On 4 September 2025, the Australian Prudential Regulation Authority (APRA) published two letters it sent to Treasurer Hon Dr Jim Chalmers MP and Minister for Finance, Senator the Hon Katy Gallagher on 31 July 2025 and 12 August 2025. The letters outline nine actions APRA is taking to support productivity while maintaining the strength and stability of the financial system in a balanced and efficient way. These actions are further described in APRA’s 2025-26 Corporate Plan. In summary, the nine actions APRA is taking are: introducing further proportionality , including a proposal to formalise a third tier into APRA’s proportionality framework for banks and then focusing on the insurance and superannuation frameworks; simplifying the bank licensing framework with a goal of reducing the time taken to process new bank license applications; promoting access to internal capital modelling, by consulting on changes that aim to simplify and clarify APRA’s accreditation process that allows banks to use internal modelling for regulatory capital purposes; promoting access to cost-effective reinsurance; reducing capital requirements for annuities; removing unnecessary or duplicative rules as part of APRA’s consultation on governance standards; coordinating with peer agencies on payments reform; providing greater clarity of supervisory expectations relating to adjustments for banks to minimum capital requirements; and strengthening data sharing with other regulators, helping to reduce duplicative requests on entities.

On 4 September 2025, the Australian Prudential Regulation Authority (APRA) published a speech from its Executive Director of Cross-industry Risk, Chris Gower. The title of the speech is Finding balance at a time of rising risk. In his speech, Mr Gower runs through APRA’s assessment of the current financial risk landscape and how its latest Corporate Plan balances keeping the Australian financial system safe and resilient but also efficient and competitive. Mr Gower also notes that internationally there continues to be significant geopolitical uncertainty and that geopolitical unrest has also correlated with an increase in cyber-attacks. Domestically, while the global outlook presents downside risks, growth in the Australian economy is expected to pick up slightly in the next year. Mr Gower discusses APRA’s 2025-26 Corporate Plan which is built around the following four pillars: maintaining financial and operational resilience;  responding to significant and emerging risks; getting the regulatory balance right; and improving our organisational effectiveness. In the context of maintaining financial and operational resilience, Mr Gower notes that: APRA will this year finalise revisions to the bank capital framework to phase out Additional Tier 1 capital instruments over coming years and will also engage with industry on potential revisions to the bank liquidity framework; in July this year, CPS 230, APRA’s first prudential standard focused on operational risk management, came into force. Over the next year, APRA will focus on assessing how effectively entities are meeting these new obligations; and APRA will provide an interim update in the next few months following the release of eight proposals in March 2025 to strengthen governance across all APRA-regulated industries. Another pillar of the 2025-26 Corporate Plan that Mr Gower discusses is responding to significant and emerging risks. This includes strengthening institutions’ cyber resilience and stepping up monitoring of AI practices across larger institutions, including the appropriateness of risk management and oversight. Perhaps the most notable change to APRA’s Corporate Plan is the inclusion of the third strategic objective of getting the balance right. Mr Gower explains that whilst at one level this is business as usual for APRA, its elevation to a strategic objective reflects the scrutiny on the costs of regulation that, driven by stubbornly low productivity growth, has been an increasing focus in recent years. Like other Australian regulators, APRA received a letter from the Federal Treasurer asking it to identify specific, measurable actions to reduce regulatory compliance costs without compromising standards. Mr Gower runs through some of the actions that APRA has taken since receiving this letter including removing outdated or duplicative rules from our governance prudential standards.

On 3 September 2025, the Australian Securities and Investments Commission (ASIC) issued a Regulatory Simplification Report which seeks input on range of multi-year initiatives aimed at making regulation clearer, more accessible and easier to navigate, while maintaining robust consumer protections.   Key initiatives The report outlines ASIC’s initiatives in the following key areas: improving access to regulatory information, including a redesigned ASIC website and regulatory roadmap pilots for small-company directors and providers of financial advice, to help them understand their regulatory obligations; reducing complexity in regulatory instruments; and making it easier to interact with ASIC, including transitioning paper-only documents to email lodgement and enabling electronic signatures on all forms by 1 October 2025. Next steps ASIC will review and consider all feedback (which must be received by 15 October 2025) to inform the prioritisation and development of its simplification initiatives.  Following this consultation period, ASIC will refine its work plan and begin implementing further improvements.  Ongoing engagement with stakeholders will remain a key part of the process, ensuring that future changes continue to address the needs of businesses, consumers, and the broader economy while upholding strong regulatory standards.

On 28 August 2025, the FCA published a press release and updated its reporting rules webpage to confirm that firms with a reporting period ending after 31 August 2025 will no longer need to submit certain nil returns if there are no breaches of the conduct rules to report under the Senior Managers and Certification regime (SMCR) during the relevant reporting period. The FCA explained that this change has been made as part of its transforming data collection programme, which aims to make regulatory reporting more proportionate.

On 28 August 2025, the FCA published a webpage setting out that they intend to make it easier for firms to find up-to-date supervisory communications on the FCA website. The FCA explained that they will be labelling pre-2022 multi-firm and thematic reviews as historical, while still making these accessible.  The FCA have stated that they are doing this to make their supervisory priorities clearer. The FCA also set out that they will soon be publishing market reports, instead of Dear CEO and portfolio letters, and that these reports will include information relevant to different types of firms, but that until these reports are published firms should continue to refer to existing supervisory communications.

On 27 August 2025, the Financial Conduct Authority (FCA) published a statement intended to provide clarity for stakeholders (such as employers, platforms, payroll and savings providers) on how workplace saving schemes can be successfully set up and implemented to comply with current rules and legislation. The statement focuses on ‘opt-in’ schemes (i.e. schemes where employees choose to save via payroll, rather than schemes where employees are automatically enrolled) and explains how employers and savings providers can approach perceived regulatory barriers: National Minimum Wage: Employers should seek to avoid certain risks that could breach National Minimum Wage Regulations 2015 and ensure that workers receive the national minimum wage in the relevant period notwithstanding any deductions. FCA regulated activities: The statement mentioned the FCA’s view that workplace savings schemes can be structured in a way that does not involve the employer carrying out a regulated activity, particularly where the funds are transferred to the savings provider. However it mentioned that employers should consider their models in line with the Financial Services and Markets Act 2000 (FSMA) and other legislation, including financial promotions. Financial Promotions: The FCA provided further guidance for employers on when they might be communicating a financial promotion in relation to a scheme, such as encouraging employees to join, and that therefore such a communication would need to (i) be issued by a FSMA authorised person to the employees, or (ii) be approved by a person authorised under FSMA who has the required permission to approve, or (iii) come within an exemption from the restriction. Banking: Conduct of Business Sourcebook (BCOBS) compliance for saving providers: The FCA highlighted the relevant requirements in BCOBS when employees open a workplace savings account, which apply like any other savings account and encourages providers to engage wih how to meet relevant BCOBs requirements without discouraging saving. Customer Due Diligence (CDD): When carrying out due diligence as per the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, specifically Regulation 28, the FCA mentioned examples of good and poor practice in Financial Crime Guidance (3.1) and how savings providers can receive the necessary information to carry out CDD leveraging information from employers’ pre-employment checks. Data protection considerations: The statement outlined relevant UK GDPR lawful bases for responsible data sharing by employers, payroll providers or benefits companies. These included processing data to deliver contractual services with consent, or where use is expected or justified with minimal privacy impact. It also referred to ICO guidance to help stakeholders identify the appropriate legal basis. Financial Services Compensation Scheme (FSCS): The statement made clear that employees must receive an information sheet on deposit protection when contracting with a savings provider. The FCA mentioned this can be incorporated into the savings account application process or onboarding for new joiners. It also noted that funds held with e-money institutions are not directly FSCS protected. Consumer Duty: The statement also made clear that savings providers are in scope of the Duty whereby requirements apply to workplace savings products as they do to any other product and services. Next steps The FCA will continue to collaborate with stakeholders and the government to promote the implementation of workplace savings schemes to help consumers start saving more regularly.

In the latest episode of our mini-series on the Chancellor’s Mansion House speech and Leeds Reforms, Katie Stephen, Matthew Gregory, Haney Saadah and Catherine Pluck discuss the proposals in relation to the Senior Managers and Certification Regime, as well as the proposals around authorisations. Listen to our podcast here.

The Australian Prudential Regulation Authority (APRA) has released its 2025-26 Corporate Plan, which details APRA’s objectives and activities for the period 2025 to 2029. The Plan outlines APRA’s role in protecting the financial interests of Australians by promoting the safety and stability of the financial system. A few of APRA’s top strategic priorities in the plan have been extracted by way of summary: Strengthening cyber resilience across APRA’s regulated industries given the recent escalation of attacks. In 2025–26, APRA will prioritise targeted supervisory engagements to assess entities’ progress in uplifting cyber resilience. These engagements will focus on evaluating specific cyber control areas and identifying potential single points of failure within entity systems, processes and dependencies. Initial efforts will concentrate on superannuation trustees, insurers and smaller banks. In the superannuation sector, a key focus will be assessing funds’ responses to APRA’s concerns outlined in its June 2025 letter on Information Security Obligations and Critical Authentication Controls. Assessing the degree to which regulated entities are complying with APRA’s new prudential standard CPS 230. On 1 July 2025, Prudential Standard CPS 230 Operational Resilience (CPS 230) came into effect, introducing enhanced requirements for operational risk management across all regulated entities. Given the growing reliance on third parties, rapid technological advancements and geopolitical uncertainty, effective implementation of CPS 230 is critical to maintaining financial safety and stability. Over 2025-26, APRA will engage with entities to ensure they are meeting their new obligations. APRA’s supervision program will initially focus on the largest entities (significant financial institutions), including through targeted prudential reviews of some entities. Updating APRA’s prudential standards for governance. In the second half of 2025-26, APRA plans to consult on draft standards and guidance to update core governance requirements. These changes aim to address persistent poor practices and establish clear expectations for all regulated entities – almost 80 per cent of entities currently under heightened supervision by APRA exhibit underlying governance issues. To inform these revisions, APRA is continuing to engage extensively with stakeholders to gather diverse perspectives. Publishing the results of APRA’s inaugural System Stress Test. In the second half of 2025-26, APRA will publish the results of its inaugural system stress test, designed to evaluate risks to financial stability arising from interconnectedness in the financial system. The test scenario assesses the impact and potential feedback loops between the banking and superannuation sectors from a significant financial market disruption alongside a major operational risk event. APRA will collaborate with industry and regulatory peers to address any vulnerabilities identified through this exercise. Intensifying scrutiny of superannuation fund expenditure. Fund-level expenditure will remain a key focus to ensure superannuation trustees act in the best financial interests of their members. Over the next 12 months, APRA will undertake targeted assessments of expenditure data, and where deficiencies are identified, trustees will be required to make improvements. Reviewing the investment governance and member outcomes of major platform providers. APRA is currently undertaking a review to assess the quality and soundness of trustees’ governance and oversight of investments offered via platforms. The review focuses on key areas including due diligence, onboarding, monitoring, and removal of investment options, as well as strategic planning and practices to promote member outcomes. APRA will assess current practices against relevant prudential standards. APRA’s findings will be shared with the superannuation industry, highlighting areas where enhancements are expected. Releasing the results of APRA’s Climate Vulnerability Assessment for the general insurance sector. In the second half of 2025-26, APRA plans to release the results of its Climate Vulnerability Assessment for the general insurance sector. This assessment has involved Australia’s five largest general insurers and has included detailed analysis of granular, modelled premium data. The findings will provide governments, insurers, policyholders, and the broader community with a clearer understanding of how general insurance affordability may evolve over the medium term in response to the physical and transition risks associated with climate change. A few other key takeaways from the Plan are that APRA: is carefully monitoring potential cyclical risk in the banking system as inflation and interest rates decline, which can give rise to faster rises in house prices, borrowers taking on more leverage, and lenders relaxing their lending standards; continues to position itself as a forward-looking regulator, primarily focused on preventing harm before it occurs; aims to “get the balance right” to ensure its regulation is efficient and proportionate and is working on nine initiatives to minimise regulatory burden and support productivity, but not at the cost of its safety and stability objectives; and is focused on new risks emerging in the system – including potential risks from geopolitical tensions, cyber-attacks, interconnections, an ageing population, and climate change.

Background The Australian Securities and Investments Commission (ASIC) has released its Enforcement and Regulatory Update Report 812, outlining its ongoing focus on consumer and retail investor protection. The reports provide data and analysis from January to June 2025, highlighting key trends in misconduct, enforcement actions, and regulatory priorities. Key ASIC Initiatives in 2025 Some of ASIC’s key initiatives so far in 2025 include: ASIC’s first discussion paper Australia’s evolving capital markets: A discussion paper on the dynamics between public and private markets; ASIC’s Inquiry into the ASX group, led by an expert panel focusing on governance, capability and risk management frameworks and practices across the group; and ASIC’s action against Choosi for allegedly making false representations to customers, claiming it compared products from a range of funeral and life insurers. 2025 Enforcement Priorities Moving forward, ASIC has foreshadowed its 2025 enforcement priorities: Misconduct involving superannuation savings; Unscrupulous property investment schemes; Failures by insurers to deal fairly and in good with customers; Strengthening investigation and prosecution of insider training; Business models designed to avoid consumer credit protections; Misconduct impacting small businesses and their credits; Debt management and collection misconduct; Licensee failures to have adequate cyber-security protections; Greenwashing and misleading conduct involving environmental, sustainability and governance (ESG) claims; Member services failures in the superannuation sector; Auditor misconduct; and Used car finance sold to vulnerable consumers by finance providers

The Australian Securities and Investments Commission (ASIC) has increased its focus on the lodgement of financial reports, following a review of 1,166 ‘grandfathered’ large proprietary companies, after more than half failed to lodge financial reports over FY23 or FY24.  Certain large proprietary companies that were established prior to 1995 and had their financial statements audited were previously exempt from the financial reporting framework in the Corporations Act 2001 (Cth), though these grandfathering arrangements came to an end following the enactment of the Treasury Law Amendment (2022 Measures No. 1) Act 2022 on 10 August 2022. In response, ASIC has foreshadowed taking regulation action to ensure companies to lodge their financial reports moving forward. ASIC has also indicated that it will launch a broader surveillance focused on non-lodgement of financial reports by large proprietary companies, to be completed by Q1 2026. Key takeaway: Companies relying on historical exemptions should not assume they are exempt from current financial reporting obligations.

On 22 August 2025, the Pensions Regulator and Financial Conduct Authority (FCA) published a joint podcast discussing how the FCA’s targeted support proposals complement provisions in the Pension Schemes Bill 2025 related to guided retirement. In June 2025, the FCA launched a consultation on the proposals for a new form of targeted support for consumers’ pensions and retail investment decisions. The Pensions Regulator have urged trustees to respond to the FCA’s consultation, which closes on 29 August 2025.

On 21 August 2025, the FCA published a multi-firm review assessing principal trading firms’ (PTFs) algorithmic control frameworks and set out good practices and are where there was room for improvement from firms. Background Investment firms engaged in algorithmic trading are required to comply with MiFID regulatory technical standards specifying (RTS) 6 in relation to organisational requirements. In February 2018, the published a multi-firm review of Algorithmic Trading in Wholesale Markets. In August 2023, the FCA also sent PTFs a Dear CEO letter outlining its focus on this area. This most recent review included 10 PTFs with varying approaches to algorithmic trading and looked at certain data requested and information gathered from meetings with firms. Findings The FCA set out the follow examples of areas where firms could improve their approach, including: Governance: in completing a self-assessment some firms did not address all elements of RTS 6, some compliance functions did not have strong technical knowledge of algorithmic trading or weren’t sufficiently involved in processes limiting the ability to challenge, in some cases the algorithmic inventory did not specify who was approved to operate the algorithm, some firms did not have clear policies and procedures from testing and deploying algorithms including where these were developed by a third party. Development and testing: some firms had poorly defined conformance testing leading to poor records, simulations sometimes lack sophistication and there was a focus on operating effectiveness rather than conduct risks, some firms didn’t have formal procedures for adoption and had unclear ownership of key elements of this process. Risk controls: ownership of pre and post trade controls was sometimes poorly defined; compliance staff also had a lack of oversight of these controls leading to poor understanding. Market abuse surveillance: in certain firms there was not enough done to invest in market surveillance systems or update them, and so firms did not have formal procedures and governance structures or were under resourcing pressure in relation to market abuse alerts leading to a longer time to investigate these chases. Next steps The FCA set out that it encourages PTFs engaged in algorithmic trading to consider how they might improve their algorithmic control frameworks in light of these findings. The FCA also explained that it will continue to assess these controls as part of its ongoing supervision.

In the fourth episode of our new mini-series covering UK cryptoasset regulation, Jonathan Herbst, Hannah Meakin and Charlotte Carnegie discuss the FCA’s proposed prudential requirements. Listen to our podcast here.

On 20 August 2025, Commission Delegated Regulation 2025/885, supplementing the Regulation on markets in crypto-assets 2023/1114 (MiCA) with regard to regulatory technical standards (RTS) on market abuse, was published in the Official Journal of the European Union. The RTS specify regulations regarding systems and controls, templates for reporting, and co-operation between competent authorities in relation to market abuse. The Delegated Regulation will enter into force on 9 September 2025.

On 20 August 2025, the European Securities and Markets Authority (ESMA) and the European Environment Agency (EEA) signed a Memorandum of Understanding (MoU) to strengthen collaboration between the two institutions in relation to sustainable finance. The MoU notably incorporates the integration of environmental factors into the EU sustainable finance framework, including the supervision of the framework. Key areas covered by the MoU include that parties will seek to: Strengthen and develop cooperation in areas of mutual competencies while considering relevant responsibilities; Co-operate in relation to the application and supervision of EU sustainable finance legislation; Facilitate collaboration at a national level; Share information in line with confidentiality requirements, internal policies and relevant laws. The MoU once signed by both parties will remain in effect for four years and be automatically extended for an unlimited period of time unless objected from either party.

Woodford (a prohibition and a fine) and on the investment management firm he founded (a fine).  Both Mr Woodford and the firm have referred the decisions to the Upper Tribunal.  Key takeaways are set out below but for more details see our Notice in a Nutshell. Although the decisions are made in the context of investment management, they have broader lessons for internal governance and dealing with emerging issues. In terms of practical steps for firms and senior managers: Compliance and risk are first line issues: The decision underscores the responsibility that senior managers have to inform themselves and take proactive steps to manage risks in an area of the business for which they are responsible.  Those involved in the first line cannot simply leave such matters to risk or compliance – as the FCA commented: “a responsible professional should not disregard risk because he does not consider it to be part of his role”.  In particular, the FCA will not tolerate a ‘pick and choose’ approach to compliance where senior managers are only willing to challenge aspects of compliance they may not like whilst taking advantage of inadequate controls that might suit them.  The senior management team has a responsibility to ensure that the internal policies and controls are adequate rather than accepting them “in an unquestioning fashion”. It also illustrates the need for senior managers to work together with risk and compliance functions, other relevant parties including advisers and service providers to achieve the right balance in terms of managing the risks whilst allowing opportunities for growth.   Growth must be pursued with appropriate skill and care:  Any business involved in activity that could give rise to harm to retail investors or consumers more broadly should factor in the potentially severe consequences that may arise from failures to act with appropriate skill, care and diligence and within appropriate limits and controls.  A key reason for the proposed uplifts to the fines in these cases (and reflected in the scope of the proposed prohibition) is the losses suffered by retail investors following the suspension of the fund.  The FCA regards such investors as more vulnerable than other investors and considers that the scale of the losses increases the importance of deterring others managing big, high-profile funds with large numbers of retail investors from taking similar risks.  This has led them to propose increasing the firm’s penalty from around £5 million (based on 15% of the firm’s relevant revenue) to £40 million and doubling Mr Woodford’s.  This is a stark reminder that the FCA remains serious about deterring misconduct in financial services, even where it involves negligence rather than dishonesty, particularly in the context of potential harm to consumers. Firms pursuing growth strategies need to ensure that this is achieved with the appropriate degree of skill and care. Contractual terms may give rise to regulatory exposure: Part of the case made by the firm and Mr Woodford involved seeking to absolve themselves from regulatory responsibility for compliance with FCA rules on the basis that the firm was not within scope of relevant FCA rules (which applied to a third party entity acting as the firm’s Authorised Corporate Director (ACD).  However, the FCA relied on contractual provisions between the firm and its ACD which included obligations on the firm to comply with rules. The FCA considered these were of fundamental importance in assessing compliance with the requirement to act with due skill and care.   Dominant individuals and heeding red flags: This is another case involving a firm founded by a senior individual who was “the dominant director and majority shareholder”.  He was apparently “more bullish than consensus” on the prospects of the UK economy following the Brexit vote in 2016 and continued to pursue an investment strategy in the face of worsening performance and numerous warning signs. The FCA comments that the relationship between the firm and its ACD was “clearly fractious” with the ACD seeking to express concerns and impose controls but frequently being met with “intransigence or obstinacy” and its warnings being ignored.  Acting with skill, care and diligence involves heeding warnings from others and reacting appropriately to adverse developments.  The FCA comments that one of the reasons for the proposed prohibition is that Mr Woodford continues to declare publicly in the media that he has done nothing wrong which is relevant to consideration of his fitness and propriety.    If you would like any more information on the issues raised in this blog please do not hesitate to contact the author. For further knowledge resources in this area, please see our dedicated Financial services interventions and investigations hub.

With under two weeks to go until the new UK failure to prevent fraud offence comes into force, this blog discusses the priority actions companies can take in preparation. On 1 September 2025, the UK’s new “Failure to Prevent Fraud” (FtPF) offence will come into force, reshaping corporate liability for fraud and effectively requiring companies to put in place “reasonable procedures” to prevent fraud.  Fraud is also an enforcement priority for the UK government, as Nick Ephgrave, the Director of the Serious Fraud Office, made clear: “Now is the time to take action. Corporations must get their house in order or be ready to face investigation.” Companies may be at different stages in preparing for the offence and putting in place “reasonable procedures”, with some having conducted risk assessments and compliance enhancement projects over the last two years and others with implementation projects which are likely to continue past 1 September. In this blog, we work through some of the short and longer term actions companies can take to prepare. What Is the Offence? Further details about the offence are available in this feature article which explains in greater detail explains how the new FtPF offence works and what is expected in terms of putting in place reasonable procedures.   In short, the FtPF offence applies when: a person associated with a large organisation (i.e. an employee, subsidiary or agent) commits an underlying fraud offence intending to benefit the large organisation or its clients; and the large organisation does not have “reasonable procedures” in place to prevent such fraud (this is the only defence to the FtPF offence). This marks a shift from companies having to focus on inward fraud (i.e. as a victim) to outward fraud (i.e. as the beneficiary) and is intended to make it significantly easier for authorities to prosecute fraud.  What constitutes “reasonable procedures” is not defined in the law, and companies are likely to seek to align as far as possible with UK government expectations as set out in published guidance as well as any sector specific guidance (for example the UK Finance guidance for the financial services sector).   Who Is Affected? The offence applies: A) To “large organisations,” defined as those having two of the following criteria: more than 250 employees; turnover over £36 million; and assets over £18 million B) To large organisations based either inside or outside the UK.  This is because the offence applies to any conduct which gives rise to one of the underlying UK fraud offences and these can be committed in some circumstances where there is a UK nexus irrespective of where the company itself is located or whether some of the conduct took place outside the UK.  A UK nexus may be triggered (depending on the underlying offence) where: one of the acts to commit the fraud took place in the UK; the gain or loss occurred in the UK; or the victims targeted are in the UK. Smaller organisations may also be impacted if they are part of groups which are or contain large organisations or where they act for larger firms, which may require them to adopt anti-fraud procedures.  It is also important to note, as recently published UK government guidance makes clear, that a large or small organisation may face prosecution for the underlying substantive fraud offence where the conduct can be attributed to the company through other means (e.g. the  actions of a company’s senior manager).  Five key priorities We recommend that companies take stock of their risk assessments and how effectively their existing fraud prevention procedures manage risks in relation to the FtPF offence including in response to any newly emerging risks that may have arisen since implementation projects commenced. For those whose projects are ongoing, this may mean prioritising efforts in particular areas, with a more detailed risk assessment and compliance enhancement to be completed in the following months (noting that the compliance enhancement should be tailored to the outcome of the risk assessment).  Such priority areas might include: 1. Evaluate the offence and brief senior leadership As a first step, companies should urgently ascertain if they are within scope (in terms of size, and also with regard to their risk level based on the likelihood of any UK nexus – assessing jurisdiction is not black and white and will turn on the facts of the underlying offence committed). Senior management should be briefed on the outcome of this evaluation exercise, the offence and what is required in terms of risk assessments and procedures. Specified senior individuals should be designated as owners of the risk assessment/anti-fraud procedures. 2. Review and Enhance Policies and Procedures Most organisations have policies and procedures which assist in covering fraud risk, but these often focus on protecting the company from fraud rather than preventing fraud committed for its benefit. In the short-term companies in scope may want to confirm that the following documents have been reviewed, and the new FtPF offence incorporated to the extent possible or that there is a plan for doing so or a rationale for not doing so fraud policies/relevant sections of codes of conduct; financial crime clauses in contracts or relevant supplier codes; and adding relevant questions to the third-party risk rating/due diligence process (if the company has such a process in place). If a company does not have a fraud policy, or a supplier code focused on highest risk suppliers, we recommend consideration is given to issuing these documents before the deadline if possible. 3. Senior Communication To date, most companies have focused anti-fraud policies and messaging on preventing the company from becoming the victim of fraud.  A key foundation for effective FtPF prevention procedures is to educate employees on how the new offence is different and emphasise the company’s zero-tolerance approach to fraud.  Over the next few weeks we recommend that companies consider publishing at least one communication from senior UK leadership which includes the following key points: how important it is to act ethically and the risks of not doing so; an explanation of the broader scope of this new offence; and guidance on what employees should look out for (and to whom they should escalate any concerns). 4. Deliver Training A further point of focus before the FtPF offence comes into force is training.  It is vital to ensure, taking a risk-based approach, that relevant staff understand the types of conduct that could constitute fraud. In the short-term, companies may wish to consider providing townhall training to all UK employees, followed by detailed e-learning and function-specific training.  Messaging from senior and middle management within functions to reinforce this training can have a further beneficial effect.  Retaining records of such communications so that they can easily be accessed if needed in future as part of establishing a defence will also be helpful.  5. Target the highest risk areas A further priority for companies in this window is to consider any known high fraud risk areas and take steps to manage these.  This might be in response to an historic or ongoing issue, issues faced by peer companies or a function that is known to pose a higher fraud risk even without a risk assessment. If there are any such issues, considering the immediate steps that can be taken to control and mitigate these risks even before completing a full risk assessment is recommended. Looking forward Once these immediate priorities have been achieved the focus will shift to the medium and long term for companies Once companies are further along the track, their time may be best spent: Conducting a thorough risk assessment and control-mapping/gap analysis exercise in the medium term, continuing to fine-tune these in the long term. Following the risk assessment:documenting where existing controls adequately address identified risks;reviewing and enhancing fraud prevention procedures for areas identified as needing improvement; and conducting risk-weighted due diligence on third-parties based on the company’s risk appetite, applying additional controls as appropriate. Considering their global operations, because the offence has broad jurisdictional reach. Non-UK companies may be caught if part of the underlying fraud occurs in the UK or if UK victims are involved. Multinationals must decide whether to implement global procedures, expanding the steps described above beyond the UK, or limit them to UK-facing operations. Testing their fraud prevention procedures in the medium term and conducting structural audits of their fraud prevention framework over the long term. Further information For those companies evaluating the FtPF offence, additional resources are available here: What’s the current status and what should organisations be doing now?  What do you need to do now?  Webinar: Preparing for 1 September 

On 18 August 2025, the Transition Finance Council issued a consultation on draft entity-level Transition Finance Guidelines (the draft Guidelines), which aim to address the current absence of a consistent framework capable of application across asset classes for identifying and evaluating credible transition finance at entity-level. Background The draft Guidelines would be voluntary and are designed to complement existing frameworks such as those developed by the Transition Plan Taskforce and the Internation Sustainability Standards Board. The existing frameworks help companies to communicate their transition plans, whereas the draft Guidelines build on this with a focus of how to assess the credibility of an entity’s ambition, and near-term transition planning and progress. Guidelines The draft Guidelines are divided into four Principles in relation to assessing the credibility of transition finance: Credible Ambition – sets interim targets to reduce emissions and having metrics and actions to achieve them. Action into Progress – sets out how it can progress implementation actions with the purpose of meeting any interim targets and metrics it has set. Transparent Accountability – entities will integrate their implementation actions and interim targets and metrics into its business planning, organisational processes, and governance. Addressing dependencies – the entity will analyse and consider any material dependencies in determining its implementation actions and interim targets and metrics; managing these in relation to which it has leverage, by prioritising the most material. These principles are then intended to be supported by Universal Factors containing practical criteria which are evidence points for assessing whether the principles have been satisfied. Next steps The consultation will close at 12pm on 19 September 2025. The Transition Finance Council intends to release a second consultation later in 2025, with final Guidelines being issued in 2026.  

On 19 August 2025, the Financial Conduct Authority (FCA) published the Synthetic Data Expert Group’s Report, providing insights on assessing and mitigating common challenges associated with synthetic data use. Background Recognising synthetic data’s potential within the UK’s financial system, the FCA set up the Synthetic Data Expert Group (SDEG) in March 2023, bringing together 20 experts across different industries to explore synthetic data and use in financial markets. This report builds on the considerations outlined in the SDEG’s first paper responding to key feedback from the FCA’s 2022 Call for Input. Summary Although the report does not offer guidance, it highlights starting points for firms to embed synthetic data into existing governance controls and sets out certain good practices summarised below: Existing Governance Frameworks: In the absence of a dedicated governance framework for synthetic data, practitioners are encouraged to build on existing model risk management (MRM) and Data & AI Ethics structures. The SDEG distils nine governance principles which firms may wish to consider when developing their own approaches and identify considerations that overlap or are unique to synthetic data governance. The 9 principles mentioned were: (1) Accountability (2) safety (3) transparency (4) explainability and interpretability (5) security and privacy (6) fairness (7) agency (8) suitability and (9) continuous monitoring and improvement. Assessing governance and strategic readiness: The report further mentions three key governance foundations for firms to consider before launching a synthetic data project: frameworks, roles and responsibilities, and continuous monitoring. In relation to pre-project considerations, it also mentions the importance of defining clear objectives and conducting a structured value-risk assessment. Regulatory, ethical and compliance considerations: SDEG members further emphasised that the generation and use of synthetic data requires consideration of key regulatory, ethical and compliance obligations such as data protection, non-discrimination and bias, oversight, and engaging with relevant compliance. It is also suggested that firms carefully consider generation methodologies and downstream implications. Generating synthetic data phase: SDEG identified three areas that are relevant during the generation phase: auditability controls and monitoring, data privacy or risks and managing bias. While these issues are not exclusive to generation, early and deliberate considerations of them can help practitioners make informed design decisions and better manage risks across the synthetic data lifecycle. Using synthetic data in models: Once generated, synthetic data’s impact on models ought to be validated methodically according to the SDEG report. This can be through a quality assessment using statistical comparison or techniques like performance benchmarking and Train-Synthetic-Test-Real to assess how well synthetic data supports model objectives. Next steps The report explains that this is intended to be a foundation and that practitioners and regulators intend to keep working together as this area develops further.

On 18 August 2025, the European Banking Authority (EBA) published its final draft Regulatory Technical Standards (RTS) on the allocation of off-balance sheet items and also set out the factors that might constrain institutions’ ability to cancel unconditionally cancellable commitments. Background As explained by the EBA in its final report, the draft RTS have been developed as required by Article 111 of Regulation (EU) No 575/2013 (CRR). The EBA consulted on the draft RTS in March 2024 and has made certain changes to the draft standards in the light of comments received. The feedback and related changes are summarised in section 4.2 of the final report. Summary In these RTS, the EBA has introduced assignment criteria for off-balance sheet items not already assigned to any buckets under Annex I of the CRR. These assignment criteria aim at distinguishing between different levels of conversion probability, taking into consideration: (1) the existence of financial covenants, (2) conditions related to non-credit related events, and (3) the optionality the obligor has in drawing or not the off-balance sheet item. The EBA also provided non-exhaustive list of examples to support institutions to make this classification. The final draft RTS also introduce four factors to be considered as constraining institutions’ ability to cancel an unconditionally cancellable commitment, which relate to: (1) risk management processes, (2) commercial considerations, (3) reputational risks, and (4) litigation risks. The EBA also proposed to implement a notification process of off-balance sheet items not already included in Annex I, via the COREP framework. Next steps The draft RTS will be submitted to the European Commission for endorsement, they will then be scrutinised by the European Parliament and the Council, before being published in the Official Journal.