The Central Bank of Ireland’s (the “Central Bank“) May 2026 thematic assessment of compliance functions in the MiFID investment firm sector is a clear reminder that compliance is not simply a control function; it is central to governance, culture and customer outcomes. The review focused on whether firms had adequate compliance frameworks, effective planning, monitoring and testing processes, and high-quality compliance reporting to boards and sub-committees.
The findings are not uniformly negative. The Central Bank found that firms generally understood their obligations and that many compliance functions were actively involved in strategic decisions, including decisions on new business lines and new financial products. It was also positive that compliance functions appeared, in general, to be resourced in a manner proportionate to firms’ nature, scale and complexity.
However, the report identifies gaps that boards and senior management should treat as priority remediation items. Many firms could not demonstrate robust succession planning or contingency arrangements for compliance roles, creating a risk to the permanence and effectiveness of the compliance function. The Central Bank also noted limited direct compliance-led training in some firms, even though it views active compliance involvement in training as important to embedding regulatory awareness and an appropriate compliance culture across the organisation.
Compliance monitoring is another area requiring attention. Although most firms had risk-based compliance monitoring programmes, some had weaknesses in their compliance risk assessment process, insufficiently detailed compliance plans or compliance universes, and, in one case, no annual compliance plan at all. The Central Bank’s favorable reference to linking monitoring findings to targeted training is particularly useful, because it shows that compliance monitoring should not be treated as a static assurance exercise but as a source of practical business improvement.
Board oversight is likely to be a key supervisory focus. The Central Bank found that compliance reports were generally well documented, but that board and committee minutes did not always evidence substantive discussion, scrutiny or challenge of compliance matters. Firms should therefore ensure that minutes do more than record that a report was tabled; they should provide evidence regarding the questions asked, challenges raised and actions agreed.
All MiFID investment firms are expected to conduct a comprehensive self-assessment against the report’s findings, Article 22 of the MiFID II Delegated Regulation and the related ESMA Guidelines. The report must also be discussed at the next board meeting, with that discussion recorded in the minutes. Firms that identify gaps should develop and implement proactive, timely remediation actions, particularly around succession planning, compliance-led training, risk-based monitoring, horizon scanning and board challenge.
