Ireland CBI Complaint Handling: Consumer Protection Code, FSPO Referral, and EEA Hub Considerations

What this guide covers

This guide provides a practical walkthrough of complaint handling requirements for financial services firms operating in Ireland under Central Bank of Ireland (CBI) supervision. It is written for complaint operations teams, compliance officers, and quality assurance staff at payment institutions, e-money issuers, and fintech firms licensed or passporting through Ireland.

Ireland has become one of the two most popular EU licensing jurisdictions for fintech firms that previously operated under a UK licence, alongside the Netherlands. The Central Bank of Ireland has authorised a significant number of payment institutions and e-money firms since 2018, many of which use their Irish licence to passport services across the EEA. This guide covers both the core Irish requirements and the practical considerations that come with operating Ireland as an EEA hub.

The Irish complaint handling framework is built on the modernised Consumer Protection Code (effective 24 March 2026), the European Communities (Payment Services) Regulations 2018, and the Financial Services and Pensions Ombudsman Act 2017. Together, these create a detailed set of obligations that are more prescriptive than many firms expect. The 40 business day complaint resolution deadline, the specific complaint registration requirements, and the FSPO's broad jurisdiction and binding decision-making power make Ireland's framework one of the more demanding in the EEA.

Central Bank of Ireland Consumer Protection Code

The modernised Consumer Protection Code, which came into force on 24 March 2026, is the centrepiece of Ireland's consumer protection framework for financial services. Chapter 10 of the code sets out detailed complaint handling requirements that apply to all regulated financial services providers authorised by the Central Bank of Ireland. These requirements go beyond the general principles in the Joint Committee Guidelines and include specific operational mandates.

Under Chapter 10 of the code, a regulated firm must have a written procedure in place for the proper handling of complaints. The procedure must be available to consumers on request and must be published on the firm's website. The procedure must set out how the firm will handle complaints, including the timeframes for acknowledgement, investigation, and resolution.

The code requires firms to acknowledge complaints within five business days of receipt. The acknowledgement must include the name and contact details of the person handling the complaint and must inform the complainant about the firm's internal complaint process. This is more prescriptive than the Joint Committee Guidelines, which call for "prompt" acknowledgement without specifying a day count.

The core deadline under the code is 40 business days. The firm must attempt to resolve the complaint and issue a final response within 40 business days of receipt. If the complaint cannot be resolved within 40 business days, the firm must inform the complainant in writing of the anticipated timeframe for resolution and of their right to refer the complaint to the Financial Services and Pensions Ombudsman (FSPO). The firm must also inform the complainant about any applicable time limits for FSPO referral.

A critical code requirement is the complaint register. The firm must maintain a complaints register that records the details of each complaint, the actions taken, and the outcome. The register must be available for inspection by the Central Bank. Firms that maintain inadequate complaint registers are at risk of supervisory findings during CBI inspections.

• Acknowledge every complaint within five business days of receipt, naming the handler and providing contact details.
• Issue a final response within 40 business days of receipt, or send a holding response before day 40 explaining the delay and advising of FSPO referral rights.
• Maintain a comprehensive complaint register that records intake details, investigation steps, outcomes, and dates.
• Publish the complaint handling procedure on the firm's website and make it available to consumers on request.
• Ensure the complaint procedure covers all channels including email, phone, letter, online form, and social media.

The 40 business day deadline and PSD2 interaction

The CPC's 40 business day deadline is the general complaint resolution timeline for Irish-regulated firms. However, for payment institutions and e-money firms, an additional layer applies: the PSD2 payment complaint deadline of 15 business days, transposed into Irish law through the European Communities (Payment Services) Regulations 2018.

This creates a dual-deadline system. For complaints that relate to payment services (transaction execution, unauthorised payments, fees, exchange rates, and related matters), the 15 business day PSD2 deadline applies. For complaints about non-payment matters (general account administration, marketing, non-transactional product features), the 40 business day CPC deadline applies. In all cases, the firm must apply whichever deadline is shorter for the type of complaint at hand.

If the 15 business day PSD2 deadline cannot be met, the firm must send an interim response within 15 business days explaining the reason for the delay and specifying a final response date no later than 35 business days from receipt. For the 40 business day CPC deadline, the firm must inform the complainant before day 40 of the anticipated timeframe and of the right to refer to the FSPO.

Operationally, the dual-deadline system requires firms to classify complaints at intake as either payment-related or non-payment-related. This classification determines which deadline applies and must be recorded in the complaint register. Firms that apply a single deadline to all complaints will either breach the shorter PSD2 deadline for payment complaints or create unnecessary urgency for non-payment complaints.

The Central Bank of Ireland monitors deadline compliance and has taken enforcement action against firms with persistently poor complaint handling timeliness. Firms should treat both deadlines as hard controls, not aspirational targets, and build escalation mechanisms that trigger well before the deadline is reached.

• Classify every complaint at intake as payment-related (15 BD deadline) or non-payment-related (40 BD deadline).
• Set up the complaint management system to track and alert on both deadlines separately.
• Send interim responses before the applicable deadline if the investigation is not complete.
• Build escalation triggers at the midpoint of each deadline period to prevent last-minute scrambling.
• Record the deadline classification and compliance status in the complaint register for each case.

FSPO ombudsman referral process

The Financial Services and Pensions Ombudsman (FSPO) is Ireland's statutory dispute resolution body for financial services complaints. It was established under the Financial Services and Pensions Ombudsman Act 2017, merging the former Financial Services Ombudsman and the Pensions Ombudsman into a single body. The FSPO has broad jurisdiction covering banking, insurance, investment, payment services, and pensions complaints.

The FSPO can investigate complaints from consumers, including individuals, small businesses, and certain other categories of complainants. Its investigation powers are substantial. The FSPO can require firms to produce documents, attend hearings, and provide evidence under oath. At the conclusion of an investigation, the FSPO can issue a legally binding decision that may direct the firm to pay compensation, rectify conduct, or take other specified actions.

The FSPO referral timeline is notably different from the UK's FOS. While the FOS requires referral within six months of the firm's final response, the FSPO applies a longer limitation period: six years from the date of the conduct complained of, or three years from the date the complainant became aware of the conduct, whichever is later. This means firms may face FSPO complaints about conduct that occurred years earlier, making record retention particularly important.

The FSPO process is free for consumers. Firms do not pay case fees in the same way they do with Kifid in the Netherlands, but the Central Bank of Ireland levies a financial services industry levy that funds the FSPO's operations. The FSPO publishes selected decisions, which provides useful guidance on how the FSPO interprets consumer protection requirements and what outcomes firms can expect in different categories of disputes.

When a complaint is referred to the FSPO, the firm should prepare a comprehensive case file including all complaint correspondence, investigation notes, evidence reviewed, and the final response. The FSPO expects firms to cooperate fully with its investigation process and to respond to requests for information within specified deadlines. Firms that are unresponsive or uncooperative risk adverse inferences in the FSPO's decision.

• Inform complainants about the FSPO in every final response and in every holding response where the deadline is being extended.
• Include the FSPO's name, postal address, website, and phone number in complaint response templates.
• Do not use language that discourages or obstructs FSPO referral.
• Prepare a comprehensive case file when a FSPO referral is notified, including all communications and evidence.
• Designate a single point of contact within the firm for FSPO correspondence and cooperation.
• Retain complaint records for at least six years, reflecting the FSPO's limitation period, not just the CPC's minimum.

Complaint registration requirements

The Central Bank of Ireland places particular emphasis on complaint registration. The CPC requires firms to maintain a complaints register that is more than a simple log of complaint numbers and dates. The register must contain enough detail to allow the Central Bank to understand the nature of each complaint, the handling process, and the outcome.

The register should include, at minimum: the date of receipt, the identity of the complainant, the nature and subject of the complaint, the product or service involved, the complaint category, all correspondence and communications, internal investigation notes, the outcome (upheld, partially upheld, rejected), any redress offered, the date of resolution, and whether the complainant was informed of FSPO referral rights.

The Central Bank inspects complaint registers during its supervisory engagement with firms. Inspection findings related to complaint registration are common, particularly for firms that are relatively new to Irish regulation. The most frequent findings relate to incomplete entries (missing dates, missing outcomes, or missing FSPO referral records), inconsistent categorisation of complaints, and the use of multiple disconnected systems that make it difficult to reconstruct the handling timeline for any given case.

Firms should implement their complaint register as a single system of record rather than relying on a combination of spreadsheets, email folders, and case management tools. The register should be designed so that every required data field must be completed before a complaint can be marked as resolved, creating a structural control that prevents incomplete records.

The Central Bank has also indicated that it expects firms to use complaint register data for management information purposes. A register that is only used for recording individual cases, without any aggregate analysis or reporting to senior management, does not meet the CBI's expectations. The complaint register should feed into regular management reporting that identifies trends, systemic issues, and areas for improvement.

• Maintain a single, centralised complaint register that captures all CPC-required data fields.
• Require completion of all mandatory fields before a complaint can be closed in the system.
• Record whether the complainant was informed of FSPO referral rights in each case.
• Use the register data for management reporting, including trend analysis and root-cause identification.
• Prepare the register for Central Bank inspection at all times, not only when an inspection is announced.

EEA hub considerations for Irish-licensed firms

Ireland's role as a major EU licensing hub for fintech firms creates specific complaint handling challenges that go beyond the core CPC and FSPO requirements. Firms that hold an Irish licence and passport into other EEA markets must manage complaint flows from consumers in multiple jurisdictions while maintaining a complaint handling framework that satisfies the Central Bank of Ireland as home state supervisor.

The Central Bank of Ireland has been clear that Irish-authorised firms are expected to maintain adequate complaint handling resources in Ireland, not simply route all complaints to a centralised hub in another jurisdiction. The CBI expects firms to have substance in Ireland, including staff with the competence and authority to handle complaints. Firms that use Ireland as a brass-plate operation with minimal local staff will face supervisory challenges.

For cross-border complaint flows, the same dual-deadline principles apply. Payment complaints from consumers in any EEA market must be resolved within the PSD2 15 business day deadline. Non-payment complaints should be resolved within the timeframe expected by the host state regulator, with the CPC 40 business day deadline as the baseline. Firms should map the host state requirements for each market they serve and apply the applicable deadline.

Language is a practical consideration. While the firm's relationship with the Central Bank and the FSPO operates in English, consumers in other EEA markets may have a right to receive complaint responses in their local language. Firms should assess the language requirements for each host market and build the necessary capacity, whether through multilingual staff, translation services, or local complaint handling partners.

ADR referral is another area of complexity. When an Irish-licensed firm serves consumers in France or Germany, the firm may be required to direct the consumer to the local ADR body in addition to informing them about the FSPO. The FIN-NET network facilitates cross-border ADR referrals within the EEA, and firms should ensure their complaint response templates include the correct ADR body based on the consumer's location.

The Central Bank of Ireland has also focused on outsourcing arrangements for complaint handling. Firms that outsource complaint handling to a group entity or third party must ensure that the outsourcing arrangement does not compromise the quality of complaint handling or the firm's ability to meet its CPC obligations. The outsourcing arrangement must be documented, monitored, and subject to the Central Bank's outsourcing framework.

• Maintain adequate complaint handling substance in Ireland, including competent staff with authority to resolve complaints.
• Map host state complaint requirements for every EEA market served under the Irish licence.
• Ensure complaint responses are provided in the language required by the host state.
• Include the correct local ADR body information in complaint responses for cross-border consumers.
• Document and monitor any outsourcing of complaint handling functions, in line with CBI outsourcing expectations.
• Conduct an annual review of cross-border complaint flows to identify gaps in coverage or compliance.

Checklist: Irish complaint handling at a glance

Use this table as a quick reference for the core steps, the applicable rule or guideline, and the key requirement at each stage of complaint handling under CBI supervision.