Ireland Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Criminal Justice (Money Laundering and Terrorist Financing) Act 2010
Data protection: GDPR / Data Protection Act 2018
Also: FIU Ireland

Who regulates financial crime in Ireland?

The Central Bank of Ireland (CBI) is the primary AML/CFT supervisor for credit institutions, payment institutions, e-money firms, investment firms, insurance undertakings, and registered virtual asset service providers. It operates under powers granted by the Central Bank Act 1942 and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. In practice, the CBI supervises through on-site inspections, themed reviews across sectors, and its Administrative Sanctions Procedure (ASP), which can result in public reprimands, fines, and prohibition orders against both firms and individuals.

FIU Ireland sits within An Garda Síochána, Ireland's national police service. It's the national competent authority for receiving, analysing, and disseminating suspicious transaction reports. All designated persons file STRs electronically through the goAML platform. FIU Ireland is a full member of the Egmont Group, giving it access to financial intelligence sharing with over 160 peer units globally.

Operational financial crime investigations run through the Garda National Economic Crime Bureau (GNECB), which works alongside FIU Ireland on major cases involving fraud, market abuse, and large-scale money laundering.

The Revenue Commissioners hold a separate supervisory role for certain non-financial designated persons, including accountants, tax advisers, and estate agents. The Department of Finance leads AML/CFT policy and manages EU directive transposition. The Companies Registration Office (CRO) maintains the Register of Beneficial Owners (RBO), Ireland's central corporate beneficial ownership database.

Sources: Central Bank of Ireland AML/CFT supervision; FIU Ireland, GNECB.


What are the key AML and fraud laws in Ireland?

The foundation is the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010), which defines money laundering and terrorist financing offences and sets obligations for "designated persons": banks, credit unions, insurance firms, accountants, solicitors, estate agents, and others. It has been amended twice. The 2018 Amendment transposed the Fourth Anti-Money Laundering Directive (4AMLD), tightening beneficial ownership requirements and strengthening enhanced due diligence obligations. The 2021 Amendment transposed 5AMLD, adding virtual asset service provider (VASP) registration requirements and expanding high-risk third-country provisions. The full Act text is available at the Irish Statute Book.

The CJA 2010 directly embeds the FATF Rec 1 risk-based approach. Part 3 of the Act mirrors FATF Rec 10 customer due diligence standards. Record-keeping obligations in Section 55 align with FATF Rec 11, requiring five-year retention after the relationship ends.

The Criminal Justice (Corruption Offences) Act 2018 consolidates anti-bribery law. The Proceeds of Crime Acts 1996-2016 give the Criminal Assets Bureau (CAB) civil asset recovery powers, allowing seizure without a criminal conviction. The CAB was established in 1996 following the murder of journalist Veronica Guerin and has recovered over €300 million to date.

GDPR, implemented through the Data Protection Act 2018, governs how designated persons handle personal data collected during AML processes. AML data-sharing obligations sit within the public interest and law enforcement exemptions in Schedule 2 of the 2018 Act.

The EU AML Package agreed in 2024 will apply directly in Ireland from 2027, including the new Anti-Money Laundering Regulation (AMLR) and a central EU supervisory authority (AMLA) based in Frankfurt. This matters for planning purposes. By contrast, the United Kingdom AML compliance framework has diverged from EU standards since 2021, which creates real differences for firms running shared policies across London and Dublin.


What controls do Ireland regulators expect?

The CBI's expectations are set out in its published AML/CFT Guidelines for Credit and Financial Institutions, supplemented by sector-specific Dear CEO letters and inspection findings. The control requirements mirror the CJA 2010 and FATF standards, but the CBI's interpretation on several points is stricter than the minimum the directives require.

Customer Due Diligence: Designated persons must conduct Know Your Customer (KYC) checks on all new customers at onboarding and on existing customers when there's a material change in circumstances. Enhanced due diligence applies to politically exposed persons, customers from high-risk third countries, and correspondent banking counterparties. Simplified due diligence is permitted only where documented low-risk conditions are satisfied. The CBI expects firms to show, in writing, how CDD risk scores drive EDD triggers. A tick-box approach without genuine risk-based rationale has been a recurring finding in CBI inspections.

Transaction Monitoring: Monitoring must be ongoing for all business relationships. The CBI has explicitly noted in supervisory communications that manual-only monitoring is inadequate for institutions above a certain transaction volume. Alert thresholds and review processes should be documented and calibrated to the firm's own risk appetite, not defaulted to statutory reporting thresholds.

Sanctions Screening: Firms must screen against the EU consolidated sanctions list, UN Security Council list, and where relevant, OFAC's SDN list. Screening must cover customers, beneficial owners, directors, and transaction counterparties, not just the named account holder.

PEP Screening: Required for all customers who are, or become, politically exposed persons. Annual EDD reviews are the CBI's minimum expectation for active PEP relationships.

STR reporting: No monetary threshold applies. All designated persons file with FIU Ireland via goAML. Delays caused by internal committee escalation processes have appeared in inspection findings as weaknesses.

Record-keeping: Five years minimum from the end of the relationship, consistent with FATF Rec 11.


What is unique about compliance in Ireland?

Several features of Ireland's regime catch foreign compliance teams off-guard.

The VASP regime is more demanding than expected. Since the 2021 Amendment Act, any firm providing crypto-asset exchange, transfer, or custody services must register with the CBI before operating. The CBI reviews governance, AML/CFT frameworks, and the fitness and probity of proposed key function holders before granting registration. Approval timelines have run 12 to 18 months for some applicants. Firms that assumed the Irish VASP regime would be comparable to lighter-touch EU member states at the time found the CBI's expectations materially higher.

Two separate beneficial ownership registers. Ireland operates distinct registers: the Register of Beneficial Owners at the CRO for companies and industrial and provident societies, and a Central Register of Beneficial Ownership of Trusts managed by Revenue. Designated persons must verify Ultimate Beneficial Owner (UBO) information independently. The CBI expects RBO data to be one input in the verification process, not a substitute for CDD. This trips up teams used to treating government registers as conclusive.

Brexit relocation pressure created a substantive operation requirement. From 2019 onward, a significant cohort of international banks moved or expanded their EU operations to Dublin. The CBI was explicit: brass-plate structures would not be approved. Substantive local management, a resident MLRO with genuine independent authority, and an empowered local board are baseline requirements, not aspirational targets. The CBI communicated this publicly and has followed through in its supervisory reviews.

Special purpose vehicle risk at the IFSC. Dublin's International Financial Services Centre concentrates structured finance, fund administration, and treasury operations. These structures carry specific beneficial ownership risks. The Danske Bank money laundering scandal, centred in Estonia but involving SPVs with Irish connections, prompted the CBI to issue specific guidance to fund administrators and custodians on reviewing their exposure to similar structures.

Data protection enforcement is serious here. Ireland is the EU base for many large US technology companies, and the Data Protection Commission handles GDPR matters for a disproportionate share of global data flows. It has issued fines exceeding €1 billion against Meta and its subsidiaries. AML data retention policies receive more scrutiny in Ireland than in most EU member states, and compliance teams should budget time to align AML and GDPR record-keeping positions.


Recent enforcement actions in Ireland

The CBI enforces through its Administrative Sanctions Procedure, and outcomes are published on the CBI's public enforcement register. This gives compliance teams a searchable record of settled cases, findings, and penalty levels.

Ireland's AML/CFT enforcement posture hardened after FATF's 2017 Mutual Evaluation Report, available at fatf-gafi.org. The report assessed Ireland's legal framework as broadly sound but flagged gaps in supervisory effectiveness, particularly for non-bank designated persons and the non-financial sector. The CBI used the findings to justify a structured programme of enhanced AML/CFT inspections across banks, payment institutions, and fund administrators from 2018 onward. Supervisory engagement moved from periodic reviews to thematic inspections with documented follow-up.

The Danske Bank 2018 enforcement action is a case the CBI has cited in supervisory communications. The €200 billion laundering scandal at Danske's Estonian branch involved structured vehicles, including entities with Irish connections, used to route suspicious funds from former Soviet states into European financial channels. Irish fund administrators and banks with correspondent exposures received specific CBI guidance on reviewing similar structures. It's a reference point for any institution administering SPVs or handling correspondent flows from Eastern Europe.

For international groups with Dublin operations, the lessons of the Deutsche Bank 2017 enforcement action apply. Deutsche Bank's Dublin entity is among the largest on the island, and the CBI has signalled that intra-group transaction monitoring, a documented weakness in the Deutsche case, is an active inspection priority for subsidiaries of large international groups.

The CBI's enforcement record consistently shows personal prohibition orders and fitness and probity sanctions against senior individuals, not just firm-level fines. That's a meaningful distinction from some peer jurisdictions.


What foreign banks operating in Ireland need to know

Ireland hosts regulated entities for JPMorgan, Citibank, Goldman Sachs, Bank of America, and dozens of other international groups. The CBI's expectations for these firms go beyond what many compliance teams initially plan for.

Licensing: Credit institutions need a full banking authorisation from the CBI. Payment institutions and e-money firms require authorisation under the European Union (Payment Services) Regulations 2018. VASPs register under the CJA 2010 as amended. Firms entering via EU passport from another member state must notify the CBI and may face enhanced host-state supervision if Irish activities are material.

The MLRO requirement: The MLRO must be resident in Ireland, directly employed by the regulated entity, and hold genuine independent authority over STR decisions and AML/CFT policy. The role is a Pre-Approval Controlled Function (PCF) requiring prior CBI review of the proposed candidate. Outsourcing the MLRO function to a parent company or shared service centre in another jurisdiction has been explicitly flagged as inadequate. A deputy MLRO must also be designated and approved.

Outsourcing: AML/CFT functions can be outsourced within limits. The CBI's Outsourcing Guidance requires that the regulated entity retain accountability, conduct due diligence on service providers, and maintain genuine oversight capability. CBI inspection teams examine outsourcing arrangements. Gaps in oversight documentation generate findings.

Reporting timelines: STRs to FIU Ireland have no fixed statutory deadline, but the CBI expects prompt submission once suspicion crystallises. Delays caused by multi-committee escalation processes before filing have appeared in inspection findings. Ireland has no separate currency transaction reporting regime; the STR framework covers all suspicious activity regardless of amount.

UK divergence: Firms also regulated by the FCA should note that Ireland's AML framework is EU-law based. The United Kingdom AML compliance regime has moved in a different direction on several points since Brexit, including risk categorisation thresholds and certain enhanced due diligence requirements. Shared policies written for London may need adjustment for Dublin.

Language and documentation: All material submitted to the CBI must be in English. Inspection teams review written risk assessments, policies, and board papers. Policies translated from other languages should be reviewed by Irish counsel to confirm they accurately reflect CJA 2010 obligations, not just the directive language they were drafted against.


How FluxForce supports Ireland compliance

FluxForce gives Ireland-supervised firms a single platform for the control stack the CBI inspects. Real-time Transaction Monitoring flags patterns against the firm's documented risk thresholds. Sanctions Screening and PEP Screening run across customers, UBO chains, and counterparties against EU, UN, and OFAC lists. Automated STR drafting produces FIU Ireland-ready reports with a full evidence trail. Every decision is logged, timestamped, and retrievable for CBI inspections. To see how FluxForce maps to your Ireland compliance programme, book a demo.

FluxForce AI agents monitor transactions against Ireland's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for Central Bank of Ireland examinations.
