Payments

CBI RSO 2026: Payment Institutions & E-Money Institutions

The CBI's RSO is a direct statement of supervisory intent. This briefing covers all five focus areas, Finvisor's independent assessment, and the questions your Board, CEO, and Head of Compliance should be asking now.

What the RSO Signals for Regulated Firms in 2026

The Central Bank of Ireland's Risk and Supervisory Outlook (RSO) for 2026 is not a advisory document. It is a direct statement of supervisory intent. For payment institutions and e-money institutions operating under CBI authorisation, the RSO sets out precisely where the regulator will focus its attention — and where it expects to find firms ready.

This briefing maps the CBI's key messages to your compliance obligations and gives your Board, CEO, and Head of Compliance the questions they should be asking right now.

Why This RSO Matters More Than Previous Years

The CBI has materially increased its supervisory resources for the payments and e-money sector. The 2026 RSO reflects a regulator that has moved from a build-out phase into an active assessment mode. Firms that treated previous RSOs as background reading are now finding themselves subject to direct supervisory engagement.

Three factors make 2026 different:

  • Increased firm population. The number of CBI-authorised payment and e-money firms has grown significantly, bringing greater supervisory scrutiny across the sector.
  • EU regulatory convergence. PSD3, the Payment Services Regulation, and DORA are all progressing. The CBI is aligning its supervisory expectations with incoming EU standards ahead of formal implementation.
  • Lessons from enforcement. The CBI has drawn on enforcement actions across the EU to sharpen its focus areas. Firms in Ireland are expected to learn from findings against firms in other jurisdictions.

The Six Focus Areas

1. Governance & Accountability

The CBI expects boards and senior management to demonstrate active, informed oversight of risk and compliance. This is not a box-ticking exercise. The regulator is looking for evidence that governance structures are operational — that boards receive meaningful management information, challenge executive decisions, and hold accountability holders to account.

What this means for your firm:

  • Board packs must include substantive risk and compliance reporting
  • PCF holders must be able to demonstrate their individual accountability
  • Governance frameworks should be reviewed and stress-tested against CBI expectations

2. AML/CTF Frameworks

Financial crime risk remains the CBI's highest supervisory priority for payment and e-money firms. The 2026 RSO makes clear that the regulator views many firms' AML/CTF frameworks as insufficiently mature for the scale and complexity of their business.

What this means for your firm:

  • Business-Wide Risk Assessments must be current, granular, and genuinely risk-based
  • Transaction monitoring systems must be calibrated and regularly reviewed
  • MLRO resourcing must be proportionate to the firm's risk profile
  • Customer Due Diligence and Enhanced Due Diligence procedures must reflect actual business activity

3. Safeguarding

The CBI introduced a dedicated PCF role for the Head of Safeguarding in 2026. This signals that safeguarding is now treated as a senior accountability function, not an operational back-office task. Firms must have a named, qualified individual responsible for safeguarding compliance at board level.

What this means for your firm:

  • Safeguarding arrangements must be reviewed for operational effectiveness
  • Segregated accounts must be properly maintained and reconciled daily
  • Insurance or guarantee arrangements must meet regulatory standards
  • The Head of Safeguarding PCF role must be filled and notified to the CBI

4. Operational Resilience & DORA

For in-scope firms, DORA has applied since January 2025. The CBI is now in active assessment mode and expects firms to have completed their initial implementation work. The 2026 RSO signals that operational resilience will be a supervisory priority throughout the year.

What this means for your firm:

  • ICT risk management frameworks must be documented and tested
  • Registers of Information covering third-party ICT providers must be complete
  • Incident classification and reporting procedures must be operational
  • Business continuity and disaster recovery plans must be current

5. Consumer Protection

The CBI's consumer protection supervisory priorities reflect a broader EU-wide focus on fair treatment, transparency, and complaints handling. Payment and e-money firms are expected to demonstrate that consumer outcomes are embedded in their business model — not bolted on.

What this means for your firm:

  • Complaints handling procedures must meet CBI requirements and be actively monitored
  • Fee structures and terms must be clearly communicated to customers
  • Vulnerable customer policies must be in place and operational
  • Consumer protection must be a standing Board agenda item

6. Data & Regulatory Reporting

Accurate, timely regulatory reporting is a baseline expectation. The CBI has signalled increased scrutiny of data quality and reporting accuracy across the payments sector. Firms with recurring reporting errors or late submissions should treat this as a significant supervisory risk.

What this means for your firm:

  • REQ submissions must be accurate, complete, and submitted on time
  • Data governance frameworks must ensure the integrity of regulatory data
  • Reporting processes must be documented and subject to internal review