Last Month in Compliance Vol. 16
What's been occupying our compliance attention lately? Here's a rundown of notable updates in the world of payments from November.

AI Governance Tightens Across Financial Services
The Monetary Authority of Singapore released draft AI Risk Management Guidelines outlining expectations for board-level oversight, AI system inventories, risk materiality assessments, and lifecycle controls covering fairness, explainability, data governance, human oversight, third-party risks, and model monitoring.
Regulators are increasingly treating AI as a regulated capability rather than a purely technical tool. Institutions relying on AI for onboarding, monitoring, or risk scoring may need clearer governance structures, evidence trails, and documentation demonstrating that AI-enabled decisions remain accountable and traceable.
DORA Enters a New Phase as Europe Designates Critical ICT Third-Party Providers
The European Supervisory Authorities (EBA, ESMA, EIOPA) published the first official list of Critical ICT Third-Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA). The designation followed a structured process:
• collection of ICT outsourcing data from financial entities’ registers,
• multi-sector criticality assessments with national competent authorities,
• provider notification and right-to-be-heard procedures.
The designated providers deliver core infrastructure, cloud, data and business-layer ICT services across the EU’s financial sector and will now enter direct ESA oversight.
ICT providers supporting essential banking, trading or insurance functions will need demonstrable governance, resilience and incident-management frameworks. Financial institutions, in turn, may need deeper visibility into concentration risks and reliance on dominant vendors.
Crypto Oversight Tightens Globally
(EU, Canada, Japan 4-24 November 2025)
A Eurojust-led operation dismantled a €600 million crypto investment scam built on fake trading platforms, fabricated ads, and celebrity endorsements. Nine suspects were arrested and assets seized across multiple jurisdictions.
In Japan, the FSA proposed classifying cryptocurrencies as financial products subject to insider-trading rules under the Financial Instruments and Exchange Act. The reforms would lower the corporate tax rate on crypto profits, require disclosures on price-volatility risks, allow banks and insurers to sell crypto through their securities subsidiaries, and potentially permit banks to hold crypto for investment or operate exchange and custody businesses. Major Japanese banking groups are also collaborating on a yen-pegged stablecoin to streamline corporate settlements.
Around the same time, Canada issued a record C$176.9 million fine against Cryptomus for failing to report more than a thousand suspicious transactions linked to fraud, sanctions evasion, ransomware payments and child exploitation material.
Taken together, these developments signal a global shift toward bringing crypto closer to the standards applied to traditional financial products. As jurisdictions align crypto with securities-style supervision and impose heavier penalties for compliance failures, expectations around market-abuse monitoring, disclosure, surveillance and transaction-reporting will continue to rise.
Fraud Patterns Shift Toward High-Value Investment Scams
(UK, 17 November 2025)
UK Finance reported that authorised push-payment (APP) fraud losses rose 12% to £257.5m in the first half of 2025. Investment scams grew by 55% and accounted for the largest increases in losses, while purchase scams continued to make up the majority of cases. Most scams originated online or through telecommunications channels.
Starling Bank also launched an AI-driven “Scam Intelligence” tool that evaluates marketplace listings and images to help customers identify fraudulent sellers before making payments.
APP fraud continues to evolve from low-value merchant disputes to higher-value, socially engineered schemes. With fraud originating largely outside the banking system, institutions are increasingly exploring AI-enabled early-warning mechanisms and collaborative intelligence to counter fast-moving scam typologies.
Stablecoins Move Further Into Mainstream Payments
(Global, 12 November 2025)
Visa began pilot testing USD-backed stablecoin payouts to creators and gig workers, enabling “minutes-not-days” settlement directly to users’ wallets.
Revolut, on the same day, launched fee-free 1:1 conversion between USD and USDC/USDT, together with multi-chain transfers and card-linked spending.
Stablecoins are merging into traditional payment flows, reducing friction for global payouts. As adoption widens, expectations for wallet attribution, cross-chain monitoring and consistent sanctions screening will likely become stricter across financial institutions.
Data-Sharing & Open Banking Face Continued Uncertainty in the U.S.
(United States, 31 October 2025)
A judge has temporarily blocked the CFPB’s new financial data rule, putting the 2026 deadline on hold. This decision highlights the ongoing conflict between traditional banks and fintech companies over data sharing.
This ruling adds more uncertainty to the future of U.S. open banking. Since the rules and timelines are now unclear, companies need to stay flexible in how they manage data, especially as the U.S. system continues to develop differently from the UK and EU.
At spektr, we understand that keeping up with regulatory changes and maintaining compliance can feel overwhelming. Let's have a chat about your compliance needs and how we can customize solutions to match your unique business requirements!


