This Month in Compliance Vol. 15
What's been occupying our compliance attention lately? Here's a rundown of notable updates in the world of payments from the past couple of months.

UK: FCA PS25/12 - Overhaul of safeguarding for payment and e‑money firms (Aug 7)
Overview
The FCA finalised PS25/12, creating a supplementary safeguarding regime for payment institutions and e‑money institutions. It introduces a new monthly safeguarding return, annual safeguarding audits for certain firms, tighter T+1 reconciliation/segregation expectations, and more wind‑down/failure playbooks. The package sits alongside the post‑repeal approach and is designed to protect customer funds and speed up distributions if a firm fails.
Payment and e‑money firms might treat safeguarding as a board‑owned control and map data flows for the new monthly return. It may be prudent to line up audit scope, document timely reconciliation evidence, and refresh wind‑down materials and customer disclosures.
US: CFPB reopens Section 1033 (“open banking”) via ANPR (Aug 22)
Overview
The CFPB issued an Advance Notice of Proposed Rulemaking to reconsider the 2024 Personal Financial Data Rights rule under CFPA §1033. It seeks input on definitions, data access scope, fees, and security/privacy standards, and follows the Bureau’s request to stay related litigation. The move signals potential adjustments to timelines and technical requirements for data‑sharing ecosystems.
Firms active in US data‑sharing should consider preparing a short comment letter on consent, revocation, interface fees, and security benchmarks. It may also help to scenario‑plan for extended compliance dates across bank, aggregator, and fintech APIs.
EU: DORA - Subcontracting RTS (Reg. (EU) 2025/532) published in the OJ (July)
The Commission published the DORA subcontracting RTS in the Official Journal, specifying what financial entities must determine and assess when subcontracting ICT services supporting critical or important functions. The RTS codifies requirements for risk assessment, contractual clauses, oversight of N‑th party chains, and documentation of exit/termination rights. It enters into force 20 days after publication, aligning with DORA’s broader operational resilience framework.
EU‑regulated financial entities and partners need to inventory sub‑outs and add notice/termination/exit clauses where gaps exist. It could be sensible to align incident reporting, monitoring, and exit plans with the RTS and refresh third‑party registers.
EU: AML - High‑risk third‑country list updated (adopted Jun 10, 2025; in force Aug 5)
Overview
The European Commission updated the list of high‑risk third‑country jurisdictions for AML/CFT purposes. New entries include Algeria, Angola, Côte d’Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, and Venezuela, while some jurisdictions were removed. The delegated act entered into force on Aug 5, 2025, after the scrutiny period.
Global: FATF updates Recommendation 16 on payment transparency (Jun 18)
Overview
FATF adopted changes to Recommendation 16 and related interpretive notes to improve the transparency of data accompanying cross‑border payments. The revisions emphasise complete originator/beneficiary information and introduce tools to mitigate fraud and error. Correspondent banks and PSPs will be expected to enhance end‑to‑end data validation and controls.
PSPs and banks might coordinate with correspondent partners on schema/validation updates and fraud‑screening logic. Reviewing remediation SLAs for incomplete or non‑compliant messages could also be helpful.
Global: FATF - Sixth targeted update on Virtual Assets/VASPs (Jun 26)
Overview
FATF’s sixth targeted update highlights the growing role of stablecoins in illicit flows and records continued progress on Travel‑Rule implementation. It flags persistent gaps around DeFi arrangements and stresses stronger supervision of virtual‑asset service providers. The report includes typologies and implementation challenges observed across the global network.
Comments
VASPs and payment firms may wish to close Travel‑Rule gaps across onboarding→transfer→withdrawal and strengthen wallet screening/counterparty due diligence. Documenting typology coverage for stablecoin flows in the AML risk assessment could add clarity.
UK: Enforcement - FCA fines Monzo £21.1m for financial‑crime control failures (Jul 8)
Overview
The FCA fined Monzo for systemic financial‑crime control failings between 2018 and 2020 and for breaching restrictions on opening high‑risk accounts in 2020–2022. Findings covered onboarding, customer risk assessment, and transaction monitoring shortcomings during rapid growth. The case underscores supervisory focus on challenger banks’ control maturity and adherence to imposed restrictions.
Fast‑growing financial institutions should validate BWRA quality, screening coverage, and TM thresholds, and evidence triggers for review or suspension.
At spektr, we understand that keeping up with regulatory changes and maintaining compliance can feel overwhelming. Let's have a chat about your compliance needs and how we can customize solutions to match your unique business requirements!