Back to Insights
QFA & Brokers5 min read·May 2026·QFAs · Mortgage Brokers · Intermediaries

Central Bank Enforcement 2026: What QFAs and Brokers Are Being Sanctioned For

The Central Bank of Ireland's Administrative Sanctions Procedure has been active in 2026. The pattern of findings is not what most firms expect.

The sanctions being imposed and published are not against firms that defrauded clients. They are against firms that operated systems that were inadequate, processes that were inconsistent, and documentation that failed to demonstrate what actually happened in a client engagement. The systemic failure is the finding. The individual transaction is the evidence.

The Enforcement Framework

The ASP and How It Reaches Your Firm

Under the Central Bank (Supervision and Enforcement) Act 2013, the Administrative Sanctions Procedure allows the Central Bank to impose financial sanctions of up to €10 million per breach, or 10% of annual turnover, whichever is greater. The ASP also provides for disgorgement of profit, conditions on authorisation, and suspension or revocation of authorisation.

The significant point for QFAs and brokers is that these findings are being reached through supervisory inspections — not primarily through client complaints. The Central Bank conducts themed inspections of specific sectors and identifies failures that clients may never have noticed or complained about. You do not need a dissatisfied client to be the subject of an ASP inquiry.

Since the Individual Accountability Framework came into force in 2024, senior individuals in regulated firms can be held personally accountable under the Senior Executive Accountability Regime for systemic failures in their area of responsibility. The ASP has always targeted the firm; the IAF now also targets the individual.

Suitability

Suitability Assessment Failures: What Inspectors Are Finding

MiFID II (as implemented by SI 375 of 2017) and the Consumer Protection Code 2026 require that a suitability assessment documents the client's financial situation, investment objectives, experience and knowledge of financial products, and risk tolerance. The assessment must demonstrate why the product recommended is suitable for that specific client — not for a client profile that resembles them.

What inspectors are finding in 2026:

Recurring failures identified in Central Bank inspections

  • Template-based suitability assessments without client-specific completion — the same narrative appearing across multiple unrelated client files.
  • Risk appetite recorded as a single numerical score with no supporting narrative explaining how it was derived or what product types it constrains.
  • Assessments dated at the initial engagement with no evidence of review at subsequent client meetings, despite material changes in the client's financial position.
  • Suitability documentation completed after the product was sold — backdated or post-sale. The Central Bank treats this as a governance and culture failure, not an administrative error.

The standard the Central Bank applies is whether the documentation, read alone, would allow an independent reviewer to understand why the product was suitable for the client at the time it was sold. If it cannot, the assessment has failed — regardless of whether the product itself performed well.

Disclosure

Disclosure Obligation Failures Under Consumer Protection Code 2025

Consumer Protection Code 2025, which has been enforceable law since 24 March 2026, has tightened pre-contract disclosure requirements. A regulated firm must provide a client with sufficient information to understand the nature, risks, and costs of a product before proceeding, and that disclosure must be documented in the client file.

The specific failures being identified:

Oral disclosure not recorded. A file note stating 'client advised of risks' is not a disclosure record — it is a summary of an oral interaction that cannot be independently verified. The Central Bank expects documentary evidence that prescribed disclosures were provided.

Product Information Documents provided without receipt confirmation. A PID sent by email without a read receipt, acknowledgement, or file note confirming delivery does not constitute documented disclosure.

Outdated Initial Disclosure Documents. An IDD referencing products the firm no longer offers, regulatory authorisations that have been amended, or commission structures that have changed is a live compliance failure — not a legacy document that can be corrected at the next review cycle.

Record-Keeping

Record-Keeping Failures: The File as the Audit Trail

The Central Bank's Fitness and Probity standards and the Consumer Protection Code both require that a firm's business records are accurate, complete, and capable of producing an audit trail for any client engagement.

In practice, inspectors are finding: client files that are incomplete or stored across multiple disconnected systems without a consolidated record; email correspondence from client interactions that is not captured in the formal client file; and cases where the firm's CRM or document management system holds a materially different record from the files produced on inspection.

The standard is not 'we have records somewhere'. The standard is 'we can produce a complete, ordered file for any client engagement within the timeframe required by regulation'. Where you cannot, the question is not why the records are missing — it is why the system permitted records to go missing.

The Cost of an ASP Finding

Financial penaltyUp to €10 million or 10% of annual turnover per breach.
ReputationalCentral Bank publishes all ASP settlements and decisions on its website.
OperationalRemediation may include independent reviews, appointment of a skilled person under s.22 of the 2013 Act, or temporary restrictions on new business.
PI insuranceNotified Central Bank findings may affect professional indemnity terms at renewal.
IndividualUnder the Individual Accountability Framework (2024), senior executives can be held personally accountable for systemic failures in their area.

Immediate Action Checklist

Four tasks. Each addresses a specific category the Central Bank examines on themed inspection.

  1. 1Pull a sample of ten recent client files and confirm that the suitability documentation for each is complete, client-specific, and dated before the product sale — not after.
  2. 2Review your current Initial Disclosure Document. Confirm it reflects your current authorisation, product scope, commission disclosure, and regulatory status under Consumer Protection Code 2025.
  3. 3Audit your file management system. Confirm that all client correspondence — including email — is captured in the central client record, not only in individual staff inboxes.
  4. 4Confirm your Consumer Protection Risk Assessment has been reviewed and dated since Consumer Protection Code 2025 came into force on 24 March 2026.

The Central Bank does not announce themed inspections in advance. The file your inspector reads is the file as it exists on the day they arrive.

Oibrio covers Central Bank enforcement trends and Consumer Protection Code 2025 obligations so your practice maintains a defensible compliance record.

Bi-weekly. No marketing.