QFA & Brokers · 5 min read · May 2026 · QFAs · Mortgage Brokers · Insurance Intermediaries

Consumer Protection Code 2025: Four Obligations Your Firm Must Have Closed by Now

The Consumer Protection Code 2025 has been enforceable law since 24 March 2026. Eight weeks have passed. The Central Bank's supervisory cycle is active.

If your firm has not yet actioned the four structural changes below, you are carrying live regulatory exposure today.

Obligation 1

Trusted Contact Person — Onboarding Process Amendment

Every consumer-facing firm must now offer clients the facility to nominate a Trusted Contact Person at the point of onboarding. The TCP framework under Consumer Protection Code 2025 is not optional and not discretionary — it is a mandatory process obligation.

What the Central Bank will look for on inspection

  • Evidence the TCP option was offered, documented in the client file.
  • Updated Terms and Conditions describing the TCP framework, the circumstances under which contact will be made, and the firm's limitations on acting on TCP information.
  • A written internal policy defining vulnerability indicators and the TCP invocation threshold.
  • Confirmation that where a client has a decision-making representative appointed under the Assisted Decision-Making (Capacity) Act 2015, that arrangement takes precedence over any nominated TCP.

If your onboarding pack has not been updated to include a TCP nomination section, that is your most urgent remediation task. A client file opened after 24 March 2026 without a TCP offer on record is a non-compliant file.

Obligation 2

Data Retention — Unaccepted Offers

The Consumer Protection Code 2025 reduces the mandatory retention period for records of offers or requests not taken up by a consumer from six years to one year.

This requires two immediate actions.

First, amend your data retention schedule. Any policy referencing six-year retention for unaccepted offer records is now non-compliant on its face.

Second, audit your CRM or document management system. Records held beyond 12 months for unaccepted offers must be flagged for deletion. Holding data beyond its lawful retention period is a standalone GDPR exposure under Article 5(1)(e) — separate from the CPC breach.

Obligation 3

Consumer Protection Risk Assessment

The Central Bank has restated in its supervisory guidance that the Consumer Protection Risk Assessment is a live document, not an annual tick-box exercise. Firms will be asked to produce their current CPRA on inspection.

Your CPRA must address, at minimum: where in your business model consumer interests are most at risk; what controls are in place to mitigate those risks; how those controls are tested and by whom; and the date of last review and next scheduled review.

A CPRA that has not been reviewed since before 24 March 2026 does not reflect the current Code and will not satisfy an inspector.

Obligation 4

Digital Journey Disclosure

If any part of your client-facing process operates online — an enquiry form, a quotation tool, a digital fact-find — the Consumer Protection Code 2025 imposes specific disclosure obligations on that touchpoint.

The standard applied is whether a circumspect consumer would be clearly informed of the nature of the service, the firm's regulatory status, and any limitations on the advice or information being provided. Embedding this in a terms and conditions page that loads on a separate click does not satisfy the requirement.

Review every digital client touchpoint against this standard before your next supervisory engagement.

The €5 Million Turnover Threshold

Firms with corporate clients should verify whether those clients remain within the Code's definition of consumer. Incorporated bodies with annual turnover exceeding €5 million in the prior financial year — or members of a group with combined turnover above that threshold — are excluded from consumer protections under Consumer Protection Code 2025. Your suitability assessment and documentation standards for those clients must be adjusted accordingly.

Immediate Action Checklist

Four tasks. Complete before your next client onboarding.

  • Update client onboarding documentation, adding a TCP nomination section.
  • Amend Terms and Conditions to describe the TCP framework and invocation circumstances.
  • Update your data retention schedule: unaccepted offer records, one year maximum.
  • Confirm a current, dated Consumer Protection Risk Assessment is on file.

The Central Bank does not grade firms on intent. It grades them on what is documented in the file.

Oibrio covers Central Bank enforcement trends and Consumer Protection Code 2025 obligations so your practice maintains a defensible compliance record.
