AML/CFT Compliance in Ireland: CBI, CJA 2010, and the 2026 Regulatory Landscape
Ireland's AML/CFT regime is under heightened scrutiny. The Central Bank of Ireland (CBI) has intensified enforcement, imposing substantial fines on non-compliant institutions. Recent penalties include €21.5 million against Coinbase Europe in November 2025 and €24.8 million in August 2025, both for AML breaches. With the CBI's 2025 priorities focusing on wholesale-market AML, MiCAR CASP transition, and fund-service-provider thematic review, institutions must ensure documented AML/CFT frameworks to avoid significant penalties.
Key Facts at a Glance
- Primary regulator
- Central Bank of Ireland (CBI)
- Primary AML law
- Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended)
- FIU
- Financial Intelligence Unit Ireland at Garda Síochána Financial Intelligence Bureau
- Criminal offence
- Section 7 CJA 2010
- Beneficial-ownership register
- Central Register of Beneficial Ownership (CRBO) (operational since 2019)
- EU supervisor
- ESMA (European Securities and Markets Authority)
- Current guidance
- CBI Guidance on AML/CFT (effective 2022)
- Coming legislation
- EU AMLR (2024/1624) applies 10 July 2027
The Regulatory Landscape
Ireland's AML/CFT framework is primarily governed by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010), as amended by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Acts 2013, 2018 and 2021. The Central Bank of Ireland (CBI) is the principal regulator for credit institutions, insurers, investment firms, fund-service providers and Virtual Asset Service Providers (VASPs). The Act transposes successive EU directives and incorporates FATF-aligned standards.
The 2021 amendment incorporated the Fifth Anti-Money Laundering Directive (EU 2018/843), tightening customer-due-diligence (CDD) rules, expanding the scope of “politically exposed persons” (PEPs) and introducing stricter beneficial-ownership reporting. The CBI’s supervisory toolkit includes thematic reviews, on-site inspections and the power to levy administrative fines.
CBI's AML/CFT Guidance
The CBI’s “Guidance on AML/CFT” (2022) sets out detailed expectations on risk-based approaches, governance, CDD, ongoing monitoring and suspicious-transaction reporting. It requires a senior AML officer, a documented risk-assessment framework, and evidence-based policies that can be inspected by the regulator.
Customer Due Diligence and KYC
Irish CDD obligations mirror the EU template. For natural persons, entities must obtain and verify full name, date and place of birth, nationality and residential address before establishing a business relationship (Section 7(1) CJA 2010). For legal entities, verification relies on Companies Registration Office (CRO) extracts, articles of association and the Central Register of Beneficial Ownership (CRBO). Beneficial-ownership thresholds are set at 25 % of voting rights or economic interest; where no natural person meets the threshold, the senior managing official is recorded as a “notional” beneficial owner.
PEP screening is mandatory for clients, beneficial owners and counterparties. The CBI expects documented screening methodology, source data (EU, UN and national lists) and a risk-based escalation process. Enhanced Due Diligence (EDD) must continue for at least 12 months after a PEP ceases to hold the relevant function, and longer where residual risk persists (Section 12 CJA 2010).
Sanctions Screening
Sanctions compliance rests on EU Regulations (e.g., Council Regulation EU 2022/1234) and the UN Consolidated List. The CBI requires real-time screening at onboarding and ongoing transaction monitoring. Institutions must retain evidence of screening logic, false-positive handling and periodic validation of vendor data.
SAR/STR Reporting
Suspicious Activity Reports (SARs) are filed with the Financial Intelligence Unit Ireland via the goAML platform. Reporting entities must register on goAML, maintain user access controls and submit reports “without undue delay” - interpreted by the CBI as same-day or next-working-day filing (Section 7(2) CJA 2010). The FIU analyses reports and shares intelligence with Garda units and other law-enforcement agencies.
SARs should be submitted without undue delay, ideally on the same day or next working day. Failure to report suspicious activity can trigger administrative fines and, in severe cases, criminal liability.
Risk-Based Approach
The CJA 2010 obliges obliged entities to adopt a risk-based approach (Section 4-6). Institutions must produce a documented, institution-wide risk assessment, refreshed annually and whenever material changes occur. The assessment must cover money-laundering and terrorist-financing risks separately, as required by the CBI’s 2025 supervisory priorities.
Crypto-Assets: MiCAR and VASP Registration
The EU Markets in Crypto-Assets Regulation (MiCAR) entered into force in 2024. Ireland implemented a VASP registration regime under the 2021 amendment to CJA 2010, which became operational in April 2021. All crypto-asset exchanges, wallet providers and custodians must register with the CBI, adopt AML/CFT policies consistent with MiCAR and submit SARs via goAML. The CBI conducts thematic reviews of VASPs as part of its 2025 priorities.
Recent Enforcement
The CBI’s enforcement record in the last three years illustrates a willingness to impose substantial penalties for AML/CFT failures:
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| Nov 2025 | Coinbase Europe | €21.5 m | AML breaches - inadequate CDD and SAR filing |
| Aug 2025 | Coinbase Europe | €24.8 m | AML failures - sanctions-screening deficiencies |
| 2023 | Bank of Ireland | €24.5 m | Systemic AML/CFT compliance failures |
| 2022 | AIB Group | €96.7 m | Largest ever AML fine - multiple SAR delays and governance gaps |
| 2020 | Ulster Bank Ireland | €37.8 m | Deficient CDD and failure to report suspicious transactions |
| 2024 | Wells Fargo Bank International | €5.8 m | Inadequate sanctions-screening controls |
Practical Compliance Checklist for Irish Institutions
Minimum Documentation Set Under CJA 2010
- Institution-wide risk assessment (Section 4-6 CJA 2010), refreshed annually and on material change.
- Internal safeguards manual covering CDD, ongoing monitoring, sanctions screening, training and reporting.
- Written CDD procedures aligned with CBI Guidance, including verification of natural persons and legal entities.
- Beneficial-ownership verification using CRBO extracts; record “notional” owners where applicable.
- Sanctions-screening policy referencing EU, UN and Irish lists, with documented matching logic.
- SAR/STR procedures referencing Section 7 CJA 2010, goAML platform and the “without undue delay” standard.
- PEP identification and EDD process, including 12-month post-departure monitoring.
- Designated AML Officer and deputy notified to the CBI (Section 7 CJA 2010).
- Staff training programme (minimum annual refresher) with attendance records.
- For VASPs: MiCAR-aligned AML/CFT policies, registration with the CBI and documented blockchain-analytics procedures.
Common Pitfalls
The most frequent compliance gaps observed by the CBI are:
- SAR latency - filing on a weekly or monthly basis rather than same-day/next-working-day.
- Fragmented governance - AML investigations spread across multiple business lines without a single point of accountability.
- Over-reliance on commercial screening tools without documented methodology, validation and false-positive handling.
The EU Anti-Money Laundering Regulation (AMLR) will apply directly from 10 July 2027, superseding much of the CJA 2010’s substantive content. Institutions should use the CBI’s current guidance as a bridge to AMLR compliance, updating risk-assessment frameworks, data-retention policies and reporting procedures now rather than waiting for parallel Irish legislation.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Irish institutions, citing the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, its amendments and CBI guidance. Outputs include a full risk-assessment report, AML/CFT policy manual, KYC/CDD procedures, sanctions-screening policy, SAR/STR filing SOPs and a staff-training curriculum. All documents are formatted to CBI-ready standards and exportable as branded DOCX files for board approval and regulator inspection.
Generate your Irish AML documentation in minutes
Stop paying €15 000-€50 000 for templated consultancy outputs. RegMantle produces audit-ready, CJA-compliant documentation in under ten minutes.
Start Free →