Global
BIS: An approach to AML compliance for cryptoassets
The Bank for International Settlements (BIS) has published a bulletin entitled An approach to anti-money laundering compliance for cryptoassets. The key takeaways include:
- existing anti-money laundering (AML) approaches relying on trusted intermediaries have limited effectiveness with decentralised record-keeping in permissionless public blockchains;
- the public transaction history on blockchains can enable AML and other compliance efforts, such as FX regulations, by leveraging the provenance and history of any particular unit or balance of a cryptoasset, including stablecoins; and
- an AML compliance score based on the likelihood that a particular cryptoasset unit or balance is linked with illicit activity may be referenced at points of contact with the banking system ('off-ramps'), preventing inflows of the proceeds of illicit activity and supporting a culture of 'duty of care' among crypto market participants.
The views expressed in this publication are those of the authors and not necessarily those of the BIS. [13 Aug 2025] #crypto
UK
FCA: Cyber Coordination Group insights 2024
The FCA has published insights on cyber resilience based on discussions held throughout 2024 with industry members of the regulator's Cyber Coordination Group (CCG) programme. The publication focuses on three key areas: the reconnection framework and third-party management; threat and vulnerability management and threat-led penetration testing; and AI and other emerging technologies, including quantum computing.
The FCA has highlighted the following as of particular interest for firms:
- 'Threat-led penetration testing is an extremely effective tool for identifying previously-unknown cyber vulnerabilities.'
- 'The threat from combined non-critical vulnerabilities can potentially cause as much or more harm than a single critical vulnerability.'
- 'Legacy technologies, especially end-of-life systems, should have effective security risk management, as with any other system.'
- 'Cross-industry information sharing forums, such as Cross Market Operational Resilience Group (CMORG) or the Financial Services Information Sharing and Analysis Centre (FS-ISAC), can be highly effective in enabling collective communication with third-party suppliers during significant outages.'
- 'Implementing AI into cyber domains without taking steps to fully understand all potential impacts can lead to increased exposure to new or unidentified risks.' [14 Aug 2025] #Cyber #AI #Quantum #CMORG #OpRes
BoE webpages: National Payments Vision and Vision Engagement Group
The Bank of England (BoE) has published new webpages on the National Payments Vision (NPV) and the Vision Engagement Group. The NPV sets out the Government's ambition for a trusted, world-leading payments ecosystem delivered on next-generation technology, where consumers and businesses have a choice of payment methods to meet their needs. The Vision Engagement Group brings together sector representatives to support delivery of the NPV. [14 Aug 2025] #Payments
FMLC: Response to FCA consultation on stablecoin issuance and cryptoasset custody
The Financial Markets Law Committee (FMLC) has published its response to the FCA's Consultation Paper 25/14 – Stablecoin Issuance and Cryptoasset Custody (CP25/14). The response builds on the FMLC's May 2025 letter to HM Treasury in which it set out a number of concerns on the scope and drafting of the Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025. The current paper identifies concerns which may lead to the creation of legal uncertainty in the financial markets and/or result in legal consequences which are seemingly unintended. [11 Aug 2025] #Stablecoins #Crypto
Europe
EBA: Q&A – DORA
The European Banking Authority (EBA) has published its response to a question on whether Article 28(3) of the Digital Operational Resilience Act (DORA) requires a separate and specific communication in addition to the registers of information.
The EBA confirmed that providing the registers of information referred to in Article 28(3) to the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) on a yearly basis, in accordance with the reporting timelines set out in Articles 4 and 5, will in general fulfil the requirement, and no second specific communication is needed.
Financial entities must also inform competent authorities in a timely manner regarding any planned ICT third-party contractual arrangements supporting critical or important functions or if a function supported by ICT third parties becomes critical or important. [15 Aug 2025] #DORA #OpRes
EBA reports on current SupTech use for AML/CFT across the EU
The European Banking Authority (EBA) has published a report on the use of technology tools in anti-money laundering and countering the financing of terrorism (AML/CFT) supervision (SupTech).
The report presents insights garnered from a survey of national competent authorities (NCAs) and a workshop organised in conjunction with the new Anti-Money Laundering and Countering the Financing of Terrorism Authority (AMLA). It provides an overview of current SupTech use across the EU and includes examples of effective practices in, for example, change management, data and technology, and supervisory and regulatory strategies.
The report indicates that, while SupTech deployments in the space are still evolving, nearly half of the tools or projects identified (47%) are already in production, with a further 38% under development and 15% in exploratory phases.
It is also reported that NCAs are already experiencing tangible benefits, including improved data quality, enhanced collaboration, and more efficient risk identification. However, several challenges remain, such as limited resources, legal uncertainty, and data governance constraints. [12 Aug 2025] #SupTech #AML #CFT
ESRB: Compliance report on implementation of EU-SCICF
The European Systemic Risk Board (ESRB) has published a compliance report on sub-recommendation A(1) of the ESRB's Recommendation of 2 December 2021. The overarching recommendation A relates to the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF) for relevant authorities; the sub-recommendation A(1) recommended that the European Supervisory Authorities (ESMA, EBA and EIOPA – the ESAs), the European Central Bank (ECB), NCAs and the ESRB begin to prepare for the gradual development of an effective EU-level coordinated response in the event of a cross-border major cyber incident or related threat that could have a systemic impact on the EU's financial sector. The ESAs delivered a final report on establishing the EU-SCICF in July 2024. Although published in August 2025, the compliance report reflects the implementation status as at December 2024.
Overall, there was largely found to be compliance with sub-recommendation A(1). However, two points were identified as areas for improvement:
- ensuring that the necessary resources are either in place or that those responsible for allocating the necessary resources in the European and national authorities seek to address any constraints; and
- the need to ensure that the EU-SCICF can be activated and operational from January 2025 onwards and further developed in a timely manner to ensure a robust framework that supports an effective EU-level response. [12 Aug 2025] #Cyber
Australia
APRA releases notes on superannuation CEO roundtable
The Australian Prudential Regulation Authority (APRA) has released its notes from the superannuation industry roundtable it hosted in July 2025 which focussed on the recent cyber incidents impacting several superannuation entities.
APRA outlined its key observations and expectations on cyber resilience including:
- reinforcing its recently communicated expectations on authentication controls; and
- highlighting the value of a proactive cyber security approach, including a clear understanding of control environments and clear accountability for member protection.
The roundtable also included commentary from key government agencies and reflections from impacted superannuation entities. Some key reflections included:
- the importance of clear and timely communications and having a well-developed incident response plan;
- the value of third-party experts in providing the necessary skills and knowledge to enable a collaborative and rapid response; and
- the assistance of the National Office of Cyber Security's Financial Sector playbook which outlines how it can support entities impacted by a cyber incident. [11 Aug 2025] #Cyber
Hong Kong
SFC issues circular to set out expected standards on custody of virtual assets by VATP operators
The SFC has issued a circular to licensed virtual asset trading platforms (VATPs), outlining its expected standards for the safe custody of client virtual assets by SFC-licensed VATP operators and their associated entities (collectively, platform operators). This initiative is part of the SFC's 'ASPIRe' roadmap (see our previous update), specifically Pillar 'S' (Safeguard), aimed at laying a solid foundation for the industry's transition to more advanced custody technologies.
The SFC notes that multiple cases of custody vulnerabilities have arisen overseas, and that its review aimed at evaluating VATPs' resilience against cybersecurity threats earlier this year had revealed inadequacies in some operators' controls. It therefore sees the need for platform operators to critically review and strengthen their custody practices.
Multiple cybersecurity incidents at overseas virtual asset platforms, resulting in significant client asset losses, have highlighted key weaknesses in wallet infrastructures and controls, such as compromised third-party wallet solutions, insufficient transaction verification processes, and inadequate access controls over approval devices.
In its circular, which takes immediate effect, the SFC provides examples of good practices along with its expected minimum standards which platform operators must meet, covering the following areas:
- Senior management responsibilities;
- Client cold wallet infrastructure and operation;
- Use of wallet solution and third-party provider;
- Ongoing real-time threat monitoring; and
- Training and awareness.
Platform operators should critically assess their virtual assets custody framework, procedures, and controls to ensure compliance with the expected standards. Adherence to these requirements should form part of platform operators' annual external compliance and technology assessment. [15 Aug 2025] #VirtualAssets #VATP
SFC and HKMA issue joint statement in light of recent abrupt market movements linked to stablecoin concept
The SFC and the HKMA have issued a joint statement regarding recent market movements in relation to stablecoins.
The two regulators have noted recent abrupt market movements linked to the stablecoin concept, which appear to follow corporate announcements, news reports, social media posts or speculations regarding plans to apply for stablecoin issuer licences, engage in related activities or explore the feasibility of stablecoin initiatives in Hong Kong. Some of these claims also mentioned recent engagements with Hong Kong financial regulatory authorities.
The HKMA reiterates that it adopts a robust and prudent approach (with a reasonably high bar) in considering applications for stablecoin issuer licences. An indication of interest or application for a stablecoin licence and communications with the HKMA are just part of the licensing process. The granting of a stablecoin licence will ultimately be determined by the fulfilment of the relevant licensing criteria. Market participants are reminded to exercise responsibility in public communications and refrain from making statements that could mislead investors or create unrealistic expectations.
The HKMA and the SFC urge the public to exercise caution, conduct thorough research, and refrain from making irrational investment decisions based solely on market hype or price momentum.
The SFC's dedicated market surveillance team will closely monitor trading activities in Hong Kong and will take stringent actions against any manipulative or deceptive practices that may compromise the integrity of the market. [14 Aug 2025] #Stablecoins
HKMA Executive Director discusses operational resilience and cybersecurity initiatives in opening remarks at WISE 2025
Ms Carmen Chu, Executive Director (Banking Supervision) of the HKMA, delivered opening remarks at the kick-off workshop for the Whole Industry Simulation Exercise (WISE) 2025.
Ms Chu stated that operational resilience is a top supervisory priority for the HKMA, and the HKMA is working with the industry on a multi-year journey to uplift banks' capabilities in this regard. The HKMA's regular surveys and industry outreach show that banks in Hong Kong are generally on track to meet the target of becoming operationally resilient by May 2026. All banks have already developed operational resilience frameworks, and most have progressed from the mapping phase to scenario testing phase.
Ms Chu cautioned that the 'last mile' of the journey is often the most challenging. While this may vary based on the circumstances of each bank, the last mile will generally involve mitigating and overcoming known vulnerabilities, planning for post-May 2026 (such that operational resilience becomes a 'business as usual' concept that is embedded in all financial activities), and having a process that is continuous and iterative, with constant refinements to ensure that a bank's operational resilience arrangements stay up-to-date and relevant.
The HKMA plans to issue further industry guidance in the coming months to set out good practices for the remediation and management of vulnerabilities. It is aware of the feedback from the industry that there is strong interest in obtaining more guidance around third-party and cyber risk management. The HKMA's supervisory agenda includes (among others):
- A cyber mapping exercise to understand network interconnections, interdependencies, as well as potential systemic concentration risk in the financial sector;
- Cyber Resilience Assessment Framework (C-RAF) – now in its third cycle – to enhance the banking industry's cyber defence maturity;
- A new Cyber Resilience Testing Framework to further step-up banks' response and recovery capabilities, building on the strong foundation already developed for defence and protection; and
- Priming the industry to get prepared for the Basel Committee on Banking Supervision's upcoming new Principles for the Sound Management of Third Party Risk. [12 Aug 2025] #Cyber #OpRes
India
SEBI launches radio campaign to combat securities fraud perpetrated through social media platforms
The Securities and Exchange Board of India (SEBI) has launched a campaign specifically on frauds related to the securities market taking place through social media platforms. [14 Aug 2025] #Fraud #SocialMedia
Philippines
BSP suspends in-app gambling access in mobile payment apps and websites
The Bangko Sentral ng Pilipinas (BSP) has issued a directive to all BSP-Supervised Institutions (BSIs) to remove links providing in-app gambling access from their payment apps and websites within 48 hours.
The directive has been issued in light of the surge in online gambling transactions. The suspension will remain in place until the BSP finalises its policy on online gambling payment services. [13 Aug 2025] #Payments #Mobile #Apps
US
FinCEN urges vigilance on CVC kiosks
The Financial Crimes Enforcement Network (FinCEN) has issued a Notice which reminds financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks. While noting that such kiosks can be convenient for consumers, FinCEN comments that CVC kiosks may also be exploited by illicit actors. The risk of illicit activity is exacerbated if CVC kiosk operators fail to meet their obligations under the Bank Secrecy Act (BSA).
The Notice provides an overview of typologies associated with illicit activity involving CVC kiosks and highlights red flag indicators. [4 Aug 2025] #VirtualCurrency #FinCEN #Fraud