Business Risk Services

CPRA Model - moving to a more consumer-focused culture

Sheila Duignan Sheila Duignan


It’s an unfortunate truth that risks to consumers are complex and multi-faceting and stem from a variety of sources which potentially include an entity’s ‘strategy, business model, culture, governance and other internal structures, its systems and processes and the behaviours of individuals at any level within the firm’. The Central Bank of Ireland (‘CBI’) has made its position clear through its Consumer Outlook Reports of 2016 and 2017, calling out that it expects firms to develop consumer risk frameworks that go above and beyond minimum compliance with relevant legislation or codes of conduct, by focusing on consumer interests and positive consumer outcomes. Against this background the CBI has recently published its Consumer Protection Risk Assessment (CPRA) Model (‘the Model’). The Model establishes a new and more intrusive approach for supervisory assessments of regulated firms in relation to conduct and consumer protection risk management.


The CBI set out its expectation in its 2016 and 2017 Consumer Protection Outlook Reports that regulated entities should develop consumer protection risk management frameworks, which reflect the nature, scale and complexity of their business. The CBI also highlighted its supervisory expectation that firms should implement the right internal support structures and embed a culture that generates fair outcomes for consumers. The CBI’s recently launched Model was designed to take this approach a step further, providing the CBI with further enhancements to its supervisory framework, enabling it to comprehensively assess firms in relation to how they manage their consumer risk.

The new CPRA Model will be deployed throughout 2017 in a series of targeted assessments. These assessments will particularly focus on culture, performance management, sales incentives and product governance. The CPRAs will be in addition to and support the CBI’s regular programme of consumer-focused thematic inspections, which examine compliance with regulatory requirements. They will also continue to engage with the boards and senior management of regulated firms to ensure a top-down approach to embedding and measuring the regulated entity’s cultural change initiatives.

Firm-specific CPRAs will form a key part of the CBI’s supervisory framework for non-bank lenders, insurance undertakings, investment firms, large retail intermediaries, payment institutions and e-money institutions.

What CPRA means for your organisation

The CBI expects boards and senior management in regulated financial services firms to fully recognise their responsibilities in relation to the governance and management of Consumer Protection Risks and to place these responsibilities among their top priorities. All regulated firms must implement Consumer Protection Risk management frameworks that are proportionate to the nature, scale and complexity of the firm and the risks they are designed to manage. The CBI will assess the design and effectiveness of firms’ Consumer Protection Risk management frameworks through targeted CPRAs.

How the Central Bank will engage with your organisation

  • Each selected firm will receive a formal communication from the CBI in the first instance, notifying it of the planned CPRA and informing the firm of the timing and intended duration of the on-site assessment, the documentation request and other required information, as appropriate.
  • Prior to commencing the on-site assessment, notice will be given in relation to proposed observation by supervisors at board and/or committee meetings; proposed interviewees and timeline for interviews and relevant contact personnel in the firm, who should be available during the on-site assessment. It is possible that as a CPRA progresses, supervisors may wish to observe further meetings and/or interview further personnel.
  • On-site assessments will typically range from two days to one week in duration but may extend beyond this in some cases depending on the size of the firm and the breadth of the CPRA scope. At the end of the on-site assessment, the supervisors will meet with relevant personnel to discuss any outstanding issues that require clarification.
  • Formal feedback will be issued to the firm after the supervisors’ findings and recommendations have been considered and signed off within the CBI. Firms will be provided with the final risk ratings. Where risks are identified which are deemed unacceptable, the CBI will typically impose a risk mitigation programme on the firm, explaining the nature of the risk identified and requiring it to perform outcome-focused action(s) to mitigate the risk within a prescribed timeframe.