On 15 April 2025, the European Commission (Commission) launched a targeted consultation on the integration of European Union (EU) capital markets. The aim of the consultation is to collect feedback on obstacles to financial market integration across the EU and it is part of the Savings and Investments Union (SIU) strategy. The Commission is looking for feedback from a wide range of stakeholders. The Commission consultation covers a broad range of topics and issues. The need and appetite for more harmonised rules across the EU and the necessity to reduce regulatory barriers to the cross-border provision of financial services are overarching themes of the consultation. The possible benefit of more centralised supervision is one of the topics that reoccurs throughout the consultation as well, which has been a highly controversial issue among the Member States and the industry alike. In terms of content, the consultation is divided into seven distinct sections. These are: Simplification and burden reduction This section looks for views on simplification and burden reduction of the EU regulatory framework in the trade, post-trade and asset management and funds sectors. Among other things, the Commission asks whether there is a need for greater proportionality in the financial services regulatory framework. Through a serious of detailed questions about the current market structure, it also asks respondents to identify barriers that should be addressed within the Markets in Financial Instruments Directive (MiFID II) and Alternative Investment Fund Managers Directive (AIFMD) frameworks. Respondents are also asked to list any other policy areas that would in their view benefit from simplification, especially seen in the light in the interplay between different EU regulatory frameworks. Finally, the Commission asks for views on whether more EU level supervision could contribute to simplification and burden reduction for firms. Trade The second section is dedicated to trading issues and contains a large number of questions. It looks for views on the nature of barriers to integration, modernisation and digitalisation of liquidity pools, as well as barriers to cross-border operations and regulatory and non-regulatory barriers to liquidity aggregation and deepening. Some of the issues that the Commission seeks stakeholders’ views on include prospective measures to improve consolidation of liquidity across trading venues through better interconnections and access to trading venues, including by retail investors. It also discusses issues relating to access to market infrastructure and quality of execution. The final topic the Commission asks for views on in this section is the impact of recent trends on EU liquidity. Among other things, respondents are asked about their opinions on dark trading for equity instruments, 24-hour trading, the role of multilateral as opposed to bilateral trading, single market maker venues, and ghost liquidity. Post-trading Post-trading is the main topic of the third section of the consultation paper. The Commission identified three main issues it would like to receive stakeholder views on, being (1) barriers to cross-border settlement; (2) barriers to the application of new technology and new market practices; and (3) unharmonised and inefficient market practices and application of law, as well as disproportionate compliance costs. More concretely, the first section addresses the cross-border provision of central security depository (CSD) services and the freedom of issuance, links between EU CSDs, settlement services in the EU, legal certainty, the Settlement Finality Directive (SFD), and new technology and new market practices. On this last topic, the Commission seeks feedback on the applicability of the Central Securities Depositories Regulation (CSDR) and the SFD to distributed ledger technology (DLT)-based CSDs. Finally, the section on post-trading considers CSDR-related compliance costs, information sharing and authorisation procedures. Horizontal barriers to trading and post-trading infrastructures Following two sections on vertical topics, this section addresses horizontal barriers to trading and post-trading infrastructures in four main areas. These areas include the 2017 European Post Trade Forum Report (EPTF), cross-border operational synergies between entities, issuance, and innovation. On the EPTF, the Commission asks respondents to assess the continuing importance of the barriers identified by the EPTF report. The Commission also asks for views on the current regulatory set-up for the supervision of outsourcing and the treatment of group structures. It also seeks views on the functioning of the DLT Pilot Regime and on the issue of asset tokenisation, including whether prudential treatment of credit institutions’ exposures to tokenised assets should differentiate between permissioned and permissionless DLTs. Asset management and funds With this section, the Commission aims to identify obstacles experienced by EU funds and asset managers to accessing the single market. In addition, it looks to gather stakeholder insights on barriers and experiences in managing cross-border investment funds, to explore the effectiveness of existing authorisation and passport systems, and to explore possibilities for simplifying current requirements. Supervision The final two sections of the consultation dive deeper into the supervisory framework.  Whereas the first part discusses the current framework in general, the second part goes deeper into the supervision framework of specific sectors, such as central counterparties, CSDs, trading venues, asset managers and crypto-asset service providers. The final section addresses the governance framework for new direct supervisory mandates, supervisory convergence, data and funding. The Commission asks respondents to indicate which parts of the trading framework would benefit from more harmonised or direct EU-level supervision, and considers various criteria that could prospectively be used for the purpose of identification of entities that would be subject to such more integrated EU supervision.  The prospective introduction of integrated EU supervision has been a contentious topic of discussion over the past year. Whereas some Member States are in favour of moving supervisory tasks from the national to the EU level, at least for certain financial institutions, others are opposing the idea. Views amongst the industry are also divided. That said, the SIU Communication published on 19 March 2025 shows that the Commission is still looking at more unified supervision of capital markets, including by transferring certain tasks to the EU level. It will be interesting to see how this debate evolves over the coming months. Next steps Responses to the consultation should be made through an online questionnaire, which will be published on the consultation webpage on 22 April 2025. The deadline for feedback is 10 June 2025. The Commission is expected to use the responses received to the consultation to direct its overall policy approach towards the further development of its capital markets regulatory framework, the contours of which were presented in the SIU Communication.

On 16 April 2025, a Corrigendum to Regulation (EU) 2024/1623 of 31 May 2024 (CRR3) amending Regulation (EU) No 575/2013 as regards requirements for credit risk, credit valuation adjustment risk, operational risk, market risk and the output floor was published in the Official Journal of the EU. The Corrigendum concerns an amendment to Article 1(252) of CRR3.

On 16 April 2025, Directive (EU) 2025/794 of 14 April 2025 amending Directives (EU) 2022/2464 and (EU) 2024/1760 as regards the dates from which Member States are to apply certain corporate sustainability reporting and due diligence requirements was published in the Official Journal of the EU. The Directive, which is known as the ‘Stop-the-clock’ Directive, is part of the Omnibus I package and was formally adopted by the Council of the EU on 14 April 2025.

On 16 April 2025, the Financial Conduct Authority (FCA) published a speech entitled ‘Working together to deliver our enforcement priorities’, which was delivered by its joint executive director of enforcement and market oversight, Therese Chambers, at the Spring Conference of NYU’s Program on Corporate Compliance and Enforcement. Key points covered in the speech include: The FCA has a strong and productive history of working with partner agencies in the US and intends to continue doing so. Its enforcement action is about deterrence and it is working to speed up its investigations, as action to deter misconduct needs to be timely and visible. The FCA’s enforcement priorities for the next 5 years include keeping dirty money out of the financial ecosystem, taking swift action where it sees regulated firms being used as vehicles for fraud, protecting the integrity of UK markets, and developing a safe crypto regime that protects consumers. Individual accountability and responsibility is important, in addition to enforcement against firms. Ms Chambers flags the need for senior leaders at regulated firms to be open, transparent and honest with the FCA, and to be held to account where their actions or omissions result in harm.

On 16 April 2025, the Financial Conduct Authority (FCA) published a consultation paper, CP25/9, on further proposals on product information for consumer composite investments (CCIs). Background The FCA consulted in CP24/30 on a new product information regime for CCIs, which is intended to be a simpler and more flexible system tailored to the UK to replace current rules that were introduced across the EU when the UK was a member state. The responses to CP24/30 are currently being analysed and the FCA notes that CP25/9 is not intended to respond to the feedback it received to that previous consultation. Proposals In CP25/9, the FCA is consulting on some remaining issues to support the CCI regime, including proposals for: Removing the requirement for firms to calculate and disclose implicit transaction costs – the FCA explains that this would remove a significant compliance burden for firms while ensuring that consumers are still provided with the most relevant information about the transaction costs of their chosen product. Simplifying current cost disclosure rules reflecting assimilated requirements of the Markets in Financial Instruments Directive Organisation Regulation (MiFID Org Reg) and bringing them into line with the proposals for CCIs. Transitional provisions to allow firms flexibility to move across to the new regime as soon as they are ready. Consequential amendments to other parts of the FCA Handbook that result from the new CCI rules. Next steps The consultation closes on 28 May 2025. The FCA plans to issue a policy statement with final rules in late 2025, and will include its response to any feedback to CP24/30 and CP25/9 together in that policy statement. It also intends to continue its detailed engagement with a range of stakeholders on the issues discussed in both CCI consultations, with the aim of creating a regime that works for consumers and the wider market. For more information on the CCI regime, please listen to our podcast mini-series, the first episode of which is available here.

On 16 April 2025, the Financial Conduct Authority (FCA) published a consultation paper, CP25/8, on data decommissioning: removing reporting and notification requirements. Background The FCA explains that it is reviewing the information it collects regularly from firms, as part of its commitment to improving regulatory reporting. Its aim is to streamline the data collection process so that it collects only what is necessary to effectively supervise firms, and to achieve a balance between regulatory oversight and data efficiency. Proposals In CP25/8, the FCA proposes to remove data collection requirements that it considers are no longer needed. In particular, the proposals include: Removing the requirement to provide the FCA with data related to three different reports and notifications: Form G (the Retail Investment Adviser Complaints Notifications Form), FSA039 (Client Money and Assets) and Section F RMAR. Removing information from the Handbook about other reporting forms that the FCA no longer requires to be submitted. Tidying up some of the guidance on reporting, deleting guidance about data collections that are no longer used, and completely deleting forms that already appear in Annexes to SUP 16 marked ‘[deleted]’. The FCA notes that its proposals should help to reduce the data reporting burden on firms and support economic growth. Next steps The consultation closes on 14 May 2025. Once it has considered all feedback, the FCA plans to publish a policy statement finalising its rules later in 2025.

Recent regulatory activity and enforcement outcomes have highlighted the obligations on auditors to make reports to regulators in certain circumstances.  Given the web of relevant provisions, the number of bodies potentially requiring notification, the client confidentiality overlay and the pressures to which busy professionals are subject, keeping track of who should say what to whom in the context of the audit can be challenging and decisions on reporting (or not) may require careful judgment, a robust support framework and a clear audit trail.  Questions may be asked in the context of enquiries and investigations long after the event (and sometimes with the benefit of hindsight) when memories of what was known to whom and when will have faded.  We set out below (1) a ‘Quick Reference Guide’ to serve as a high level checklist for auditors to have front of mind with regards to their reporting obligations when carrying out audits of regulated firms; (2) potential red flags that might trigger an obligation to report to one or more regulator; and (3) some considerations to bear in mind when determining whether to report.  Many scenarios will not be straightforward and so this high level guidance is intended to act as a reminder and prompt so that specialist advice can be sought where appropriate.  Auditors’ reporting obligations:  Quick Reference Guide   Do you need to make a SAR? Under the Proceeds of Crime Act 2002 (‘POCA’) auditors may commit an offence if, in the case of the MLRO they fail to report a SAR to the NCA, or in the case of any other auditor they fail to report a suspicion to the MLRO, where (1) they know or suspect or have reasonable grounds for knowing or suspecting that another person is involved in money laundering or terrorist financing, (2) the information on which their knowledge or suspicion is based, or which gives reasonable grounds for such knowledge or suspicion, came to them in the course of business in the regulated sector, and (3) they can identify, or the information they have may assist in identifying, the person suspected of money laundering or the whereabouts of the laundered property.  The threshold for reporting a suspicion is low, and fact specific.  The test involves asking not just if you have a suspicion (the subjective test) but if you ought to have a suspicion (the objective test).   Our ‘red flags’ list below might assist firms and individuals in their considerations as to whether submitting a SAR might be appropriate. Are you under an obligation to report to the FCA?:  Depending on the circumstances, auditors may have an obligation to report to the FCA pursuant to Principle 11, SUP 15 and/or under the FSMA 2000 (Communications by Auditors) Regulations 2001 (the 2001 Regulations), as well as having personal obligations to report where they are subject to the FCA’s COCON rules: (i)  Principle 11 requires that an audit firm which is authorised must, as with any other authorised firm, “deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice” and this may include matters in respect of both regulated and unregulated activities.  Chapter 15 of the FCA’s Supervision Handbook sets out rules and guidance in relation to matters which a firm must or should consider self-reporting in accordance with Principle 11.  Given the obligations relate to self-reporting these are less likely to be triggered by an audit of a regulated entity but consideration should be given to the potential impact on the auditor such as a matter that could have a significant adverse impact on the auditing firm’s reputation. (ii)  The 2001 Regulations impose an obligation on auditors of authorised firms, who are or were appointed as a result of a statutory provision to report to the FCA if, in summary, one of the following tests is satisfied: the “Relevant Requirement Test” which requires that there is (or may be) or has (or may have) been (a) a contravention of a “relevant requirement” (which includes any breach of requirements which relate to the firm’s permission to conduct regulated activity) and also any criminal offence that could be prosecuted by the FCA or PRA such as insider dealing), and (b) that contravention may be of “material significance” to the exercise of the FCA’s functions in relation to the audited entity; or the “Threshold Conditions Test” which requires that the auditing firm has information of material significance to the FCA’s determination of whether the audited firm continues to satisfy the Threshold Conditions. For the purposes of both the Relevant Requirement Test and the Threshold Conditions Test, the FRC’s International Standard on Auditing (UK) 250 provides some guidance on determining whether a matter might be of “material significance” to the relevant regulator, in particular highlighting that it does not have the same meaning as materiality in the context of the audit of financial statements.  The FRC also provides examples of “relevant requirements” or matters of concern which require “particularly close consideration” when considering whether a duty to report potentially arises.  The duty to report may arise in circumstances where there may have been a rule breach by the firm or where matters arise that may have a detrimental effect on the firm’s fitness and propriety such as serious misconduct committed by senior individuals.    (iii) Individual Conduct Rule 3 requires that senior managers and employees subject to the FCA’s COCON rules must be open and cooperative with the FCA, PRA and other regulators.  Auditors should therefore be mindful of their personal responsibilities to the regulator when carrying out audits and considering any potential ‘red flags’ which might give rise to reporting obligations.  Do you have any other external reporting obligations?  For example the FRC’s International Standards of Auditing (UK) 250 (as revised) provide that if the auditor has identified or suspects non-compliance with laws and regulations, the auditor must determine whether law, regulation or relevant ethical requirements require the auditor to report to an appropriate authority outside the entity. For any audit concerning a public interest entity, where that entity does not go on to investigate the matter raised with them by the auditor (where permissible), the auditor must inform the authorities responsible for investigating such irregularities.  Appropriate authorities outside the entity might include the SFO, CPS, the police, the FCA, the PRA, OFSI, the Takeover Panel, Lloyd’s and/or HMRC, for example. Potential ‘red flag’ indicators Potential red flag indicators that might give rise to the above reporting obligations include: A transaction in connection with an audited firm becomes the subject of an FCA or other formal enquiry or investigation. Unexpected complexity and risk in conducting the audit by comparison to initial expectations when scoping and agreeing the engagement.   Unusually obstructive behaviour by the client firm resulting in serious delays or inability to obtain the information required (contrary to expectations). Unreasonable pressure from the client to complete the audit whilst basic or significant information remains outstanding. An auditor becomes aware of information indicating an individual may have committed a criminal offence, for example in connection with a share transaction. The behaviour of senior individuals at the client firm gives rise to concern regarding their integrity or competence to conduct the business for which they are responsible. Significant discrepancies in documents provided or between internal documents and market facing materials. IT systems failures or weaknesses that could cause significant detriment or risk of significant detriment to the firm’s operational resilience, the business, its employees and/or its customers.   Lack of access to certain employees or information being funnelled through one individual or a small group of individuals without good reason. Indication of a lack of knowledge, skills and/or experience of staff who manage the affairs of the business such that it might impact the firm’s ability to meet the “fit and proper” test relevant to the suitability threshold. Multiple instances that individually may not give rise to a red flag but collectively might be considered particularly serious.  Considerations to bear in mind when determining whether and what to report Auditors should consider internal governance including how they manage internal communications between colleagues when conducting an audit of a regulated firm, as some communications may become disclosable to a regulator or other third party for example in the event of an investigation or in the context of litigation.  Additional care may be needed when determining whether and what to report. Points to bear in mind include: Legal privilege: Confidential communications between external or internal legal counsel and members of the audit team for the purposes of seeking or giving legal advice (for example in relation to concerns raised during the audit or suspicions relating to potential financial crime) may be legally privileged and protected from disclosure.  Loss of privilege: The protection afforded to privileged communications may be lost in certain circumstances, such as where they are circulated too widely, so think carefully about who is included in communications and be particularly alive to the risks of forwarding emails. Record-keeping: Ensure that clear records are made of decision-making, such as whether to make a report, including with regards to the information available and the factors taken into account.  It can be difficult to reconstruct after the event the rationale for steps taken or, importantly, not taken. Tipping off and prejudicing an investigation:   Two key offences under POCA that apply to entities in the UK regulated sector are:  ‘tipping off’ and ‘prejudicing an investigation’; the first relates to disclosing a SAR (or information about that report); the second relates to disclosing an investigation is being contemplated/carried out.  Where there are concerns around money laundering, communications with the client (i.e. the firm being audited) must be approached with caution. Internal policies: Ensure actions are consistent with internal policy and procedure.  Seek advice: In case of doubt seek advice from relevant in-house professionals and consider whether external advice would be appropriate.  We provide support to advisers and service providers in navigating their professional and regulatory obligations so please get in touch if you would like to discuss. 

Here are four items of interest for regulatory investigations lawyers from the newly published Regulatory Initiatives Grid (RIG), two to look forward to before summer and two for the second half of the year: ‘Name and shame’ proposal: The new RIG reflects the FCA’s 11 March 2025 letter to the Treasury Select Committee confirming they will not take forward the proposal to shift from an exceptional circumstances test to a public interest test for announcing investigations into regulated firms; but will take forward other aspects of their proposals including reactively confirming investigations already in the public domain; notifications focussed on activities potentially outside the regulatory perimeter; and more detailed anonymised information on issues under investigation. A ‘key milestone’ is planned for Q2 (i.e. by end of June 2025).  Non-financial misconduct: The FCA reiterates its continued prioritisation of work to tackle non-financial misconduct so that all regulated firms are subject to the same standards. In order to align with changes to legislation they are taking some further time to get this right and will set out next steps by the end of June 2025. Redress Guidance: In last year’s update to the RIG, the FCA said that it was planning to publish a Consultation Paper (CP) in Q1 on proposed rules and guidance relating to expectations of firms identifying and conducting firm led redress exercises. The new RIG references the joint call for input it published with the FOS in November 2024 seeking views on how to modernise the redress system with a deadline for responses of 30 January 2025 and indicates that the FCA now intends to issue a CP on any proposed changes in H2 2025 (i.e. by the end of the year).    Money Laundering: The Treasury is developing a package of changes to the MLRs 2017 in response to the 2024 consultation on improving their effectiveness (which closed on 9 June 2024). The consultation included consideration of strengthening coordination through, for example, information sharing by supervisors on risks and threats; clarifying how regulated firms should complete and use risk assessments; and also reviewing the role of the Trust Registration Service including in the investigation of money laundering and terrorist financing.  The RIG indicates that the Government will bring forward a package of changes to the MLRs “in 2025” and that a “key milestone” is planned for Q4 (i.e. between October and the end of the year).  We are closely following these topics and will continue to keep an eye on developments including the key milestones flagged. For further information on the Grid please see here.

On 15 April 2025, the European Commission (“the Commission”) launched a public consultation on a review of Directive 2003/87/EC establishing a system for greenhouse gas emission allowance trading within the Union (ETS Directive) and Decision (EU) 2015/1814 concerning the establishment and operation of a market stability reserve for the Union greenhouse gas emission trading scheme (MSR Decision). By way of background, the ETS Directive introduces a cap on emissions from the energy, industry, maritime and aviation sectors in Europe (“cap and trade” principle); the MSR removes allowances from EU ETS auction volumes and adds them to the reserve when the amount of allowances in the market exceeds a fixed threshold. Companies falling within the scope of the ETS Directive obligations must monitor and report their emissions on an annual basis and surrender enough allowances to fully account for their emissions. The current consultation is dictated by the fact that both the ETS Directive and the MSR Decision are scheduled for review; in line with the “evaluate first” principle the relevant legislation must be evaluated before being subject to review. The consultation consists of two substantive parts: Assessment of past performance: this part focusses on backward-looking questions relevant for the evaluation of certain aspects of the ETS. The Commission is looking for stakeholders’ views on a variety of issues, including the effectiveness and efficiency of the ETS system to date, as well as its relevance to addressing the current and future EU objectives in the area of climate change, and coherence between the various initiatives. The consultation is also looking at the EU added value, i.e. whether the results of the ETS and the MSR operation could have been achieved without EU intervention, i.e. via national actions by the Member States. Assessment of possible future policy options: this part focusses on forward-looking questions. The Commission is putting forward a number of policy options for the purpose of the impact assessment, including on (a) geographical scope of ETS application to flights outside Europe, (b) changes to the ETS rules applicable to maritime transport, (c) the design of measures to address the risk of carbon leakage for emissions not covered by CBAM post 2030, (d) the parameters for the operation of the MSR in addition to other elements of the design of the MSR, (e) the potential inclusion of carbon removals into the ETS, (f) the treatment of the capture and use of carbon in non-permanent applications, (g) the inclusion of municipal waste incineration installations and of other waste management processes, (h) the potential inclusion of installations with total rated thermal capacity below 20MW into the ETS and (i) the potential linkage of the ETS market with other international carbon markets. The consultation is open until 8 July 2025. Following that, the Commission is expected to put forward a legislative proposal in Q3 2026.

On 15 April 2025, the European Banking Authority (EBA) published its benchmarking report on remuneration and gender pay gap for institutions and investment firms. Background The EBA collects remuneration and gender pay gap data from national competent authorities for benchmarking under the Capital Requirements Directive and the Investment Firms Directive (IFD), both of which include requirements on the variable remuneration of identified staff who have a material impact on a bank’s or investment firm’s risk profile or the assets managed by them. Findings The report concludes that there was a material gender pay gap in 2023, with women earning less than men. It notes that remuneration practices in institutions remained stable between 2021-2023, but the ratio between the variable and fixed remuneration in investment firms increased significantly after the IFD was introduced. The EBA states that the data highlights a need for entities and competent authorities to analyse more closely the reasons for the observed gender pay gap and to address gender pay and gender representation disparities. In light of this, the EBA is also revising its internal governance guidelines with the aim of further improving the monitoring of gender aspects in institutions and investment firms.

On 14 April 2025, the Council of the EU formally adopted the ‘Stop-the-clock’ Directive under the Omnibus I package. The Directive postpones the dates of application of certain corporate sustainability reporting and due diligence requirements, as well as the transposition deadline of the due diligence provisions. The Omnibus I package was adopted by the European Commission at the end of February 2025, with the aim of simplifying EU legislation relating to sustainability. The Council of the EU notes that it and the European Parliament have treated the proposal for a Stop-the-clock Directive as part of Omnibus I with ‘utmost priority’ in order to give EU companies legal certainty regarding their reporting and due diligence obligations. The Directive seeks to postpone: By two years, the entry into application of the Corporate Sustainability Reporting Directive (CSRD) requirements for large companies that have not yet started reporting, as well as listed SMEs. By one year, the transposition deadline and the first phase of the application (covering the largest companies) of the Corporate Sustainability Due Diligence Directive (CSDDD). The Council of the EU explains that its and the European Parliament’s agreement to the proposal will allow them time to agree on substantive changes to the CSRD and CSDDD, which have also been proposed by the Commission as part of the Omnibus I package. Next steps The Directive entered into force on 15 April 2025 and must be transposed by Member States into their national legislation by 31 December 2025.

On 15 April 2025, the Financial Stability Board (FSB) published its finalised Format for Incident Reporting Exchange (FIRE), a global standardised format aimed at streamlining cyber and operational incident reporting and enhancing cross-border cooperation. FIRE is a common framework that financial firms can use to report operational incidents, including cyber incidents. It provides a set of standardised information items and the FSB explains that it has been designed to maximise flexibility and interoperability. FIRE covers a broad range of operational and cyber incidents and can also be used by third-party service providers and organisations beyond the financial sector. The FSB notes that for jurisdictions without a standardised reporting framework, FIRE offers a strong foundation to build on, while for those with existing frameworks it supports phased implementation and is designed to integrate seamlessly with current systems, with the aim of enabling a smooth transition and fostering widespread adoption. A downloadable taxonomy package has been released to facilitate adoption of FIRE. The FSB plans to hold a workshop with industry and authorities in 2027, to review their experiences with FIRE and any implementation challenges.

On 15 April 2025, the European Securities and Markets Authority (ESMA) published draft regulatory technical standards (RTS) and a final report on its guidelines on liquidity management tools (LMTs). Background The revised Alternative Investment Fund Managers (AIFMs) Directive (AIFMD) and Undertakings for Collective Investment in Transferable Securities (UCITS) Directive require ESMA to develop: Draft RTS to determine the characteristics of LMTs available to AIFMs managing open-ended AIFs and to UCITS. Guidelines on the selection and calibration of LMTs by UCITS and AIFMs of open-ended AIFs, for liquidity risk management and for mitigating financial stability risks. ESMA published a consultation paper on its proposed draft RTS and guidelines in July 2024. Final draft RTS and guidelines The final draft RTS and guidelines are intended to better equip EU fund managers to manage the liquidity of funds, particularly in the event of market stress. The draft RTS also aim to provide clarity on the functioning of LMTs, such as the use of side pockets for which rules currently vary significantly across the EU. ESMA flags that, through their role in mitigating financial stability risks, these rules are an important contribution to the ongoing debate on Non-Bank Financial Intermediation.  Next steps The draft RTS have been submitted to the European Commission for adoption. The Commission must decide whether to adopt the RTS within 3 months (although that period may be extended by 1 month). ESMA will translate the guidelines once the draft RTS have been adopted by the Commission. If the Commission amends the draft RTS in a way that would impact the guidelines, ESMA will adjust the guidelines accordingly. Once the translations have been published on ESMA’s website, national competent authorities will have 2 months to notify ESMA whether they comply or intend to comply with the guidelines. The guidelines will start to apply on the date the RTS enter into force. Funds established before the RTS enter into force will have 12 months to comply with the guidelines.

On 15 April 2025, the Financial Conduct Authority (FCA) announced that it is establishing a presence in the United States and Asia-Pacific (APAC) for the first time, in accordance with its new strategy for 2025-2030. In the United States, the FCA’s Tash Miah has started working at the British Embassy in Washington, DC, where she will work closely with the Department for Business and Trade to advance UK-US financial services policy and regulatory cooperation, and to support US financial firms in navigating UK regulation. In APAC, Camille Blackburn of the FCA will establish a regional office (based in Australia) from July 2025, where she will focus on helping financial services firms to navigate regulation when entering the UK market or raising capital, as well as providing UK firms with support when expanding into the APAC region. The FCA’s aim in establishing a presence in these regions is to help deliver on its mission to support growth through the export of UK financial services and attracting more inward investment into the UK.

On 14 April 2025, the Financial Conduct Authority (FCA) published the findings from its multi-firm review of how retail banks and building societies approach the treatment of customers in vulnerable circumstances that involve bereavement and power of attorney (PoA), highlighting examples of good practice and areas for improvement. Background As part of its review of how firms support customers in vulnerable circumstances, the FCA looked at how banks and building societies handled customer bereavement and PoA, considering in particular what outcomes customers received (in light of the Consumer Duty) based on its review of cases, firms’ governance, management information, staff training and outcome testing. Findings Overall, the FCA found that the firms reviewed had taken steps to refine their approach to the treatment of customers in vulnerable circumstances since the Consumer Duty was introduced. There was evidence of good practice in the support provided to customers, and that the Duty and the FCA’s Vulnerability Guidance had had a positive impact, but this was not universally the case and there were also areas in which all firms needed to improve. The FCA sets out its findings, along with positive examples found during the review, in relation to: policies and procedures; identifying and responding to customer needs; outcomes testing and monitoring; and customer journeys. Next steps The FCA notes that it has written to all firms that were part of the review, highlighting its findings and the expected next steps. It warns that while most firms displayed good practices, there were also many areas for improvement and no firm should be complacent in this area.

On 14 April 2025, the Financial Conduct Authority (FCA) published the latest edition of the Regulatory Initiatives Grid from the Financial Services Regulatory Initiatives Forum. The Forum is made up of representatives of the Bank of England, the Competition and Markets Authority, the FCA, the Financial Reporting Council, HM Treasury, the Information Commissioner’s Office, the Payment Systems Regulator, the Prudential Regulation Authority (PRA) and the Pensions Regulator. The Regulatory Initiatives Grid The Grid sets out the planned regulatory initiatives for the next 24 months, to help the financial services industry and other stakeholders to understand and plan for the timing of the initiatives that may have a significant operational impact on them. It is available in three different formats (an interactive dashboard, as well as PDF and Excel) to help users interact with the underlying data. The Grid includes a ‘multi-sector’ section covering initiatives that span more than one sector, as well as sector-specific sections covering Banking, credit and lending; Payments and cryptoassets; Insurance and reinsurance; Investment management; Pensions and retirement income; Retail investments; and Wholesale financial markets. New multi-sector initiatives In addition to new sector-specific initiatives, the Grid sets out 18 new multi-sector initiatives across-a broad range of sub-categories including ESG, conduct, cross-cutting measures and competition and innovation. They include: An FCA consultation paper (CP) on updating outdated rules and guidance, planned for Q2 2025, with a further feedback statement (FS) and action plan expected in September 2025. The creation of a long-term regulatory framework for Open Banking, with a CP expected from HM Treasury (HMT) in 2025 and a statutory instrument due in Q4 2025. Reviewing the FCA’s non-Handbook communications, including retiring (almost) all Dear CEO letters and portfolio letters issued before April 2022. The first changes are expected by the end of Q2 2025, with a further FS and action plan expected in Q3 2025 and a CP on retiring specific pieces of outdated guidance planned for Q4 2025. A review of Politically Exposed Persons (PEPs) by the FCA, with an industry report and potential CP on the PEP Guidance during Q2 2025. Modernising the redress framework and external redress guidance – the FCA is reviewing its rules and guidance for firms when identifying harm and conducting firm-led redress exercises, and intends to issue a CP on any proposed changes in H2 2025. Updated FCA guidance on cloud computing to be consulted on during H2 2025, with guidance set to be finalised in 2026, and updated encryption guidance to be consulted on in Spring 2025. Changes to the PRA’s framework for the prudential treatment of firms’ exposures to cryptoassets, with a CP planned for Q4 2025 and a policy statement (PS) expected in H2 2026. An FCA discussion or engagement paper on market risk capital requirements for specialised trading firms, due in Q1 2026, to be followed by a CP and PS. The repeal and replacement of the Markets in Financial Instruments Directive Organisational Regulation, with a PRA CP on transferring systems/controls and organisational requirements for CRR firms due in H1 2025, followed by a draft SI from HMT later in H1 2025. HMT plans to revoke the firm-facing requirements from the Regulation in H2 2025, to coincide with the FCA and PRA publishing a PS with replacement rules on the same date. The sector-specific initiatives, which also include a number of new developments, are set out in their respective sections within the Grid.

On 11 April 2025 the European Commission (“the Commission”) launched a public consultation on the review of Regulation (EU) 2019/881 on the European Union Agency for Cybersecurity (ENISA) and on information and communications technology cybersecurity certification (Cybersecurity Act). The consultation forms part of the Commission’s simplification agenda, which is a key focus for its 2025 work programme. By way of background, the Cybersecurity Act sets out a permanent mandate and objectives for ENISA, as well as establishes a European Cybersecurity Certification Framework (ECCF) for voluntary European cybersecurity certification schemes for information and communication technology (ICT) products, services and processes. One of the certification schemes foreseen by the legislation is the European Union Cloud Services Scheme (EUCS), which has been a subject of much controversy and debate since the publication of the first draft standards by ENISA back in 2020, with the key contentious points relating to the sovereignty requirements for certain cloud services providers (CSPs). Whilst the consultation is sector-agnostic and the Commission is looking for feedback from a broader range of stakeholders, it is certainly of interest to the financial sector given its growing interlinkages with the ICT service providers (including CSPs) in day-to-day operations. The current consultation is divided into three main parts and covers the following: Section 1: Mandate of ENISA The Commission seeks stakeholders’ views on a variety of issues concerning the current mandate and the functioning of ENISA, including the importance of the cybersecurity tasks entrusted to ENISA and added value brought by the latter; ENISA’s role in providing technical support in the implementation of European Union (EU) law, as well as the institution’s track record in cooperating with other institutional bodies and stakeholders. Section 2: Functioning of the ECCF The consultation explores various subjects linked with the functioning of the ECCF, ranging from the baseline topics such as views on the current legislative setup of the scope, objectives and elements of the ECCF, areas for further harmonisation with other European cybersecurity certification schemes, through to consideration of a potential mandatory European cybersecurity certification for certain products, services, processes and/or managed security services. Interestingly from a perspective of financial entities and ICT services providers that recently completed their mutual DORA compliance efforts, the Commission seeks stakeholders’ views on a potential development of voluntary certification of entities that support compliance with EU requirements concerning cybersecurity and data security as stemming from various pieces of legislation (including DORA, NIS2 Directive and others). The consultation also looks at assessing ENISA’s performance in execution of its mandates under the ECCF, including on stakeholder involvement and potential areas for improvement in that space. Finally, the Commission also considers in the consultation issues linked with ICT supply chain security. Section 3: Simplification of cybersecurity and incident reporting obligations The final section of the consultation document focuses on simplification, and the Commission is looking for stakeholders’ views on the issue of simplification of the European cybersecurity legislation in particular in the context of incidents reporting. The consultation is open until 20 June 2025, following which the Commission is expected to present its legislative proposal amending the Cybersecurity Act later in Q4 2025.

With less than five months to go until the new UK failure to prevent fraud offence comes into force on 1 September 2025, many organisations are conducting risk assessments and enhancing anti-fraud policies and procedures with a view to preventing fraud and providing themselves with a defence should this be necessary.  The new offence will apply to organisations wherever they are located (including outside the UK), where a fraud is committed which has some nexus to the UK. The only defence for an organisation will be to have “reasonable procedures” in place to prevent fraud. More details on the new offence, including the underlying fraud offences covered, are set out here. In a recent speech the SFO Director Nick Ephgrave emphasised that the SFO is looking to prosecute the offence, and noted that organisations should ensure their procedures are in place by September: “Come September, if they haven’t sorted themselves out, we’re coming after them. That’s the message I’ll be delivering…I’m very, very keen to prosecute someone for that offence. We can’t sit with the statute books gathering dust, someone needs to feel the bite.” Whilst, in practice, many organisations will (and should) be continuing to enhance their policies and procedures on an ongoing basis, it is important that organisations have taken significant steps ahead of September to implement “reasonable procedures”, and that there is a clear plan for further review (and a process for making enhancements, should those be required) in future. We will be publishing a series of articles on key steps to take ahead of September. In this article we explore one of the first steps in preparing for the new offence: conducting a risk assessment. Part 1: Risk assessments As the Home Office’s November 2024 guidance (the HO Guidance) and UK Finance’s February 2025 guidance (the UKF Guidance) (together the Guidance) acknowledge, organisations (particularly those in the financial services and other regulated sectors) may already have existing risk assessment frameworks in place that can be adapted to address the risks presented by the new offence. Our expectation is that conducting a failure to prevent fraud risk assessment will take some time – the Home Office issued an impact assessment (see here) in November 2022 which estimated that risk assessments should take organisations between c.100-130 hours to prepare. There are a number of considerations to work through when an organisation is assessing its approach to risk assessments. We explore each of these below. 1. Deciding who will conduct and oversee the risk assessment Jurisdictional scope: the new offence will apply to any organisation and could arise where a fraud offence is committed with a connection to the UK (e.g. because a meeting is held or communication is made in the UK) or where there are victims in the UK (which could include investors and / or counterparties) or, in some cases, where there is a gain or loss in the UK. This means that whether an organisation is subject to the offence will vary depending on the specific circumstances in which the fraud takes place (and so could shift from transaction to transaction, or as its investor profile changes). In addition to the jurisdictional scope question, organisations need to decide whether to approach implementation on a global or local scale.  -Multinational organisations may choose to conduct risk assessments and enhance fraud procedures on a global basis (although in the short term it may make sense to focus efforts on UK entities and other entities with a UK nexus). Ownership: it is rare that a single function can effectively conduct the failure to prevent fraud risk assessment or enhance / implement the requisite procedures to ensure compliance with the new offence on its own. Input from stakeholders across the organisation is likely to be required to fully understand the scenarios in which fraud risks could arise in practice. We have helped clients put in place cross-functional working groups to obtain input from a variety of different business units including finance, marketing, sales, procurement, legal, sustainability, ethics/compliance and internal audit. Oversight by senior management: the Guidance suggests it may be appropriate that some level of approval of the risk assessment should be given by senior management/the Board and that there should be designated responsibility for horizon scanning for new fraud risks and approving the assessment of risk. We would recommend that the approach taken in conducting a risk assessment is agreed at a senior level at the outset, with appropriate consideration given to resource allocation, coordination (e.g. via a working group) and reporting. There should be a specific budget and resources for undertaking the risk assessment as well as making relevant enhancements to procedures. Level of external input: it is worth considering the level of support required from external  providers to undertake risk assessment(s). Although much of the knowledge required to conduct the risk assessment will be held internally, many organisations will need some level of external legal support including to work through the details of the offences and how they can be committed in practice, navigating some of the core scoping questions such as those relating to the definition of associated persons and questions of territoriality, and benchmarking against peer organisations. 2. Understanding the relevant risk assessments already in place; and what they do and do not cover Most organisations (particularly those in the financial services and other regulated sectors) have some kind of risk assessment in place that covers fraud.  Many of these existing risk assessments focus on cases where the organisation is a victim of fraud (i.e. “inward fraud”) rather than addressing fraud committed by Associated Persons for the benefit of the organisation or its clients (i.e. “outward fraud”). Appreciating this distinction is essential in terms of ensuring the risk assessment is fit for purpose. 3. Assessing the likelihood of the underlying fraud offences arising It is crucial that those undertaking the risk assessment and enhancing anti-fraud procedures understand the underlying offences in sufficient detail. The offences are complex (much more so than, for example, those under the UK Bribery Act) and often the precise conduct covered by the offence is not obvious from the shorthand description set out in the relevant legislation. Further, there are numerous “grey areas” around whether certain conduct would meet the relevant standard of dishonesty (a defining characteristic of nearly all of the underlying offences) which need to be thought through. Given these challenges, many clients have found it useful to break down each offence into its constituent elements and to bring these to life with examples of how each offence could potentially be committed in practice in their sector (and, as set out below, in each different business unit or support function or by their associated persons). Once the underlying offences are fully understood by those participating in the risk assessment process, it is then important to assess how they could arise. The Guidance suggests as a starting point identifying different types of Associated Person and then for “nominated risk owners” to consider circumstances in which those associated person might attempt fraud (and whether there are particular types of fraud offence, e.g. false accounting or abuse of position which are more likely to be committed by particular types of Associated Persons). A strategy we have seen work well to put structure around this is to have each business head lead an appropriate discussion about the offences within their function and this may be facilitated by an internal questionnaire. The business head can then feed back to the working group those scenarios which have been identified as risk areas and any relevant controls. This enables the organisation to build up one document setting out risk areas across the business for each underlying offence and will also help to promote consistency across different business lines and functions.  An element of cross fertilisation with different internal teams learning from each other’s examples can also be helpful.  For organisations starting their risk assessments now, it may make sense to determine, and focus in the first instance on, areas of highest risk in order to identify priority programme enhancements (see below). 4. Conducting a ”gap analysis” to assess what policies and procedures are already in place and identify any areas for enhancement It is important to understand the extent to which existing policies or procedures (whether fraud specific or otherwise) can be adapted or supplemented. Many organisations will already have in place policies, procedures and controls that can be leveraged (e.g. third-party due diligence and monitoring processes related to bribery and corruption and controls around financial reporting and approval of marketing materials). Many clients have found it useful to identify, in relation to each offence and the scenarios which have been identified, relevant controls that are in place. Those controls can then be reviewed to determine whether there are any “gaps” and to identify where enhancements may be required. An enhancement and prioritisation plan can then be drawn up based on the output of this work.  This exercise is also useful in drawing together all the relevant internal anti-fraud procedures so that there is a central record of these that could be deployed as part of any defence strategy if needed.  5. Producing a written risk assessment and agreeing when it will be reconsidered Whilst the primary purpose of anti-fraud procedures is, of course, to stop fraud happening in the first place, it is also crucial that an organisation can defend itself if allegations of fraud are raised and it is facing a criminal investigation (or seeking to persuade criminal authorities not to investigate) or alternatively a regulatory investigation. This means the organisation’s procedures, including the risk assessment, need to be documented carefully. To defend procedures effectively requires contemporaneous documentation of the decisions made and steps taken in conducting a risk assessment, including the rationale for those decisions. For example, where an offence arises in an area of a business which was deprioritised in light of the risk assessment, following a risk-based approach it will be important to be able to provide contemporaneous evidence of the rationale for that decision. This is particularly important where the organisation will not have finalised its anti-fraud procedures by September. How often should the risk assessment be refreshed? The guidance states that the risk assessment should be dynamic and kept under regular review, either annually or bi-annually. Risk assessments should be refreshed in the interim as the business (and risks faced by the business) change – and in light of any fraud issues identified either internally or where knowledge of peer experience is available. We are helping various organisations prepare for this change: if you would like to discuss how we can help, please get in touch.

On 11 April 2025, the Prudential Regulation Authority (PRA) announced that it was offering a modification by consent (MbC) to modify Article 11 (1)(d)(ii) of the Liquidity Coverage Ratio part of the PRA Rulebook. The MbC allows a firm that has incorrectly applied a rule regarding third country covered bonds’ inclusion in Level 2A High Quality Liquid Assets (HQLA) of the Liquidity Coverage Ratio (LCR), to recognise these bonds on a limited and declining basis. The MbC permits inclusion of only the bonds that the firms are including within HQLA 2A up to a maximum value, determined as at 31 January 2025 (the reporting date). As the third country covered bonds mature or are disposed of, they must not be replaced in the LCR, so the cap declines, eventually to zero. Next steps Firms and UK Capital Requirements Regulation (CRR) consolidation entities may provide consents to the PRA by emailing PRA-waivers@bankofengland.co.uk. Following receipt of the relevant consent the PRA will confirm in writing whether it has given a modification direction. If the PRA gives a direction, it will send the direction to the relevant firm or CRR consolidation entity and will publish it on the Financial Services Register. A modification direction takes effect on the date stated in the direction.

On 11 April 2025, the Financial Conduct Authority issued Occasional Paper 66 – Playing the market: a behavioural data analysis of digital engagement practices and investment outcomes. In the Occasional Paper the authors draw upon a large representative sample of consumer data from several trading app firms (platforms that allow users to buy and sell investment products predominantly via applications on their phones), to investigate the impact of digital engagement practices on real consumer outcomes.