13 October 2025

FinTech Global FS Regulatory Round-up - W/e 3 October 2025

Herbert Smith Freehills Kramer LLP


In this edition we round up FinTech-related financial services regulatory developments for the week ending 3 October 2025.

ICYMI

UK

FCA: Quantum computing applications in financial services

The FCA has published a research note on the potential applications of quantum computing in UK financial services and how firms and regulators can prepare. Key findings include:

  • quantum presents a national growth opportunity, but this will require coordinated effort across the public and private sector to achieve;
  • near-term commercial applications may be viable, but the full quantum stack needs attention;
  • leading firms are already building readiness strategies;
  • for financial services, applications are broadly falling into three problem domains (optimisation, machine learning and stochastic modelling), but these are at different stages;
  • new regulations are unlikely to be required in the near term, but regulators may seek to develop tools to support quantum development;
  • regulatory awareness is low among quantum computing vendors; and
  • a new Applications Regulatory Readiness Framework could support effective regulatory engagement.

Although research notes do not necessarily represent the position of the FCA, they serve as a source of evidence that the FCA may consider while discharging its functions and to inform its views. [2 Oct 2025] #QuantumComputing

Europe

OJ: Regulation supplementing MiCAR

Commission Delegated Regulation (EU) 2025/1264 supplementing the Markets in Cryptoassets Regulation (MiCAR) with regard to regulatory technical standards (RTS) specifying the minimum contents of the liquidity management policy and procedures for certain issuers of asset-referenced tokens (ARTs) and e-money tokens has been published in the Official Journal of the EU (OJ).

The Regulation will enter into force on the twentieth day following its publication in the OJ. [3 Oct 2025] #MiCAR #Crypto #ARTs #DigitalAsset

ESRB: 59th General Board meeting outcomes

The European Systemic Risk Board (ESRB) has published a summary of the outcomes of its 59th General Board meeting which was held on 25 September 2025. The General Board held that financial stability risks in the EU remain elevated amid ongoing geopolitical uncertainty. Following up on its June 2025 conclusions, the General Board assessed systemic risks associated with stablecoins. It confirmed that the ESRB will publish a report on stablecoins, crypto-investment products and multi-function groups 'in the coming weeks'.

The General Board also discussed and authorised the publication of a report prepared by the Advisory Scientific Committee on AI and systemic risk. The report recognises the many benefits AI can provide to society and, in line with the mandate of the ESRB, examines how AI may exacerbate existing sources of systemic risk and create new risks. [2 Oct 2025] #Stablecoin #Crypto #DigitalAsset #AI

EBA: Work programme 2026

The European Banking Authority (EBA) has published its work programme outlining its key priorities and initiatives for 2026. The programme is built around three priorities:

  • developing a rulebook which contributes to an efficient, resilient and sustainable single market;
  • performing risk assessments with tools, data and methodologies which support effective analysis, supervision and oversight; and
  • tackling innovation to enhance the technological capacity of all stakeholders.

2026 will also see the EBA embark on its oversight and supervisory functions arising from new responsibilities over critical third-party providers (Digital Operational Resilience Act), issuers of crypto assets (Markets in Cryptoassets Regulation), and the use of initial margin models (European Market Infrastructure Regulation). [1 Oct 2025] #DORA #OpRes #MiCAR #Crypto #DigitalAsset

EIOPA: Union-wide strategic supervisory priorities – focus areas for 2026

The European Insurance and Occupational Pensions Authority (EIOPA) has published a paper outlining its focus areas for 2026. EIOPA confirmed that its 2026 focus areas comprise the Digital Operational Resilience Act (DORA) and sustainability risks. [1 Oct 2025] #DORA #OpRes

ESMA: Guidelines on outsourcing to cloud service providers – AIFMD and UCITS entities not subject to DORA

ESMA has published the Guidelines on outsourcing to cloud service providers with translations. These guidelines apply to competent authorities and to depositaries of alternative investment funds (AIFs) referred to in Article 21(3)(c) and in Article 21(3), third subparagraph, of the Alternative Investment Funds Directive (AIFMD), and also to depositaries of UCITS referred to in Article 23(2)(c) of the Undertakings for Collective Investment in Transferable Securities (UCITS) Directive, where such entities are not financial entities to which the Digital Operational Resilience Act (DORA) applies.

The Guidelines apply from 30 September 2025 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. [30 Sep 2025] #DORA #OpRes #CloudService

Hong Kong

SFC and HKMA issue supplemental joint circular to update requirements on intermediaries' VA-related activities

The SFC and the HKMA have issued a supplemental joint circular to intermediaries engaging (or intending to engage) in virtual asset (VA)-related activities, including certain VA dealing services, advisory services, asset management services and/or distribution of investment products with exposure to VAs. This circular updates the requirements under the joint circular issued on 22 December 2023 (see our previous update).

The SFC and the HKMA have conducted a review of the 2023 joint circular in light of market developments and industry feedback, and are introducing some refinements and relaxations to the requirements with a view to facilitating market development while adhering to investor protection. These are set out in the supplemental joint circular, and corresponding updates have been made to the Licensing or registration conditions and terms and conditions for licensed corporations or registered institutions providing virtual asset dealing services and virtual asset advisory services (Appendix 6 of the 2023 joint circular). The updated clean and marked-up versions of these terms and conditions are respectively attached as Appendix A and Appendix B to the supplemental joint circular.

  • In April 2025, the SFC issued requirements on staking for licensed platforms and authorised VA funds (see our previous update) and the HKMA issued similar guidance for authorised financial institutions and subsidiaries of locally incorporated authorised financial institutions (see our previous update). Intermediaries are therefore allowed to provide staking services to their clients subject to complying with the relevant requirements.
  • Licensed corporations and registered institutions may now execute trades via the off-platform VA trading services of SFC-licensed platforms.
  • The SFC and the HKMA clarify that client subscriptions and redemptions of investment products using VAs or in-kind subscriptions or redemptions of VA funds will not be treated as the provision of VA dealing services. Intermediaries should notify the SFC (and the HKMA, where applicable) of such activities in advance and comply with other relevant requirements.
  • The net worth and risk disclosure statement requirements under paragraphs 6.2 and 13 of the 2023 joint circular do not apply to clients who are institutional professional investors or qualified corporate professional investors.

The supplemental joint circular also reminds intermediaries to notify the SFC (and the HKMA, where applicable) before making changes to their VA-related activities, and provide the information set out in the circular.

As for activities involving specified stablecoins issued by an HKMA-licensed issuer under the Stablecoins Ordinance, the SFC and the HKMA will issue guidance in the near future.

Separately, the SFC is inviting tenders for providing system implementation services of a VA trade surveillance system. [30 Sep & 3 Oct 2025] #DigitalAsset

HKMA research examines impacts of cyber incidents on investment fund outflows and effect of cybersecurity preparedness on mitigating liquidity risk

The HKMA has published a research memorandum on a study that aims to empirically examine the impacts of cyber incidents on investment fund outflows, and determine whether better cybersecurity preparedness could mitigate the associated liquidity risk.

As the global financial system becomes more digitalised and interconnected, cyber incidents affecting financial institutions have increased, leading to financial losses, data breaches, operational disruptions, and financial stability concerns, including "cyber runs" (ie, sudden investor withdrawals triggered by loss of confidence in fund managers' cyber risk management).

Using a novel global dataset of 72 global cyber incidents at major fund managers between 2013 and 2024, the analysis revealed that these incidents could trigger "cyber runs" on investment funds. The severity of these runs decreased with the level of fund managers' cybersecurity preparedness.

  • Less-prepared fund managers (with a cybersecurity score in the 10th percentile of the sample) were estimated to experience a weekly fund outflow of 2.9% of their net assets following a cyber incident, far exceeding the average weekly fund inflow of 0.2% over the previous decade. In contrast, better-prepared fund managers (with a median cybersecurity score) were estimated to face a much smaller outflow of 1.2%.
  • In addition, better cybersecurity preparedness could reduce the risk of cyber incidents occurring.

The findings highlight three key policy implications for financial stability:

  • It is crucial to encourage financial institutions to strengthen their cybersecurity to increase their resilience to cyber risks and the potential consequences.
  • Close monitoring of cybersecurity-related liquidity risk is warranted, for example by conducting liquidity tests under cybersecurity-related stress scenarios.
  • International efforts are needed to harmonise cyber incident reporting, as the fragmentation of incident reporting across different data sources may pose challenges for assessing cyber risk impacts on financial stability. [29 Sep 2025] #Cybersecurity

HKMA commences consultation with retail banks on proposed framework for sharing responsibility in relation to losses arising from authorised payment scams

The HKMA's Deputy Chief Executive, Mr Arthur Yuen, has published an inSight article stating that the HKMA has commenced a consultation with retail banks on a proposed framework for sharing responsibility in relation to losses arising from authorised payment scams.

Since the scam transactions are authorised by the customers, the responsibility lies with the customers to verify the transactions before giving authorisation, so as to avoid being scammed. At the same time, the HKMA considers that banks should also have effective anti-scam measures in place to proactively assist customers in protecting themselves from scams. In reality, delineating responsibility for losses in authorised payment scams can be complicated.

Mr Yuen shared some preliminary thoughts regarding the considerations under the proposed framework:

  • Whether banks have proactive and effective monitoring systems and control measures in place to help customers identify and prevent scams;
  • What responsibility customers should bear; and
  • Actual circumstances of the case and the customer's background (for example, whether the customer is an elderly person).

Mr Yuen indicated that the HKMA will have in-depth deliberations with banks during the consultation process, but that a binary or one-size-fits-all approach should be avoided.

He also noted that some jurisdictions have begun to put in place arrangements for determining the responsibility for losses of different parties involved in a scam, but a consistent approach has yet to emerge. Depending on local circumstances, there are various approaches:

  • One that only covers unauthorised transactions resulting from phishing scams and states that banks bear no responsibility beyond providing basic reminders, with the loss primarily borne by the customers;
  • One that requires banks to bear a portion of the losses resulting from authorised payment scams; and
  • One that imposes fines on banks and other responsible parties that fail their scam prevention responsibilities, but does not order compensation to customers. [26 Sep 2025] #Payments #PaymentScam #Phishing

HKMA research highlights operational risks from FIs' ICT third-party dependencies in Asia Pacific

The HKMA has published a research memorandum analysing the extent of financial institutions' (FIs) dependencies on information and communications technology (ICT) third-party providers (TPPs) in the Asia Pacific region.

Using publicly available business relationship data from S&P Capital IQ, the study finds that FIs are exposed to operational risks from both direct and indirect TPP dependencies. Notably, indirect TPP dependencies constitute a more important channel through which operational risks can be transmitted to FIs in the Asia Pacific region.

Other findings include the following:

  • The potential systemic risks arising from disruptions to dominant TPPs could be widespread, warranting close monitoring – The 50 most dominant TPPs (ranked by the total number of FIs that rely on them directly or indirectly) serve half of the sampled FIs, indicating signs of concentration risks associated with FIs' TPP dependencies.
  • Enhancing the monitoring of risks arising from FIs' cross-border dependencies on TPPs is important – The most dominant TPPs are headquartered outside Asia Pacific, suggesting that disruptions to these TPPs could generate significant cross-border spillover effects on FIs in the region.
  • Enhancing FIs' cybersecurity risk management is important – FIs in the region tend to select TPPs with relatively higher cybersecurity risk management quality, which can partly mitigate the risks. There is a strong positive correlation between the quality of FIs' cybersecurity risk management and that of their TPPs, reflecting that FIs with better cybersecurity risk management have greater incentives and ability to select higher quality TPPs. [26 Sep 2025] #Cybersecurity

Singapore

MAS: PoC sandbox for quantum-safe communications in financial sector

MAS has announced that, in collaboration with a number of industry partners, it has successfully completed a proof-of-concept (PoC) sandbox to evaluate the use of Quantum Key Distribution (QKD) for secure communications in the financial sector. A technical report detailing the results and takeaways from the sandbox has been published. Key findings include:

  • QKD has the potential to strengthen the security of communication networks;
  • QKD providers and the telecommunications sector need to continue strengthening QKD security assurance; and
  • more work needs to be undertaken to achieve greater interoperability between different QKD providers. [29 Sep 2025] #QuantumKeyDistribution #PoCSandbox

Thailand

BoT paper: Directions for development of payment systems

The Bank of Thailand (BoT) has published Directions for the Development of Payment Systems under the Thai Financial Sector Landscape to guide the development of the Thai payment system and prepare for future payment innovations. [30 Sep 2025] #Payments

India

SEBI: Extension of timeline for implementation of circular 'Safer participation of retail investors in algorithmic trading'

SEBI has announced an extension to the timeline for implementing its February 2025 circular entitled 'Safer participation of retail investors in algorithmic trading'. Following discussions with exchanges, broker associations and algorithmic vendors, SEBI has set out a structured timeline for carrying out the required system changes. [30 Sep 2025] #Algos

US

CFTC to participate in World Investor Week 2025

The CFTC Office of Customer Education and Outreach has confirmed that it will participate in World Investor Week which runs from October 6 to 12. The themes this year are scam prevention, digital finance, and AI. [30 Sep 2025] #AI

NY DFS issues updated guidance on virtual currency customer protections in the event of insolvency

The New York State Department of Financial Services (NY DFS) has issued updated guidance on virtual currency consumer protections in the event of an insolvency. The updated guidance addresses:

  • acceptable sub-custodians and sub-custodial service agreements;
  • how sub-custodians structure their asset custody framework;
  • permissible uses of customer assets; and
  • sound custody and disclosure practices to protect customers in the event of an insolvency or similar proceeding. [30 Sep 2025] #DigitalAsset

CFTC secures order for over $5.5m in restitution for victims of fraud

The CFTC has announced that it has obtained an order for in excess of $5.5m for victims of a commodity pool fraud. The restitution is in addition to a $1.36m civil monetary penalty and a permanent ban for a Tennessee couple from trading and registering with the CFTC along with prohibitions on further violations of the Commodity Exchange Act and CFTC regulations, as charged.

The CFTC press release explains that the couple secured investment of over $6.5m from approximately 145 individuals for a fraudulent commodity pool named "Blessing Thru Crypto". Trading of the investors' funds was to be guided by a still-unidentified individual referred to as "Coach Wendy" on a trading platform which, it transpired, was an illegitimate copy of an overseas exchange. [25 Sep 2025] #DigitalAsset
