Introduction
"An ounce of prevention is worth a pound of cure."
A quote attributed to Benjamin Franklin in the context of fire-threatened Philadelphia in 1736, this could equally be applied to online harm in the financial services space, which is a growing concern for regulators given digitalisation and the growth of retail participation in capital markets.
To date, regulators have found it difficult to enforce against the perpetrators of fraud, unauthorised business and misleading advertisements facilitated through social media. This is due to the international dimension to the activities of many offenders and practical difficulty of taking action before investors have been exposed to such content. As a result, regulators are increasingly turning to platform providers (ie, internet search engines, social networks and providers of apps) to help them identify, prevent and mitigate such issues at an early stage.
It was in this context that, on 21 May 2025, the International Organization of Securities Commissions (IOSCO) published a statement highlighting measures used in certain jurisdictions that disrupt online harm arising from financial misconduct. This was followed, on 28 May 2025, by the European Securities and Markets Authority (ESMA) announcing that it had written to several social media and platform companies encouraging them to take proactive steps to prevent the promotion of unauthorised financial services and highlighting IOSCO's initiative.
This article explores the key aspects of IOSCO's and ESMA's statements and what they mean for platform providers.
Online harm in the financial services sector
The use of mobile apps, social media and online platforms for the promotion and purchase of financial products and services has become increasingly common in recent years. While certain technological developments, such as mobile banking and share dealing apps, have benefited consumers through, for example, more competition and reduced costs, the growth of social media has increased the prevalence of investment fraud orchestrated through paid-for advertisements and user-generated content.
In the absence of concerted action by regulators and social media platforms, there is a fear that these risks will grow as fraudsters become more sophisticated, deploying AI and other advanced techniques to target vulnerable consumers. To combat this, the IOSCO International Securities and Commodities Alerts Network (I-SCAN) was launched in March 2025 – a global database of unlicensed firms providing investment services or engaging in illegal financial activities. This follows legislative initiatives such as the EU Digital Services Act and UK Online Safety Act, the latter of which imposes various requirements in relation to fraudulent advertisements, including for Category 1 service providers to implement proportionate systems and procedures to prevent users from encountering fraudulent advertisements, following campaigns by high profile figures such as Martin Lewis.
It was in this context that both IOSCO and ESMA released statements setting out how platform providers might support them in preventing consumer harm.
Unpacking IOSCO's statement
IOSCO's statement sets out its high level suggestions on best practice for platform providers in combatting online harm across financial services and markets. While IOSCO welcomed the efforts made by some platform providers to disrupt the misuse of their products and services by bad actors who seek to target retail investors, it stressed that a "continually improving approach" was needed to achieve tangible success and that was why it had chosen to set out its recommendations.
IOSCO's key recommendations include:
- Internal processes: implementation of systematic processes to detect, assess and mitigate risks related to harmful content, particularly those involving financial fraud, market manipulation, and misleading investment advice.
- Due diligence obligations: deployment of enhanced verification procedures on users posting financial content, with special scrutiny for those offering investment advice or promoting financial products.
- User compliance: rigorous enforcement of applicable terms of service by monitoring and swiftly removing investment scam content or advertisements which violate platform policies.
- Cross-border and regulatory co-operation: international co-ordination and mechanisms for information sharing between platform providers and regulatory bodies to address the inherently global nature of online platforms, including referrals of identified fraudulent activity.
ESMA's follow up
One week later, ESMA followed up with an announcement that it had written to several social media companies outlining its intention to collaborate in order to mitigate the harm caused by unauthorised firms promoting financial products and services through online tools and applications. While ESMA encouraged platform providers to consider IOSCO's initiative alongside its correspondence and recognised that international co-operation was essential to safeguarding investors, it noted that a "focused European approach" was necessary to address EU-specific investor protection requirements.
ESMA highlighted the increasing spread of online scams targeting retail investors and the exploitation of digital platforms by fraudulent actors to advertise unlawful financial services. It also urged technology companies to take proactive steps to prevent the promotion of unauthorised financial services by, for example, using the ESMA register of MiFID II investment firms to verify whether a company wishing to promote via a platform has been authorised to provide investment services by a relevant EU supervisory authority.
ESMA invited these platform providers to arrange a meeting to further discuss these topics, given their importance for citizens and public trust.
What does this mean?
For social media providers that are not regulated by financial services authorities, it is important to note that neither IOSCO, ESMA nor national financial services regulators have technical jurisdiction over these providers, except where they are touching on the regulatory perimeter or otherwise separately conducting regulated activity. For example, under UK law it is an offence for an unauthorised person to communicate a financial promotion unless it has been approved by an authorised person or an appropriate exemption applies. For this reason, various platform providers already verify users who conduct promotional activity by, for example, checking authorisation status. However, the direct nexus between financial regulators and platform providers remains limited. The statements from IOSCO and ESMA therefore reflect their desire to engage platform providers directly in order to facilitate the desired levels of co-operation.
Regulators have expressed their frustration about this – most recently FCA Chief Executive Nikhil Rathi, who at a Treasury Committee hearing on 10 June noted that, "we can’t force the tech firms to take down promotions that we see as problematic. We rely on co-operation from them."
Regulators have acknowledged that there has been good and bad practice in this space – praising the contribution of some firms while noting that others could do more. There is however an acknowledgment that the global nature of many platform providers and volume of customers create significant challenges.
The statements can therefore best be seen as opening salvos in what we expect will be an ongoing dialogue between regulators, platform providers and legislators as the role of technology companies in facilitating the promotion and delivery of financial services continues to grow.
Implications for platform providers
The statements from IOSCO and ESMA are a call for co-operation. While they do not impose any prescriptive requirements, it is clear that regulators want platform providers to adopt proactive measures to mitigate risks in this space.
In the view of policymakers, this should not only protect users but also reduce the need for heavy-handed legislative action in future. Regulators have, however, also been keen to stress that many platform providers are already doing great work in this space.
Examples of actions which may be considered by platform providers looking to front-run any future legislative action in this space include:
- auditing platform compliance against online harm prevention standards (eg, under the Online Safety Act in the UK or Digital Services Act in the EU);
- documenting risk assessment and mitigation strategies;
- using AI-powered monitoring systems to identify potentially harmful financial content;
- designation of governance, oversight and management information reporting over online harm prevention strategies;
- integration of harm prevention into product development processes;
- engaging proactively with regulators and industry working groups to share best practice and influence future regulatory developments;
- training programmes for staff on identifying and addressing online harm.
It is clear that as the digital and financial worlds continue to converge, policymakers remain focused on online harm prevention and are turning their attention to platform providers to support them in this quest. For the moment, policymakers remain reliant on the voluntary co-operation of the largest providers in this space, although we anticipate that the expectations on platform providers, both formal and informal, will continue to grow.