Central Bank introduces new Consumer Protection Risk Assessment Model

28 March 2017 Press Release



  • Following successful pilot, a new consumer protection risk assessment model for regulated firms is introduced.
  • Central Bank’s oversight of firms’ consumer protection risk management frameworks will be more intrusive under the model.
  • Firms required to identify and manage risks to consumers to achieve sustainable, consistent and fair consumer outcomes.

The Central Bank of Ireland today published its Consumer Protection Risk Assessment (CPRA) Model. The Model establishes a new and more intrusive approach for supervisory assessments of regulated firms in relation to conduct and consumer protection risk management. The publication of the Model follows a cross-sectoral pilot-testing exercise in a limited number of banks, insurance and investment firms in 2016.

Director of Consumer Protection, Bernard Sheridan said:

“A positive consumer-focused culture is one in which consumers can be confident that firms are acting in their best interests, throughout their entire relationship with the firm. To establish this culture, we have been clear in our expectation of firms that they must understand the sources of risks to consumers, in the context of their operating environment and business model, to enable them to pre-emptively identify and proactively manage these risks. Our new supervisory model enables supervisors to assess how firms’ consumer protection risk management frameworks are designed and governed and, importantly, how effective they are in practice at delivering fair consumer outcomes.”

The Central Bank has continued to highlight the risk to consumers from the absence of a consumer-focused culture within financial services firms. The CPRA pilot-testing exercise focused on culture and performance management, reward and incentive. The key findings from the pilot are:

  • Some financial services firms have introduced structures and processes that are designed to influence a consumer-focused culture, primarily led from the boards and senior management. However, the firms tested are at various stages of maturity on their culture journey and there is some way to go; and
  • In general, firms were unable to provide sufficient evidence of a strong link between performance management and reward/ incentives (which are key structural drivers of conduct risk) and firms’ stated values and behaviours, as they relate to consumer protection.

The Model will be used throughout 2017 in a series of targeted assessments across retail sectors, with a particular focus on culture, performance management, sales incentives and product governance.

The CPRAs will be in addition to and support our regular programme of consumer-focused thematic inspections, which examine compliance with regulatory requirements. We will also continue to engage with the boards and senior management of regulated firms to ensure there is a very clear focus from the top on embedding and measuring the firms’ cultural change initiatives.

A Guide to CPRA is available here.


In our 2015, 2016 and 2017 Consumer Protection Outlook Reports, the Central Bank set out its expectation that regulated financial services firms must develop consumer protection risk management frameworks, reflecting the nature, scale and complexity of their businesses, and that they must implement the right internal support structures, thus embedding a culture that generates fair outcomes for consumers.

About the CPRA Model

The purpose of the CPRA Model is to provide the Central Bank with a framework to assist supervisors in planning and carrying out an assessment of how consumer risk is identified and managed within regulated firms. It will also enable supervisors to assess the extent to which firms have embedded the concept of fair consumer outcomes in the way they run their business.

As firms vary in size and complexity, it is the responsibility of each regulated firm to effectively manage and mitigate consumer protection risks as they see fit. However, where the Central Bank identifies gaps in firms’ risk management frameworks it will not hesitate to use its supervisory toolkit, in line with its risk-based supervisory approach.

About the pilot-testing

The primary purpose of the pilot-testing exercise was to test how the CPRA Model works in practice. The pilot assessments focused primarily on culture, including leadership and performance management, reward and incentive structures.

Six on-site assessments were undertaken across the banking, insurance and investment sectors and involved:

  • review of retail strategies, consumer protection risk appetites, the firms’ values and behavioural expectations that impact on consumer protection, selected policies, management information, employees’ performance management files, various key board and committee meeting minutes etc. and
  • interviews with a selection of board members, senior management, team lead and sales staff in the firms.