Risk and Compliance Report For the week ending 22 August 2025
- James Ross

- Aug 23
Executive Summary
This week's key regulatory developments demand immediate attention from risk and compliance functions, with significant implications for capital, technology governance, and market conduct.
In the United Kingdom, the Financial Conduct Authority's (FCA) multi-firm review of algorithmic trading controls has exposed material deficiencies in compliance with MiFID's RTS 6. Firms must urgently review their self-assessments, surveillance systems, and the technical expertise of their compliance functions. Concurrently, the FCA's report on synthetic data signals a move towards formalising governance in this area, requiring firms to expand existing Model Risk Management frameworks to address the entire synthetic data lifecycle, including vendor management and algorithmic bias.
In the European Union, the European Banking Authority's (EBA) final draft RTS on off-balance sheet items will have a direct capital impact. Firms must commence analysis to re-map commitments and re-calculate Risk-Weighted Assets (RWAs) under the Standardised Approach. For the crypto-asset sector, the publication of the market abuse RTS under MiCA mandates a significant operational build-out of surveillance and reporting capabilities for all Crypto-Asset Service Providers (CASPs) ahead of the September 2025 implementation.
Across both jurisdictions, the focus on sustainable finance continues to intensify. The UK's new transition finance guidelines and the ESMA/EEA collaboration in the EU both point towards more data-driven supervision and a lower tolerance for greenwashing, requiring firms to ensure the integrity and auditability of their ESG data and assessment frameworks.

United Kingdom Developments
FCA Report on Synthetic Data Governance
Development: The FCA, in conjunction with its Synthetic Data Expert Group (SDEG), has issued its second report, focusing on governance paradigms for the use of synthetic data. The report articulates nine governance principles, advocating for the integration of synthetic data controls within existing Model Risk Management (MRM) and AI Ethics frameworks.
Technical Risk and Compliance Implications:
Expansion of Governance Frameworks: Firms must augment existing data governance policies to address the synthetic data lifecycle explicitly. This includes establishing protocols for data generation methodologies, utility assessments (e.g., Train-Synthetic-Test-Real benchmarks), and privacy evaluations to prevent re-identification risk.
Vendor Risk Management: Due diligence protocols for third-party data and model providers must be updated. This requires specific attestations regarding the statistical accuracy, bias mitigation techniques, and privacy-preserving methodologies (e.g., differential privacy) employed in their synthetic data generation processes.
Algorithmic Fairness and Bias: The risk of perpetuating or amplifying biases from source data is a critical compliance concern. Firms are expected to implement advanced statistical tests to detect and mitigate bias in synthetic datasets. This includes demographic parity checks and equalised odds assessments, particularly for models influencing credit and insurance underwriting.
Data Protection Compliance: While designed to be anonymised, the generation process itself falls within the scope of data protection regulations. Firms must document the legal basis for processing the original data for synthesis and ensure the resulting data is demonstrably anonymous to a high statistical threshold, thereby not constituting personal data under UK GDPR.
Transition Finance Council Consultation on Entity-Level Guidelines
Development: The Transition Finance Council has initiated a consultation on voluntary guidelines for assessing the credibility of corporate net-zero transition plans. The framework is structured around four principles: Credible Ambition, Action into Progress, Transparent Accountability, and Addressing Dependencies.
Technical Risk and Compliance Implications:
Mitigation of Greenwashing Risk: Adherence to these guidelines can serve as a key defence against allegations of greenwashing. Compliance functions should map the proposed principles to their existing ESG risk frameworks to identify gaps and ensure due diligence processes are sufficiently robust to substantiate transition finance claims.
Operationalisation Policy: Firms must translate these high-level principles into granular policies and operational procedures. This necessitates the development of quantitative and qualitative metrics to assess transition plans, along with training for relationship managers and credit risk teams on their application.
Framework Interoperability: A key compliance task will be ensuring seamless integration with mandatory disclosure frameworks, such as those from the Transition Plan Taskforce (TPT) and the International Sustainability Standards Board (ISSB). This requires a unified data strategy for collecting, verifying, and reporting transition-related information.
FCA Multi-Firm Review of Algorithmic Trading Controls (RTS 6)
Development: The FCA's review of principal trading firms' compliance with MiFID's Regulatory Technical Standard 6 (RTS 6) revealed material inconsistencies. Deficiencies were noted in conformance testing, market abuse surveillance systems, and the technical proficiency of second-line-of-defence functions.
Technical Risk and Compliance Implications:
RTS 6 Self-Assessment Rigour: Firms must conduct a thorough, evidence-based review of their annual RTS 6 self-assessments. This includes ensuring all articles of the regulation are addressed, particularly those concerning testing methodologies (Article 9) and market abuse monitoring (Article 16). External validation of these assessments is highlighted as good practice.
Compliance Function Competency: The findings underscore a regulatory expectation that compliance personnel possess sufficient technical expertise to credibly challenge the design, testing, and control environment of algorithmic trading systems. Investment in specialised training on market microstructures and algorithmic strategies is imperative.
Market Abuse Surveillance System Efficacy: Firms are required to enhance their Market Abuse Regulation (MAR) surveillance systems beyond generic alert scenarios. Systems must be calibrated to detect sophisticated, algorithm-specific manipulative behaviours, such as momentum ignition or spoofing, across multiple venues and asset classes.
Governance and System Documentation: A complete and current algorithm inventory is a baseline requirement. Firms must ensure clear ownership of pre- and post-trade controls, with formally documented procedures for algorithm deployment, emergency kill-switch functionality, and periodic review.
Pensions Regulator & FCA Dialogue on Retirement Support
Development: A joint podcast clarified the intended synergy between the FCA's proposed "targeted support" framework and the "guided retirement" duties under the Pension Schemes Bill 2025, which will mandate default decumulation solutions.
Technical Risk and Compliance Implications:
Regulated Activities Boundary: The "targeted support" proposal aims to create a new, limited-scope regulated activity. Firms must analyse this proposal closely to understand how it modifies the advice/guidance boundary as defined in the Regulated Activities Order (RAO), and what operational controls will be required to deliver this support compliantly.
Product Governance for Decumulation: The "guided retirement" mandate imposes significant product governance obligations on trustees. This requires a structured process for designing, stress-testing, and monitoring default solutions to ensure they meet the needs of the target market and deliver fair value.
European Union Developments
EBA Final RTS on Off-Balance Sheet Items under CRR
Development: The EBA has finalised its draft RTS under Article 111(8) of the Capital Requirements Regulation (575/2013). The RTS establish criteria for classifying off-balance sheet items and define factors that negate the "unconditionally cancellable" status of commitments.
Technical Risk and Compliance Implications:
Impact on RWA Calculation: These RTS will directly affect the calculation of Risk-Weighted Assets (RWAs) under the Standardised Approach for Credit Risk (SA-CR). Risk modelling and regulatory reporting teams must immediately assess the capital impact by re-mapping off-balance sheet items according to the new criteria.
Re-evaluation of Unconditionally Cancellable Commitments (UCCs): Firms must systematically review their portfolio of UCCs against the four constraining factors (risk management processes, commercial considerations, reputational risk, litigation risk). Commitments found to be constrained must be reclassified from a 0% to a higher Credit Conversion Factor (CCF), leading to increased capital requirements.
COREP Reporting Adjustments: The integration of the notification process into the COREP framework necessitates adjustments to regulatory reporting systems and processes to ensure accurate and timely submission of data on newly classified items.
Delegated Regulation on Market Abuse under MiCA (2025/885)
Development: Commission Delegated Regulation 2025/885, supplementing MiCA with RTS on market abuse, has been published in the Official Journal and enters into force on 9 September 2025.
Technical Risk and Compliance Implications:
Mandatory System Implementation: Crypto-Asset Service Providers (CASPs) are now mandated to implement comprehensive technical and procedural systems to prevent, detect, and report market abuse. This is a significant operational build for many firms.
Surveillance System Specifications: The RTS implicitly require sophisticated surveillance capabilities, including order book replay, transaction pattern analysis, and automated alert generation for activities such as insider dealing and market manipulation specific to crypto-assets.
Enhanced Cross-Border Supervision: The regulation codifies procedures for cooperation between National Competent Authorities (NCAs). Firms with cross-border operations should anticipate coordinated supervisory actions and an increase in information requests from multiple regulators.
ESMA and European Environment Agency (EEA) MoU
Development: ESMA and the EEA have formalised their collaboration on sustainable finance through a Memorandum of Understanding, focusing on data sharing and supervisory capacity building.
Technical Risk and Compliance Implications:
Data-Driven Supervision of ESG: This MoU signals a regulatory shift towards more empirical and data-driven supervision of sustainability disclosures under SFDR and CSRD. Firms should prepare for heightened scrutiny of the underlying data and methodologies used in their ESG reporting and product classifications.
Data Integrity and Assurance: The emphasis on data exchange elevates the importance of robust data governance for non-financial information. Firms must ensure the accuracy, completeness, and auditability of their reported environmental data to withstand this intensified level of regulatory examination.
ESMA Guide to Registration Process
Development: ESMA has published a guide clarifying its registration, authorisation and recognition procedures for entities like CRAs, TRs, and benchmark administrators.
Technical Risk and Compliance Implications:
Procedural Clarity for Applicants: The guide outlines the distinct phases of ESMA's assessment (completeness, compliance, and final decision). Applicants can leverage this to structure their submission projects more effectively, ensuring all requisite information mandated by the relevant Regulatory and Implementing Technical Standards (RTS/ITS) is provided upfront.
Unchanged Substantive Requirements: It is critical to note that this guide is procedural and does not alter the substantive legal and technical requirements for registration under the applicable sectoral legislation (e.g., CRA Regulation, EMIR). Compliance remains contingent on meeting these foundational requirements in full.


