CBI Regulatory and Supervisory Outlook 2026
The Central Bank of Ireland (CBI) has released its third annual “Regulatory and Supervisory Outlook” report, highlighting the key trends facing the financial sector in Ireland.
The report highlights that geopolitical risks, technological advancements and changing consumer behaviour are reshaping the Irish financial system.
Within this report, the CBI has included three “spotlights” that explore the emerging challenges facing Ireland. These spotlights highlight key areas where the CBI expects financial institutions to strengthen their risk governance frameworks.
The first spotlight examines the adoption of artificial intelligence (AI) within the financial sector. In our understanding, financial institutions have been using AI in areas such as customer engagement, data management and risk analysis. Some institutions appear to use AI chatbots to handle customer queries and may use it as a data management tool for fraud detection and transaction monitoring.
In addition, in our opinion, AI may be used as a risk analysis tool for credit scoring and market risk modelling. The CBI has emphasised that the ever-increasing use of AI will lead to more risks that will require careful supervision and governance. This is particularly significant as emerging forms of AI, such as agentic AI, can operate with minimal human supervision.
In our view, while such innovations can offer significant productivity improvements, they may also pose potential risks for regulators and financial institutions. For example, in our understanding, without proper oversight, chatbots can provide inaccurate information when they are not trained on up‑to‑date policies.
Another key risk facing firms is their reliance on digital supply chains providing complex technological services such as cloud technology and external AI services. Disruptions to these supply chains, arising from geopolitical tensions, could affect access to, or the security of, AI systems designated as high-risk under the EU AI Act. As a result, the CBI will not only monitor the internal controls of these AI systems but also assess their resilience to external stress scenarios.
In a regulatory context, frameworks such as the EU AI Act are expected to work in tandem with other regulations, including the EU’s DORA (Digital Operational Resilience Act), to integrate themselves into the mainstream prudential and risk frameworks of regulated firms. Furthermore, the EU AI Act will create an AI-focused structure around governance, risk management and accountability to create principles that guide firms in using AI responsibly.
To manage AI-related risks, the CBI outlined the following core standards:
1. Strategic alignment: Firms must ensure use of AI is appropriate.
2. Accountability and explainability: Clear responsibility should be established for oversight.
3. Proportionate governance: Complex AI systems should have stronger oversight and risk controls.
4. Compliance: Processes must be in place to ensure compliance with EU AI Act obligations.
Overall, the approach outlined by the Central Bank encourages firms to explore AI but in a transparent and well-governed manner.
The CBI has highlighted operational resilience across the financial sector as a core priority in its Regulatory and Supervisory Outlook 2026. Institutions have become reliant on complex Information and Communication Technologies (ICT) and digital systems along with third-party service providers, such as cloud computing platforms. Any disruption, whether through cyber-attacks, technology failures or geopolitical tensions, can have a negative impact on the wider financial system.
As a result, being resilient has become a critical priority for the CBI. For example, a ransomware attack on a bank’s payment infrastructure could prevent customers from accessing funds, while an outage at a major cloud provider could disrupt mobile banking services.
A key driver of implementing resilience is DORA, a regulatory framework to manage ICT and digital disruptions across the financial sector. CBI regulators have highlighted areas where firms still need to strengthen their implementation of DORA requirements.
The following key gaps have been identified:
1. Designing and operationalising ICT risk management frameworks: End-to-end implementation remains incomplete and requires urgent attention.
2. Strengthening governance and management body oversight: Roles, responsibilities and reporting lines are unclear and ICT risks are still not receiving sufficient senior management focus.
3. Improving ICT security: Baseline security controls and policies must be regularly strengthened to match evolving threats.
4. Maturing incident management: Firms are improving classification and escalation processes, but under-reporting of incidents to regulators is still a concern.
5. Developing ICT third-party risk management: Firms must enhance due diligence, monitoring and exit planning to address vendor and concentration risks.
The spotlights also highlight that due to the growing reliance on third-party cloud service providers, it has now become imperative for institutions to develop a deep understanding of their supply chains. Any failure in the external providers’ systems could disrupt essential customer services of a bank such as payment services or access to customer accounts.
Altogether, it has now become important for regulated entities to map their critical delivery channels and test their ability to withstand disruptions, identify gaps in ICT management and fully implement the DORA framework across their systems. This may include, for example, scenario testing, such as simulating a cyber-attack or system outage to identify vulnerabilities.
Spotlight 3 of the Regulatory and Supervisory Outlook focuses on preserving the consumer protection framework across the financial system. In an increasingly complex and digitised system, the CBI has emphasised the importance of ensuring that institutions’ governance, risk and operational processes prioritise the interests of consumers and investors.
A key theme of the supervisory approach is the implementation of the revised Consumer Protection Code, which is effective from March 2026. The revised code will cover how financial services are delivered, particularly through digital channels, and aims to provide guidance for firms regarding their obligations to consumers.
This spotlight also highlights areas where consumer risks are evolving, particularly services that are provided through online channels. This has led to an increase in financial scams, including phishing emails, which pose a threat to the integrity of the financial system and consumer confidence. The CBI has stated that it will engage with financial firms and other stakeholders, such as technology platforms and public institutions, to implement safeguards against such risks.
The CBI will continue to build the consumer and investor protection framework for the future, provide customers with analysis on schemes such as Buy Now, Pay Later and support the common standards in the European Supervisory Authorities’ Consumer Protection Code. This includes discussion on improving fraud detection systems, enhancing customer authentication measures and ensuring clearer communication with customers.
For banks and other financial institutions, there will be an increase in supervisory scrutiny over their customer services. They will need to demonstrate that their digital platforms do not cause any consumer harm. For example, poorly designed algorithms that approve loans without sufficient checks or app interfaces that mislead users about fees or risks could lead to regulatory intervention.
To prevent fraud, it is important that transactional monitoring and customer protection mechanisms are integrated into financial institutions’ governance and risk frameworks. Spotlight 3 highlights the need for firms to align their commercial objectives with the best interests of their customers and investors.
Our risk experts recognise that the objectives in the CBI’s Regulatory and Supervisory Outlook 2026 remain a pivotal driver for the strategic priorities of financial institutions.
Our team excels at helping clients within the financial services sector navigate the intricate regulations and meet similar regulatory reporting requirements under DORA, the AI Act and other regulations such as the Consumer Protection Code. We work closely with our clients to identify their regulatory responsibilities and support firms in achieving full compliance.