
Risk & Compliance Report: week ending 11 July 2025

Executive Summary


This week's global regulatory developments signal a significant push across three core areas: operationalising next-generation financial frameworks (Open Finance, AI, Crypto-Assets), reinforcing foundational risk management, and holding firms accountable through stringent enforcement.


In the UK, the FCA is accelerating its Open Finance and AI agendas, moving from ideation to implementation with new TechSprints and live testing initiatives. Firms must engage proactively to avoid being left behind. Simultaneously, a joint BoE/PRA cyber stress test and a landmark BoE fine against a financial market infrastructure (FMI) firm underscore the critical importance of operational and cyber resilience. The FCA's £21 million fine against Monzo for systemic financial crime failures serves as a stark warning that control frameworks must scale with business growth.


Across the EU, regulators are building out the rulebooks for major legislative packages. ESMA has released a suite of guidance to operationalise the Markets in Crypto-Assets (MiCA) Regulation, focusing on staff competence, market abuse prevention, and managing the "halo effect" of offering unregulated services. The EBA continues to refine prudential rules under CRD VI/CRR III and is expanding its focus on third-party risk management beyond just ICT, while also embedding ESG and greenwashing considerations directly into product governance.


Globally, the FSB and BCBS are intensifying their scrutiny of the non-bank financial intermediation (NBFI) sector, signalling future work to address risks from leverage and interconnectedness with the traditional banking system.


Key Risk & Compliance Considerations by Theme


1. Technology, Data & Operational Resilience


  • Open Finance & Smart Data (UK): The FCA's outcomes report from its Open Finance sprint and the launch of the Smart Data Accelerator indicate a clear direction of travel beyond Open Banking.

    • Risk: Firms not participating in upcoming TechSprints (SME Finance, Mortgages) risk falling behind on innovation and influencing future standards. Business models may become uncompetitive if they cannot leverage broader data sets.

    • Compliance Action: Monitor the FCA's development of the Open Finance roadmap (due March 2026). Evaluate the use cases identified in the sprint (e.g., financial wellbeing, digital ID) and assess their strategic relevance. Allocate resources to engage with the Smart Data Accelerator.

  • Artificial Intelligence (UK): The FCA is moving to formalise its approach to AI supervision with its "AI Live Testing" initiative.

    • Risk: Deploying AI solutions without robust governance, testing, and validation exposes firms to risks of model bias, unfair consumer outcomes, and regulatory sanctions.

    • Compliance Action: Firms actively using AI should review the eligibility criteria and consider applying for the FCA's testing cohorts. This provides an opportunity to collaborate with the regulator and shape best practices. Review internal AI governance frameworks to ensure they align with the FCA's emerging expectations.

  • Cyber Resilience (UK): The findings from the 2024 cyber stress test are a critical resource for all firms, not just participants.

    • Risk: An inability to process critical transactions, coordinate with the sector, or communicate effectively during a significant cyber incident could threaten a firm's viability and contribute to systemic instability.

    • Compliance Action: Review and enhance incident response and recovery plans based on the test's findings. Specifically, test workarounds for data integrity attacks, ensure clear communication protocols are in place, and understand the implications of disconnection from and reconnection to key FMIs.

  • Third-Party & Cloud Risk (EU): The EBA is consulting on new guidelines for managing third-party risk for non-ICT services, aiming for consistency with DORA. ESMA has also updated its cloud outsourcing guidelines for non-DORA entities.

    • Risk: Inconsistent or siloed oversight of third-party arrangements (separating ICT from non-ICT) can create significant blind spots. Over-reliance on cloud providers without adequate contractual protections and oversight remains a key supervisory concern.

    • Compliance Action: Firms must adopt a holistic, life-cycle approach to third-party risk management that covers all critical functions, regardless of whether they are ICT-based. Review existing non-ICT outsourcing arrangements against the principles in the EBA's draft guidelines. Ensure a single, comprehensive register of all third-party arrangements is maintained.


2. Financial Crime & Enforcement


  • Politically Exposed Persons (PEPs) (UK): The FCA has finalised its updated PEP guidance.

    • Risk: Incorrectly applying the PEP definition (either too broadly or too narrowly) and failing to implement a genuinely risk-based approach can lead to poor consumer outcomes and breaches of the MLRs.

    • Compliance Action: Update internal policies, procedures, and training to reflect the finalised guidance. Specifically, ensure that non-executive board members are not automatically treated as PEPs and that the process for senior manager sign-off on PEP relationships is flexible and practical, rather than merely a formality.

  • AML Enforcement (UK): The FCA's £21 million fine against Monzo Bank underscores the consequences of failing to scale financial crime controls in tandem with rapid business growth.

    • Risk: Weaknesses in customer onboarding, risk assessment, and transaction monitoring, particularly during periods of expansion, can be exploited by criminals and may result in severe regulatory penalties.

    • Compliance Action: Re-assess the adequacy of the entire financial crime framework. Ensure that automated onboarding and monitoring systems are effective and subject to rigorous testing and quality assurance. Verify that due diligence processes are robust enough to identify beneficial owners and confirm customer location to manage risk appetite effectively.

  • FMI Compliance (UK): The BoE's first-ever fine against an FMI firm (£11.9 million against Vocalink) demonstrates a low tolerance for failing to comply with regulatory directions.

    • Risk: An ineffective risk management framework that fails to identify, manage, and escalate risks associated with critical remediation programmes can lead to significant fines and reputational damage.

    • Compliance Action: Ensure that the board and senior management have complete visibility of progress on regulatory remediation programmes. Risk management functions must be empowered and integrated into all critical projects to provide adequate oversight and challenge.


3. Prudential Regulation & Governance


  • Loan-to-Income (LTI) Rules (UK): The PRA is reviewing the LTI flow limit and offering a modification by consent to allow firms to exceed the 15% limit for high-LTI lending.

    • Risk: Increasing the proportion of high-LTI lending without commensurate adjustments to risk appetite and underwriting standards could increase credit risk exposure.

    • Compliance Action: Firms wishing to use the modification must notify the PRA and provide details of changes to their business plan and risk framework. Enhanced monthly reporting on high-LTI lending volumes will be required.

  • ESG & Greenwashing (EU): The EBA is revising its product oversight and governance (POG) guidelines to incorporate ESG features and explicitly address the risk of greenwashing.

    • Risk: Making unsubstantiated, unclear, or misleading sustainability claims about products constitutes greenwashing and will be a key area of supervisory focus, posing significant reputational and litigation risk.

    • Compliance Action: Integrate ESG factors and greenwashing risk into the product design, approval, and review process. Ensure all sustainability-related communications are fair, precise, accurate, and substantiated. The interests and ESG objectives of the target market must be a central consideration.

  • Non-Bank Financial Intermediation (NBFI) (International): The FSB and BCBS continue to focus on the risks posed by NBFIs.

    • Risk: Banks face potential contagion risk from their exposures to and interconnections with the NBFI sector, which may have higher leverage and less regulatory oversight.

    • Compliance Action: While policy changes are still developing, banks should proactively enhance their ability to monitor and manage counterparty risk with NBFIs. Pay close attention to the FSB's work on data gaps, as this will likely translate into future reporting requirements.


4. Markets, Investments & Consumer Protection


  • Crypto-Assets (MiCA) (EU): ESMA has issued crucial guidelines on the assessment of knowledge and competence for CASP staff, market abuse prevention, and managing the risks of offering unregulated services alongside regulated ones.

    • Risk: The "halo effect"—whereby a firm's regulated status lends undue credibility to its unregulated offerings—is a major investor protection risk. Inadequate staff knowledge, poor governance, and weak market abuse surveillance will lead to swift supervisory action under MiCA.

    • Compliance Action: CASPs must implement rigorous training and competence assessment programmes for all relevant staff. Client communications must clearly distinguish between regulated and unregulated products and the protections that apply (or do not apply). Firms must establish robust systems to detect and report suspected market abuse in crypto-assets. Review the peer review report's recommendations on governance, conflicts of interest, and ICT architecture.

