
Risk and Compliance Report (Week Ending September 19, 2025)

Executive Summary


This briefing analyses the key regulatory developments for the week ending 19 September 2025. The environment facing global financial institutions is a “polycrisis”: rapid technological disruption, systemic risk, regulatory fragmentation, and supervisory scrutiny of complex products and of the consumer value chain. Senior leadership needs an integrated response that goes beyond siloed compliance to comprehensive risk management.


The analysis is organised around five key themes that emerged this week. First, the strategic tension between the UK’s explicit “pro-growth” regulatory agenda and the concurrent demand for increased resilience creates both opportunities and notable governance challenges. The Financial Conduct Authority (FCA) is actively promoting innovation in fintech, artificial intelligence (AI), and crypto-assets. However, it is also emphasising that firms will be held to strict standards under existing, principles-based frameworks.


Second, operational resilience has been clearly raised from a firm-level business continuity issue to a macroprudential, systemic concern. Regulators are now concentrating on the integrity of the entire financial ecosystem, with a particular focus on the concentration risks posed by critical third-party technology providers.


Third, the profound operational and capital costs of regulatory divergence are becoming starkly apparent. The staggered and uncoordinated global implementation of the Fundamental Review of the Trading Book (FRTB) is creating significant complexity and cost for international banks. Similarly, the divergent paths being taken by the UK and the European Union (EU) on crypto-asset regulation necessitate distinct and costly strategic choices for firms operating in both markets.


Fourth, supervisors are intensifying their focus on specific sectors, challenging complex financial engineering in the insurance market through a crackdown on funded reinsurance, and applying the full force of the Consumer Duty to investigate the pure protection product value chain. Finally, long-term, existential technological threats, most notably the advent of quantum computing, are moving from the theoretical to the practical, demanding immediate strategic planning to mitigate the risk of future data compromise.


Table 1: Key Regulatory Initiatives at a Glance

Regulatory Initiative | Lead Regulator(s) | Current Status | Key Implementation/Comment Deadline(s) | Primary Impacted Business/Function(s)
UK ‘Regulating for Growth’ Agenda (AI, Crypto, Fintech) | FCA | Ongoing Policy/Speeches | N/A (Strategic Direction) | Strategy, Innovation, Legal & Compliance, Technology
Systemic Operational Resilience | Bank of England (FPC, PRA) | Policy Direction (Speech) | N/A (Strategic Direction) | Risk, Operations, Technology, C-Suite
FRTB Implementation (UK) | PRA | Consultation Paper | Jan 1, 2027 (SA); Jan 1, 2028 (IMA) | Market Risk, Trading Desks, Finance, Technology
EU T+1 Settlement Cycle | EU (Commission, Parliament, Council) | Political Agreement | Proposed: Oct 11, 2027 | Securities Operations, Treasury, Custody, FX Trading
Funded Reinsurance Scrutiny | PRA | Policy Direction/Speech | Ongoing Supervisory Focus | Life Insurance, Reinsurance, Risk, Capital Management
Pure Protection Market Study | FCA | Market Study Launched | Findings due by the end of 2025 | Retail Insurance, Distribution, Compliance, Legal
Third-Country Insurance Branches Regime | PRA | Consultation Paper | H1 2026 (Expected PS) | International Insurers, Legal, Compliance
EU MiCA Implementation | ESMA, EBA | Level 2/3 Measures Development | Full application from Dec 2024 | Crypto-Asset Businesses, Digital Assets, Compliance
ECB Legacy NPEs Guideline | ECB | Consultation Paper | Comments due: Oct 27, 2025 | Banking (Less Significant Institutions), Credit Risk

 

1. The Regulator’s Dual Mandate: Balancing Innovation with Financial Stability


Recent statements from the UK regulators show a deliberately balanced approach: promoting the UK as a hub for financial innovation while enforcing principles-based supervision. This creates a challenge for firms. The FCA fosters experimentation and growth but expects more accountability in return. Firms may innovate without waiting for technology-specific rules, but they will be judged on governance, consumer protection, and market integrity under the rules that already exist.

 

1.1. The UK’s ‘Regulating for Growth’ Agenda

On 17 September 2025, Jessica Rusu, FCA’s Chief Data, Information, and Intelligence Officer, delivered a keynote that outlined the UK’s regulatory philosophy, positioning innovation and technology as key to the UK Government’s growth plans and the FCA’s five-year strategy. The regulator aims to foster a competitive financial sector, especially post-Brexit, citing UK fintech investment exceeding France and Germany combined in early 2025 as proof of success.


To translate this philosophy into practice, the FCA is deploying a suite of initiatives designed to create a supportive ecosystem for firms to innovate, grow, and scale. The launch of a new Scale-up Unit is intended to provide targeted support for high-growth firms, while the Smart Data Accelerator is laying the groundwork for Open Finance, aiming to unlock new products and better consumer outcomes through secure data sharing.


Financial institutions face a key challenge in adapting how they engage with the regulator. The era of passive, compliance-only interaction has ended. The FCA now expects proactive dialogue, collaboration, and participation in its innovation programmes. Remaining passive risks a firm being seen as a slow adopter misaligned with the regulator’s goals, which can mean more reactive oversight, increased scrutiny, and less influence over regulatory change. The call to innovate is also a call to engage; silence may be read as a lack of strategic foresight.

 

1.2. AI Adoption: Innovation Under an Existing Rulebook


The FCA’s approach to AI shows its dual mandate. It encourages firms to adopt AI via key initiatives. The Supercharged Sandbox, built with Nvidia, offers firms advanced GPU resources, synthetic datasets, and regulatory support to develop AI proofs-of-concept. Alongside, the AI Live Testing service provides a collaborative space for firms ready to deploy AI-powered services. Its goal is to jointly assess if AI systems are safe and responsible, boosting industry confidence and reducing first-mover hesitation.


Crucially, however, the FCA has been clear that it will not establish a new, bespoke regulatory regime for AI. Instead, it will apply its existing technology-agnostic, principles-based, and outcomes-focused framework. This means the use of AI will be regulated by current rules such as the Consumer Duty, which requires firms to deliver good outcomes for retail customers, and the Senior Managers and Certification Regime (SMCR), which assigns personal accountability to senior individuals for their areas of responsibility.


This approach creates a ‘governance chasm’ that firms must urgently address: a mismatch between the complexity of the technology and the accountability framework applied to it. For example, a senior manager such as the SMF24 Chief Operations Officer can be personally liable for harm caused by an opaque AI system, such as discriminatory lending or flawed investment advice, whose behaviour even its developers may not fully understand. Complex models heighten the risk of consumer harm and market integrity failures, and the speed and scale of AI deployment mean that those risks can materialise rapidly.


This creates an implicit but vital “know-your-tech” (KYT) duty for senior management. To close this governance gap and protect managers from liability, firms must establish a strong governance layer beyond standard risk frameworks. This involves investment in tools and processes for model validation, performance monitoring, bias detection, and explainability. These are now essential legal and regulatory defences, demonstrating to regulators that a firm has taken reasonable steps to understand and control AI systems, which will be crucial in future reviews or enforcement.
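One concrete form the “bias detection” control above can take is a periodic disparate-impact check on the model’s own decisions. The following is an added example, not code from the original briefing, the FCA, or any firm’s tooling: it replays a batch of constructed credit decisions and, for each protected attribute, computes the approval rate per group and the ratio of the least-favoured group’s rate to the most-favoured group’s. The 0.8 alert level is the US “four-fifths” rule of thumb and is used here only as an illustrative threshold; the attribute names and decisions are constructed.

```python
"""Bias detection check for an automated lending model (added example).

Not from the page, the FCA, or any firm's tooling.  It replays a batch of
constructed credit decisions and, for each protected attribute, computes the
approval rate per group and the disparate impact ratio (lowest group rate
divided by highest group rate).  The 0.8 alert level is the US "four-fifths"
rule of thumb, used here only for illustration; a firm must set and justify
its own threshold and review cadence.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (applicant id, model approved?, protected attributes).
DECISIONS: List[Tuple[str, bool, Dict[str, str]]] = [
    ("a01", True,  {"sex": "F", "age_band": "18-30"}),
    ("a02", True,  {"sex": "F", "age_band": "18-30"}),
    ("a03", False, {"sex": "F", "age_band": "31-60"}),
    ("a04", True,  {"sex": "F", "age_band": "31-60"}),
    ("a05", False, {"sex": "F", "age_band": "31-60"}),
    ("a06", True,  {"sex": "M", "age_band": "18-30"}),
    ("a07", False, {"sex": "M", "age_band": "18-30"}),
    ("a08", True,  {"sex": "M", "age_band": "31-60"}),
    ("a09", True,  {"sex": "M", "age_band": "31-60"}),
    ("a10", True,  {"sex": "M", "age_band": "31-60"}),
]


def approval_rates(decisions, attribute: str) -> Dict[str, float]:
    """Approval rate for each group of `attribute` (group -> approved / total)."""
    counts = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for _, approved, attrs in decisions:
        group = attrs[attribute]
        counts[group][1] += 1
        if approved:
            counts[group][0] += 1
    return {g: approved / total for g, (approved, total) in counts.items()}


def disparate_impact(rates: Dict[str, float]) -> float:
    """Ratio of the least-favoured group's rate to the most-favoured group's rate."""
    if not rates or max(rates.values()) == 0:
        return 0.0
    return min(rates.values()) / max(rates.values())


def bias_report(decisions, attributes, threshold: float = 0.8):
    """Per-attribute rates, ratio and an alert flag the monitoring process can act on."""
    report = {}
    for attr in attributes:
        rates = approval_rates(decisions, attr)
        ratio = disparate_impact(rates)
        report[attr] = {
            "rates": {g: round(r, 3) for g, r in rates.items()},
            "ratio": round(ratio, 3),
            "alert": ratio < threshold,
        }
    return report


if __name__ == "__main__":
    for attr, row in bias_report(DECISIONS, ["sex", "age_band"]).items():
        flag = "ALERT" if row["alert"] else "ok"
        print(f"{attr:9} ratio={row['ratio']:.3f} {flag} rates={row['rates']}")
```

On the constructed batch the sex ratio is 0.75 and trips the alert while the age-band ratio of 0.889 does not. A real deployment would run this on every scoring window, keep the outputs as evidence for the SMF24’s reasonable-steps record, and pair the rate comparison with error-rate comparisons, since equal approval rates alone do not show equal treatment.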

 

1.3. The UK Crypto-Asset Frontier: A Bespoke Approach

The UK aims to be a global “crypto hub” through balanced regulation that fosters innovation while ensuring oversight. The FCA has started a consultation on its crypto-asset rules, building on powers from the Financial Services and Markets Act 2023. The proposals aim to integrate crypto into mainstream regulation, focusing on operational resilience, combating economic crime, and potentially extending the Consumer Duty to crypto firms.


The UK’s approach differs from the EU’s. While the EU has a comprehensive MiCA regulation, the UK uses a phased, activity-based strategy, incorporating specific crypto-activities into FSMA. This allows flexibility and gradual development but creates regulatory uncertainty as firms await clarification through consultations and policies.


A key risk in the UK’s proposals is the strict regulatory boundary for retail activities. The draft states non-UK crypto firms serving UK retail customers must establish a UK-licensed subsidiary, not just a branch. This requires significant structural, operational, and financial commitment, forcing firms to decide how much to invest in the UK market. While the UK welcomes business, it will maintain strict supervision and consumer protection standards.

 

2. The New Architecture of Resilience: From Firm-Level Continuity to System-Wide Integrity


Regulators’ view of resilience is shifting from individual firm plans to the stability of the entire financial system, driven by a highly interconnected digital financial environment. Single failures—like cyber-attacks or outages—can cause systemic disruptions. Regulators now emphasise designing firms and the system to withstand and recover from inevitable disruptions while maintaining essential services.

 

2.1. A Systemic Perspective on Operational Risk

A speech delivered on 18 September 2025 by Liz Oakes, an external member of the Bank of England’s Financial Policy Committee (FPC), marks a pivotal moment in this shift. The FPC, the UK’s macroprudential authority, was established after the 2008 financial crisis with an initial focus on bank capital and unsustainable credit growth. Oakes’s speech explicitly indicates that the FPC’s focus is now increasingly on operational risk, elevating it to the same level of strategic importance as capital and liquidity in maintaining financial stability.


This change is driven by two factors: a structural shift in the financial industry and evolving threats. Digitalisation and interconnection mean operational disruptions can now spread faster and more unpredictably. This is worsened by a rise in external threats, notably cyber-attacks. In 2023, a study found that financial firms were over six times more likely to face a cyber incident than other firms in advanced economies (25% vs. 4%).


This perspective shifts regulatory focus. The PRA and FCA policies do not aim to prevent all disruptions but assume they will happen. Firms must identify “important business services” that, if disrupted, would cause severe harm, and ensure they stay within “impact tolerances” during major disruption scenarios. This represents a move from risk prevention to impact mitigation.


The evolution of regulatory handling of operational risk mirrors the management of credit risk after 2008. Before the crisis, credit risk was seen as a firm-specific issue managed through controls and diversification. The crisis exposed its systemic, interconnected nature, where a single institution’s failure could trigger widespread collapse via complex exposures. This led to the development of macroprudential tools, including stress testing, interconnectedness analysis, and capital buffers, to absorb shocks.


Today, operational risk is described using macroprudential language, emphasising interconnectedness, shock amplification, and contagion, similar to post-crisis credit risk talks. The PRA links operational risk and resilience to ICAAP. Regulators may start quantifying financial impacts of resilience failures with Pillar 2 capital add-ons. Firms with weak resilience, poor testing, or reliance on vulnerable third parties could face capital charges. This makes operational resilience a key aspect of capital and balance sheet management.

 

2.2. Managing Critical Third-Party (CTP) Dependencies

A key aspect of the new systemic risk perspective is the intense focus on dependencies on critical third parties (CTPs), especially the small number of large technology companies that deliver essential cloud computing and software services to the financial sector. The FPC speech clearly highlights this increasing reliance as a significant systemic vulnerability, since an incident at a single CTP could simultaneously affect many financial institutions, causing a correlated shock across the system.


In response, the regulatory perimeter is effectively being widened to include these critical technology providers. This reflects a global trend, as seen in the EU’s Digital Operational Resilience Act (DORA), which creates a direct oversight framework for designated CTPs, and in the UK’s own operational resilience framework. The UK’s Financial Services and Markets Act 2023 grants UK regulators new powers to supervise the services that CTPs provide to the financial sector.


For financial firms, responsibility for resilience extends beyond their own operations. The PRA’s outsourcing and third-party risk management policy (SS2/21) complements its operational resilience rules (SS1/21). Firms must do more than basic vendor checks: map essential services, identify dependencies, rigorously test resilience, and develop tested exit and recovery plans. Recent PRA proposals will require firms to maintain a detailed register of material third-party arrangements and inform regulators before significant changes. This helps regulators assess sector-wide risks and systemic impacts early.
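The mapping and testing expectations above can be made concrete in a small model. The following is an added example, not code from the original briefing, the PRA, or any firm’s tooling: a firm records each important business service, the components that deliver it, the provider behind each component and the tested failover time (None where no alternative exists), and then asks which services depend on a given provider and which impact tolerances are breached if that provider is down for a given number of hours. All service names, providers, tolerances and failover times are constructed.

```python
"""Important-business-service mapping and third-party concentration check (added example).

Not from the page, the PRA, or any firm's tooling.  A firm lists each important
business service (IBS), the components that deliver it, the provider behind each
component and the tested failover time (None where no alternative exists), then
asks two questions: which services depend on a given provider, and which impact
tolerances are breached if that provider is down for a given number of hours.
All service names, providers, tolerances and failover times are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Dependency:
    component: str                    # e.g. "core ledger"
    provider: str                     # third party hosting or supplying it
    failover_hours: Optional[float]   # tested time to switch to an alternative; None = none exists


@dataclass
class Service:
    name: str
    impact_tolerance_hours: float     # board-approved maximum tolerable disruption
    deps: List[Dependency] = field(default_factory=list)

    def outage_duration(self, failed_provider: str, outage_hours: float) -> float:
        """Hours this service is down while `failed_provider` is unavailable.

        A component with a tested alternative returns after its failover time
        (never longer than the outage itself); one with no alternative is down
        for the whole outage.  The service is down as long as its worst component.
        """
        worst = 0.0
        for d in self.deps:
            if d.provider != failed_provider:
                continue
            down = outage_hours if d.failover_hours is None else min(d.failover_hours, outage_hours)
            worst = max(worst, down)
        return worst


def provider_concentration(services: List[Service]) -> Dict[str, List[str]]:
    """provider -> sorted names of the services that depend on it (the concentration view)."""
    seen: Dict[str, Set[str]] = {}
    for s in services:
        for d in s.deps:
            seen.setdefault(d.provider, set()).add(s.name)
    return {p: sorted(names) for p, names in seen.items()}


def tolerance_breaches(services: List[Service], failed_provider: str, outage_hours: float) -> Dict[str, float]:
    """Services whose impact tolerance is exceeded in the scenario, with the modelled downtime."""
    result: Dict[str, float] = {}
    for s in services:
        down = s.outage_duration(failed_provider, outage_hours)
        if down > s.impact_tolerance_hours:
            result[s.name] = down
    return result


# Constructed mapping.  Retail payments has two CloudCo components: the gateway
# has a 2h failover, the ledger has none, so the ledger decides the outcome.
SERVICES = [
    Service("Retail payments", 4.0, [
        Dependency("payment gateway", "CloudCo", 2.0),
        Dependency("core ledger", "CloudCo", None),
    ]),
    Service("Mortgage origination", 24.0, [
        Dependency("document store", "CloudCo", 8.0),
        Dependency("credit bureau feed", "BureauLtd", None),
    ]),
    Service("Card authorisation", 1.0, [
        Dependency("authorisation switch", "SwitchNet", 0.5),
    ]),
]

if __name__ == "__main__":
    print("Concentration:", provider_concentration(SERVICES))
    for hours in (3.0, 6.0, 30.0):
        print(f"CloudCo down {hours:>4}h -> breaches:", tolerance_breaches(SERVICES, "CloudCo", hours))
```

The point the model makes is the one the FPC speech makes: a single provider (CloudCo) sits under two services, and one untested or non-existent failover (the ledger) is enough to breach a four-hour tolerance in a six-hour outage even though the other component recovers in two. The same structure is what a material third-party register has to capture for regulators to aggregate across firms.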

 

2.3. The Role of Collective Action: CMORG

In her speech, Liz Oakes emphasised that building system-level resilience cannot be achieved by firms acting alone, and she pointed to collective action initiatives as a key tool. The primary example provided was the Cross Market Operational Resilience Group (CMORG). This public-private partnership has become the strategic centre for coordinating sector-wide resilience efforts across the UK.


CMORG is co-chaired by the Bank of England and the industry body UK Finance, and its membership includes senior operational and risk executives (CRO, COO, or SMF24 level) from systemically essential banks, financial market infrastructures (FMIs), and insurers, along with representatives from HM Treasury, the FCA, and the National Cyber Security Centre. This structure is designed to facilitate trusted and effective collaboration between the industry and authorities.


The work of CMORG is practical and delivered through several specialist technical subgroups. These groups concentrate on vital areas such as Third Party Resilience, Sector Exercising (coordinating large-scale, cross-sector simulation exercises), developing a standard Sector Response Framework, and Cyber Coordination. The outputs of these groups—which may include best practice guidance, response playbooks, and contingency tools—are created on a voluntary, collaborative basis for the benefit of the entire sector.


For financial institutions, participation in CMORG and its subgroups is no longer an optional “good practice” but a strategic necessity. It offers an invaluable source of intelligence on emerging threats and vulnerabilities that are only visible at a sector-wide level. It also provides a vital forum for shaping the collective response mechanisms that will be activated during a real-world systemic incident. In the new interconnected world of operational risk, the ability to collaborate effectively with peers and authorities is a crucial part of a firm’s resilience framework.

 

3. Navigating a Fragmented World: The Operational Burden of Regulatory Divergence


For global financial institutions, the fragmented international regulatory landscape increases operational risk, strategic complexity, and costs. The goal of a harmonised rulebook has shifted to dealing with divergent timelines, national approaches, and different philosophies on regulating new technologies. Recent developments in market risk rules, crypto-asset regulation, and shorter settlement cycles highlight the challenges firms face in this fragmented environment.

 

3.1. The Staggered Rollout of the Fundamental Review of the Trading Book (FRTB)

The global rollout of the FRTB, the part of the Basel III reforms that overhauls market risk capital requirements, has become uncoordinated, with the major jurisdictions moving on different schedules. The EU delayed its FRTB implementation to January 2027 to preserve a level playing field amid global uncertainty. The UK’s PRA has proposed a split approach: the Standardised Approach (SA) from January 2027, with the more complex Internal Models Approach (IMA) delayed until January 2028. The US’s final rules and timing remain uncertain, with no final decision yet.


This staggered rollout creates operational complexity for global banks, especially those with trading in London, New York, and Europe. For some time, these firms will operate several capital calculation and reporting systems in parallel. A trading business may run legacy Basel 2.5 models in the US, adopt the new approaches in the UK, and use a mixed framework in the EU. This affects not just reporting but also front-office strategy, including trading desk structure, capital allocation, and risk management. Challenges with the IMA, such as passing the daily profit and loss attribution (PLA) test and managing the punitive capital treatment of non-modellable risk factors (NMRFs), are exacerbated by the presence of multiple rule versions.


The combination of operational complexity, high costs, and divergent timelines will likely cause a significant strategic shift in how banks approach the FRTB. The IMA, designed to be more risk-sensitive and capital-efficient for sophisticated firms, carries a heavy operational burden. The PLA test requires a bank’s front-office pricing models and independent risk models to produce highly correlated daily figures, which is challenging due to differences in data sources, valuation times, and assumptions. A trading desk that repeatedly fails this test must revert to the Standardised Approach.


Many banks will need to analyse costs and benefits at each trading desk to manage infrastructure across different regulations. For desks with fewer liquid products or complex risks, operational costs and risks of maintaining IMA eligibility may outweigh capital savings, leading to a possible shift to the more straightforward Standardised Approach. This could reduce market liquidity, as higher capital charges discourage market making. The varied implementation timelines also create chances for regulatory arbitrage, with firms booking trades in jurisdictions with more favourable or delayed rules.

 

3.2. Crypto-Assets: A Tale of Two Regimes (UK vs. EU MiCA)

The divergence in regulatory approaches is equally pronounced in the emerging field of crypto-assets. The EU and the UK, the two main regulatory centres in Europe, have taken notably different paths, creating a complex compliance landscape for firms wishing to operate across both markets.


The EU’s Markets in Crypto-Assets (MiCA) Regulation creates a harmonised, product-focused framework. It sets uniform rules for crypto-asset issuers and service providers, emphasising consumer protection through disclosure, including a mandatory white paper for most assets. MiCA has no third-country regime, so non-EU firms must establish an authorised entity in the EU to serve EU customers.


In contrast, the UK is adopting a more flexible, phased, and activity-based approach, building on its existing Financial Services and Markets Act (FSMA) framework. Instead of establishing a single, all-encompassing regulation, the UK is specifying particular crypto-asset activities (e.g., issuance, custody, trading) as regulated activities, which rules developed by the FCA will then govern. This method provides greater flexibility but also introduces more uncertainty for firms during the development phase. This fundamental divergence in regulatory philosophy and structure has significant practical implications for firms, as detailed in the table below.


Table 2: Comparative Analysis: UK Crypto-Asset Regulation vs. EU MiCA

Feature | United Kingdom (Proposed) | European Union (MiCA)
Regulatory Philosophy | Activity-based, phased approach. Integrates activities into the existing FSMA perimeter. Technologically neutral definition. | Product-centric, comprehensive, standalone regulation. Creates a harmonised, single rulebook for the EU.
Legal Framework | Amendments to the FSMA 2000 and secondary legislation (Regulated Activities Order). | Standalone EU Regulation (Regulation (EU) 2023/1114).
Territorial Scope & Third-Country Access | Firms operating “in or to” the UK are in scope. Non-UK firms serving UK retail customers must establish a UK-authorised subsidiary. | No third-country passporting regime. Non-EU firms must establish an authorised entity in an EU member state to provide services (reverse solicitation is very narrow).
Asset Categorisation | Focus on “qualifying cryptoassets” and “qualifying stablecoins.” Fiat-backed stablecoins used for payments are a priority for regulation. | Detailed categorisation: Asset-Referenced Tokens (ARTs), E-Money Tokens (EMTs), and other crypto-assets (e.g., utility tokens).
Issuer Requirements | Disclosure and admission requirements to be developed by the FCA. Focus on governance and operational resilience. | A mandatory, detailed white paper is required for most public offerings. White papers for ARTs and EMTs require regulatory approval, with strict governance and reserve asset requirements in place for stablecoin issuers.
Service Provider Authorisation | Firms conducting newly regulated activities (e.g., custody, operating a platform) will require FCA authorisation. | Crypto-Asset Service Providers (CASPs) must be authorised in an EU member state and will benefit from a passport to operate across the EU. Subject to extensive operational and conduct rules.
Market Abuse Regime | A market abuse framework for crypto-assets will be introduced, based on existing financial services principles. | A comprehensive market abuse regime established under MiCA prohibits insider dealing, unlawful disclosure, and market manipulation.
Financial Promotions / Marketing Rules | “Qualifying cryptoassets” are brought within the UK’s strict financial promotions regime, requiring promotions to be approved by an authorised firm. | Marketing communications are regulated directly under MiCA and must be fair, transparent, and not misleading. A white paper serves as a key marketing disclosure document.

 

3.3. The T+1 Transition: The Risk of Asynchronous Settlement

The global shift to a shorter settlement cycle for securities highlights how a lack of harmonisation creates operational risk. While the United States, Canada, and India have already adopted a “trade date plus one day” (T+1) settlement cycle, the EU is progressing more slowly. Following a political agreement to amend the Central Securities Depository Regulation (CSDR), the EU now aims to implement T+1 by October 11, 2027.


This results in a multi-year period of asynchronous settlement across major capital markets. For global financial institutions, this misalignment presents significant operational and liquidity challenges. The shortening of the settlement cycle from two days to one significantly reduces the time available for all post-trade processes, such as trade allocation and affirmation, clearing, and settlement instructions. When a transaction involves both a T+1 and a T+2 jurisdiction—for instance, a US dollar-funded purchase of a European security—the complexities increase.


Risks mainly occur in foreign exchange settlement, securities lending, and cross-border collateral management. Firms may need FX on a T+1 basis to settle security trades paying on T+2, creating funding gaps and more settlement risk. The tight timeframe pressures operational teams, especially across time zones, increasing settlement failures. While the EU aims for harmonisation with the UK and Switzerland, timelines may not align, leaving firms to navigate a complex transitional period.

 

4. Horizon Scanning: Preparing for Quantum-Era Threats


Although much of the regulatory focus is on immediate and medium-term risks, a high-impact, long-term strategic threat is emerging that demands immediate planning and attention from risk and compliance teams. The development of fault-tolerant quantum computing, while still several years away, poses an existential risk to the cryptographic foundations supporting the entire global financial system. Failing to prepare for this transition represents a serious shortcoming in long-term strategic risk management.

 

4.1. The Post-Quantum Imperative

Quantum computers can solve certain mathematical problems far faster than any classical supercomputer. Unfortunately, the security of today’s public-key cryptography, RSA and elliptic-curve cryptography (ECC) included, rests on exactly those problems: integer factorisation and discrete logarithms, which Shor’s algorithm solves efficiently on a sufficiently large quantum computer. When quantum computers reach that point (“Q-Day”), much of what is now considered secure, including financial transactions, customer information, digital signatures, and communications, becomes vulnerable.


The most immediate and insidious threat, however, does not need a functioning quantum computer to be present today. It is the threat of “Harvest now, decrypt later” (HNDL) attacks. Adversaries, including nation-states and sophisticated criminal organisations, are believed to be actively capturing and storing large amounts of encrypted data from financial institutions and other targets. Their plan is to keep this data until Q-Day, when they will be able to decrypt it at their convenience.


Data with a long lifecycle is at greatest risk: mortgage agreements, government bonds, trade secrets, and personal data encrypted today under vulnerable algorithms could be read years later. Transitioning to Post-Quantum Cryptography (PQC), designed to resist both classical and quantum attack, is therefore urgent. NIST in the US has finalised its first PQC standards: FIPS 203 (ML-KEM, key establishment), FIPS 204 (ML-DSA, signatures) and FIPS 205 (SLH-DSA, signatures). Symmetric ciphers and hash functions are only modestly weakened by known quantum algorithms, so AES-256 and the SHA-2/SHA-3 families remain adequate; the migration effort is concentrated on public-key uses.

 

4.2. Risk and Compliance Considerations for PQC Migration

The migration to PQC represents one of the most significant and complex technological transitions the financial industry has ever faced. The challenges are immense and touch every part of a financial institution’s operations. They include:


  • Legacy Systems Assessment: Identifying and assessing every system, application, and piece of hardware across the enterprise that uses public-key cryptography—a monumental task in a large, complex organisation.

  • Strategic Planning: Developing a multi-year migration strategy in the face of an evolving technological landscape and uncertainty about the exact timing of Q-Day.

  • Migration Complexity: Managing the sheer scale of the migration, which involves addressing issues of interoperability between new and old systems, potential performance impacts from the latest algorithms, resource constraints, and ensuring backward compatibility during an extended transition period.

  • Regulatory and Compliance: Navigating emerging regulatory and compliance expectations for “quantum readiness.”


Risk and Compliance functions must be at the forefront of their organisation’s response to this threat. Waiting for Q-Day to be imminent is not a viable strategy; the migration process will take years to complete. Immediate action is required in four key areas:

  1. Build a Cryptographic Inventory: The first and most critical step is to begin the process of creating a comprehensive, enterprise-wide inventory of all cryptographic assets. The firm must understand what algorithms are being used, where they are being used, who owns the systems, and what data they are protecting. This inventory is the foundational map for any migration strategy.

  2. Develop a Strategic Roadmap: In collaboration with technology and business leaders, Risk and Compliance must help develop a multi-year strategic roadmap for the transition to PQC. This should include prioritising systems based on the sensitivity and lifecycle of the data they protect, planning for phased rollouts, and securing the necessary budget and resources.

  3. Establish Governance: A clear governance structure for the PQC migration program is essential. This includes assigning executive ownership, establishing a cross-functional steering committee, and defining roles and responsibilities for oversight and execution.

  4. Monitor and Engage: Risk and Compliance must actively monitor the development of PQC standards, the evolution of the quantum threat, and emerging regulatory expectations. As part of their operational resilience and cybersecurity dialogues, regulators will inevitably begin to ask firms about their PQC transition plans. Being able to demonstrate a proactive, well-governed, and risk-based approach will be critical.
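Steps 1 and 2 above, the inventory and the prioritisation by data sensitivity and lifecycle, can be started with a very small amount of tooling. The following is an added example, not code from the original briefing, NIST, or any firm’s tooling: it takes a constructed inventory of where cryptography is used, classifies each entry against the quantum threat, and ranks the quantum-vulnerable entries so that confidentiality uses whose data outlives the migration window (already exposed to harvest-now-decrypt-later) come first. The two timing parameters, years until a cryptographically relevant quantum computer and years the migration will take, are assumptions the firm must set and revisit, as are all system names and lifetimes in the sample.

```python
"""Cryptographic inventory triage for PQC migration (added example).

Not from the page, NIST, or any firm's tooling.  It takes a constructed inventory
of where cryptography is used, classifies each entry against the quantum threat,
and ranks the quantum-vulnerable entries: confidentiality uses whose data outlives
the migration window are already exposed to harvest-now-decrypt-later and go
first.  The two timing parameters, years until a cryptographically relevant
quantum computer and years the migration will take, are assumptions the firm must
set and revisit, not facts.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public-key schemes whose hardness assumption (factoring / discrete log) Shor's
# algorithm breaks outright.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# NIST PQC standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers and hashes are only weakened (Grover roughly halves effective
# key strength), so 256-bit keys remain adequate.
SYMMETRIC = {"AES", "CHACHA20"}
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}


@dataclass
class Entry:
    system: str
    owner: str
    algorithm: str              # normalised name, e.g. "RSA", "ML-KEM"
    key_bits: int               # key size, or PQC parameter set (e.g. 768 for ML-KEM-768)
    use: str                    # "key-exchange", "encryption", "signature" or "hash"
    data_lifetime_years: float  # how long the protected data must stay confidential / valid


def classify(e: Entry) -> str:
    alg = e.algorithm.upper()
    if alg in PQC:
        return "pqc"
    if alg in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if alg in SYMMETRIC:
        return "symmetric-ok" if e.key_bits >= 256 else "symmetric-weak"
    if alg in HASHES:
        return "hash-ok"
    return "unknown"   # an algorithm nobody can name is a finding in its own right


def hndl_exposed(e: Entry, years_to_qday: float, migration_years: float) -> bool:
    """Mosca's inequality: data is at risk if its confidentiality lifetime plus the
    time needed to migrate exceeds the time until a quantum computer can break the
    scheme.  Only confidentiality uses of Shor-vulnerable schemes count; a signature
    cannot be decrypted later (it can be forged later, a separate pre-Q-Day deadline)."""
    if classify(e) != "quantum-vulnerable" or e.use not in ("key-exchange", "encryption"):
        return False
    return e.data_lifetime_years + migration_years > years_to_qday


def triage(inventory: List[Entry], years_to_qday: float, migration_years: float) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Return (ordered migration list, classification counts)."""
    ranked = []
    counts: Dict[str, int] = {}
    for e in inventory:
        cls = classify(e)
        counts[cls] = counts.get(cls, 0) + 1
        if cls != "quantum-vulnerable":
            continue
        if hndl_exposed(e, years_to_qday, migration_years):
            overshoot = e.data_lifetime_years + migration_years - years_to_qday
            ranked.append((0, -overshoot, e.system, f"HNDL-exposed now (overshoot {overshoot:g}y)"))
        elif e.use == "signature":
            ranked.append((2, 0.0, e.system, "replace before Q-Day (forgery risk)"))
        else:
            ranked.append((1, 0.0, e.system, "migrate within window"))
    ranked.sort()   # tier, then largest overshoot, then system name
    return [(system, note) for _, _, system, note in ranked], counts


# Constructed inventory (systems, owners and lifetimes are illustrative).
INVENTORY = [
    Entry("Online banking TLS", "Digital", "ECDH", 256, "key-exchange", 7),
    Entry("Mortgage document archive", "Lending", "RSA", 2048, "encryption", 30),
    Entry("Payment instruction signing", "Payments", "RSA", 3072, "signature", 1),
    Entry("Internal API tokens", "Platform", "ECDSA", 256, "signature", 0.1),
    Entry("Database at rest", "Platform", "AES", 128, "encryption", 10),
    Entry("Pilot PQC VPN", "Network", "ML-KEM", 768, "key-exchange", 7),
    Entry("Short-lived cache encryption", "Platform", "ECDH", 256, "key-exchange", 0.5),
]

if __name__ == "__main__":
    order, counts = triage(INVENTORY, years_to_qday=10, migration_years=5)
    print(counts)
    for system, note in order:
        print(f"{system:30} {note}")
```

With the assumed ten years to Q-Day and a five-year migration, the thirty-year mortgage archive ranks first (its data is exposed by twenty-five years), the banking TLS endpoint second, and the signature uses last; the AES-128 database is reported separately as a key-length finding rather than a migration item. In practice the inventory rows come from certificate stores, HSM key lists, TLS scans and code scanning rather than by hand, but the classification and ranking logic is the same.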


 

 
 
 
