Weekly Regulatory Risk & Compliance Report: Week Ending 4th July
- James Ross

- Jul 5
1. Executive Summary
Significant progress in digital transformation dominates this week's regulatory landscape, with ongoing focus on conduct and consumer protection, as well as the finalisation of key prudential and market structure reforms.
For UK firms, immediate priorities include preparing for the new non-financial misconduct rules, which are now confirmed and set for implementation in 2026, as well as engaging with various FCA consultations that will reshape the market structure for bonds, derivatives, and commodities. The PRA's final rules on capital buffers demand urgent attention, with a go-live date of 31 July 2025.
In the EU, the implementation of the Digital Operational Resilience Act (DORA) continues with the introduction of new technical standards on ICT subcontracting, demanding an urgent review of third-party risk frameworks. The selection of the first consolidated tape provider for bonds marks a significant milestone in improving market transparency. Banks must also prepare for major updates to the CRR, as new EBA consultations and adopted technical standards will influence credit risk models and the definition of default.
Across all jurisdictions, regulators are signalling a clear direction for AI governance, data-driven supervision, and the future of financial market infrastructure, including stablecoins and tokenisation. Firms must move beyond a reactive stance and strategically prepare for these fundamental shifts.

2. Key Developments & Considerations
Theme A: Conduct, Culture, and Consumer Protection
Key Updates:
FCA Finalises Non-Financial Misconduct Policy (UK): The FCA has confirmed it will extend its COCON rules on non-financial misconduct to all regulated firms, with an implementation date of 1 September 2026. A further consultation (CP25/18) is open on whether additional guidance is needed.
FOS Complaints Data Show Significant Rise (UK): The Financial Ombudsman Service (FOS) reported a substantial increase in complaints for 2024/25, driven by issues related to motor finance, fraud, and credit cards.
APP Fraud Reimbursement Scrutinised (UK): An APPG report notes the early success of the mandatory reimbursement scheme but calls for a review of the £85,000 threshold and the application of the "consumer standard of caution."
EU Modernises Dispute Resolution (EU): A political agreement was reached on revising the Alternative Dispute Resolution (ADR) framework, introducing a duty for traders to respond to ADR requests within 20 working days.
FCA Proposes "Targeted Support" (UK): As part of the Advice Guidance Boundary Review, the FCA is consulting (CP25/17) on a new, regulated form of support for consumers' pension and investment decisions.
Risk & Compliance Considerations:
Conduct Risk: The FCA's focus on non-financial misconduct is now cemented in policy. Firms must ensure that their culture, policies, and training programs explicitly address issues such as bullying, harassment, and discrimination as regulatory concerns, not just HR issues. The risk of enforcement action for firms and prohibition orders for individuals is high.
Compliance Risk: Firms outside the banking sector must now implement processes to comply with the expanded COCON rules by the 2026 deadline. In the EU, firms must adapt their dispute resolution procedures to meet the new 20-day response timeline.
Reputational & Operational Risk: The surge in FOS complaints highlights operational frailties in firms' handling of fraud and specific products. Firms with high uphold rates face significant reputational damage and operational strain. Failure to fairly apply APP fraud reimbursement rules will attract both regulatory and public censure.
Recommended Actions:
Conduct Gap Analysis: Immediately begin a gap analysis of existing conduct policies against the new non-financial misconduct rules (FCA 2025/29). Develop a project plan for implementation before the September 2026 deadline.
Review Complaints Root Cause: Analyse internal and FOS complaints data to identify the root causes of increased complaints, particularly in motor finance and fraud, and remediate underlying process or product issues.
Assess "Targeted Support" Model: Firms providing retail investment and pensions services should analyse the FCA's proposals for "targeted support" to assess the strategic opportunity and potential compliance burden.
Update EU ADR Procedures: Prepare to update consumer-facing dispute resolution processes to comply with the revised ADR Directive, with a focus on the new response deadlines.
Theme B: Digital Transformation, AI, and Operational Resilience
Key Updates:
DORA ICT Sub-contracting Rules Finalised (EU): A Delegated Regulation specifying rules for sub-contracting critical ICT services under DORA will enter into force on 22 July 2025.
FCA Launches AI Live Testing Service (UK): Following industry feedback, the FCA is moving forward with its AI testing service, reaffirming that existing frameworks (e.g., SMCR, Consumer Duty) are sufficient for AI oversight and no new rules are planned.
BoE Signals Future of Banking Data (UK): A PRA roundtable indicated a move towards more granular data collection and the development of a standard data dictionary to reduce fragmented and duplicative reporting.
FCA Launches New Handbook Website (UK): A beta version of the new Handbook website is now live, with a full rollout expected later in the year. Users will need to create new accounts.
Risk & Compliance Considerations:
Third-Party Risk: The new DORA rules create stringent, legally binding requirements for due diligence, risk assessment, and contractual terms with critical ICT sub-contractors. Non-compliance presents a significant operational and regulatory risk.
Technology Governance Risk: The FCA's stance on AI places the onus squarely on firms' governance frameworks. Firms must be able to demonstrate to the regulator how their existing systems for accountability (SMCR) and consumer outcomes (Consumer Duty) effectively manage the risks of AI.
Operational Risk: The shift to more granular data reporting by the BoE will require significant investment in data infrastructure and processes. Firms must also manage the transition to the new FCA Handbook website, ensuring all internal links and procedures are updated to avoid compliance breaches.
Recommended Actions:
Prioritise DORA Compliance: Urgently review all ICT sub-contracting arrangements against the new RTS. Update third-party risk management frameworks, due diligence procedures, and contracts to ensure compliance.
Formalise AI Governance: Document the firm's AI governance framework, explicitly linking it to SMCR responsibilities and Consumer Duty outcomes. Consider participating in the FCA's AI Live Testing service to mitigate innovation risk.
Engage with Data Strategy: Appoint a lead to monitor the BoE's "Future of Banking Data" project and prepare for engagement on the data dictionary and granular reporting initiatives.
Manage Handbook Transition: Communicate the launch of the new FCA Handbook website to internal stakeholders. Task teams with identifying and updating all links to the Handbook in policies, procedures, and training materials.
Theme C: Market Structure and Transparency
Key Updates:
FCA Consults on SI Regime for Bonds/Derivatives (UK): CP25/20 proposes significant changes to the systematic internaliser (SI) regime, reflecting the removal of pre-trade transparency obligations.
FCA Consults on Ancillary Activities Test (AAT) (UK): In parallel with a draft statutory instrument from HMT, the FCA is consulting (CP25/19) on a new, simpler AAT for the commodity derivatives exemption, effective 1 January 2027.
ESMA Selects First Bond CTP (EU): ESMA has selected the first consolidated tape provider (CTP) for bonds, a key step in creating a single view of the EU's fixed-income market.
Market Manipulation Enforcement (UK): The Upper Tribunal upheld an FCA decision to ban and fine three traders for market manipulation (spoofing and layering), reinforcing individual accountability and the FCA's focus on market integrity.
Risk & Compliance Considerations:
Compliance & Operational Risk: Firms operating as SIs in non-equity instruments or relying on the AAE must prepare for significant rule changes. This will require re-assessing business models, updating systems, and ensuring compliance with the new frameworks.
Conduct Risk: The Upper Tribunal decision is a powerful reminder that sophisticated market abuse will be pursued, and trader explanations will be heavily scrutinised. It underscores the importance of robust trade surveillance and a culture of integrity.
Strategic Risk: The introduction of the EU bond CTP will change market dynamics, increasing transparency and potentially altering competitive advantages. Firms need to adapt their trading strategies accordingly.
Recommended Actions:
Analyse SI and AAT Proposals: Relevant firms must engage deeply with CP25/20 and CP25/19 to understand the impact on their business and prepare for implementation.
Review Trading Surveillance: In light of the Upper Tribunal ruling, review the effectiveness of surveillance systems in detecting manipulative trading patterns, such as spoofing and layering. Use the case study in trader training.
Prepare for EU CTP: EU fixed-income trading desks should develop a strategy for integrating and leveraging data from the new bond consolidated tape.
Theme D: Prudential Regulation & Capital
Key Updates:
PRA Finalises Capital Buffers Framework (UK): PS8/25 finalises the PRA's policy framework for capital buffers (CCyB, G-SII, O-SII, etc.), which comes into force on 31 July 2025 alongside new Treasury regulations.
EBA Consults on Definition of Default (EU): The EBA is consulting on maintaining the current 1% threshold for what constitutes a default in debt restructuring, citing the need for consistency and stability.
EIOPA Consults on Solvency II SRP (EU): EIOPA proposes revising its guidelines on the Supervisory Review Process (SRP) to incorporate sustainability, IT, and cyber risks.
PRA Scrutinises BPA Termination Clauses (UK): A "Dear CRO" letter warns insurers of the risks associated with solvency-triggered termination rights (STTR) in Bulk Purchase Annuity (BPA) deals and asks firms to improve their risk management.
Risk & Compliance Considerations:
Capital Risk: Firms must ensure their capital calculations are fully compliant with the PRA's new buffer framework by 31 July 2025. For insurers, the use of STTR clauses in BPA contracts introduces new liquidity and asset composition risks that the PRA is now actively supervising.
Credit Risk: The EBA's proposal to maintain the current definition of default means that firms' models and processes will not require a fundamental overhaul; however, they must continue to apply the existing standard robustly.
Regulatory Scrutiny: The updates to the Solvency II SRP signal that supervisors will be taking a wider, more integrated view of risk, explicitly including sustainability and cyber risks in their reviews. Insurers must be prepared to demonstrate effective management in these areas.
Recommended Actions:
Implement New Capital Buffer Rules: UK banks must immediately implement the changes outlined in PS8/25 to ensure accurate capital buffer reporting from 31 July 2025.
Review BPA Contracts (Insurers): Insurers engaged in the BPA market must review their use of STTR clauses and their associated risk management frameworks against the expectations outlined in the PRA's letter.
Enhance SRP Documentation (Insurers): Insurers should begin integrating sustainability and cyber risk more explicitly into their ORSA and other documentation in preparation for the updated SRP guidelines.
Engage with EBA Consultations (Banks): Banks using the IRB approach should review and consider responding to the EBA's consultations on the definition of default and credit conversion factors.


