Decision
Mr X and Central Bank of Ireland
From Office of the Information Commissioner (OIC)
Case number: OIC-153841-R1N3B8
Published on
From Office of the Information Commissioner (OIC)
Case number: OIC-153841-R1N3B8
Published on
Whether the Bank was justified in refusing access to records relating to the outsourcing of operational functions by a named credit servicing firm on the basis that the FOI Act does not apply to them, pursuant to Schedule 1, Part 1(b)(i) of the Act
4 September 2025
In a request dated 10 October 2024, the applicant sought access to records relating to a named credit servicing firm, ‘Company A’. He broke the request down into three constituent parts as follows:
1) all records related to the notification of outsourcing of operational functions by Company A to any external parties,
2) documentation regarding the granting of Power of Attorney to external parties by Company A, including the nature of the functions outsourced and the oversight measures in place, and
3) any guidelines or regulations issued by the Central Bank of Ireland concerning the outsourcing of operational functions by credit servicing firms.
On 24 October 2024, the Bank issued a decision wherein it refused the request. It refused parts 1 and 2 on the ground that it is not an FOI body in respect of the records sought, pursuant to Schedule 1, Part 1(b)(i) of the FOI Act. It refused part 3 under section 15(1)(d) of the Act, on the basis that the requested records are publicly available. It provided links to its website containing the records it considered to fall within the scope of part 3.
On 28 October 2024, the applicant sought an internal review of the Bank’s decision to refuse access to records pursuant to Schedule 1, Part 1(b)(i) of the Act. On 20 November 2024, the Bank affirmed its refusal of the request. On 20 November 2024, the applicant applied to this Office for a review of the Bank’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the communications between this Office and both the applicant and the Bank on the matter. I have decided to conclude this review by way of a formal, binding decision.
This review is concerned solely with whether the Bank was justified in refusing the applicant’s request on the ground that the FOI Act does not apply in respect of the records sought pursuant to Schedule 1, Part 1(b)(i).
Section 6(2)(a) of the FOI Act provides that an entity specified in Part 1 of Schedule 1 shall, subject to the provisions of that Part, be a public body for the purposes of the Act. Part 1 of Schedule 1 contains details of bodies that are partially included for the purposes of the FOI Act and details of certain specified records held by such bodies that are excluded. Part 1(b)(i) provides that the Bank is not a public body in respect of certain types of records as described in that Part. In other words, if the records sought are of a type that is described in Part 1(b)(i), then the FOI Act does not apply and no right of access exists to those records.
Part 1(b)(i) provides that the Bank is not a public body for the purposes of the FOI Act in relation to:
(i) records held by it containing—
(I) confidential personal information relating to the financial or business affairs of any individual, or
(II) confidential financial, commercial or regulatory information relating to the business affairs of any person who holds or has held or who has applied for a licence, authorisation, approval or registration from the Central Bank of Ireland, or is otherwise regulated by the Central Bank of Ireland,
that the Central Bank of Ireland has received for the purposes of performing, or in the discharge of, any of its statutory functions (other than when that information is contained in records in summary or aggregate form, such that persons cannot be identified from the record).
It is important to note here that under Part 1(b)(i)(II), the records concerned must contain information relating to the business affairs of “any person”. As the term "person" is not defined in the FOI Act, this Office considers it appropriate to apply the definition provided in the Statutory Interpretation Act 2005. Section 18(c) of that Act provides that when constructing an enactment, “person” shall be read as importing a body corporate (whether a corporation aggregate or a corporation sole) and an unincorporated body of persons, as well as an individual.
The Bank said Company A is authorised by the Bank as a credit servicing firm and that evidence of this authorisation is available on the Central Bank Registers on its website. It said the Registers contain individual registers for all financial service providers and collective investment schemes (CIS) regulated by the Central Bank. It said its Consumer Protection Directorate holds records it describes as comprising confidential correspondence between the Bank and Company A as part of the Bank’s conduct of its regulatory and supervisory role in relation to Company A. It said it holds further records containing confidential information regarding the application for authorisation by Company A, and confidential information received by the Bank regarding proposed changes to the business operations of Company A that was communicated to the Bank in the course of its supervisory work.
It said it considered the nature and contents of the records at issue and the contextual and technical information provided by the subject matter experts within the Bank and concluded that the records are the type of records described in Schedule 1, Part 1, paragraph (b)(i) of the FOI Act, namely that:
(i) the records contain confidential commercial, financial, and regulatory information relating to the business affairs of Company A;
(ii) Company A is regulated by the Bank;
(iii) the Bank holds the records at issue for the purposes of performing, or in the discharge of, its statutory functions, i.e. in this case the regulation of credit servicing firms; and
(iv) the information in the records relates to a named financial services provider and so is clearly not in summary or aggregate form.
The Bank said the records are in its possession due to its role as the authorising and supervisory authority for credit servicing firms under relevant legal enactments. It said the records consist of the following:
• queries and requests for clarification, including responses from Company A, on its application for authorisation as a credit servicing firm;
• email correspondence with Company A regarding changes to its operating model, in line with supervisory requirements;
• a presentation provided by Company A to the Bank;
• memo regarding authorisation decision on Company A;
• responses from Company A to queries raised by the Bank as part of its supervision of the financial services provider; and
• Company A, Programme of Operations.
The Bank said that considering the nature and content of the specific records, it is of the view that the records requested in parts 1 and 2 of the request clearly consist of financial, commercial and regulatory information relating to the business affairs of a regulated entity, i.e. Company A. It said that given the records comprise of supervisory and regulatory engagement directly between Company A and the Bank, and this financial and commercial information is shared with the Bank solely because of its role as supervisory authority, the records are clearly the confidential information of Company A. It said all of the above records were provided to the Bank by Company A in the course of its regulatory and supervisory engagement with the firm and the information is therefore that which “the Central Bank of Ireland has received for the purposes of performing, or in the discharge of, any of its statutory functions”.
In his correspondence with the Bank, the applicant said he did not consider Part 1(b)(i) of Schedule 1 of the Act to apply to the records sought. Among other things, he argued that the records sought are of a factual and operational nature, and Company A is not a banking or deposit-taking institution and the information is unlikely to meet the criteria for sensitive, proprietary financial data covered by the banking confidentiality provision in Part 1(b)(i). He argued that the confidentiality provisions under Schedule 1 are intended to protect the sensitive commercial information of banks and deposit-taking institutions and that Company A is a credit servicer and not a licensed bank. He argued that this distinction implies that Company A’s outsourced operational functions and oversight documentation are not the type of confidential regulatory information intended for protection under the Schedule. He went on to cite a number of sections of the FOI Act which, in his view, provide for the release of the records, in whole or in part. He argued that there is a public interest in the release of the records which outweighs any confidentiality considerations.
I wish to clarify at the outset that the question of whether other provisions of the FOI Act provide for the release of the records sought or whether the public interest favours their release is of no relevance in this case. As I have outlined above, if the records sought are of a type that is described in Part 1(b)(i), then none of the provisions of the FOI Act apply and no right of access exists to the records under the Act.
For Part 1(b)(i)(II) to apply to the records at issue, a number of requirements must be met:
1) the records must contain confidential financial, commercial or regulatory information relating to the business affairs of Company A, and
2) Company A must hold, or have held, or have applied for, a licence, authorisation, approval or registration from the Bank, or is otherwise regulated by the Bank, and
3) the Bank must have received the records for the purposes of performing, or in the discharge of, any of its statutory functions, and
4) the information in the records must not be in summary or aggregate form such that persons cannot be identified from the records.
On the matter of the applicant’s assertion that the confidentiality provisions under Schedule 1 are intended to protect the sensitive commercial information of banks and deposit-taking institutions and that Company A is a credit servicer and not a licensed bank, I note that there is no requirement in Part 1(b)(i)(II) that the financial service provider must be a licensed bank or deposit taking institution. Moreover, while I make no finding on the applicant’s assertion that the information in the records may be of a factual and operational nature, this does not mean that the information cannot comprise confidential financial, commercial or regulatory information. The question I must consider is whether the information comprises confidential financial, commercial or regulatory information relating to Company A.
The records sought in his case concern the outsourcing of operational functions by Company A. I am satisfied that such records would contain financial, commercial or regulatory information relating to the business affairs of Company A. On the matter of whether such information can be regarded as confidential information, I am satisfied that it can. I accept that the information was shared with the Bank solely because of its role as supervisory authority and that the information concerns the private affairs of Company A. I am satisfied that the information has the necessary quality of confidence about it.
I am also satisfied that Company A holds an authorisation from the Bank and that the Bank received the records for the purposes of performing, or in the discharge of, any of its statutory functions. I find therefore, that the second and third conditions for Part 1(b)(i)(II) to apply are met. Finally, as the request was for information specifically related to a single named entity, I am satisfied that the information in the records is not in summary or aggregate form such that persons (which includes Company A) cannot be identified from the records.
Accordingly, I find that the records are covered by paragraph (b)(i)(II) of Part 1 of Schedule 1 and that the FOI Act does not apply to the records at issue.
Having carried out a review under section 22(2) of the FOI Act, I hereby affirm the Central Bank’s decision. I find that it was justified in refusing access to the records sought pursuant to paragraph (b)(i) of Part 1 of Schedule 1 of the FOI Act.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Stephen Rafferty
Senior Investigator