knowledge 23 June 2025 |

Central Bank of Ireland’s Authorisations Report (Second Edition): Key Updates for Applicants

This is the second edition of the Authorisations and Gatekeeping Report by the CBI, following the first edition in 2023 (the “First Edition”).  The Report follows the commitment by the CBI to publish such authorisations and gatekeeping reports on an annual basis. The aim of the Report is to provide additional clarity as regards supervisory expectations for firms seeking authorisation, build on the First Edition’s findings, identify areas in which improvements have been made in 2024 and target areas for further enhancement.

This briefing outlines the key updates following the First Edition, with the goal to assist applicants seeking authorisations in understanding what they can do to minimise the length of time the authorisation process lasts for. For an overview of the key takeaways from the First Edition, which remain relevant for consideration by applicants, please see our original briefing here.

What additional information for applicants has been provided in the Report?

1. Authorisation expectations

In line with the CBI’s commitment in the First Edition to continue to improve the authorisation process¹ and in line with the CBI’s ‘Open and Engaged Charter 2024-2026’², the Report notes that the CBI released it’s ‘Guidance on expectations for applicants seeking authorisation from the CBI to operate as a regulated Firm’³ (“the Guidance”) in November 2024.

The Report provides that the aim of the Guidance is to build on existing CBI guidance on the CBI’s website and other publications and to foster clarity and transparency around the authorisation process by providing additional information on a cross-industry basis. The CBI recommends in the Guidance that applicants should familiarise themselves with the Guidance, as it demonstrates the CBI’s expectations in regard to the information to be used for applications. This includes information on current sectoral and legal requirements, the demonstration of effective risk management, compliance and governance measures, evidencing capital and financial resources, clarifying ownership structures and showing sufficient substance in Ireland. It also includes information in relation to ownership structure, environmental, social and governance (ESG) and anti-money laundering and countering the financing of terrorism (AML&CFT) requirements which applicants should note.  The Guidance makes clear that the CBI expects applicants to be aware of principles and guidelines detailed in the Guidance when making their application.

The Report also sets out that the timeline of the application process for authorisation/registration is largely influenced by the following factors:

• application quality;
• how complex the application or proposed business is; and
• the time it takes for applicants to respond to CBI queries.

The sectoral breakdown of authorisation activity which is contained in the Report also includes additional information on ways to improve the application process and issues the CBI is seeing in specific sectors during the authorisation process, which can affect timelines for authorisation. While we have noted the sector(s) that the CBI has made the comments in relation to, all applicants seeking any type of authorisation should have regard to these matters as they have broader application:

• incomplete applications (retail intermediary and debt management firms, MiFID firms, crowdfunding service providers, insurance undertakings);
• failure to demonstrate that proposed pre-approval controlled function role holders (“PCFs”) meet the fitness and probity (“F&P”) requirements, including the minimum competency requirements, and errors or inaccuracies in individual questionnaires (“IQs”) (retail intermediary and debt management firms);
• delays in the submission of the IQ (retail intermediary and debt management firms, MiFID firms);
• significant changes to the applicant’s business or governance structure during the application process (MiFID firms); and
• transparency and engaging with supervisory teams on the nature, scale and proposed timing of a proposed change and availability of resources in the entity that can provide information to the CBI (insurance undertakings post authorisation applications).

2. Effects of MiCAR on the regulatory framework

In light of the entering into force of the Markets in Crypto-Assets Regulation (“MiCAR”) in 2024, the Report contains a dedicated chapter on MiCAR. The Report notes that as the CBI is classed as the National Competent Authority (“NCA”) in Ireland for the purposes of authorisation and supervision under MiCAR, the CBI has set up a dedicated team to deal with the authorisation process for crypto-asset service providers (“CASPs”).The Report also emphasises that the CBI is committed to ensuring the successful implementation of MiCAR in Ireland.

Central to the CBI’s focus in respect of authorisation in this area are good culture and well organised conduct risk management systems by applicants. The Report states that the evidencing by applicants of both of these, in delivering obligations under MiCAR, is essential. Further, the CBI states that the safeguarding of customer funds and governance will be critical factors for the CBI when assessing applications.

The overall underlying theme relating to MiCAR is that applicants must be risk aware, prepared to manage risk and evidence this clearly when making an application for authorisation as a CASP. This is undoubtedly due to the risk volatility and high levels of risk in this area, along with the relatively new regulatory framework.

3. Further progress made in respect of fitness & probity gatekeeping

The Report details the CBI’s activity in relation to F&P during 2024, which included the publishing of Andrea Enria’s ‘Fitness and Probity Review’⁴ (the “F&P Review”), taking a number of actions following the recommendations in the F&P Review and employing revised metrics to enhance the CBI’s F&P assessment process.

In relation to the recommendations made in the F&P Review, the Report notes that the CBI is committed to enhancing the F&P gatekeeping process and that the CBI has shown this through the following:

• establishment of a dedicated F&P Unit with central responsibility for the assessment of PCFs;
• creation of a Gatekeeping Decisions Committee within the CBI to specifically deal with refusal cases for PCFs;
• release of a public consultation paper on amendments to the F&P regime including a proposed F&P guidance document, consolidating current guidance into a single document (CP160); and
• enhancement of statistical information for greater accountability and transparency around the F&P process.

The Report also provides statistical data on the F&P application process for 2024. This includes, the number of applications received by the CBI, the level of approvals and refusals by the CBI, the number of application withdrawals and incomplete applications, the average timeframe for application processing by the CBI and the number of interviews conducted by the CBI as part of the F&P assessment.  

The CBI aims to complete assessments within a 90-day timeframe and in 2024, 82% of all PCF applications were completed within this timeframe. However, this number drops to 37% where the PCF is linked to an application for new firm authorisation. The Report also refers to the European Central Bank’s role in the approval of senior roles in some financial institutions, owing to Ireland’s membership of the Single Supervisory Mechanism (SSM), but these decisions were not included in the Report’s metrics.

4. Spotlight section on DORA

The final section of the Report is a new ‘spotlight’ on the Digital Operational Resilience Act (“DORA”). DORA, which has been in effect since January 2025 and applies to a wide range of financial entities, is cited as a key component of the CBI’s authorisation assessment process.

The CBI sets out in the Report that its approach in relation to DORA in the context of authorisation assessments is one based on proportionality and focused on the nature, scale and complexity of the particular firm. The CBI expects applicants who fall under DORA’s remit to be compliant and if not, to evidence plans to become compliant. In-scope financial entities must also demonstrate that they have considered and documented their own critical functions, their dependence on in house or contracted information and communication technology (“ICT”) systems and services and the implication of a total or severe loss in their ICT systems.

Similar to the chapter on MiCAR, the Report emphasises that risk management is a critical factor for the CBI in its assessment of applications. Among other things, applicants will be expected to show the monitoring and control of ICT systems, the implementation of ICT response and recovery plans and the availability of resources to analyse cyber threats or vulnerabilities. The Report suggests that by introducing well-structured ICT risk management and mitigation strategies, applicants will be in a better position to show that their obligations under DORA have been fulfilled as part of the application process.

How Can McCann FitzGerald LLP Help?

McCann FitzGerald LLP is a premier law firm in Ireland and advises on the full range of legal, tax and compliance activities undertaken by regulated financial service providers in Ireland. We have substantial experience in successfully guiding applicants through the regulatory authorisation process for all types of authorisations, and in helping them to comply with their legal obligations, once established.  If you are considering seeking CBI authorisation, please contact us for further information as to how we can help guide you through the process.

Also contributed to by Ben Robertson