FinTech Global FS Regulatory Round-up - w/e 11 April 2025

ICYMI

• February/March Data Wrap: A snapshot of key regulatory developments

• Cyber security: A month in retrospect (Australia) - March 2025

---

UK

FCA: Trading apps review – high-level observations

The FCA has published a summary of its findings from the multi-firm review of the business models, product offerings and services of 12 trading app firms of various sizes and business models. Key findings include:

• Business models: Some firms act as introducers, directing customers to other platforms or an affiliated firm. Firms are encouraged to fully understand their obligations as both manufacturers and distributors, as set out in FCA rules.
• Revenue drivers: Firms generate income in a range of ways, including transaction fees on trades, subscription fees and interest earned from cash balances. Some firms may need to reassess whether their current pricing structures provide good value for consumers.
• Digital engagement practices: All firms demonstrated awareness of the need to use digital features, such as notifications, responsibly.
• Appropriateness testing: While some firms had strong processes for assessing customer understanding of high-risk investments, others lacked adequate checks, potentially exposing consumers to unnecessary risks.

The publication aims to support new entrants, existing neo-brokers and traditional investment brokers seeking to diversify into the sector to help them understand their obligations.

Alongside the review, the FCA has published an occasional paper on how app features, particularly digital engagement practices (DEPs) like notifications and prize draws, influence consumer behaviour. The study found that apps with more DEPs tend to attract younger, lower-income users who trade more frequently and often suffer worse investment returns. [11 Apr 2025]  #TradingApps

BoE: Digital pound experiment report – offline payments

The Bank of England (BoE) has published the findings of a project aimed at assessing whether it is technically feasible to implement an offline payment functionality for a digital pound. The project found that while it might be technically feasible to implement an offline payment functionality for a digital pound, there are trade-offs, particularly around user experience and preventing double spending and counterfeiting, that make implementing it challenging.

This project explored offline payments from a technology perspective only. There are other factors, such as policy, operational, legal and commercial considerations, that will impact the design choices for offline payments. No final decision has been made on whether an offline payment functionality would be implemented for a digital pound. [10 Apr 2025]  #DigitalPound #CBDC

PSR: APP scams claims management consultation – timeline update 

The Payment Systems Regulator (PSR) has published a thought piece by its Head of Policy Claire Simpson in which she discusses the PSR's next steps on the claims management consultation and confirms its intention to adopt Reporting Standard B by December 2026.

The PSR had planned to consult in April 2025 on proposals to put in place regulatory requirements for Pay.UK’s reimbursement claims management system (RCMS) for the purpose of authorised push payment (APP) scam claim management and data reporting. However, the consultation will now be delayed so that the PSR can take account of the broad direction of travel of the National Payments Vision (NPV); the regulator anticipates being able to consult within three to six months.

In line with the PSR's previous plans, the consultation will seek views on:

• a deadline for adopting Reporting Standard B by no later than December 2026; and
• placing any additional regulatory obligations on Pay.UK that may be necessary to enable it to most effectively meet its compliance monitoring obligations in Specific Direction 19. [10 Apr 2025]  #APPFraud #Payments

FPC: AI in the financial system

The FPC has published a Financial Stability in Focus piece which provides detail on its systemic risk assessment and approach to monitoring risks from AI. Given the uncertainty around how AI will evolve, the FPC considers the potential macroprudential implications of more widespread, and changing, use of AI in the financial system.

In this context, the FPC is focused on

• greater use of AI in banks’ and insurers’ core financial decision-making (bringing potential risks to systemic institutions);
• greater use of AI in financial markets (bringing potential risks to systemic markets);
• operational risks in relation to AI service providers (bringing potential impacts on the operational delivery of vital services); and
• changing external cyber threat environment.

The FPC will continue to engage actively with domestic and international initiatives to monitor and mitigate AI-related risks. [9 Apr 2025]  #AI

BoE: Response on access to RTGS accounts for settlements

The Bank of England (BoE) has published its response to the feedback received on the February 2024 discussion paper on reviewing access to real-time gross settlement (RTGS) accounts for settlement. The response includes:

• new RTGS rules which include eligibility criteria for use of RTGS accounts for settlement as well as settlement services;
• a revised RTGS access policy combining and updating the BoE's access policies for settlement and omnibus accounts; and
• a revised guide for non-bank payment service providers (NBPSPs) seeking direct access to UK payment systems.

A significant change made is the introduction of stage gates to enable applicants seeking access to RTGS, including new and small financial market infrastructures (FMIs), to build internal capacity and confidence before launching their services externally.

Looking ahead, the BoE is exploring whether, and on what terms, it could offer NBPSPs settlement accounts (which are typically unremunerated) with safeguarding facilities. It is also supporting efforts to reform the regulatory regime for NBPSPs to support enhanced access to RTGS. [8 Apr 2025]  #Payments

---

Europe

ESMA Q&As – ECSPR and MiCAR

The European Securities and Markets Authority (ESMA) has published or updated Questions and Answers (Q&As) on the following:

• referencing the Regulation on European crowdfunding service providers for business (ECSPR), Bulletin Board - disclosure obligations and assessment of the entity to be considered as the project owner; and
• referencing the Markets in Cryptoassets Regulation (MiCAR), registered alternative investment fund managers and MiCAR and copy trading services. [11 Apr 2025]  #Crypto #MiCAR

ECB: Progress report on digital euro rulebook

The ECB has published its latest progress report outlining the progress made by the Rulebook Development Group (RDG) in developing a draft digital euro scheme rulebook since the publication of the last report in September 2024. This report covers the progress made in three key areas:

• existing rulebook sections have been updated to reflect comments received as part of the RDG’s interim review in 2024
• the contents of the rulebook sections have been further developed together with market participants in dedicated RDG workstreams; and
• expert sessions were held on latency and dispute management.

The rulebook aims to harmonise digital euro payments across the euro area through a single set of rules, standards and procedures. The next progress report is expected to be published in Q3 2025. . [9 April 2025]  #DigitalEuro #CBDC

EBA: MiCAR Guidelines – templates to assist competent authorities in performing their supervisory duties

The EBA has published the translations of the Guidelines on templates to assist competent authorities in performing their supervisory duties regarding issuers’ compliance under Titles III and IV of Markets in Cryptoassets Regulation (MiCAR). The Guidelines are addressed to competent authorities and to issuers of assets-referenced tokens (ARTs) and issuers of electronic money tokens (EMT).

The Guidelines apply from 26 May 2025. [7 Apr 2025]   #Crypto #MiCAR

---

Hong Kong

HKIMR releases report on development of responsible Gen AI adoption in financial services industry

The Hong Kong Institute for Monetary and Financial Research (HKIMR) has announced that it has published a new applied research report, titled 'Financial Services in the Era of Generative AI: Facilitating Responsible Adoption'.

The report provides an overview of the evolution of generative artificial intelligence (GenAI) and its broader implications for both the financial services industry and financial regulators.  It draws on the findings from a survey and interviews with market participants regarding the current state of GenAI adoption among local financial institutions, the expected trajectory of GenAI development in Hong Kong, and strategies for risk management and talent development.  Some of the themes were also discussed by Mr Darryl Chan (HKMA's Deputy Chief Executive) in his opening remarks at the HKMA-HKIMR-CEPR International Conference on Generative Artificial Intelligence.

• The report states that the adoption of GenAI is progressing steadily in Hong Kong's financial services industry, with 75% of the surveyed financial institutions having already implemented at least one GenAI use case, or are currently piloting and designing use cases and exploring potential investment areas.  This ratio is expected to increase to 87% within the next three to five years.                   

• The primary implementations of GenAI in financial services remain largely internal and non-customer facing (such as tools for enhancing productivity and operational efficiency), with GenAI use in complex, higher-risk, and external customer-facing applications dependent on further improvements in the accuracy of the technology.   

• There are various risk management challenges hindering adoption, including concerns regarding model accuracy, data privacy and security, as well as constraints related to resources and talent.  However, the emergence of less resource-intensive models and maturing technology, coupled with regulatory engagement, are likely to contribute to the broadening of GenAI adoption over time.

• The report also outlines some considerations for facilitating responsible GenAI adoption by the financial services industry in Hong Kong.  In the near-term, continued adjustments of financial institutions’ risk management frameworks to align with best practices can foster further adoption.  In the medium-term, the survey and interviews suggest that greater collaboration among regulators, industry players and developers, cross-jurisdiction regulatory engagement, and sustained long-term investment in digital infrastructure are crucial as GenAI adoption broadens.  [9 & 10 Apr 2024]  #AI #GenAI

SFC provides staking guidance for licensed VATPs and authorised VA funds via circulars

The SFC has provided regulatory guidance (via circulars) to licensed virtual asset trading platforms (VATPs) on their provision of staking services, and to SFC-authorised funds with exposure to virtual assets (VA) on their engagement in staking.  The SFC's Executive Director of Investment Products, Ms Christina Choi, referred to the issue of these circulars in her keynote speech at the Hong Kong Web3 Festival.

Staking refers to the process of committing or locking client VAs for a validator to participate in a blockchain protocol’s validation process based on a proof-of-stake consensus mechanism, with returns generated and distributed for that participation.  In setting out its regulatory approach, the SFC recognises the potential benefits of staking in enhancing the security of blockchain networks and allowing investors to earn yields on VAs within a regulated market environment. 

In its circular to VATPs, the SFC sets out its regulatory approach and expected standards for providing staking services to clients.  VATPs should obtain the SFC's prior written approval before providing such services (the SFC will impose specific conditions on their licences).  The key requirements include:

• Maintaining possession or control of all mediums through which client VAs may be withdrawn from the staking services;

• Maintaining effective policies to prevent or detect errors and other improper activities associated with the staking services, ensuring the 'staked' client VAs are adequately safeguarded, and implementing internal controls to manage operational risks and address any conflict of interests;

• Disclosing general information and risks associated with staking services on the VATPs' websites and (if relevant) mobile applications;

• Acting with due skill, care, and diligence when including a blockchain protocol for providing staking services; and    

• Performing proper due diligence and ongoing monitoring on third-party service providers where the provision of staking services is outsourced.

In a separate updated circular (which supersedes the previous version of 22 December 2023 – see our previous update), the SFC stated that it may allow authorised VA funds to engage in staking and other VA-related activities conducted through licensed VATPs, or where applicable, HKMA authorised institutions (AIs) (or subsidiaries of locally incorporated AIs), subject to adhering to various guiding principles, including those relating to internal controls, monitoring of counterparties and service providers, and disclosure.  Prior consultation with and approval of the SFC are required before authorised VA funds can engage in staking and other VA-related activities.

The SFC has added a new Question 20F to its FAQs on the Code on Unit Trusts and Mutual Funds, detailing the requirements that should be observed by management companies of authorised VA funds which engage in staking.  [7 Apr 2024] #Crypto

HKMA issues circular setting out standards expected of AIs regarding provision of staking services for VAs from custodial services

The HKMA has issued a circular outlining the standards expected of authorised institutions (AIs) related to the provision of staking of virtual assets (VAs) from custodial services.  The circular applies to AIs and subsidiaries of locally incorporated AIs that provide staking services from custodial services to their clients.  Locally incorporated AIs should ensure that the business conduct, practices and controls of such subsidiaries comply with the circular.

Staking services refer to any arrangements which involve the process of committing or locking client VAs for a validator to participate in a blockchain protocol’s validation process based on a proof-of-stake consensus mechanism, with returns generated and distributed for that participation.

AIs and subsidiaries of locally incorporated AIs should (among other things):

• Maintain possession or control of all mediums through which the client VAs may no longer be staked;

• Maintain effective policies to prevent or detect errors and other improper activities associated with their staking services, ensure the 'staked' client VAs are adequately safeguarded, as well as implement internal controls to manage operational risks and address any conflict of interests;

• Disclose general information about their staking services and the risks that clients may be exposed to in using their staking services;             

• Act with due skill, care and diligence when including a blockchain protocol for providing staking services;                

• Perform proper due diligence and conduct ongoing monitoring on third party service providers where staking services involve outsourcing to such providers.          

Before engaging in staking services, AIs and subsidiaries of locally incorporated AIs should implement adequate policies, procedures, systems and controls to ensure compliance with the requirements set out in the circular (and other applicable requirements), and discuss these with the HKMA in advance.  They may also test their staking-related operations and controls using the HKMA's Supervisory Incubator for Distributed Ledger Technology.  [7 Apr 2024]  #Crypto

 

---

Singapore

MAS: NBC joins Regional Payment Connectivity initiative

MAS has announced that the National Bank of Cambodia (NBC) has joined the Regional Payment Connectivity initiative, bringing the total number of signatories to nine Association of Southeast Asian Nations (ASEAN) central banks. The initiative aims to promote, faster, cheaper, more transparent and more inclusive cross-border payments.  [8 Apr 2025]  #Payments

MAS: Response to PQ on safeguards against 'finfluencers' providing financial advice

MAS has published its response to a PQ on whether it is reviewing the safeguards in place to ensure that non-licensed individuals and 'finfluencers' do not provide financial advice, and whether there has been an increase in complaints against such individuals.

MAS confirmed that it had received eight complaints against 'finfluencers' so far in 2025, already exceeding the average of five complaints per year over the last five years. The regulator says that it will be monitoring this area closely. It also reiterated that a 'finfluencer' providing advice must be regulated under the Financial Advisers Act and must first be appointed as a representative by a licensed financial advisory firm. Even if 'finfluencers' are not providing financial advice, they must not make false or misleading statements on any capital markets products, or they may be liable for an offence under the Securities and Futures Act.  [8 Apr 2025]  #SocialMedia

MAS: Response to PQ on fintech and NBFI investment risk management

MAS has published its response to a PQ on how it ensures that fintech platforms and non-bank financial institutions (NBFIs) offering high-yield investment products maintain sufficient liquidity and manage fund withdrawal risks. In response, MAS highlighted that investment platforms that operate as digital advisers managing investment portfolios on behalf of customers are required by regulation to keep customers’ assets legally separate and safekept by licensed custodians. [8 Apr 2025]  #Fintech

 

---

Malaysia

BNM and BoT sign MoU on cybersecurity

BNM has announced that it has signed a memorandum of understanding (MoU) with the Bank of Thailand (BoT) on strengthening joint efforts in cybersecurity and digital fraud protection. The MoU also promotes a closer working relationship between the two central banks, enabling more effective information sharing, capacity building, and the exchange of best practices.  [10 Apr 2025]  #Cyber

BNM: Launch of cross-border QR payment phase 2 between Malaysia and Cambodia

BNM has announced the launch of phase 2 of the cross-border QR payment linkage between Malaysia and Cambodia. With this expansion, Malaysian travellers can now pay Cambodian merchants by scanning the KHQR using native mobile payment application of participating financial institutions.  [8 Apr 2025]  #Payments

 

---

Thailand

BoT and BNM sign MoU on cybersecurity

The Bank of Thailand (BoT) has announced that it has signed a memorandum of understanding (MoU) with Bank Negara Malaysia (BNM) to enhance cooperation in cyber security and digital financial fraud prevention.  [10 Apr 2025]  #Cyber

SECT strengthens measures to combat digital asset mule accounts, money laundering

SECT has approved certain amendments to laws aimed at strengthening measures against cybercrime and mule accounts, enhancing the security of public financial transactions and improving the effectiveness of combating online scams. The amendments clarify the mechanisms for information exchange with relevant agencies and elevate measures for preventing the use of foreign digital asset exchanges as a channel for money laundering.  [8 Apr 2025]  #Crypto #Cyber

 

---

US

SEC Crypto Task Force roundtable

The SEC's Crypto Task Force held its roundtable, “Between a Block and a Hard Place: Tailoring Regulation for Crypto Trading” on 11 April 2025. 

The roundtable, announced in March as part of a series, was held at the SEC's headquarters in Washington, D.C. It was open to the public and webcast live on the SEC’s website.  [11 Apr 2025]  #Crypto

CFTC Acting Commissioner comments on DoJ policy on crypto

The CFTC has announced that Acting Chair Caroline D. Pham has welcomed a recently-announced Department of Justice's (DOJ's) policy regarding the digital asset industry, and has directed CFTC staff to comply with the President’s executive orders and Administration policy, consistent with DOJ’s digital assets enforcement priorities and charging considerations. The CFTC release explains that the DOJ policy comes as Acting Chairman Pham has similarly refocused the CFTC’s enforcement resources on cases involving fraud and manipulation.

The press release further notes that shortly after becoming Acting Chair, Ms Pham realigned the CFTC Division of Enforcement task forces and the Division of Enforcement issued a new advisory to promote self-reporting, cooperation, and remediation. Additionally, she launched an initiative aimed at expeditiously resolving a backlog of noncompliance matters that do not involve customer harm or market abuse; to date, nearly two dozen firms have reached out to participate. [8 Apr 2025]  #Crypto

OCC notifies Congress of information security incident

The Office of the Comptroller of the Currency (OCC) has announced that it has notified Congress of a major information security incident, as required by the Federal Information Security Modernization Act.

This finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access in February 2025.

The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.

The OCC has utilized third-party cybersecurity experts to perform a full review of the investigation and forensics efforts. The OCC is also launching an immediate and thorough evaluation of its current IT security policies and procedures to improve its ability to prevent, detect and remediate potential security incidents going forward. In addition, the OCC is working to engage an additional independent third-party to assess and analyze internal processes related to cyber incidents.  [8 Apr 2025]  #Cyber