20/05/2026

The Central Bank of Ireland (CBI) has published a Thematic Assessment of the Compliance Function in the MiFID Investment Firm Sector (the Report).

The CBI’s Regulatory & Supervisory Outlook publications for 2025 and 2026 (as to which see our insights posts here and here) identified weaknesses in culture, governance and risk management as key risks for the MiFID investment firm sector. This has led to an increased supervisory focus on MiFID investment firms’ compliance functions in light of their key role in reducing firms’ compliance risk, and supporting firms in securing customers’ interests. The CBI’s recent thematic assessment of the compliance function, which was carried out with a cohort of MiFID investment firms, is the latest output of this supervisory work.

Objectives of the assessment

The CBI’s assessment was carried out in two phases. Phase one involved a questionnaire and desk-based review, and phase two involved in-depth assessments and in-person sessions with Heads of Compliance at a selected subset of firms. The key objective of the thematic assessment was to assess firms’ adherence to the compliance function requirements set out in Article 22 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 (the MiFID II Delegated Regulation) and the related ESMA Guidelines, with the CBI examining three core requirements:

  • the adequacy of the compliance function and related compliance framework;
  • the effectiveness of the compliance planning, monitoring and testing process; and
  • the quality of compliance reporting to the board / sub-committee(s).

The Report aims to outline the key findings from the assessment, remind firms of their regulatory obligations, and highlight the CBI’s expectations for firms and boards in respect of their compliance functions.

Identified good practices

  • Resourcing and strategic integration: Firms generally had a good understanding of their obligations, and well-established compliance functions with appropriate resources considering the nature, scale and complexity of their business. Furthermore, the compliance function was actively involved in strategic initiatives and decision-making.
  • Risk-based monitoring: Most firms had established risk-based compliance monitoring programmes with calibrated tools, methodologies, scope and frequency. Some firms had extended their monitoring activity to include on-site inspections, providing a more meaningful verification of how policies and procedures operate in practice. The CBI also highlighted a positive example of one firm linking compliance monitoring findings directly to training needs, before conducting follow-up monitoring to assess whether the training had been effective.
  • Board reporting and horizon scanning: All firms were found to regularly provide mandatory compliance reports to boards and sub-committees, with those reports generally robust in content. On horizon scanning, most firms demonstrated that they recognise its importance in enabling the compliance function and fulfilling regulatory obligations.

Areas for improvement

  • Succession and contingency planning: Several firms could not show that responsibility for compliance would be effectively maintained in the event of key personnel absence or departure.
  • Compliance-led training: While training was generally being provided, the CBI was concerned by the absence in some firms of training designed and delivered directly by the compliance function, which it views as a visible indicator of compliance culture and senior management commitment.
  • Monitoring and board reporting: Some firms’ compliance risk assessments and monitoring plans lacked sufficient rigour and detail to allow boards to meaningfully scrutinise compliance activities. The CBI also found that board minutes were often failing to evidence the substantive discussion and challenge that should be taking place at board level.

Regulatory expectations and next steps

The CBI is clear on what it expects firms to do in response to the Report. In summary:

  • Self-assessment: Conduct a thorough review of the compliance function against the Report’s findings and the requirements of the MiFID II Delegated Regulation and ESMA Guidelines. Gaps should be identified and addressed promptly.
  • Board engagement and documentation: The Report must be tabled at the next board meeting, and the discussion must be recorded in the board minutes. Going forward, firms should ensure that board and committee minutes accurately capture the discussions and challenges raised at meetings in relation to the compliance function.
  • Training: The compliance function should be actively involved in designing and delivering compliance training across firms, embedding an appropriate compliance culture at all organisational levels.
  • Horizon scanning: Firms should treat horizon scanning as a priority, enabling the compliance function to get ahead of regulatory change and keep the board and senior management appropriately informed. Arthur Cox’s monthly Horizon Scanner is a useful, practical resource for tracking upcoming legal and regulatory developments in financial services.
  • Consumer protection: Firms should consider the revised Consumer Protection Code and related Guidance on Securing Customers’ Interests and the Protection of Consumers in Vulnerable Circumstances (see our insights post here), and how the compliance function can support embedding these standards across the business.

To discuss the Report in more detail, please contact a member of the Financial Regulation Group or your usual Arthur Cox contact.