FCA speech on supporting economic growth

On 27 February 2025, the FCA published a speech by Nikhil Rathi, FCA Chief Executive, covering how the FCA is supporting growth initiatives. Key points include:

• From 27 February 2025, firms are no longer expected to have a Consumer Duty champion. The FCA's rules still mandate that firms integrate their obligations under the Consumer Duty into their strategies, governance, leadership policies and incentives at all levels.

• The FCA plans to expedite around 50 growth proposals that were recently presented to the Prime Minister, addressing various areas such as: mortgage affordability, digital payments, reducing redundant data returns, promoting UK financial services internationally, encouraging innovation in firms, and reducing regulatory barriers.

• The FCA is collaborating with the government on its financial and professional services strategy and has asked the government to articulate clearly its risk appetite, particularly in relation to consumer harm. 

• The FCA would value metrics against which it can be held to account. 

• The FCA received 170 responses to its CfI on its review of retail conduct requirements from July 2024, and the FCA is currently reviewing the feedback.

• Rathi noted that there were differing opinions when addressing industry concerns on the speed of regulatory change. He suggested the potential for the FCA to move quickly with extended transition periods, where consensus on the pace of change is not reached.

FSB letter to G20 finance ministers and central bank governors: February 2025 

On 24 February 2025, the Financial Stability Board (FSB) published a letter from Klaas Knot, FSB Chair, to G20 finance ministers and central bank governors ahead of their meeting on 26 and 27 February 2025.

The letter highlights several areas of focus for the FSB in 2025 including:

• Cross-border payments: The FSB acknowledges that significant work is required up to and beyond 2027 to address structural issues identified in the G20 roadmap to enhance cross-border payments, which was published in October 2020. A report on progress towards making cross-border payments faster, cheaper, more transparent, and accessible will be published in October 2025.

• Digital innovation: The FSB will finalise the format for operational incident reporting exchange (FIRE), including cyber incidents, by April 2025. In October 2025, it will release a peer review report on the implementation of its global regulatory framework for cryptoasset markets, stablecoin arrangements, and a report on AI vulnerabilities in finance.

PRA confirms approach to policy

On 20 February 2025, the PRA published a policy statement on its approach to policy (PS3/25), containing the final version of the PRA's approach to policy document. The approach document explains how the PRA develops policy under the Financial Services and Markets Act 2000 (FSMA) and the Financial Services and Markets Act 2023 (FSMA 2023). The document serves three purposes:

• enhancing transparency and accountability, including to Parliament, by detailing the PRA's goals and methods

• helping firms and the public understand the PRA's policy-making process and the role of firms within it

• meeting the statutory requirement for the PRA to provide guidance and advance its statutory objectives.

The PRA previously consulted on its proposed approach in December 2023 (see our January 2024 update). In PS3/25, it summarises feedback from the consultation, with respondents generally supporting the proposals. The PRA made targeted adjustments, particularly to its secondary objectives, such as secondary competitiveness and growth objective (SCGO), taking into account consultation responses and recommendations from the Bank of England (BoE) Independent Evaluation Office (IEO).

Respondents also sought clarifications, which the PRA addresses in Chapter 2 of PS3/25.

The approach document takes effect immediately upon publication and will serve as a standing reference, subject to revision in response to significant legislative or other developments.

FCA explains new email retention policy to enhance regulatory efficiency

On 19 February 2025, the FCA published a webpage detailing its new email management policy, effective from 1 April 2025.

Under the policy, emails in staff inboxes will be deleted after one year, with important communications saved to a central shared drive. This aims to improve data management, ensure the General Data Protection Regulation (GDPR) and the Data Protection Act compliance, and improve regulatory efficiency. Regulatory records will still be retained for 25 years, and operational processes using shared mailboxes are exempt from this policy. The FCA has implemented safeguards, including extended access to deleted emails for select staff if necessary, and has assured that transparency will be maintained. The policy aligns with the record-keeping standards for regulated firms and is supported by guidance and expected of regulated firms and practical workshops for staff.

Statement following third meeting of joint UK-EU Financial Regulatory Forum

On 13 February 2025, HM Treasury published a statement following the third meeting of the joint UK-EU Financial Regulatory Forum on 12 February 2025, co-chaired by the HM Treasury Director General for Financial Services and the European Commission Director General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA). Participants included representatives from the Bank of England (BoE), the FCA, the European Central Bank (ECB), the European Supervisory Authorities (ESAs) and the EU Single Resolution Board (SRB).

Key discussion points include:

• Banking regulation: Participants reaffirmed the significance of high international standards for global financial stability, and the full, consistent implementation of the Basel III framework by Basel Committee on Banking Supervision (BCBS) members.

• Digital and technology: Participants agreed to collaborate on understanding AI’s benefits and risks in the financial services sector.

• Cryptoassets regulation: Participants highlighted the importance of global implementation of the Financial Stability Board (FSB) regulatory framework for cryptoasset markets and activities, and global stablecoin arrangements.

• T+1 securities settlement cycle: Participants discussed progress towards implementing the T+1 cycle, agreeing on a target date of 11 October 2027, and committed to continued co-ordination between EU and UK taskforces. 

• Capital markets regulation: Participants discussed progress on the development of the EU and UK consolidated tapes and agreed to continue liaising on this topic, as appropriate.

• Money market funds (MMFs): Participants highlighted the need for timely implementation of the FSB’s MMF resilience recommendations and continued reform efforts.

• Sustainable finance: Participants exchanged views on promoting international coordination for consistent sustainable finance standards.

PRA policy statement on streamlining firm-specific capital communications 

On 12 February 2025, the PRA published a policy statement (PS2/25), outlining its final rules to simplify the content and process of the firm-specific capital communications used to set the Pillar 2A capital framework, the systemic buffers and the additional leverage ratio buffer (ALRB). The changes do not impact firms' capital requirements.

In Chapter 3 of PS25/25, the PRA provides feedback on responses to its September 2024 consultation (CP9/24) on streamlining the Pillar 2A framework. No substantial changes were made to the proposed rules.

The appendices include the final version of the PRA Rulebook: CRR Firms: Buffers Instrument 2025 (PRA2025/1), along with a revised version of the PRA supervisory statement on the internal capital adequacy assessment process (ICAAP) and the supervisory review and evaluation process (SREP) (SS31/15) and a revised version of the PRA supervisory statement on the UK leverage ratio framework (SS45/15).

The new policy and rules will take effect on 31 March 2025, with no specific actions required from firms.

Treasury Committee requests information from FOS and FCA about departure of FOS Chief Executive

On 11 February 2025, the House of Commons Treasury Committee published the letters it has sent to the Financial Ombudsman Service (FOS) and the FCA, following Abby Thomas' recent departure as FOS Chief Executive and Chief Ombudsman. The FOS announced her resignation on 6 February 2025, with interim arrangements in place.

At an evidence session on 11 February 2025, the committee questioned FOS Chair Baroness Manzoor and Interim Chief Ombudsman James Dipple-Johnstone. However, the committee stated that the circumstances of Ms. Thomas' departure were not fully disclosed, preventing a clear understanding of the situation and its impact on the FOS.

In its letter to the FOS, the committee asks when the board was informed of Ms. Thomas' departure, requests details on severance or other payments, and inquires if the board had concerns about her performance or the FOS executive team.

In its letter to the FCA, the committee points out that under the Financial Services and Markets Act 2000 (FSMA) and the memorandum of understanding (MoU) between the FOS and the FCA, the FCA is required to ensure the FOS can perform its statutory functions. It asks when the FCA was first informed of Ms. Thomas' departure, whether FCA board members discussed it, and what role the FCA played. It also requests information on how the FCA ensured the FOS's operational effectiveness following her departure.

The committee requested a response from the FOS and the FCA by 18 February 2025.

European Commission 2025 work programme: financial services aspects 

On 11 February 2025, the European Commission published a communication outlining its 2025 work programme, along with annexes and a related factsheet.

The annexes include, amongst others, the following:

• Annex I, which sets out new initiatives. Simplification initiatives or initiatives with a strong simplification dimension are presented in the table in this annex with a blue background.

• Annex III, which sets out the pending proposals where the Commission wants the co-legislators (the European Parliament and the Council of the EU) to reach an agreement. Amongst those include the Proposed Regulation on a framework for financial data access (FiDA). The Commission adopted its legislative proposal in June 2023. FiDA aims to extend customer data sharing requirements to a wide range of financial products, although it remains a contentious topic with significant industry pushback and rumours prior to the publication of the Commission's work programme that the legislation was to be dropped.

• Annex IV details 37 proposals set for withdrawal, such as the directive on credit servicers and purchasers.

The Commission has also published a communication on implementation and simplification and a related factsheet. The communication outlines the Commission's agenda to deliver fast and visible improvements for a more prosperous, competitive, decarbonised and resilient EU. The omnibus packages on sustainability and investment simplification that are outlined in the 2025 work programme will be the first deliverables, with ongoing collaboration with stakeholders throughout the mandate. 

FCA financial promotions Q4 2024 data and examples of intervention

On 7 February 2025, the FCA published a webpage containing its financial promotions quarterly data for Q4 2024, detailing key findings and intervention examples for both authorised and unauthorised firms.

Some of the most common breaches involved claims management companies and section 21 approvers for crypto firms.

The FCA provided two examples of interventions relating to crypto firms:

• A section 21 approver provided clarity on the topics covered by a client's appropriateness assessment, which is required when firms offer high-risk investments. 

• As a result of the FCA's intervention, a cryptoasset firm with non-compliant and potentially misleading financial promotions on its websites and across a number of social media platforms amended its promotions to comply with the relevant FCA Handbook rules.

Individual sentenced for illegally operating crypto ATMs

On 28 February 2025, the FCA announced that an individual had been sentenced to four years in prison for illegally operating crypto ATMs, marking the UK's first sentence for unregistered cryptoasset activity. The individual pleaded guilty on 30 September 2024 to five charges involving illegal crypto activities worth over £2.5 million. Between December 2021 and March 2022, the individual operated crypto ATMs at 28 locations (through his company), despite being refused FCA registration under the Money Laundering Regulations 2017. At the hearing, the FCA asked the court to initiate confiscation proceedings under the Proceeds of Crime Act 2002 (POCA).

MiCA updates

European Commission adopts Delegated Regulations on RTS under MiCA

On 27 February, the European Commission adopted three Delegated Regulations to supplement the Regulation on markets in cryptoassets (MiCA). These regulations focus on:

• Record-Keeping: Specifying records that must be kept for all cryptoasset services, activities, orders, and transactions.

• Conflicts of Interest for Service Providers: Defining requirements for policies and procedures to manage conflicts of interest for cryptoasset service providers and detailing disclosure methodologies.

• Conflicts of Interest for Issuers: Outlining requirements for policies and procedures to handle conflicts of interest for issuers of asset-referenced tokens.

These regulations are based on the draft RTS developed by the EBA and ESMA. The Council of the EU and the European Parliament will review these Delegated Regulations; if there are no objections, they will be published in the Official Journal and take effect 20 days later.

ESMA publishes official translations of MiCA guidelines

On 26 February 2025, ESMA published the following official translations of its guidelines on:

• Situations in which a third-country firm solicits clients in the EU and methods to prevent misuse of the reverse solicitation exemption. The guidelines reflect a mandate under Article 61 of MiCA.

• The procedures and policies, including clients' rights, in the context of transfer services for cryptoassets, as reflected in a mandate under Article 82 of MiCA. The guidelines apply to competent authorities and cryptoasset service providers offering transfer services for cryptoassets on behalf of client. They aim to establish consistent, efficient, and effective supervisory practices to ensure uniform application of Article 82. Cryptoasset service providers are not required to report their compliance status

• On EU standards for maintaining systems and security access protocols for offerors and persons seeking admission to trading of cryptoassets, excluding asset-referenced tokens and e-money tokens. The guidelines fall under the mandate of Article 14(1) of MiCA. They aim to clarify the required systems and security access protocols to those seeking admission to trade cryptoassets, who are not subject to the same operational resilience standards as those regulated under MiCA and DORA.

NCAs must inform ESMA by 26 April 2025, two months after the publication date, whether they comply with these guidelines or plan to do so. The guidelines become effective from 27 April 2025.

EBA opinion on European Commission's partial rejection of RTS on authorisation for issuers of ARTs

On 20 February 2025, the EBA published an opinion regarding the European Commission's partial rejection of its regulatory technical standards (RTS) on authorisation for issuers of asset-referenced tokens (ARTs) under Article 18(6) of MiCA.

The EBA accepts the changes proposed by the Commission, and asks them to consider amending the level one text to include the elements that were set out in the draft RTS (published in May 2024). These include the requirements for:

• An internal policy to prevent market abuse and one to prevent whistleblowers. The EBA suggests that issuers, offering to the public or seeking admission to trading of ARTs, may voluntarily adopt such measures as part of effective governance.

• An independent third-party audit to assess the technical and security aspects of Distributed Ledger Technology, operated by issuers or third parties, to mitigate related risks.

• Proof of good repute of members of the management by supervisors, necessitated by recent experiences in the cryptoasset environment. 

Commission Regulations on notification of intention to provide cryptoasset services under MiCA published in OJ

On 20 February 2025, the following Delegated and Implementing Regulations supplementing the Regulation on markets in cryptoassets (MiCA) were published in the Official Journal of the European Union:

• Commission Delegated Regulation specifying regulatory technical standards (RTS) for information to be included by certain financial entities in the notification of their intention to provide cryptoasset services. The Regulation has been made under Article 60(13) of MiCA.

• Commission Implementing Regulation setting out implementing technical standards (ITS) for standard forms, templates and procedures for the notification by certain financial entities of their intention to provide cryptoasset services. This Regulation has been made under Article 60(14) of MiCA.

Both Regulations come into force on 12 March 2025. The European Commission adopted these Regulations on 31 October 2024 (see our November 2024 update).

ESMA consults on guidelines for criteria to assess knowledge and competence under MiCA

On 17 February 2025, ESMA published a consultation paper outlining guidelines for assessing knowledge and competence under the Regulation on markets in cryptoassets (MiCA).

Article 81(15) of MiCA mandates ESMA to issue guidelines specifying the criteria for assessing knowledge and competence of individuals advising or providing information about cryptoassets or cryptoasset services.

The draft guidelines cover several key areas:

• Cryptoasset service providers (CASPs) should ensure that staff providing information about cryptoassets, or cryptoasset services, have the knowledge and competence to understand the characteristics, risks (including volatility and cybersecurity), and market dynamics of cryptoassets and services they offer.

• CASPs should ensure that staff giving advice comply with the guidelines.

• CASPs' organisational requirements should ensure that the knowledge and competence of the staff giving information and advice on cryptoassets, or cryptoasset services, is assessed, maintained and updated appropriately.

Annex II contains the draft text of the guidelines.

The deadline for responses is 22 April 2025. ESMA intends to publish a final report and guidelines in Q3 2025.

Seven Delegated Regulations under MiCA published in Official Journal of the European Union

On 13 February 2025, the following Delegated Regulations supplementing the Regulation on markets in cryptoassets (MiCA) were published in the Official Journal of the European Union:

• Delegated Regulation supplementing MiCA with regard to regulatory technical standards (RTS) establishing a template document for co-operation arrangements between competent authorities and supervisory authorities of third countries under Article 107(3).

• Delegated Regulation supplementing MiCA with regard to RTS specifying the requirements, templates and procedures for the handling of complaints relating to asset referenced tokens (ARTs) under Article 31(5).

• Delegated Regulation supplementing MiCA with regard to RTS specifying the requirements, templates and procedures for the handling of complaints by cryptoasset services providers (CASPs) under Article 71(5).

• Delegated Regulation supplementing MiCA with regard to RTS specifying the procedure for the approval of a cryptoasset white paper under Article 17(8).

• Delegated Regulation regarding to RTS specifying the conditions for the establishment and functioning of consultative supervisory colleges under Article 119(8).

• Delegated Regulation supplementing MiCA with regard to RTS specifying the methodology to estimate the number and value of transactions associated to uses of asset-referenced tokens and of e-money tokens denominated in a currency that is not an official currency of a member state as a means of exchange under Article 22(6).

• Delegated Regulation supplementing MiCA with regard to RTS on continuity and regularity in the performance of cryptoasset services under Article 68(10).

The Delegated Regulations will enter into force on 5 March 2025.

EBA opinion on European Commission amendments to draft RTS on conflicts of interest for asset-referenced token issuers under MiCA

On 5 February 2025, the European Banking Authority (EBA) published an opinion on the European Commission's proposed amendments to its draft regulatory technical standards (RTS) on conflicts of interest for issuers of asset-referenced tokens (ARTs) under Article 32(5) of MiCA.

The EBA submitted its final draft RTS to the Commission in June 2024. In November 2024, the Commission informed the EBA of its intention to endorse the draft RTS with amendments and sent the EBA a modified version outlining these changes.

The EBA has no concerns about most substantive amendments, except for the deletion of the reference to "risk alignment mechanisms" for remuneration in Article 5. The Commission has agreed to reinstate this reference in the adopted RTS, ensuring consistency with similar provisions for cryptoasset service providers (CASPs).

The EBA supports non-substantive changes which clarify text, including regrouping some provisions and reducing the number of Articles from 11 to 9.

The amended draft RTS was submitted back to the Commission for endorsement. Following this, they will be scrutinised by the European Parliament and the Council of the EU before publication in the Official Journal of the European Union. They will come into force 20 days later.

FSB thematic peer review on global regulatory framework for cryptoassets: consultation and terms of reference

On 21 February 2025, the Financial Stability Board (FSB) published summary terms of reference for its thematic peer review on its global regulatory framework for cryptoasset activities. The framework includes high-level recommendations for the regulation, supervision and oversight of both cryptoasset activities and markets and global stablecoin arrangements.

In an accompanying press release, the FSB explains that it is seeking feedback from stakeholders as part of its thematic peer review of implementation of the global regulatory framework by FSB member and certain non-member jurisdictions. The summary terms of reference outline the review's objectives, scope and process.

The FSB has sent a questionnaire to relevant jurisdictions and also invites feedback from stakeholders on several issues, including:

• how jurisdictional regulatory frameworks influence decisions by cryptoasset issuers and service providers relating to locating and structuring their business

• experiences and challenges for cryptoasset market participants in meeting the regulatory and supervisory requirements

• how financial stability vulnerabilities of cryptoasset activities differ across jurisdictions and how vulnerabilities are evolving as jurisdictions implement relevant regulatory and supervisory frameworks

• potential market practices or trends that may threaten financial stability.

Feedback is due by 28 March 2025. The FSB plans to publish the peer review report in October 2025. The FSB's final framework for regulating cryptoasset activities was released in July 2023, and an update on progress was presented to the G20 in October 2024 (see our November 2024 update).

FCA and PSR feedback statement on BigTech and digital wallets

On 19 February 2025, the FCA and the Payment Systems Regulator (PSR) published a feedback statement (FS25/1) on responses received to their joint call for information (CfI) on big technology firms (BigTech) and digital wallets. The CfI, issued in July 2024, aimed to gather input on the benefits and potential issues of digital wallets.

FS25/1 highlights that most stakeholders view digital wallets as beneficial for consumers, particularly in terms of innovation and non-card forms of payment. It also summarises potential issues identified by stakeholders, alongside proposed next steps, including:

• Deficiencies in competition between digital wallets. In response, the regulators will work closely with the Competition and Markets Authority (CMA) as it reviews digital wallets within its investigations into Apple and Google.

• Barriers to effective competition between payment systems within digital wallets. The regulators will work with the CMA to understand how interventions addressing competition between digital wallets could impact competition between payment systems.

• The impact of operational failures of digital wallets on financial system resilience, as well as gaps in the current regulatory framework. Some stakeholders suggested bringing digital wallets under the FCA's regulatory perimeter, whilst others warned against over-regulation. The FCA will engage with HM Treasury to review relevant payment services and electronic money regulations. 

The regulators have also shared their findings in a letter for the CMA in response to its investigations into Apple and Google. Whilst not planning new in-depth work, the regulators will monitor develops with the CMA and HM Treasury. Chapter 4 of FS25/1 provides more detail on the next steps.

FS25/1 also explores opportunities arising from the adoption of digital technologies, such as digital identity verification and a digital pound.

Next steps to APP scams reimbursement claims management system 

On 11 February 2025, the Payment Systems Regulator (PSR) published a webpage providing an update on the implementation of requirements related to Authorised Push Payment (APP) scams and outlined next steps for the reimbursement claims management system (RCMS).

Whilst a claims management process is already in place, the PSR is working towards establishing a more consistent approach. The PSR advocates for a centralised system, to be implemented by Pay,UK, that all directed payment service providers (PSPs) would be required to use.

As part of this initiative, the PSR plans to publish a consultation in April 2025, seeking views on potential regulatory requirements for Pay.UK’s RCMS and its role in APP scam claims and data reporting. The consultation will run for at least eight weeks.

In previous consultations, the PSR has recognised the benefits of Pay.UK’s RCMS, but decided not to impose regulatory requirements at that time. The upcoming consultation will explore the implementation timeline, with an anticipated earliest possible date for requirements to come into effect in late 2025.

The PSR also recognised the role of existing claims management systems, including the contributions of UK Finance, and the operational challenges PSPs face, particularly as some APP claims are still being processed manually. Stakeholder input is crucial to the process, and the PSR encourages ongoing engagement. 

ECB decision on non-bank PSPs' access to central bank operated payment systems and central bank accounts published in OJ 

On 6 February 2025, the European Central Bank (ECB) published its Decision in the Official Journal (OJ) of the European Union, addressing access by non-bank payment service providers (NB-PSPs) to ECB operated payment systems and central bank accounts.

In July 2024, the ECB and Eurosystem introduced a policy to harmonise the approach to access by NB-PSPs (which include payment institutions (PIs) and electronic money institutions (EMIs)) to all central bank operated payment systems, including TARGET and retail systems run by euro-area national central banks. The policy defined the approach on the access to accounts. The policy document noted the ECB's plans to publish a related ECB legal act.

The decision gives effect to that policy and:

• Sets out the conditions an NB-PSP must meet to qualify for access to Eurosystem central bank operated payment systems.

• States that Eurosystem central banks will not offer safeguarding accounts to NB-PSPs, since it is not a core function of central banks to act as a substitute for credit institutions in providing safeguarding services.

• Specifies rules relating to maximum balance on the account holder's settlement account at the close of each business day.

The ECB adopted the decision on 27 January 2025.

The decision entered into force on 26 February 2025. It will apply in member states from 9 April 2025. The application date aligns with the transposition deadline for amendments to the Settlement Finality Directive and revised Payment Services Directive under the Instant Payments Regulation.

PSR new compliance monitoring framework

On 4 February 2025, the Payment Systems Regulator (PSR) published a policy statement containing its new Compliance Monitoring Framework (PS25/2).
This framework details the structure of the Compliance Monitoring team's work, and outlines:

• The scope of its monitoring work, which focuses on firms that are subject to directions (directed parties) to identify potential compliance issues and address them directly.

• Its proportionate and risk-based approach to compliance monitoring, including the monitoring principles that inform its work. This requires acting quickly on identified failures and ensuring clear engagement with firms.

• A three-stage monitoring process: identification and assessment, action, and escalation to the Enforcement team for further investigation and potential enforcement.

• Communication and engagement strategies with firms through an annual plan and co-ordination with other regulatory bodies.

In a related thought piece, the PSR announces plans to update its Process and Procedures Guide later in 2025, as well as publish a similar document for its enforcement work.

The Compliance Monitoring team is part of the PSR's Supervision and Compliance Monitoring division, which also includes the Supervision and Enforcement teams.

Motor finance: FCA granted permission to intervene

On 17 February 2025, the Supreme Court published a press release granting the FCA permission to intervene in the landmark car-finance case. 

The Supreme Court will hear the three appeals (Hopcraft v Close Brothers Ltd, Johnson v FirstRand Bank Ltd and Wrench v FirstRand Bank Ltd) together, from 1 to 3 April 2025.

In contrast, the Supreme Court has denied intervention requests from the Finance & Leasing Association (FLA) and HM Treasury. The court did not disclose any reasons for rejecting the HM Treasury's request to take part in the appeals. The government had expressed concern that the ruling could have a significant and potentially damaging impact on the market and confirmed that it would monitor the case closely.

The case's outcome is critical for the industry, as upholding the Court of Appeal’s ruling could lead to billions in redress claims. Moody’s estimates the cost to the sector at £30 billion. On 12 February 2025, Close Brothers announced it would set aside £165 million for the ongoing investigation.

FCA research note on role of AI in credit decisions

On 24 February 2025, the FCA published a research note on AI's role in credit decisions.

The note discusses AI explainability in the context of algorithm-assisted decision-making, using consumer credit decisions as a case study to test out different approaches. The authors tested whether participants were able to identify errors caused either by incorrect data used by the algorithm or by flaws in the algorithm's decision logic itself.

The study found that providing more information about the algorithm's inner workings boosted consumer confidence in challenging the algorithm's decisions. However, too much information could harm decision-making and impair consumers' ability to challenge errors.

The findings highlight:

• the importance of testing accompanying materials that are provided to consumers when explaining AI, machine learning or algorithmic decision-making

• the importance of testing consumers' decision-making within the relevant context, rather than relying solely on self-reported attitudes.

A related webpage suggests future research could explore how to best explain AI-assisted decisions in other financial services contexts and examine how explainability methods impact consumers.

Draft guidelines on AI system definition published under EU AI Act

On 6 February 2025, the European Commission published draft guidelines on the definition of an AI system under the EU AI Act. The guidelines are non-binding and clarify which AI systems fall under the Act's scope.

Article 3(1) of the EU AI Act defines an AI system as:

"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments".

The guidelines break down this definition into seven key elements, including autonomy, adaptiveness and inference. To fall within the scope of the AI systems definition, all seven elements must be present at some point during the system's development and use. The guidelines provide examples to illustrate each element.

The guidelines focus on the meaning of inference, recognising that organisations may struggle to differentiate between software automation and AI decision making. For example, a system optimising computational performance with predefined rules is not an AI system, whilst a system which permits adjustments to its overall decision-making model would be.

The Commission says that no automatic or exhaustive lists of systems that either fall within or outside the definition of an AI system are possible. It will update the guidelines from time to time in the light of practical experiences.

The guidelines are an approved draft, but no formal adoption timetable has been provided.

Guidelines on prohibited AI practices published under EU AI Act

The European Commission has published guidelines on the prohibited AI practices under Article 5 of the EU AI Act, which started to apply on 2 February 2025.

Article 5 outlines eight types of banned AI practice, including social scoring, emotion recognition, biometric classification and real-time remote biometric identification (RBI) in publicly accessible places for law enforcement purposes.

The guidelines provide explanations and examples of terminology used in each of the Article 5 prohibitions to help organisations interpret how these apply in practice. For example, the guidelines provide a variety of real-life RBI situations to help understand phrases such as "for the purposes of law enforcement" and "targeted search".

The guidelines are non-binding, but the Commission says that they provide a valuable insight on how to interpret the Article 5 prohibitions. The Commission says the guidelines are intended to promote the consistent and uniform application of the EU AI Act across the EU and are aimed at competent authorities, and providers and deployers of AI systems.

The guidelines also address the relationship between the Article 5 prohibitions and high-risk AI systems covered by Article 6 (and Annex III). Some high-risk AI systems may qualify as prohibited practices if they meet Article 5 criteria, whilst AI systems that fall under exceptions from prohibition are likely to be considered high-risk. 

The guidelines are an approved draft, as the Article 5 prohibitions are already in effect, and will formally adopt them once all language versions are available.

BIS speech on foundations of trustworthy AI in financial sector

On 11 February 2025, the Bank for International Settlements (BIS) published a speech by Denis Beau, First Deputy Governor of the Bank of France, on the foundations of trustworthy AI in the financial sector.

Key points include:

• AI, combined with available data, is transforming the financial sector by enhancing user experience, automating processes, and controlling risks such as fraud, money laundering and terrorist financing. Generative AI is also boosting innovation within firms.

• AI still presents risks for individual players in the financial system and for the stability of the system as a whole. Key risks include that the technologies will be put to improper use and that AI amplifies cyber risk (although, conversely, AI can improve IT security by helping to detect suspicious behaviour). Another risk, which could become increasingly significant in the future, is environmental risk, since training the most recent generative AI models is a very energy-intensive process and regular use by large numbers of customers will increase this.

• The EU AI Act will not disrupt financial sector risk management, as financial institutions already have strong risk management culture, robust governance and internal controls. The Regulation on digital operational resilience for the EU financial sector (DORA) further supports resilience and IT risk management. 

• AI challenges, such as explainability and fairness, require financial institutions to invest in new human and technical resources, to also comply with the AI Act regulatory requirements.

• Financial supervisors must enhance skills and adapt their tools. They must also collaborate with other AI supervisors domestically and across the EU to address shared challenges.

Commission Regulations on notifications and reports of major ICT-related incidents and cyber threats under DORA published in the Official Journal of the European Union

On 20 February 2025, the following Delegated and Implementing Regulations supplementing the Regulation on digital operational resilience for the financial sector (DORA) were published in the Official Journal of the European Union:

• Commission Delegated Regulation specifying content and time limits for initial notifications of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats. This Regulation is made under Article 20(3) of DORA.

• Commission Implementing Regulation setting out implementing technical standards (ITS) for the application with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. This Regulation has been made under Article 20(4) of DORA.

Both Regulations take effect on 12 March 2025. The European Commission adopted these Regulations in October 2024.

ESAs outline roadmap for designating critical ICT third-party providers under DORA

On 18 February 2025, the three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) (ESAs) published a roadmap for implementing a pan-European oversight framework for critical information and communication technology (ICT) third-party service providers (CTPPs) under the Regulation on digital operational resilience for the financial sector (DORA). An online workshop will clarify the designation process and oversight approach in the second quarter of 2025. Effective from 17 January 2025, DORA enhances the digital operational resilience of the EU financial sector.

Key steps include:

• Collection of registers of information: Competent authorities must submit information on ICT third-party arrangements from financial entities to the ESAs by 30 April 2025.

• Criticality assessments: The ESAs will assess and notify ICT third-party service providers by July 2025. Providers have six weeks to object with a reasoned statement and supporting information.

• Final designation: After objections, the ESAs will designate CTPPs and begin oversight engagement. Providers not initially classified as critical can request reclassification once the list is published.

European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA 

On 13 February 2025, the European Commission adopted a Delegated Regulation, with accompanying annexes 1-8, supplementing the Regulation on digital operational resilience for the financial sector (DORA) in relation to regulatory technical standards (RTS) on threat-led penetration testing (TLPT).

Article 26(11) of DORA mandates the European Supervisory Authorities (ESAs), in agreement with the European Central Bank (ECB), to develop joint draft RTS aligned with the ECB's European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to specify:

• criteria to identify financial entities required to perform TLPT

• requirements for test scope, methodology and results of TLPT

• standards for using internal testers

• rules on supervisory cooperation for implementation of TLPT and mutual recognition of testing. 

The ESAs published a final report containing the final draft RTS in July 2024, which they submitted to the Commission for adoption.

The Delegated Regulation will enter into force 20 days after its publication in the Official Journal of the European Union. On 11 February 2025, the ECB updated its TIBOR-EU framework to align with DORA RTS on TLPT.

ECB updates TIBER-EU framework to align with DORA RTS on threat-led penetration testing

On 11 February 2025, the European Central Bank (ECB) published an updated version (dated January 2025) of its European framework for threat intelligence-based ethical red teaming (TIBER-EU framework). The framework provides guidance on collaborative cyber resilience how authorities, entities, threat intelligence providers and red-team testers can collaborate to improve cyber resilience of entities through controlled cyberattacks.

The update aligns with the regulatory technical standards (RTS) on threat-led penetration testing (TLPT) under the Regulation on digital operational resilience for the financial sector (DORA).

The updates include:

• Aligning the process steps with the deliverables derived from the DORA RTS on TLPT. The timelines for completing the deliverables have now been incorporated.

• Making "purple-teaming" mandatory, as prescribed in the DORA RTS.

• Changing terminology for consistency with DORA, such as renaming "white team" to "control team."

• Developing TIBER-EU guidance documents and templates to facilitate the implementation of different parts of the TIBER-EU framework and ensure a secure and controlled TLPT execution. Each document accompanying the main framework document includes requirements for complying with the TLPT under DORA, clearly describing the required actions under every step of the process. In addition, the documents include operational TIBER-EU guidance based on best practices and experience derived from numerous previous TIBER-EU tests. Links to the guidance documents and templates are set out on a dedicated webpage.

• Providing advice on how to assess the quality of a provider in an updated version of the TIBER-EU guidance for service provider procurement.

• Allowing authorities to reference the TIBER-EU documentation and publish a short implementation document instead of publishing a full national implementation guide.

The Eurosystem encourages authorities to adopt and implement the updated TIBER-EU framework to assist them and financial entities in meeting the requirements for TLPTs under DORA. In September 2024, the ECB published a paper on this subject.

EBA amends final guidelines on ICT and security risk management in context of DORA application

On 11 February 2025, the EBA published a final report amending its guidelines on information and communication technology (ICT) and security risk management, which have been in force since 2020.

The EBA explains that the Regulation on digital operational resilience for the financial sector (DORA), which took effect from 17 January 2025, introduced harmonised requirements on ICT risk management frameworks (RMFs), incident reporting and third-party risk management and testing that apply to financial entities across the banking, securities and markets, and insurance and pensions sectors. The European Supervisory Authorities (ESAs) were mandated to develop regulatory technical standards (RTS) to supplement DORA.

Due to the overlap between entities subject to DORA and those covered by the EBA's guidelines, the EBA reviewed and decided to:

• narrow the entity scope of the guidelines to include only payment service providers (PSPs) within DORA's scope (credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions)

• reduce the scope of the guidelines to guideline 3.8 on relationship management of payment service users (PSUs) regarding the provision of payment services

• repeal the other guidelines.

The security and operational risk management requirements under the revised Payment Services Directive (PSD2) continue to apply to other types of PSPs, like post office giro institutions and credit unions, which are not within DORA's scope. Competent authorities wishing to retain these guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures.

The amending guidelines are set out in section 2 of the final report. They will be published in official EU languages and on the EBA website, taking effect two months after publication.

House of Commons Treasury Committee asks banks for information about IT failures

On 10 February 2025, the House of Commons Treasury Committee published letters it has sent to the CEOs of several banks and a building society relating to the impact of IT failures.

The letters reference the 31 January 2025 Barclays IT system failure, which caused problems for customers, including payment failures and balances being incorrect.

The Committee recognises the critical role of payment systems in the UK economy and the potential consumer detriment from IT failures, like the one at Barclays. Therefore, it has asked CEOs to respond to questions about the state of their IT systems supporting banking services in the UK, covering:

• the number and duration of services outages over the past two years, by delivery channel

• the number of customers affected by each of the IT failures

• the compensation paid to customers due to IT failures over the last two years

• the reason for the IT failures.

The Committee asked for responses to these questions by 26 February 2025.

Second FATF consultation document on payment transparency

On 24 February 2025, the Financial Action Task Force (FATF) published a second consultation document on revisions to recommendation 16 (R16), its interpretive note (INR 16) and the related Glossary specific terms. The revisions aim to update FATF standards in response to changes in payment business models, messaging standards, and evolving risks.

The updated proposals consider feedback from stakeholders received during the first consultation in February 2024, notably:

• structural changes to R 16 and INR 16, emphasising differences in responsibilities for different types of payments

• updated objectives section, clarifying that R 16 does not mandate real-time sanctions screening in all cases to reduce friction in payments

• clarifying the scope of the de minimis threshold for cross-border and domestic transfers.

• revised checks for beneficiary financial institutions.

Responses are requested by 18 April 2025. FATF plans to finalise revisions by June 2025 and develop guidance on payment transparency for consistent implementation of the new standards. Most new requirements are expected to be effective by the end of 2030.

Wolfsberg Group FAQs on defining digital assets for AML and CTF purposes

On 21 February 2025, the Wolfsberg Group, an association of 12 global banks developing frameworks and guidance for managing financial crime risks, published FAQs to help financial institutions assess the risks generated by the emergence of digital assets for anti-money laundering (AML) and counter-terrorist financing (CTF) purposes.

The group explains that the definitions can help financial institutions, policymakers, supervisors and regulators understand the characteristics of digital assets, and the money laundering, terrorist financing and operational risks that they present. They can also assist financial institutions in policy development and control measures. 

The Q&As cover:

• defining digital assets

• defining stablecoins and tokenised deposits

• defining anonymity-enhanced cryptocurrency

• digital asset industry stakeholders

• digital assets as a product or service

• architecture of digital assets.

The group intends to provide periodic updates through FAQs, guidance, case studies and deep dives to support ongoing risk profiling as digital assets usage evolves.

Wolfsberg Group provides guidance to supplement payment transparency standards

On 21 February 2025, the Wolfsberg Group published a document providing guidance to supplement its payment transparency standards.

The document outlines the roles and responsibilities of key actors in a payment chain, ensuring adherence to payment transparency standards across a sample of common payment flows. It serves as a reference guide that can be used by all payment service providers (PSPs), regulators and standard setters.

The guidance includes two tables: one illustrating a cross-border payment between two counties, between two parties with no intermediaries and the second showing three examples of intermediary involvement, highlighting available information and responsibilities for payment transparency. 

The Wolfsberg Group published the latest version of its payment transparency standards in October 2023.

UK Finance guidance for financial services sector on failure to prevent fraud

On 11 February 2025, UK Finance published guidance for the financial services sector on failure to prevent fraud (FtPF).

Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces a corporate criminal offence for FtPF, effective from 1 September 2025. The guidance complements the Home Office's November 2024 guidance on FtPF.

The guidance, developed with UK Finance members, aids firms in the financial services sector in understanding and interpreting:

• ECCTA and the FtPF offence: Part 1 explains the application of the FtPF offence in the financial services context, with a decision tree in Appendix A.

• Reasonable prevention procedures: Part 2 offers examples of prevention procedures for the defence under section 199(4)(a) of ECCTA), based on the FCA control framework principles: 

• Circumstances where it is not reasonable to expect firms to have prevention procedures in place: Part 3 discusses risks where it is unreasonable to expect firms to have procedures in place, allowing them to rely on the defence under section 199(4)(b) of ECCTA).

Appendix C lists examples of third-party relationships not considered "associated persons," and the schedule includes 20 examples of the FtPF offence.

UK Finance clarifies that the guidance is advisory and non-exhaustive. Firms are not required to follow it.

The answer to last month's question:  According to data from Open Banking Limited, there were approximately 12 million active users of Open Banking at the end of 2024.

This month's question:  According to the FCA's financial promotions data for Q4 2024, how many promotions were amended or withdrawn following its intervention?

• 1,358

• 3,697

• 4,302

• 10,593.