KPMG Law LLP logo

24 January 2024

The Central Bank (Individual Accountability Framework) Act 2023 (the “IAF Act”) has ushered in a new era of individual accountability within the financial services industry in Ireland. In our first Regularity Outlook this year, we look ahead to its first full year in operation, considering important requirements imposed on individuals under the IAF Act, the risks associated with those requirements, and the measures available to address those risks.

The introduction of the Conduct Standards and SEAR as parts of an individual accountability framework represents a move by the Central Bank towards placing greater emphasis on personal accountability in the financial services sector. It mirrors the introduction of similar individual accountability frameworks in other jurisdictions, including the United Kingdom, Australia and Singapore.

KPMG has experience advising clients on all aspects of their responses to the introduction and operation of each of these similar frameworks.

Requirements on individuals

The IAF Act introduced conduct standards which came into effect on 29 December 2023 (the “Conduct Standards”), and a responsibility for individuals performing controlled functions (“CFs”), including individuals performing pre-approval-controlled functions (“PCFs”), to take reasonable steps to ensure the relevant conduct standards are met. 1

It also introduced a Senior Executive Accountability Regime (“SEAR”) which will come into effect for initial in-scope firms on 1 July 2024, 2 and a SEAR duty of responsibility on PCFs within those firms to take reasonable steps to ensure that the firm does not commit a prescribed contravention.

Risks to individuals

According to the Law Society of Ireland, the IAF Act “exposes a significant number of businesspeople to relatively severe and penal sanctions of up to €1million in fines and/or lifetime work-bans…and serious public reputational damage.”

The IAF Act simplified the process by which the Central Bank can investigate suspected breaches of financial services legislation by individuals and sanction those individuals where breaches are established. 3

Under the IAF Act, the Central Bank can take direct enforcement action 4 against an individual for failing to discharge their responsibility to comply with Conduct Standards and/or their SEAR duty of responsibility. 5

Where a failure is established the individual may be sanctioned, which could have severe personal consequences.

Potential sanctions that can be imposed on individuals:

  • caution or reprimand
  • suspension or disqualification from performing any CF/PCF role
  • monetary penalty of up to €1m
  • publication of details of breach and sanction

Addressing the risks

The requirements under the IAF Act operate on the principle of reasonable steps, which means that where such steps can be shown to have been taken, the individual will have fully discharged the requirement, and this should operate as a full defence to any allegation of a breach.

Determining what steps are reasonable in a particular circumstance may, however, not always be straightforward. The IAF Act defines reasonable steps as “steps that it is reasonable in the circumstances for the person to take”, 6 and according to the Central Bank’s Guidance on the IAF (the "Guidance"), “what is reasonable is context specific and will vary according to the facts and circumstances of each case.” 7

The IAF Act sets out information to be considered when determining reasonable steps, and the Central Bank has included additional information in the Guidance. To manage the risks under the IAF Act, individuals will need to apply this information to the performance of their roles. To assist with this, many firms have developed tools to help individuals take the right actions. The most important of these is a reasonable steps framework, which is likely to be based on the information included in the image below.

Reasonable Steps Framework

reasonable steps framework

Each organisation’s reasonable steps framework should be bespoke, taking into account the unique characteristics of the organisation and in particular its structure, systems, business, people and culture.

A key feature of a successful reasonable steps framework is the assembly of evidence of compliance with IAF Act requirements through the documenting of the reasonable steps taken by individuals. It is this evidence which will be crucial in demonstrating to the Central Bank that requirements under Conduct Standards and/or SEAR have been met.

Well-developed reasonable steps frameworks will facilitate this documenting of reasonable steps in as seamless a manner as possible, with minimum impact of the performance of roles or governance.

Lawyers from KPMG Law work with our Risk Consulting colleagues in KPMG Ireland who lead large-scale regulatory change programmes supporting clients with IAF readiness assessments and implementation planning, including the development of bespoke reasonable steps frameworks.

Clients benefit significantly from this combination of expertise, which delivers end-to-end solutions to complex legal and regulatory challenges. Further details of KPMG Ireland’s Risk Consulting team are available here.

Complying with IAF

It will be of comfort to individuals performing CF and PCF roles, that the Central Bank has stated its “approach to implementation of the new framework is based on the principles of proportionality, predictability and reasonable expectations” 8 and acknowledged “human error can occur, and that perfection is not the required standard.” 9

Further comfort will be taken from the Central Bank’s confirmation that “in considering reasonable steps, it will look to the overall circumstances and environments, as they existed at the time rather than applying standards retrospectively or with the benefits of hindsight.” 10

However, individuals will still be wary of the significant potential personal consequences for them of failing to meet the requirements imposed on them under the IAF Act, which the Irish Funds Industry Association said, “could represent financial ruin for individuals.” 11

The key to managing the risks to individuals arising from the IAF Act will be for them to comply with the requirements under the IAF Act by embedding reasonable steps into the performance of their roles and ensuring appropriate evidence of this is produced and retained.

How KPMG can help

KPMG Law LLP and KPMG Ireland are uniquely placed in the Irish market to assist you with your response to the IAF Act, with our teams of industry-leading legal, regulatory, consulting, and managed services experts, as well as KPMG’s international network.

KPMG Law can provide you with legal advice on all key IAF issues, which is subject to the protection of legal professional privilege. This may include:

1. Investigations of individuals by firms

Firms may be required to investigate suspected non-compliance by CFs or PCFs with financial services legislation, including the IAF Act. 12

These investigations can have profound consequences for individuals and may be subject to legal challenge. It is vital they are carried out in accordance with the principles of natural justice, providing those impacted by the investigation (who will typically be employees) with the appropriate standard of procedural fairness, and in a manner which is consistent with relevant provisions of employment contracts.

Lawyers from KPMG Law work with colleagues in KPMG Ireland’s Forensics and Managed Services teams to assist clients with all of the legal, technological and operational aspects of their investigations.

Further details of KPMG Ireland’s Forensics team are available here.

Further details of KPMG Ireland’s Managed Services are available here.

2. Challenges in meeting requirement to carry out annual F&P certification presented by an ongoing investigation of a CF or PCF

The IAF Act led to the introduction of a requirement for each firm to undertake appropriate due diligence to certify annually it is satisfied each individual performing a CF or PCF role is fit and proper to perform that role. Firms will be devising processes by which they carry out that appropriate due diligence, while respecting the individual’s rights, including their data and privacy rights.

Firms and individuals will also have to carefully consider the serious legal challenges that could arise in circumstances where an individual performing a CF or PCF role is the subject of an investigation by the firm (such as the investigation of a complaint under the firm’s disciplinary process) which is ongoing when the firm carries out its annual certification process.

In those circumstances the firm will need to consider whether it is willing to certify the individual notwithstanding that they are the subject of an ongoing investigation or decline to certify, which could potentially result in the immediate removal of that individual from their CF or PCF role prior to the conclusion of an investigation that may establish they have not committed any breach.

Assessing these issues will require careful consideration of the relevant facts, legislation and legal principles.

Lawyers from KPMG Law’s Financial Services Regulation and Employment teams, together with colleagues from KPMG Ireland’s Regulatory Consulting team are available to provide clients with comprehensive advice and solutions on fitness and probity.

Further details of KPMG Ireland’s Regulatory Consulting team are available here.

3. Requirement for individuals to report suspected breaches to the Central Bank

PCF’s can be required to report to the Central Bank where they suspect a prescribed contravention may have occurred or be occurring 13 and a failure to comply with this reporting requirement can itself be a prescribed contravention. A breach of an individual’s requirements under the Conduct Standards or SEAR is a prescribed contravention.

This means individuals must carefully consider any instance where they suspect a breach, which could include a colleague taking or supporting a decision which they believe is not in a customer’s best interest. They must then decide whether they are required to report this to the Central Bank.

There is no de minimis threshold to this requirement which creates a risk of individuals unnecessarily reporting suspicions of breaches by colleagues to the Central Bank out of a fear of sanction for not doing so, without first becoming satisfied on reasonable grounds that their suspicions are well founded.

When assessing any such suspicions individuals must give appropriate weight to the importance of diverse views in collective decision-making, which can lead to legitimate differences of opinion.

Individuals should also be aware that established legal principles, particularly those relating to certainty, mean that because of the level of subjectivity involved in the assessment of their suspicions and the limited lawful grounds upon which they can investigate their suspicions, adverse consequences for not reporting suspected breaches should only become potentially relevant in the most egregious and obvious of circumstances.

Lawyers from KPMG Law specialising in contentious regulation are available to provide advice which is subject to legal professional privilege in connection with the assessment of reporting obligations.

4. Engagements with the Central Bank

Firms and individuals will be required to engage with the Central Bank in connection with matters which concern or could concern the IAF Act for a variety of reasons, including as part of investigations by the Central Bank into suspected prescribed contraventions by the firm, the individual, or a colleague of the individual performing a Controlled Function.

These engagements could be by way of correspondence or interview. Where the engagement is by interview, the individual will either be requested to attend on a voluntary basis or be compelled to attend under statutory powers given to the Central Bank, 12 and the complete record of the interview will usually be retained in a written transcript prepared for the Central Bank by a stenographer who will attend the interview.

Individuals must not underestimate the importance of those engagements. There are several reasons for this, aside from the imperative of developing and maintaining a positive working relationship with the regulator. These include the requirement on individuals to cooperate with the Central Bank under the Common Conduct Standards, 13 the offence that can be committed in refusing to comply with a Central Bank request, 14 and fact that the Central Bank may be entitled to use information it obtains through those engagement in the performance of any of its functions under financial services legislation, 15 including the assessment of PCF applications as part of its gatekeeper function. 16

When preparing to engage with the Central Bank on the IAF Act, firms and individuals should exercise their right to take confidential legal advice, 17 and approach those engagements with the necessary understanding of the relevant legal issues, which can include the operation of the principles of natural justice, protections against self-incrimination, and potential grounds for challenge.

KPMG Law’s financial services regulation unit specialises in advising firms and individuals on a range of legal and strategic issue concerning their engagements with the Central Bank.

See also

For further information and background on the IAF, see our articles on the KPMG website:

Contact the team

Derek Hegarty

Derek Hegarty

Head of Financial Services Regulation

aoife newton

Aoife Newton

Head of Employment and Immigration Law

Gillian Kelly

Gillian Kelly

Head of Consulting
KPMG in Ireland

Yvonne Kelleher

Yvonne Kelleher

Managing Director
Risk Consulting
KPMG in Ireland

Rosalind Norton

Rosalind Norton

Risk Consulting
KPMG in Ireland

Ian Nelson

Ian Nelson

Head of Financial Services Regulation
KPMG in Ireland

Emer O'Brien

Emer O'Brien

Partner, Head of Financial Services & Regulatory
KPMG in Ireland

Katherine Gillespie

Katherine Gillespie

Managing Director
KPMG in Ireland


  1. Common Conduct Standards for CFs (including PCFs) and Additional Conduct Standards for PCFs
  2. Initial in-scope firms are credit institutions (excluding credit unions) insurance undertakings, investment firms which underwrite on a firm commitment basis and / or deal on own account and/or are permitted to hold client assets, and incoming third country branches of these entities
  3. On 13 December 2023, the Central Bank announced enhancements to its Administrative Sanctions Procedure to give effect to the changes introduced under the IAF Act, following a consultation (CP154)
  4. the Central Bank can also take indirect enforcement action against individuals for suspected participation in breaches of financial services legislation by firms
  5. The responsibility maps and statements of responsibility introduced under the IAF Act will assist the Central Bank in identifying PCFs it may wish to investigate where it suspects prescribed contraventions have been committed
  6. Central Bank (Individual Accountability Framework) Act 2023, S53C(1)
  7. Guidance on the Individual Accountability Framework, Central Bank of Ireland, p.62
  8. Guidance on the Individual Accountability Framework, Central Bank of Ireland, p.16
  9. Guidance on the Individual Accountability Framework, Central Bank of Ireland, p.61
  10. Guidance on the Individual Accountability Framework, p.62
  11. Irish Funds Industry Association response to the Central Bank of Ireland’s Consultation paper 154, p.14
  12. Guidance on the Individual Accountability Framework, Central Bank, p.124
  13. Section 53F of the Central Bank (Reform) 2010 Act; and Section 38(2) of the Central Bank (Supervision and Enforcement) Act 2013
  14. Section 34 of the Central Bank (Supervision and Enforcement) Act 2013
  15. Section 53E(1)(c) of the Central Bank (Individual Accountability Framework) Act 2023
  16. Section 32 of the Central Bank (Supervision and Enforcement) Act 2013
  17. Section 33 of the Central Bank (Supervision and Enforcement) Act 2013
  18. Individuals should expect that records of all previous engagements with the Central Bank to be assessed as part of any PCF application process
  19. Legal costs incurred in respect of an individual’s engagement with the Central Bank regarding the IAF Act may be covered by Directors and Officers insurance