FinTech Global FS Regulatory Round-up - w/e 11 July 2025

 

ICYMI

• Cyber security: Two months in retrospect (Australia) - May and June 2025

 

---

Global

BIS: Second phase of Project Leap launched – quantum-proofing the financial system

The Bank for International Settlements (BIS) Innovation Hub has announced the launch of the second phase of Project Leap. Phase 2 builds on the findings of the first phase of the project and focuses on quantum-proofing payment systems by exploring the implementation of post-quantum cryptography in a European payment system. It involves sending liquidity transfers between Project Leap's central bank partners using post-quantum digital signatures.

Project Leap was launched by the BIS Innovation Hub's Eurosystem Centre together with the Bank of France and Deutsche Bundesbank, the project partners within the Eurosystem, to prepare central banks and the global financial system for a transition towards quantum-resistant encryption. [9 Jul 2025]  #Quantum #Payments

 

---

UK

FCA: Open Finance Sprint 2025 Outcomes report

The FCA has published the Open Finance Sprint 2025 Outcomes report. The report summarises the outputs of the March 2025 Sprint, which focused on developing practical data-sharing use cases ideas to support four opportunity areas: financial wellbeing; financial growth; financial resilience; and better consumer empowerment through digital verification. It does not present the FCA's own views.

Sprint participants identified adaptive regulation and governance, flexible frameworks supporting innovation while ensuring consumer protection, and enhanced data security protocols as fundamentals for open finance. They also observed the need for data to be portable across sectors, standardised, and traceable. There was also consensus among participants on the potential benefits of integrating AI-driven data analysis, agentic AI and strong digital verification solutions.

In terms of next steps, by the end of 2025, the FCA will release a roadmap for open finance with the outcomes of FCA's research into developing open finance. The regulator is also launching a Smart Data Accelerator to test high impact use cases which employ AI, blockchain and cloud. With regard to immediate next steps, these include TechSprints on SME finance and mortgages in the second half of 2025 with 'a big announcement' soon.  [11 Jul 2025]  #OpenFinance #AI #SmartData

BoE: Inaugural meeting of AIC

The Bank of England (BoE) has published the minutes of the inaugural meeting of the AI Consortium (AIC), held in May 2025.  The AIC provides a platform for public-private engagement on AI.

AIC members discussed a range of challenges and risks to explore, including:

• the growing reliance on third-party providers which raises issues around concentration and accountability;
• how widespread use of similar AI models could amplify systemic vulnerabilities, particularly under market stress;
• risks of contagion, where flaws in one model might spread through the system to another model;
• the potential for gen AI to introduce misleading information onto financial markets, creating distortion;
• the risk of unfairness, for example, biased credit scoring; and
• the threat of AI-driven fraud and cyberattacks.

Members also shared insights on the benefits and opportunities likely to dominate in the coming year, including: improving operational efficiency; enhancing customer experience; and driving organisational transformation through task automation.

Members noted that the Bank and the FCA have taken a pragmatic yet flexible approach to regulation so far; the need to coordinate across other regulators, jurisdictions and sectors was highlighted. [11 Jul 2025] #AI #Cyber

FCA: Application window opens for AI live testing

The FCA has announced that the window to apply for AI live testing is open until 20 August 2025. To be eligible, participants must demonstrate that they:

• produce and distribute financial products and services or provide AI models that are material to financial services and markets;
• actively use AI within their specific use case;
• have a material AI use case that is relevant to financial services and markets;
• have a use case that is likely to further one or more of the FCA’s operational objectives and has the potential to positively contribute to UK economic growth;
• have already developed an AI solution proof of concept and have plans to deploy it;
• have already considered pre-deployment testing and are willing to share their approach and findings to ensure readiness for live market rollout;
• have considered post-deployment monitoring plans, including demonstrating how this would be carried out; and
• are open to working collaboratively with, and sharing findings with, the FCA during live testing.

The FCA has published its full Terms of Reference alongside the announcement. [10 Jul 2025]  #AI

PSR: Annual Report and Accounts 2024/25

The Payment Systems Regulator (PSR) has published its Annual Report and Accounts 2024-25 for the year ended 31 March 2025.

The PSR highlights the following:

• confirmation of payee adoption increased to cover 99% of Faster Payments transactions;
• reforms to address authorised push payment (APP) fraud have been successfully implemented;
• the PSR has continued to drive forward open banking, working closely with the FCA; and
• major milestones have been reached on card fee reviews, recognising that the costs faced by retailers, including many small businesses, directly affect their ability to grow and invest. [10 Jul 2025]  #Payments #APPFraud #OpenBanking

PRA: Thematic findings from 2024 Cyber Stress Test

The PRA has published the template version of its letter to regulated firms and relevant financial market infrastructures (FMIs) outlining the thematic findings from the 2024 Cyber Stress Test. The 2024 Cyber Stress Test was a voluntary, exploratory test which asked providers and users of wholesale services to model the impact of a suspected cyber-attack affecting transaction settlement.

The findings are relevant across a range of scenarios and can be used to: improve individual firm and sector response and recovery capabilities; mature firms’ understanding of the potential impacts to financial stability from operational disruption; and inform firms’ impact tolerances for financial stability where appropriate.

Among the key messages in the letter are:

• that is important for systemic firms to consider the Financial Policy Committee's (FPC's) tolerance for disruption to payments and settlement, and how the decisions they make in response to operational disruption may affect financial stability;
• firms may wish to consider whether they have the data and processes in place to identify and prioritise transactions where this could play an important role in maintaining financial stability;
• given the importance of clear and timely communication in maintaining confidence, further work to improve awareness of Sector Response Framework (SRF) processes and, where appropriate, firms' own operational resilience contingency procedures would be beneficial;
• as ensuring firms have liquidity to transact is a key mitigant to impacts from failed settlement, firms would benefit from considering their ability to understand customer firms’ demand for liquidity and their own appetite to provide it, including how this appetite may change over time; and
• working with FMIs, firms should ensure their disconnection (and reconnection) options are understood across business functions, are aligned to their risk appetites, and that playbooks reflect the potential financial stability impacts of a loss of key connections

Firms are expected to consider these findings as part of their implementation of operational resilience policies. [9 Jul 2025]  #Cyber #OpRes

 

---

Europe

ESMA: Guidelines for criteria on assessment of knowledge and competence under MiCAR

The European Securities and Markets Authority (ESMA) has published its final guidelines specifying the criteria for assessing the knowledge and competence of staff at cryptoasset service providers (CASPs), who provide information or advice on cryptoassets and services under the Markets in Cryptoassets Regulation (MiCAR). The guidance includes:

• information on the minimum level of knowledge and competence of staff (including professional qualifications and appropriate experience for the provision of information or advice); and
• information that addresses specific features and risks of cryptoasset markets and services (e.g. high volatility and cyber security risks) through the criteria for the assessment of the relevant staff’s knowledge and competence. 

The guidelines are intended to help CASPs to meet their obligations and act in the best interest of their clients. They also support national competent authorities (NCAs) in adequately assessing how CASPs meet these obligations.

In terms of next steps, the guidelines will be translated into all official EU languages and will start applying six months after publication on ESMA’s website. [11 Jul 2025]  #Crypto #DigitalAsset #MiCAR 

ESMA statement: Risks of unregulated products offered by regulated cryptoassets entities

ESMA has published a statement warning investors of the ‘halo effect’ that can lead to overlooking risk when authorised CASPs offer both regulated and unregulated products and/or services.

The statement also reminds CASPs of the issues that they should consider when providing unregulated products and services and recommends that they should be particularly vigilant about avoiding any client confusion regarding the protections attached to unregulated products and/or services. CASPs are expected to clearly communicate the regulatory status of each product or service in all client interactions and at every stage of the sales process. 

In addition, ESMA reminds cryptoassets entities of their obligation to act fairly, professionally and in the best interests of their clients, ensuring that all information, including marketing communications, is fair, clear and not misleading.  [11 Jul 2025]  #Crypto #DigitalAsset

ESMA: Revised guidelines on outsourcing to cloud service providers

ESMA has published its final report, which contains revisions to its 2021 guidelines on outsourcing to cloud service providers. The revised guidelines amend the scope of application of the 2021 guidelines to exclude financial entities covered by the Digital Operational Resilience Act (DORA); the content of the guidelines is not substantively changed.

The guidelines will be translated in the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.  [11 Jul 2025]  #Cloud #DORA #OpRes

ESMA: Review of authorisation of CASPs in Malta and wider application to all NCAs

ESMA has published the results of a peer review looking at the authorisation of CASPs in Malta under MiCAR. The peer review analyses the approaches adopted by the Malta Financial Services Authority (MFSA) in the authorisation and early supervision of a CASP and provides recommendations to strengthen these processes.

While focused on an individual country, the review aims to foster the sound authorisation of CASPs by all national competent authorities (NCAs). ESMA expects all NCAs to take account of its conclusions, to ensure that the authorisations they grant are well assessed in what is a new and high-risk sector, where supervisory knowledge is still being built. [10 Jul 2025]  #Crypto #DigitalAsset

ESMA: Guidelines on supervisory practices to prevent and detect market abuse under MiCAR

ESMA has published a set of guidelines (with translations) on supervisory practices for competent authorities to prevent and detect market abuse under MiCAR. They aim to establish consistent, efficient and effective supervisory practices among competent authorities to prevent and detect insider dealing, unlawful disclosure of inside information and market manipulation.

The guidelines apply from three months from the date of their publication on ESMA’s website in all official EU languages. [9 Jul 2025]  #Crypto #DigitalAsset #MiCAR 

EBA consults on guidelines on third-party risk management

The EBA has published a consultation on its draft guidelines on the sound management of third-party risk. The guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors, with a particular focus on the provision of critical or important functions. They revise and update the previous EBA guidelines on outsourcing, published in 2019, to ensure consistency with the requirements under the Digital Operational Resilience Act (DORA) framework to the extent possible.

Financial entities falling under the scope of the updated guidelines will have a transitional period of two years to review and amend their existing third-party arrangements (TPA) and to update the register for non-ICT TPA.

Responses to the consultation are requested by 8 October 2025. The EBA will hold a virtual hearing on the draft guidelines on 5 September 2025. [8 Jul 2025]  #Cloud #DORA #OpRes

 

---

Australia

ASIC: Tokenised asset research project reaches new milestone

The Reserve Bank of Australia and the Digital Finance Cooperative Research Centre have announced the industry participants selected for their tokenised asset settlement research project (Project Acacia). Project Acacia aims to explore how innovations in digital money and settlement infrastructure could support the development of tokenised assets in financial markets.

To support this research, the Australian Securities and Investments Commission (ASIC) is providing regulatory relief to participants. This ensures that Project Acacia can proceed without the usual regulatory constraints, allowing for a more flexible and innovative approach.

Project Acacia is a significant step towards understanding and potentially integrating tokenised assets into the financial system. The goal is to achieve more efficient and secure settlement processes, which could revolutionize the way financial transactions are conducted.  

Testing of use cases will occur over the next six months, with a report on the findings from the project expected to be published in the first quarter of 2026.  [10 Jul 2025]  #Tokenisation #DigitalAsset

 

---

Hong Kong

Banking rule amendments to implement prudential treatment of cryptoasset exposures and miscellaneous updates to be tabled before LegCo on 16 July 2025

The HKMA has announced that the following amendments to the rules under the Banking Ordinance have been gazetted to implement the new prudential standard promulgated by the Basel Committee on Banking Supervision (BCBS) in Hong Kong.  They will be tabled before the Legislative Council (LegCo) on 16 July 2025 for negative vetting, subject to which they are targeted to take effect on 1 January 2026:

• Banking (Capital) (Amendment) Rules 2025;
• Banking (Disclosure) (Amendment) Rules 2025; and
• Banking (Exposure Limits) (Amendment) Rules 2025.

The amendments seek to implement the capital standards and the associated requirements on disclosure and exposure limits promulgated by the BCBS in relation to the prudential treatment of cryptoasset exposures, which are scheduled to take effect on 1 January 2026 in accordance with the BCBS timeline.  [11 Jul 2025]  #Crypto #DigitalAsset

SFC convenes second Digital Asset Consultative Panel meeting with licensed VATPs

The SFC has held the second meeting of its Digital Asset Consultative Panel (see our previous update for the inaugural meeting), continuing its engagement with licensed virtual asset trading platforms (VATPs).

The meeting covered a broad range of issues relating to market and regulatory developments in the digital asset realm, particularly initiatives in Pillars A (Access) and P (Products) of the SFC’s ASPIRe roadmap issued in February 2025 (see our previous update), including:

• Proposals to introduce regulatory regimes for virtual asset dealing and custodian providers (see our previous update); and

• Market accessibility and product offerings

The panel, formerly known as the Virtual Asset Consultative Panel, has been renamed to align with the term used in the Government’s Policy Statement 2.0 on the Development of Digital Assets in Hong Kong issued on 26 June 2025 (see our previous update).  

Dr Eric Yip, the SFC's Executive Director of Intermediaries and chair of the panel, stated that the SFC remains committed to maintaining global competitiveness while ensuring robust investor protection and local safeguards within the digital asset sector.

The SFC will continue to proactively collaborate with licensed VATPs via the panel as part of the initiative in Pillar Re (Relationships) of the ASPIRe roadmap.  [7 Jul 2025]  #DigitalAsset

---

US

CSBS issues money transmitter guidance on virtual currency and capital

The Conference of State Bank Supervisors (CSBS) has issued guidance which clarifies the treatment of virtual currency when calculating a licensee’s tangible net worth under the Money Transmission Modernization Act (MTMA). The guidance is advisory in nature.  [26 Jun 2025]  #DigitalAsset