the Central Bank, this entails an openness to reviewing and considering existing frameworks to assess whether the same outcomes can be delivered in different, and simpler, ways. Achieving robust and high-quality regulation and supervision means being both effective and efficient. We see the drive for simplification as an opportunity to remove unnecessary complexity and undue burden without compromising the resilience and the consumer and other protections that have been established over the years since the global financial crisis.

In addition to being engaged on this topic at European level, we are also proactively considering simplification in the domestic context. Our recent publication “Regulating & Supervising well – a more effective and efficient framework”³ explains how we think about simplification. It also provides an overview of European initiatives to simplify and enhance the regulatory and supervisory framework in financial services, and sets out a domestic programme spanning supervision, regulation, gatekeeping, and reporting.

Simplification is an important topic for compliance professionals, you understand the purpose of regulation and have first-hand experience of the businesses that you operate within and where the compliance burden is most significant. You are well placed to identify possibilities for simplification that can meaningfully reduce burden while not compromising on the important outcomes that financial regulation and supervision are designed to achieve. While we may not always agree with you, we very much welcome your engagement on this important topic.

Resilience

Resilience is at the heart of a successful financial system.

For financial firms and the financial system, financial resilience has always been critical to success. We saw this to the huge cost of society and individuals during the Great Financial Crisis. Since then, significant work has been done to reform the regulatory regime and rebuild financial resilience. That a good deal of success has been achieved in this area can be seen from the way in which the financial system has weathered a number of recent periods of turbulence and stress.

Financial resilience will always be a focus of our regulatory and supervisory work. This is to ensure that it remains firmly at the top of firms’ agenda, without continuing attention it can quickly be eroded. Moreover the nature and dynamics of financial risks in the system continue to change and evolve - for example in the non-bank sector. It is important that firms and regulators continue to assess and respond to these changing risks.

Operational resilience is rightly a key priority at the current time. The combination of the centralisation of digital processes in the functioning of the financial system, rapidly evolving technology, the major role of third-party providers, and the consequence of the threat landscape makes it a critical concern for firms and for regulators.

The Digital Operational Resilience Act (which came into application almost 1 year ago today) represented a major policy response from the EU to growing cyber and ICT risks in an increasingly digital and interconnected financial system.

At the firm level, it requires institutions to strengthen their operational resilience frameworks. Importantly it also seeks to address operational resilience at a system level, taking a holistic view of the ecosystem within which firms operate. At the system level, it enhances incident reporting and intelligence sharing and establishes a new oversight framework for critical ICT third-party providers which takes into account the dimensions and nature of the financial sector’s reliance on such providers.

Much has been achieved over the past 12 months with the commencement of incident and cyber threat reporting, the collection of registers of information on contractual relationships with ICT third party providers, the national identification of firms subject to Threat Led Penetration Testing, the identification of critical ICT third-party providers and preparation for their direct oversight by the ESAs. Now firms are getting ready for the second collection of DORA registers of information and the first TLPTs are about to begin.

We have approached this work keeping in mind that DORA recognises that removing all risk is not achievable, and that therefore the objective is to strengthen the digital operational resilience of the financial system as a whole. This is not a once and done exercise, firms will need to actively ensure their digital operational resilience on an ongoing basis, deepening the maturity of their practices as new norms become embedded and new risks emerge, in a spirit of continuous improvement.

This is reflected in the finding from our recent thematic work on operational resilience in the MiFID investment firm sector.⁴ Through this piece of work we observed a maturing of operational resilience frameworks in this sector. We identified areas where some firms need to make enhancements, including in important areas like identifying their critical or important business services and mapping how these services are delivered.

More broadly, rising cyber threats, coupled with concentrated reliance on a relatively small number of third parties for ICT services, increase the risks of technological disruption. I therefore want to emphasise the need for firms to continue to build on these foundations especially in the area of digital operational resilience.

Leveraging technology

The importance of operational resilience reflects the extent to which the financial system has become wholly integrated with digital technology.

More broadly, one of the key challenges for firms, compliance professionals and regulators is to ensure that as digital technology rapidly evolves and becomes ever more the basis of new and changed business models, processes and practices, this happens in a way that is aligned with the sound running of firms, consumers’ interests and financial stability.

AI is an innovation that will be transformative. AI tools and technologies have the potential to deliver significant benefits for consumers, investors and for the financial sector. We are also looking to how AI can assist us in our work as supervisors.

However risks arise that could adversely affect firms, their customers and wider society. One of the Central Bank’s supervisory objectives is to be close to how AI is being used by the firms that we regulate, with the overarching aim of seeking to ensure that its adoption is beneficial and done in a way that supports our regulatory objectives.

Before deploying AI, firms need to understand the technology itself and how its adoption is aligned with the firm's overall strategy, risk tolerance, and compliance framework. And whether AI is an appropriate tool in each circumstance taking into account its characteristics, including challenges around the explainability of the output produced.

The model inputs need to be right. if data inputs include an element of bias, that may feed through to model output. Ethical use of data and consideration of data privacy is also hugely important to avoid erosion of trust in this new technology.

The model itself needs to be correct for the use case and model outputs must be used in a well-considered manner.

In some cases AI has the potential to interact with an existing risk, causing it to evolve in a new or a different way. Consideration must be given to how the adoption of AI interacts with the firm’s operational risk profile or its cyber resilience.

All of this must be underpinned by effective governance and oversight. When using AI to deliver products or services, firms need to adhere to the same standards expected when deploying more traditional technology.

Both the new EU AI Act and much of the existing relevant technology-neutral regulation will be important for firms and their compliance functions as this journey continues.

Delivering supervision under our new approach

The final topic that I want to address today is the Central Bank’s supervisory approach. During 2025 and continuing into 2026 we have been introducing a revised approach that continues to be risk-based, that is more outcomes focused, less process driven, and integrated across all our safeguarding outcomes—financial stability, protection of consumer and investor interests, safety and soundness and the integrity of the system.⁵

This evolution of our supervisory approach will enable us to deliver ever more effectively on our regulatory objectives. Amongst the ways it seeks to do this are the following:

By being more integrated it allows us:
- To take a holistic view of the risk landscape and allocate our resources accordingly;
- To act more efficiently and effectively so that our supervisory activities and interventions support multiple outcomes at the same time;
- To really focus on the outcomes we seek, and not unduly on the process.
By being more outcomes focused, it allows us:
- To have better engagement with regulated firms, through clearer communication of our concerns and the outcomes we want to see;
- To enhance the degree to which firms and their leadership and staff internalise the regulatory objectives;
- To focus more on delivering outcomes, rather than simply addressing point risks; proportionately using our supervisory toolkit to achieve our aims.
By being more efficient, it allows us:
- To prioritise better;
- To deploy scarce resources to maximum effect;
- To contribute optimally to delivering on our mandate for our citizens.

The implementation of our revised approach to supervision is an ongoing effort. We continue to value stakeholders feedback and engagement on it.

Conclusion

I will conclude here. I hope that my remarks today have provided a useful insight into how we at the Central Bank think about some of the topics that are likely to be on your agenda. Many thanks for your attention. I now look forward to our Questions and Answers.

[1] Remarks by Deputy Governor Colm Kincaid to Central Bank of Ireland’s Consumer Protection Code Workshop - Modernising how we protect consumers in vulnerable circumstances

[2] Remarks by Director Gerry Cross, Director Financial Regulation - Policy and Risk: Regulating for Better Outcomes

[3] Central Bank, Regulating & Supervising well – a more effective and efficient framework, December 2025 (PDF 440.55KB)

[4] Thematic Assessment: Operational Resilience in the MiFID Investment Firm Sector (PDF 452.97KB)

[5] Central Bank: How we Regulate – Supervision