Banking Regulation

All banks operating in the European Union are subject to a dizzying number of regulatory requirements. These rules and regulations are intended to improve outcomes for customers and to keep us, and the financial system as a whole, safe from harm. The laws apply to all banks equally, regardless of whether they’re digital or traditional. Understanding the rules, how they work and the rights that they afford consumers is a fundamental step in gaining comfort in using any bank, not just the ones we’re familiar with.

Last updated: March 31, 2026

Written by:
Dan Malone

1. EU Payment Services Directive (Directive 2015/2366)

The EU Payment Services Directive (PSD2) was transposed into Irish law under S.I. No. 6/2018 - European Union (Payment Services) Regulations 2018. It was introduced to improve payments security, boost innovation and increase competition in the banking sector. PSD2 applies to all payment service providers (i.e. banks) operating within the European Economic Area (EEA). Under PSD2, some of your key rights include:

A bank must refund you for any unauthorised transactions from your account, except where you’ve acted negligently or with an intent to defraud. For stolen cards and theft of payment data, your liability is limited to €50. If the transaction was the fault of the bank, or another third party, you’ll have no liability. Your refund must be processed no later than one business day after the bank has been notified of the transaction. If you incurred a loss of interest or any fees and charges as a result of having a lower balance (e.g. a bounced direct debit), these too must be recouped.

A bank must refund you for any SEPA direct debit payments taken from your account for up to 8 weeks after the payment is made if you request it. Refunds must be made within 10 business days of receiving the request. If you never authorised the direct debit to begin with, you have 13 months to notify the bank and receive a refund.

A bank must apply SCA (i.e. Two Factor Authentication) when logging into your bank account, initiating electronic payments and carrying out any action remotely which implies a risk of fraud. Exemptions to SCA are permitted under Commission Delegated Regulation (EU) 2018/389:

Contactless Payments (Article 11)

Where the transaction doesn’t exceed €50 and the cumulative value of transactions since the last SCA doesn’t exceed €150 or the number of contactless transactions since the last SCA doesn’t exceed five.

Low Value Online or Mobile Transactions (Article 16)

Where the transaction doesn’t exceed €30 and the cumulative value of transactions since the last SCA doesn’t exceed €100 or the number of online or mobile transactions since the last SCA doesn’t exceed five.

Recurring Transactions (Article 14)

SCA is applied when you first create, amend or initiate a recurring transaction with a payee for a specified amount. Subsequent transactions do not require SCA.

Trusted Beneficiaries (Article 13)

SCA is applied when you create or amend a list of trusted beneficiaries, but not where you make a payment to a trusted beneficiary.

Transaction Risk Analysis (Article 18)

SCA does not have to be applied where the transaction poses a low level of risk due to specific conditions being met.

Other SCA Exemptions

Transfers between your accounts held with the same bank (Article 15), unattended payment terminals for transport fares and parking fees, such as tolls or bus fares (Article 12), and access to account balance information and 90 days’ worth of transactions for 180 days (Article 10a - Commission Delegated Regulation (EU) 2022/2360).

Where funds are blocked in your account to settle a future transaction with an unknown value (i.e. car rentals and paying at the pump), you must give consent for the value of funds to be blocked. Blocked funds must be immediately released once the final transaction value is known.

A bank must provide you with a breakdown of the charges and foreign exchange rate that will apply, if applicable, before a transaction is made.

PSD2 prohibits retailers from charging you fees for using a debit or credit card.

If you’ve had your bank account for longer than six months, the bank cannot charge you a fee for closing it. If you’re required to give notice before closing an account, the notice period cannot be longer than one month.

PSD2 sets a legal minimum of one business day for SEPA bank transfers. This was taken one step further by Article 5a of Regulation (EU) 2024/886 (Instant Payments Regulation), which requires banks to provide 24/7 SEPA instant transfers (i.e. within 10 seconds) at no extra charge to customers. Banks must allow you to set maximum transaction or daily limits for SEPA instant transfers and they must verify that the payee name matches the IBAN before you authorise the transfer.

PSD2 allows you to make online purchases directly from your bank account without the use of a card (i.e. Pay by Bank) and to access information from your different bank accounts through one service provider (e.g. seeing all account balances in one dashboard).

2. EU Deposit Guarantee Schemes (Directive 2014/49/EU)

Directive 2014/49/EU requires every EU Member State to have a Deposit Guarantee Scheme (DGS) in place in the event that a regulated bank collapses. Every DGS exists so that savers across Europe can bank comfortably with the knowledge that their money is safe in the event of their bank’s failure.

As all EU regulated banks are covered by the DGS, there’s no difference in protection from one bank to another. If you wanted to, you could deposit with the bank that’s in the worst financial condition in the EU and your money would have the same protection as it would with the healthiest bank. That’s the whole point of the DGS. We talk about this as if major bank failures happen every day, but in reality, they’re extremely rare. Regardless, the DGS offers three key protections to customers:

Your total deposits across all accounts with a single bank are protected up to €100,000 in the event that the bank fails and your money becomes unavailable.

Your money must be returned to you within seven working days of the bank’s failure.

Certain high balances above €100,000 are protected for a period of at least 3 months but no longer than 12 months, depending on the scheme, after the amount has been received or becomes legally transferable.

To learn more about the Deposit Guarantee Scheme and how it works, you can check out our dedicated page here.

Key Insight: The Deposit Guarantee Scheme (DGS) acts as a last line of defence in keeping your money safe. In practice, there are many EU-wide rules and regulations that minimize the likelihood of a DGS claim ever being made in the first place. Some of these are explained below.

3. Capital Requirements Regulation (EU) No. 575/2013

The Capital Requirements Regulation (CRR) is a complex piece of legislation that ensures that all EU banks are able to withstand economic shocks. This protects depositors and the financial system as a whole. It’s the result of the Basel Accords, an internationally agreed set of requirements and safeguards that were to be imposed on banks in the wake of the Lehman Brothers collapse in 2008. 

As CRR is an EU regulation, not an EU directive, it directly affects every EU Member State and regulated bank equally. Some of the main requirements under CRR include:

Ensures that every bank has enough cash and cash equivalents to meet a high level of withdrawals over 30 days.

Ensures that every bank is funding its assets in a sustainable manner.

Ensures that every bank has the capacity to absorb a certain amount of losses on its assets before becoming insolvent.

Ensures that every bank maintains a minimum amount of its own funding relative to its total assets, regardless of what those assets are.

4. Capital Requirements Directive (CRD) (Directive 2013/36/EU)

The Capital Requirements Directive (CRD) was transposed into Irish law via S.I. No. 158/2014 & S.I. No. 159/2014. CRD focuses on the individuals operating a bank and the powers given to the regulators supervising them. Some of the main requirements under CRD include:

Ensures that a bank’s management team acts with honesty and integrity and has the necessary knowledge, skills and experience to carry out their duties.

Requires regulators to review the arrangements, strategies, processes and mechanisms that a bank has in place to comply with CRR & CRD, including stress tests and an assessment of risks. Banks will then be assigned an SREP Score from 1 (low risk) to 4 (high risk).

Allows regulators to require a specific bank to increase its capacity to absorb losses beyond the minimum requirements laid out under CRR. This is referred to as the Pillar 2 Requirement (P2R).

Allows regulators to communicate to a specific bank the capacity that it should have to absorb losses above its mandatory requirements under CRR & P2R. This is referred to as Pillar 2 Guidance (P2G).

Allows regulators to impose penalties, including periodic penalties, where a bank is in breach of its obligations under CRD or CRR.

5. Bank Recovery and Resolution Directive (BRRD) (Directive 2014/59/EU)

The Bank Recovery and Resolution Directive (BRRD) was transposed into Irish law via S.I. No. 289/2015. The purpose of BRRD is to ensure that bank failures can be resolved without the use of taxpayer money and with as little disruption to the economy as possible. Some of the key requirements of BRRD include:

Each bank must have a recovery plan and a resolution plan. The recovery plan sets out how the bank would restore its financial health following a crisis. The resolution plan sets out how the regulator (i.e. the Central Bank of Ireland) would deal with a failing bank in the least disruptive way possible.

Ensures the regulator can require a bank to implement its recovery plan, remove or replace its management team and change its business model or operations in times of distress.

Ensures each bank meets its Minimum Requirements for Own Funds & Eligible Liabilities (MREL). MREL takes the minimum capacity for loss-absorption under CRR and CRD, utilised at the Point of Non-Viability (PoNV), and adds an additional layer of debt that can be ‘bailed-in’ if required. Put simply, MREL exists to absorb bank losses and provide enough funds to restart the bank.

Allows regulators to ‘bail-in’ shareholders and creditors to absorb the losses of a failing bank. Deposits covered by the Deposit Guarantee Scheme can’t be bailed-in, but uncovered deposits technically can. However, for that to even be considered, billions of euros worth of MREL, all other bank debt and contributions via the DGS-bridge would have to be wiped out. If the bank has absorbed at least 8% of its total liabilities and own funds, the Single Resolution Fund (SRF) can be used to contribute up to 5% of the same. In short, it’s highly unlikely you’d ever incur a loss, even on deposits exceeding €100,000. The ‘No Creditor Worse Off’ (NCWO) principle guarantees you can’t lose more than what you would have lost if the bank had been liquidated. The law places you at the front of the queue for repayment in those circumstances.

6. Digital Operations Resilience Act (DORA) Regulation (EU) 2022/2554

The Digital Operations Resilience Act (DORA) is an EU regulation that ensures that financial entities, including banks, can withstand, respond to and recover from technological disruptions, including cyberattacks and system failures. Some of the requirements of DORA include:

Ensures that banks undergo Threat-Led Penetration Testing (TLPT) to assess how well they can detect, withstand and recover from sophisticated attacks.

Requires banks to report any major ICT-related incidents to the regulator. If the incident impacts your financial interests, they must inform you immediately and disclose the measures taken to mitigate its effects.

Ensures that banks have backup systems which can be activated to minimize downtime, disruption and loss.

Frequently Asked Questions

Yes, all regulated banks in the European Union are required to adhere to the same core rules and regulations irrespective of whether they’re a digital bank or a traditional bank with physical branches.

Yes, but you mustn’t have received at least 4 weeks’ notice of the value of the transaction and it must exceed what you could have reasonably expected to pay.

Regulators seek to ensure that banks cannot use mathematical techniques to excessively reduce their capital requirements. One example of this is the ‘Output Floor’ introduced as part of CRR3. By 2030, a bank’s internal models cannot calculate risk-weighted assets as less than 72.5% of what would have been calculated using a standardized approach.

If you hold less than €100,000 with that bank, then the chance of losing money is 0%. If you hold more than €100,000, your chance of losing money isn’t quite 0%, but it’s very close to it.

Verification of Payee (VoP) is a feature of the Instant Payments Regulation (Regulation (EU) 2024/886) which requires a bank to allow you to verify that a payee’s name matches the IBAN provided for SEPA transfers.