What the new anti-corruption directive means for Irish financial firms

The new directive must be implemented by EU member states before June 2028, although some provisions have a further year’s grace before coming into effect. It is the most significant overhaul of EU anti-corruption law in more than two decades, replacing a previously fragmented patchwork of national and EU rules. 

The new directive consolidates a host of previous legislation across the member states, introducing common definitions for offenses and minimum rules on sanctions and enforcement to create a consistent approach to dealing with bribery and corruption throughout the bloc.

For financial services firms, it signals higher enforcement risk, broader liability and more prescriptive compliance expectations, and companies must prepare now for the impact it will have on them.

What the new regime entails

The directive has a broad scope in terms of the offences it covers, including bribery – both public and private – misappropriation, illicit enrichment and obstruction of justice, along with a wide definition of who constitutes a public official that extends to those employed in private organisations who nonetheless perform public functions.

Within the financial sector, bodies which may previously not have been factored into anti-corruption rules now fall within the scope of the directive, including regulated entities and state-owned enterprises, meaning those working in those sectors must now be fully aware of their obligations.

The new directive also brings a ‘failure to prevent’ model into closer proximity, with companies now liable where misconduct has been committed by individuals in leading positions, or through a failure to supervise employees found to have been conducting activities in breach of the legislation.

For financial institutions with complex structures in particular, this brings an increased risk of exposure if governance is not appropriately managed.

Penalties and enforcement

Under the directive, individuals who are found in breach of the new rules face serious criminal sanctions, ranging from fines and disqualification from professional activities to imprisonment of up to five years, depending on the severity of the offence.

Companies and entities in breach of the directive also face significant sanctions. Member states are required to impose turnover-based fines of up to 5% of global turnover or, alternatively, an amount up to €40 million for serious offences. Organisations may also be banned or restricted from being involved in public procurement rounds, or face licencing and operating restrictions.

For those operating in the financial sector, such as banks, funds and insurers, these sanctions may also result in separate regulatory consequences imposed by financial supervisors, such as withdrawal of authorisations or fitness and propriety reviews, in addition to criminal penalties.

The directive also expressly preserves the possibility of parallel criminal proceedings against both the corporate entity and the individuals involved, meaning firms face a risk of concurrent liability at both institutional and individual level.

The directive allows for enforcement to be taken against non-EU companies which operate within EU member states or have business activities within the bloc. This means cross-border operations will need to ensure compliance right across the group to avoid falling foul of the new restrictions.

The EU-wide scope of the directive is also likely to lead to more coordinated and multi-jurisdictional investigations and enforcement action, particularly in complex financial crime cases, with the directive opening the door for greater collaboration between both national investigative bodies and pan-European organisations such as Europol to crack down on criminal activity.

What this means for you

The Irish government's 30-point action plan - launched this month by the Tánaiste and the Minister for Justice alongside Ireland's National Risk Assessment on Money Laundering, Terrorist Financing and Proliferation Financing - signals a significant intensification of Ireland's domestic response to financial crime, encompassing stronger intelligence sharing between state agencies, enhanced oversight of crypto assets and gambling, and improved coordination between financial crime, tax and customs investigations.

This national initiative will operate in parallel with Ireland's obligation to transpose the directive by June 2028, meaning firms operating in Ireland now face converging enforcement pressure from both EU and domestic sources.

The directive’s increased focus on compliance means companies within its scope should start reviewing their programmes now, as failure to prove measures have been taken to develop effective compliance programmes are likely to be factored into any enforcement and punishment.

Regulators will look more closely at how governance and oversight programmes are both established and managed, and what due diligence is being performed on transactions. High-risk ventures will also face increased scrutiny.

Financial firms operating in Ireland should seek expert input and conduct a gap analysis against the expanded framework of the directive as an essential first step, to assess their current position and identify and address any areas of potential non-compliance.

In practice, this should include reviewing third-party and intermediary arrangements, particularly where there is a risk of improper influence, as well as assessing policies around gifts, hospitality and supervision. Firms should clearly document steps taken should it be necessary to demonstrate mitigation.

Although national implementation will determine the precise contours of the regime, the new directive sets a clear direction of travel across Europe: stricter, more harmonised, and more aggressively enforced anti‑bribery rules will start to make their presence felt over the next two years.

Co-written by Helen Sparrow of Pinsent Masons.