Key Regulatory Developments for CASPs Week Ending 21 November
- James Ross

- Nov 23
Executive Summary
The global regulatory framework for digital assets and blockchain technology has reached a key milestone during the reporting period ending 22 November 2025. We are witnessing a clear shift from the initial "framework design" stage—marked by high-level principles and legislative discussions—towards a detailed, operational "infrastructure enforcement" stage. This shift is demonstrated by regulators engaging directly with the technical stack, focusing on specific mechanisms such as gas fees, dependencies on cloud hosting, order book liquidity sharing, and algorithmic credit scoring.
In the U.S., a major shift in the federal banking system has occurred. The OCC ended the “crypto winter” through Interpretive Letter 1186, allowing national banks to hold cryptocurrency as collateral for operational “gas fees.” This endorses blockchain as a settlement infrastructure, reducing reliance on intermediaries and signalling a thaw from previous aggressive regulation. Meanwhile, the SEC is addressing the balance between financial surveillance and privacy, setting the stage for a roundtable that could redefine Bank Secrecy Act limits in the age of zero-knowledge proofs.
The European Union has moved from legislation to strict enforcement with the Digital Operational Resilience Act (DORA), designating 19 Critical ICT Third-Party Providers (CTPPs). This places top tech companies, including hyperscale cloud providers and financial firms, under direct regulation for the first time. For financial institutions and VASPs in the EU, it raises third-party risk management to a regulatory level, requiring vendor compliance. The European Banking Authority (EBA) is also examining how DORA and the AI Act intersect, especially regarding liability for high-risk AI in creditworthiness assessments.
In the Asia-Pacific region, regulators are employing a sophisticated “dual-track” strategy. Hong Kong’s Securities and Futures Commission (SFC) is actively encouraging liquidity by allowing “Shared Order Books” with global affiliates, with the goal of resolving the fragmentation that hinders local exchanges. However, this liberalisation is accompanied by a harsh crackdown on illicit flows. The SFC’s issuance of strict red flags concerning “layering” and “smurfing” shows a zero-tolerance stance towards the misuse of this increased liquidity for money laundering, specifically linking these typologies to the regional scourge of “pig butchering” syndicates.

Section 1: North America – The Banking Infrastructure Pivot
The reporting period is defined by a decisive regulatory reversal in the United States banking sector, juxtaposed with a deepening philosophical conflict at the securities regulator regarding privacy.
1.1. OCC Interpretive Letter 1186: The Operational Permissibility Doctrine
On 18 November 2025, the Office of the Comptroller of the Currency (OCC) issued Interpretive Letter 1186, a document that legal analysts and banking strategists are already citing as a pivotal moment for institutional digital asset adoption. This guidance does not merely adjust existing rules; it fundamentally reinterprets the “business of banking” to include the technological requirements of distributed ledger technology (DLT).
1.1.1. The Legal Theory of “Incidental Powers”
To grasp the importance of Letter 1186, one must place it in the context of the National Bank Act, particularly 12 U.S.C. 24 (Seventh), which grants national banks “all such incidental powers as shall be necessary to carry on the business of banking.”
Historically, the “business of banking” was characterised by physical vaults, ledgers, and fiat payment systems. In 2020 and 2021, under Acting Comptroller Brian Brooks, the OCC issued a series of letters (1170, 1172, 1174) that broadly interpreted these powers to include crypto custody and the operation of stablecoin nodes. However, following the regulatory tightening of 2022-2024—often referred to as “Operation Choke Point 2.0”—banks were effectively discouraged from engaging with crypto rails, leading to a surge in application rejections.
Letter 1186 revitalises the “incidental powers” doctrine with a pragmatic, technology-neutral argument. The OCC’s legal logic proceeds as follows:
Permissibility of the Core Activity: It is established that banks may engage in payment facilitation, custody, and validation of financial transactions.
Technological Necessity: Public blockchains (e.g., Ethereum, Solana) impose a mandatory technical toll—“gas fees”—denominated in native tokens to process any transaction.
Incidental Necessity: Therefore, the acquisition and holding of these native tokens is not a speculative investment activity (which would be prohibited proprietary trading) but an “incidental” operational necessity required to facilitate the permissible core activity.
This legal syllogism is crucial because it reclassifies cryptocurrency on the bank’s balance sheet. It moves assets like ETH or SOL from "speculative inventory" to "operational supplies," similar to holding paper for printing statements or electricity for powering servers.
1.1.2. Operational Mechanics: Solving the “Gas Fee” Bottleneck
Before this guidance, national banks faced a debilitating operational paradox. While they were technically permitted to offer custody services, they could not hold the assets needed to cover the costs of moving custodied funds. This forced banks into inefficient workflows:
Reliance on Third-Party Intermediaries: Banks had to contract with non-bank fintechs to pay gas fees on their behalf. This introduced third-party credit risk, operational latency, and increased costs.
Just-in-Time Acquisition: Alternatively, banks attempted to acquire gas tokens immediately before a transaction to avoid holding them overnight. In volatile markets, this exposed the bank to price slippage and execution failure if the network became congested.
Interpretive Letter 1186 explicitly clarifies this by allowing banks to hold crypto-assets as a principal for "anticipated reasonably foreseeable needs." The guidance recognises the dynamic nature of fee markets (e.g., EIP-1559 on Ethereum), acknowledging that banks must keep a buffer of inventory to ensure transaction certainty during periods of high network demand.
1.1.3. The “Testing” Sandbox & Inventory Management
Perhaps the most forward-looking aspect of the letter is the explicit permission for banks to hold crypto assets for “testing otherwise permissible crypto-asset-related platforms.” This effectively endorses internal R&D sandboxes on mainnet blockchains. Previously, compliance departments often prevented innovation teams from engaging with live chains due to the ban on holding assets. This clearance enables banks to develop, audit, and stress-test proprietary blockchain infrastructure using real value, thereby accelerating the development of tokenised deposit systems and proprietary stablecoins.
However, this permissibility comes with strict risk management constraints. The OCC emphasises that banks must conduct these activities in a "safe and sound manner." This highlights the immediate need for new governance structures.
Inventory Management Policies: Banks must develop quantitative models to forecast transaction volumes and strictly cap crypto inventory. Holdings in excess of “reasonably foreseeable needs” could be flagged by examiners as speculative proprietary trading.
Cybersecurity & Custody Controls: Holding assets as principal means the bank bears the direct risk of key loss or hacking. The operational resilience standards for these internal wallets will be exceptionally high.
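As an added illustration of the inventory-management point (this is not from the OCC letter or any bank’s model), the following Python sizes an ETH gas buffer from a constructed base-fee history using a percentile of observed fees plus a headroom factor, then classifies current holdings as short of the forecast need, within policy, or far enough above it that an examiner might read them as speculative. The fee samples, the gas-per-transfer figure, the percentile, the headroom and the cap multiple are all assumptions chosen for the example.

```python
"""Sizing an "incidental" gas-token inventory under an EIP-1559 style fee market.

Added example, not OCC guidance or any bank's model: the fee history, the
transaction forecast and the 95th-percentile / 20 % headroom / 1.5x cap choices
are constructed assumptions for the demonstration.
"""
from math import ceil

GWEI = 10**-9  # 1 gwei = 1e-9 ETH

# Constructed hourly base-fee observations (gwei) over a busy week, including a congestion spike
BASE_FEE_HISTORY_GWEI = [12, 15, 18, 22, 25, 30, 35, 40, 48, 55,
                         60, 75, 90, 120, 150, 20, 18, 16, 14, 13]
PRIORITY_FEE_GWEI = 2        # tip the bank is prepared to pay for timely inclusion (assumption)
GAS_PER_TRANSFER = 65_000    # gas budget assumed per custody transfer (assumption)


def percentile(samples, p):
    """Nearest-rank percentile of samples; p is a fraction in (0, 1]."""
    ordered = sorted(samples)
    return ordered[ceil(p * len(ordered)) - 1]


def required_inventory_eth(forecast_txs, history=BASE_FEE_HISTORY_GWEI, p=0.95, headroom=0.2):
    """ETH needed to cover forecast_txs transfers if base fees sit at the p-th percentile
    of the observed history, plus headroom for congestion beyond what was observed."""
    fee_per_gas_gwei = percentile(history, p) + PRIORITY_FEE_GWEI
    eth_per_tx = GAS_PER_TRANSFER * fee_per_gas_gwei * GWEI
    return forecast_txs * eth_per_tx * (1 + headroom)


def inventory_check(holdings_eth, forecast_txs, cap_multiple=1.5):
    """Return (status, cap). 'short' means holdings cannot cover the forecast need;
    'excess' means holdings exceed cap_multiple x the need, which is the point at which
    a policy should treat the surplus as unexplained inventory rather than supplies."""
    need = required_inventory_eth(forecast_txs)
    cap = need * cap_multiple
    if holdings_eth < need:
        return "short", cap
    if holdings_eth > cap:
        return "excess", cap
    return "ok", cap


if __name__ == "__main__":
    forecast = 5000  # constructed forecast: transfers expected in the planning window
    print(f"required buffer: {required_inventory_eth(forecast):.2f} ETH")
    for held in (40, 50, 100):
        status, cap = inventory_check(held, forecast)
        print(f"holding {held} ETH -> {status} (cap {cap:.2f} ETH)")
```

The design choice worth noting is that the buffer is sized from a high percentile of fee history rather than the average, because the letter’s stated rationale is transaction certainty during high demand; the cap on the other side is what turns “reasonably foreseeable needs” into a number an examiner can test.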
1.2. SEC Financial Surveillance and Privacy Roundtable: The Constitutional Tension
While banking regulators are stabilising operational frameworks, the securities regulator is engaged in a deep philosophical and legal debate about the nature of financial privacy. The Securities and Exchange Commission (SEC) has postponed its "Financial Surveillance and Privacy Roundtable" to 15 December 2025, signalling the agency’s intention to clarify—or possibly redefine—the relationship between the Bank Secrecy Act (BSA) and individual privacy rights.
1.2.1. The Agenda: Surveillance vs. The Fourth Amendment
The roundtable, led by the SEC’s Crypto Task Force, is presented as an inquiry into “technology that helps Americans protect their privacy.” This framing, especially from Commissioner Hester Peirce (who often dissents from the agency’s enforcement-heavy stance), indicates a critical examination of whether the current “third-party doctrine”—which states that users have no expectation of privacy in data shared with banks—is still applicable in the era of immutable public ledgers.
The dialogue is expected to centre on several high-stakes policy collisions:
The “Panopticon” Effect: Unlike traditional banking, where data is siloed, public blockchains are transparent. Combining this transparency with strict Know-Your-Customer (KYC) mandates creates a “panopticon” in which every financial transaction is visible to regulators and blockchain analysts. The roundtable will explore whether this level of surveillance constitutes an unreasonable search under the Fourth Amendment.
Technological Solutions (ZKPs): A key focus will be the viability of Zero-Knowledge Proofs (ZKPs) and other privacy-enhancing technologies (PETs). These tools theoretically allow a user to prove they are not a sanctioned entity and that their funds are clean, without revealing their identity or transaction history to the counterparty or the public. The industry is looking for signals that the SEC might accept ZKPs as a valid compliance mechanism, potentially creating a “compliance layer” for privacy coins.
1.2.2. Strategic Implications for VASPs
For C-Suite officers at digital asset firms, this roundtable is not merely academic. It serves as a bellwether for future enforcement actions against:
Mixers and Privacy Protocols: If the consensus emerging from the roundtable is that “privacy is suspicious,” we can expect intensified actions against protocols like Tornado Cash or privacy-centric Layer 2s.
Self-Custody Wallets: The discussion will likely touch on the “unhosted wallet” rule proposals. A shift in tone could signal whether the SEC intends to treat wallet developers as “brokers” or “exchanges”.
Section 2: European Union – DORA Enforcement & AI Convergence
In Europe, the regulatory narrative has shifted decisively from “preparation” to “active enforcement.” The combined implementation of the Digital Operational Resilience Act (DORA) and the AI Act marks the most comprehensive regime for financial technology oversight worldwide.
2.1. Operationalising DORA: The Critical Third-Party List (CTPP)
On 18 November 2025, the European Supervisory Authorities (ESAs)—comprising the EBA, EIOPA, and ESMA—executed the most significant power granted to them under DORA: the designation of the first cohort of Critical ICT Third-Party Providers (CTPPs).
2.1.1. The Mechanics of Designation
The publication of the list, which includes 19 entities, marks a historic expansion of the regulatory scope. For the first time, pure technology companies are subject to direct financial oversight. While the complete list is available on the ESMA portal, analysis confirms it targets the "infrastructure backbone" of the European financial system.
Hyperscale Cloud Providers: Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are widely recognised as the primary targets due to the sector’s extreme concentration risk.
Financial Technology Infrastructure: The list extends to specialised providers such as the technology arm of the London Stock Exchange Group and Bloomberg, as well as major consultancy-tech hybrids such as Tata Consultancy Services (TCS).
The designation process was rigorous and data-driven, utilising a methodology that assessed:
Systemic Impact: The potential for a provider’s failure to trigger a cascading collapse of financial services (e.g., if AWS East goes down, do European payments stop?).
Concentration & Substitutability: The ESAs analysed the “registers of information” submitted by financial entities to quantify how many banks rely on a single provider and how difficult it would be to migrate to a competitor (vendor lock-in).
2.1.2. The New Oversight Regime: Direct Intervention
This designation fundamentally changes the vendor-client relationship. Previously, a bank would negotiate service level agreements (SLAs) with a cloud provider. Now, the ESAs incorporate themselves directly into that relationship with formidable powers.
Direct Audits & Inspections: The ESAs can conduct on-site inspections of CTPP data centres and operations centres to verify cyber resilience.
Fees: Designated CTPPs must pay annual oversight fees to fund this new supervisory architecture.
The “Nuclear Option”: The most critical power is the ESAs’ ability to issue remediation recommendations. If a CTPP fails to comply—for example, by refusing to patch a vulnerability or improve redundancy—the ESAs can order all EU financial entities to suspend or terminate their contracts with that provider. This creates a potent existential threat for tech firms and a massive continuity risk for banks.
Strategic Impact for Crypto-Natives:
For Crypto-Asset Service Providers (CASPs) licensed under MiCA, this is an immediate compliance priority. Most CASPs depend heavily on the designated cloud providers. Compliance officers must now:
Verify which of their vendors are on the CTPP list.
Monitor ESA audit outcomes regarding those vendors.
Develop contingency plans for the “termination scenario,” however unlikely it may seem.
2.2. The AI Act Meets DORA: The Credit Scoring Intersection
As DORA secures the infrastructure, the European Banking Authority (EBA) is simultaneously mapping the regulatory landscape for the software running on that infrastructure, specifically Artificial Intelligence.
2.2.1. High-Risk AI in Financial Services
The EU AI Act classifies AI systems used for “creditworthiness assessments” as High-Risk. This classification imposes a significant compliance burden, including requirements for data governance, transparency, human oversight, and accuracy. The EBA’s recent work concentrates on harmonising these requirements with DORA’s risk management rules.
The challenge is in the “black box” nature of machine learning models used for credit scoring. DORA requires ICT systems to be resilient and explainable to ensure continuity. The AI Act mandates that they be non-discriminatory and transparent to protect fundamental rights. The EBA is currently developing a "mapping" framework to assist institutions in navigating this dual regime.
2.2.2. The Third-Party Liability Chain
A critical insight from the EBA’s analysis is the liability trap regarding third-party AI. Many banks and fintechs “buy” rather than “build” their credit scoring AI.
The Provider vs. Deployer Distinction: Under the AI Act, the “Provider” (developer) has distinct obligations from the “Deployer” (bank). However, DORA holds the financial entity ultimately responsible for all ICT risk.
Due Diligence Paradox: The financial entity must perform due diligence on the AI provider to ensure the model doesn’t discriminate (AI Act) and won’t crash (DORA). However, providers often treat their algorithms as trade secrets, resisting the transparency required for such due diligence. The EBA is expected to issue guidelines on resolving this information asymmetry, likely requiring standardised “AI Fact Sheets” for financial procurement.
Section 3: United Kingdom – Tokenisation and Consumer Protection
The United Kingdom continues to pursue its post-Brexit strategy of regulatory agility, aiming to establish itself as a leading global centre for asset management innovation. The Financial Conduct Authority (FCA) is currently in the consultation phase for a radical overhaul of fund structures.
3.1. FCA Consultation CP25/28: The Blueprint for Tokenisation
Consultation Paper 25/28, “Progressing Fund Tokenisation,” marks a significant technical and legal development for the UK asset management sector. The FCA is moving beyond theoretical debates to propose specific rule changes that would support the “Direct-to-Fund” (D2F) dealing model.
3.1.1. The Direct-to-Fund (D2F) Model
The current fund settlement architecture is archaic, involving a daisy-chain of intermediaries: platforms, transfer agents, settlement systems, and the fund manager. This results in slow settlement (T+2 or T+3) and high costs.
The D2F model proposed by the FCA leverages Distributed Ledger Technology (DLT) to collapse this stack. In this model, the investor (or their wallet) interacts directly with the fund’s ledger.
Tokenised Units: The fund units themselves are tokens on a permissioned blockchain.
Smart Contract Settlement: Subscriptions and redemptions are executed via smart contracts, potentially allowing for T+0 (instant) settlement.
The “Blueprint”: The consultation outlines a “Blueprint” for authorised funds to adopt this model without needing primary legislation, relying instead on modifications to the FCA’s COLL sourcebook.
3.1.2. Collateral and Money Market Funds (MMFs)
A key, though technical, part of the consultation involves using Tokenised Money Market Funds (TMMFs) as collateral. The industry has lobbied for the ability to use TMMF units as collateral in non-cleared derivatives transactions to enhance capital efficiency. The FCA has shown willingness to do this, provided that prudential standards regarding liquidity and valuation are upheld. This could unlock billions in capital efficiency for institutional traders.
3.2. The Financial Services Consumer Panel (FSCP) Response
On 21 November 2025, the Financial Services Consumer Panel (FSCP)—a statutory body advising the FCA—published its response to CP25/28. This document acts as a vital counterbalance to the industry’s enthusiasm, emphasising the behavioural risks linked to frictionless finance.
3.2.1. The “Gamification” and “FOMO” Risk
The FSCP’s critique concentrates on the psychological effects of instant settlement. They cited concerning data indicating that 66% of young investors (18-34) make investment decisions within 24 hours, often influenced by social media hype and “Fear Of Missing Out” (FOMO).
The Friction Debate: The Panel argues that the current settlement friction (T+2) acts as a “cooling-off period.” Removing it via D2F could encourage impulsive, high-frequency trading in products designed for long-term holding.
“Positive Friction”: Paradoxically, while regulators usually fight “sludge” (barriers that make it hard to cancel services), the FSCP suggested that “positive friction” might need to be engineered into D2F user interfaces—such as warnings or mandatory pauses—to ensure consumers understand the risks before execution.
3.2.2. The Consumer Duty Application
The Panel highlighted that the new “Consumer Duty” regime must be strictly applied to tokenised funds. This means firms cannot merely provide the ability to trade instantly; they must demonstrate that this capability results in “good outcomes” for retail clients. If D2F causes higher churn and loss rates among retail investors, firms could face enforcement action under the Duty, regardless of the system’s technical efficiency.
Section 4: Asia-Pacific – Hong Kong’s Dual-Track Regulation
Hong Kong offers the clearest example of the “Dual-Track” regulatory strategy: vigorous market liberalisation to attract business, combined with harsh enforcement to deter crime.
4.1. The AML Crackdown: “Layering” and “Smurfing”
On 17 November 2025, the Securities and Futures Commission (SFC) issued a highly specific circular concerning “layering” activities in virtual asset markets. This was not a generic warning but a tactical alert based on supervisory data indicating that licensed exchanges are being used as conduits for laundering proceeds from regional fraud.
4.1.1. The “Pig Butchering” Connection
The circular implicitly (and more explicitly in the broader context) links these flows to “pig butchering” scams (Shazhupan). These are large-scale romance/investment frauds often run by syndicates in Southeast Asia. The proceeds, typically in USDT, must be laundered before the criminals can make use of them. The SFC has recognised that Hong Kong’s regulated infrastructure is being targeted to “clean” these funds.
4.1.2. Operational Red Flags & Compliance Mandates
The SFC circular mandates that all Licensed Corporations (LCs) and virtual asset trading platforms (VATPs) immediately integrate specific “Red Flags” into their transaction monitoring systems. Failure to detect these patterns is now a direct liability for the firm’s “Manager-in-Charge” (MIC) of Compliance:
Rapid-Fire Laundering: The most prominent typology identified is the “deposit-withdraw” cycle. Funds are deposited and then withdrawn almost immediately, without any trading activity, or with minimal “wash trades” to create a veneer of legitimacy.
Smurfing: Large illicit sums are broken down into hundreds of small deposits to evade automated reporting thresholds, then aggregated in the exchange account before being withdrawn to a single external wallet.
Pass-Through Accounts: Accounts that show no economic logic other than acting as a bridge between two external addresses.
The SFC has emphasised that “senior management... are expected to be vigilant,” signalling that future enforcement actions will target individual executives for systemic AML failures.
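The three typologies above, as an added example that is not from the SFC circular or any exchange’s monitoring system: a small Python screen run over a constructed ledger of deposits, trades and withdrawals, with one rule per red flag. The account names, external addresses, the 60-minute cycle window, the 10,000 USDT reporting threshold, the eight-deposit smurfing count and the value ratios are all assumptions chosen for the demonstration; a real deployment would calibrate them against the firm’s own data and threshold obligations.

```python
"""Red-flag screening over constructed exchange ledger events.

Added example illustrating the three SFC typologies; it is neither the SFC's
own rule set nor any exchange's production code. Thresholds (60-minute cycle
window, 10 000 USDT reporting threshold, eight-deposit smurfing count, value
ratios) are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (account, timestamp, event kind, amount in USDT, external address or None)
LEDGER = [
    # acc-1: deposit-withdraw cycle with no trading in between (rapid-fire laundering)
    ("acc-1", "2025-11-17 09:00", "deposit",    50_000, "0xEXT-A"),
    ("acc-1", "2025-11-17 09:12", "withdrawal", 49_900, "0xEXT-B"),
    # acc-2: smurfing -- ten sub-threshold deposits, then one consolidated withdrawal
    *[("acc-2", f"2025-11-17 10:{m:02d}", "deposit", 9_500, f"0xSMURF-{i}")
      for i, m in enumerate(range(0, 50, 5))],
    ("acc-2", "2025-11-17 13:00", "withdrawal", 94_800, "0xEXT-C"),
    # acc-3: ordinary customer -- deposits, trades, withdraws a little the next day
    ("acc-3", "2025-11-17 11:00", "deposit",    20_000, "0xEXT-D"),
    ("acc-3", "2025-11-17 11:30", "trade",      20_000, None),
    ("acc-3", "2025-11-18 15:00", "withdrawal",  5_000, "0xEXT-D"),
]

RAPID_WINDOW = timedelta(minutes=60)  # withdrawal this soon after a deposit is suspicious
WASH_RATIO = 0.1                       # trades below 10 % of the deposit count as window dressing
REPORT_THRESHOLD = 10_000              # assumed automated reporting threshold (USDT)
SMURF_MIN_COUNT = 8                    # this many sub-threshold deposits inside SMURF_WINDOW
SMURF_WINDOW = timedelta(hours=24)


def parse(ledger):
    """Normalise raw tuples into dicts with datetime timestamps, sorted by account then time."""
    rows = [dict(account=a, ts=datetime.strptime(t, "%Y-%m-%d %H:%M"), kind=k, amount=amt, addr=addr)
            for a, t, k, amt, addr in ledger]
    return sorted(rows, key=lambda r: (r["account"], r["ts"]))


def by_account(rows):
    groups = defaultdict(list)
    for r in rows:
        groups[r["account"]].append(r)
    return groups


def rapid_cycle(events):
    """Deposit followed within RAPID_WINDOW by a withdrawal of (almost) the same value,
    with no genuine trading in between."""
    for i, dep in enumerate(events):
        if dep["kind"] != "deposit":
            continue
        traded = 0
        for later in events[i + 1:]:
            if later["ts"] - dep["ts"] > RAPID_WINDOW:
                break
            if later["kind"] == "trade":
                traded += later["amount"]
            elif (later["kind"] == "withdrawal" and later["amount"] >= 0.9 * dep["amount"]
                  and traded < WASH_RATIO * dep["amount"]):
                return True
    return False


def smurfing(events):
    """At least SMURF_MIN_COUNT sub-threshold deposits inside SMURF_WINDOW, followed by a
    withdrawal that consolidates most of their value."""
    small = [e for e in events if e["kind"] == "deposit" and e["amount"] < REPORT_THRESHOLD]
    for start in range(len(small)):
        cluster = [e for e in small[start:] if e["ts"] - small[start]["ts"] <= SMURF_WINDOW]
        if len(cluster) < SMURF_MIN_COUNT:
            continue
        total, last_ts = sum(e["amount"] for e in cluster), cluster[-1]["ts"]
        for w in events:
            if (w["kind"] == "withdrawal" and last_ts <= w["ts"] <= last_ts + SMURF_WINDOW
                    and w["amount"] >= 0.8 * total):
                return True
    return False


def pass_through(events):
    """No trades at all, and value arriving from one external address leaves almost entirely
    to a different single external address: the account is just a bridge."""
    if any(e["kind"] == "trade" for e in events):
        return False
    deps = [e for e in events if e["kind"] == "deposit"]
    wds = [e for e in events if e["kind"] == "withdrawal"]
    if not deps or not wds:
        return False
    in_addrs, out_addrs = {e["addr"] for e in deps}, {e["addr"] for e in wds}
    total_in, total_out = sum(e["amount"] for e in deps), sum(e["amount"] for e in wds)
    return (len(in_addrs) == 1 and len(out_addrs) == 1 and in_addrs.isdisjoint(out_addrs)
            and total_out >= 0.95 * total_in)


RULES = {"rapid_deposit_withdraw": rapid_cycle, "smurfing": smurfing, "pass_through": pass_through}


def screen(ledger=LEDGER):
    """Return {account: [names of rules that fired]}; accounts with no hits are omitted."""
    hits = {}
    for account, events in by_account(parse(ledger)).items():
        fired = [name for name, rule in RULES.items() if rule(events)]
        if fired:
            hits[account] = fired
    return hits


if __name__ == "__main__":
    for account, flags in screen().items():
        print(f"{account}: {', '.join(flags)}")  # acc-1 and acc-2 are flagged; acc-3 is clean
```

On the constructed ledger, acc-1 trips both the rapid-cycle and the pass-through rule (a single in-and-out with no trading satisfies both definitions), acc-2 trips only the smurfing rule, and acc-3 trips nothing because its deposit was actually traded and the withdrawal came a day later. The wash-trade ratio in the first rule is the part most worth tuning: the circular’s point is that a token amount of trading between deposit and withdrawal does not make the cycle legitimate, so the rule must not reset on any trade at all.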
4.2. Market Expansion: The “Shared Order Book” Initiative
To ensure these stringent AML rules don’t choke off the market, the SFC is simultaneously loosening liquidity restrictions.
4.2.1. Solving Liquidity Fragmentation
A major complaint of Hong Kong’s licensed exchanges has been “liquidity fragmentation.” Because they are ring-fenced to serve only local or verified clients, their order books are thinner than those of global giants like Binance or Coinbase. This results in high spreads and poor execution, discouraging institutional adoption.
To address this, the SFC issued circulars on 3 November 2025 (analysed in this reporting period) that permitted “Shared Order Books.”
The Mechanism: An SFC-licensed platform can now integrate its order book with a “Global Affiliate” exchange. This allows a user in Hong Kong to trade against a counterparty on the affiliate’s platform in another jurisdiction (e.g., Singapore or Dubai).
Conditions: The global affiliate must be regulated in a jurisdiction comparable to Hong Kong, and the SFC must approve the arrangement. This is a critical step in the SFC’s “ASPIRe” roadmap (Access, Strategy, Product, Innovation, Resilience), effectively reconnecting Hong Kong to the global crypto liquidity grid.
4.2.2. Product Expansion
Meanwhile, the SFC is reviewing the admission requirements for “Digital Asset-Related Products.” This extends beyond basic Bitcoin and Ethereum spot trading to potentially cover tokenised securities and complex structured products, aiming to expand the range of assets available to professional investors.
Section 5: Global & Middle East – Standards and Stability
5.1. FSB 2026 Work Plan: The Shadow Banking Focus
The Financial Stability Board (FSB), the G20’s watchdog, concluded its plenary meeting in Riyadh (18–19 November 2025) and published its strategic work plan for 2026. The overarching theme is the risk of “Shadow Banking,” formally known as Non-Bank Financial Intermediation (NBFI).
5.1.1. The “Dollarisation” Threat of Stablecoins
In a letter to G20 leaders, FSB Chair Andrew Bailey emphasised a particular macro-prudential risk: the “dollarisation” of Emerging Market and Developing Economies (EMDEs) through stablecoins. The concern is that widespread use of USD-backed stablecoins in countries with weak currencies could weaken local monetary policy sovereignty.
Regulatory Response: The FSB is calling for “robust frameworks” that mandate 1:1 reserve backing and transparent audits for stablecoin issuers, effectively endorsing the legislative models emerging in the EU (MiCA) and potentially the US (the “GENIUS Act” reference).
5.1.2. Private Credit and Leverage
The FSB also highlighted the opacity of private credit markets and their growing overlap with the crypto ecosystem (e.g., RWA lending protocols). The 2026 plan includes a detailed examination of the leverage within these non-bank lenders to prevent a systemic collapse similar to the 2008 crisis, but originating in the “shadow” sector.
5.2. Dubai (DFSA) Annual Outreach 2025
The Dubai Financial Services Authority (DFSA) hosted its flagship Annual Outreach event, highlighting the rapid growth of the Dubai International Financial Centre (DIFC), which now accommodates over 1,000 regulated entities and holds $240 billion in banking assets.
5.2.1. Proactive Compliance Resourcing
The key message from the DFSA to the C-Suite was “Proactive Resourcing.” As firms expand quickly, the regulator has noticed a delay in compliance recruitment. The DFSA clearly warned that firms trying to “catch up” on compliance staffing after scaling up their operations will face supervisory action.
Innovation Risk: A key supervisory priority for the coming year is “Innovation and Technology Risk,” specifically the governance of AI and algorithmic trading models within DIFC firms. The regulator is demanding that Boards document their oversight of these technologies, rather than delegating it entirely to technical teams.
Section 6: Strategic Analysis & Recommendations
6.1. Synthesis of Regulatory Trends: The “Infrastructure Era”
The convergence of US OCC guidance, the EU CTPP designation, and the HK SFC liquidity-sharing framework creates a straightforward narrative: We have entered the Infrastructure Era of crypto regulation.
Integration over Isolation: US regulators have abandoned attempts to isolate crypto from the banking system. Instead, they are integrating it under strict “incidental power” rules (OCC Letter 1186).
The Vendor Risk Revolution: In the EU, the regulator has realised that regulating banks is insufficient if the cloud providers holding the data are unregulated. DORA creates a “super-regulator” paradigm for Big Tech.
The Privacy Schism: A global divergence is emerging. While the FSB and HK SFC push for total transparency to fight financial crime, the US SEC (driven by constitutional concerns) and privacy advocates are pushing back. This creates a complex compliance environment for global firms, which may need to ring-fence data practices by jurisdiction.
6.2. Actionable Recommendations for C-Suite & Compliance Officers
The following strategic imperatives are derived from the analysis of this week’s intelligence:
Table 1: Strategic Action Matrix (November 2025)
Domain | Action Item | Strategic Rationale | Priority |
US Banking | Establish "Gas Fee" Treasury Policies | National banks should immediately draft policies for "incidental inventory" of crypto assets. Crypto-native firms should renegotiate custody agreements to demand that banks handle gas fees directly, reducing operational overhead. | Critical |
EU DORA | Audit Third-Party Designations | Identify if your ICT providers are on the new ESAs CTPP list. If so, initiate a dialogue regarding their engagement with ESA auditors. Update your "Exit Strategy" for these vendors as required by DORA Article 28. | Critical |
Global AML | Update Transaction Monitoring for "Smurfing" | The HK SFC’s red flags are now the global standard. Calibrate monitoring algorithms to detect high-velocity deposit/withdrawal patterns that mimic "layering" typologies. | High |
UK Strategy | Feasibility Study for D2F | Asset Managers should commission technical feasibility studies for Direct-to-Fund models. The "first mover" advantage in offering instant-settlement funds to retail could be significant in 2026. | Medium |
Governance | Board Training on AI Liability | Following the EBA’s guidance, Board members must be trained on their liability for third-party AI tools (credit scoring). "We bought it from a vendor" is no longer a valid defence against bias or failure. | High |
6.3. Conclusion
The week of 15–22 November 2025 will be remembered as the moment the regulatory barrier broke. The US banking system has gained control of blockchain operations; European super-regulators have claimed oversight of the cloud; and Hong Kong has linked its liquidity to the global market while strengthening its measures against crime. For the C-Suite, the era of regulatory uncertainty is coming to an end. It is being replaced by an era of regulatory complexity, where success relies on detailed execution of infrastructure compliance.
#FinancialRegulation #OperationalResilience #DigitalAssets #DORA #TIBER #BCBS #FSB #FinTech #Compliance #RiskManagement