
Financial Regulation: Firms Must Get the Governance Right

“Governance is a key criterion by which the Central Bank of Ireland, in common with other global regulators, evaluates financial institutions,” writes Liam Flynn, whose practice focuses on advising regulated financial firms on their governance and internal controls environments. In this article, recently published in Finance Dublin magazine, Liam underscores the critical importance of good governance throughout an institution. He particularly emphasises the value-add for those regulated firms that can apply best governance practices to the internal regulatory change management processes that institutions now navigate on a continuous basis.


The financial regulatory agenda is in constant flux. Since the Crisis of 2008-2011, the pendulum has moved globally towards intensive and intrusive regulation. Ireland is no exception in this regard, and Irish regulated firms can expect to implement at least one substantial cross-sectoral regulatory reform process annually while also dealing with a continuous flow of sector-specific reforms.

In 2023, firms concentrated on implementing individual accountability and senior management responsibility systems (the IAF/SEAR regime). This year firms are concentrating on cybersecurity and digital resilience, with a deadline to implement the Digital Operational Resilience Act (DORA) by 17 January 2025. In 2025, firms can, we think, expect to be faced with implementation of the CBI’s revised Consumer Protection Code (CPC), targeted for publication in early 2025. At a minimum this will require a gap analysis between firms’ current consumer-facing practices and the revised rules to identify areas for enhancement or remediation. Firms will also need to operationalise the new Standards for Businesses and to implement related training.

In addition to major cross-sectoral reforms, each regulated sector is often contending with multiple specific reforms requiring simultaneous implementation. Payment service providers were required by the CBI to undertake an external audit of their safeguarding systems in 2023 and report to the CBI accordingly. The EU revised its bank capital adequacy rules in May 2024, and aspects of the revisions will apply from January 2025. Each specific reform package requires a host of detailed rule and process changes that firms must identify, implement and road-test.

The consequences for firms that mismanage regulatory change projects can be severe. The CBI’s regulatory enforcement regime has very sharp teeth: the largest (non-tracker mortgage related) fine imposed on a firm to date is €24.5m.[1] With the recent extension of the CBI’s enforcement powers against individuals under IAF/SEAR, presiding over regulatory failures can also be career-limiting or even career-ending. In our experience, the root cause of many regulatory failures at firms can be traced back to weak governance. Firms must get governance right, at entity, team and project level, to secure acceptable regulatory outcomes.

The starting point for good governance in any regulated firm is an appropriately constituted and smoothly functioning Board of Directors, providing robust but supportive challenge to the executive management team. Board composition must be carefully considered by shareholders if good governance is to be assured. The Board needs to have access to all key skill sets identified in the Board skills matrix, while also reflecting diversity: of gender, of thought and of cultural backgrounds. Some firms have found it very helpful to appoint a Board member from a consumer advocacy background, to ensure that the consumer perspective is held at the centre of all Board discussions.

Effective Board composition is an ongoing challenge. It will need to be readdressed regularly as members retire, resign and as the firm’s business changes and new skillsets are required. The Board succession policy and processes must be continuously reviewed, and potential candidates for appointment identified. New Board members also need comprehensive induction and on-boarding processes so that they can hit the ground running.

The lynchpin of an effective Board is an appropriately assertive Chair. A Chair that dominates Board discussions will suppress vital debate and dissent. A Chair that is overly passive risks allowing individual Board members to spend too much time in the weeds of their own areas of interest, depriving the executive management team of the meaningful challenge that they need.

Turning to “challenge”, this cannot be reduced to merely raising questions at meetings and ensuring these are minuted. Effective and appropriate challenge requires Board materials to be well prepared and circulated well in advance. Points of detail, clarificatory questions and requests for additional information should be raised ahead of the meeting, so that challenge at the meeting can be more strategic. A Board discussion should be focused on ensuring that initiatives have been fully thought through and that no material risks and threats have been overlooked. Comprehensive and accurate minute-taking is essential so that the firm can verify that appropriate challenge occurred and was effectively dealt with.

Every significant regulatory change process in a firm should adopt similar best practice governance procedures when establishing its terms of reference, composing its steering body and developing its project plan. A Board can have far greater confidence that regulatory failures will be avoided if a robust and well governed internal implementation process has been followed and it can review the associated documentary record before signing off. Best practice governance procedures, applied at Board, management and project team levels, are therefore vital to ensuring that significant regulatory reform processes have successful outcomes.

Firms can find it difficult to assess their own internal governance standards, for many reasons. An element of “groupthink” is normal in all organisations, and it can require an external perspective to disrupt established thought patterns and to point out where weaknesses lie. Experienced regulatory and governance lawyers are well placed to guide firms to address these and similar issues pragmatically, sensitively and cost-effectively. While recognising the cost pressures within all commercial organisations, we think that thoughtful and selective use of external governance consultants to enhance internal processes is an obvious way for firms to cope more effectively with continuous regulatory change.

For more information, contact a member of our Financial Regulation team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] Against Bank of Ireland for failures in IT continuity of service controls, imposed in December 2021.


