On 10 July 2025, the EU published Commission Regulation (EU) 2025/1331 of 9 July 2025 amending Regulation (EU) 2023/1803 as regards International Financial Reporting Standards 1, 7, 9 and 10, and International Accounting Standard 7.

Article 1

In the Annex to Regulation (EU) 2023/1803, the following is amended in accordance with the Annex to this Regulation:

(a) International Financial Reporting Standard (‘IFRS’) 1 First-time Adoption of International Financial Reporting Standards;

(b) IFRS 7 Financial Instruments: Disclosures;

(c) IFRS 9 Financial Instruments;

(d) IFRS 10 Consolidated Financial Statements;

(e) International Accounting Standard (‘IAS’) 7 Statement of Cash Flows.

Article 2

Each company shall apply the amendments referred to in Article 1, at the latest, as from the commencement date of its first financial year starting on or after 1 January 2026.

Article 3

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

On 9 July 2025, the EP updated EU list of money-laundering high-risk countries.

The 4th Anti-Money-Laundering Directive empowers the European Commission to identify high-risk third countries with strategic deficiencies in their AML/CFT regimes and list them through delegated acts, which Parliament or Council can block with an objection - in the case of Parliament, by a majority of its component members.

The update adds the following entries to the list:

Algeria, Angola, Côte d’Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, Venezuela.

And removes the following:

Barbados, Gibraltar, Jamaica, Panama, the Philippines, Senegal, Uganda, the United Arab Emirates.

On 15 July 2025, the AMLA published its Work Programme 2025.

This first Work Programme reflects AMLA’s start-up status and is structured around two core dimensions: the progress achieved so far in 2025, and the priorities for the remainder of the year. It translates European ambitions into actionable steps, aligning with the EU’s strategic commitment to financial integrity and security. 

At the core of AMLA’s mandate are three deliverables, drawn from the AML Package: 

• Completing the Single Rulebook, to ensure regulatory convergence and consistency across all Member States. 
• Developing harmonised supervisory practices, enabling effective and coherent su pervision across both financial and non-financial sectors. 
• Strengthening the working methods and cooperation of Financial Intelligence Units (FIUs), ensuring robust information exchange and enhanced collaboration with law enforcement authorities. 

To fulfil its mandate effectively and sustainably, AMLA has defined the following long-term strategic objectives: 

• Convergence and consistency: Establish a robust and uniform AML framework across the EU by promoting regulatory, supervisory and FIU convergence, using best practices and methodologies while paying attention to compliance costs. 
• Cooperation and inclusiveness, amongst the diverse group of stakeholders: Foster a shared AML/CFT culture with NCAs, FIUs, law enforcement, EU institutions, and private stakeholders to ensure cohesion and trust. 
• Spearheading technology in an evolving landscape: Build up competencies that can be responsive to innovation and the new risk emerging with technology. 
• Credibility and accountability towards the citizens and institutions: Build AMLA’s institutional trust through transparency, communication, and sound governance. 
• Global leadership: Position AMLA as a leading authority in the global fight against money laundering and terrorist financing, promoting high standards, and fostering cooperation.

On 18 July 2025, the EC published Guidelines on the scope of obligations for providers of general-purpose AI models under the AI Act.

Regulation (EU) 2024/1689 of the European Parliament and the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending certain regulations (‘AI Act’) entered into force on 1 August 2024. Its aim is to promote innovation in and uptake of artificial intelligence (‘AI’) in the Union, while ensuring a high level of protection of health, safety, and fundamental rights, including democracy and the rule of law.

These guidelines address four key topics: 

• general-purpose AI models (Section 2); 
• providers placing on the market general-purpose AI models (Section 3); 
• exemptions from certain obligations for providers of general purpose AI models released as open-source (Section 4); 
• compliance with the obligations for providers of general-purpose AI models (Section 5).

In doing so, these guidelines should in particular help actors along the AI value chain to determine: 

• whether their model is a general-purpose AI model; 
• whether they are the provider placing on the market that general-purpose AI model; 
• whether they are exempt from the obligations for providers of general-purpose AI models; and 
• what to expect regarding the Commission’s enforcement of compliance with these obligations, in particular during the period immediately after their entry into application on 2 August 2025.

On 2 July 2025, the EBA published public consultation on its draft Guidelines on the methodology institutions shall apply for their own estimation and application of credit conversion factors (CCF) under the CRR.

These Guidelines are a part of the IRB repair programme, are built on the now-stabilised CRR framework, and aim to provide institutions with clear and consistent expectations for Credit Conversion Factor (CCF) estimation.

By leveraging on existing guidance, particularly through the Guidelines on the Probability of Default (PD) and Loss Given Default (LGD) estimation, the EBA aims to ensure alignment and coherence across key risk parameters in the IRB approach, thus promoting a harmonised and reliable modelling landscape.

Much of the CCF guidance formalises existing expectations already in place for PD and LGD, ensuring consistency for institutions while enhancing clarity for CCF models. Recognising the relatively lower materiality and narrower scope of CCF compared to PD and LGD, the EBA aims to introduce with these new Guidelines simplified approaches where appropriate, to support the efficient implementation of risk sensitive methodologies without compromising prudence.

The Consultation Paper includes a list of detailed questions on the proposed approaches to ensure that the EBA receives relevant feedback in order to provide meaningful guidelines to maintain robust internal models while reducing unnecessary complexity.

The Consultation closes on 15 October 2025. 

On 2 July 2025, the ESMA published Compliance table on MiCA crypto-asset transfer Guidelines.

Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets under the Markets in Crypto Assets Regulation (MiCA) on investor protection (ESMA35-1872330276-2032).

The following competent authorities comply or intend to comply with ESMA’s Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets under the Markets in Crypto Assets Regulation (MiCA) on investor protection (ESMA35-1872330276-2032).

BACKGROUND

On 9 July 2025, ESMA published Guidelines on supervisory practices to prevent and detect market abuse under the Markets in Crypto-Assets Regulation (MiCA). These Guidelines are based on Article 92(3) of MiCA and Article 16 of the ESMA Regulation. Their main objective is to ensure consistency among competent authorities in the supervision of crypto-asset markets, particularly regarding the prevention and detection of insider dealing, unlawful disclosure of inside information, and market manipulation. The Guidelines aim to support a uniform and effective application of Title VI of MiCA (Articles 86–92) across the EU.

WHAT'S NEW?

The Guidelines introduce a structured framework for competent authorities to prevent and detect market abuse in crypto-asset markets. They provide practical guidance on applying proportionality in supervision, integrating existing practices, ensuring adequate resources, and fostering a common supervisory culture to protect market integrity. They also emphasize active engagement with stakeholders, monitoring and surveillance, supervision of crypto-asset service providers’ systems and procedures, and effective coordination among ESMA and national competent authorities. In addition, the Guidelines address challenges posed by third-country entities and cross-border market abuse, ensuring authorities can respond effectively to market integrity risks in a global context.

WHAT'S NEXT?

National competent authorities should implement these Guidelines in their supervisory practices to ensure consistent and effective oversight of market abuse in crypto-asset markets. Crypto-asset service providers should expect increased supervisory scrutiny, particularly regarding their arrangements, systems, and procedures to prevent and detect market abuse. ESMA will continue coordinating with national authorities to monitor the application of the Guidelines and may provide further updates or clarifications based on evolving market practices and risks.

On 9 July 2025, the ESMA published Compliance table on MiCA suitability and portfolio periodic statement Guidelines.

The table clarifies which competent authorities comply or intend to comply with ESMA’s Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets under the Markets in Crypto Assets Regulation (MiCA) on investor protection (ESMA35-1872330276-2032).

BACKGROUND

On 11 July 2025, ESMA published its Final Report containing the Guidelines on the criteria for assessing knowledge and competence under the Markets in Crypto-Assets Regulation (MiCA). The Guidelines aim to strengthen investor protection by ensuring that staff providing information or advice on crypto-assets or crypto-asset services have an appropriate level of knowledge and competence. They also provide a framework for competent authorities to assess whether crypto-asset service providers are meeting their obligations to act in the best interests of clients. By establishing clear criteria, the Guidelines support a consistent approach across the EU in supervising crypto-asset activities.

WHAT'S NEW?

The Guidelines introduce specific criteria to assess the knowledge and competence of staff advising on or providing information about crypto-assets. They take into account the unique features and risks of crypto-asset markets and services, ensuring that staff are adequately prepared to provide informed advice. The Guidelines clarify minimum standards of knowledge, covering both general financial concepts and crypto-specific topics, and provide practical guidance to help crypto-asset service providers implement these standards effectively. ESMA expects these Guidelines to promote greater convergence across the EU in how knowledge and competence are assessed and applied.

WHAT'S NEXT?

Crypto-asset service providers should review and adapt their internal procedures to align with the ESMA Guidelines, ensuring that their staff meet the defined knowledge and competence criteria. Competent authorities will use these Guidelines to supervise and evaluate providers’ compliance with MiCA obligations. Firms should also prepare for ongoing monitoring and potential updates as ESMA and national authorities assess the effectiveness and application of the Guidelines in practice.

BACKGROUND

On 20 August 2025, the EU published Commission Delegated Regulation (EU) 2025/885 (dated 29 April 2025) supplementing MiCA (Regulation (EU) 2023/1114). The act sets regulatory technical standards (RTS) for: (i) arrangements, systems and procedures to prevent, detect and report market abuse in crypto-assets; (ii) a harmonised Suspicious Transaction and Order Report (STOR) template; and (iii) coordination procedures between competent authorities in cross-border market abuse situations.

WHAT'S NEW?

The RTS require persons professionally arranging or executing transactions in crypto-assets to operate proportionate surveillance that covers all orders and transactions, whether on-chain or off-chain, and relevant aspects of DLT functioning (including consensus). Monitoring must generate alerts, include human analysis by trained staff, and be supported by ICT capable of order-book replay and functioning in algorithmic environments. Governance and proportionality are emphasised, including regular audits, written documentation, and five-year record-keeping.

• A single EU STOR template standardises content, timing and transmission. Reports must be fact-based and submitted without delay once reasonable suspicion arises; supporting material (e.g., order-book extracts, blockchain hashes) may be attached. Confidentiality is required to avoid tipping-off.
• Delegation/outsourcing within a group or to third parties is permitted for surveillance/analytics, but the delegating firm remains responsible.

Analyses should consider both internal data and public blockchain information.

• For cross-border cases, the RTS set information-sharing and coordination between national authorities (using the unsolicited-information form under Implementing Regulation (EU) 2024/2545), with ESMA able to coordinate upon request.

WHAT'S NEXT?

The Regulation entered into force on 9 September 2025 and is directly applicable across the EU. From that date, in-scope firms use the EU STOR template and apply the prescribed monitoring, reporting and confidentiality arrangements, while competent authorities follow the cross-border coordination procedures set out in the act.

BACKGROUND

On 2 July 2025, the EU published Commission Delegated Regulation (EU) 2025/532, supplementing the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). This Regulation sets regulatory technical standards (RTS) specifying the elements that financial entities must determine and assess when subcontracting ICT services that support critical or important functions. Financial entities increasingly rely on complex chains of ICT service providers and subcontractors, which can introduce risks related to service continuity, information security, and risk management. Identifying and managing these risks is essential for maintaining operational resilience.

WHAT'S NEW?

The Regulation requires financial entities to identify the entire chain of ICT subcontractors that provide critical or important services and to continuously focus on those subcontractors whose services underpin these functions. It establishes proportionality in assessments, recognizing differences in size, structure, and complexity among financial entities. The Regulation also sets conditions for ICT subcontracting, including risk assessments, due diligence, approval processes, and planning of subcontracting arrangements. ICT third-party providers are required to assess the suitability of potential subcontractors based on contractual obligations, including expertise, financial and technical resources, information security, organizational structure, and internal controls. This ensures that risks linked to subcontracting are properly mitigated before services are engaged or changed.

WHAT'S NEXT?

The Regulation entered into force on 22 July 2025. Financial entities and ICT third-party providers must align their subcontracting arrangements with the requirements, including documenting the chain of subcontractors, performing due diligence, and ensuring contractual clauses cover all necessary risk management measures. Competent authorities are expected to supervise compliance with these standards, and entities should prepare to demonstrate that they have identified and assessed all critical ICT subcontractors and implemented the required safeguards.

On 8 July 2025, the EBA launches a public consultation on the draft Guidelines on the sound management of third-party risk.

The draft Guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors with a particular focus on the provision of critical or important functions. These Guidelines revise and update the previous EBA Guidelines on outsourcing, published in 2019, in line with the DORA. The consultation runs until 8 October 2025.

The draft Guidelines specify the steps to be taken by financial entities for the life cycle of third-party arrangements (i.e. risk assessment, due diligence, contractual phase, sub-contracting, monitoring, exit strategies and termination processes) to ensure consistency with the requirements under the DORA framework to the extent possible. The draft Guidelines provide specific criteria for the application of the proportionality principle.

In addition, the draft Guidelines ensure consistency with the DORA register by allowing financial institutions to store consistent information for both ICT and non-ICT services, including the possibility of using one single register. Taking into account the application of proportionality, the level of information to be documented has been limited to reduce the burden on both financial entities and competent authorities.

To ensure a smooth and efficient transition, financial entities falling under the scope of the updated Guidelines have a transitional period of two years to review and amend their existing third-party arrangements (TPA) and to update the register for non-ICT TPA.

The Consultation closes on 8 October 2025. 

BACKGROUND

On 11 July 2025, ESMA published its Final Report containing the revised Guidelines on outsourcing to cloud service providers. These Guidelines build on the original 2021 Guidelines, which were designed to help firms identify, address, and monitor risks arising from cloud outsourcing arrangements and to promote a consistent supervisory approach across EU competent authorities. With the application of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) on 17 January 2025, the subject matter of the 2021 Guidelines has largely been incorporated into EU law. DORA consolidates the EU framework on digital operational resilience, including ICT third-party risk, and amends several regulations and directives that underpinned the 2021 Guidelines. Most entities previously subject to the Guidelines are now covered by DORA, though some depositaries under the AIFMD and UCITS Directive remain outside DORA’s scope

WHAT'S NEW?

The revised Guidelines reflect the updated EU legal framework under DORA. They provide guidance on outsourcing to cloud service providers that aligns with DORA’s requirements, ensuring that firms maintain adequate risk management, governance, and monitoring processes. While the 2021 Guidelines focused on cloud outsourcing risks in isolation, the revised version situates these requirements within the broader framework of digital operational resilience. The Guidelines now emphasize the need for firms to ensure continuity, security, and control over outsourced cloud services in line with DORA principles, while also clarifying which entities remain outside the DORA scope and thus still rely on the ESMA Guidelines directly.

WHAT'S NEXT?

Entities affected by these Guidelines should review their existing cloud outsourcing arrangements and ensure they comply with both the revised Guidelines and the applicable DORA requirements. Firms still outside DORA’s scope, such as certain depositaries, must continue to follow the ESMA Guidelines directly. Competent authorities across the EU will continue to supervise cloud outsourcing arrangements to ensure convergence in practices and adherence to digital operational resilience standards. Firms should also monitor potential updates or clarifications from ESMA as DORA implementation progresses.

On 11 July 2025, the ESMA published compliance table on the Joint Guidelines for oversight cooperation under DORA.

The following competent authorities comply or intend to comply with the Joint Guidelines on oversight cooperation under DORA (JC/GL/2024/36). 

The guidelines' date of entry into application is 17 January 2025, while for guideline 5.1 compliance (i.e. reporting) will only be possible when the 1st reporting starts on 30 April 2025, as per the BoS decision. Similarly, for GL 1.6, compliance (i.e. using the secure tool) will only be possible when the tool is rolled out by the ESAs in 2025 Q3.

On 15 July 2025, the EBA published guide on DORA Oversight activities.

Recognising the pivotal role technology plays in the viability and competitiveness of the financial sector, as well as the growing reliance of financial entities (FEs) on external ICT services, the Digital Operational Resilience Act (DORA) introduces a comprehensive oversight framework for critical third-party service providers (CTPPs) of Information and Communication Technologies (ICT). The three European Supervisory Authorities (ESAs) are empowered to oversee CTPPs on a pan-European scale, enhancing the overall digital operational resilience across the various Union financial areas. This oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers. It complements, rather than replaces, financial entities' own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities (CA).

This guide provides high-level explanations to external stakeholders regarding the CTPP Oversight framework. 

Furthermore, it provides an overview of the governance structure, the oversight processes, the founding principles and the tools available to the overseers.

However, the guide is not a legally binding document and does not replace the legal requirements laid down in the relevant applicable EU law.

The ESAs invite the public, financial entities and, crucially, third-party providers to use this document to prepare for the oversight implementation.

On 25 July 2025, the EBA updated its FAQ on DORA.

The questions are as follows:

Do financial entities must include non-financial entities within the same group in the Register of Information?

If not, why is there an option to do so?

While the primary purpose of the template B_01.02 is to provide a complete overview of the financial entities that are part of the group and that are included in the group registers, it should also capture other non-financial group entities relevant to the provision of ICT services. This includes non-financial entities involved in the provision ICT services, such as intra-group service providers (also to be reported in B_05.01), and also non-financial entities that have signed contractual arrangements for the provision of ICT services on behalf of a financial entity in the group (also to be reported in B_03.01).

In the "RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework"; How should we read: ''A separate and dedicated network for ICT asset administration, along with strict prohibition of direct internet access[...]''? (article 13, paragraph 1, sub (c)).

A separate and dedicated network could be on-premises, but is a virtual-LAN sufficient? or is it enough to have it in the regular production-LAN with other systems? and what if the CMDB is in a cloud environment? is it then a de facto separated and dedicated network or not?

DORA regulation and the corresponding technical standards are principle-based ( Delegated regulation - EU - 2024/1774 - EN - EUR-Lex) and technology agnostic and thus they do not identify specific configurations to ensure they can remain future-proof and that financial entities can decide on the specific arrangements based on their needs, their bespoke environment and their ICT risk assessment. 

In this context, logical (e.g. using of virtual-LAN (vLAN) or a cloud-based solution), physical separation or a combination of both may or may not serve as adequate controls to meet the requirement of “(c)the use of a separate and dedicated network for the administration of ICT assets” (RTS on ICT risk management Article 13(c)). The decision on which controls to implement to ensure such separation would need to be taken in accordance with Article 13 point (a) and in compliance with Article 13 as a whole for network security management aspects.

For example, in the case of isolating an administrative network, where ensuring sufficient separation is key, it is also important to stress that a virtual LAN (vLAN) alone may not be sufficient to ensure effective isolation of the administrative network. In this case, the financial entity should assess whether the logical segregation alone is sufficient and in the case of opting for a VLAN at least consider complementing vLAN with additional controls (e.g. a firewall with an appropriate filtering policy, or implementing appropriate routing, etc). Furthermore, it is important to note that any decision on the use of the regular production-LAN with other systems, would need to consider also at a minimum the requirements under Article 8(2)(b), and Recital 10.

According to Article 28(3) of DORA, must an EU parent bank, which has subsidiaries both within and outside the EU, maintain the register of information regarding all contractual arrangements for the use of ICT services only for subsidiaries that are subject to DORA (financial entities established in the EU), or does this requirement extend to subsidiaries established outside the EU for which DORA does not apply?

Answer already provided as part of the frequently asked questions (FAQ) about the preparation and the reporting of the registers of information of contractual arrangements with the ICT third-party providers that financial entities need to maintain in accordance with Article 28(3) of Regulation (EU) 2022/2554 (DORA) and as specified in the Commission Implementing Regulation (EU) 2024/2956 (ITS on the registers of information).

The scope of the registers of information held at the sub-consolidated and consolidated basis should reflect all financial entities and their branches that belong to their consolidation scope in accordance with both Directive 2013/34/EU and the relevant sectorial Union legislation.

On 11 July 2025, the ESMA published a public statement on Avoiding Misperceptions - Guidance for Crypto-Asset Service Providers Offering Unregulated Services.

Public statement warns investors of the ‘halo effect’ that can lead to overlooking risk when authorised crypto-asset service providers (CASP’s) offer both regulated and unregulated products and/or services.

The statement also reminds CASPs of the issues that they should consider when providing unregulated products and services, recommending that they should be particularly vigilant about avoiding any client confusion regarding the protections attached to unregulated products and/or services. 

To avoid any misunderstanding CASPs should clearly communicate the regulatory status of each product or service in all client interactions and at every stage of the sales process. 

In addition, ESMA reminds crypto-assets entities of their obligation to act fairly, professionally and in the best interests of their clients, ensuring that all information, including marketing communications, is fair, clear and not misleading.

On 15 July 2025, the ESMA updated its Q&A on UCITS.

The question is:

Can the manager of a feeder fund within the meaning of Article 58 of the UCITS Directive charge a performance fee?

Under Article 58 of the UCITS Directive, a feeder fund is a fund which has been approved to invest at least 85 % of its assets in units of another fund (master funds). Paragraph 18 of the Guidelines states that a manager “should always be able to demonstrate how the performance fee model of a fund it manages constitutes a reasonable incentive for the manager and is aligned with investors’ interests”.  

Against this background, the feeder manager does not exercise sufficient discretion over the asset allocation, selection and fund strategy to warrant the charging of a performance fee and as such, the charging of a performance fee to investors should not be considered as appropriate and justified in such cases. Therefore, performance fees, if any, should only be charged at the level of the master fund.  

This is unless: 

• the master fund and the feeder fund are managed by the same manager or by managers belonging to the same group; and  
• the only investor(s) of the master fund is(are) feeder fund(s); 

in which case performance fees could be paid at the level of the feeder fund(s), and not at the level of the master fund, provided that this approach applies consistently to all feeder funds, if more than one. 

On the 21 August 2025, the ESMA published hyperlinks for cross-border distribution of investment funds.

The ESMA publication ESMA34-45-1576 is designed to serve as a single point of reference for fund managers navigating the complex landscape of cross-border distribution rules. It fulfils ESMA’s duty under Regulation (EU) 2019/1156 by gathering in one place the official hyperlinks to the websites of national competent authorities across the EU and EFTA. On these pages, managers will find the complete and up-to-date national laws, regulations, and administrative provisions governing the marketing of UCITS and AIFs, along with the lists of supervisory fees and charges imposed in connection with cross-border activities.

In addition to these links, the document reproduces the national summaries provided directly by the authorities themselves. These summaries outline the practical details of each jurisdiction’s regime, including how notification procedures are handled, whether prior approval of marketing communications is required, the functioning of passporting and de-notification processes, and the language, disclosure, and reporting obligations that may apply. In some cases, they also highlight how national rules treat specific categories of funds, such as real estate or private equity vehicles, and whether marketing to retail investors differs from marketing to professional investors.

By consolidating this information across all EU Member States as well as Iceland, Liechtenstein, and Norway, the publication acts as a centralised navigation tool. It does not impose new requirements but instead reduces uncertainty and administrative burden by directing market participants straight to the authoritative sources and providing a comparative overview of supervisory practices. This makes it a practical guide for managers planning or maintaining cross-border distribution strategies.

On 7 August 2025, the EBA published consultation on its revised Guidelines on internal governance under the CRD.

The draft revised Guidelines have been amended to reflect the changes brought by CRD VI. They specify further the requirements under Article 88(3) of CRD VI, to ensure that each member of the management body, senior manager and key function holder have a documented statement of role and duties, and that a mapping of duties of the members of the management body, senior managers and key function holders has been drawn up.  They also provide specific guidance to ensure that third-country branches have a robust governance framework in place.

The draft revised Guidelines have been amended also to ensure alignment with the DORA Regulation and take into account the findings of the EBA benchmarking Report of diversity practices and gender-neutral remuneration policies. Finally, they also consider the lessons learned from supervisory practices across the EU.

The Consultation closes on 5 October 2025. 

On 1 July 2025, the EC published Commission Delegated Regulation (EU) supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards specifying the method for identifying the main risk driver of a position and for determining whether a transaction represents a long or a short position as referred to in Articles 94(3), 273a(3) and 325a(2).

The size of the business constitutes a proxy for the degree of sophistication that institutions should have in their capital calculations. To determine whether institutions are allowed to use simplified methods for the calculation of own funds requirements for market and counterparty credit risks, they are required to calculate the size of the on- and off-balance-sheet business in accordance with Article 94(1), Article 273a(1) and (2), and Article 325a(1) of Regulation (EU) No 575/2013 . The identification of the main risk driver of a position and, on that basis, the determination of whether a transaction represents a long or a short position, are fundamental for the correct calculation of the size of the business. 

Given the importance of those calculations for small and non-complex institutions, the method for identifying the main risk driver of a position and for determining whether a transaction represents a long or a short position should be proportionate to the degree of complexity of the institution.

The simplified approach should lead to results that are consistent with the risk weighted delta sensitivities approach. Nevertheless, simplifying assumptions should be introduced to reduce the computational and operational burden for institutions, in particular with regard to instruments denominated in a currency that is different from the institution’s reporting currency. For that reason, institutions should be allowed to disregard in the determination of the main risk driver the spot exchange rate between the currency in which the instrument is denominated and the institution’s reporting currency for stocks, bonds and derivative transactions the underlying of which would normally be allocated to the interest rate, credit, equity or commodity risk categories.

Cash positions in the reporting currency should not be taken into account when determining the size of the business, since they do not change their market value under the influence of changes to risk drivers.

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority.

BACKGROUND

On 1 August 2025, the EU published Commission Delegated Regulation (EU) 2025/789 of 23 April 2025. The text supplements Regulation (EU) No 575/2013 (CRR) by setting out regulatory technical standards on the conditions and indicators that the EBA must use when determining whether extraordinary circumstances under Articles 325az(5) and 325bf(6) have occurred. These provisions are part of the CRR’s market risk framework, aligned with Basel Committee standards, which allow competent authorities to grant relief from back-testing and profit and loss attribution (PLA) requirements in exceptional cases.

WHAT'S NEW?

The regulation establishes the principles and conditions for recognising extraordinary circumstances:

• Such circumstances may be recognised only where significant cross-border financial market stress or a major regime shift materially affects institutions across the Union.
• A further condition is that institutions are unable to meet back-testing or PLA requirements due to events beyond their control, provided the deficiencies are not attributable to their internal models.
• Both tests are assessed over the preceding 250 business days. Extraordinary circumstances can be recognised when this period includes a span of severe market stress or regime change causing test exceptions not linked to model flaws.
• While each crisis is unique, the regulation identifies common traits such as sharp volatility spikes, correlation shifts, and sudden manifestations of stress. However, volatility changes alone are insufficient to establish extraordinary circumstances.

The EBA must base its assessment on appropriate indicators, including volatility indices, historical comparisons with events such as the global financial crisis or the COVID-19 pandemic, the speed of the shock, and correlation patterns.

WHAT'S NEXT?

The Delegated Regulation entered into force on 22 August 2025 and will be directly applicable across the EU. Institutions and supervisors will rely on this framework when assessing whether exceptional relief from CRR market risk requirements is justified in future episodes of market stress.

On 7 July 2025, the EBA published public consultation on  its draft Guidelines on Ancillary Services Undertakings.

The proper identification of ASUs is essential to ensure the consistent and effective application of the prudential framework. It plays a key role in determining the scope of prudential consolidation for banking groups, there by enabling institutions to comply with the obligations laid down in the CRR on a consolidated basis.

The draft Guidelines set the criteria for the identification of: (a) activities that should be considered a “direct extension of banking”; and (b) activities that should be considered “ancillary to banking”. They also outline the process to identify activities that the EBA may consider similar to those referred to in the CRR to ensure that the guidelines remain responsive to emerging sources of risks. 

The objective of the draft Guidelines is to promote convergence in institutions and supervisory practices regarding the identification of ASUs, with the aim of ensuring a level playing field and enhancing the comparability of prudential requirements across the EU.

The Consultation closes on 7 October 2025.

BACKGROUND

On 1 July 2025, the European Banking Authority (EBA) published its final Guidelines on Acquisition, Development, and Construction (ADC) exposures to residential property under the Capital Requirements Regulation (CRR). The Guidelines provide clarity on the conditions under which institutions can apply a risk weight of 100% instead of 150% to ADC exposures that meet defined credit risk-mitigating criteria. These Guidelines form part of the first phase of the EBA’s roadmap on credit risk implementation of the EU Banking Package and follow a public consultation in May 2024, taking into account stakeholder feedback and data from the 2024 Quantitative Impact Study (QIS).

WHAT'S NEW?

The Guidelines clarify the two conditions that ADC exposures must meet to benefit from the 100% risk weight. The first condition, unchanged from the consultation, requires that at least 50% of total contracts are either pre-sale contracts with a minimum 10% cash deposit, pre-lease contracts with a deposit equal to three months’ rent, or sale-and-lease contracts. The second condition, revised in response to industry feedback and QIS data, lowers the equity-at-risk threshold from 35% to 25% of the residential property’s value upon completion. For public housing projects, the Guidelines introduce additional flexibility: the first condition can be met if applicant demand exceeds unit supply at the municipality level, the equity requirement is reduced to 20%, and eligible equity now includes committed subsidies, grants, and preferential junior loans. These adjustments aim to reflect the characteristics of public housing while maintaining prudential standards.

WHAT'S NEXT?

Institutions should update their ADC exposure risk-weight calculations in line with the new Guidelines, ensuring compliance with the clarified conditions. Public housing projects can apply the more flexible criteria where applicable. Competent authorities will monitor implementation and may use the QIS data to assess the impact and consistency of application across institutions. Institutions should also document their compliance and maintain records to demonstrate adherence to the revised equity and contract requirements.

On 2 July 2025, the EBA launched public consultation on the application of the definition of default under the CRR.

The proposal to retain the 1% threshold is based on three key considerations:

• The current framework is already flexible and risk-sensitive, allows effective restructuring without misclassifying defaults, and is aligned with established accounting principles.
• Maintaining consistency with existing prudential standards helps safeguard the progress made in reducing non-performing loans and prevents regulatory arbitrage.
• A stable threshold supports reliable credit risk modelling, ensuring accurate capital and provisioning assessments across portfolios under both IRB and IFRS 9.

To allow for more proactive debt restructuring and reduce the potential burden on debtors, the EBA is considering a shortened probation period from 1 year to e.g. 3 months for certain forborne exposures. The draft amended Guidelines, however, do not incorporate this change, also because it would widen the gap between the definition of non-performing exposures and the definition of default.

Besides the changes brought forward by the revised CRR, the EBA is also proposing to increase the exceptional treatment of days past due at invoice level from 30 to 90 for non-recourse factoring arrangements to better reflect the economic reality of purchased receivables.

The Consultation closes on 15 October 2025.

On 4 July 2025, the EBA updated its Q&A on CRR.

The questions are as follows:

Which bonds can be considered "subordinated debt" under Art. 128 (c)? Only senior non-preferred bonds? Senior Non-Preferred Bonds and Senior Preferred Bonds (which meet the criteria under Art. 72b(3)? Senior Non-Preferred Bonds and Senior Preferred Bonds (that meet the criteria set out in Art. 72b(3) and are recognized as eligible liabilities by the resolution authority)? Senior Non-Preferred Bonds and Senior Preferred Bonds issued by G-SII entities (which meet the criteria set out in Art. 72b(3) and are recognised by the resolution authority as eligible liabilities)?

The treatment as subordinated debt under Article 128(1)(c) of the CRR is restricted to holdings of eligible liabilities instruments that meet the conditions set out in Article 72b. As a consequence, where a liability does not meet all the conditions of Article 72b(2), holding of such liability only qualifies as subordinated debt exposure if the resolution authority has explicitly permitted such liabilities to qualify as eligible liabilities instruments under Article 72b(3) or Article 72b(4) due to meeting the requirements set out therein. In particular, in the case of liabilities recognised under Article 72b(3), the treatment as subordinated debt under Article 128(1)(c) CRR is limited to the percentage of each liability that is permitted by the resolution authority to qualify as eligible liabilities instruments of the issuer (which cannot exceed 3.5% of total risk weighted exposure amount of the issuer but can be less or even zero, depending on whether and how the resolution authority has exercised the discretion under Article 72b(3) in combination with Article 72b(5) CRR). This percentage should be determined consistent with Article 72e(3) CRR, as the ratio of the amount of liabilities included in eligible liabilities items by the issuing institution to the total amount of the outstanding liabilities of the issuing institution referred in Article 72b(3) CRR according to the latest disclosures by the issuer. Importantly, the limit applies with reference to the total risk exposure amount of the issuer, not of the institution holding the liability.

In case of exposure and guarantee denominated in different currencies, which currency shall be taken into account in the process of application of risk weight for guaranteed part of exposure in accordance with Article 235(3) of CRR3?

Article 235(3) CRR requires for extending the preferential treatment set out in Article 114(4) or (7) CRR that the conditions in Article 114(4) or (7) CRR would be met if the guaranteed exposures or parts of exposures were direct exposures to the central government or central bank. Consequently, the relevant currency for assessing these conditions is the domestic currency of the central government or central bank providing the unfunded credit protection because this determines the currency for the treatment as if this was a direct exposure to the central government or central bank. Therefore, the unfunded credit protection has to be denominated in this currency, and the protected amount has to be funded in that same currency. Furthermore, where the guarantee is denominated in a currency other than that of the guaranteed exposure, the resulting currency mismatch shall be addressed in accordance with Article 233(3) of Regulation (EU) No 575/2013 (CRR).

BACKGROUND

On 3 July 2025, the European Commission published a Commission Delegated Regulation supplementing Regulation (EU) No 575/2013 (the CRR) with regard to regulatory technical standards (RTS) on assessing the materiality of extensions and changes to alternative internal models (AIMs) and changes to the subset of modellable risk factors. Institutions using AIMs must obtain permission from their competent authorities, which covers methods, processes, controls, data collection, organization of risk control and internal validation functions, and IT systems. Modifications to these elements require either notification or approval, depending on their nature, to ensure that AIMs remain aligned with supervisory expectations.

WHAT'S NEW?

The Regulation clarifies that institutions are not required to notify competent authorities of minor adjustments, corrections, or ongoing alignments that fall within already approved methods, processes, controls, data collection, or IT systems. However, when institutions extend or change their alternative internal models or modify the subset of modellable risk factors, they must calculate the required risk numbers to justify and substantiate the materiality assessment of those changes. This approach balances operational flexibility for day-to-day model maintenance with supervisory oversight for significant changes, ensuring that material modifications are appropriately assessed and documented.

WHAT'S NEXT?

Institutions using AIMs should review their internal model governance and change management processes to ensure compliance with the RTS, particularly regarding when risk number calculations are required. Competent authorities will supervise adherence to the new materiality assessment requirements, focusing on extensions or changes to models and modellable risk factors. Institutions should also maintain detailed documentation of all relevant modifications and assessments to facilitate supervisory review.

On 9 July 2025, the EBA published consultation on draft RTS amending RTS on own funds and eligible liabilities instruments.

Leveraging on the experience that competent and resolution authorities have gained during the past few years, and to allow institutions more flexibility in their capital planning, the EBA is proposing to shorten the timeframe to process the applications to reduce own funds and eligible liabilities instruments from four to three months. The initiative is in line with the EBA’s commitment in 2021 to monitor how the submission and assessment of applications is implemented in practice. In addition, the simplified procedure for the reduction of MREL eligible liabilities for liquidation entities is removed from the RTS, in line with recent amendments of the Level 1 text. 

The Consultation closes on 9 October 2025. 

On 11 July 2025, EBA updates its Q&A on IFR.

The question are as follows:

We understand that rTM measures are for firms that deal on their own account. The relevant K-Factor for position risk, K-NPR falls under rTM, therefore the assumption would be that K-NPR refers only to firms dealing on their own account. However, Article 21(4) sets out that for purpose of calculating the rTM K-factor requirement, firms should also include positions other than trading book positions where it gives rise to foreign exchange or commodity risk. 

Does then Article 21(4)  bring firms that do not deal on their own account into the scope of K-NPR or is it an additional requirement only for firms that deal on their own account?

The question is whether IFR Article 21(4) brings firms that do not deal on their own account into the scope of K-NPR or whether this provision concerns an additional requirement only for firms that deal on own account.

As IFR Article 21(4) is positioned under Part Three, Title II, Chapter 3 of the IFR that determines the own funds requirements under the Risk-to-Market (RtM) K-factor, the question is therefore more generally whether investment firms other than those dealing on own account are subject to the RtM K-factor requirement.

A first clarification of the applicable scope for the RtM K-factor requirement is provided by IFR recital 25, establishing the link between the RtM K-factor and investment firms which deal on own account. That recital explains that “the K?factor for RtM for investment firms which deal on own account is based on the rules for market risk for positions in financial instruments, in foreign exchange, and in commodities in accordance with Regulation (EU) No 575/2013”.

Then, in Part Three, Title II, Chapter 3 of the IFR, Article 21(1) explicitly addresses investment firms dealing on own account when providing for the methodologies that have to be used to calculate the RtM K-factor requirements. That Article states that “the RtM K-factor requirement for the trading book positions of an investment firm dealing on own account, whether for itself or on behalf of a client shall be either K-NPR calculated in accordance with Article 22 or K-CMG calculated in accordance with Article 23”.

This interpretation is further reinforced by the reading of the first paragraph of IFR Articles 22 and 23, both explicitly referring to “the own funds requirement for the trading book positions of an investment firm dealing on own account, whether for itself or on behalf of a client”.

Finally, in IFR Article 21(4) itself, it is specified that an investment firm should “include positions other than trading book positions where those give rise to foreign exchange risk or commodity risk” for the specific purpose of calculating the RtM K-factor requirement. Yet, based on the above, it is made clear that the latter only applies to investment firms dealing on own account.

Therefore, it can be concluded that the requirement in Article 21(4) applies only to investment firms subject to the RtM K-factor which is only applicable to investment firms dealing on own account. Article 21(4) should not be understood as broadening the scope of the RtM K-factor provisions to other investment firms.

At the same time, it can be pointed out that any risk not covered or not adequately covered under the Pillar 1 (i.e. K-factor requirements) needs to be adjusted through the supervisory review process and the Pillar 2.

Therefore, if a competent authority considers that investment firms that do not deal on own account are exposed to potential foreign exchange risk or commodity risk of positions other than trading book positions, they may apply appropriate Pillar 2 measures.

Can cash collateral received from third parties via funded credit protection arrangements (i.e. funded guarantees or credit derivatives) qualify as collateral for the purposes of K-TCD and K-CON? 

Article 27 of the IFR states that the amount of “collateral”, as determined in Article 30, can be deducted when calculating an exposure value for transactions subject to K-TCD and K-CON.

In turn, Article 30(1) determines that all collateral for both bilateral and cleared transactions referred to in Article 25 shall be subject to the volatility adjustments established in Table 4 of Article 30(1). It can be considered that the latter is setting out the asset classes that are eligible as collateral under the IFR.

However, Article 30(2), which specifically details how collateral should be valued, appears to apply only to collateral received from the direct counterparty to the transaction. This specification in Article 30(2) therefore raises the question whether it was intended to only permit collateral received directly from the counterparty to the transaction to be eligible when calculating an exposure value for transactions subject to K-TCD and K-CON or whether collateral received from third parties (i.e. protection providers) through funded credit protections would also be eligible.

Although Article 30(2), point (a), only refers to the amount of collateral received by the investment firm from its counterparty, it cannot be inferred from this that collateral received from a protection provider would not be eligible for the calculation of the exposure value under Article 27.

For determining whether collateral received from a protection provider would be eligible, the investment firm should obtain the legal certainty that it will be promptly transferred the property of the collateral in the case of default of the direct counterparty or that the pledged collateral will remain available in the case of default of the protection provider.

In principle, funded credit protections provided by third parties, whereby cash or securities are pledged in the name of the investment firm, which are available at first demand and without any restriction in the case of default of the direct counterparty could also be accepted as collateral under the IFR.

However, the IFR does not specify the eligibility criteria of a funded credit protection as collateral. For this assessment, investment firms could refer to the requirements set out in Regulation (EU) No 575/2013 (Capital Requirements Regulation or “CRR”), such as Article 212(1), as guidelines. On their side, competent authorities will assess the eligibility and the quality of this collateral as part of their Supervisory Review and Evaluation Process (SREP) and will consider whether any residual risk needs to be addressed through Pillar 2.

In this context, it is useful to note that unfunded credit protections and credit derivatives, or any other type of derivatives, received from counterparties, or third parties, are not eligible as collateral under the IFR. These instruments were not considered to be permissible by the legislator and therefore not listed in Table 4 of Article 30(1) of the IFR.

On 11 July 2025, the EBA updated its Q&A on CRR.

The question is as follows:

How should wholesale term deposits be allocated in the available time buckets of c66.01, in case there is an early withdrawal penalty?

In accordance with paragraph 12, letters (a) and (b) of Annex XXIII of the EBA IT solutions applicable under Commission Implementing Regulation (EU) 2024/3117, where an option to defer payment or receive an advance payment exists, the option shall be presumed to be exercised where it would advance outflows from the institution or defer inflows to the institution. Therefore, wholesale term deposit outflows should be reported in the time bucket corresponding to the early withdrawal option, regardless of any penalties. Penalties shall be considered in the outflows if they impact them.

Any options subject to the institution's discretion should be excluded from the treatment, except in cases where it is presumed to be exercised. To this regard, an option shall be presumed exercised where there is a market expectation that the institution will do so; in such cases outflows and inflows should be included in the relative time bucket”

Conversely, letter (e) of the same paragraph establishes an exception to this general framework, applicable exclusively to retail term deposits that fulfill point (b) of Article 25(4) of Delegated Regulation (EU) 2015/61.

BACKGROUND

On 4 August 2025, the EBA published three Regulatory Technical Standards (RTS) on operational risk losses under the implementation of the EU Banking Package. These RTS stem from mandates in the CRR3, which introduced a revised operational risk framework by replacing all existing model-based approaches with the Business Indicator Component (BIC).

Institutions with a Business Indicator (BI) above EUR 750 million are required to build and maintain a loss data set covering at least ten years of operational risk losses above a defined threshold. The RTS provide detailed rules to ensure consistency and comparability in how losses are recorded, classified, and adjusted

WHAT'S NEW?

The three RTS address separate mandates

1. RTS on operational risk taxonomy (Article 317(9) CRR):

• Establishes a common taxonomy aligned with international standards.
• Defines Level 1 event types, Level 2 categories, and a set of attributes for classifying operational risk loss events.
• Ensures data sets are mutually exclusive, collectively exhaustive, and flexible for supervisory purposes.

2. RTS on “unduly burdensome” conditions (Article 316(3) CRR):

• Specifies when calculating the annual operational risk loss can be waived.
• Waivers may apply for up to three years in cases such as:
  - institutions whose BI temporarily exceeds EUR 750 million,
  - institutions with BI between EUR 750 million and EUR 1 billion following a merger or acquisition,
  - bridge institutions established under the BRRD.

3. RTS on adjustments to loss data sets (Article 321(2) CRR):

• Requires loss data from merged or acquired entities or activities to be integrated into the acquiring institution’s data set.
• Specifies that data must be converted into the currency and taxonomy of the reporting institution.
• Provides a temporary formula to calculate the annual operational risk loss when full historical data cannot be promptly included.

The RTS follow a consultation held between June and September 2024, during which nineteen responses were received, and a workshop was organised in November 2024. The texts were adjusted to reflect stakeholder feedback.

WHAT'S NEXT?

According to the EBA, the RTS will be submitted to the European Commission for endorsement, after which they will be subject to scrutiny by the European Parliament and the Council before publication in the Official Journal of the European Union.

On 11 July 2025, the EBA updated its Q&A on PSD2.

The question are as follows:

1. Are postal transfers as defined by the Universal Postal Union, which are not made in paper form but by electronic means, excluded from the scope of PSD2?

Article 3(g) of Directive (EU) 2015/2366 (PSD2) excludes from the scope of its application payment transactions based on a set of paper- based documents drawn on the payment service provider with a view to placing funds at the disposal of the payee, including postal money orders which are paper-based (under point vii). The limitation of the application of this exclusion to transactions based on paper documents is further clarified in recital 22 of PSD2, which states that, where the Directive covers all types of electronic payment services, it would not be appropriate for the rules to apply “where the transfer is based on a paper cheque, paper-based bill of exchange, promissory note or other instrument, paper based vouchers or cards drawn upon a payment service provider or other party with a view to placing funds at the disposal of the payee”. A regard to the first question, only payment transactions based on postal money orders in paper-based form should be excluded from the scope of PSD2.

2. If postal transfers, as defined by the Universal Postal Union, in both electronic and paper format, are inseparable from the postal operator’s accounting system, do paper-based postal transfers also fall outside the scope of PSD2?

Postal money orders initiated on paper benefit from the exclusion in Article 3(g)(vii) PSD2 regardless of how they are treated in the accounting system of a postal operator. Postal money orders which are initiated electronically not on paper, on the other hand, do not benefit from the exclusion in article 3(g)(vii), again regardless of how they are treated in the accounting system of a postal operator.

3. Is the payment institution entitled to credit funds to the payment service customers’ funds accounts where the money of the payment service users is kept separate?

There is no prohibition in PSD2 on the same payment account of the payment service user being credited with funds received by the payment service user both via payment transactions within scope of PSD2 and from payment transactions excluded from PSD2. This is without prejudice to the safeguarding requirements in Article 10(1)(a) PSD2, in particular, the provisions on the prohibition of commingling of the funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions with the funds of any natural or legal person other than payment service users on whose behalf the funds are held.

4. Can a payment institution that is also a postal service provider simultaneously provide both PSD2 regulated services and services related to payments but outside the scope of PSD2?

Article 18(1)(c) of PSD2 provides that entities authorised as payment institutions (including post office giro institutions authorised as payment institutions pursuant to national law as in the case described by the submitter) shall be entitled to engage in business activities other than the provision of payment services, having regard to applicable Union and national law. Accordingly, a post office giro institution authorised as a payment institution can provide both payment services regulated under the PSD2 and services related to payments falling outside the scope of PSD2 including via the exclusions from its scope laid down in Article 3. This is without prejudice to Article 11(5) PSD2.

What devices or procedures can be considered as payment instrument as per Art. 4(14) of PSD2

‘Payment instrument’ is defined under Article 4(14) of Directive 2015/2366 (PSD2) as “a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order”. To be considered as a payment instrument within the meaning of PSD2, the fuel card must thus meet the following conditions:

• be a personalised device(s) or set of procedures agreed between the payment service user and the payment service provider; and
• be used in order to initiate a payment order.

The latter condition must be understood in articulation with the definitions of ‘payment order’ and ‘payment transaction’ in PSD2. Accordingly, ‘payment order’ is defined in Article 4(13) PSD2 as “an instruction by a payer or payee to its payment service provider requesting the execution of a payment transaction”. ‘Payment transaction’ is defined in Article 4(5) PSD2 as “an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee”.

As regards the first condition – ie be a personalised device(s) or set of procedures -, it should be noted, in accordance with paragraph 70 of the Court’s judgement C 287/19 referring to the interpretation of ‘payment instrument’ in Article 4(23) of Directive 2007/64 (PSD1) held in its judgment C 616/11, that “in order to be considered as ‘personalised’, within the meaning of that provision, a payment instrument must allow the payment service provider to verify that the payment order was initiated by a user authorised to do so”.

In the case described by the submitter, the fuel card allows the fuel card issuer to verify that the cardholder is a party to the deferred payment contractual agreement with the issuer, thus meeting the first condition of the definition of ‘payment instrument’.

As regards the second condition – ie be used in order to initiate a payment order - it should be noted that, in the aforementioned judgement C 616/11, the Court considered that both a transfer order form signed by the payer in person and online banking constituted payment instruments insofar as both represented sets of procedures agreed between the user and the payment service provider and used by the user in order to initiate a payment order. In the case described, the presentation of the card and the process of verification of the cardholder as a party to such agreement constitute steps in the procedure allowing the cardholder to request the execution of a payment transaction resulting in a transfer of funds to the fuel seller. The fact that this is a payment transaction where the funds are covered by a credit line provided by the fuel card issuer to the cardholder, and which is subsequently settled, does not materially invalidate this procedural link between the steps of card presentation and cardholder verification, on the one hand, and the instruction for the execution of a payment transaction, on the other hand, thus meeting the second condition in the definition of ‘payment instrument’.

Does this credit qualify as consumer credit, exclusively available to individual consumers? Or can it also be extended to legal entities?

According to Article 18.4 PSD2, Payment institutions may grant credit relating to payment services as referred to in point (4) or (5) of Annex I only if all of the following conditions are met:

(a)  the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction;

(b)  notwithstanding national rules on providing credit by credit cards, the credit granted in connection with a payment and executed in accordance with Article 11(9) and Article 28 shall be repaid within a short period which shall in no case exceed 12 months;

(c)   such credit shall not be granted from the funds received or held for the purpose of executing a payment transaction;

(d)  the own funds of the payment institution shall at all times and to the satisfaction of the supervisory authorities be appropriate in view of the overall amount of credit granted.

As no further limitations are provided in this provision, it is to be understood that payment institutions may grant credit related to payment services, as referred to in points (4) or (5) of Annex I, to any payment service users who, in accordance with Article 4(10) of PSD2, are defined as natural or legal persons using a payment service in the capacity of payer, payee, or both.

BACKGROUND

On 2 July 2025, the European Central Bank (ECB) published Regulation (EU) 2025/1355, which recasts and replaces the previous Regulation (EU) No 795/2014 (ECB/2014/28) on oversight requirements for systemically important payment systems (SIPS). This recast regulation aims to enhance the oversight framework for SIPS, aligning it with international standards and addressing emerging risks in the payment systems landscape. The regulation applies to payment systems operated both by central banks and private operators within the European Union.

WHAT'S NEW?

Regulation (EU) 2025/1355 strengthens the oversight framework for systemically important payment systems (SIPS) by introducing more robust governance and accountability requirements for operators, ensuring better management of systemic risks. It includes enhanced provisions for cyber risk management, requiring operators to implement comprehensive measures to address potential cyber threats. The regulation also clarifies rules for outsourcing critical functions, ensuring these remain under effective oversight. Additionally, it provides clearer criteria for identifying which payment systems qualify as systemically important, introduces certain exemptions for Eurosystem-operated systems, and explicitly empowers the ECB to impose sanctions and corrective measures in cases of non-compliance.

WHAT'S NEXT?

Regulation (EU) 2025/1355 entered into force on 3 August 2025, 20 days after its publication in the Official Journal of the European Union. SIPS operators are required to align their operations with the new oversight requirements promptly. The ECB will review the general application of this regulation by no later than two years following its entry into force and thereafter every three years to assess whether amendments are necessary.

BACKGROUND

On 15 July 2025, ESMA published its Final Report on the RTS concerning documents incorporated by reference under the Prospectus Regulation (EU) 2017/1129. This initiative follows the empowerment granted by Article 19(4) of the Prospectus Regulation, aiming to update the list of documents from which information can be incorporated by reference into prospectuses. The update responds to the need for greater flexibility in the issuance of non-equity securities and aligns with recent legislative changes, including the Listing Act Regulation (EU) 2024/2809.

WHAT'S NEW?

The Final Report introduces two significant updates to the list of documents that can be incorporated by reference into prospectuses:

• Documents Approved or Filed Under the Prospectus Directive: The RTS now include documents that have been approved by or filed with a competent authority in accordance with the Prospectus Directive (Directive 2003/71/EC). This change facilitates the incorporation of information from non-equity securities originally offered under the Prospectus Directive into base prospectuses approved under the current Prospectus Regulation.
• Optional Pre-Issuance Disclosures for Green and Sustainability-Linked Bonds: The RTS permit the incorporation of pre-issuance disclosures for bonds marketed as environmentally sustainable or sustainability-linked, as referred to in Article 20 of the European Green Bond Regulation (EU) 2023/2631. This addition provides issuers with more flexibility in aligning their sustainability-related disclosures with their prospectuses.

These updates aim to streamline the issuance process for non-equity securities and enhance the integration of sustainability-related information into financial disclosures.

WHAT'S NEXT?

The proposed RTS will be submitted to the European Commission for adoption. Upon submission, the Commission has three months to decide on adoption, with the possibility of extending this period by one month. Once adopted, the new standards will provide issuers with greater flexibility in incorporating information into prospectuses, thereby reducing compliance burdens and aligning with recent legislative developments.

On 16 July 2025, the EBA published Handbook on simulation exercises for resolution authorities.

Testing requirements are already imposed to institutions through the EBA Guidelines on resolvability testing, and simulations are becoming more prevalent in ensuring preparation among authorities, the EBA’s Handbook proposes a taxonomy for simulation exercises for resolution authorities to harmonise the use of main concepts within the financial stability framework. 

In addition, the Handbook distinguishes between testing, simulations and dry runs and introduces six main types of simulation exercise: brainstorms, desktop exercises, walkthroughs, fire drills, decision-making exercises and operational simulations. This new chapter also presents the concept of end-to-end simulations, which combine multiple exercise types to replicate real-world resolution scenarios. 

The Handbook describes in operational terms how to initiate, plan, prepare and deliver a simulation exercise. It provides practical guidance on defining objectives and scope, designing scenarios, allocating resources, managing delivery, and collecting feedback. The Handbook also includes templates and examples to support authorities in implementing effective and proportionate simulation exercises.

On 7 August 2025, SRB publishes operational guidance for banks on resolvability self-assessment.

This approach is a key part of the SRM Vision 2028 strategy, designed to ensure that European banks are equipped for the future and crisis-ready, based on a revised methodology encompassing lessons learnt from crisis cases, best practice and the testing of banks’ capabilities. 

The guidance introduces a standardised self-assessment report designed to help banks to document their resolvability assessment in a consistent manner, promoting a level playing field, transparency and comparability across the sector. 

The self-assessment takes the form of a structured questionnaire covering each of the seven resolvability dimensions specified in the Expectations for Banks. It outlines the capabilities that banks should have in place to effectively execute resolution measures during a crisis. The methodology will also reflect how well banks’ resolvability capabilities work in practice through their regular testing. Operational guidance on the testing framework, which complements the self-assessment approach, will be published later this year.

Following a public consultation held from December 3, 2024, to February 7, 2025, the SRB has carefully considered the industry's feedback and introduced substantial enhancements to the self-assessment framework, aimed at simplifying the process and alleviating the administrative burden on banks. These improvements include a 20% reduction in the number of resolvability capabilities, a transition to a reporting every two years, and the introduction of a less granular reporting structure, notably for testing activities.

The first self-assessment report under the format established by the new guidance should reflect the resolvability self-assessment as at 31 December 2025 and is expected to be submitted by banks by 31 January 2026 at the latest.

BACKGROUND

On 4 July 2025, the European Banking Authority (EBA) published a hotfix for Reporting Framework 4.1. The original Framework 4.1 sets out the reporting requirements for institutions under EBA regulations. The hotfix was released to correct inconsistencies and ensure the accuracy and consistency of reporting obligations. Alongside the hotfix, the EBA published a list of issues and inconsistencies identified in the original Framework 4.1, providing transparency and guidance for reporting institutions.

WHAT'S NEW?

The hotfix addresses specific errors and inconsistencies in Reporting Framework 4.1, ensuring that data reporting requirements are correctly specified. The accompanying issues list details the fixes applied and provides interim solutions for issues that will be addressed in the upcoming Framework 4.2. Additionally, in Reporting Framework 4.2, the EBA has updated the reference dates for modules and postponed the mandatory adoption of the xBRL-CSV reporting format. Originally scheduled for December 2025, the mandatory implementation of xBRL-CSV is now deferred to March 2026, allowing institutions more time to adapt their systems and processes to the new format.

WHAT'S NEXT?

Institutions should implement the hotfix corrections in their current reporting processes to ensure compliance with Framework 4.1. They should also review the issues list to understand interim solutions for problems that will be fully addressed in Framework 4.2. Preparations for the upcoming xBRL-CSV format should continue, using the extended timeline until March 2026 to update systems and ensure a smooth transition to the new reporting format. Competent authorities will monitor the adoption of these updates and may provide further guidance if needed.

On 11 July 2025, the EBA updated its Q&A on FiCOD.

The question is as follows:

We are seeking clarification about a possible mismatch between ITS and DPM 3.5 (ID v22748_u - T1 L 06.00, column c0020) as part of the compilation of the template FC.06 Template - “Risk Concentration - Exposure by counterparties" within the FiCod. supervisory reporting.

The Commission Implementing Regulation (EU) 2022/2454 of 14 December 2022 states that, within the Template FC.06 - “Risk Concentration - Exposure by counterparties", the exposures must be reported for each individual legal entity belonging to the financial conglomerate, whereas the DPM 3.5 only permit reporting a unique value of the identification code of the external counterparty. This also determines the impossibility of representing separately the exposures held towards the same external counterparty but denominated in different currencies.

We therefore ask what is the correct way to represent - inside the FC.06 Template- the cases in which multiple entities belonging to the conglomerate have exposures towards the same external counterparty and for the cases in which, for each external counterparty, there are exposures denominated in different currencies.

The modelling (DPM) of template L 06.00 - Risk Concentration - Exposure by counterparties will be amended at the next opportunity by making columns 0090 - ID code of the entity of the financial conglomerate, 0030 - ID code type of the external counterparty and 0100 - ID code Type of the entity of the financial conglomerate as key values. With this amendment, there will be four key value columns including 0020 - Identification code of the external counterparty, ensuring the uniqueness of all rows to be reported in this open row template when several entities of the financial conglomerate have exposures with the same external counterparty.

As an interim solution, until the abovementioned amendment has been implemented in the modelling, in case more than one entity of the financial conglomerate has exposures with a specific external counterparty, report in column 0020 - Identification code of the external counterparty a merged version of the IDs in scope for 0020 - Identification code of the external counterparty and 0090 - ID code of the entity of the financial conglomerate, by that creating a unique value for all rows reported in this template.

Please find below an example how to use the interim solution proposed with an external counterparty with identification code ABCD, and three different entities of the financial conglomerate with identification codes 1111, 2222 and 3333 respectively.

Column 0020

Row 0010: ABCD1111

Row 0020: ABCD2222

Row 0030: ABCD3333

Column 0090

Row 0010: 1111

Row 0020: 2222

Row 0030: 3333

Regarding column 0240 – Currency of template L 06.00, its modelling will take into account the outcome of the Joint Committee Q&A FICOD027. Based on the outcome of that Q&A, if needed, the modelling will be amended accordingly, either make column 0240 as an additional key value, or make no changes.

BACKGROUND

On 6 August 2025, the EBA published a no-action letter on the application of ESG Pillar 3 disclosure requirements under the EBA disclosure ITS. The Opinion is based on Article 9c of Regulation (EU) No 1093/2010, which allows the EBA to issue no-action letters in exceptional circumstances where the absence of implementing acts could create uncertainty and affect supervisory convergence.

The measure follows the adoption of CRR3, which extends Article 449a ESG disclosure obligations to all institutions from 1 January 2025, and the European Commission’s Omnibus Package (February 2025), aimed at simplifying and streamlining sustainability reporting under CSRD, CSDDD, and the Taxonomy Regulation. Since the EBA disclosure ITS must be amended to reflect these changes, the no-action letter provides interim clarity until the revised ITS are finalised.

WHAT'S NEW?

The EBA formalises the interim approach already outlined in its Consultation Paper of May 2025 on the amending ITS. Until the new ITS enter into force, the EBA recommends to competent authorities:

For large listed institutions:

• not to prioritise enforcement of the disclosure of templates EU 6 to EU 10, Template 1 column c, and Template 4 column c of Commission Implementing Regulation (EU) 2024/3172;
• not to prioritise enforcement of the collection of these templates under EBA Decision EBA/DC/498 of 6 July 2023.

For all other institutions newly in scope under Article 449a CRR:

• not to prioritise enforcement of the corresponding ESG disclosure templates of Implementing Regulation (EU) 2024/3172.

The EBA also published an updated ESG risk dashboard, noting that the risk landscape across EU/EEA banks remains stable, consistent with the long-term nature of climate-related risks. Future editions of the dashboard will be adjusted in line with the no-action letter.

WHAT'S NEXT?

According to the Opinion, these recommendations apply from the reference date of 30 June 2025 until the adoption and entry into force of the amended EBA disclosure ITS. During this period:

• Competent authorities are expected not to prioritise enforcement of the identified disclosure and collection obligations.
• The EBA will continue its work on a streamlined ESG disclosure framework, taking into account the outcome of the Omnibus Package.
• Institutions should expect the content of the EBA ESG risk dashboard to evolve in line with these interim arrangements.

On 6 August 2025, the FinDatEx launched survey on its templates’ usage.

Since 2019, FinDatEx has experienced significant growth and development, expanding its scope and the range of activities it undertakes. Currently, it plays a crucial role in coordinating the exchange of data and information among a diverse network of stakeholders, including product manufacturers, financial institutions, and distributors. These templates specifically cover important regulatory frameworks such as MiFID, PRIIPs, Solvency II, and ESG topics. 

FinDatEx believes that now is an ideal time to gain a deeper and more comprehensive understanding of how our standardised templates are being utilised in practice, and to identify who the primary users are. Gathering these insights will help us better understand the current market needs, challenges, and expectations, ensuring that our efforts are aligned with industry demands. 

The results will be instrumental in guiding FinDatEx’s future planning, development, and enhancements of its templates and processes to serve the industry better. 

The survey closes on 26 September 2025. 

On 8 July 2025, the EU published Opinion of the ECB of 8 May 2025 on proposals for amendments to corporate sustainability reporting and due diligence requirements.

The ECB supports the Commission’s goal of enhancing the European economy’s long-term competitiveness, whilst maintaining the objectives of the European Green Deal and Sustainable Finance Action Plan. Sustainable, long-term economic growth and resilience supports price stability and the effectiveness of the ECB’s monetary policy. To that end, the ECB supports the Commission’s efforts to streamline and simplify sustainability reporting and due diligence requirements, and thereby ensure that compliance costs for companies are proportionate.

The ECB supports the Commission’s further efforts to streamline and simplify the sustainable finance framework, in order to reduce the reporting costs for companies, increase its usefulness for investors and end-users, and support green investment. First, the forthcoming review of Regulation (EU) 2019/2088 of the European Parliament and of the Council and of Commission Delegated Regulation (EU) 2021/2178  will offer important opportunities for streamlining. Second, the integration of sustainability information into the European Single Access Point (ESAP) offers opportunities to significantly reduce barriers to access and ultimately lower the cost of collecting and analysing sustainability information. Third, the ECB recalls that it supports the requirement that data must be reported in accordance with the single electronic reporting format. This will support the processing of the data and facilitate standardisation within corporate IT software, which will help reduce companies’ reporting costs. To fully reap the benefits of the single electronic reporting format, the ECB recommends that the Commission should explore options to make the complete dataset accessible to end-users for analysis in a suitable format, in particular to facilitate both bulk data exchange and direct access via a suitable database portal. This could be achieved, for example, by further enhancing the features of the ESAP.

On 11 July 2025, the EC adopted “quick fix” amendments to the first set of ESRS.

This will reduce burden and increase certainty for companies that had to start reporting for financial year 2024.

According to the current ESRS, companies reporting on financial year 2024 can omit information on, amongst other things, the anticipated financial effects of certain sustainability related risks. The “quick fix” amendment, which applies from financial year 2025, will allow them to omit that same information for financial years 2025 and 2026.

This means wave one companies will not have to report additional information compared to financial year 2024. Moreover, for financial years 2025 and 2026, wave one companies with more than 750 employees will benefit from most of the same phase in provisions that currently apply to companies with up to 750 employees. You can find here a summary of the modifications.

This quick fix was necessary because wave one companies were not captured by the “stop the clock” Directive, which delayed by two years the sustainability reporting requirements for companies that report from financial year 2025 and 2026 (so called “wave two” and “wave three” companies). This Directive was part of the Omnibus I package adopted by the Commission at the end of February 2025.

Meanwhile, the Commission is working on a broader revision of the European Sustainability Reporting standards (ESRS), with the aim of substantially reducing the number of data requirements, clarifying provisions deemed unclear and improving consistency with other pieces of legislation. It is expected that this review will be completed by financial year 2027.

On 5 August 2025, the EU published Commission Recommendation (EU) 2025/1710 of 30 July 2025 on a voluntary sustainability reporting standard for small and medium-sized undertakings.

Recommendations to SMEs:

1. The Commission recommends that non-listed SMEs and micro-undertakings that wish to voluntarily report sustainability information do so in accordance with the voluntary sustainability reporting standard set out in Annex I.

2.  The voluntary sustainability reporting standard set out in Annex I may also be used by SMEs and micro-undertakings in third countries which wish to provide sustainability information on a voluntary basis.

3. Undertakings applying the standard set out in Annex I to report sustainability information voluntarily may also use the practical guidance included in Annex II.

Recommendations to financial institutions, financial market participants, insurance undertakings, credit institutions and other undertakings seeking sustainability information from SMEs:

4. The Commission recommends that undertakings subject to the requirements laid down in Articles 19a and 29a of Directive 2013/34/EU, where they need sustainability information from SMEs in their value chains for the purposes of sustainability reporting, should limit as far as possible their requests for such information to the information provided pursuant to the voluntary sustainability reporting standard set out in Annex I to this Recommendation.

5. The Commission recommends that financial institutions, financial market participants, insurance undertakings and credit institutions, where they need sustainability information from SMEs, should limit as far as possible their requests for such information to the information provided pursuant to the voluntary sustainability reporting standard set out in Annex I.

Recommendations to Member States:

6. The Commission recommends that Member States raise awareness among SMEs of the benefits of voluntarily reporting sustainability information in accordance with the standard set out in Annex I.

7. The Commission recommends that Member States take appropriate measures at national level to foster the implementation and acceptance of the voluntary sustainability reporting standard for SMEs set out in Annex I.

8. The Commission recommends that Member States also take appropriate measures at national level to encourage the entities referred to in paragraphs 4 and 5 to limit as far as possible their requests to SMEs and micro-undertakings for sustainability information to be used for the purposes of sustainability reporting to the information provided pursuant to the voluntary sustainability reporting standard set out in Annex I.

9. The Commission recommends that Member States take appropriate measures to support the automatic digitalisation of SME sustainability reporting based on the standard set out in Annex I, to enable an efficient exchange of data that respects SMEs data ownership.

On the 18 August 2025, the ESMA published registration guide.

The document is a registration guide published by the European Securities and Markets Authority (ESMA). It explains ESMA’s role as the EU’s financial markets regulator and supervisor, responsible for authorising, registering, recognising, certifying, or endorsing entities that wish to provide certain services within the EU. Registration ensures compliance with EU regulations, protects investors, and helps maintain confidence in financial markets.

The guide describes the application process, which is divided into communication, completeness, compliance, and decision phases. Applicants are encouraged to engage early with ESMA, prepare complete and accurate applications, and ensure that senior staff are directly involved. ESMA assesses applications against legal requirements and supervisory expectations, covering governance, internal controls, outsourcing and third-party risk, ICT and information security, and methodologies.

The document also outlines the specific legal frameworks and requirements for different categories of supervised entities, such as benchmark administrators, credit rating agencies, trade and securitisation repositories, market transparency infrastructures, external reviewers of EU Green Bonds, and ESG rating providers. While it provides practical guidance, it is not legally binding and should be read alongside ESMA’s regulatory technical standards and sector-specific rules.

On 1 July 2025, the ESMA published note on sustainability-related claims used in non-regulatory communications.

This publication outlines four guiding principles on making sustainability claims, aligned with previous publications from the EIOPA and EBA, and offers practical do’s and don’ts, illustrated through concrete examples of good and poor practices, based on observed market practices.  

The thematic note focuses on sustainability credentials such as labels or awards, as these references are among the most used claims in retail-investor focused communications. It does not introduce new regulatory or reporting requirements, but aims to support market participants making clear, fair and not misleading sustainability claims. 

These thematic notes are prepared for the attention of market participants with an educational objective and build on observed market practices. Building on four principles, the first note focuses on ESG credentials. Other thematic notes will follow, as judged necessary. When combined, the notes should be read as a thematic study.

On 4 July 2025, the EC adopted a set of measures to simplify the application of the EU taxonomy.

The changes will reduce administrative burden for companies while preserving the framework’s core objectives. 

Changes are adopted in the form of a Delegated Act amending the Taxonomy Disclosures, Climate and Environmental Delegated Acts. The Commission published the draft of this Delegated Act in February 2025 as part of Omnibus I package, allowing stakeholders to provide feedback on the draft measures.

Commission Delegated Regulation (EU) 2021/2178 specifies the content and presentation of the information that non-financial and financial undertakings, that are subject to an obligation to publish sustainability information pursuant to Article 19a or Article 29a of Directive 2013/34/EU of the European Parliament and of the Council, have to disclose in their management report pursuant to Article 8 of Regulation (EU) 2020/852. Delegated Regulation (EU) 2021/2178 does so by translating the technical screening criteria for environmentally sustainable economic activities laid down in Commission Delegated Regulation (EU) 2021/2139 and Commission Delegated Regulation (EU) 2023/2486 into quantitative key performance indicators (KPIs). Those KPIs show whether, and to what extent, the activities of those undertakings are associated with such environmentally sustainable economic activities, and thus help investors and the public to understand the environmental performance of those undertakings in relation to activities covered by Regulation (EU) 2020/852, Delegated Regulation (EU) 2021/2139, and Delegated Regulation (EU) 2023/2486 (hereinafter collectively referred to as the ‘Taxonomy’) and their trajectories towards aligning their activities with the Taxonomy criteria, which in its turn facilitates the financing of environmentally sustainable activities and projects. Delegated Regulation (EU) 2021/2178 thus increases market transparency and helps preventing greenwashing by informing investors about an undertaking’s environmental performance.

Non-financial undertakings started reporting their KPIs under Delegated Regulation (EU) 2021/2178 as of 1 January 2023 and, financial undertakings as of 1 January 2024. Between the first and second years of reporting by non-financial undertakings the value of turnover and capital expenditures associated with environmentally sustainable economic activities increased significantly.

On 16 July 2025, the ESMA published a compliance table summarising the responses of national competent authorities to the Guidelines on funds’ names using ESG or sustainability-related terms (ESMA34-1592494965-657).

According to the table, all EU and EEA competent authorities comply or intend to comply with the Guidelines, except for the Czech Republic, which explicitly does not comply due to a lack of legal basis to enforce the minimum ESG investment thresholds. However, the Czech National Bank considers compliance with the Guidelines a safe harbour and may still accept lower thresholds if aligned with national legislation.

Bulgaria and Hungary have stated that they intend to comply but require further legislative or regulatory action, with planned alignment expected by April 2026 and October 2025, respectively.

These Guidelines aim to ensure that ESG- or sustainability-related terms in fund names are not misleading and that such labels reflect the actual investment strategy, promoting investor protection and market integrity across the EU and EEA.

On 25 July 2025, the EU publishes Commission Delegated Regulation (EU) 2025/753 of 16 April 2025 supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council by establishing the content, methodologies, and presentation of the information to be voluntarily disclosed by issuers of bonds marketed as environmentally sustainable or of sustainability-linked bonds in the templates for periodic post-issuance disclosures.

Issuers of bonds marketed as environmentally sustainable and of sustainability-linked bonds may choose to disclose the information referred to in Article 21 of Regulation (EU) 2023/2631 using the common templates. There is no obligation to disclose the information referred to in Article 21 of Regulation (EU) 2023/2631 using these common templates. However, if issuers opt for using those templates, they should follow them. Issuers who use the templates remain free to disclose additional information.

Article 20 of Regulation (EU) 2023/2631 requires the Commission to publish guidelines establishing templates for voluntary pre-issuance disclosures for issuers of bonds marketed as environmentally sustainable and of sustainability-linked bonds. Ensuring consistency between and comparability of the templates published in those guidelines, and the templates that issuers of those bonds should use when they voluntarily disclose post-issuance information, will facilitate the use of the information contained in those templates by investors and thus increase transparency. 

To ensure consistency with the disclosures that issuers have to publish for European Green Bonds, the templates for voluntary disclosures of post-issuance information for issuers of bonds marketed as environmentally sustainable and of sustainability-linked bonds build on the relevant sections of the templates for post-issuance disclosures under the European Green Bond Standard.

Providing clarity for issuers on the use of post-issuance disclosure templates will encourage take-up of those templates, thus helping to enhance transparency and standardisation in the market for sustainable bonds. It is thus necessary to further specify aspects linked to use of those templates. This concerns the frequency at which issuers should publish periodic post-issuance disclosures, which should take into account whether the issuer obtains an external review of the disclosures.

This Regulation enters into force on 14 August 2025.

On the 18 July 2025, the Belgium published Programme Law, DTI deduction.

The amendments clarify the conditions under which the dividend received deduction (DTI) applies. Article 35 changes Article 202 so that a participation must have an investment value of at least €2,500,000 and, if the beneficiary company is not considered small, it must qualify as a financial fixed asset. Article 36 makes the same modification to Article 264/1, ensuring that the €2,500,000 threshold is maintained and that, for non-small companies, the participation must be in the nature of a financial fixed asset. Article 35 will only apply as from tax year 2026, while Article 36 enters into force on the 18 July 2025. Any changes to a financial year’s closing date made after 3 February 2025 that are not justified for genuine reasons will be ignored if they are meant to avoid the application of Article 35. Finally, Chapter 4 abolishes the increase in taxes in cases where the taxpayer acted in good faith.

On the 16 July 2025, the FSMA published Q&A about UCITS.

These questions and answers (Q&A) are aimed at Belgian and foreign UCITS. Belgian public UCIs with a variable number of units may rely on these Q&A when they are required to apply the same legal provisions as those to which Belgian UCITS are subject.

These Q&A are intended to provide support to UCITS and their management companies in the application of various legal provisions that they are required to comply with, including those provided for by the Law of 3 August 2012 on collective investment undertakings that meet the conditions of Directive 2009/65/EC and debt investment undertakings, as well as by the arrangements made for its implementation.

Part I is related to the following topics:

• Key Information Document (KID).
• Prospectus.
• Investment Policy.
• Share classes.
• Dossier for the creation of a UCITS, a sub-fund or a class of units.
• Publication of NAV and press releases.
• Periodic Reporting.
• Statistical Report.

Part II focuses on foreign UCITS, covering rules on public distribution in Belgium, the definition of public offering, and conditions under which non-registered ETFs may be offered. It also clarifies the applicability of Circular OPC 4/2007 on nominee structures.

This update provides significant clarification on operational expectations, investor disclosures, and FSMA’s interpretation of applicable Belgian and EU fund legislation.

BACKGROUND

On 14 July 2025, Belgium published a Royal Decree amending several Royal Decrees related to the annual accounts of credit institutions, investment firms, management companies, and insurance and reinsurance undertakings. These amendments are largely driven by the transposition of EU Directive 2022/2464 on corporate sustainability reporting and aim to ensure consistency across national and sectoral legislation. Previously, the Belgian financial sector lacked a harmonised definition of "net turnover," which was referenced in EU directives and in the Belgian Code of Companies and Associations but had not been consistently applied in sector-specific regulations.

WHAT'S NEW?

A key change introduced by the decree is the formal definition and harmonisation of "net turnover." For insurance entities, it is now defined based on gross premiums in line with Directive 91/674/EEC. For credit institutions and investment firms, it is defined based on specific income components from their profit and loss accounts, following Directive 86/635/EEC. The decree also updates the requirements for country-by-country reporting in annual and consolidated accounts, clarifying which entities are subject to reporting obligations and aligning Belgian rules with Regulation (EU) 2019/2033 and Directive (EU) 2019/2034. The amendments affect annual and consolidated accounts of insurance and reinsurance companies, credit institutions, investment firms, and collective investment managers, as well as the accounting data obligations for branches in Belgium of foreign financial entities.

WHAT'S NEXT?

The Royal Decree enters into force on 1 January 2025. Affected entities should review and update their reporting practices to comply with the new definitions and requirements. Staff involved in financial reporting should receive training on the amended regulations. Entities are also advised to consult with legal and financial experts to ensure full compliance. By taking these steps, entities can achieve a smooth transition to the updated reporting framework and maintain alignment with both Belgian and EU financial reporting standards.

BACKGROUND

On 23 July 2025, the Comissão de Valores Mobiliários (CVM) issued Circular Letter No. 5/2025 addressed to administrators of Real Estate Investment Funds (FIIs) and Agribusiness Investment Funds (FIAGROs). The circular announces improvements to the Fundos.Net system, particularly in the structured forms used for periodic reporting. The goal is to enhance the accuracy, consistency, and regulatory alignment of submitted data, while reflecting self-regulation standards such as the ANBIMA Code of Rules and Procedures for Third-Party Asset Management.

WHAT'S NEW?

For FIIs, new versions of the monthly, quarterly, and annual reports will be available from 28 July 2025. The revised format introduces changes in the “Self-Regulation Classification” field to align reporting more closely with ANBIMA’s framework. From 1 September 2025, all reports must be submitted using the updated format.

For FIAGROs, the Fundos.Net system is now configured to receive the Demonstrative of Asset Portfolio Composition and Diversification (CDA), in line with CVM Resolution No. 175, Annex VI. The new CDA model is available in the “Support Materials” section of Fundos.Net. Administrators must use this format for reference data dated September 2025, with submission required within 45 days after the end of the quarter. Early adoption is permitted for June 2025 data.

WHAT'S NEXT?

The circular stresses the importance of compliance with the updated templates and submission deadlines. Any questions regarding the use of the Fundos.Net platform should be directed to the B3 Issuer Support team by phone or email.

BACKGROUND

On 29 August 2025, ANBIMA published an update to the Code of Administration and Management of Third-Party Resources. The reform is part of its broader effort to modernize self-regulation, improve transparency, and adapt governance practices to evolving market structures.

WHAT'S NEW?

The main changes introduced include:

• Fund fees disclosure: Managers adopting the “global rate” in their regulations must now submit segregated compensation details via a new module in the ANBIMA HUB. This replaces the previous summary model and ensures public disclosure of data through ANBIMA Data.
• Application timeline: The new obligation applies from 3 November 2025 for newly constituted funds. Pre-existing funds must comply at their first regulatory amendment, but no later than year-end.
• Quota movement reporting: Fiduciary administrators will also be required, from 3 November 2025, to submit reports on quota movements through the HUB, using a dedicated module now available for testing.
• Liquidity-risk rules: The scope of liquidity-risk management obligations is extended to all open- and closed-end funds with amortisation schedules, ensuring consistency and stronger investor protection.

WHAT'S NEXT?

The updated Code enters into force on 29 September 2025. ANBIMA encourages managers and fiduciary administrators to test the HUB modules in advance to ensure a smooth transition.

On the 4 August 2025, the CVM published rule on registration of market participants

The changes in the Annexes are punctual, of a technical-formal nature, without significant changes in content and structure. The changes seek, among other objectives, to promote improvements in nomenclature, harmonize similar requirements applicable to different participants and reflect in the registration information that is already required of participants by other rules to which they are subject.

Due to the number of revocations and occasional inclusions, it was decided to edit a new rule, in order to make communication and reading more fluid for users.

1) Editorial adjustments in the "Securities Market Administrator": correction of inconsistency in the nomenclature of the participant and the Responsible Officer.

2) Inclusion of the participant "Central Securities Depositary": insertion of data directly into the system, making the process of entering information more efficient and decentralized.

3) Inclusion of the participant "Securities Intermediaries": incorporates the previous registration of brokers, distributors, investment banks and multiple banks with an investment portfolio.

4) Exclusion of the participants "Administrator of an investment fund in credit rights" and "Administrator of a real estate investment fund": in view of the existence of the generic figure of the portfolio administrator (items I and II of Annex A).

CVM Resolution 234 was exempted from Regulatory Impact Analysis (RIA) considering that the changes promoted by it are limited in nature, that is, the Resolution can be classified as a low-impact normative act.

It enters into force on the 10 September 2025.

On the 4 August 2025, the ANBIMA published consultation response to CVM's SDM Public Consultation 01/2025.

ANBIMA’s letter responds to CVM’s Public Consultation SDM 01/2025 on reforming RCVM 44, endorsing the modernization effort but pressing for clarity, proportionality, and legal certainty. It was prepared by a working group of market participants and frames its suggestions as targeted wording fixes, conceptual clarifications, and practical adjustments so disclosure focuses on genuinely market-relevant events. 

On material facts, ANBIMA asks that disclosure duties hinge on concrete triggers rather than open-ended “update” obligations, proposing to delete generic duties in Articles 14 and 15 and to refine Article 9 so issuers must disclose information that does not aim to mislead. It also questions an indefinite post-tenure confidentiality duty, urging objective limits, and seeks consistent terminology and editorial clarity around simultaneous disclosure rules. 

On relevant shareholdings, it backs a precise definition of “achievement” of a relevant position and asks CVM to address derivative counting and offsetting so artificial hedges between related parties can’t mask exposure. It also requests guidance on securities lending so donations of shares are treated consistently within the four independent counts used by the market. ANBIMA argues that itemizing each member’s sub-5% stake in a related-party group is disproportionate, and it proposes “if applicable” for identifying a Brazilian representative when the ultimate communicator is a foreign entity. For timing, it prefers “trading sessions” over “business days” and a deadline through the end of the fifth session after the trade, aligning with D+1 settlement and operational realities. 

Where an investor intends to influence control or governance, ANBIMA accepts faster disclosure but opposes subjective presumptions, such as treating a change of intention within three months as evidence of prior non-compliance, and prefers either case-by-case assessment or, if a presumption must exist, a shorter 30-day horizon. It asks that ordinary minority-shareholder rights not be treated as signals of intent, and it objects to temporary voting bans until a communication is filed. Finally, it asks how Article 43’s blackout interacts with funds whose managers sit on boards and whether pre-agreed investment plans could mitigate any impact. 

Overall, ANBIMA supports the reform but urges CVM to anchor duties in objective triggers, fine-tune derivative and stock-loan treatment, streamline group disclosures, protect minority rights, and calibrate deadlines and presumptions to real-world market operations.

On the 29 August 2025, the BCB published Report on Social, Environmental and Climate Risks and Opportunities portrays Central Bank initiatives to promote a more inclusive and sustainable financial system.

The 2025 Social, Environmental, and Climate Risks and Opportunities Report (RIS) from the Central Bank of Brazil presents actions carried out between July 2024 and June 2025 across four pillars: governance, planet, people, and prosperity.

It outlines the Bank’s institutional strategy, integrated risk management, and international engagement in sustainability. On the environmental side, it discusses the impacts of climate change on the economy and the financial system, financial stability measures, management of international reserves, and the Bank’s own efforts to reduce emissions.

On the social dimension, it highlights initiatives for financial citizenship, diversity, learning, and employee well-being. In the prosperity dimension, it emphasizes financial inclusion, technological innovation in the financial system, and the advancement of sustainable financial instruments.

The report also adds a perspectives section, presenting ongoing research and future commitments, including the Brazilian Sustainable Taxonomy and participation in COP30.

On 7 July 2025, the Ministerio de Hacienda y Crédito Público published Decree 0769 amending Decree 1068 of 2015 on payment services by savings and multi-active cooperatives with a credit section.

This decree adds Title 14 to Part 11 of Book 2 of Decree 1068 of 2015. It regulates the offer and provision of payment order and fund transfer services by savings and credit cooperatives and multi-active and integral cooperatives with savings and credit sections, emphasizing the use of non-face-to-face (digital) channels.

The decree applies to cooperatives according to their classification into full, intermediate, and basic categories. Cooperatives with full-category savings and credit sections are authorized to carry out acquiring activities, following the regulations established in Decree 2555 of 2010.

Full-category cooperatives must provide transactional services that allow their members to send and receive payment orders and fund transfers with members of other cooperatives or with customers of financial institutions supervised by the Colombian Financial Superintendence. Intermediate-category cooperatives must at least enable similar transactional services among cooperatives within the sector.

A key requirement is the availability of secure non-face-to-face channels. Both full and intermediate-category cooperatives are obliged to have at least one digital channel for members to conduct payment orders and fund transfers. The Superintendence of the Solidarity Economy is tasked with issuing instructions within six months to ensure these channels operate with security, quality, transparency, and efficiency.

The decree also mandates the establishment of a digital transformation policy for providing transactional services. This policy must be aligned with members’ needs and the cooperatives’ capabilities and include governance, clearly defined objectives, resources, deadlines, responsible parties, and disclosure mechanisms to keep members informed about implementation progress. This requirement applies to cooperatives in all categories—full, intermediate, and basic—with staggered deadlines for compliance.

Additionally, cooperatives are required to submit regular reports to the Superintendence of the Solidarity Economy. These reports must cover the volume and amounts of monetary operations carried out through each distribution channel, the types of receiving entities involved, and information on the low-value payment systems linked to the cooperatives. The Superintendence will determine the reporting frequency and will publish aggregated data to reflect sector transactional dynamics.

Regarding timelines, full and intermediate-category cooperatives must comply with the transactional services and non-face-to-face channel provisions within 12 and 15 months, respectively. All categories must implement the digital transformation policy within a maximum of 6 (full), 9 (intermediate), and 12 (basic) months. The decree becomes effective the day after its publication, subject to these transition periods, and the Superintendence must issue relevant instructions within six months.

This Decree enters into force on 8 July 2025.

On 17 July 2025, the ACPR  published a thematic report titled “Rapport sur la prévention des comptes rebonds pour le blanchiment d’escroqueries et autres fraudes.” The report presents the outcome of a supervisory investigation into the misuse of temporary or "rebound" accounts to launder funds obtained from fraud (e.g. scams, phishing). The study covers data from 13 supervised institutions over 2022–2023 and evaluates transaction flows, KYC failures, and risk mitigation practices.

Key findings include:

• Over 70,000 rebound accounts were closed in 2023 by the selected institutions, with nearly €1 billion processed through them.
• €661 million of suspicious inbound transactions were recorded in 2023 (+45% compared to 2022).
• 20% of total suspicious incoming flows were associated with rebound accounts.
• Most rebound accounts were short-lived (under 1 year) and used primarily for quickly transferring fraud proceeds abroad.

Compliance weaknesses identified:

• Deficient KYC during onboarding, especially for remote or online account openings.
• Ineffective transaction monitoring and late detection of suspicious patterns.
• Weak internal escalation and victim refund mechanisms.
• Inadequate alignment with Tracfin’s typologies and good practices.

The ACPR reminds institutions of their regulatory obligations under AML/CFT frameworks, including robust onboarding procedures, continuous monitoring, and reporting of suspicious activities. It calls for immediate reinforcement of controls, particularly in digital institutions and payment service providers, and highlights the risk of supervisory measures if persistent gaps are not addressed.

Version française

Le 17 juillet 2025, l’ACPR a publié un rapport thématique intitulé « Rapport sur la prévention des comptes rebonds pour le blanchiment d’escroqueries et autres fraudes ». Le rapport présente les conclusions d’une enquête de supervision sur l’utilisation abusive de comptes temporaires ou « rebonds » pour blanchir des fonds issus de fraudes (ex. escroqueries, hameçonnage). L’étude couvre les données de 13 établissements supervisés sur la période 2022–2023 et évalue les flux de transactions, les défaillances KYC et les pratiques de maîtrise des risques.

Principaux constats :

• Plus de 70 000 comptes rebonds ont été clôturés en 2023 par les établissements étudiés, représentant près de 1 milliard € de flux traités.
• 661 millions € de transactions entrantes suspectes ont été enregistrés en 2023 (+45 % par rapport à 2022).
• 20 % du total des flux entrants suspects étaient liés à des comptes rebonds.
• La majorité des comptes rebonds étaient de courte durée (moins d’un an) et utilisés principalement pour transférer rapidement à l’étranger des fonds issus de fraudes.

Faiblesses de conformité identifiées :

• KYC insuffisant lors de l’entrée en relation, notamment pour les ouvertures de comptes à distance ou en ligne.
• Suivi inefficace des transactions et détection tardive des schémas suspects.
• Faiblesse des mécanismes internes d’escalade et de remboursement des victimes.
• Alignement insuffisant avec les typologies et bonnes pratiques de Tracfin.

L’ACPR rappelle aux établissements leurs obligations réglementaires en matière de LCB-FT, incluant des procédures d’entrée en relation robustes, un suivi continu et la déclaration des opérations suspectes. Elle appelle à un renforcement immédiat des contrôles, en particulier pour les établissements numériques et les prestataires de services de paiement, et souligne le risque de mesures de supervision si des lacunes persistantes ne sont pas corrigées.

On 4 July 2025, ACPR (via e-surfi) published a communication related to the draft version 2.4.0 of the LCB-FT taxonomy

This taxonomy structures the regulatory reporting obligations in the area of anti-money laundering and counter-terrorist financing (AML/CTF) for French financial institutions, aligning with Instruction ACPR 2025-I-08, applicable to the reporting date of 31 December 2025.

The LCB-FT 2.4.0 taxonomy will replace previous versions and introduces updates in data format, validation rules, and content structure. Although this is currently a draft, it reflects anticipated mandatory technical and semantic changes to the ACPR’s AML-CTF regulatory reporting requirements, implemented via XBRL architecture and consistent with the Banque de France’s OneGate submission platform.

The taxonomy is accompanied by:

• A full XBRL technical package (entry point files, documentation, sample data, validation rules).
• A release note describing what changed from the prior version.
• A public consultation period, open until 31 July 2025, during which feedback is encouraged from supervised institutions and technical providers.

The taxonomy applies to both:

• Banking sector entities (credit institutions, investment firms, payment and e-money institutions).
• Insurance sector entities (insurers, mutuals, provident institutions) subject to LCB-FT reporting.

This draft release gives institutions six months’ lead time to assess IT readiness, align reporting systems, and validate new submission workflows. Given the potential for structural data model changes, firms are advised to initiate technical tests well in advance and verify OneGate integration and validation compatibility.

Version française

Le 4 juillet 2025, l’ACPR (via e-Surfi) a publié une communication relative à la version projet 2.4.0 de la taxonomie LCB-FT.

Cette taxonomie structure les obligations de reporting réglementaire en matière de lutte contre le blanchiment de capitaux et le financement du terrorisme (LCB/FT) pour les établissements financiers français, conformément à l’Instruction ACPR 2025-I-08, applicable à la date de référence du 31 décembre 2025.

La taxonomie LCB-FT 2.4.0 remplacera les versions précédentes et introduit des mises à jour concernant le format des données, les règles de validation et la structure de contenu. Bien qu’il s’agisse actuellement d’une version projet, elle reflète les évolutions techniques et sémantiques attendues des exigences de reporting LCB-FT de l’ACPR, mises en œuvre via l’architecture XBRL et compatibles avec la plateforme de dépôt OneGate de la Banque de France.

La taxonomie est accompagnée de :

• un package technique XBRL complet (fichiers d’entrée, documentation, jeux d’exemples, règles de validation).
• une note de version décrivant les évolutions par rapport à la version antérieure.
• une période de consultation publique, ouverte jusqu’au 31 juillet 2025, invitant les établissements supervisés et les prestataires techniques à formuler des retours.

Champ d’application :

• établissements du secteur bancaire (établissements de crédit, entreprises d’investissement, établissements de paiement et de monnaie électronique).
• établissements du secteur assurantiel (assureurs, mutuelles, institutions de prévoyance) soumis au reporting LCB-FT.

Cette publication en version projet offre aux établissements un délai de six mois pour évaluer la préparation de leurs systèmes informatiques, aligner leurs dispositifs de reporting et valider les nouveaux processus de soumission. Compte tenu des possibles changements structurels du modèle de données, il est recommandé d’engager rapidement des tests techniques et de vérifier la compatibilité des intégrations et validations via OneGate.

On 13 August 2025, the Banque de France, via the e-Surfi Banque/Assurance portal, published the production version (2.4.0) of the LCB-FT taxonomy—applicable from the regulatory reference date of 31 December 2025. The taxonomy, which supports anti-money laundering (LCB) and counter-terrorist financing (FT) reporting requirements, implements the instructions of ACPR guidance 2025-I-08.

This version incorporates only minor updates compared to the July “draft” release—namely, the addition of four new validation controls. Detailed documentation—including release notes, descriptive notes, dictionaries, annotated templates, and control documentation—is available via e-Surfi.

The LCB-FT taxonomy is aligned with the architecture of EIOPA and EBA taxonomies, ensuring consistency in data modelling across regulatory frameworks.

For supervised entities in the banking and insurance sectors, this finalized taxonomy must be adopted for regulatory submissions starting from the year-end date of 31 December 2025. The incremental changes from the draft indicate a stable taxonomy structure, giving institutions time to align their reporting systems and validation processes.

Version française

Le 13 août 2025, la Banque de France, via le portail e-Surfi Banque/Assurance, a publié la version de production (2.4.0) de la taxonomie LCB-FT — applicable à partir de la date de référence réglementaire du 31 décembre 2025. La taxonomie, qui soutient les obligations de déclaration en matière de lutte contre le blanchiment de capitaux (LCB) et le financement du terrorisme (FT), met en œuvre les instructions de l’orientation ACPR 2025-I-08.

Cette version n’intègre que des mises à jour mineures par rapport à la version « projet » de juillet — à savoir l’ajout de quatre nouveaux contrôles de validation. Une documentation détaillée — comprenant les notes de version, notes descriptives, dictionnaires, modèles annotés et documentation des contrôles — est disponible via e-Surfi.

La taxonomie LCB-FT est alignée sur l’architecture des taxonomies de l’EIOPA et de l’EBA, garantissant une cohérence dans la modélisation des données au sein des cadres réglementaires.

Pour les entités supervisées des secteurs bancaire et assurantiel, cette taxonomie finalisée doit être adoptée pour les déclarations réglementaires à compter de la clôture de l’exercice du 31 décembre 2025. Les changements incrémentaux par rapport au projet indiquent une structure de taxonomie stable, laissant aux institutions le temps nécessaire pour aligner leurs systèmes de reporting et leurs processus de validation.

On 9 July 2025, ACPR published the AERAS 2024 activity report outlining its activities under the AERAS Convention, which facilitates access to insurance and credit for individuals with aggravated health risks. In 2024, the Commission received 273 requests, marking an 84% increase from 2023, largely due to the recovery of the property market and the introduction of an online contact form.

The Commission handled both individual mediation cases and systemic issues related to refusals of insurance, exclusions, and the application of the droit à l’oubli (right to be forgotten) and the Grille de Référence AERAS (reference table of pathologies). The report details the mediation process, including a pre-mediation phase, direct engagement with applicants, and structured intervention with insurers and banks.

Key statistics:

• 124 requests were deemed admissible.
• 87% of mediations confirmed compliance with AERAS; 13% led to a (partial) change in outcome.
• Main issues included: failure to follow the 3-level assessment process, improper application of the right to be forgotten, excessive surcharges, and refusal to consider alternative guarantees.

The Commission highlighted:

• An extension of the AERAS scope to professional loans for intangible assets.
• Ongoing difficulties in applying the right to be forgotten to conditions related to cancer sequelae.
• The need for better transparency in insurance refusal letters.
• Persistent inconsistencies in the application of the surcharge-capping mechanism.
• Continued lack of awareness or refusal by some lenders to consider substitute guarantees or insurance delegation, despite legal obligations.

The Commission emphasized improved processing timelines (down to 4 days on average), proactive dialogue with stakeholders, and contributions to legislative evolution, notably the Lemoine Law, which reinforces the right to be forgotten and removes medical questionnaires under certain conditions.

Version française

Le 9 juillet 2025, l’ACPR a publié le rapport d’activité AERAS 2024, présentant ses actions dans le cadre de la Convention AERAS, qui facilite l’accès à l’assurance et au crédit pour les personnes présentant un risque aggravé de santé. En 2024, la Commission a reçu 273 demandes, soit une augmentation de 84 % par rapport à 2023, principalement due à la reprise du marché immobilier et à la mise en place d’un formulaire de contact en ligne.

La Commission a traité à la fois des cas de médiation individuelle et des problématiques systémiques liées aux refus d’assurance, aux exclusions, ainsi qu’à l’application du droit à l’oubli et de la Grille de Référence AERAS. Le rapport détaille le processus de médiation, comprenant une phase de pré-médiation, des échanges directs avec les demandeurs et des interventions structurées auprès des assureurs et banques.

Chiffres clés :

• 124 demandes jugées recevables.
• 87 % des médiations ont confirmé la conformité à AERAS ; 13 % ont abouti à une modification (totale ou partielle) de la décision.
• principales difficultés constatées : non-respect du processus d’évaluation en 3 niveaux, mauvaise application du droit à l’oubli, surprimes excessives, refus de prendre en compte des garanties alternatives.

Points mis en avant par la Commission :

• extension du champ d’application d’AERAS aux prêts professionnels pour actifs immatériels.
• difficultés persistantes d’application du droit à l’oubli pour certaines séquelles liées au cancer.
• nécessité d’une meilleure transparence dans les courriers de refus d’assurance.
• incohérences persistantes dans l’application du mécanisme de plafonnement des surprimes.
• manque de sensibilisation ou refus de certains prêteurs à considérer les garanties de substitution ou la délégation d’assurance, malgré les obligations légales.

La Commission a souligné l’amélioration des délais de traitement (4 jours en moyenne), le dialogue proactif avec les parties prenantes et sa contribution aux évolutions législatives, notamment la loi Lemoine, qui renforce le droit à l’oubli et supprime les questionnaires médicaux sous certaines conditions.

On 28 July 2025, CNIL launched a public consultation on its draft recommendation concerning the deployment of web filtering gateways (also known as web proxies) in professional environments. This initiative forms part of the CNIL’s broader cybersecurity action plan and aims to support data controllers in aligning such tools with Article 32 GDPR on data security.

Web filtering gateways are cybersecurity solutions used by employers to monitor and restrict internet access across their information systems. They filter URLs, detect malicious content, and analyse employee browsing activity, often using advanced technologies such as AI, behavioural analysis, and automated decision-making. While these systems serve legitimate cybersecurity functions, they also involve processing of personal data, necessitating strict compliance with GDPR obligations, especially in terms of proportionality, transparency, and privacy-by-design.

The draft recommendation is aimed at data controllers (e.g. employers) who implement these gateways to protect employee internet access. The scope is limited to professional use and excludes use in public Wi-Fi contexts such as libraries, retail, or hospitality venues. The CNIL offers legal and practical guidance to ensure that such deployments respect data protection principles while achieving cybersecurity objectives.

The public consultation is open until 30 September 2025, and targets data controllers, processors, DPOs, CISOs, IT teams, and solution providers. It is not mandatory to respond to every part of the recommendation to participate. Contributions may be submitted individually or via associations and federations. After analysing the feedback, the CNIL will finalise and publish the updated recommendation. This will be followed by further CNIL publications on cybersecurity techniques and practices.

Version française

Le 28 juillet 2025, la CNIL a lancé une consultation publique sur son projet de recommandation relatif au déploiement de passerelles de filtrage web (également appelées web proxies) en environnement professionnel. Cette initiative s’inscrit dans le plan d’action global de la CNIL en matière de cybersécurité et vise à accompagner les responsables de traitement dans l’alignement de ces outils avec l’article 32 du RGPD relatif à la sécurité des données.

Les passerelles de filtrage web sont des solutions de cybersécurité utilisées par les employeurs pour surveiller et restreindre l’accès à Internet au sein de leurs systèmes d’information. Elles filtrent les URL, détectent les contenus malveillants et analysent l’activité de navigation des employés, en recourant souvent à des technologies avancées telles que l’IA, l’analyse comportementale et la prise de décision automatisée. Si ces systèmes remplissent une fonction légitime de cybersécurité, ils impliquent néanmoins un traitement de données personnelles, ce qui requiert une stricte conformité aux obligations du RGPD, notamment en matière de proportionnalité, de transparence et de privacy by design.

Le projet de recommandation s’adresse aux responsables de traitement (ex. employeurs) mettant en œuvre ces passerelles pour protéger l’accès Internet de leurs employés. Le périmètre est limité à l’usage professionnel et exclut les utilisations dans des contextes de Wi-Fi public (bibliothèques, commerces, hôtellerie, etc.). La CNIL fournit des recommandations juridiques et pratiques pour garantir le respect des principes de protection des données tout en atteignant les objectifs de cybersécurité.

La consultation publique est ouverte jusqu’au 30 septembre 2025 et s’adresse aux responsables de traitement, sous-traitants, DPO, RSSI, équipes informatiques et fournisseurs de solutions. Il n’est pas nécessaire de répondre à l’intégralité de la recommandation pour participer. Les contributions peuvent être transmises individuellement ou via des associations et fédérations. Après analyse des retours, la CNIL finalisera et publiera la recommandation mise à jour, suivie d’autres publications relatives aux techniques et pratiques de cybersécurité.

On 23 July 2025, the CNIL published an analytical article assessing the economic benefits of appointing a Data Protection Officer (DPO) within companies. Drawing on a 2024 survey of 3,625 DPOs conducted by AFPA (at the request of the French Ministry of Labour), and interviews with ten DPOs, the publication examines how companies perceive and benefit from GDPR compliance through the DPO role.

The findings suggest that DPOs create measurable value for companies that treat compliance as a strategic lever rather than a constraint. Key benefits include:

• Increased success in tenders, especially when personal data processing is involved (42% of DPOs confirm this; 50% when actively involved);
• Avoidance of sanctions and reputational damage, particularly in data-driven or consumer-facing business models;
• Reduced exposure to data breaches, with DPOs cited as instrumental in implementing training, detection, and mitigation measures;
• Operational savings and improved internal data governance, by streamlining data collection, retention, and processing.

The CNIL also highlights a correlation between positive perceptions of compliance and DPO satisfaction, resourcing, and effectiveness. In companies that empower DPOs, especially large enterprises or those with sensitive data practices, the return on investment is more pronounced.

The CNIL concludes that DPOs are not just a regulatory obligation under Article 37 GDPR, but a strategic asset that can deliver economic and reputational value. Recommendations include integrating DPOs into CSR and ISS (information systems security) strategies, including them in executive decisions, and quantifying compliance-related ROI.

Version française

Le 23 juillet 2025, la CNIL a publié un article d’analyse évaluant les bénéfices économiques de la désignation d’un délégué à la protection des données (DPO) au sein des entreprises. S’appuyant sur une enquête de 2024 menée auprès de 3 625 DPO par l’AFPA (à la demande du ministère du Travail), ainsi que sur des entretiens avec dix DPO, la publication examine la perception et les avantages liés à la conformité RGPD à travers ce rôle.

Les résultats indiquent que les DPO génèrent une valeur mesurable pour les entreprises qui considèrent la conformité comme un levier stratégique plutôt qu’une contrainte. Les principaux bénéfices identifiés sont :

• succès accru dans les appels d’offres, notamment lorsqu’ils impliquent des traitements de données personnelles (42 % des DPO le confirment ; 50 % lorsqu’ils sont activement impliqués) ;
• évitement des sanctions et atteintes à la réputation, en particulier pour les modèles d’affaires axés sur les données ou orientés vers le consommateur ;
• réduction de l’exposition aux violations de données, les DPO jouant un rôle clé dans la mise en place de formations, la détection et les mesures correctrices ;
• économies opérationnelles et amélioration de la gouvernance interne des données, via une rationalisation de la collecte, de la conservation et du traitement des données.

La CNIL souligne également une corrélation entre la perception positive de la conformité et la satisfaction, les ressources et l’efficacité des DPO. Dans les entreprises qui donnent aux DPO un rôle renforcé — en particulier les grandes structures ou celles manipulant des données sensibles — le retour sur investissement est plus marqué.

La CNIL conclut que les DPO ne sont pas seulement une obligation réglementaire au titre de l’article 37 du RGPD, mais également un atout stratégique susceptible de générer une valeur économique et réputationnelle. Elle recommande d’intégrer les DPO aux stratégies de RSE et de sécurité des systèmes d’information (SSI), de les inclure dans les décisions exécutives et de quantifier le ROI lié à la conformité.

On 22 July 2025, the CNIL released its final set of general recommendations on the development of AI systems, concluding a consultation process and aligning with the EDPB’s December 2024 opinion. The publication provides guidance on three key areas: the applicability of the GDPR to AI models, security during system development, and the conditions under which training data may be annotated. The CNIL reiterates that AI models trained on personal data often fall under the GDPR due to their potential to memorize identifiable data, and provides decision-making tools for assessing this applicability.

New materials include: a practical checklist and summary sheet to help organisations quickly identify relevant risks and obligations. The CNIL also confirms upcoming sectoral guidelines in education, health, and employment, alongside further recommendations on responsibilities across the AI value chain, notably model developers, integrators, and open-source contributors.

The CNIL is also investing in technical enablement tools. Notably, it has launched the PANAME project in partnership with ANSSI and PEReN to build a software library to audit whether AI models process personal data. Additionally, its LINC lab is advancing research on explainability (xAI), combining mathematical and social science approaches to enhance legal certainty for actors deploying explainable AI technologies.

Overall, this communication forms part of the CNIL’s 2025–2028 strategy and reflects a proactive approach to balancing innovation with GDPR compliance in the rapidly evolving AI ecosystem.

Version française

Le 22 juillet 2025, la CNIL a publié sa version finale de recommandations générales sur le développement des systèmes d’IA, clôturant ainsi un processus de consultation et s’alignant sur l’avis du CEPD de décembre 2024. La publication apporte des orientations sur trois axes clés : l’applicabilité du RGPD aux modèles d’IA, la sécurité lors du développement des systèmes, et les conditions dans lesquelles les données d’entraînement peuvent être annotées. La CNIL rappelle que les modèles d’IA entraînés sur des données personnelles relèvent souvent du RGPD en raison de leur capacité potentielle à mémoriser des données identifiables, et propose des outils d’aide à la décision pour évaluer cette applicabilité.

Nouveaux supports : une checklist pratique et une fiche synthétique sont mises à disposition pour aider les organisations à identifier rapidement les risques et obligations pertinents. La CNIL confirme également la publication prochaine de lignes directrices sectorielles dans l’éducation, la santé et l’emploi, ainsi que de recommandations complémentaires sur les responsabilités tout au long de la chaîne de valeur de l’IA, incluant développeurs de modèles, intégrateurs et contributeurs open source.

La CNIL investit aussi dans des outils techniques. Notamment, elle a lancé le projet PANAME en partenariat avec l’ANSSI et le PEReN afin de développer une bibliothèque logicielle permettant d’auditer si des modèles d’IA traitent des données personnelles. Parallèlement, son laboratoire LINC poursuit des travaux sur l’explicabilité (xAI), combinant approches mathématiques et sciences sociales pour renforcer la sécurité juridique des acteurs déployant des technologies d’IA explicables.

Dans l’ensemble, cette communication s’inscrit dans la stratégie 2025–2028 de la CNIL et illustre une approche proactive visant à concilier innovation et conformité au RGPD dans un écosystème de l’IA en rapide évolution.

On 8 July 2025, (ACPR)  issued a letter to AFECEI presenting the “Canevas RACI 2025”, an updated framework for the internal control reporting templates under French prudential regulations.

Scope and Impact:

This letter outlines mandatory RACI (Responsible, Accountable, Consulted, Informed) matrices that credit institutions, investment firms, payment institutions, and e?money issuers must include in their 2025 internal control reports. These templates complement the internal control reporting regime set by the arrêté of 3 November 2014, aligned with EU Regulation 2022/2554 (Digital Operational Resilience – DORA) and other prudential standards.

Key features:

• The letter attaches updated RACI matrices tailored by entity type, aligning internal control roles with regulatory requirements (e.g., IT risk, compliance, AML/CFT).
• Financial institutions must apply the template and submit RACI?based annexes via the ACPR's eSurfi/SURFI portal alongside their annual internal control report.
• A new annex on ICT risk reflects evolving obligations under DORA. Entities must map their governance structure, assigning clear responsibilities to control functions (e.g., CRO, CIO, compliance officer).
• The ACPR emphasizes that these templates are not optional—compliance requires formal adoption or documented justification of deviations.

Implications for compliance and risk team: the updated canevas requires reviewing governance structures, ensuring that each internal control domain (e.g., cyber resilience, outsourcing, financial crime) has clearly designated roles and accountability. Firms must adapt reporting systems and committee charters before year-end submission deadlines (likely by 30 April 2026) and ensure alignment with DORA annex requirements.

Version française

Le 8 juillet 2025, l’ACPR a adressé une lettre à l’AFECEI présentant le « Canevas RACI 2025 », un cadre actualisé pour les modèles de reporting du contrôle interne dans le cadre de la réglementation prudentielle française.

Portée et impact :

Cette lettre définit les matrices RACI (Responsible, Accountable, Consulted, Informed) que les établissements de crédit, entreprises d’investissement, établissements de paiement et établissements de monnaie électronique doivent obligatoirement intégrer dans leurs rapports de contrôle interne 2025. Ces canevas complètent le dispositif de reporting instauré par l’arrêté du 3 novembre 2014, en cohérence avec le Règlement (UE) 2022/2554 (DORA – résilience opérationnelle numérique) et d’autres standards prudentiels.

Éléments clés :

• la lettre joint des matrices RACI mises à jour, adaptées par type d’entité, alignant les rôles de contrôle interne sur les exigences réglementaires (par ex. risques IT, conformité, LCB/FT).
• les établissements doivent appliquer le canevas et transmettre les annexes RACI via le portail eSurfi/SURFI de l’ACPR, en complément du rapport annuel de contrôle interne.
• un nouvel annexe sur le risque ICT reflète les obligations issues de DORA. Les entités doivent y cartographier leur gouvernance et attribuer clairement les responsabilités aux fonctions de contrôle (par ex. CRO, CIO, responsable conformité).
• l’ACPR souligne que ces canevas ne sont pas optionnels — la conformité exige leur adoption formelle ou une justification documentée des éventuelles dérogations.

Implications pour les équipes conformité et risques : le canevas mis à jour impose de revoir les structures de gouvernance afin de s’assurer que chaque domaine de contrôle interne (cyber-résilience, externalisation, criminalité financière, etc.) dispose de rôles clairement définis et de responsabilités identifiées. Les établissements doivent adapter leurs systèmes de reporting et chartes de comités avant les échéances de soumission de fin d’exercice (probablement d’ici le 30 avril 2026) et garantir l’alignement avec les annexes exigées par DORA.

On 15 July 2025, ACPR (Via e- surfi) published a communication related  to the regulatory reporting format change mandated by the EBA.

The aim is to alert regulated entities that, starting with the March 2026 reference date (arrêté 03/2026), regulatory submissions previously made in xBRL-XML format must be filed in xBRL-CSV format. This change is mandated by the European Banking Authority (EBA) and reflects the broader EU push toward standardized and machine-readable supervisory reporting.

The change affects credit institutions, investment firms (IF), payment institutions (EP), electronic money institutions (EME), and financial companies (SF) subject to EBA technical reporting requirements. The ACPR confirms that any submission not compliant with xBRL-CSV will be rejected, and warns of the technical complexity of this format.

Key points:

• The OneGate homologation portal has been open for testing since 16 June 2025.
• Submissions for reference dates prior to March 2026 must still be filed in xBRL-XML.
• The submission file must be a Base64-encoded ZIP (containing the xBRL-CSV) embedded in an XML wrapper using the <csv> tag, as per the ACPR’s 2025 technical note.
• No ACPR/BdF assistance will be offered for file preparation; entities are urged to work with competent technical experts.
• The affected reporting modules include COREP, FINREP, ESG, IRBB, MREL, REMGAP, SBP, CIR, LDR, and others under EBA taxonomy 4.0 and beyond.

Firms are expected to ensure tool upgrades, internal readiness, and testing well ahead of the March 2026 cutoff to avoid disruptions and ensure compliance.

Version française

Le 15 juillet 2025, l’ACPR (via e-Surfi) a publié une communication relative au changement de format du reporting réglementaire imposé par l’EBA.

L’objectif est d’alerter les entités réglementées que, pour les arrêtés à compter de mars 2026 (03/2026), les déclarations réglementaires jusqu’ici transmises en xBRL-XML devront obligatoirement être déposées en xBRL-CSV. Cette évolution, imposée par l’Autorité bancaire européenne (EBA), s’inscrit dans la démarche européenne de standardisation et de lisibilité automatisée des reportings prudentiels.

Le changement concerne les établissements de crédit, entreprises d’investissement (IF), établissements de paiement (EP), établissements de monnaie électronique (EME) et sociétés financières (SF) soumises aux exigences techniques de reporting de l’EBA. L’ACPR confirme que toute soumission non conforme au format xBRL-CSV sera rejetée et souligne la complexité technique de ce format.

Points clés :

• le portail d’homologation OneGate est ouvert aux tests depuis le 16 juin 2025.
• les arrêtés antérieurs à mars 2026 doivent toujours être déposés en xBRL-XML.
• le fichier de soumission doit être un ZIP encodé en Base64 (contenant le xBRL-CSV), encapsulé dans un wrapper XML utilisant la balise <csv>, conformément à la note technique ACPR 2025.
• aucune assistance ACPR/BdF ne sera proposée pour la préparation des fichiers : les entités sont invitées à travailler avec des experts techniques compétents.
• les modules concernés incluent notamment COREP, FINREP, ESG, IRBB, MREL, REMGAP, SBP, CIR, LDR, et d’autres relevant de la taxonomie EBA 4.0 et ultérieures.

Les établissements doivent dès à présent s’assurer de la mise à niveau de leurs outils, de leur préparation interne et de la réalisation de tests en amont de l’échéance de mars 2026 afin d’éviter toute interruption et de garantir leur conformité.

On 10 July 2025, the BMJ published draft law on implementing Directive (EU) 2022/2464 on corporate sustainability reporting, as amended by Directive (EU) 2025/794.

The CSRD aims to encourage certain companies to report on the social and environmental impacts and risks of their operations. The aim of the draft law published today is to implement the directive with as little bureaucracy as possible.

The draft law on the implementation of the CSRD published today follows the principle of 1:1 implementation: it does not go beyond what is required by European law. It also already takes into account the time shift in the requirements due to the Stop-the-Clock Directive. In particular, the draft provides for the following:

Obligation to submit a sustainability report

In the future, affected companies will have to publish a so-called sustainability report together with their annual financial statements. In it, they will have to report on the social and environmental impact of their business activities. The scope and level of detail of sustainability reporting are to be regulated by law. The requirements go beyond the reporting obligations on sustainability information that are already in force today.

Gradual entry into force

The new sustainability reporting requirements will only affect certain companies and they are to come into force gradually. From the 2025 financial year, companies that are considered "large" in terms of accounting law, are capital market-oriented or are a credit institution or insurance company are to be subject to reporting obligations. An additional prerequisite is that they have an annual average of more than 1,000 employees. Which other companies will have to report on their sustainability from the 2027 financial year onwards according to European requirements is currently still being negotiated in Brussels.

Audit by auditors

In the future, the information in the sustainability reports will have to be audited by auditors. The aim is to ensure that the audit is carried out by knowledgeable, independent and qualified auditors who are subject to strict professional principles, continuous quality control and professional supervision. To this end, the professional regulations of the Auditors' Act are to be adapted.

On 25 July 2025, the Deutsche Bundesbank published Implementation of NACE Rev. 2.1 in Bank Statistical Reporting as of January 2026.

On 25 July 2025, the Deutsche Bundesbank issued Circular No. 40/2025 informing domestic banks, non-MFI credit institutions, securities firms, and asset management companies of the mandatory application of the revised statistical classification NACE Rev. 2.1 in bank statistical reporting starting 31 January 2026.

The new classification system aligns with the EU statistical standard and incorporates specific national adaptations through WZ 2025, developed by the Federal Statistical Office of Germany.

The ECB, in coordination with the EBA, will implement the change in a harmonized manner, following the recommendation of the Joint Bank Reporting Committee (JBRC).

All reports submitted for reference dates after 01 January 2026, including corrections to earlier data, must use NACE Rev. 2.1 and WZ 2025. Supporting documents and mapping tables are available on the Bundesbank’s website.

On 4 July 2025, the GFSC updated its AML/CFT/CPF Handbook.

The Commission has issued an amendment to the country list in Appendix I of the Handbook on Countering Financial Crime (AML/CFT/CPF) (the “Handbook”) reflecting the Financial Action Task Force (“FATF”)’s updated list of jurisdictions under increased monitoring, which added Bolivia and the British Virgin Islands. The British Virgin Islands have been added to Appendix I whereas Bolivia was already included due to being listed by other relevant external sources. FATF has removed Croatia, Mali and Tanzania from its list of jurisdictions under increased monitoring, however whilst Croatia is removed from Appendix I, Mali and Tanzania remain due to being listed by other relevant external sources.

The Commission wishes to remind all licensees that a jurisdiction’s inclusion on Appendix I does not automatically make business relationships with a connection to that jurisdiction high risk.  Licensees should consider the nature and materiality of that jurisdictional link in their risk assessment, particularly where the change in the jurisdictional risk has little or no impact on other relevant risk factors within the business relationship, such as the type of customer, the customer or beneficial owner’s risk profile, activities, source of wealth and funds, or to the product or service offered by the licensee.

On 23 July 2025, Ireland’s Minister for Finance adopted S.I. No. 310 of 2025, titled European Union (Information Accompanying Transfers of Funds) Regulations 2025. 

These regulations were enacted to give effect to Regulation (EU) 2023/1113 relating to information accompanying transfers of funds and certain crypto-assets, amending Directive (EU) 2015/849. The regulations include changes in definitions within the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, eliminating terms like "custodian wallet provider" and "virtual asset service provider" and introducing "crypto-asset service provider." 

The Central Bank of Ireland is designated as the competent authority, tasked with ensuring compliance and possessing necessary supervisory powers.

The regulations will commence on 1 August 2025 and revoke S.I. No. 608 of 2017, though existing directions and actions by the Bank are preserved.

On 10 July 2025, Ireland’s Minister for Finance adopted S.I. No. 311 of 2025, titled European Union (Anti-Money Laundering: Beneficial Ownership of Trusts) (Amendment) Regulations 2025, to align national law with Article 31 of Directive (EU) 2015/849, as amended by Directive (EU) 2024/1640.

The regulation amends S.I. No. 194 of 2021 by removing Regulation 27(6), which had allowed certain designated persons to delay verification of beneficial ownership information for trusts in limited circumstances. This deletion reflects the EU’s updated stance that verification of beneficial owners must no longer be deferred.

As a result, Regulation 29, which previously referenced the now-deleted paragraph (6), is also adjusted to refer only to paragraphs (1) and (3) of Regulation 27. These changes reinforce stricter AML compliance by requiring timely and complete verification of trust beneficial ownership data without exceptions.

The amendment entered into force on 10 July 2025.

On 27 August 2025, the Banca d'Italia updated its Circular no. 285 of 17 December 2013 on Supervisory provisions for banks.

The 50th update of 26 August 2025 reflects modifications made throughout various sections. 

The introductory provisions, under the “Scope of Application,” have been amended in Sections I and V. 

In Part Two, Chapter 1 on “Own Funds,” Sections I, II, and III have been modified, while Chapter 2 on “Capital Requirements” also saw changes in Sections I, II, and III. 

Chapter 3, covering “Credit Risk – Standardized Approach,” has been revised in Sections I through IV, and Chapter 4 on “Credit Risk – IRB Approach” has similarly updated Sections I through IV. 

In Chapter 5, concerning “Credit Risk Mitigation Techniques (CRM),” Sections I and II were modified. Chapter 10, on “Large Exposures,” saw changes in Sections I, III, and V, while Chapter 7 on “Counterparty Risk and Credit Valuation Adjustment Risk” has amendments in Sections I, II, and III. 

Chapter 8, covering “Operational Risk,” had modifications in Sections I, II, and III.

In Chapter 11 on “Liquidity,” Sections I, II, and III were updated, and Annex A was removed. Chapter 12, formerly titled “Leverage Ratio,” has been renamed “Financial Leverage Ratio,” with modifications in Sections I, II, and III. 

Chapter 14, addressing “Transitional Provisions on Own Funds,” has updates in Sections I and II.

In Part Three, Chapter 3 on “Covered Bonds” saw changes in Sections III and IV, and Chapter 4 on “Cooperative Banks” was modified in Sections I and IV.

On 23 July 2025, the JFSC published update to the Jersey Private Fund regime.

Effective from 6 August 2025, these changes:

• lift the 50-offer/investor cap;
• expand the definition of professional investor;
• allow the listing of interests in JPFs with the JFSC's consent;
• introduce a 24-hour authorisation process for JPF applications submitted by registered Designated Service Providers.

The revised JPF Guide and a new statutory instrument, the Collective Investment Funds (Jersey Private Funds) Order, demonstrate Jersey’s commitment to innovation and aligns with a global shift toward bespoke, efficient private fund vehicles for professional investors. These enhancements are the result of a focussed collaborative effort by the JFSC, the Jersey Funds Association, Jersey Association of Trust Companies, Jersey Finance, industry stakeholders and the Government of Jersey.

BACKGROUND

The Luxembourg government has long required professionals under the supervision of the AED (Autorité de surveillance du secteur financier, PFI) to comply with anti-money laundering (AML) and counter-terrorist financing (CFT) obligations. These requirements stem from the modified Law of 12 November 2004 (LBC/FT), which mandates that professionals conduct due diligence by identifying and verifying clients using reliable and independent sources. Previous guidance was provided through Circulars 792 (2019) and 792 bis (2020), which set standards for client verification, document requirements, and ongoing monitoring.

WHAT'S NEW?

On 28 July 2025, the PFI published Circular No. 792-ter, which replaces Circulars 792 and 792-bis. This circular reinforces and clarifies AML/CFT obligations, emphasizing that professionals must:

• Conduct client identification and verification before establishing a business relationship and maintain it continuously.
• Use valid, signed identity documents with a photo, with foreign documents being at least partially in English for comprehension.
• Apply a risk-based approach to the extent and method of verification.
• Maintain the burden of proof for client identity and due diligence.

Circular 792ter underscores the importance of ongoing vigilance tailored to a risk assessment, ensuring that professionals adapt their AML/CFT measures to client risk profiles.

WHAT'S NEXT?

Professionals under AED supervision must update their internal policies, procedures, and client onboarding processes to reflect the clarified guidance in Circular 792 ter. This includes reviewing documentation requirements, reinforcing ongoing monitoring procedures, and ensuring that staff are trained on the new risk-based verification standards. Compliance teams should integrate these practices into regular audits and reporting cycles and stay alert for any supplementary guidance or Q&A issued by the PFI.

Version française

BACKGROUND

Le gouvernement luxembourgeois exige depuis longtemps que les professionnels, placés sous la supervision de l’AED (Autorité de surveillance du secteur financier, PFI), respectent les obligations en matière de lutte contre le blanchiment d’argent (LBC) et de lutte contre le financement du terrorisme (LFT). Ces exigences découlent de la loi modifiée du 12 novembre 2004 (LBC/FT), qui impose aux professionnels d’exercer une diligence raisonnable en identifiant et vérifiant l’identité des clients à partir de sources fiables et indépendantes. Des directives antérieures avaient été fournies par les circulaires 792 (2019) et 792 bis (2020), qui définissaient les standards de vérification des clients, les exigences documentaires et le suivi continu.

WHAT'S NEW?

Le 28 juillet 2025, la PFI a publié la Circulaire n°792 ter, qui remplace les circulaires 792 et 792 bis. Cette circulaire renforce et clarifie les obligations en matière de LBC/LFT, en soulignant que les professionnels doivent :

• identifier et vérifier les clients avant d’établir une relation d’affaires et maintenir cette vérification en continu.
• utiliser des documents d’identité valides, signés et comportant une photo, les documents étrangers devant être au moins partiellement en anglais pour en garantir la compréhension.
• appliquer une approche fondée sur le risque quant à l’étendue et au mode de vérification.
• assumer la charge de la preuve de l’identité des clients et de la diligence raisonnable exercée.

La circulaire 792ter souligne l’importance d’une vigilance continue adaptée à l’évaluation des risques, afin que les professionnels ajustent leurs mesures LBC/LFT en fonction du profil de risque des clients.

WHAT'S NEXT?

Les professionnels supervisés par l’AED doivent mettre à jour leurs politiques internes, procédures et processus d’intégration des clients afin de refléter les directives clarifiées dans la circulaire 792 ter. Cela inclut la révision des exigences documentaires, le renforcement des procédures de suivi continu et la formation du personnel aux nouveaux standards de vérification fondés sur le risque. Les équipes de compliance doivent intégrer ces pratiques dans les audits et cycles de reporting réguliers et rester attentives à toute directive complémentaire ou Q&A publiée par la PFI.

BACKGROUND

On 1 July 2025, the PFI published Circular No. 768-33, relaying the outcomes of the June 2025 FATF plenary concerning jurisdictions with strategic AML/CFT deficiencies. This circular replaces the previous one from February 2025.

The objective is to inform Luxembourg-regulated entities of the FATF’s updated country lists and to reiterate the requirement to apply enhanced due diligence (EDD) or countermeasures depending on the risk profile of the jurisdictions identified.

WHAT'S NEW?

The circular identifies North Korea (DPRK) and Iran as jurisdictions subject to a FATF Call for Action, requiring countermeasures such as ceasing correspondent banking relationships, closing DPRK bank branches, restricting business relationships with nationals of these countries, and reporting suspicious transactions involving them. Iran remains on the list due to its failure to ratify the Palermo and Terrorist Financing Conventions. Myanmar is highlighted as a jurisdiction requiring enhanced due diligence, with potential countermeasures if insufficient progress is made. Additionally, the FATF “grey list” now includes Algeria, Angola, Nigeria, Vietnam, and new additions such as Bolivia and the British Virgin Islands. While not subject to countermeasures, these jurisdictions require heightened AML controls.

WHAT'S NEXT?

Luxembourg-regulated entities are expected to maintain enhanced monitoring procedures when transacting with persons or entities from the identified countries, implement reinforced suspicious transaction reporting to the Cellule de Renseignement Financier (CRF), and continuously update their AML/CFT risk assessments based on FATF developments. Institutions should also review and adjust internal controls to ensure compliance with countermeasures and heightened monitoring obligations.

Version française

BACKGROUND 

Le 1er juillet 2025, le PFI a publié la Circulaire n° 768-33, relayant les conclusions de la plénière du GAFI de juin 2025 concernant les juridictions présentant des défaillances stratégiques en matière de LBC/FT. Cette circulaire remplace celle de février 2025.

L’objectif est d’informer les entités réglementées au Luxembourg des mises à jour des listes de pays du GAFI et de rappeler l’obligation d’appliquer des mesures de vigilance renforcée (EDD) ou des contre-mesures, selon le profil de risque des juridictions identifiées.

WHAT'S NEW?

La circulaire identifie la Corée du Nord (RPDC) et l’Iran comme des juridictions faisant l’objet d’un appel à l’action du GAFI, impliquant l’application de contre-mesures telles que la cessation des relations de correspondants bancaires, la fermeture des succursales bancaires nord-coréennes, la restriction des relations d’affaires avec les ressortissants de ces pays, ainsi que la déclaration des transactions suspectes les impliquant. L’Iran reste sur la liste en raison de son refus de ratifier les Conventions de Palerme et de financement du terrorisme. Le Myanmar est quant à lui signalé comme une juridiction soumise à vigilance renforcée, avec des contre-mesures potentielles en cas d’absence de progrès suffisants. Par ailleurs, la « liste grise » du GAFI comprend désormais l’Algérie, l’Angola, le Nigeria, le Vietnam ainsi que de nouveaux ajouts tels que la Bolivie et les Îles Vierges britanniques. Bien que ces juridictions ne soient pas soumises à des contre-mesures, elles nécessitent un renforcement des contrôles LBCFT.

WHAT'S NEXT?

Les entités réglementées luxembourgeoises sont tenues de maintenir des procédures de surveillance renforcées pour les opérations impliquant des personnes ou entités issues des pays identifiés, de renforcer la déclaration des transactions suspectes auprès de la Cellule de Renseignement Financier (CRF) et de mettre à jour en continu leur évaluation des risques LBC/FT en fonction des évolutions des listes du GAFI. Les institutions doivent également revoir et adapter leurs contrôles internes pour assurer leur conformité aux contre-mesures et obligations de vigilance renforcée.

BACKGROUND

On 28 August 2025, the CSSF published its Annual Activity Report 2024. The report opens with a forward-looking preface on global geopolitical fragmentation, the need to mobilise private capital for digital and climate transitions, and the role of Luxembourg’s financial centre in capital markets, securitisation, blockchain and sustainable finance.

WHAT'S NEW?

The report details the CSSF’s activities across multiple supervisory areas and its contributions to European and international regulatory work:

• Banking & Macroprudential Supervision: Focus on real estate risks, credit quality, and ICT resilience. Luxembourg banks took part in the ECB 2024 stress test, which showed resilience with some identified vulnerabilities.
• Investment Funds & Markets: Luxembourg remained Europe’s largest fund centre (AUM > €5 trillion). The IMF’s 2024 Financial Sector Assessment Program confirmed fund resilience. The CSSF issued Circular 24/856 on NAV errors and investor protection.
• Sustainable Finance: Supervisory reviews of SFDR disclosures, inspections on climate risk governance and ICAAP, and on-site inspections at banks. Implementation of ESMA guidelines on ESG fund names to combat greenwashing.
• Digital Finance & Innovation: 52 projects handled by the Innovation Hub, mostly start-ups and RegTech. Contributions to MiCAR implementation and over 50 RTS/ITS. A joint CSSF–BCL survey assessed AI adoption in financial services.
• AML/CFT & Financial Crime: Intensified on-site inspections across banks, PFS, VASPs and funds. Recurring deficiencies noted, including screening gaps and weak monitoring. Luxembourg contributed to preparations for the new EU AML Authority.
• Pensions & Securitisation: 19 new pension schemes and six new pension funds authorised. Supervisory activity covered securitisation undertakings, with ESMA consultations on simplified templates.
• Consumer & Investor Protection: Processing of complaints, oversight of dispute resolution mechanisms, and management of deposit and investor protection schemes. Enhancements to financial education and fee comparison tools.

Operational highlights: The CSSF’s workforce grew to 983 employees. Under its “CSSF 5.0” strategy, it advanced digitalisation, redesigned the eDesk platform, and improved internal ESG performance (solar panels, lighting, EV charging).

Positioning: The report presents the CSSF as (i) a multi-sector national supervisor, (ii) a proactive contributor to EU regulatory convergence and market resilience, and (iii) a promoter of sustainability, digital transformation and user-centric supervision.

WHAT'S NEXT?

The report indicates continued supervisory focus on climate risk integration, AML/CFT enforcement, MiCAR implementation, investor protection, and digital finance innovation, in line with both EU convergence and Luxembourg market stability objectives.

Version française

BACKGROUND

Le 28 août 2025, la CSSF a publié son rapport annuel d’activité 2024. Le rapport s’ouvre sur une préface prospective portant sur la fragmentation géopolitique mondiale, la nécessité de mobiliser les capitaux privés pour les transitions numérique et climatique, ainsi que sur le rôle de la place financière luxembourgeoise dans les marchés de capitaux, la titrisation, la blockchain et la finance durable.

WHAT'S NEW?

Le rapport détaille les activités de la CSSF dans plusieurs domaines de surveillance ainsi que ses contributions aux travaux réglementaires européens et internationaux :

• surveillance bancaire et macroprudentielle : accent sur les risques immobiliers, la qualité du crédit et la résilience ICT. Les banques luxembourgeoises ont participé au test de résistance 2024 de la BCE, qui a confirmé leur résilience tout en identifiant certaines vulnérabilités.
• fonds d’investissement et marchés : le Luxembourg est resté le premier centre de fonds en Europe (AUM > 5 000 milliards €). Le programme FSAP 2024 du FMI a confirmé la résilience du secteur des fonds. La CSSF a publié la circulaire 24/856 sur les erreurs de VL et la protection des investisseurs.
• finance durable : contrôles des publications SFDR, inspections sur la gouvernance des risques climatiques et l’ICAAP, inspections sur place dans les banques. Mise en œuvre des lignes directrices de l’ESMA sur les dénominations de fonds ESG afin de lutter contre l’écoblanchiment.
• Finance numérique et innovation : 52 projets traités par l’Innovation Hub, principalement des start-up et RegTech. Contributions à la mise en œuvre de MiCAR et à plus de 50 RTS/ITS. Une enquête conjointe CSSF–BCL a évalué l’adoption de l’IA dans les services financiers.
• LCB/FT et criminalité financière : intensification des inspections sur place auprès des banques, PSF, VASP et fonds. Défauts récurrents relevés, notamment des lacunes dans le filtrage et un suivi insuffisant. Participation du Luxembourg aux préparatifs de la nouvelle Autorité européenne LCB-FT.
• retraite et titrisation : 19 nouveaux régimes de pension et six nouveaux fonds de pension autorisés. Activité de surveillance des organismes de titrisation, avec les consultations de l’ESMA sur les modèles simplifiés.
• protection des consommateurs et investisseurs : traitement des réclamations, surveillance des mécanismes de règlement des litiges, gestion des systèmes de protection des dépôts et des investisseurs. Améliorations en matière d’éducation financière et d’outils de comparaison des frais.

Points opérationnels : les effectifs de la CSSF ont atteint 983 employés. Dans le cadre de sa stratégie « CSSF 5.0 », l’autorité a poursuivi sa digitalisation, modernisé la plateforme eDesk et amélioré sa performance ESG interne (panneaux solaires, éclairage, bornes de recharge pour véhicules électriques).

Positionnement : le rapport présente la CSSF comme (i) un superviseur national multi-sectoriel, (ii) un contributeur proactif à la convergence réglementaire européenne et à la résilience des marchés, et (iii) un promoteur de la durabilité, de la transformation numérique et d’une supervision centrée sur l’utilisateur.

WHAT'S NEXT?

Le rapport souligne la poursuite de la priorité de surveillance sur l’intégration du risque climatique, l’application des règles LCB/FT, la mise en œuvre de MiCAR, la protection des investisseurs et l’innovation en finance numérique, en cohérence avec les objectifs de convergence européenne et de stabilité du marché luxembourgeois.

On 2 July 2025, CSSF published a press release related to the  Internalised Settlement Reporting under Article 9 of CSDR.

A new procedure titled “Internalised settlement reporting under Article 9 of CSDR” has been available since 1 July 2025.

In line with Article 9(1) of Regulation (EU) No 909/2014 (CSDR), settlement internalisers must report quarterly to their competent authority the aggregated volume and value of securities transactions they settle outside a securities settlement system.

To facilitate this reporting, the CSSF offers two submission options:

• Through the eDesk platform, or
• Via an API solution using the S3 protocol for structured exchange file submission.

The procedure includes the form:

• “Reporting by settlement internalisers in accordance with Article 9 of CSDR

Version française

Le 2 juillet 2025, la CSSF a publié un communiqué de presse relatif au reporting des règlements internalisés en vertu de l’article 9 du CSDR.

Une nouvelle procédure intitulée « Internalised settlement reporting under Article 9 of CSDR » est disponible depuis le 1er juillet 2025.

Conformément à l’article 9(1) du Règlement (UE) n° 909/2014 (CSDR), les internalisateurs de règlements doivent déclarer trimestriellement à leur autorité compétente le volume et la valeur agrégés des transactions sur instruments financiers qu’ils règlent en dehors d’un système de règlement-livraison de titres.

Afin de faciliter ce reporting, la CSSF met à disposition deux options de soumission :

• via la plateforme eDesk, ou
• via une solution API utilisant le protocole S3 pour la transmission de fichiers structurés.

La procédure inclut le formulaire :

• « Reporting by settlement internalisers in accordance with Article 9 of CSDR ».

On 07 July 2025, CSSF published a communication on the new procedure for MMF management reporting.

Following the CSSF communiqué of 16 April 2025, a new procedure for the management of money market fund (MMF) reports is available for testing on the eDesk PREPROD platform as of 1 July 2025, ahead of its formal implementation on 1 September 2025.

Testing can be performed using two methods:

• Manual document submission via the dedicated eDesk procedure
• Automated submission using the API (S3 protocol)

An updated user guide is accessible at: MMFR Handbook – CSSF Website

The eDesk PREPROD platform is designed for professionals to trial procedures in a sandbox environment before live rollout.

For technical questions or support, contact: edesk.preprod@cssf.lu

Version française

Le 7 juillet 2025, la CSSF a publié une communication concernant la nouvelle procédure de reporting pour la gestion des fonds monétaires (MMF).

À la suite du communiqué de la CSSF du 16 avril 2025, une nouvelle procédure de gestion des rapports des fonds monétaires est disponible pour test sur la plateforme eDesk PREPROD depuis le 1er juillet 2025, en amont de sa mise en œuvre officielle le 1er septembre 2025.

Les tests peuvent être effectués selon deux méthodes :

• soumission manuelle de documents via la procédure eDesk dédiée
• soumission automatisée via l’API (protocole S3)

Un guide utilisateur mis à jour est accessible ici :MMFR Handbook – site web de la CSSF

La plateforme eDesk PREPROD est conçue pour permettre aux professionnels d’expérimenter les procédures dans un environnement « sandbox » avant leur déploiement en production.

Pour toute question technique ou demande d’assistance, contacter : edesk.preprod@cssf.lu

BACKGROUND

On 18 July 2025, the CSSF published a form, linked to Circular CSSF 25/894, establishing a new reporting framework for Luxembourg-based alternative investment fund managers (AIFMs or GFIA) managing alternative investment funds (AIFs) that are not authorised by the CSSF and do not operate compartments. The initiative aims to enhance transparency and oversight of non-authorised AIFs, which remain outside the CSSF’s direct product authorisation regime.

The CSSF recalls that each AIFM is responsible for ensuring that the information submitted is accurate, complete, and consistent with applicable regulations. For authorised AIFMs, the CSSF also expects compliance of the AIF’s organisational and delegation structure with regulatory requirements. To assist firms, a guidance table of acceptable delegation configurations is available in the FAQ accompanying the circular.

WHAT'S NEW?

The form introduces a standardised dataset that AIFMs must provide for each non-authorised AIF under management. This dataset covers:

• Identification and regulatory data: including CSSF codes, national codes, LEI, supervisory authority, and authorisation status.
• Fund details: legal form, reference currency, financial year-end, ELTIF/EuVECA/EuSEF status.
• Service providers: depositary, NAV calculator, registrar agent, administrator, portfolio managers, and sub-delegates, with full identification and supervisory authority references.
• Investment strategy: one of the 35 strategies listed in Annex IV of Commission Delegated Regulation (EU) No 231/2013.
• Feeder structures: information on the master AIF, including identification, authorisation, supervisory authority, and service providers.

The CSSF requires AIFMs to indicate potential service providers at the launch stage if final designations are pending. Where changes occur after submission, the form must be updated within 10 working days of signing the agreement with the new provider.

In addition to the form, AIFMs must submit supporting documentation:

• latest version of the AIF’s articles of incorporation;
• latest prospectus/offering document (if available);
• latest annual report (if available);updated registration form for registered AIFMs.

Submission is carried out exclusively via the CSSF’s eDesk portal.

WHAT'S NEXT?

The new reporting requirement establishes a clear supervisory baseline for non-authorised AIFs, strengthening the CSSF’s ability to monitor delegation chains, service providers, and investment strategies in line with AIFMD principles.

Luxembourg-based AIFMs must identify the non-authorised AIFs under their management, prepare the required data according to the new form, and implement processes to ensure timely and accurate submission. This measure strengthens regulatory oversight and aligns transparency standards across both authorised and non-authorised AIFs.

Version française

BACKGROUND 

Le 18 juillet 2025, la CSSF a publié un formulaire, lié à la circulaire CSSF 25/894, établissant un nouveau cadre de reporting pour les gestionnaires de fonds d'investissement alternatifs (GFIA ou AIFM) basés au Luxembourg qui gèrent des fonds d'investissement alternatifs (AIF) non agréés par la CSSF et ne gèrent pas de compartiments. Cette initiative vise à renforcer la transparence et la surveillance des FIA non agréés, qui restent en dehors du régime d'agrément direct des produits de la CSSF.

La CSSF rappelle que chaque gestionnaire de fonds d'investissement alternatif est tenu de veiller à ce que les informations fournies soient exactes, complètes et conformes à la réglementation applicable. Pour les gestionnaires de fonds d'investissement alternatifs agréés, la CSSF exige également que la structure organisationnelle et de délégation du fonds d'investissement alternatif soit conforme aux exigences réglementaires. Afin d'aider les entreprises, un tableau indicatif des configurations de délégation acceptables est disponible dans la FAQ accompagnant la circulaire.

WHAT'S NEW?

Le formulaire présente un ensemble de données standardisées que les gestionnaires de fonds d'investissement alternatifs doivent fournir pour chaque fonds d'investissement alternatif non agréé qu'ils gèrent. Cet ensemble de données comprend :

• données d'identification et réglementaires : notamment les codes CSSF, les codes nationaux, le code LEI, l'autorité de surveillance et le statut d'agrément.
• informations sur le fonds : forme juridique, devise de référence, date de clôture de l'exercice, statut ELTIF/EuVECA/EuSEF.
• prestataires de services : dépositaire, calculateur de la valeur liquidative, agent chargé de la tenue des comptes, administrateur, gestionnaires de portefeuille et sous-délégataires, avec identification complète et références de l'autorité de surveillance.
• stratégie d'investissement : l'une des 35 stratégies énumérées à l'annexe IV du règlement délégué (UE) n° 231/2013 de la Commission.
• structures de feeder : informations sur le FIA maître, y compris l'identification, l'agrément, l'autorité de surveillance et les prestataires de services.

La CSSF exige des gestionnaires de FIA qu'ils indiquent les prestataires de services potentiels au stade du lancement si les désignations définitives sont en attente. En cas de changement après la soumission, le formulaire doit être mis à jour dans les 10 jours ouvrables suivant la signature du contrat avec le nouveau prestataire.

En plus du formulaire, les gestionnaires de FIA doivent soumettre les pièces justificatives suivantes :

• la dernière version des statuts du FIA ;
• le dernier prospectus/document d'offre (si disponible) ;
• le dernier rapport annuel (si disponible) ;
• le formulaire d'enregistrement mis à jour pour les gestionnaires de FIA enregistrés.

La soumission s'effectue exclusivement via le portail eDesk de la CSSF.

WHAT'S NEXT?

La nouvelle obligation de déclaration établit une base de référence claire en matière de surveillance pour les FIA non agréés, renforçant ainsi la capacité de la CSSF à contrôler les chaînes de délégation, les prestataires de services et les stratégies d'investissement conformément aux principes de la directive AIFMD.

Les gestionnaires de fonds d'investissement alternatifs basés au Luxembourg doivent identifier les fonds d'investissement alternatifs non agréés qu'ils gèrent, préparer les données requises conformément au nouveau formulaire et mettre en place des processus garantissant une soumission rapide et précise. Cette mesure renforce la surveillance réglementaire et harmonise les normes de transparence entre les fonds d'investissement alternatifs agréés et non agréés.

BACKGROUND

On 8 July 2025, the CSSF published the Law of 3 July 2025, which updates several core legislative texts to transpose and implement the EU’s latest Capital Markets Union (CMU) reforms. The law amends the Law of 5 April 1993 on the financial sector, the Transparency Law of 11 January 2008, and the MiFID II national transposition law of 30 May 2018.

The objective is to align Luxembourg’s framework with recent EU measures that improve capital markets access, enhance transparency, and establish the infrastructure for consolidated market data.

WHAT'S NEW?

The law incorporates multiple EU acts into national law:

1. Directive (EU) 2024/790 (MiFID II amendments)

• Expands powers for trading halts and oversight of commodity derivatives.
• Streamlines definitions and reporting rules to align with the revised MiFIR framework.

2. Regulation (EU) 2024/791 (MiFIR review)

• Introduces more granular pre- and post-trade transparency.
• Launches consolidated tapes (bonds first, followed by equities and ETFs).
• Abolishes payment for order flow (PFOF) to reinforce best execution.

3. Directive (EU) 2023/2864 (ESAP)

• Creates an EU-wide European Single Access Point for issuer data, with phased entry into force from 2027.

4. Directive (EU) 2024/2811 (Listing Act)

• Simplifies listing and disclosure obligations, with a focus on reducing burdens for SMEs.

WHAT'S NEXT?

The law requires stakeholders to adapt compliance, systems, and policies:

By October 2025: Luxembourg firms must apply the MiFID II changes on trading halts and reporting adjustments.

From 2025 onwards:

• Investment firms and trading venues must prohibit PFOF and update best execution policies.
• Systems must be upgraded to capture new transparency fields and prepare for consolidated tape data.

From 2027: Issuers must prepare for phased ESAP filings, with requirements extending gradually to 2030.

Luxembourg’s adoption of the Law of 3 July 2025 therefore completes national alignment with the EU CMU package, and requires banks, investment firms, market operators, and issuers to adjust trading rules, reporting infrastructures, and disclosure frameworks.

Version française

BACKGROUND

Le 8 juillet 2025, la CSSF a publié la loi du 3 juillet 2025, qui actualise plusieurs textes législatifs fondamentaux afin de transposer et de mettre en œuvre les dernières réformes de l'Union des marchés des capitaux (UMC) de l'UE. La loi modifie la loi du 5 avril 1993 sur le secteur financier, la loi sur la transparence du 11 janvier 2008 et la loi nationale de transposition de la directive MiFID II du 30 mai 2018.

L'objectif est d'aligner le cadre luxembourgeois sur les récentes mesures de l'UE qui améliorent l'accès aux marchés des capitaux, renforcent la transparence et mettent en place l'infrastructure nécessaire à la consolidation des données de marché.

WHAT'S NEW?

La loi intègre plusieurs actes de l'UE dans le droit national :

1. Directive (UE) 2024/790 (modifications de la MiFID II)

• élargit les pouvoirs en matière de suspension des négociations et de surveillance des dérivés sur matières premières.
• simplifie les définitions et les règles de déclaration afin de les aligner sur le cadre révisé du MiFIR.

2. Règlement (UE) 2024/791 (révision du MiFIR)

• introduit une transparence pré- et post-négociation plus granulaire.
• lance les bandes consolidées (d'abord pour les obligations, puis pour les actions et les ETF).
• supprime le paiement pour flux d'ordres (PFOF) afin de renforcer la meilleure exécution.

3. Directive (UE) 2023/2864 (ESAP)

• crée un point d'accès unique européen pour les données des émetteurs, avec une entrée en vigueur progressive à partir de 2027.

4. Directive (UE) 2024/2811 (loi sur la cotation)

• simplifie les obligations de cotation et de divulgation, en mettant l'accent sur la réduction des charges pour les PME.

WHAT'S NEXT?

La loi impose aux parties prenantes d'adapter leur conformité, leurs systèmes et leurs politiques :

D'ici octobre 2025 : les entreprises luxembourgeoises doivent appliquer les modifications apportées par la directive MiFID II concernant les suspensions de cotation et les ajustements des rapports.

À partir de 2025 :

• les entreprises d'investissement et les plateformes de négociation doivent interdire les PFOF et mettre à jour leurs politiques de meilleure exécution.
• les systèmes doivent être mis à niveau afin de prendre en compte les nouveaux champs de transparence et de se préparer à la consolidation des données.

À partir de 2027 : les émetteurs doivent se préparer à des dépôts ESAP échelonnés, les exigences s'étendant progressivement jusqu'en 2030.

L'adoption par le Luxembourg de la loi du 3 juillet 2025 achève donc l'alignement national sur le paquet CMU de l'UE et oblige les banques, les entreprises d'investissement, les opérateurs de marché et les émetteurs à adapter leurs règles de négociation, leurs infrastructures de reporting et leurs cadres de divulgation.

On 31 July 2025, Legilux published CSSF Regulation 25-03, which sets detailed prudential and valuation requirements for Luxembourg credit institutions issuing covered letters under the amended Law of 8 December 2021. The regulation aligns national provisions with EU covered bond frameworks (notably Directive 2019/2162 and CRR amendments under Regulations (EU) 2019/2160 and 2024/1623) and strengthens transparency, governance, and asset eligibility requirements for issuers.

The scope covers all credit institutions authorized to issue covered bonds, and the regulation outlines valuation rules for three main types of eligible cover assets: immovable property, movable property, and renewable energy assets (EnR). A fourth section governs the inclusion of derivative contracts in the cover pool, and a final section specifies reporting and publication obligations to the CSSF.

Key provisions include:

• Prudent, standardized valuation of cover assets in line with CRR and EBA Guidelines (EBA/GL/2020/06), with regular revaluations and backtesting for statistical models.
• Independent valuers must conduct assessments, free of conflicts of interest and outside the credit approval process.
• Dedicated rules for EnR assets, including ERV vs. JV estimation, DCF-based valuation, risk-adjusted discounting, and sensitivity analysis.
• Strict eligibility and quality criteria for derivatives and counterparties (must be low-default-risk institutions).
• Mandatory CSSF reporting (quarterly/annual tables) and publication of key data on the CSSF website.

Impact: The regulation has direct implications for covered bond issuers and structurers. While UCITS and AIF managers are not directly regulated under this text, it is strategically relevant if they invest in lettres de gage, structure funds around covered bond portfolios, or hold significant exposures to EnR assets potentially used as collateral. The detailed EnR valuation methodology may also inform cross-asset ESG valuation frameworks.

Version française

Le 31 juillet 2025, Legilux a publié le Règlement CSSF 25-03, qui établit des exigences prudentielles et d’évaluation détaillées pour les établissements de crédit luxembourgeois émettant des lettres de gage en vertu de la loi modifiée du 8 décembre 2021. Ce règlement aligne les dispositions nationales sur les cadres européens relatifs aux obligations sécurisées (covered bonds) — notamment la Directive 2019/2162 et les modifications du CRR introduites par les Règlements (UE) 2019/2160 et 2024/1623 — et renforce les obligations de transparence, de gouvernance et d’éligibilité des actifs de couverture pour les émetteurs.

Le champ d’application couvre tous les établissements de crédit autorisés à émettre des lettres de gage. Le règlement définit des règles de valorisation pour trois grandes catégories d’actifs éligibles : biens immobiliers, biens mobiliers et actifs liés aux énergies renouvelables (EnR). Une quatrième section encadre l’inclusion des contrats dérivés dans le pool de couverture, et une dernière section précise les obligations de reporting et de publication auprès de la CSSF.

Principales dispositions :

• valorisation prudente et standardisée des actifs de couverture, conforme au CRR et aux lignes directrices de l’EBA (EBA/GL/2020/06), avec des réévaluations régulières et des backtests pour les modèles statistiques.
• recours obligatoire à des évaluateurs indépendants, exempts de conflits d’intérêts et extérieurs au processus d’octroi de crédit.
• règles spécifiques pour les actifs EnR : estimation ERV vs JV, valorisation fondée sur les flux de trésorerie actualisés (DCF), actualisation ajustée du risque et analyses de sensibilité.
• critères stricts d’éligibilité et de qualité pour les dérivés et leurs contreparties (institutions à faible risque de défaut uniquement).
• reporting obligatoire auprès de la CSSF (tableaux trimestriels/annuels) et publication de données clés sur le site de la CSSF.

Impact : Ce règlement a un impact direct sur les émetteurs et arrangeurs de lettres de gage. Bien que les sociétés de gestion UCITS et AIF ne soient pas directement régulées par ce texte, il est stratégiquement pertinent lorsqu’elles investissent dans des lettres de gage, structurent des fonds autour de portefeuilles d’obligations sécurisées ou détiennent des expositions significatives sur des actifs EnR pouvant servir de collatéral. La méthodologie détaillée de valorisation des EnR pourrait également inspirer l’élaboration de cadres transversaux d’évaluation ESG.

On 3 July 2025, the CSSF published the CSSF Regulation No 25-02 of 30 June 2025.

On 30 June 2025, the CSSF adopted Regulation No. 25-2, setting the countercyclical capital buffer (CCyB) rate for the third quarter of 2025.

Pursuant to Article 59-7 of the Law of 5 April 1993 and after consultation with the Banque centrale du Luxembourg and the Systemic Risk Committee (recommendation CRS/2025/003 of 10 June 2025), the CSSF decided:

The CCyB rate applicable to relevant exposures located in Luxembourg remains unchanged at 0.50% for Q3 2025.

This decision was not opposed by the European Central Bank, in line with Article 5 of the SSM Regulation (EU) No 1024/2013.

The regulation enters into force on the date of its publication in the Official Journal of the Grand Duchy of Luxembourg and will also be published on the CSSF website.

Version française

Le 3 juillet 2025, la CSSF a publié le Règlement CSSF n° 25-02 du 30 juin 2025.

Le 30 juin 2025, la CSSF a adopté le règlement n° 25-02 fixant le taux du coussin contracyclique de fonds propres (CCyB) pour le troisième trimestre 2025.

Conformément à l’article 59-7 de la loi du 5 avril 1993 et après consultation de la Banque centrale du Luxembourg et du Comité du risque systémique (recommandation CRS/2025/003 du 10 juin 2025), la CSSF a décidé :

Le taux du CCyB applicable aux expositions pertinentes localisées au Luxembourg reste inchangé à 0,50 % pour le T3 2025.

Cette décision n’a pas été contestée par la Banque centrale européenne, conformément à l’article 5 du règlement MSU (Règlement (UE) n° 1024/2013).

Le règlement entre en vigueur à la date de sa publication au Journal officiel du Grand-Duché de Luxembourg et sera également publié sur le site internet de la CSSF.

On 7 July 2025, the CSSF published a communiqué announcing the launch of the "Management of MMF reports" procedure on the eDesk PREPROD platform, available for testing as of 1 July 2025. This is in preparation for the new MMF reporting transmission rules coming into force on 1 September 2025, as originally communicated on 16 April 2025.

The PREPROD version allows entities to test two transmission methods:

• Manual submission via the dedicated eDesk procedure;
• Automated submission via API using the S3 protocol.

The update aligns with the CSSF’s move to modernize data collection and enhance digital supervision through standardized, API-compatible channels. The updated user guide for MMF reporting has been published.

Version française

Le 7 juillet 2025, la CSSF a publié un communiqué annonçant le lancement de la procédure « Management of MMF reports » sur la plateforme eDesk PREPROD, disponible en test depuis le 1er juillet 2025. Cette étape prépare l’entrée en vigueur des nouvelles règles de transmission des reportings MMF prévue pour le 1er septembre 2025, comme initialement communiqué le 16 avril 2025.

La version PREPROD permet aux entités de tester deux méthodes de transmission :

• soumission manuelle via la procédure eDesk dédiée ;
• soumission automatisée via une API utilisant le protocole S3.

Cette évolution s’inscrit dans la volonté de la CSSF de moderniser la collecte de données et de renforcer la supervision numérique au moyen de canaux standardisés et compatibles avec les API. Un guide utilisateur mis à jour pour le reporting MMF a été publié.

On 25 July 2025, the CSSF issued a communiqué reminding all supervised entities of their obligation to report ICT-related incidents in accordance with Circular CSSF 25/893 (implementing Article 11 of DORA) and/or Circular CSSF 24/847 (pre-DORA transitional guidance).

This supervisory reminder comes in the wake of recent ICT incidents that received public and media coverage. The CSSF underlines that public knowledge or press coverage of an incident does not remove the reporting obligation. Regulated entities must act independently of external disclosures and submit notifications as required by law.

Supervised entities are advised to:

• Re-examine Circulars 25/893 and 24/847 to understand reporting criteria, thresholds, timelines, and reporting channels (e.g. secure CSSF eDesk submission).
• Distinguish between significant ICT-related incidents (e.g. service disruptions, data breaches, cyberattacks) that require immediate or rapid notification.
• Ensure that incident classification and escalation procedures are clearly defined and that key staff are trained accordingly.

The CSSF’s message is especially relevant in the context of the Digital Operational Resilience Act (DORA), applicable from 17 January 2025, and reflects the authority’s expectations for full operational compliance and risk-based vigilance in the ICT domain.

This communiqué does not introduce new rules but serves as a regulatory nudge to reinforce accountability and timely communication with the supervisor.

Version française

Le 25 juillet 2025, la CSSF a publié un communiqué rappelant à l’ensemble des entités supervisées leur obligation de déclarer les incidents liés aux TIC conformément à la circulaire CSSF 25/893 (mise en œuvre de l’article 11 de DORA) et/ou à la circulaire CSSF 24/847 (dispositif transitoire pré-DORA).

Ce rappel de surveillance intervient à la suite de récents incidents TIC ayant fait l’objet d’une couverture médiatique. La CSSF souligne que la connaissance publique ou la médiatisation d’un incident ne dispense en aucun cas de l’obligation de déclaration. Les entités réglementées doivent agir indépendamment des divulgations externes et soumettre les notifications conformément aux exigences légales.

Les entités supervisées sont invitées à :

• relire les circulaires 25/893 et 24/847 afin de bien comprendre les critères de déclaration, les seuils, les délais et les canaux de transmission (par ex. soumission sécurisée via eDesk CSSF).
• -distinguer les incidents TIC significatifs (ex. interruptions de service, violations de données, cyberattaques) nécessitant une notification immédiate ou rapide.
• s’assurer que les procédures de classification et d’escalade des incidents soient clairement définies et que le personnel clé soit correctement formé.

Ce communiqué s’inscrit dans le contexte de l’application de DORA depuis le 17 janvier 2025 et reflète les attentes de la CSSF en matière de conformité opérationnelle et de vigilance fondée sur les risques dans le domaine des TIC.

Il ne crée pas de nouvelles règles, mais constitue un rappel réglementaire visant à renforcer la responsabilité et la communication en temps utile avec l’autorité de surveillance.

BACKGROUND

Historically, the CSSF regulated and collected reporting from Luxembourg-authorised AIFs, including UCITS, Part II funds, SIFs, and SICARs, through existing circulars and regulatory filings. Non-authorised AIFs, including multi-compartment structures, were largely outside the scope of formal reporting obligations. Circular CSSF 25/894 established general transparency principles for AIFMs but did not mandate structured reporting for non-authorised AIFs.

WHAT'S NEW?

On 18 July 2025, the CSSF published mandatory notification requirements for Luxembourg-authorised AIFMs managing non-authorised AIFs, including multi-compartment funds. A dedicated form must now be submitted via the eDesk portal with detailed information on each AIF and its compartments. For each compartment, AIFMs must provide identification data, management start date, investment strategy, delegated and sub-delegated managers, ELTIF status if applicable, and fund share/unit details. For feeder compartments, master fund information is required. Provisional service providers can be listed at launch but must be updated within 10 business days of final appointment. The form must be accompanied by relevant fund documents, including statutes, prospectus/offering documents, and the most recent annual report. AIFMs are reminded to ensure accuracy, completeness, and compliance with AIFMD delegation and organisational rules.

WHAT'S NEXT?

Luxembourg-based AIFMs must identify all non-authorised AIFs under their management, gather the required data, and implement reporting processes to ensure timely and accurate submissions via eDesk. They must also maintain ongoing updates to reflect changes in service providers or structural arrangements. This measure strengthens risk-based supervision of unregulated AIFs and aligns transparency standards for both authorised and non-authorised AIFs under the AIFMD framework. Compliance teams should integrate this process into their regular reporting cycle and monitor any CSSF Q&A updates or guidance clarifying acceptable delegation structures.

Version française

BACKGROUND

Historiquement, la CSSF a régulé et collecté les informations déclaratives des FIA luxembourgeois autorisés, y compris les UCITS, les fonds de type Part II, les SIF et les SICAR, au moyen des circulaires existantes et des obligations de déclaration réglementaires. Les FIA non autorisés, y compris les structures à compartiments multiples, étaient largement en dehors du champ des obligations de reporting formel. La circulaire CSSF 25/894 a établi des principes généraux de transparence pour les AIFM, mais n’imposait pas de reporting structuré pour les FIA non autorisés.

WHAT'S NEW?

Le 18 juillet 2025, la CSSF a publié des exigences obligatoires de notification pour les AIFM luxembourgeois autorisés gérant des FIA non autorisés, y compris les fonds à compartiments multiples. Un formulaire dédié doit désormais être soumis via le portail eDesk, contenant des informations détaillées sur chaque FIA et ses compartiments. Pour chaque compartiment, les AIFM doivent fournir les données d’identification, la date de début de gestion, la stratégie d’investissement, les gestionnaires délégués et sous-délégués, le statut ELTIF le cas échéant, ainsi que les détails sur les parts/actions du fonds. Pour les compartiments feeder, les informations sur le master fund sont également requises. Les prestataires de services provisoires peuvent être indiqués lors du lancement, mais le formulaire doit être mis à jour dans les 10 jours ouvrables suivant leur nomination définitive. Le formulaire doit être accompagné des documents pertinents du fonds, notamment les statuts, le prospectus/document d’offre et le dernier rapport annuel. Les AIFM sont rappelés à veiller à l’exactitude et à l’exhaustivité des données, ainsi qu’au respect des règles organisationnelles et de délégation prévues par l’AIFMD.

WHAT'S NEXT?

Les AIFM basés au Luxembourg doivent identifier tous les FIA non autorisés sous leur gestion, collecter les données requises et mettre en place des processus de reporting garantissant des soumissions ponctuelles et exactes via le portail eDesk. Ils doivent également assurer des mises à jour continues afin de refléter tout changement de prestataires de services ou de structures du fonds. Cette mesure renforce la supervision basée sur le risque des FIA non régulés et harmonise les standards de transparence pour les FIA autorisés et non autorisés dans le cadre de l’AIFMD. Les équipes de compliance doivent intégrer ce processus dans leur cycle de reporting régulier et suivre toute mise à jour des Q&A de la CSSF ou tout guide clarifiant les structures de délégation acceptables.

On 8 August 2025, CSSF published dedicated Data Entry Form for Investment Firm information updates

The CSSF has introduced a dedicated Excel-based data entry form to streamline the process of updating investment firm information. Effective immediately, any changes subject to prior authorisation or notification must be communicated to the CSSF using this form. Submissions that do not utilise the specified Excel files will be considered invalid and will not be processed.

Key Updates Requiring Submission via the Dedicated Form

• General Entity Information: Updates such as company name, address, contact persons, General Meeting date, and articles of incorporation.
• Services and Activities: Requests to change the services and activities provided.
• Management Bodies: Requests to change the Board of Directors and authorised management.
• Shareholders: Requests to change shareholders with a qualifying holding and updates on shareholders, including those without a qualifying holding.
• Key Function Holders: Requests to change key function holders.
• Approved Statutory Auditor: Requests to change the réviseur d’entreprises agréé (approved statutory auditor).
• Representative Office: Requests to open a representative office.
• Tied Agents: Requests to use tied agents.

The dedicated Excel file includes specific sheets for various situations. Investment firms must complete the relevant sheet corresponding to their request and may attach supporting documents in PDF format where appropriate. Completed forms should be submitted via the firm's dedicated folder on the MFT platform, with all supporting documents uploaded separately into a sub-folder.

This initiative aims to optimise processes and ensure efficient handling of updates and changes within the investment firm sector.

Version française

Le 8 août 2025, la CSSF a publié un formulaire dédié de saisie de données pour les mises à jour d’informations des entreprises d’investissement.

La CSSF a introduit un formulaire spécifique sous Excel afin de rationaliser le processus de mise à jour des informations des entreprises d’investissement. Avec effet immédiat, toute modification soumise à autorisation préalable ou notification doit être communiquée à la CSSF au moyen de ce formulaire. Les soumissions qui n’utilisent pas les fichiers Excel spécifiés seront considérées comme invalides et ne seront pas traitées.

Mises à jour clés nécessitant une soumission via le formulaire dédié :

• informations générales sur l’entité : mises à jour telles que la raison sociale, l’adresse, les personnes de contact, la date de l’assemblée générale et les statuts.
• services et activités : demandes de modification des services et activités fournis.
• organes de direction : demandes de modification du conseil d’administration et de la direction autorisée.
• actionnaires : demandes de modification des actionnaires détenant une participation qualifiée et mises à jour concernant les actionnaires, y compris ceux ne détenant pas de participation qualifiée.
• titulaire de fonctions clés : demandes de modification des titulaires de fonctions clés.
• réviseur d’entreprises agréé : demandes de modification du réviseur d’entreprises agréé.
• bureau de représentation : demandes d’ouverture d’un bureau de représentation.
• agents liés : demandes relatives à l’utilisation d’agents liés.

Le fichier Excel dédié comprend des onglets spécifiques pour différentes situations. Les entreprises d’investissement doivent compléter l’onglet correspondant à leur demande et peuvent joindre des documents justificatifs au format PDF, le cas échéant. Les formulaires complétés doivent être soumis via le dossier dédié de l’entreprise sur la plateforme MFT, avec tous les documents justificatifs téléchargés séparément dans un sous-dossier.

Cette initiative vise à optimiser les processus et à garantir une gestion efficace des mises à jour et des modifications dans le secteur des entreprises d’investissement.

BACKGROUND

On 18 August 2025, the CSSF issued Circular CSSF 25/896, adopting the European Banking Authority’s Guidelines (EBA/GL/2024/14 and EBA/GL/2024/15) on internal policies, procedures, and controls for the implementation of Union and national restrictive measures (sanctions).

The circular integrates the EBA Guidelines into CSSF’s supervisory approach in order to promote convergence across the EU. It applies to a broad range of regulated entities, including credit institutions, investment firms, PSPs, e-money institutions, CASPs, and VASPs.

WHAT'S NEW?

The first set of guidelines (EBA/GL/2024/14) requires institutions to establish a clear governance structure, including the appointment of a senior staff member responsible for sanctions compliance, regular exposure assessments, and up-to-date internal policies and staff training. Institutions must be able to promptly identify and freeze sanctioned assets and prevent circumvention of restrictive measures.

The second set (EBA/GL/2024/15) adds detailed requirements for PSPs and CASPs when executing transfers of funds or crypto-assets under Regulation (EU) 2023/1113. These include implementing reliable screening systems, managing sanctions lists, screening transactions before execution, and suspending or reporting transfers where designated persons are involved. Provisions also cover outsourcing, alert management, and ongoing monitoring of systems.

While the guidelines stress proportionality depending on the size, complexity, and risk profile of institutions, the CSSF underlines that this flexibility does not replace the binding obligation to freeze and block assets of sanctioned entities.

WHAT'S NEXT?

The circular applies from 30 December 2025. VASPs remain subject to these rules during their transitional registration period until July 2026 or until full authorisation under MiCAR. From 10 July 2027, the new EU framework under Regulation (EU) 2024/1624 will take precedence, and the guidelines will need to be adapted accordingly.

Version française

BACKGROUND

Le 18 août 2025, la CSSF a publié la Circulaire CSSF 25/896, adoptant les Lignes directrices de l’Autorité bancaire européenne (EBA/GL/2024/14 et EBA/GL/2024/15) relatives aux politiques internes, procédures et contrôles pour la mise en œuvre des mesures restrictives de l’Union et nationales (sanctions).

La circulaire intègre les lignes directrices de l’EBA dans l’approche de surveillance de la CSSF afin de favoriser la convergence au sein de l’UE. Elle s’applique à un large éventail d’entités réglementées, y compris les établissements de crédit, les entreprises d’investissement, les prestataires de services de paiement, les établissements de monnaie électronique, les CASP et les VASP.

WHAT'S NEW?

Le premier ensemble de lignes directrices (EBA/GL/2024/14) impose aux institutions de mettre en place une structure de gouvernance claire, incluant la désignation d’un cadre supérieur responsable de la conformité en matière de sanctions, la réalisation régulière d’évaluations d’exposition, ainsi que l’actualisation des politiques internes et la formation du personnel. Les institutions doivent être en mesure d’identifier et de geler rapidement les avoirs sanctionnés et d’empêcher le contournement des mesures restrictives.

Le second ensemble (EBA/GL/2024/15) ajoute des exigences détaillées pour les prestataires de services de paiement (PSP) et les CASP lors de l’exécution de transferts de fonds ou de crypto-actifs dans le cadre du Règlement (UE) 2023/1113. Celles-ci incluent la mise en œuvre de systèmes de filtrage fiables, la gestion des listes de sanctions, le contrôle des transactions avant exécution, ainsi que la suspension ou la déclaration des transferts impliquant des personnes désignées. Les dispositions couvrent également l’externalisation, la gestion des alertes et le suivi continu des systèmes.

Bien que les lignes directrices insistent sur le principe de proportionnalité en fonction de la taille, de la complexité et du profil de risque des institutions, la CSSF souligne que cette flexibilité ne remplace en aucun cas l’obligation contraignante de geler et bloquer les avoirs des entités sanctionnées.

WHAT'S NEXT?

La circulaire s’applique à partir du 30 décembre 2025. Les VASP demeurent soumis à ces règles durant leur période transitoire d’enregistrement jusqu’en juillet 2026 ou jusqu’à leur autorisation complète au titre de MiCAR. À compter du 10 juillet 2027, le nouveau cadre européen prévu par le Règlement (UE) 2024/1624 prévaudra, et les lignes directrices devront être adaptées en conséquence.

The European Union is gearing up for a major change in post-trading infrastructure with the adoption of a T+1 settlement cycle, aiming to boost the resilience, efficiency, and global competitiveness of European capital markets.

On 30 June 2025, the EU T+1 Industry Committee—formed by ESMA, the European Commission, and the ECB—published a High-Level Roadmap detailing the key actions and milestones necessary for a smooth transition by October 2027.

A public consultation, open until 31 August 2025 and hosted by ESMA, invites market participants and institutions to provide feedback.

The shift to T+1 will entail substantial operational, technological, legal, and behavioural changes across the settlement chain, affecting trading venues, CSDs, asset managers, custodians, and intermediaries.

The CSSF encourages Luxembourg stakeholders to actively engage in the process by identifying challenges, mitigating risks, and exploring opportunities—especially concerning cross-border settlement, asset servicing, and funding liquidity.

Version française

L’Union européenne se prépare à une évolution majeure de l’infrastructure post-marché avec l’adoption du cycle de règlement T+1, visant à renforcer la résilience, l’efficacité et la compétitivité mondiale des marchés de capitaux européens.

Le 30 juin 2025, le Comité T+1 de l’industrie de l’UE — constitué par l’ESMA, la Commission européenne et la BCE — a publié une feuille de route de haut niveau détaillant les principales actions et étapes nécessaires pour une transition harmonieuse d’ici octobre 2027.

Une consultation publique, ouverte jusqu’au 31 août 2025 et hébergée par l’ESMA, invite les acteurs de marché et institutions à transmettre leurs observations.

Le passage au T+1 impliquera des changements opérationnels, technologiques, juridiques et comportementaux importants dans toute la chaîne de règlement, touchant les plateformes de négociation, les CSD, les gestionnaires d’actifs, les dépositaires et les intermédiaires.

La CSSF encourage les parties prenantes luxembourgeoises à participer activement au processus en identifiant les défis, en atténuant les risques et en explorant les opportunités — en particulier en ce qui concerne le règlement transfrontalier, les services aux actifs et la liquidité de financement.

On 9 July 2025, the CSSF published a communiqué drawing stakeholders’ attention to the High-Level Roadmap to T+1 Settlement in the EU, published on 30 June 2025 by the EU T+1 Industry Committee, convened by ESMA, the European Commission, and the ECB. This roadmap outlines key steps for the transition of the European capital markets to a T+1 securities settlement cycle by October 2027, aligning the EU with global moves—particularly the U.S.—toward shorter settlement times.

The roadmap highlights operational, legal, and technological dependencies and milestones. A public consultation is open via ESMA until 31 August 2025, inviting feedback from trading venues, custodians, asset managers, CSDs, and other intermediaries on challenges and readiness.

T+1 will require a comprehensive re-engineering of post-trade operations, including adjustments to:

• Trade affirmation/confirmation cycles
• Cross-border settlement arrangements
• Custody and asset servicing workflows
• Funding liquidity and FX processes

The CSSF encourages Luxembourg stakeholders—especially those involved in cross-border fund distribution and settlement—to assess the operational impacts and contribute to shaping the policy framework. While the roadmap is not binding, it sets in motion critical preparatory actions expected of financial institutions and market infrastructures.

This initiative is part of the EU’s Capital Markets Union (CMU) agenda to strengthen market resilience, reduce settlement risk, and improve competitiveness.

Version française

Le 9 juillet 2025, la CSSF a publié un communiqué attirant l’attention des parties prenantes sur la Feuille de route stratégique pour le passage au règlement T+1 dans l’UE, publiée le 30 juin 2025 par le Comité européen T+1, réuni par l’ESMA, la Commission européenne et la BCE. Cette feuille de route expose les étapes clés de la transition des marchés de capitaux européens vers un cycle de règlement des titres à J+1 d’ici octobre 2027, en alignement avec les évolutions internationales – notamment aux États-Unis – vers des délais de règlement plus courts.

La feuille de route met en évidence les dépendances et jalons opérationnels, juridiques et technologiques. Une consultation publique est ouverte via l’ESMA jusqu’au 31 août 2025, afin de recueillir les retours des plateformes de négociation, dépositaires, gestionnaires d’actifs, dépositaires centraux (CSD) et autres intermédiaires sur les défis à relever et leur niveau de préparation.

Le passage à T+1 impliquera une refonte complète des opérations post-marché, incluant des ajustements en matière de :

• cycles d’affirmation et de confirmation des transactions
• dispositifs de règlement transfrontaliers
• flux opérationnels de conservation et de services aux actifs
• processus de liquidité de financement et de change

La CSSF encourage les parties prenantes luxembourgeoises — en particulier celles impliquées dans la distribution transfrontalière de fonds et le règlement de titres — à évaluer les impacts opérationnels et à contribuer à l’élaboration du cadre politique. Bien que cette feuille de route ne soit pas contraignante, elle lance des actions préparatoires essentielles attendues des institutions financières et infrastructures de marché.

Cette initiative s’inscrit dans le cadre de l’agenda de l’Union des marchés de capitaux (UMC) de l’UE, visant à renforcer la résilience des marchés, réduire le risque de règlement et améliorer la compétitivité.

On 8 July 2025, Luxembourg enacted a national law establishing a public aid scheme to support the transition to a net-zero emissions economy. The law authorises the Minister for the Economy to grant subsidies to companies under two pillars: 

1. Decarbonisation projects through the electrification of industrial production processes (Article 4),
2. Productive investments in strategic net-zero sectors (Article 5), including the manufacturing of batteries, solar panels, electrolyzers, wind turbines, heat pumps, and CO? capture and use equipment.

The aid is awarded via competitive selection procedures with strict eligibility requirements. The maximum aid is capped at €200 million per company for electrification projects and at €150–200 million for strategic sector investments, depending on the assisted zone. Eligible projects must demonstrate a minimum 40% reduction in direct greenhouse gas emissions, comply with applicable EU environmental standards, and prove an incentive effect—i.e. the project would not occur without the aid. A penalty system applies for delays in commissioning, and eligibility is excluded for firms subject to sanctions or prior unlawful state aid recovery orders.

Aid applications must be submitted through a secure government platform requiring strong authentication and extensive documentation. The law also sets out detailed disbursement rules: payments are phased based on project milestones and verified emissions reductions. For projects over €500,000, independent audit reports are required.

Transparency requirements include notification to the European Commission within 60 days of grant and publication on the EU’s Transparency Award Module for aid above €100,000. Aid under Articles 4 and 5 cannot be combined, and compatibility with EU state aid rules must be confirmed by the Commission before any aid is granted (suspensive clause in Article 13).

Application deadline on 31 December 2025.

Version française

Le 8 juillet 2025, le Luxembourg a adopté une loi nationale établissant un régime d’aides publiques destiné à soutenir la transition vers une économie à zéro émission nette. La loi autorise le ministre de l’Économie à octroyer des subventions aux entreprises selon deux volets :

1. Projets de décarbonation par l’électrification des procédés industriels de production (article 4) ;
2. Investissements productifs dans les secteurs stratégiques zéro émission nette (article 5), incluant la fabrication de batteries, panneaux solaires, électrolyseurs, éoliennes, pompes à chaleur, ainsi que les équipements de captage et d’utilisation du CO?.

L’aide est octroyée par le biais de procédures de sélection compétitives, assorties de critères d’éligibilité stricts. Le montant maximal est fixé à 200 millions € par entreprise pour les projets d’électrification et entre 150 et 200 millions € pour les investissements dans les secteurs stratégiques, selon la zone assistée. Les projets doivent démontrer une réduction d’au moins 40 % des émissions directes de gaz à effet de serre, respecter les normes environnementales de l’UE et prouver un effet incitatif (c’est-à-dire que le projet n’aurait pas lieu sans l’aide). Un système de pénalités s’applique en cas de retard de mise en service, et les entreprises soumises à des sanctions ou à un ordre de récupération d’aides d’État illégales sont exclues.

Les demandes d’aide doivent être déposées via une plateforme gouvernementale sécurisée, nécessitant une authentification forte et une documentation complète. La loi fixe également des règles précises de versement : paiements échelonnés en fonction des jalons du projet et des réductions d’émissions vérifiées. Pour les projets supérieurs à 500 000 €, des rapports d’audit indépendants sont requis.

Des obligations de transparence s’appliquent, incluant une notification à la Commission européenne dans les 60 jours suivant l’octroi et une publication dans le Transparency Award Module de l’UE pour les aides supérieures à 100 000 €. Les aides prévues aux articles 4 et 5 ne peuvent être cumulées, et leur compatibilité avec les règles européennes en matière d’aides d’État doit être confirmée par la Commission avant tout octroi (clause suspensive à l’article 13).

Date limite de dépôt des demandes : 31 décembre 2025.

On 15 July 2025, Overheid published an Act amending the Act on Restriction of Access to UBO Registers.

This Act significantly reforms the Dutch legal framework for access to Ultimate Beneficial Owner (UBO) registers of companies, other legal entities, and trusts, following the CJEU judgment of 22 November 2022 (Joined Cases C-37/20 and C-601/20) which invalidated public access to UBO data on privacy grounds.

Key objectives:

• Limit access to UBO information to protect the right to privacy and data protection under the EU Charter of Fundamental Rights.
• Implement safeguards and strict criteria for institutions and individuals seeking access.

Main changes:

• Amendments to the Trade Register Act 2007:
  Removes provisions that previously allowed broader public access to UBO data.
  Grants access to a narrower set of entities (e.g. banks, financial institutions, supervisory authorities, competent authorities, and those with a legitimate interest).
  Allows the UBO themselves to access and receive their data from the Chamber of Commerce.
  Introduces a new Article 22a specifying the institutions and categories of individuals with legitimate interest who may request access (e.g., obliged entities under AMLD, persons combating predicate offences, etc.).
  Mandates that the UBO is notified when such access is granted based on legitimate interest.
• Amendments to the UBO Trust Register Implementation Act:
  Aligns the trust register access rules with the new company register rules.
  Distinguishes between categories of access: competent authorities, AML-obliged institutions, and third parties with a legitimate interest.
• Introduces procedural rules and data protection provisions (e.g., shielding of information at UBO’s request, issuance of certificates, notification obligations).
• Makes trustees’ access to data related to their trusts explicit.
• Amendments to related acts (e.g. Public Administration Integrity Screening Act):
  Grants the Chamber of Commerce access to specific data necessary for processing UBO access requests under the new rules.

Implementation timeline:

• Comes into force by Royal Decree on a future date.
• Evaluation of effectiveness and impact is scheduled within two years.

On 12 August 2025, De Nederlandsche Bank (DNB) published a news item confirming that it will follow the European Banking Authority (EBA) statement of 8 August 2025, which maintains the validity of the previously issued no-action letter on the boundary between the banking book and the trading book. This decision is linked to the European Commission’s Delegated Act deferring the application of the revised market risk framework (Fundamental Review of the Trading Book – FRTB).

The EBA statement clarifies that supervisors across the EU are asked to temporarily refrain from prioritising supervisory or enforcement actions concerning the new boundary provisions, given the delay in the entry into application of the FRTB rules. In practice, this means that credit institutions will not face supervisory enforcement for boundary issues during this extended non-enforcement period.

DNB confirms that it will apply this position to credit institutions under its direct supervision, thereby aligning with the EBA’s approach. At the same time, DNB stresses that institutions should not interpret this as a reason to postpone preparations. Instead, credit institutions are expected to continue implementing the revised market risk framework and related boundary provisions in a timely manner, ensuring readiness for full compliance once the framework comes into force.

This communication provides regulatory clarity and consistency for supervised institutions in the Netherlands. While the supervisory stance offers temporary relief from enforcement, the underlying expectation remains that banks must advance their internal preparations for the eventual binding application of the FRTB framework.

On 10 July 2025, the AFM published a press release on the Integration of sustainability risks and transparency. 

On 30 June 2025, the ESMA published the final report of the Common Supervisory Action (CSA) on fund managers' compliance with the SFDR regarding sustainability risk integration and disclosure. The Dutch AFM conducted a parallel review and confirmed that although most Dutch fund managers meet basic SFDR requirements, transparency, data validation, consistency, and clarity in ESG claims remain insufficient. ESMA issued practical recommendations to improve internal governance, avoid greenwashing, and strengthen ESG data oversight.

On 14 July 2025, Overheid published the decision of 3 July on Implementing Decision EMIR 3 Regulation and EMIR 3 Directive to amend the Decree on EU Regulations under the Financial Supervision Act and the Decree on the Supervision of the Conduct of Financial Undertakings. 

This measure implements Regulation (EU) 2024/2987 and Directive (EU) 2024/2994 aimed at reinforcing the efficiency, safety, and autonomy of EU clearing markets.

This Implementing Decision aligns Dutch supervisory powers and enforcement rules with the updated EMIR framework and associated amendments to the CRR, UCITS Directive, Capital Requirements Directive, and the Money Market Funds Regulation. Key provisions designate De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) as competent authorities based on the nature of the counterparty, with precise supervisory responsibilities detailed in revised annexes.

Crucially, the Dutch implementation reflects new EMIR requirements obliging financial and non-financial counterparties exceeding certain thresholds to open active clearing accounts at EU CCPs for systemically important products (e.g., euro-denominated OTC interest rate derivatives), including representativeness obligations to ensure effective usage. The aim is to reduce reliance on Tier 2 (non-EU) CCPs and improve financial stability through greater clearing volume within the EU.

The decision also ensures that centrally cleared derivatives benefit from more favourable treatment under UCITS concentration risk rules and capital requirements for banks and investment firms. In parallel, it prohibits EU CCPs from being clearing members of other CCPs and imposes stricter disclosure and notification duties on firms using third-country CCPs.

The Decision introduces no new regulatory burden since obligations derive directly from EU law. It primarily updates the allocation of supervisory duties and sanctions enforcement, with minimal operational impact expected for Dutch supervisors, as confirmed by DNB and AFM assessments.

On 19 August 2025, FINMA released a standard audit programme titled Audit Programme: Cyber Risk Management for Fund Management Companies and Collective Asset Managers. The document serves as the baseline for supervisory audits of cyber risk practices, particularly in asset management.

This programme applies to entities governed by the Federal Act on Financial Institutions (FinIA) and the Collective Investment Schemes Act (CISA), as well as their implementing ordinance (FinIO). Its purpose is to ensure consistent and thorough on-site cyber risk assessments, covering:

• Governance and design of cyber risk controls
• Logging, detection capabilities, and incident response
• Data sensitivity classification and protection
• Outsourcing oversight, especially where critical IT functions are outsourced

Auditors must adapt the programme to each institution’s risk profile, scale, and operational model. If certain audit steps (e.g., item 9 concerning sensitive/critical data) are not applicable, a justified rationale must be documented. The framework aligns with prior FINMA guidance (e.g., Guidance 05/2020 on reporting cyber attacks, Guidance 04/2024 on operational risk) and embeds scrutiny on evolving threat landscapes and resilience controls.

This release underscores that FINMA is stepping up its oversight of cyber resilience throughout the financial sector, particularly within the asset management industry, and expects internal auditors and external firms to carry out rigorous, scope-adjusted reviews moving forward.

Version française

Le 19 août 2025, la FINMA a publié un programme standard de révision intitulé Programme de révision : Gestion des risques cyber pour les directions de fonds et les gestionnaires de placements collectifs. Le document sert de référence pour les contrôles prudentiels des pratiques de gestion des risques cyber, en particulier dans la gestion d’actifs.

Ce programme s’applique aux entités régies par la Loi fédérale sur les établissements financiers (LEFin) et la Loi sur les placements collectifs de capitaux (LPCC), ainsi qu’à leurs ordonnances d’application (OEFin). Son objectif est de garantir des évaluations sur place cohérentes et approfondies des risques cyber, couvrant notamment :

• la gouvernance et la conception des contrôles liés aux risques cyber
• la journalisation, les capacités de détection et la réponse aux incidents
• la classification et la protection des données sensibles
• la surveillance de l’externalisation, en particulier lorsque des fonctions IT critiques sont externalisées

Les réviseurs doivent adapter le programme au profil de risque, à l’échelle et au modèle opérationnel de chaque institution. Si certaines étapes de révision (par ex. le point 9 concernant les données sensibles/critiques) ne sont pas applicables, une justification motivée doit être documentée. Le cadre est aligné sur les orientations antérieures de la FINMA (par ex. Communication 05/2020 sur la notification des cyberattaques, Communication 04/2024 sur le risque opérationnel) et intègre un examen renforcé des menaces émergentes et des dispositifs de résilience.

Cette publication souligne que la FINMA intensifie sa surveillance de la résilience cyber dans l’ensemble du secteur financier, en particulier dans l’industrie de la gestion d’actifs, et attend des auditeurs internes ainsi que des cabinets externes qu’ils réalisent à l’avenir des contrôles rigoureux et adaptés au périmètre.

On 20 August 2025, the Swiss Federal Council approved amendments to the Ordinance on Certification Services in the area of electronic signatures (OSCSE) to strengthen trust in digital signatures.

Currently, when an electronic signature certificate is revoked before expiry, the revocation information is available online only until the certificate’s validity ends. After that, verification services cannot access the revocation status, creating potential gaps in auditability. Under the new rules, certification service providers must ensure that revocation data remain accessible for at least 11 years after certificate expiry.

This change will allow automated verification services, such as the government’s validator.ch, to reliably confirm the validity or revocation status of signatures over a much longer period. The reform aims to improve the long-term reliability and usability of digital signatures for both businesses and individuals.

In addition, the revised ordinance clarifies the accreditation framework for recognition bodies, ensuring alignment with current technical standards and specifications. Providers and recognition bodies will have until 1 February 2026 to adapt their processes, while the revised OSCSE will enter into force on 1 November 2025.

By extending the availability of revocation data and strengthening accreditation provisions, Switzerland is reinforcing the security and trustworthiness of its digital signature ecosystem, bringing it closer to international best practices and ensuring legal certainty for electronic transactions.

Version française

Le 20 août 2025, le Conseil fédéral suisse a approuvé des modifications de l’Ordonnance sur les services de certification dans le domaine des signatures électroniques (OSCSE) afin de renforcer la confiance dans les signatures numériques.

Actuellement, lorsqu’un certificat de signature électronique est révoqué avant son expiration, l’information relative à la révocation n’est disponible en ligne que jusqu’à la fin de validité du certificat. Au-delà, les services de vérification ne peuvent plus accéder à l’état de révocation, créant ainsi de possibles lacunes en matière de traçabilité. Selon les nouvelles règles, les prestataires de services de certification devront garantir que les données de révocation restent accessibles pendant au moins 11 ans après l’expiration du certificat.

Ce changement permettra aux services de vérification automatisés, tels que le site officiel validator.ch, de confirmer de manière fiable la validité ou le statut de révocation des signatures sur une période beaucoup plus longue. La réforme vise à améliorer la fiabilité et l’utilisabilité à long terme des signatures électroniques pour les entreprises comme pour les particuliers.

En outre, l’ordonnance révisée clarifie le cadre d’accréditation des organismes de reconnaissance, afin d’assurer une conformité avec les normes et spécifications techniques actuelles. Les prestataires et organismes de reconnaissance disposeront d’un délai jusqu’au 1er février 2026 pour adapter leurs processus, tandis que l’OSCSE révisée entrera en vigueur le 1er novembre 2025.

En prolongeant la disponibilité des données de révocation et en renforçant les dispositions d’accréditation, la Suisse consolide la sécurité et la fiabilité de son écosystème de signatures électroniques, le rapprochant des meilleures pratiques internationales et garantissant la sécurité juridique des transactions électroniques.

On 20 August 2025, the Swiss Federal Council adopted a modification of the Ordinance on Certification Services in the Field of Electronic Signatures and Other Applications of Digital Certificates (OSCSE). The revised ordinance will enter into force on 1 November 2025, with certain requirements phased in by 1 February 2026 and 1 July 2027.

The update strengthens the legal and technical framework for trust service providers (TSPs) and certification authorities in Switzerland. Key changes include:

• Accreditation requirements (Art. 1): The Swiss Accreditation Service (SAS) will accredit recognition bodies for TSPs using ISO/IEC 17065 and ETSI EN 319 403-1 standards, ensuring harmonisation with international norms.
• Use of IDE register (Arts. 5–6): When IDE entities (business identifiers) have not consented to publication of key data, certification providers must require up-to-date extracts from the IDE register to verify authority and representation rights.
• Identity verification (Art. 7): Recognised providers may rely on regulated electronic signatures and certificates to identify applicants, whether representing an IDE entity (with powers registered in the commercial register or proven by proxy) or acting for themselves as individuals.
• Certificate revocation information (Art. 9): Providers must guarantee online access for at least 11 years to key data on revoked regulated certificates (serial number, revocation status, date/time), authenticated with a regulated electronic seal. Exceptions apply to certificates with very short validity or those covered by long-term validation mechanisms.
• Fallback role of OFCOM (Art. 12): If no recognised provider exists, OFCOM assumes responsibility for guaranteeing third-party access to revocation information.
• Transitional provisions (Art. 17a): Accreditation and conformity assessment requirements must be implemented by 1 February 2026, while long-term revocation information obligations must be in place by 1 July 2027.

The reform enhances trust, transparency, and interoperability of electronic signatures and digital certificates in Switzerland, aligning the framework more closely with EU trust service standards.

Version française

Le 20 août 2025, le Conseil fédéral suisse a adopté une modification de l’Ordonnance sur les services de certification dans le domaine des signatures électroniques et autres applications des certificats numériques (OSCSE). L’ordonnance révisée entrera en vigueur le 1er novembre 2025, certaines exigences étant mises en œuvre progressivement d’ici au 1er février 2026 et au 1er juillet 2027.

La mise à jour renforce le cadre juridique et technique applicable aux prestataires de services de confiance (PSC) et aux autorités de certification en Suisse. Les principaux changements comprennent :

• exigences d’accréditation (art. 1) : Le Service d’accréditation suisse (SAS) accréditera les organismes de reconnaissance des PSC sur la base des normes ISO/IEC 17065 et ETSI EN 319 403-1, garantissant une harmonisation avec les standards internationaux.
• utilisation du registre IDE (art. 5–6) : Lorsque les entités IDE (identifiants d’entreprises) n’ont pas consenti à la publication de données clés, les prestataires de certification doivent exiger des extraits à jour du registre IDE afin de vérifier l’autorité et les droits de représentation.
• vérification d’identité (art. 7) : Les prestataires reconnus peuvent s’appuyer sur des signatures et certificats électroniques réglementés pour identifier les demandeurs, qu’ils représentent une entité IDE (avec pouvoirs inscrits au registre du commerce ou prouvés par procuration) ou qu’ils agissent en leur propre nom en tant qu’individus.
• informations sur la révocation des certificats (art. 9) : Les prestataires doivent garantir un accès en ligne d’au moins 11 ans aux données clés concernant les certificats réglementés révoqués (numéro de série, statut de révocation, date/heure), authentifiées par un cachet électronique réglementé. Des exceptions s’appliquent aux certificats de très courte durée ou couverts par des mécanismes de validation à long terme.
• rôle subsidiaire de l’OFCOM (art. 12) : En l’absence de prestataire reconnu, l’OFCOM assume la responsabilité de garantir l’accès tiers aux informations de révocation.
• dispositions transitoires (art. 17a) : Les exigences d’accréditation et d’évaluation de conformité doivent être mises en œuvre d’ici au 1er février 2026, tandis que les obligations liées aux informations de révocation à long terme doivent être opérationnelles au plus tard le 1er juillet 2027.

La réforme renforce la confiance, la transparence et l’interopérabilité des signatures électroniques et certificats numériques en Suisse, rapprochant le cadre des standards européens applicables aux services de confiance.

On 24 July 2025, the Swiss Competition Commission (COMCO) announced a settlement with Visa Europe regarding domestic and cross-border interchange fees for debit and credit card transactions, concluding an investigation into Visa's Swiss market practices.

The settlement introduces legally binding fee caps on Visa debit card transactions in Switzerland and cross-border transactions involving EEA-issued Visa cards. It mirrors the Mastercard settlement of 2024 but goes further in covering payments via mobile devices.

Key measures include:

1. For domestic in-store debit card transactions (card-present), the average interchange fee must not exceed 0.15%.

• Base rate cap: 0.2%
• Reduced rate: 0.12% for everyday consumer goods
• Absolute cap: CHF 0.36 per transaction ? CHF 300

2. The rules apply regardless of whether the payment is made via physical card or digital wallet (e.g., smartphone).

3. For domestic e-commerce debit card payments, the interchange fee will be reduced from 0.31% to 0.25%, effective 1 November 2025.

4. For the first time, COMCO has intervened in cross-border EEA card transactions:

• EEA-issued debit cards used in Switzerland: fee reduced from 1% to 0.2%
• EEA-issued credit cards used in Switzerland: fee reduced from 1.15% to 0.44%

COMCO estimates that these reductions will save Swiss merchants over CHF 10 million annually. While Visa’s domestic cap (0.15%) remains slightly above Mastercard’s 0.12%, the Visa settlement extends coverage to mobile device-based transactions, offering broader practical reach.

For acquiring banks and payment service providers, this regulatory cap directly impacts fee structuring, merchant pricing models, and mobile payment offerings. Firms must update systems and contracts to reflect the new maximum fee rates and prepare for implementation by 1 November 2025 (for e-commerce) and likely earlier for POS rules.

Version française

Le 24 juillet 2025, la Commission de la concurrence (COMCO) a annoncé un règlement avec Visa Europe concernant les commissions d’interchange sur les transactions domestiques et transfrontalières par cartes de débit et de crédit, concluant ainsi une enquête sur les pratiques de Visa sur le marché suisse.

Le règlement introduit des plafonds de frais juridiquement contraignants sur les transactions par cartes de débit Visa en Suisse ainsi que sur les transactions transfrontalières impliquant des cartes Visa émises dans l’EEE. Il reflète le règlement conclu avec Mastercard en 2024, tout en allant plus loin puisqu’il couvre également les paiements effectués via appareils mobiles.

Mesures clés :

1. Pour les transactions domestiques en magasin avec carte de débit (présentation de la carte), la commission d’interchange moyenne ne doit pas dépasser 0,15 %.

• taux de base plafonné à 0,2 %
• taux réduit à 0,12 % pour les biens de consommation courante
• plafond absolu : CHF 0,36 par transaction ? CHF 300

2. Les règles s’appliquent que le paiement soit effectué par carte physique ou via un portefeuille numérique (par ex. smartphone).

3. Pour les paiements domestiques de e-commerce par carte de débit, la commission d’interchange sera réduite de 0,31 % à 0,25 %, avec effet au 1er novembre 2025.

4. Pour la première fois, la COMCO intervient sur les transactions transfrontalières avec des cartes de l’EEE :

• cartes de débit émises dans l’EEE utilisées en Suisse : réduction de 1 % à 0,2 %
• cartes de crédit émises dans l’EEE utilisées en Suisse : réduction de 1,15 % à 0,44 %

La COMCO estime que ces réductions permettront aux commerçants suisses d’économiser plus de 10 millions CHF par an. Si le plafond domestique de Visa (0,15 %) reste légèrement supérieur à celui de Mastercard (0,12 %), l’accord conclu avec Visa s’étend aux transactions via appareils mobiles, offrant ainsi une portée pratique plus large.

Pour les banques acquéreuses et les prestataires de services de paiement, ce plafonnement réglementaire a un impact direct sur la structuration des frais, les modèles tarifaires appliqués aux commerçants et les offres de paiement mobile. Les établissements doivent mettre à jour leurs systèmes et contrats afin de refléter les nouveaux taux maximaux et se préparer à l’application des mesures d’ici le 1er novembre 2025 (pour l’e-commerce) et probablement plus tôt pour les règles applicables aux points de vente.

On 13 August 2025, the Swiss authorities published the Regulation on the Harmonisation of Sanction Ordinances, which introduces clarifications and standardisations in the field of financial sanctions. The amendments aim to ensure consistency across various sanction regimes and provide greater legal certainty for financial intermediaries when implementing restrictive measures.

The Regulation addresses, among other aspects, the treatment of funds credited to blocked accounts and the scope of reporting obligations. These changes seek to harmonise practices across different sanction ordinances, thereby reducing interpretative divergences and enhancing compliance efficiency for financial institutions.

The amendments apply to a wide range of existing sanctions frameworks, including those concerning Belarus, Burundi, Guatemala, Guinea, Guinea-Bissau, Iran, Moldova, Myanmar, Nicaragua, Zimbabwe, Syria, Ukraine, supporters of Hamas and Palestinian Jihad, and Venezuela. This broad coverage highlights the cross-cutting nature of the harmonisation effort.

The Regulation will enter into force on 15 September 2025, giving financial intermediaries a short window to adjust internal procedures and compliance processes. Institutions must ensure that their sanctions screening, account-blocking measures, and reporting frameworks are updated in line with the new harmonised requirements.

This development underscores Switzerland’s commitment to aligning its sanctions regime with international standards and to reinforcing the effectiveness of financial sanctions as a tool of foreign policy and security. For financial intermediaries, the key impact lies in updating compliance processes to reflect the harmonised treatment of blocked funds and reporting obligations across multiple sanctions regimes.

Version française

Le 13 août 2025, les autorités suisses ont publié le Règlement sur l’harmonisation des ordonnances de sanctions, qui introduit des clarifications et des standardisations dans le domaine des sanctions financières. Les amendements visent à garantir la cohérence entre les différents régimes de sanctions et à offrir une plus grande sécurité juridique aux intermédiaires financiers lors de la mise en œuvre des mesures restrictives.

Le règlement traite, entre autres, du traitement des fonds crédités sur des comptes bloqués et de la portée des obligations de déclaration. Ces changements visent à harmoniser les pratiques entre les différentes ordonnances de sanctions, réduisant ainsi les divergences d’interprétation et renforçant l’efficacité de la conformité pour les établissements financiers.

Les amendements s’appliquent à un large éventail de régimes de sanctions existants, notamment ceux concernant le Bélarus, le Burundi, le Guatemala, la Guinée, la Guinée-Bissau, l’Iran, la Moldavie, le Myanmar, le Nicaragua, le Zimbabwe, la Syrie, l’Ukraine, les soutiens du Hamas et du Jihad palestinien, ainsi que le Venezuela. Cette couverture étendue souligne le caractère transversal de l’effort d’harmonisation.

Le règlement entrera en vigueur le 15 septembre 2025, laissant aux intermédiaires financiers un délai réduit pour adapter leurs procédures internes et leurs processus de conformité. Les institutions doivent veiller à ce que leurs dispositifs de filtrage des sanctions, de blocage des comptes et de déclaration soient mis à jour conformément aux nouvelles exigences harmonisées.

Cette évolution souligne l’engagement de la Suisse à aligner son régime de sanctions sur les standards internationaux et à renforcer l’efficacité des sanctions financières en tant qu’outil de politique étrangère et de sécurité. Pour les intermédiaires financiers, l’impact principal réside dans la mise à jour des processus de conformité afin de refléter le traitement harmonisé des fonds bloqués et des obligations de déclaration à travers de multiples régimes de sanctions.

BACKGROUND

On 26 August 2025, the Swiss Official Journal published the Ordinance on the Harmonisation of Sanctions Ordinances, adopted by the Swiss Federal Council on 13 August 2025. The measure amends multiple existing Swiss sanctions ordinances, including those on Zimbabwe, Hamas/PIJ, Belarus, Burundi, Guatemala, Guinea, Guinea-Bissau, Iran, Moldova, Myanmar, Nicaragua, Syria, Ukraine and Venezuela. The objective is to introduce a uniform structure for exemptions, reporting, and authorisation procedures across all sanctions regimes. The amendments will enter into force on 15 September 2025.

WHAT'S NEW?

The ordinance introduces a harmonised set of provisions across all targeted regimes:

• Humanitarian exemptions: Frozen funds or resources may be released where needed for humanitarian purposes, essential needs, or activities by the UN, international organisations, NGOs recognised in UN processes, or Swiss-supported entities.
• Blocked account crediting: Interest, contractual payments, and sums resulting from arbitral, judicial or administrative decisions in Switzerland, the EEA or the UK can be credited to blocked accounts, provided they remain frozen. Third-party transfers are also allowed under the same condition.
• Exceptional SECO authorisations: The State Secretariat for Economic Affairs (SECO) may grant exemptions for humanitarian reasons, to prevent hardship, or safeguard Swiss interests. Certain regimes also allow exceptions for diplomatic functions, safety-related flights or energy-sector activities.
• Mandatory reporting: Financial institutions must declare frozen assets to SECO without delay and file an annual report by 15 February indicating the amounts held as of 31 December. Credits to blocked accounts must also be reported immediately.
• Burden of proof: In proceedings involving sanctions-affected claims, the claimant must prove that execution of the claim is not prohibited.

WHAT'S NEXT?

The harmonised framework will apply from 15 September 2025. From that date, all financial institutions and other relevant actors must ensure compliance with the new uniform exemptions, reporting duties, and SECO authorisation mechanisms, across all Swiss sanctions regimes concerned.

Version française

BACKGROUND

Le 26 août 2025, la Feuille officielle suisse a publié l’Ordonnance sur l’harmonisation des ordonnances de sanctions, adoptée par le Conseil fédéral le 13 août 2025. La mesure modifie plusieurs ordonnances suisses existantes en matière de sanctions, notamment celles concernant le Zimbabwe, le Hamas/PIJ, le Bélarus, le Burundi, le Guatemala, la Guinée, la Guinée-Bissau, l’Iran, la Moldavie, le Myanmar, le Nicaragua, la Syrie, l’Ukraine et le Venezuela. L’objectif est d’introduire une structure uniforme pour les exemptions, les obligations de déclaration et les procédures d’autorisation dans l’ensemble des régimes de sanctions. Les amendements entreront en vigueur le 15 septembre 2025.

WHAT'S NEW?

L’ordonnance introduit un ensemble harmonisé de dispositions applicables à tous les régimes visés :

• dérogations humanitaires : les fonds ou ressources gelés peuvent être libérés lorsqu’ils sont nécessaires à des fins humanitaires, pour des besoins essentiels, ou pour des activités menées par l’ONU, des organisations internationales, des ONG reconnues dans les processus onusiens, ou des entités soutenues par la Suisse.
• créditement de comptes bloqués : les intérêts, paiements contractuels et montants résultant de décisions arbitrales, judiciaires ou administratives rendues en Suisse, dans l’EEE ou au Royaume-Uni peuvent être crédités sur des comptes bloqués, à condition qu’ils demeurent gelés. Les transferts de tiers sont également autorisés dans les mêmes conditions.
• autorisations exceptionnelles du SECO : le Secrétariat d’État à l’économie (SECO) peut accorder des dérogations pour des raisons humanitaires, afin de prévenir des situations de rigueur ou de sauvegarder les intérêts de la Suisse. Certains régimes prévoient également des exceptions pour des fonctions diplomatiques, des vols liés à la sécurité ou des activités dans le secteur de l’énergie.
• obligation de déclaration : les établissements financiers doivent déclarer sans délai au SECO les avoirs gelés et déposer un rapport annuel au plus tard le 15 février indiquant les montants détenus au 31 décembre. Les crédits versés sur des comptes bloqués doivent également être déclarés immédiatement.
• charge de la preuve : dans le cadre de procédures impliquant des créances soumises aux sanctions, il incombe au demandeur de prouver que l’exécution de la créance n’est pas interdite.

WHAT'S NEXT?

Le cadre harmonisé s’appliquera à partir du 15 septembre 2025. À compter de cette date, toutes les institutions financières et autres acteurs concernés devront veiller au respect des nouvelles dérogations uniformes, des obligations de déclaration et des mécanismes d’autorisation du SECO, dans l’ensemble des régimes de sanctions suisses visés.

On the 15 July 2025, the UK Government and FCA and PRA published consultation on Senior Managers & Certification Regime (SM&CR).

In the first phase of reforms, the FCA and PRA propose to streamline the SM&CR. The changes will make the regime more effective and efficient and drive growth in financial services. 

As the government consults on legislative changes to the regime including removing the Certification Regime and increasing flexibility for the regulators to reduce the number of senior management functions (SMFs) which require pre-approval, the regulators’ proposals aim to make the regime less onerous on firms, while continuing to protect consumers and markets, and the safety and soundness of firms.

The consultations, which have been informed by the regulators’ 2023 Discussion Paper, includes proposals to: 

• Give firms more time and flexibility to submit applications for approving new senior managers when there has been an unexpected or temporary change.
• Strip out duplication where the same individuals are certified for separate functions, which would reduce the number of certification roles by 15%.
• Provide guidance on how to streamline the annual checks firms need to undertake to certify individuals are ‘fit and proper’ to do their role.
• Allow more time for firms to report updates to senior manager responsibilities.
• Increase how long criminal record checks for senior manager applications are valid for, prior to application submission.
• Help firms to better understand the definition of certain SMF roles.
• Give firms more time to update the directory, which lists certified staff. 

The SM&CR holds individual senior managers in financial firms accountable for their conduct and competence. 

This consultation will close on 7 October 2025. 

On the 15 July 2025, the FCA published PS25/10 and PS25/9 rules for public offers and admissions to trading regime and public offer platforms.

The FCA’s Policy Statement PS25/9 finalizes rules for the new Public Offers and Admissions to Trading Regulations 2024, replacing the UK Prospectus Regulation. These changes include updates to prospectus rules for regulated markets and primary multilateral trading facilities, and revisions to the UK Listing Rules. The reforms aim to simplify capital raising, reduce issuer costs, and boost the UK’s capital markets competitiveness.

Key adjustments include raising the prospectus threshold for further issuances from 20% to 75% of share capital, aligning prospectus requirements for lower denomination bonds with higher ones, and shortening the IPO prospectus availability period from six to three working days. The FCA also introduces protected forward looking statements, climate related disclosures for equity issuers, and streamlines listing processes. These measures are intended to increase market efficiency, foster retail investor participation, and support economic growth.

Alongside this, Policy Statement PS25/10 establishes the new regime for Public Offer Platforms (POPs), a regulated activity to facilitate off-market public offers of securities over £5 million, primarily aimed at smaller and growing companies. POPs must conduct due diligence to protect investors and prevent fraud, balancing efficient capital raising with consumer protection.

The regime combines tailored conduct rules with general FCA regulations and seeks to expand retail investor access to growth capital while encouraging market innovation. Feedback from consultations was positive, with the FCA addressing concerns about due diligence and regulatory overlap.

They both enter into force on the 19 January 2026.

On the 18 July 2025, the BoE published a policy and supervisory statement on fundamental rules for financial market infrastructures.

The Supervisory Statement sets out ten Fundamental Rules, each focused on essential principles FMIs must follow. These include integrity in business conduct, where FMIs are expected to be transparent and provide participants with clear information about the risks they face, aligning with PFMI Principle 23. FMIs must also operate with due skill, care, and diligence, ensuring sound decision making in both routine operations and strategic matters. A rule of prudence requires FMIs to exercise judgement and foresight in decisions involving risk, complementing diligence but with a particular focus on broader risk implications.

FMIs must maintain sufficient financial resources, such as capital, margins, or default funds, in order to withstand extreme but plausible shocks without disrupting the system. Risk management frameworks should be robust and comprehensive, covering legal, credit, liquidity, operational, and market risks, while also accounting for interconnectedness with other entities. Effective governance is essential, with clear roles and responsibilities for management, and decision makers must be competent and appropriately qualified.

FMIs are required to maintain a cooperative relationship with regulators by disclosing material events or changes that might impact their regulatory obligations, including those at the group level. Preparation for resolution or administration is also mandated. FMIs must plan for scenarios in which they may no longer be able to operate, ensuring continuity of critical services. Operational resilience is emphasized, requiring FMIs to recover from severe disruptions, including third party IT failures, within acceptable impact tolerances. Lastly, FMIs must identify and manage risks their operations pose to financial system stability. This includes assessing both direct and indirect systemic risks, and responding appropriately without compromising their own resilience. 

The Policy Statement outlines how the rules were finalized following a consultation held from November 2024 to February 2025. Stakeholders broadly supported the approach. In response to the feedback, the Bank clarified that FMIs are not expected to compromise their own resilience while managing systemic risks, placed greater emphasis on FMIs being transparent with participants, and refined how rules apply to group level entities. Specifically, the definition of “group” was revised to align with the Companies Act 2006, limiting it to parent and subsidiary relationships rather than entities with minority stakes.

The Bank extended the implementation period from six to twelve months in recognition of the operational effort involved, particularly regarding Rule 10 on systemic risk. While some respondents requested more prescriptive guidance, the Bank reaffirmed its outcome focused approach and emphasized that compliance can vary based on an FMI’s specific context. It also reiterated that while FMIs must take ownership of compliance, no standardised reporting format will be required. Costs were addressed, with the Bank maintaining that existing regulatory obligations should already cover much of what is required, and that the extended timeline would help FMIs manage any additional burdens.

The policy also confirms that these rules represent the first use of the Bank’s general rule making power granted under the Financial Services and Markets Act 2023. Although they currently apply only to UK CCPs, CSDs, RPSOs, and SSPs, the Bank may consider extending them to overseas entities in future. The rules are also designed to support innovation and ensure clarity for both established firms and new entrants, by providing clear outcomes while allowing flexibility in how they are achieved.

It enters into force on 18 July 2026.

On the 18 July 2025, the BoE published consultation on ensuring the resilience of CCPs.

The consultation paper sets out proposed reforms to the UK’s regulatory framework for Central Counterparties (CCPs), which are essential financial market infrastructures that manage counterparty risk in key markets by interposing themselves between buyers and sellers. CCPs reduce systemic risk by guaranteeing contract performance and mutualising default risks among participants, making their resilience vital to both UK and global financial stability.

Following the Financial Services and Markets Act 2023, the Bank of England has acquired new rule-making powers to replace much of the existing UK European Market Infrastructure Regulation (UK EMIR) rules with its own Bank rules. This transition is designed to make the regulatory framework more flexible, adaptable, and clear, enabling quicker responses to market developments and innovations while maintaining alignment with international standards such as the Principles for Financial Market Infrastructures (PFMI).

The paper explains that the existing regulatory framework for CCPs largely works well, so most requirements are restated with limited changes. However, it identifies seven key areas for targeted reforms:

• Improving transparency around margin requirements to better manage risks.
• Increasing the likelihood and effectiveness of client position porting during defaults.
• Introducing a second layer of CCP “skin in the game” to enhance risk management incentives.
• Expanding and clarifying change of control rules for CCP ownership to enhance supervisory oversight.
• Enhancing liquidity risk control requirements.
• Streamlining supervisory processes to be more proportionate, clear, and efficient.
• Clarifying the regulatory approval process for interoperability arrangements between CCPs.

The consultation also includes a discussion on the eligibility of collateral, specifically the potential acceptance of uncollateralised bank guarantees, though any future policy changes here will be subject to further consultation and cost-benefit analysis.

The Bank emphasizes balancing the objectives of financial stability with fostering innovation. By transferring requirements from legislation into Bank rules, it aims to create a more proportionate and technology neutral regulatory environment that can evolve with market needs and new business models.

Implementation of these reforms will be phased. CCPs will generally have six months to comply with new rules once finalized, but more complex changes will have up to two years to allow firms time to raise capital and adjust processes.

The consultation ends on the 18 November 2025.

On the 15 July 2025, the FCA published statement on market reforms and what's to come.

The FCA outlines a sweeping programme of capital markets reforms aimed at maintaining the UK’s global competitiveness in financial services. It highlights completed and forthcoming initiatives as part of its five-year strategy to encourage growth and informed risk-taking. Key reforms already implemented include a simplified listing regime, new public offer platform, streamlined transparency and bond trading rules, and lighter regulatory treatment of commercial commodity derivatives users. The FCA has also introduced innovations such as PISCES, a private stock exchange, and a Digital Securities Sandbox to test new technology.

Looking forward, the FCA plans to introduce a bond consolidated tape in 2025 and consult on an equity tape. It also intends to update definitions for professional investors and review securitisation rules to improve access and reduce cost. The statement affirms a shift from pre-emptive regulatory gating to a more disclosure-based regime that supports innovation and market resilience.

In the FCA a letter to Chancellor Rachel Reeves dated 15 July 2025, FCA CEO Nikhil Rathi outlines improvements to authorisation timelines and transparency. The FCA commits to new stretch targets while supporting the government’s proposed legislative deadline reductions under the Financial Services and Markets Act 2000.

The letter acknowledges the need to balance speed with due diligence and highlights current performance, where 99% of applications are processed within deadlines. New targets include:

• 50% of senior manager regime applications completed within 35 days,
• 3 months for complete variations of permission applications and 6 months for incomplete ones,
• For e-money and payment firms, FSMA targets: 3 months for complete and 10 months for incomplete applications.

The FCA plans to adjust reporting from early 2026 to track both statutory deadlines and stretch targets, while also enhancing communication and support services to improve application quality.

In the PRA letter to CEO Sam Woods, PRA expresses support for government efforts to shorten authorisation timelines, confirming that the PRA already meets or exceeds statutory deadlines. In the 2024/25 reporting year, 99.7% of applications were processed within deadline. The PRA commits to additional ambitious internal targets for simpler cases, including:

• 3 months for wholesale insurance firm approvals,
• 6 weeks for insurance special purpose vehicles (ISPVs), and
• 10 working days for ISPVs qualifying for an accelerated path.

The PRA will also target 50% of senior manager regime applications to be completed within 45 days, anticipating further efficiency if Senior Managers Regime reforms are implemented. Enhanced pre-application support, transparency, and quarterly performance reporting from 2026 will track progress toward these goals.

On the 15 July 2025, the FCA published faster targets for authorisations.

FCA plan to speed up processes for firms and individuals seeking authorisation, recognising the potential this has to support UK growth and competitiveness. FCA aim is to deliver a quicker, more proportionate and predictable approach for firms, while maintaining high standards of entry into regulated financial services.

The package of targets includes:

• Statutory: New firm authorisations and variations of permission applications to be completed in 4 months (currently 6) for complete applications and 10 months (currently 12) for incomplete applications.
• Voluntary: For variations of permission applications where the new permissions closely align to the existing business model, the target will reduce further to 3 months for complete applications and 6 months for incomplete applications.
• Voluntary: Payments and e-money firm authorisations and registrations completed in 3 months (same) for complete applications and 10 months (currently 12) for incomplete applications.
• Voluntary/statutory: For senior manager regime applications, at least half will be completed within 35 days with a proposed statutory deadline of 2 months (currently 3) for all applications. 

The targets also give firms some time to address feedback and remedy issues, reducing, but not eliminating, the risk of increased refusals. 

FCA have significantly enhanced their application process, with 99% of applications now determined within statutory deadlines. Other improvements underway include the digitisation of application forms to make it easier to apply, supporting firms with quality applications to help meet deadlines, and enhanced firm communications.

On the 14 July 2025, the FED issued a joint statement on risk-management considerations for crypto-asset safekeeping.

Federal bank regulatory agencies issued a joint statement in their continued efforts to provide clarity on banks' engagement in crypto-asset-related activities. The statement highlights for banks potential risk-management considerations related to holding crypto-assets on their customers' behalf, or crypto-asset safekeeping.

The joint statement discusses existing risk-management principles that apply to crypto-asset safekeeping and reminds banks that they provide or are considering providing safekeeping of such assets that they must do so in a safe and sound manner and in compliance with applicable laws and regulations.

The statement does not create any new supervisory expectations. The agencies continue to explore ways to provide additional clarity with respect to banks' engagement in crypto-asset-related activities.

On the 29 July 2025, SEC published permits In-Kind Creations and Redemptions for Crypto ETPs.

The Securities and Exchange Commission voted to approve orders to permit in-kind creations and redemptions by authorized participants for crypto asset exchange-traded product (ETP) shares.

The orders approved reflect a departure from recently approved spot bitcoin and ether ETPs, which were limited to creations and redemptions on an in-cash basis. With approval orders, bitcoin and ether ETPs, consistent with other commodity-based ETPs approved by the Commission, will be permitted to create and redeem shares on an in-kind basis.

The Commission also voted to approve other orders that advance a merit-neutral approach to crypto-based products, including exchange applications seeking to list and trade an ETP that would hold mixed spot bitcoin and spot ether, options on certain spot bitcoin ETPs, Flexible Exchange (FLEX) options on shares of certain BTC-based ETPs, and an increase of position limits up to the generic limits for options (up to 250,000 contracts) for listed options on certain BTC ETPs.  Additionally, the Commission issued two scheduling orders soliciting comments in support of, or in opposition to, the Division of Trading and Market’s approval, pursuant to delegated authority, of a national securities exchange’s proposals to list and trade two large cap crypto-based ETPs.

On 9 July 2025, the FATF updated its Consolidated Processes and Procedures for Mutual Evaluations and Follow-Up Universal Procedures

The assessments of countries' effective implementation of the 2012 FATF Recommendations are conducted in accordance with the 2013 Assessment Methodology.

In principle, FATF-Style Regional Bodies (FSRBs) and International Financial Institutions, should  be using the same or similar procedures as the FATF.  While there is some flexibility in the procedural arrangements, there is a set of core elements that should apply to all assessments. This obligation is noted in the High-Level Principles and Objectives for FATF and FATF-style regional bodies which govern the relationship between FATF and FSRB.

On 9 July 2025, the FATF updated its Consolidated Processes and Procedures for Mutual Evaluations and Follow-Up - “Universal Procedures”.

The Consolidated Processes and Procedures for Mutual Evaluations and Follow-Up (Universal Procedures), which are based on the FATF Procedures,  sets out the core elements that should form the basis for the mutual evaluations and follow-up conducted by all assessment bodies. 

In principle, FATF-Style Regional Bodies (FSRBs) and International Financial Institutions, should be using the same or similar procedures as the FATF to assess countries' effectiveness in tackling money laundering, terrorist financing and proliferation financing, and their compliance with the FATF Standards.  While there is some flexibility in the procedural arrangements, these arrangements must address a set of core elements that should apply to all assessments. This obligation is noted in the High-Level Principles and Objectives for FATF and FATF-style regional bodies which govern the relationship between FATF and FSRBs.

The FATF and FSRBs should periodically review their procedures to identify on-going challenges and update their procedures to address those challenges.

The Global Network commenced a new round of evaluations in 2024 using these revised Universal Procedures. The Universal Procedures for the previous round of AML/CFT Mutual Evaluations and the 2013 FATF Methodology for assessing compliance with the FATF Recommendations and the effectiveness of AML/CFT systems will continue to apply to countries being evaluated and those engaged in follow-up processes under the previous round of evaluations.

On 28 August 2025, the FATF published National Risk Assessment toolkit to help countries identify greatest ML risks.

These new practical resources will support countries in assessing their money laundering risks in line with the FATF Standards.

Key areas of risk:

• Crime generates vast illicit revenues every year, estimated to reach trillions of USD.  When laundered, this money flows right back into the pockets of criminals, enabling them to continue exploiting communities worldwide, whether through corruption that robs society of essential services, drug trafficking that destroys lives or fraud that can wipe out family savings in seconds.
• This toolkit provides countries with cross-country risk insights, such as proceeds of crime estimates and most common types of predicate offences and money laundering on a domestic and international level, to help governments and the private sector address the highest risks to ensure that crime does not pay.
• The toolkit highlights the international, cross-border nature of money laundering, aided by the speed and ease with which new technologies allow funds to travel between jurisdictions. It encourages countries to develop awareness of global and regional trends and combine this with knowledge of their unique national risk and context for a stronger risk understanding.

Good practices in assessing risk:

• The toolkit covers four priority areas: corruption, Virtual Assets and Virtual Asset Service Providers, legal persons and legal arrangements, and the informal economy. It focuses on these areas as they consistently challenging to assess because of data limitations, rapidly evolving typologies, or the cross-cutting nature of risks. These areas are often linked and used in combination to launder funds, for example, corrupt officials may exploit their positions to siphon government funds and use shell companies to disguise the origin and movements of funds.
• It includes examples from countries across the FATF Global Network to illustrate how jurisdictions are assessing risk to help them tackle money laundering relating to corruption, cash-based economies, beneficial ownership, and emerging technologies. By integrating findings across these risk areas, rather than assessing them in isolation, countries can build a more comprehensive and effective anti-money laundering (AML) framework.

On 28 August 2025, the FATF updated its ML National Risk Assessment Guidance.

Understanding risk is a fundamental building block to the risk-based approach. Developing a granular, accurate and up-to-date risk understanding is an ongoing, dynamic process for a country. It is a process that necessitates responding to changing environmental factors, constantly assessing new information and scanning the horizon for risks that may be emerging or materialising. Given the complexity of understanding risk, it is important that a country takes a structured and coherent approach to developing an up-to-date risk understanding.

Once common approach for a country to take in developing a risk understanding is through the conduct of a National Risk Assessment (NRA). An NRA is a process that enables a country to systematically evaluate and address potential money laundering threats and vulnerabilities affecting the country. This structured, evidence-based approach can guide policymakers in tailoring national AML strategies to appropriately mitigate ML risk. Tailoring AML strategies to risk means that areas of higher risk should be subject to enhanced risk mitigation measures, and, importantly, that lower risk areas should also be subjected to simplified or lesser measures.

This guidance document supports countries in conducting an NRA focused on the assessment of money laundering risks, drawing on insights from over 90 countries within the FATF Global Network and over 500 respondents to public consultation. Key sections include:

1. NRA Preparation and Setup: This section identifies the prerequisites to a successful NRA. It covers such key foundational parts of the NRA such as political commitment, an inclusive NRA mechanism, objective setting, and the acquisition of information and data.
2. Assessing and Understanding Money Laundering Risks: Offers a flexible yet structured methodology for analysing threats, vulnerabilities, and risks, allowing countries to implement a coherent methodology that is adapted to their capacity and unique risk and context.
3. Post-NRA Actions: Recommends follow-up actions, including aligning mitigation measures with identified risks, communicating findings, and refining the NRA process.

This guidance serves as a practical resource for countries aiming to strengthen their AML/CFT systems and align them with proven practices across the FATF network.

BACKGROUND

On 14 August 2025, the Bank for International Settlements (BIS) published Bulletin No. 111 – “An approach to anti-money laundering compliance for cryptoassets.” The bulletin examines how the rise of cryptoassets on permissionless public blockchains challenges traditional AML frameworks that rely on trusted intermediaries (eg banks, regulated exchanges). It highlights the increasing use of stablecoins in illicit activity (about 63% of illicit crypto transactions in 2024) and explores how the public transaction history on blockchains could be leveraged for AML and related compliance objectives.

WHAT'S NEW?

The BIS explores an alternative AML approach that leverages the transparency of public blockchains. By tracing transaction histories, each crypto unit or wallet could be assigned an AML compliance score, ranging from “clean” to “tainted.” These scores could then be referenced at off-ramps, where crypto is converted into fiat, to prevent illicit funds from entering the traditional financial system.

Different levels of application are possible: the most stringent model would only allow tokens from KYC-verified wallets, while the most permissive would block only those directly linked to illicit addresses. Intermediate solutions, such as minimum clean-holding periods or limits on indirect exposure, are also discussed.

The bulletin notes that the existence of compliance scores could influence markets, with clean tokens trading at a premium. It could also shift responsibility for AML compliance across the ecosystem—onto exchanges, banks, or even individual users—and encourage the development of new verification services.

WHAT'S NEXT?

The BIS does not propose binding measures but highlights possible policy directions. These include using AML scores systematically at off-ramps, clarifying who holds the duty of care to block illicit flows, and anticipating market-based incentives around token cleanliness. The bulletin stresses that international cooperation will be crucial, given the global and borderless nature of cryptoassets.