Financial consumer protection changes shifting mass claims landscape in UK and Ireland

In both jurisdictions, enhanced regulatory obligations on financial service providers are requiring firms to play an increasingly proactive role in protecting consumers from fraud and financial abuse.

As Ireland prepares for a new financial services Consumer Protection Code and the country’s first mass action lawsuit gains momentum, 2026 is expected to significantly reshape consumer rights and regulatory expectations for the sector.

We explore below how developments across the UK and Ireland are expected to influence the consumer protection landscape and the implications for firms that operate across these jurisdictions.

Enhanced consumer protection

UK: ‘Leeds Reforms’

In the UK, the government has kickstarted an ambitious package of financial services reforms – known as the ‘Leeds Reforms’ – which are expected to modernise the UK’s financial services regulatory framework and significantly improve consumer protection.

In July 2025, in line with its ‘Financial Services Growth & Competitiveness Strategy’, the government announced the reforms would aim to simplify regulation, broaden access to financial advice, and stimulate growth in the UK financial services industry. The government said the ultimate goal of the reforms was to “position the UK as the number one destination for financial services companies by 2035”.   

Broadly speaking, these reforms are also designed to provide greater certainty for firms, streamline complaints handling, and maintain strong consumer safeguards while reducing unnecessary regulatory overlap.

In one consultation, which closed in October 2025, the government proposed reforms to clarify the role of the Financial Ombudsman Service (FOS) to ensure it operates as a dispute resolution body rather than a ‘quasi-regulator’. This includes aligning the FOS’s “fair and reasonable” test with FCA rules, introducing a 10-year longstop for complaints, and creating clearer processes for handling large-scale redress events. The government has now confirmed it will legislate to take forward these reforms, and a further consultation is underway.

The Financial Conduct Authority (FCA) confirmed its consumer duty as the central regulatory standard, shifting into supervision and assessment of consumer outcomes, particularly fair value, consumer understanding, and support for vulnerable customers. This marks progress beyond the FCA’s core regulatory requirement of ‘treating customers fairly’, which requires firms to evidence positive results rather than good processes alone.

Some of the reforms came into force on 19 January 2026, but others are due to come into effect throughout 2026 following a series of consultations. Both the proposed reforms and any subsequent changes resulting from the consultations are expected to form an important part of the consumer protection landscape across the UK this year and beyond.

Ireland: enhanced consumer duties

In 2026, Ireland welcomes a new Consumer Protection Code (CPC) that will place enhanced obligations on financial service providers, with associated regulatory and litigation risk in the event of non-compliance.

The CPC governs entities that are financially regulated by the Central Bank of Ireland in the provision of services to consumers. A new, modernised CPC comes into force on 24 March 2026 (CPC 2025), replacing the 2012 iteration (CPC 2012) in its entirety and introducing stricter rules for the digital age. The revised CPC 2025 aims to deliver a modernised framework reflecting changes and developments in the financial services sector and consumer protection context.

The CPC 2025 encompasses the Standards for Business Regulations 2025 and Consumer Protection Regulations 2025, supplemented with guidance to assist users in navigating the code. The introduction of the formal Standards for Business elevates the general principles of the old code into specific obligations, namely:

• securing consumers’ interests – a regulated entity will be explicitly required to secure customers’ interests in all decision-making, strategy and business models;
• informing effectively and transparently – shifts focus from meeting disclosure requirements as a ‘tick box’ exercise to communicating information to consumers effectively;
• raises the bar on compliance – compliance will not just be a checklist of rules but a culture. Senior leaders may also be held accountable if their systems result in poor consumer treatment as this ties into the Individual Accountability Framework, which was enacted in 2023 to strengthen and enhance accountability and governance within regulated financial service providers in Ireland.

The CPC 2025 also broadens the definition of ‘consumer’ to keep pace with inflationary changes. Under CPC 2012, the protections applied to personal consumers and small businesses with an annual turnover under €3 million. However, under CPC 2025, this threshold will be increased to €5m, bringing more small and medium-sized enterprises (SMEs) under the “consumer” umbrella.

CPC 2025 addresses the digitalisation of financial services. The CPC 2012 was technology neutral, with the same principles applied regardless of how a firm engages with its customers. CPC 2025 changes this by introducing new requirements to ensure financially regulated entities deploy a customer focus in the design and implementation of digital services and delivery channels.

In terms of financial abuse, although CPC 2012 did not explicitly task financial firms with anti-fraud duties, many regulated entities already have these policies in place. By contrast, CPC 2025 requires firms to play a more proactive role in protecting consumers from fraud and financial abuse, including notifying customers of significant fraud incidents, monitoring financial abuse trends, monitoring internal vulnerabilities and ensuring appropriate escalation processes.

The new code also requires enhanced customer support, reflecting the growing recognition that firms must take extra care to take account of the needs of certain vulnerable customers “who are more likely to suffer financial detriment or harm” (19 pages / 815KB PDF). It will be mandatory for regulated firms to have policies and procedures in place to identify consumers who may be vulnerable within data protection limits. This is an area where significant work may be required in many businesses to ensure internal processes and policies are aligned with the newly expanded definitions.

UK: mass claims in the financial sector

The evolving, global mass claims landscape is becoming increasingly relevant for the financial services sector in both the UK and Ireland.

In the UK, mass claims have evolved significantly from the earlier financial services-led PPI mass litigation which consisted of high-volume individualised claims. While fewer than 10 mass litigations were seen in the late 2010s, 47 new mass litigations were filed in 2024 alone, making it the most litigious jurisdiction in Europe for mass actions.

UK financial institutions are also increasingly facing claims as defendants or defenders in group litigation in other areas, such as mass data breach claims.

Group litigation orders (GLOs) in England and Wales represent a shift towards collective management of claims. The rise of these GLOs reflects broader trends in access to justice, funding reform, and judicial willingness to facilitate collective redress.

The Competition Appeals Tribunal provides another route for claimants to bring group proceedings. It has the power to manage ‘opt-out’ collective proceedings brought on behalf of consumers or businesses. While primarily a forum for determining cases involving alleged anti-competitive behaviour, it has adopted a permissive approach to which claims fall within its remit, including the certification of a data-related claim. This broadening of scope could pose a threat to the financial services sector through offering a potential route for consumers if they are able to base a case on an abuse of a dominant position.

In Scotland, the Scottish Civil Justice Council (SCJC) announced group procedure as a priority for 2025-26. A SCJC consultation was subsequently launched concerning the introduction of ‘opt out’ group proceedings in Scotland and closed on 23 January 2026. If the ‘opt out’ mechanism is brought in, Scotland will face a shift towards US-style mass claims with the potential for larger claimant groups and higher value claims.

If introduced in Scotland, this could increase the presence of litigation funders in Scotland, the risk to businesses of operation within Scotland, and contribute towards a climate of speculative or entrepreneurial litigation.

Ireland: mass claims in the financial sector

Even more change is afoot in mass claims in Ireland in the coming year, as there has been a growing risk of collective action against financial service providers since the enactment of the Representative Actions for the Protection of Collective Interests of Consumers Act 2023 (Representative Actions Act).

The Representative Actions Act transposed the EU Collective Redress Directive (EU) 2020/1828, enabling “mass action” lawsuits in Ireland for the first time. This allows a qualified entity (QE) to bring a High Court action on behalf of a group of consumers affected by the same alleged wrongdoing and applies to both domestic and cross-border infringements.

The EU directive’s preamble named “financial and investment services” as a priority area for strong consumer protection. Its scope spans a wide range of consumer protection laws, including the General Data Protection Regulation (GDPR), consumer credit, funds and insurance regulations and applies to infringements occurring on or after 25 June 2023.

In Ireland, the enactment of the Representative Actions Act in April 2023 opened the door for collective challenges on issues including hidden fees, unfair terms, data breaches and other systemic issues. ‘Relevant enactments’ can be enforced via representative action. Such enactments relevant in the financial services context include the GDPR, Consumer Rights Act 2022, Consumer Protection Act 2007, Distance Marketing of Consumer Financial Services Regulations 2004, Cross Border Payments Regulations 2010 and the Consumer Credit Agreements Regulations 2010.

Only QEs can initiate a representative action. In Ireland, an organisation can apply to the Minister for Enterprise, Trade and Employment to be designated as a QE if it satisfies certain requirements, including being able to establish 12 months of actual public activity in the protection of consumer interests; that it is non-profit making; that it is independent; and that is has a legitimate interest in the protection of consumer interests. Three QEs have been designated in Ireland: the Irish Council for Civil Liberties (ICCL), the European Center for Digital Rights (NOYB), and Digital Rights Ireland, which focus on data protection rights. Further designations are expected in due course.

The first set of proceedings under the Representative Actions Act were issued in May 2025 after the ICCL successfully applied to the High Court to launch a lawsuit against Microsoft for alleged breaches related to GDPR and online advertising data. The proceedings are expected to have major implications for technology companies which manage data under the GDPR.

Financial service providers in Ireland may now be exposed to civil class-action style lawsuits for wrongs which may have previously been dealt with by regulators or through individual proceedings. Firms will no longer be confined to isolated complaints and could face potentially hundreds or thousands of customer complaints in a single action. Mass actions attract media attention and can sow distrust in financial institutions, leading to reputational damage.

As the mass claims landscape continues to develop, financial services firms in the UK, Ireland and across Europe will be required to navigate increasing collective redress risks by keeping abreast of changing legislation and regulation and ensuring adequate consumer protection.

Co-written by James Ferguson of Pinsent Masons