On 18 September 2025, the FCA published a speech, delivered by Jessica Rusu, FCA Chief Data, Information, and Intelligence Officer, at the Future of Fintech conference. Key points covered included the following: Innovation and technology are key to Government and FCA strategy: FCA initiatives to support this include the launch of the Supercharged Sandbox and AI Live Testing, alongside existing support from the Innovation Pathways Service. A focus on encouraging global fintech investment: The FCA is consulting on new proposals to regulate crypto and launching a new scale-up unit, which are intended to create an environment for firms to best innovate, grow and scale. Open finance initiatives: The FCA has also launched its Smart Data Accelerator, with the aim of enabling secure data sharing, and is also working with the Information Commissioner’s Office to address any cross-regulator issues.

On 15 September 2025, The Financial Services and Markets Act 2023 (Capital Buffers and Macro-prudential Measures) (Consequential Amendments) Regulations 2025 were made. These Regulations come into force on 30 November 2025. Background The Capital Requirements (Capital Buffers and Macro-prudential Measures) Regulations 2014 (the 2014 Capital Buffers Regulations) are revoked by virtue of the Financial Services and Markets Act 2023 (Commencement No 9) Regulations 2025 and partly restated by the Capital Buffers and Macro-prudential Measures Regulations 2025 with technical modifications to improve the effectiveness of the overall capital buffer framework. This approach will remove two capital buffers from legislation (the Capital Conservation buffer and Global Systemically Important Institutions buffer) and responsibility for setting these buffers will be transferred to the Prudential Regulation Authority (PRA). Other regulations will be restated, with some technical modifications, where they relate to capital buffers that are set by the Bank of England’s Financial Policy Committee (FPC) (the Countercyclical Capital buffer and the Other Systemically Important Institutions buffer). This is because the FPC does not have broad rulemaking powers like the PRA, and the regulations that underpin the use of its tools must be set out in legislation. The revocation and restatement took effect on 31 July 2025. Revocation and restatement The Regulations now published make certain technical amendments to legislation following the revocation and restatement of the 2014 Capital Buffers Regulations. Among other things, the Regulations ensure that existing references to the 2014 Capital Buffers Regulations in other legislation, such as the Bank of England Act 1998 and retained EU technical standards, are updated accordingly.

On 17 September 2025, the Financial Conduct Authority (FCA) published Consultation Paper 25/25: Application of FCA Handbook for Regulated Cryptoasset Activities (CP25/25). Background CP25/25 follows HM Treasury’s draft statutory instrument (SI) to bring certain cryptoasset activities within the regulatory perimeter and two previous FCA consultation papers covering stablecoin issuance and cryptoasset custody (CP25/14) and a prudential regime for cryptoassets (CP25/15). The FCA’s aim is to align cryptoasset firms with the standards expected of traditional financial services, enhance consumer protection, reduce financial crime, and support the sustainable growth and international competitiveness of the UK crypto sector. Proposals The FCA proposes to apply existing Handbook rules and guidance to those firms that conduct cryptoasset activities that will come under its remit as a result of the SI, with modifications to address the unique risks of cryptoassets. The approach is based on the principle of ‘same risk, same regulatory outcome’, ensuring that cryptoasset firms are held to comparable standards as traditional authorised firms. Following chapter 1 which provides a summary of the FCA’s proposals, the structure of CP25/25 is as follows: Chapter 2: High level standards and supervision Threshold Conditions (COND): Minimum conditions for authorisation and ongoing operation will apply to cryptoasset firms. Principles for Businesses (PRIN): Core principles such as integrity, skill, care, diligence, financial prudence, and fair treatment of customers will apply. General Provisions (GEN): Rules on status disclosure, use of FCA name/logo, and emergency procedures will be extended to cryptoasset firms. Supervision (SUP): The FCA will supervise cryptoasset firms using existing methods, including information gathering, skilled person reviews, and auditor oversight. Chapter 3: Senior Management Arrangements, System and Controls (SYSC) Governance: Cryptoasset firms must have robust governance, risk management, compliance, record-keeping, and whistleblowing arrangements. Senior Managers & Certification Regime (SM&CR): The regime will apply to cryptoasset firms, ensuring clear accountability and personal responsibility among senior managers. Operational resilience: All cryptoasset firms must meet operational resilience requirements (SYSC 15A), including identifying important business services, setting impact tolerances, mapping dependencies, scenario testing, and maintaining business continuity plans. Outsourcing: Use of permissionless distributed ledger technologies will not be treated as outsourcing, but firms must still assess and manage related risks. Financial crime: Cryptoasset firms will be subject to the same financial crime rules as other authorised firms, including anti-money laundering, counter-terrorist financing, and fraud prevention requirements. Firms must implement systems and controls to identify, assess, and manage financial crime risks, in line with the FCA’s Financial Crime Guide. Chapter 4: Guidance on cryptoasset operational resilience The FCA proposes guidance to cryptoasset firms to help them implement the operational resilience requirements (SYSC 15A), with reference to outsourcing provisions under SYSC 8, under the cryptoasset regime. To ensure the guidance is relevant for cryptoasset firms, the FCA focuses on cryptoasset-specific operational and technological risks and uses example cryptoasset business models to demonstrate how operational resilience requirements can apply in practice within regulated cryptoasset activities. Chapter 5: Business standards. The ESG Sourcebook will apply to cryptoasset firms, requiring fair, clear, and not misleading sustainability claims. No new cryptoasset-specific climate or sustainability disclosure requirements are proposed at this stage. Chapter 6: Applying the Consumer Duty and access to the Financial Ombudsman Service (FOS) to regulated cryptoasset activities. Consumer Duty: The FCA is proposing that the Duty should apply to all regulated cryptoasset activities with additional guidance. It is seeking input as to whether this is the right approach or it provides tailored rules that are more appropriate. For clarity, the FCA proposes that it will not apply the Duty to the trading between participants of a UK authorised cryptoasset trading platform as this is comparable to how it treats multilateral trading facilities in traditional finance. FOS: The FCA invites discussion on whether customers should be able to bring complaints to the FOS when the cryptoasset firm has been unable to resolve the complaint and whether the FCA’s complaint handling rules should apply to regulated cryptoasset activities. Chapter 7: Conduct of Business Sourcebook (COBS) and Product Intervention and Product Governance Sourcebook (PROD) COBS: The FCA is seeking feedback on whether and how COBS should apply to cryptoasset firms offering cryptoasset regulated activities, as well as its proposed approach to product governance. On page 69 of CP25/25 the FCA sets out a table which summarises which parts of COBS it intends to apply. PROD: The FCA is also considering whether and when reliance on the Duty may be appropriate instead of applying PROD or aspects of COBS. Next steps The deadline for comments on: Chapters 1 to 5 is 12 November 2025. Chapters 6 and 7 is 15 October 2025. The FCA’s final rules will be set out in Policy Statements which it intends to publish in 2026 per its Crypto Roadmap.

On 9 September 2025, the Joint Committee of the European Supervisory Authorities (ESAs) published its fourth annual report on the extent of voluntary disclosure of principle adverse impacts (PAIs) under the Sustainable Finance Disclosure Regulation (SFDR). Background Article 18 of the SFDR provides that the ESAs must take stock of the extent of voluntary disclosures at entity and product level and publish a report on an annual basis. The annual report is based on the findings from a survey that the ESAs conducted of Member State competent authorities (NCAs) which gathered input on the current state of entity-level and product level voluntary PAI disclosures under the SFDR. The annual report refers to PAI disclosures published by 30 June 2024 for the reference period from 1 January to 31 December 2023. Key finding The annual report confirms the trends of previous years, such as that financial market participants (FMPs) that are part of larger multinational groups disclose the information on sustainability in a more detailed and appropriate manner, and that smaller entities mix information on ESG / general marketing  information with SFDR disclosures (i.e. a lot of text, but no clear information whether principal adverse impacts are considered or not). Next steps The annual report sets out recommendations to both the European Commission (Commission) and NCAs. The recommendations to the Commission include: The Commission should consider the persisting value of PAI statements, possibly in shorter form with reduced indicators, in machine-readable format and made available in the European Single Access Point. The Commission could implement the best practice recommended by the ESAs in joint SFDR Q&A IV.5, which is that FMPs could disclose the proportion of investments covered by data and distinguish that from the proportion that is estimated. The ESAs reiterate that the Commission could consider other ways of introducing proportionality for FMPs, as the “more than the 500-employees” threshold may not be a meaningful way to measure the extent to which investments may have principal adverse impacts on sustainability factors. The Commission reduce the frequency of the annual reports published under Article 18 of the SFDR to every two or three years, as opposed to the current annual publication.

On 9 September 2025, the Financial Conduct Authority (FCA) published a new webpage, AI and the FCA: our approach. The webpage briefly covers how the FCA’s rules apply to AI and how AI is helping the FCA become a smarter regulator.

On 9 September 2025, the Financial Conduct Authority (FCA) published Feedback Statement 25/5: Summary of Feedback Received on the Engagement Paper proposing AI Live Testing (FS25/5). In FS25/5 the FCA summarises the feedback it received to an Engagement Paper it published in April 2025 which set out a proposal for AI Live Testing.  The FCA reports that respondents welcomed the proposal for AI Live Testing, feeling that it was a constructive and timely step toward increasing transparency, trust and accountability in the use of AI systems. Next steps The FCA has launched AI Live Testing, as part of the existing FCA AI Lab. The application window for the first cohort of AI Live Testing was opened on 9 July 2025 and was extended until 15 September 2025. The FCA will start working with participating firms in the first cohort in October 2025. The FCA has plans for two cohorts, each made up of approximately five to ten participating firms. The FCA may accept a higher number of firms depending on the range of use cases submitted and how representative they are of the UK financial services sector. The application window for the second cohort will open before the end of the year. For AI Live Testing, the FCA has committed to publishing an evaluation report at the end of the approximately 12-month process.

On 8 September 2025, the Wolfsberg Group published guidance on the provision of banking services to fiat-backed stablecoin issuers. The Wolfsberg Group is an association of 12 global banks which aims to develop frameworks and guidance for the management of financial crime risks. The Wolfsberg Group notes that the increased adoption of fiat-backed stablecoins represents a new financial crime risk management challenge to financial institutions. The Wolfsberg Group is of the view that most of the same financial crime risk management principles apply in developing and monitoring a relationship with any type of bank or non-bank financial institution, which is reinforced in the guidance. The guidance also explores the unique financial crime risks associated with the provision of banking services to a fiat-backed stablecoin issuer operating in a regulated jurisdiction and establishes a framework for financial institutions to manage these relationships appropriately. Conceptual approach A key message in the guidance is that the conceptual approach to banking a stablecoin issuer is similar to any customer relationship. An FI should understand the risks associated with the customer and the relationship, as well as how that customer manages those risks. The FI then should determine if it is comfortable both with the risk exposure and risk management strategy offered by the issuer. The FI should also develop a reasonable risk management framework that allows the FI to determine if the customer’s behaviour stays within that appetite and take corrective action as necessary. Topics The guidance: Introduces the relevant terminology used by the Wolfsberg Group on stablecoins. While definitions may differ across the industry, a shared understanding of the basic terms introduced and explained in the guidance will be relevant for developing the overarching risk management framework. Describes the typical fiat-based services that an FI may provide to a stablecoin issuer, emphasising how existing financial crime-related controls may require tailoring to respond to the unique risks presented by the relationship. Describes the level to which an FI, in following a risk-based approach, may monitor the compliance obligations of the issuer on the blockchain.

On 5 September 2025, the Australian Securities and Investments Commission (ASIC) issued a media release announcing that the High Court had granted it special leave to appeal a Full Federal Court decision that a digital asset service provider did not need a financial services licence to offer a fixed-yield digital asset-related product. The definition of financial product has been drafted in a broad and technology-neutral way and ASIC believes that it is in the public interest to clarify the position. As such ASIC’s appeal seeks the High Court’s ruling on what falls within the definition of a financial product, as well as clarifying when interest-earning products and products involving the conversion of assets from one form into another are regulated. The appeal will be heard on a date to be set by the High Court.

On 8 September 2025, the Financial Conduct Authority (FCA) published Market Watch 83. In this Market Watch, the FCA shares its observations from a series of reviews of corporate finance firms that provide advisory and corporate broking services to small and mid-cap companies. These reviews focused on firms’ systems and controls for handling inside information about their corporate clients. The FCA assessed the effectiveness of firms’ UK Market Abuse Regulation (UK MAR) policies and procedures. In some cases, it also considered conduct relating to personal account dealing (PAD) and managing conflicts of interest. The FCA’s observations in Market Watch 83 will help corporate finance firms benchmark their systems and controls and consider whether their own arrangements align with the standards expected. Key messages in Market Watch 83 include: The FCA encourages firms to consider whether their policies and procedures help effectively manage the number of market sounding recipients (MSRs) to control the flow of inside information. Both disclosing market participants and MSRs should consider and address the risk of unlawfully disclosing inside information by sharing market sounding information with individuals at the MSR that the gatekeeper has not wall crossed. Firms’ policies and procedures should make sure the same level of information is shared with every MSR. It is important for firms participating in this practice to assess, on a case-by-case basis, whether a market sounding falls within the scope of UK MAR Article 11(1). If not, firms must consider whether disclosures are lawful under UK MAR Article 10(1). Firms should carefully consider whether they have arrangements, policies and procedures that are appropriate to their size to ensure regulatory compliance. Ongoing breaches of PAD policies are unacceptable. These policies and procedures are essential for maintaining market integrity by reducing conflicts of interest and helping to prevent market abuse.  Firms must implement adequate arrangements to manage these risks, and the right tone from the top is crucial for embedding a culture of compliance.

On 8 September 2025, HM Treasury issued a consultation paper, A Streamlined Approach to Payment Systems Regulation. In the consultation paper HMT sets out proposals for integrating the functions of the Payment Services Regulator (PSR) entirely within the Financial Conduct Authority (FCA). Background Earlier this year the UK Government announced the abolition of the PSR, as part of its efforts to cut red tape and drive economic growth. The move followed complaints from payment services firms that they were having to engage with three different regulators, costing them time, money and resource. Ahead of the transition, the PSR and the FCA have already made certain arrangements to ensure operational readiness for implementing the integration and this includes creating a new FCA Executive Director role for Payments and Digital Finance that includes responsibility for both FCA payments and as Managing Director of the PSR. Consultation In the HMT consultation paper the UK Government is consulting on proposals for how it will move all of the PSR’s functions into the FCA. This will see the FCA take on the PSR’s responsibilities, including for promoting competition and innovation in payment systems and the services provided by payment systems, as well as supporting the interests of consumers and businesses who make payments every day. In broad terms, the UK Government is proposing to integrate the PSR’s functions within the FCA’s current framework in the Financial Services and Markets Act 2000 (FSMA 2000) to the extent this is practicable. Where this is not practicable, the UK Government expects the relevant functions to be set out in a new part of FSMA 2000. The consultation paper sets out the UK Government’s approach to the core design decisions for the new regulatory framework, including the role of the FCA alongside other relevant public authorities and the FCA’s proposed future objectives and powers in relation to payment systems, among other key features. The UK Government is not consulting on all the issues associated with the consolidation, but on core design decisions where it would be most useful to receive stakeholder feedback. For example, under the UK Government’s proposed approach, the transfer of the PSR’s functions to the FCA will not result in new categories of persons being brought in scope of payment systems regulation. Instead, the FCA’s payment systems regulatory regime will apply to the same categories of persons as the PSR’s regime in the Financial Services (Banking Reform) Act 2013 (FSBRA 2013) does at the moment. Alongside this, the FCA would continue to perform its wider role as a conduct and prudential regulator, including its existing functions in relation to payment services and e-money legislation. The UK Government is not seeking to alter these functions or expand or reduce the FCA’s remit in relation to these functions, as a consequence of integrating the PSR into the FCA. Furthermore, the UK Government does not consider it appropriate to apply FSMA 2000 style conduct and prudential regulation based on an authorisations process to payment systems or participants in a payment system who are not currently in scope of this type of regulation. The UK Government considers it preferable to retain the approach used in the current framework of designating payment systems because it facilitates more targeted regulation. Next steps The deadline for comments on the consultation paper is 20 October 2025. Legislation will be brought forward to implement the UK Government’s final policy when Parliamentary time allows. By the end of 2025, the UK Government and public authorities, via the Payments Vision Delivery Committee, will publish a Payments Forward Plan, which will provide a sequenced plan of future initiatives across the ecosystem, including initiatives in both retail and wholesale payments, and the role of digital assets.

On 4 September 2025, the Australian Prudential Regulation Authority (APRA) published two letters it sent to Treasurer Hon Dr Jim Chalmers MP and Minister for Finance, Senator the Hon Katy Gallagher on 31 July 2025 and 12 August 2025. The letters outline nine actions APRA is taking to support productivity while maintaining the strength and stability of the financial system in a balanced and efficient way. These actions are further described in APRA’s 2025-26 Corporate Plan. In summary, the nine actions APRA is taking are: introducing further proportionality , including a proposal to formalise a third tier into APRA’s proportionality framework for banks and then focusing on the insurance and superannuation frameworks; simplifying the bank licensing framework with a goal of reducing the time taken to process new bank license applications; promoting access to internal capital modelling, by consulting on changes that aim to simplify and clarify APRA’s accreditation process that allows banks to use internal modelling for regulatory capital purposes; promoting access to cost-effective reinsurance; reducing capital requirements for annuities; removing unnecessary or duplicative rules as part of APRA’s consultation on governance standards; coordinating with peer agencies on payments reform; providing greater clarity of supervisory expectations relating to adjustments for banks to minimum capital requirements; and strengthening data sharing with other regulators, helping to reduce duplicative requests on entities.

On 4 September 2025, the Australian Prudential Regulation Authority (APRA) published a speech from its Executive Director of Cross-industry Risk, Chris Gower. The title of the speech is Finding balance at a time of rising risk. In his speech, Mr Gower runs through APRA’s assessment of the current financial risk landscape and how its latest Corporate Plan balances keeping the Australian financial system safe and resilient but also efficient and competitive. Mr Gower also notes that internationally there continues to be significant geopolitical uncertainty and that geopolitical unrest has also correlated with an increase in cyber-attacks. Domestically, while the global outlook presents downside risks, growth in the Australian economy is expected to pick up slightly in the next year. Mr Gower discusses APRA’s 2025-26 Corporate Plan which is built around the following four pillars: maintaining financial and operational resilience;  responding to significant and emerging risks; getting the regulatory balance right; and improving our organisational effectiveness. In the context of maintaining financial and operational resilience, Mr Gower notes that: APRA will this year finalise revisions to the bank capital framework to phase out Additional Tier 1 capital instruments over coming years and will also engage with industry on potential revisions to the bank liquidity framework; in July this year, CPS 230, APRA’s first prudential standard focused on operational risk management, came into force. Over the next year, APRA will focus on assessing how effectively entities are meeting these new obligations; and APRA will provide an interim update in the next few months following the release of eight proposals in March 2025 to strengthen governance across all APRA-regulated industries. Another pillar of the 2025-26 Corporate Plan that Mr Gower discusses is responding to significant and emerging risks. This includes strengthening institutions’ cyber resilience and stepping up monitoring of AI practices across larger institutions, including the appropriateness of risk management and oversight. Perhaps the most notable change to APRA’s Corporate Plan is the inclusion of the third strategic objective of getting the balance right. Mr Gower explains that whilst at one level this is business as usual for APRA, its elevation to a strategic objective reflects the scrutiny on the costs of regulation that, driven by stubbornly low productivity growth, has been an increasing focus in recent years. Like other Australian regulators, APRA received a letter from the Federal Treasurer asking it to identify specific, measurable actions to reduce regulatory compliance costs without compromising standards. Mr Gower runs through some of the actions that APRA has taken since receiving this letter including removing outdated or duplicative rules from our governance prudential standards.

On 3 September 2025, the Australian Securities and Investments Commission (ASIC) issued a Regulatory Simplification Report which seeks input on range of multi-year initiatives aimed at making regulation clearer, more accessible and easier to navigate, while maintaining robust consumer protections.   Key initiatives The report outlines ASIC’s initiatives in the following key areas: improving access to regulatory information, including a redesigned ASIC website and regulatory roadmap pilots for small-company directors and providers of financial advice, to help them understand their regulatory obligations; reducing complexity in regulatory instruments; and making it easier to interact with ASIC, including transitioning paper-only documents to email lodgement and enabling electronic signatures on all forms by 1 October 2025. Next steps ASIC will review and consider all feedback (which must be received by 15 October 2025) to inform the prioritisation and development of its simplification initiatives.  Following this consultation period, ASIC will refine its work plan and begin implementing further improvements.  Ongoing engagement with stakeholders will remain a key part of the process, ensuring that future changes continue to address the needs of businesses, consumers, and the broader economy while upholding strong regulatory standards.

On 28 August 2025, the FCA published a press release and updated its reporting rules webpage to confirm that firms with a reporting period ending after 31 August 2025 will no longer need to submit certain nil returns if there are no breaches of the conduct rules to report under the Senior Managers and Certification regime (SMCR) during the relevant reporting period. The FCA explained that this change has been made as part of its transforming data collection programme, which aims to make regulatory reporting more proportionate.

On 28 August 2025, the FCA published a webpage setting out that they intend to make it easier for firms to find up-to-date supervisory communications on the FCA website. The FCA explained that they will be labelling pre-2022 multi-firm and thematic reviews as historical, while still making these accessible.  The FCA have stated that they are doing this to make their supervisory priorities clearer. The FCA also set out that they will soon be publishing market reports, instead of Dear CEO and portfolio letters, and that these reports will include information relevant to different types of firms, but that until these reports are published firms should continue to refer to existing supervisory communications.

On 27 August 2025, the Financial Conduct Authority (FCA) published a statement intended to provide clarity for stakeholders (such as employers, platforms, payroll and savings providers) on how workplace saving schemes can be successfully set up and implemented to comply with current rules and legislation. The statement focuses on ‘opt-in’ schemes (i.e. schemes where employees choose to save via payroll, rather than schemes where employees are automatically enrolled) and explains how employers and savings providers can approach perceived regulatory barriers: National Minimum Wage: Employers should seek to avoid certain risks that could breach National Minimum Wage Regulations 2015 and ensure that workers receive the national minimum wage in the relevant period notwithstanding any deductions. FCA regulated activities: The statement mentioned the FCA’s view that workplace savings schemes can be structured in a way that does not involve the employer carrying out a regulated activity, particularly where the funds are transferred to the savings provider. However it mentioned that employers should consider their models in line with the Financial Services and Markets Act 2000 (FSMA) and other legislation, including financial promotions. Financial Promotions: The FCA provided further guidance for employers on when they might be communicating a financial promotion in relation to a scheme, such as encouraging employees to join, and that therefore such a communication would need to (i) be issued by a FSMA authorised person to the employees, or (ii) be approved by a person authorised under FSMA who has the required permission to approve, or (iii) come within an exemption from the restriction. Banking: Conduct of Business Sourcebook (BCOBS) compliance for saving providers: The FCA highlighted the relevant requirements in BCOBS when employees open a workplace savings account, which apply like any other savings account and encourages providers to engage wih how to meet relevant BCOBs requirements without discouraging saving. Customer Due Diligence (CDD): When carrying out due diligence as per the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, specifically Regulation 28, the FCA mentioned examples of good and poor practice in Financial Crime Guidance (3.1) and how savings providers can receive the necessary information to carry out CDD leveraging information from employers’ pre-employment checks. Data protection considerations: The statement outlined relevant UK GDPR lawful bases for responsible data sharing by employers, payroll providers or benefits companies. These included processing data to deliver contractual services with consent, or where use is expected or justified with minimal privacy impact. It also referred to ICO guidance to help stakeholders identify the appropriate legal basis. Financial Services Compensation Scheme (FSCS): The statement made clear that employees must receive an information sheet on deposit protection when contracting with a savings provider. The FCA mentioned this can be incorporated into the savings account application process or onboarding for new joiners. It also noted that funds held with e-money institutions are not directly FSCS protected. Consumer Duty: The statement also made clear that savings providers are in scope of the Duty whereby requirements apply to workplace savings products as they do to any other product and services. Next steps The FCA will continue to collaborate with stakeholders and the government to promote the implementation of workplace savings schemes to help consumers start saving more regularly.

In the latest episode of our mini-series on the Chancellor’s Mansion House speech and Leeds Reforms, Katie Stephen, Matthew Gregory, Haney Saadah and Catherine Pluck discuss the proposals in relation to the Senior Managers and Certification Regime, as well as the proposals around authorisations. Listen to our podcast here.

The Australian Prudential Regulation Authority (APRA) has released its 2025-26 Corporate Plan, which details APRA’s objectives and activities for the period 2025 to 2029. The Plan outlines APRA’s role in protecting the financial interests of Australians by promoting the safety and stability of the financial system. A few of APRA’s top strategic priorities in the plan have been extracted by way of summary: Strengthening cyber resilience across APRA’s regulated industries given the recent escalation of attacks. In 2025–26, APRA will prioritise targeted supervisory engagements to assess entities’ progress in uplifting cyber resilience. These engagements will focus on evaluating specific cyber control areas and identifying potential single points of failure within entity systems, processes and dependencies. Initial efforts will concentrate on superannuation trustees, insurers and smaller banks. In the superannuation sector, a key focus will be assessing funds’ responses to APRA’s concerns outlined in its June 2025 letter on Information Security Obligations and Critical Authentication Controls. Assessing the degree to which regulated entities are complying with APRA’s new prudential standard CPS 230. On 1 July 2025, Prudential Standard CPS 230 Operational Resilience (CPS 230) came into effect, introducing enhanced requirements for operational risk management across all regulated entities. Given the growing reliance on third parties, rapid technological advancements and geopolitical uncertainty, effective implementation of CPS 230 is critical to maintaining financial safety and stability. Over 2025-26, APRA will engage with entities to ensure they are meeting their new obligations. APRA’s supervision program will initially focus on the largest entities (significant financial institutions), including through targeted prudential reviews of some entities. Updating APRA’s prudential standards for governance. In the second half of 2025-26, APRA plans to consult on draft standards and guidance to update core governance requirements. These changes aim to address persistent poor practices and establish clear expectations for all regulated entities – almost 80 per cent of entities currently under heightened supervision by APRA exhibit underlying governance issues. To inform these revisions, APRA is continuing to engage extensively with stakeholders to gather diverse perspectives. Publishing the results of APRA’s inaugural System Stress Test. In the second half of 2025-26, APRA will publish the results of its inaugural system stress test, designed to evaluate risks to financial stability arising from interconnectedness in the financial system. The test scenario assesses the impact and potential feedback loops between the banking and superannuation sectors from a significant financial market disruption alongside a major operational risk event. APRA will collaborate with industry and regulatory peers to address any vulnerabilities identified through this exercise. Intensifying scrutiny of superannuation fund expenditure. Fund-level expenditure will remain a key focus to ensure superannuation trustees act in the best financial interests of their members. Over the next 12 months, APRA will undertake targeted assessments of expenditure data, and where deficiencies are identified, trustees will be required to make improvements. Reviewing the investment governance and member outcomes of major platform providers. APRA is currently undertaking a review to assess the quality and soundness of trustees’ governance and oversight of investments offered via platforms. The review focuses on key areas including due diligence, onboarding, monitoring, and removal of investment options, as well as strategic planning and practices to promote member outcomes. APRA will assess current practices against relevant prudential standards. APRA’s findings will be shared with the superannuation industry, highlighting areas where enhancements are expected. Releasing the results of APRA’s Climate Vulnerability Assessment for the general insurance sector. In the second half of 2025-26, APRA plans to release the results of its Climate Vulnerability Assessment for the general insurance sector. This assessment has involved Australia’s five largest general insurers and has included detailed analysis of granular, modelled premium data. The findings will provide governments, insurers, policyholders, and the broader community with a clearer understanding of how general insurance affordability may evolve over the medium term in response to the physical and transition risks associated with climate change. A few other key takeaways from the Plan are that APRA: is carefully monitoring potential cyclical risk in the banking system as inflation and interest rates decline, which can give rise to faster rises in house prices, borrowers taking on more leverage, and lenders relaxing their lending standards; continues to position itself as a forward-looking regulator, primarily focused on preventing harm before it occurs; aims to “get the balance right” to ensure its regulation is efficient and proportionate and is working on nine initiatives to minimise regulatory burden and support productivity, but not at the cost of its safety and stability objectives; and is focused on new risks emerging in the system – including potential risks from geopolitical tensions, cyber-attacks, interconnections, an ageing population, and climate change.

Background The Australian Securities and Investments Commission (ASIC) has released its Enforcement and Regulatory Update Report 812, outlining its ongoing focus on consumer and retail investor protection. The reports provide data and analysis from January to June 2025, highlighting key trends in misconduct, enforcement actions, and regulatory priorities. Key ASIC Initiatives in 2025 Some of ASIC’s key initiatives so far in 2025 include: ASIC’s first discussion paper Australia’s evolving capital markets: A discussion paper on the dynamics between public and private markets; ASIC’s Inquiry into the ASX group, led by an expert panel focusing on governance, capability and risk management frameworks and practices across the group; and ASIC’s action against Choosi for allegedly making false representations to customers, claiming it compared products from a range of funeral and life insurers. 2025 Enforcement Priorities Moving forward, ASIC has foreshadowed its 2025 enforcement priorities: Misconduct involving superannuation savings; Unscrupulous property investment schemes; Failures by insurers to deal fairly and in good with customers; Strengthening investigation and prosecution of insider training; Business models designed to avoid consumer credit protections; Misconduct impacting small businesses and their credits; Debt management and collection misconduct; Licensee failures to have adequate cyber-security protections; Greenwashing and misleading conduct involving environmental, sustainability and governance (ESG) claims; Member services failures in the superannuation sector; Auditor misconduct; and Used car finance sold to vulnerable consumers by finance providers

The Australian Securities and Investments Commission (ASIC) has increased its focus on the lodgement of financial reports, following a review of 1,166 ‘grandfathered’ large proprietary companies, after more than half failed to lodge financial reports over FY23 or FY24.  Certain large proprietary companies that were established prior to 1995 and had their financial statements audited were previously exempt from the financial reporting framework in the Corporations Act 2001 (Cth), though these grandfathering arrangements came to an end following the enactment of the Treasury Law Amendment (2022 Measures No. 1) Act 2022 on 10 August 2022. In response, ASIC has foreshadowed taking regulation action to ensure companies to lodge their financial reports moving forward. ASIC has also indicated that it will launch a broader surveillance focused on non-lodgement of financial reports by large proprietary companies, to be completed by Q1 2026. Key takeaway: Companies relying on historical exemptions should not assume they are exempt from current financial reporting obligations.