
Risk & Compliance Report Week ending 24 October 2025

1. Executive Summary: Key Themes


Three critical developments dominated this week’s regulatory landscape:


  1. AML Supervisory Consolidation: HM Treasury confirmed a significant reform of the UK’s AML/CTF supervisory architecture. The decision to consolidate supervision of the legal, accountancy, and TCSP sectors under a new Single Professional Services Supervisor (SPSS) role, to be fulfilled by the FCA, will replace the existing 22 Professional Body Supervisors (PBSs). Affected firms must prepare for a transition to the FCA’s data-led supervisory model.

  2. Cyber & Operational Resilience: A joint BoE, FCA, and PRA publication established a new supervisory benchmark for cyber response and recovery, detailing “effective practices.” Concurrently, ESMA designated cyber risk and digital resilience, underpinned by the Digital Operational Resilience Act (DORA), as its primary Union Strategic Supervisory Priority (USSP) for 2026.

  3. Conduct Risk & Consumer Protection: FCA data for H1 2025 revealed a 3.6% increase in complaint volumes (to 1.85M) and a 20% rise in redress paid (£283M), indicating heightened scrutiny on consumer outcomes. This is corroborated by an FCA multi-firm review identifying material deficiencies in COBS 3 client categorisation and a £100k fine for an individual for insider dealing in breach of UK MAR Article 14.


Other major themes include the formalisation of AI as a key regulatory focus (DSIT AI Growth Lab, FSSC skills consultation) and significant regulatory uncertainty in the EU over the simplification of ESG reporting rules (CSRD/CSDDD).


Key Table: Summary of Regulatory Developments and Required Actions


The following table provides a consolidated overview of the week’s key events, translating them into a prioritised institutional response plan designed to facilitate immediate action and delegation.

| Regulatory Body / Jurisdiction | Development / Rule | Key Impact Area | Affected Business / Function | Priority Level | Recommended Initial Action |
| --- | --- | --- | --- | --- | --- |
| US Treasury (FinCEN) | $450M AML Penalty | Financial Crime | Compliance, Technology, Operations, Investment Banking | High | Commission an independent audit of the transaction monitoring rule engine and the associated model validation framework. |
| EU (ENISA/EC) | Final Draft of Cyber Reporting Directive | Cyber Resilience | CISO, CIO, Legal, Board of Directors | High | Conduct a tabletop exercise simulating a material cyber breach under the new 72-hour regulatory notification timeline. |
| Global (FSB/BCBS) | Supervisory Statement on Climate Risk Data | ESG / Climate Risk | CRO, CFO, Risk Management, Data Governance | High | Initiate a comprehensive gap analysis of current climate data sourcing and verification processes against proposed global standards. |
| UK (FCA) | Final Guidance on Consumer Duty | Conduct Risk | Product Governance, Marketing, Retail Banking, Wealth Management | High | Review and document the evidence base demonstrating “good outcomes” for a representative sample of key retail products. |
| G7 Finance Ministers | Joint Statement on AI & Crypto Governance | Technology Governance | CRO, Chief Data Officer, Innovation, Legal | Medium | Inventory all client-impacting AI/ML models and review the adequacy of existing bias testing and explainability protocols. |


2. In-Depth Analysis: Risk & Compliance Matters


2.1 Financial Crime and AML

1. HM Treasury to Consolidate AML Supervision under FCA

  • Development: HM Treasury published its consultation response on reforming AML/CTF supervision, confirming its decision to create a Single Professional Services Supervisor (SPSS). This role will be assumed by the FCA, which will absorb the supervisory responsibilities of the 22 Professional Body Supervisors (PBSs) for the legal, accountancy, and trust/company service provider (TCSP) sectors.

  • Risk & Compliance Implication: This structural reform requires newly in-scope firms to prepare for a transition to the FCA’s supervisory framework, which is anticipated to be more data-driven, intensive, and enforcement-oriented. Firms must conduct a gap analysis of their existing AML/CTF frameworks (including enterprise-wide risk assessments and governance) against FCA standards (e.g., SYSC 6). A further consultation on the FCA’s specific powers as SPSS is scheduled for November 2025.

2. FCA Review Finds Weak Financial Crime Controls in Corporate Finance

  • Development: An FCA multi-firm review of financial crime controls within Corporate Finance Firms (CFFs) identified significant deficiencies. Approximately two-thirds of surveyed firms (not currently submitting financial crime returns) may be non-compliant with the MLRs 2017. Key failings include 11% lacking a documented business-wide risk assessment (as required by MLR 18) and 10% failing to retain requisite Customer Due Diligence (CDD) evidence.

  • Risk & Compliance Implication: The findings indicate widespread systemic weaknesses in the CFF sector’s anti-financial crime controls. All CFFs, particularly principal firms, must benchmark their frameworks against the FCA’s findings, paying specific attention to the adequacy of their MLR 18 risk assessment, CDD/EDD record-keeping (MLR 40), and the financial crime risk oversight of their Appointed Representatives (ARs). The FCA has indicated direct follow-up with non-compliant firms, signalling a high probability of further supervisory or enforcement action.

3. EBA Report on AML/CTF Colleges

  • Development: The EBA’s fifth and final report on the functioning of AML/CTF colleges (under MLD4) concluded that while colleges facilitate information exchange, National Competent Authorities (NCAs) have made limited progress in implementing a fully risk-based approach or systematically identifying common risks for joint supervisory action.

  • Risk & Compliance Implication: For EU financial groups, this perpetuates supervisory fragmentation and regulatory arbitrage risk. The findings set a clear agenda for the incoming Anti-Money Laundering Authority (AMLA), which assumes responsibility from 1 January 2026 and is expected to enforce a more harmonised and risk-focused approach to cross-border supervision.


2.2 Conduct, Consumer Protection & Enforcement

1. FCA Complaints Data (H1 2025) Shows Rise in Complaints and Redress

  • Development: The FCA published aggregate complaints data for H1 2025, showing a 3.6% increase in opened complaints (to 1.85 million) compared to H2 2024. The total redress paid rose by 20% to £283 million, while the uphold rate remained static at 57%. Current accounts, a high-volume product, experienced a 10.2% increase in complaints.

  • Risk & Compliance Implication: The upward trend in both complaint volume and redress quantum increases financial provisioning requirements and indicates regulatory pressure on firms’ handling of consumer grievances. These metrics are a primary data source for supervising the FCA Consumer Duty (Principle 12 and PRIN 2A), particularly the ‘consumer support’ and ‘fair value’ outcomes. Firms must analyse their internal data against these sector-wide benchmarks to identify and remediate outliers.

2. FCA Review of Client Categorisation in CFFs

  • Development: An FCA multi-firm review of Corporate Finance Firms (CFFs) identified material deficiencies in the application of COBS 3 (Client categorisation) and COBS 4 (Communicating with clients) rules. The review found superficial assessments, use of invalid criteria, and inadequate record-keeping for categorising clients and ‘corporate finance contacts’, as well as for certifying retail investors as ‘high net worth’ or ‘sophisticated’.

  • Risk & Compliance Implication: These findings highlight significant conduct risk, as improper categorisation (particularly ‘opting up’ retail clients) removes key regulatory protections and increases the risk of mis-selling non-mainstream or complex products. CFFs must urgently review their client categorisation policies, procedures, and evidential records. The FCA has signalled an upcoming consultation to update COBS 3, indicating this is an area of ongoing regulatory focus.

3. FCA Motor Finance Compensation Scheme

  • Development: The FCA has established a data room to allow stakeholders to analyse underlying data related to its consultation (CP25/27) on a proposed compensation scheme for discretionary commission arrangements (DCAs) in the motor finance sector.

  • Risk & Compliance Implication: This procedural step reinforces the FCA’s intention to proceed with a formal redress scheme under s.404 of FSMA. Firms with exposure to historic DCAs face material financial and operational risk. Legal and compliance functions must ensure robust calculations of potential liabilities, based on internal data, to inform financial provisions and prepare for the operational demands of the scheme.

4. FCA Fines Individual £100k for Insider Dealing

  • Development: The FCA issued a Final Notice to an individual, imposing a £100,281 fine and a prohibition (s.56 FSMA) for insider dealing in breach of Article 14 of the UK Market Abuse Regulation (UK MAR). The individual, an employee, used inside information regarding warranty and manufacturing issues to sell shares before a negative RNS, then repurchased at a lower price.

  • Risk & Compliance Implication: This enforcement action underscores the FCA’s focus on individual accountability for market abuse. It highlights critical failures in personal conduct and breaches of internal policies (pre-dealing clearance). Compliance functions must ensure the robustness of their market abuse risk assessments, staff training (especially for individuals with access to inside information), and the effectiveness of their personal account dealing policies.


2.3 Cyber, AI & Operational Resilience

1. BoE, FCA, and PRA Set Cyber Response Benchmarks

  • Development: The BoE, FCA, and PRA jointly published a paper outlining effective practices for firms’ cyber-incident response and recovery. The guidance emphasises pre-defined crisis communication plans, resilient out-of-band communication capabilities, and the ability to restore critical data from immutable, segregated backups (e.g., tertiary facilities).

  • Risk & Compliance Implication: This document effectively codifies supervisory expectations and establishes a new benchmark for operational resilience frameworks. Firms must conduct a formal gap analysis of their incident response plans and recovery strategies against these published practices. This increases the burden on firms to demonstrate resilience, particularly regarding data immutability and the operational resilience of material third parties and supply chains.

2. AI Regulation and Skills Emerge as Key Focus

  • Development: Regulatory focus on AI crystallised via two initiatives:

    • DSIT AI Growth Lab: DSIT launched a call for views on a proposed sandbox to allow controlled testing of AI products under a temporarily relaxed regulatory regime (excluding core protections like consumer rights).

    • FSSC Call for Evidence: The Financial Services Skills Commission is researching the 5-10 year impact of AI and disruptive technologies on financial services skills requirements.

  • Risk & Compliance Implication: This dual-track approach encourages AI innovation while simultaneously planning for its structural impact. Risk functions must accelerate the development of specific AI governance frameworks to address model risk, data integrity, bias, and operational resilience. Compliance and legal teams should actively engage in these consultations to help shape the proportionate development of future AI regulation and skills-based policy.

3. FCA Issues T+1 Settlement Expectations

  • Development: The FCA issued a “Dear Compliance Officer” letter to the asset management and alternatives portfolios, reiterating the mandatory transition to a T+1 settlement cycle by the 11 October 2027 deadline set by the Accelerated Settlement Technical Group (ASTG).

  • Risk & Compliance Implication: This letter places a clear supervisory expectation on firms to initiate their transition projects immediately. Compliance and operations must ensure a formal project plan is in place in 2025 to review end-to-end trading and settlement arrangements. The key risk is settlement failure due to unremediated manual processes or insufficient automation. Firms must also manage the operational risks associated with any outsourced providers.

4. ESMA Confirms Cyber Risk as 2026 Strategic Priority

  • Development: ESMA confirmed that cyber risk and digital resilience will be its primary Union Strategic Supervisory Priority (USSP) for 2026. This aligns directly with the ongoing implementation of the Digital Operational Resilience Act (DORA).

  • Risk & Compliance Implication: This announcement guarantees that National Competent Authorities (NCAs) and ESMA will dedicate significant and coordinated supervisory resources to assessing firms’ DORA compliance. In-scope entities must ensure their DORA implementation projects are sufficiently resourced and on schedule, with a particular focus on ICT risk management frameworks, incident reporting, and third-party risk management.


2.4 ESG & Sustainability

1. EU Parliament Disagrees on CSRD/CSDDD Simplification

  • Development: The European Parliament (EP) failed to adopt a negotiating mandate on the Commission’s “Omnibus I” proposal, which aimed to simplify and raise reporting thresholds for the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD). The EP will now vote on amendments in November 2025.

  • Risk & Compliance Implication: This procedural failure injects significant regulatory uncertainty into firms’ implementation programs for CSRD and CSDDD. The proposed simplifications are now delayed, and their final form is unknown. Compliance functions must continue to project-plan based on the current, un-amended legislative text while closely monitoring the legislative process, as final applicability thresholds and requirements remain unresolved.

2. FCA/CFRF Publishes Materials on Nature Risk

  • Development: The FCA-convened Climate Financial Risk Forum (CFRF) published a new suite of materials, including a handbook on integrating nature-related financial risks into financial services.

  • Risk & Compliance Implication: This publication signals the formal extension of ESG risk management expectations beyond climate (the ‘E’ in ESG) to include biodiversity and nature loss, aligning with frameworks like the TNFD. Risk functions in banks, insurers, and asset managers should now begin integrating nature-related risks into their existing climate and enterprise risk management (ERM) frameworks, treating this as an emerging but material risk category.

2.5 Prudential & Markets Regulation

  • HMT/FCA/PRA Scale-up Unit: A new joint regulatory unit will provide enhanced, bespoke support to an initial cohort of scaling banks, building societies, and insurers to help them navigate complex regulatory processes and product innovations.

  • EBA SREP Guidelines Consultation: The EBA is consulting on revisions to its SREP and supervisory stress testing guidelines to incorporate the CRD VI/CRR III ‘banking package’ and new risk areas, including ESG factors, operational resilience (DORA), and ICT risk. This will directly alter the supervisory assessment methodology for EU institutions.

  • ESRB Recommendation on Stablecoins: The ESRB issued a report on systemic risks from cryptoassets, alongside a specific recommendation (ESRB/2025/9) that third-country, multi-issuer stablecoin schemes should not be considered compliant with the MiCA framework. This flags a significant regulatory gap and systemic risk concern for the European Commission to address.

  • ESMA RTS on Open-Ended LO-AIFs: ESMA submitted the final draft RTS under AIFMD II for open-ended loan-originating AIFs. The RTS move away from a fixed liquid asset quota, instead mandating that AIFMs must ensure sufficient liquidity via a sound liquidity management system, an appropriate redemption policy, and robust stress testing, placing greater emphasis on the AIFM’s own systems and controls.
