
Risk & Compliance Report For the Week Ending July 25, 2025

1. Executive Summary


This week saw significant regulatory movements with immediate and future compliance implications for financial institutions. Key developments include the commencement of substantial provisions of the UK's Data (Use and Access) Act 2025, which will require firms to update data protection and breach notification protocols by August 20, 2025. The path to implementing the UK-Switzerland Berne Financial Services Agreement (BFSA) has been clarified, presenting strategic opportunities and requiring firms to prepare for new cross-border frameworks in early 2026.


Financial crime remains a top priority, with the UK's NCA, OFSI, and HM Treasury issuing critical new priorities, threat assessments, and consultation responses. Firms, particularly in the cryptoasset sector, must immediately review and align their risk assessments and controls with this new guidance. In the EU, the ECB has finalised revisions to its supervisory policies, and EIOPA continues to drive convergence in insurance regulation, focusing on outsourcing and the integration of climate risk into ORSAs. In the UK, the FCA has provided crucial feedback on general insurance pricing and claims handling, signalling sustained focus on fair value under the Consumer Duty.


2. Data Protection & Privacy


Development: The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were made, bringing several key provisions of the Act into force on August 20, 2025.

Risk and Compliance Considerations:

  • Breach Notification Deadline Change: The notification period for personal data breaches under PECR is extended to "not later than 72 hours," aligning it with the UK GDPR.

    • Action: Firms must immediately update their incident response plans, internal procedures, and staff training to ensure they can meet the new 72-hour reporting deadline for PECR breaches.

  • New Special Categories of Data: The Secretary of State now has the power to add new "special categories" of data.

    • Risk: Firms processing new types of data (e.g., from emerging technologies) may find that this data is re-categorised as "special," requiring a higher standard of care, explicit consent, and updated Data Protection Impact Assessments (DPIAs). Compliance teams must monitor for any such additions.

  • Data Subject Access Requests (DSARs): A new court procedure for DSARs is being established.

    • Action: Legal and compliance teams must familiarise themselves with this new procedure, as it could alter litigation risk, response strategies, and potential costs associated with contentious DSARs.


3. UK-Switzerland Financial Services Agreement (BFSA)


Development: Progress towards implementing the BFSA has accelerated, with draft UK regulations laid before Parliament, a new FCA webpage providing guidance, and equivalence determinations for OTC derivatives published. The agreement is expected to take effect in early 2026.

Risk and Compliance Considerations:

  • Market Access: The BFSA establishes new frameworks for UK insurers and investment firms to access the Swiss market, as well as for Swiss firms to provide services to UK high-net-worth and professional clients.

    • Action: Firms with business interests in either jurisdiction should begin strategic planning. Eligible Swiss firms are invited to express their interest to the FCA now. UK firms should prepare for an FCA consultation on Handbook changes in September 2025.

  • Regulatory Exclusions: A new exclusion in the UK's Regulated Activities Order (RAO) will allow registered Swiss firms to provide specific investment services without full UK authorisation.

    • Action: Compliance teams in UK firms dealing with Swiss counterparties, as well as in Swiss firms targeting the UK, must understand the scope of this exclusion and the associated registration requirements to ensure they operate within the correct regulatory perimeter.

  • OTC Derivatives (UK EMIR): HM Treasury has determined that Switzerland's regime for non-cleared OTC derivatives and CCPs is equivalent to the UK's, effective January 1, 2026.

    • Action: Firms trading OTC derivatives with Swiss counterparties must update their UK EMIR compliance frameworks accordingly. This will impact risk mitigation, reporting, and clearing obligations, potentially reducing the compliance burden where rules were previously duplicated.


4. Financial Crime & Sanctions


Development: A series of critical updates were issued by UK and international bodies, signalling heightened expectations for financial crime risk management.

Risk and Compliance Considerations:

  • NCA System Priorities 2025: The National Crime Agency (NCA) published nine key priorities for tackling economic crime, including cryptoasset abuse, sanctions evasion, and fraud. This is described as a "critical document."

    • Action: This document must be reviewed at a senior level. Firms are expected to align their financial crime risk assessments, transaction monitoring systems, and resource allocation with these priorities. This will undoubtedly inform future regulatory guidance and the focus of supervisory efforts.

  • OFSI Cryptoasset Threat Assessment: OFSI's report states it is "almost certain" that UK crypto firms have under-reported suspected sanctions breaches. It highlights specific risks related to Russia (GARANTEX), North Korea, and Iran.

    • Action: Cryptoasset firms must immediately review and enhance their sanctions compliance frameworks to ensure they are practical and up-to-date. The red flags provided by OFSI should be integrated into monitoring systems to ensure adequate oversight and compliance. A review of past activity for potential unreported breaches is strongly advised.

  • HM Treasury MLRs Response: HM Treasury will amend the Money Laundering Regulations (MLRs), with a draft statutory instrument expected to be published in the coming months.

    • Action: Firms should prepare for upcoming changes to rules on enhanced due diligence for high-risk countries, pooled client accounts, and information sharing. Cryptoasset firms must anticipate new registration and change-of-control requirements.

  • Wolfsberg Group RBA Statement: The Group reaffirmed its commitment to a risk-based approach (RBA) focused on proportionality, prioritisation, and effectiveness.

    • Action: This statement provides a global benchmark for FIs to assess their financial crime risk management programs. It can be used to validate that the firm's RBA is not merely a procedural exercise, but is genuinely focused on achieving effective outcomes.


5. Insurance Regulation


Development: Regulators in the UK and EU have issued key findings and policy changes related to pricing, claims handling, outsourcing, and risk management.

Risk and Compliance Considerations:

  • FCA Findings on Pricing and Claims (UK): The FCA's evaluation found its general insurance pricing remedies were effective in reducing "loyalty penalties" but noted poor practices in home and travel insurance claims handling and potential negative impacts on product quality (e.g., higher excesses).

    • Action: Insurers must scrutinise their claims handling processes, especially where outsourced, to ensure they meet Consumer Duty standards for fair value and good outcomes. The findings on the inappropriate use of cash settlements and lack of oversight serve as a clear warning of potential future supervisory action.

  • PRA Policy on ISPVs (UK): The PRA has finalised its more flexible and attractive framework for Insurance Special Purpose Vehicles (ISPVs), effective immediately.

    • Action: Firms seeking to transfer risk via insurance-linked securities (ILS) can now utilise a streamlined application process, which will make it easier and faster to set up UK-based Insurance-Linked Securities Vehicles (ILSVs).

  • EIOPA on Climate Scenarios in ORSA (EU): EIOPA found that while most firms now include climate scenarios in their ORSA, the application of long-term scenarios is challenging and inconsistent.

    • Action: Insurers must move beyond a superficial assessment of climate risk. There is a clear regulatory expectation to improve the integration of long-term physical and transition risk scenarios into strategic decision-making and capital planning.


6. Markets & Investments


Development: Regulators are implementing changes to market structure rules and have flagged persistent inefficiencies in regulatory reporting.

Risk and Compliance Considerations:

  • ESMA Single Volume Cap (EU): The current double volume cap will be replaced by a single, EU-wide 7% volume cap on October 9, 2025.

    • Action: Trading venues and investment firms must prepare their systems and trading strategies in anticipation of this change. Venues will be required to suspend the use of the reference price waiver for instruments that breach the new threshold.

  • FCA Market Watch 82 (UK): The FCA has observed "persistent inefficiencies" in how firms remediate and back-report errors in MiFIR transaction reporting.

    • Action: This is a direct warning. Firms must review their transaction reporting error remediation processes to ensure accuracy and completeness. Delays caused by resourcing, internal processes, or governance issues are no longer acceptable. The FCA's ability to monitor for market abuse is compromised by poor data quality, and enforcement action is a likely next step for those who fail to meet these standards.


7. Enforcement Actions


Development: The FCA published final notices against two former senior executives: James Staley (former Barclays CEO) and Jean-Noël Yves Alba (former H2O AM LLP Deputy CEO).

Risk and Compliance Considerations:

  • Senior Manager Accountability: Both cases reinforce the high standards of integrity and openness expected of senior managers.

    • The Staley case demonstrates that misleading the regulator, even recklessly, regarding personal conduct relevant to a firm's assessment of fitness and propriety, can lead to a ban and a substantial fine.

    • The Alba case serves as a stark reminder that deliberately providing false information and obstructing an FCA investigation can result in severe penalties, including industry prohibition.

  • Action: These cases should be utilised as timely and effective training materials for all staff, particularly those in Senior Management Functions, to emphasise the importance of personal integrity and transparent cooperation with regulators.


 
 
 
