ICYMI
- OpRes: UK regulators' proposals for more reporting on operational incidents and material third party arrangements
- ASIC pursues AFS licensee, FIIG, for inadequate cybersecurity risk management (Australia)
- SaaS Contracting Guide - Things you need to know when SaaS contracting
Global
BCBS meeting: Strengthening supervisory effectiveness, ICT risk management, NBFI
The Basel Committee on Banking Supervision (BCBS) has published a report on its virtual meeting held on 12 and 13 March 2025 to discuss a range of initiatives. The BCBS took stock of its work to develop a suite of practical tools to support supervisors in their day-to-day work as part of its efforts to strengthen supervisory effectiveness in light of the lessons learned from the 2023 banking turmoil. This work covers the supervision of liquidity risk and interest rate risk in the banking book, the assessment of the sustainability of banks' business models, and the importance of effective supervisory judgment. An update on the outcome of this work is expected to be published by mid-2025.
The BCBS also agreed to analyse recent developments and global practices related to banks' information and communication technology (ICT) risk management. It plans to publish in 2026 a range of practices report summarising its findings.
In addition, the BCBS agreed to further investigate banks' interconnections with non-bank financial intermediation (NBFI), with a particular focus on synthetic risk transfers (SRTs). The investigation will seek to better assess the benefits and risks posed by SRTs. [14 Mar 2025] #ICT
IOSCO launches 2025 Work Programme
The International Organisation of Securities Commissions (IOSCO) has announced its Work Program for 2025, outlining key priorities to enhance financial resilience, market effectiveness and investor protection in global markets. Among the fintech-related work that IOSCO has planned is:
- taking targeted action to address risks posed by imitative and copy trading, poor digital engagement practices, potential conflicts by neo-brokers and the activities of finfluencers;
- actively engaging with social media companies and search engines to combat online scams;
- launching a new investor alert portal, the IOSCO I-SCAN;
- launching a pilot crypto and digital assets (CDA) implementation monitoring initiative in cooperation with the FSB;
- further developing work on the use of AI; and
- continuing to monitor how asset tokenisation is evolving. [12 Mar 2025] #SocialMedia #Crypto #AI #Tokenisation #NeoBrokers #FinFluencers
IOSCO: Consultation report on AI in capital markets
IOSCO has published a consultation report on AI in capital markets. The report identifies five key findings following engagement with IOSCO members and stakeholders:
- Firms are increasingly using AI to support decision-making processes in applications and functions such as robo-advising, algorithmic trading, investment research, and sentiment analysis, and also to enhance surveillance and compliance functions, particularly in anti-money laundering (AML) and counter-terrorist financing (CFT) measures.
- Firms are using recent advancements in AI to support internal operations and processes through task automation; to enhance communications; and to improve risk management functions.
- The risks most commonly cited include: malicious uses of AI; AI model and data considerations; concentration, outsourcing, and third-party dependency; and interactions between humans and AI systems.
- Industry practices are evolving, with some financial institutions incorporating AI into existing risk management and governance structures, and others making bespoke arrangements.
- Regulatory responses to the use of AI in the financial sector are also evolving, with some applying existing regulatory frameworks, while others are developing new regulatory frameworks.
Comments on the report are requested by 11 April 2025. [12 Mar 2025] #AI #Algos #RoboAdvice
IOSCO consults on neo-brokers
IOSCO has published a consultation on neo-brokers, which are a subset of brokers characterised by providing online-only investment services and by the absence of physical operating branches, thereby using technology to facilitate those services and access to financial markets.
The paper sets out IOSCO’s understanding of the business model developed by neo-brokers and the potential issues that may arise because of the activities of these neo-brokers. In this respect, it identifies two areas which require specific action: the potential risk of conflicts of interest, mainly due to business models inducing retail clients to trade more frequently; and the need for solid IT infrastructure, given the online-only business model.
The report then sets out a list of potential recommendations provided as guidance. These relate to:
- the provision of appropriate disclosure of fees and charges from neo-brokers to retail investors and the way neo-brokers advertise themselves;
- the disclosure and consent that neo-brokers should provide and obtain from clients when offering them ancillary services to core trade execution services;
- the potential impact of non-commission related trading revenue (such as payment for order flow) on the best execution of neo-brokers’ customer orders; and
- the robustness of neo-brokers’ IT infrastructure.
Responses to the consultation are requested by 12 May 2025. [12 Mar 2025] #NeoBrokers #OpRes
UK
FCA seeks views on removing £100 contactless limit
The FCA has published an engagement paper on contactless payment limits. It sets out how the FCA could approach contactless payment limits in the future, to give greater flexibility to payment service providers (PSPs), consumers and businesses to decide contactless limits which work for them, while also reducing the risks of fraud. Options include allowing PSPs to take a risk-based approach to contactless payments, as well as significantly increasing the existing regulatory contactless limits, or even removing them entirely.
Feedback on this paper will help inform further development of proposed rules or changes, which the FCA will consult on formally in due course. Comments are requested by 9 May 2025. [14 Mar 2025] #Payments
HMCTS: Master of the Rolls discusses UK LawTech progress and new initiatives
HM Courts and Tribunals Service (HMCTS) has published a speech by Sir Geoffrey Vos, Master of the Rolls and Head of Civil Justice in England and Wales, delivered at the LawTech UK Conference 2025. Sir Geoffrey touched on the existing work products of the UK Jurisdiction Taskforce (UKJT), which was established with the objective of educating and providing initiatives to grow the UK’s LawTech market. He then discussed three new work products the UKJT is planning to work on in the next year:
- control in relation to third category digital assets – the UKJT has established an expert group under the chairmanship of Lord Justice Zacaroli to produce non-binding guidance on the legal concept of ‘control’ in relation to third category digital assets;
- liability for harms caused by AI – the UKJT will produce a fourth legal statement on redress for harms caused by AI, also with an eye to whether or not statutory intervention or underpinning is required; and
- the International Jurisdiction Taskforce – the UKJT is embarking on the formation of an International Jurisdiction Taskforce. The idea would be to bring together some of the best legal thinkers in the digital space from the main private law jurisdictions around the world, with a view to understanding how much common ground exists between their approaches to digital assets and digital trading.
Sir Geoffrey also emphasised the importance of LawTechUK, suggesting three rationales for its journey: the legal sector is the UK’s unique selling point (USP); AI will transform the legal sector; and LawTechUK has a role in global leadership. [14 Mar 2025] #DigitalAssets #Crypto #AI
Government announces PSR will be 'abolished'
The Government has announced that it will legislate to 'abolish' the PSR and to transfer the bulk of its responsibilities into the FCA. The announcement notes that businesses have complained that the regulatory environment is too complex. A letter from Economic Secretary Emma Reynolds MP to the TSC sets out more detail on the plan, including the intention to consult in the summer. The PSR has responded to the announcement, indicating that it will work with the Government and its peer regulators on a smooth transition; the FCA Chair Nikhil Rathi has also issued a statement. [12 Mar 2025] #Payments
FCA Innovation Digital Sandbox: APP Fraud Dataset evaluation report
The FCA Innovation Digital Sandbox has published its authorised push payment (APP) dataset evaluation report. The report covers the development of a synthetic dataset over the course of 2022 to 2024. The APP Fraud Dataset is available on the FCA Innovation Platform, with an expanded profile dataset released in November 2024. Updates planned for 2025 include financial product insights and enhancements to credit scoring and outcomes data. Alongside fraud detection, Digital Sandbox users can utilise the dataset to support Consumer Duty compliance and improve outcomes. [12 Mar 2025] #Sandbox #APPFraud
PSR: Publication of 2024 APP scams data
The Payment Systems Regulator (PSR) has issued Policy Statement 25/3 – Publication of 2024 (APP) scams data (PS25/3). PS25/3 sets out the PSR's approach to publishing APP scams data for 2024 and includes its considerations for future reporting.
Given the introduction of the reimbursement requirement, the PSR proposes to publish two separate updates for 2024: Cycle 3 APP scams pre-reimbursement requirement; and Cycle 3 ‘a snapshot of industry performance post reimbursement’.
The PSR is also planning to carry out a call for views in spring 2025, where it will engage with stakeholders to ensure that its future reporting aligns with consumer needs, regulatory requirements, and its commitment to transparency. [12 Mar 2025] #APPFraud #Payments
FCA Consumer Panel response to consultation on safeguarding regime for payments and e-money firms
The FCA has published the Financial Services Consumer Panel's response to CP24/20: Changes to the safeguarding regime for payments and e-money firms. The panel reiterates its reservations, as stated in previous responses, about the existence of a ‘money’ and payments regime which distinguishes between forms of money and payment providers. The panel takes the view that all money is systemic to those that hold it, and all payment providers are systemic to those that depend on them; the risk to consumers who hold their funds at smaller e-money firms which might fail should not be ignored. The panel also makes a number of comments in relation to consumer confidence and consumer understanding, and sets out principles by which it believes firms should be guided to ensure that they are acting in the best interests of consumers. [10 Mar 2025] #Payments #EMoney
FCA and ICO announce industry roundtable – supporting AI, innovation and growth in financial services
The FCA and Information Commissioner's Office (ICO) have published a joint letter to trade association chairs and CEOs on supporting AI, innovation, and growth in financial services. The letter explains that the FCA and ICO will be holding a roundtable with industry leaders on 9 May 2025. The initiative follows on from feedback to an FCA and Bank of England (BoE) survey, which identified data protection and the Consumer Duty to be among the top regulatory constraints to AI deployment.
The roundtable will provide the opportunity to discuss:
- the broad areas of regulatory uncertainty and challenge that firms face in respect of AI adoption and wider innovation;
- how the ICO and FCA can work together with industry to provide greater regulatory certainty and support growth; and
- the specific areas of data protection and financial regulation in which firms need greater regulatory support to enhance their ability to innovate and adopt new technologies. [10 Mar 2025] #AI
FRC launches public beta of digital tool to transform access to company data
The Financial Reporting Council (FRC) has announced the public beta launch of its digital reporting Viewer, a new tool designed to improve free access to structured company reporting data. The project, led by the FRC, aims to accelerate and support the use of structured company and organisational data across both public and regulatory sectors, and is supported by key regulatory partners including Companies House, the Charity Commission, the FCA and HM Revenue and Customs (HMRC).
The FRC welcomes feedback from users during the public beta phase. [10 Mar 2025] #Data #Reporting
SI: The Digital Markets, Competition and Consumers Act 2024 (CMA Consumer Enforcement Rules) Regulations 2025
The Digital Markets, Competition and Consumers Act 2024 (CMA Consumer Enforcement Rules) Regulations 2025 has been made. This statutory instrument (SI) confirms the Secretary of State's approval of procedural rules for the Competition and Markets Authority’s (CMA's) new consumer law direct enforcement powers.
The regulations come into force on 6 April 2025. An explanatory memorandum accompanies the regulations. [10 Mar 2025] #DigitalMarkets
Europe
OJ: Commission Delegated Regulations supplementing MiCAR
The following Commission Delegated Regulations supplementing the Markets in Cryptoassets Regulation (MiCAR) have been published in the Official Journal of the EU (OJ):
- Commission Delegated Regulation (EU) 2025/416 supplementing MiCAR with regard to regulatory technical standards (RTS) specifying the content and format of order book records for cryptoasset service providers (CASPs) operating a trading platform for cryptoassets; and
- Commission Delegated Regulation (EU) 2025/417 supplementing MiCAR with regard to RTS specifying the manner in which CASPs operating a trading platform for cryptoassets are to present transparency data.
The Regulations will enter into force on the twentieth day following their publication in the OJ. [14 Mar 2025] #Crypto #CASPs
ECB: Eurosystem to offer verification of payee service
The European Central Bank (ECB) has announced that it has concluded its exploratory work for offering a Verification of Payee (VoP) service for payment service providers (PSPs), building on the services developed by two Eurosystem central banks. The solutions will achieve Single Euro Payments Area (SEPA)-wide reach and will benefit from the coordination by the Eurosystem. Any PSP in the euro area will be able to fulfil its obligation to offer a VoP service to its customers by 9 October 2025, using one of the two solutions.
The introduction of a VoP service is expected to reduce the risk of fraud and payment errors by allowing payers to verify the account details of the intended recipients before payments are initiated. This service will be available for instant payments, including those settled in TARGET Instant Payment Settlement (TIPS), as well as for SEPA credit transfers. [11 Mar 2025] #Payments #SEPA #VoP
ESMA: Translated guidelines on explanations and opinions, and the standardised test for cryptoassets under MiCAR
The European Securities and Markets Authority (ESMA) has published translations of its Guidelines on explanations and opinions, and the standardised test for cryptoassets under Article 97(1) of MiCAR.
Within two months of the date of publication of these guidelines, National Competent Authorities (NCAs) must notify the relevant regulator as to whether they comply or intend to comply with these guidelines, or otherwise give reasons for non-compliance. [10 Mar 2025] #Crypto #MiCAR
Australia
APRA: Therese McCarthy Hockey's remarks to COBA CEO and Directors Forum
The Australian Prudential Regulation Authority (APRA) has released Executive Board Member Therese McCarthy Hockey's remarks to the Customer Owned Banking Association's CEO and Director forum, outlining key strategic risks which banks may wish to consider. Among the risks which are of interest from a fintech perspective are:
- the threat from cyber criminals and the need to develop and upgrade websites and applications with sufficient cyber security features, whilst maintaining 'sound operating systems' which would allow consumers and businesses to seamlessly and confidently undertake their daily finances and operation of their businesses (to meet the evolving expectations of consumers); and
- the ability for banks to identify, recruit and retain the right people so as to guide banks in a modern banking environment - notably individuals who possess sufficient technology skills.
Therese McCarthy Hockey stressed the need for banks of all sizes to be agile in developing products and services to meet customer demand, but to also remain strong enough to be resilient in a crisis; in part, this requires banks to develop and adopt long-term business strategies with detailed and deliverable plans that allow banks to identify and recover from threats in the future. [14 Mar 2025] #Cyber
ASIC sues FIIG Securities for systemic and prolonged cyber security failures
The Australian Securities and Investments Commission (ASIC) has announced that it has commenced proceedings in the Federal Court against FIIG Securities Limited (FIIG), alleging that FIIG failed to have adequate cyber security measures between March 2019 and 8 June 2023. ASIC alleges that this failure by FIIG contravened its obligations as an AFS licensee to take adequate steps to protect itself and its clients from cyber security risks, which contravened ss 912A(1)(a), (d), (h) and 912A(5A) of the Corporations Act 2001 (Cth).
Specifically, ASIC alleges that FIIG failed to:
- have appropriately configured and monitored firewalls to prevent cyber attacks;
- update and patch software and operating systems to address security vulnerabilities;
- provide mandatory training to staff on cyber security awareness; and
- have adequate human, technological and financial resources to manage cyber security.
ASIC alleges that the gap in cyber security measures enabled the theft of approximately 385GB of confidential data beginning on 19 May 2023, with around 18,000 clients being notified that their personal information (names, addresses, birth dates, driver's licences, passports, bank accounts and tax file numbers) may have been compromised. ASIC Chair Joe Longo shared: 'All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC … Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices'.
ASIC is seeking declarations of contraventions, civil penalties and compliance orders, and has reiterated that ensuring adequate cyber security protections remains an enforcement priority for ASIC. Please find Herbert Smith Freehills’ note on the commencement of these proceedings here. [13 Mar 2025] #Cyber
Singapore
MAS: Collaboration with Viet Nam SSC on capital markets regulation and digital assets regulatory framework
The Monetary Authority of Singapore (MAS) and the State Securities Commission of Viet Nam (SSC) have announced a collaboration, via a Letter of Intent (LOI), on capacity building in support of the development of a digital asset regulatory framework for Viet Nam. The LOI facilitates the sharing of information on regulatory frameworks for capital markets and digital assets, sharing of experience in anti-money laundering (AML) and counter-terrorism financing (CTF), and building of capacity. [12 Mar 2025] #Payments #DigitalAssets
MAS: Enhanced cooperation with Viet Nam on financial innovation
MAS has announced that it has agreed with the State Bank of Viet Nam (SBV) to enhance their existing Memorandum of Understanding (MoU) to further cooperate on financial innovation. The upgraded MoU will facilitate an expanded scope of cooperation on joint digital innovation projects, promote payment connectivity between Singapore and Viet Nam, and support fintech operations in both markets. [12 Mar 2025] #Payments
MAS: Joint advisory on scams involving digital manipulation (deepfakes)
MAS, the Singapore Police Force (SPF), and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory on scams involving AI-created or AI-manipulated synthetic media, or 'deepfakes'. AI may be used to assist in the impersonation of executives of companies for which the victims work; the scams typically see victims instructed to transfer funds from company accounts. Businesses are advised to adopt the following precautionary measures:
- Establish protocols for employees to verify the authenticity of video calls or messages, particularly those purportedly from senior executives or key stakeholders. Train employees to be vigilant about unsolicited video calls or messages, even if they appear to come from known business contacts.
- Be mindful of any sudden or urgent fund transfer instructions and verify the authenticity of the instructions with the relevant departments or personnel directly through established communication channels.
- Analyse the audio-visual elements of the video call. Check for tell-tale signs that could suggest the manipulation of the audio or video through AI technology.
- Never disclose confidential or personal information or send money to unknown persons.
- Alert employees to this scam, especially those that are responsible for making fund transfers.
- In the event of suspicion that the company has fallen victim to a scam, call the associated bank immediately to report and block any fraudulent transactions, and make a police report. [12 Mar 2025] #AI #Deepfakes
Malaysia
BNM: Progress on DITO license applications
Bank Negara Malaysia (BNM) has announced that it has received encouraging interest from various parties in submitting applications for Digital Insurers and Takaful Operators (DITO) licence(s) just three months into the start of the two-year application window, which began on 2 January 2025. The planned consultation sessions with interested applicants are currently underway. The application period will remain open until 31 December 2026 and BNM may announce successful applicants during or after this period. [10 Mar 2025] #DITO #Insurance
Thailand
SECT adds USDC and USDT to the cryptocurrencies list
The Securities and Exchange Commission Thailand (SECT) has specified the list of eligible cryptocurrencies to be used for investment in digital tokens through the initial coin offerings (ICOs) process and as a base trading pair against digital asset exchanges. Currently, there are five listed cryptocurrencies: Bitcoin (BTC), Ethereum (ETH), Ripple (XRP), Stellar (XLM), and cryptocurrencies used for testing settlement with Bank of Thailand’s (BoT's) Programmable Payment Sandbox. Following consultation, the SECT has issued a notification adding two additional cryptocurrencies: USDT and USDC.
The Notification regarding the amended criteria will take effect as from 16 March 2025. [6 Mar 2025] #Crypto #Tokenisation #Payments #Sandbox
India
RBI: Digital Payments Awareness Week 2025
The Reserve Bank of India (RBI) has announced the inauguration of the 5th Digital Payments Awareness Week, an initiative to highlight the impact and importance of digital payments and to create awareness about safe usage of digital payment products. During the period 10 to 16 March, the RBI, payment system operators, banks and other stakeholders conducted nationwide awareness activities, including multimedia campaigns, on-ground educational programs and social media-based outreach. Governor Shri Sanjay Malhotra delivered an address at the inauguration event; he spoke about the safety and security of digital payments and how the RBI's soft touch approach to regulating the payments ecosystem and fintechs serves to promote innovation. [10 Mar 2025] #Payments
IFSCA: Guidelines on cyber security and cyber resilience
The International Financial Services Centres Authority (IFSCA) has published guidelines on cyber security and cyber resilience for regulated entities in the IFSC. The guidelines cover five key areas: governance; the cyber security and cyber resilience framework; third party risk management; communication and awareness; and audit. IFSCA expects regulated entities to implement the guidelines in accordance with the principle of proportionality, taking into consideration:
- the scale and complexity of operations;
- the nature of the activity in which the entity is engaged;
- its interconnectedness with the financial ecosystem; and
- the corresponding cyber risks to which the entity is exposed.
The guidelines come into effect on 1 April 2025. Some categories of regulated entities are exempted from the requirements in the guidelines for a period of three years. [10 Mar 2025] #Cyber
US
OCC announces May 2025 virtual Office Hours for fintechs and banks
The Office of the Comptroller of the Currency (OCC) has announced virtual Office Hours with its Office of Financial Technology on May 6-8, 2025. Office Hours provide an opportunity for banks and fintechs to engage with OCC staff on matters related to bank-fintech partnerships, cryptocurrency activities, or other matters related to responsible innovation in the federal banking system. [12 Mar 2025] #Banking #Crypto
OCC clarifies bank authority to engage in certain crypto activities
The OCC has advised that a range of cryptocurrency activities are permissible in the federal banking system. The OCC has published Interpretive Letter 1183 to confirm that cryptoasset custody, certain stablecoin activities, and participation in independent node verification networks such as distributed ledger are permissible for national banks and federal savings associations. The letter also rescinds the requirement for OCC-supervised institutions to receive supervisory nonobjection and demonstrate that they have adequate controls in place before they can engage in these cryptocurrency activities.
Consistent with Interpretive Letter 1183, the OCC also withdrew its participation in the joint statement on crypto-asset risks to banking organizations and the joint statement on liquidity risks to banking organizations resulting from crypto-asset market vulnerabilities. [7 Mar 2025] #Crypto
FINRA fines firm and orders restitution to customer for AML, disclosure and compliance failures
The Financial Industry Regulatory Authority (FINRA) has ordered a financial services firm to pay $3.75m to its customers, and fined it $26m for violating various FINRA rules, including failing to respond to red flags of potential misconduct. The firm consented to the entry of FINRA’s findings, without admitting or denying the charges. It also agreed to certify that issues identified in the letter of acceptance, waiver and consent (AWC) were remediated.
Among FINRA's findings were:
- the firm failed to establish and implement reasonable anti-money laundering (AML) programs, and therefore failed to detect, investigate or report suspicious activity, including manipulative trading, suspicious money movements and instances where customers’ accounts were taken over by third-party hackers;
- the firm failed to establish a reasonable customer identification program, which resulted in it opening thousands of accounts when it had not reasonably verified the customer’s identity;
- it failed to reasonably supervise its clearing technology system and failed to reasonably respond to several red flags of processing delays due to increased demand on the system – this led to the clearing system experiencing severe latency in January 2021 due to a surge in trading volume and volatility, which, in turn, impacted the firm's clearing operations and its ability to satisfy certain regulatory obligations;
- the firm failed to reasonably supervise and retain social media promotions that were posted by paid social media influencers, some of which included statements that were promissory or not fair and balanced; and
- it failed to comply with numerous aspects of the reporting obligations for blue sheets (securities trading information), FINRA trade reporting facilities and the Consolidated Audit Trail (CAT).
FINRA found that in each of these areas and others described in the AWC, the firm failed to establish a reasonable system for compliance. [7 Mar 2025] #Hacking #FinFluencers #Cyber

Rashid Ahmed
FSR & CCI Professional Support Paralegal, London

Vasuki Balasubramaniam
FSR & CCI Professional Support Paralegal, London