
Regulatory Updates Newsletter: May 2025

Updated: Jun 17

Welcome to the May 2025 edition of our regulatory newsletter, highlighting the most significant developments in financial regulation across the world’s major economies.

This month, we lead with the UK Prudential Regulation Authority’s new banking rules for overseas banks, followed by key updates from the US, EU, and India.

We then turn to important regulatory actions and proposals from other jurisdictions, including the UAE, Australia, Nigeria, and South Africa, ensuring you are informed of the latest in banking, financial crime, AI governance, digital lending, and emerging risk management frameworks.


PRA Tightens Rules for Overseas Banks in the UK

The UK’s Prudential Regulation Authority (PRA) has implemented a significant policy update aimed at strengthening the regulatory framework for international banks operating through UK branches. Effective May 2025, the PRA revised its "open banking" thresholds to account for inflationary trends. Covered deposit thresholds for branches were raised from £100 million to £130 million and from £500 million to £650 million.


A new intermediate threshold of £300 million was also introduced, acting as a pivot beyond which international banks are expected to shift from branch to subsidiary operations.


The PRA also confirmed in Policy Statement PS7/25 that the longstanding SME and infrastructure support factors will be removed from capital requirement calculations. To counterbalance this change and preserve access to SME and infrastructure lending, the regulator introduced tailored Pillar 2A capital requirements. These adjustments are aligned with Basel 3.1 standards and mark an important recalibration of the UK’s prudential regime.


Implications:

  • International banks must reassess branch structures and prepare for possible reauthorization as subsidiaries if deposit thresholds are exceeded.

  • Removal of SME support factors may raise effective capital requirements and necessitate reassessment of lending strategies.

  • Compliance teams must ensure that risk and capital reporting systems are updated to reflect the new methodologies.

SEC, OCC, and EBA Advance Enforcement and AML Rules



In a coordinated effort to bolster financial crime oversight, U.S. regulators took decisive action in May 2025.

The SEC brought charges against individuals involved in two major Ponzi schemes totalling over $135 million and filed suit against crypto startup Unicoin for allegedly misleading investors in a $100 million token offering.


The Office of the Comptroller of the Currency (OCC) imposed enforcement actions against community banks for unsafe practices, and civil money penalties were levied against former Wells Fargo executives over legacy misconduct.


Across the Atlantic, the European Banking Authority (EBA) introduced draft Regulatory Technical Standards requiring crypto-asset service providers (CASPs) to designate a central contact point when operating across borders. This measure is designed to enhance cross-border AML/CFT supervision and improve regulatory communication in the rapidly growing crypto sector.


Implications:

  • Financial institutions should ensure robust monitoring systems and fraud detection protocols are in place.

  • Senior executives are increasingly held accountable for governance failures—compliance must be ingrained at the leadership level.

  • CASPs must proactively establish central contact functions and ensure local compliance frameworks meet both home and host country obligations.

UK Financial Taskforce Issues Generative AI Risk Guidance

A UK financial sector taskforce, comprising CMORG, UK Finance, and FS-ISAC, released its AI Baseline Guidance Review to support safe adoption of generative AI within financial services.


The guidance addresses regulatory alignment, technical controls, governance protocols, legal obligations, and staff education. Notable recommendations include monitoring AI use against board-approved risk appetites, addressing bias and hallucination risks, managing vendor dependencies, and deploying training on emerging threats like AI-generated phishing and synthetic media.


The guidance, while voluntary, is seen as a foundational step for future UK regulatory frameworks on AI and complements upcoming rules under the EU AI Act.


Implications:

  • Firms must develop or enhance AI governance frameworks tailored to sector-specific risks.

  • Deployment of generative AI should be accompanied by strong access controls, data management protocols, and third-party oversight.

  • Training programs should prioritize detection of AI-driven social engineering threats.

RBI Releases Digital Lending Framework

On May 8, 2025, the Reserve Bank of India (RBI) released its updated Digital Lending Directions, consolidating previous fragmented guidance into a unified and enforceable framework. Aimed at protecting borrowers and ensuring transparency in digital credit delivery, the framework mandates the issuance of Key Fact Statements (KFS) prior to loan execution, which must include detailed disclosures on loan tenure, APR, fees, and repayment schedules.


Loan agreements must now be digitally signed and securely delivered to borrowers. A mandatory cooling-off period of at least one day allows borrowers to reconsider loans without penalty.


Furthermore, Default Loss Guarantee (DLG) arrangements are capped at 5% of the loan portfolio and must be contractually backed by cash or bank guarantees to avoid obfuscation of credit risk.


Implications:

  • Regulated Entities must update documentation processes and ensure seamless integration with Lending Service Providers (LSPs).

  • The framework promotes borrower empowerment through transparency, and compliance teams must recalibrate disclosure and communication protocols.

  • Firms must assess and restructure existing DLG arrangements to meet the new cap and legal enforceability conditions.

PRA Proposes Updated Supervisory Expectations for Banks and Insurers on Climate-Related Risks

On 30 April 2025, the Prudential Regulation Authority (PRA) published Consultation Paper CP10/25, proposing an update to its Supervisory Statement on climate-related financial risks (SS3/19).


The consultation sets out enhanced expectations for banks and insurers to manage climate risks more comprehensively, focusing on governance, risk management, scenario analysis, data, and disclosure.


The proposals aim to clarify and expand upon previous guidance, rather than introduce new binding rules. The consultation is open until 30 July 2025.



Implications:


  • Governance and Risk Management: Firms must integrate climate risks into their governance and risk frameworks, ensuring these are proportionate to their exposure and regularly reviewed.


  • Climate Scenario Analysis: Banks and insurers are expected to use robust, scenario-based analysis to assess both physical and transition risks, and to inform business decisions and capital planning.


  • Data and Disclosure: Enhanced data collection and transparency are required, with plans to address data gaps and improve reporting to stakeholders.


  • Strategic Planning: Firms should develop plans to build internal data capabilities and use conservative assumptions where reliable data is lacking.


  • Board Oversight: Boards and management must be equipped with decision-useful climate risk reporting and maintain clear risk appetites that cascade throughout the organization.


  • No Immediate Capital Changes: While immediate changes to capital requirements are not proposed, the PRA highlights ongoing concerns about firms’ ability to demonstrate appropriate capitalisation against climate risks, signalling potential future adjustments as risk quantification improves.

Summary of Other Regulatory Updates

| Regulator | Update | Source |
| --- | --- | --- |
| FCA (UK) | The FCA published the outcome of its review on international payment transparency, identifying significant inconsistencies in how firms disclosed fees and exchange rates to customers. The regulator emphasized that some providers failed to clearly communicate the total cost of transactions, potentially misleading consumers. Firms were reminded of their responsibilities under the Consumer Duty regime, which mandates clarity, fairness, and comprehensiveness in all customer communications, especially for cross-border services. | |
| ICO (UK) | The Information Commissioner's Office opened a consultation on new encryption guidance to reflect current data protection expectations under UK GDPR. It introduces a tiered “must, should, could” model that helps distinguish mandatory legal requirements from best practice recommendations. The ICO seeks stakeholder input on appropriate encryption use cases across different technologies including cloud storage, email communications, and Internet of Things (IoT) ecosystems. The guidance aims to strengthen organizational security postures and improve residual risk management. | |
| MAS (Singapore) | The Monetary Authority of Singapore released a consultation paper proposing streamlined IPO prospectus requirements aimed at improving market accessibility for both domestic and foreign issuers. Key reforms include simplified disclosures for material information, relaxed interim reporting obligations, and enhanced access for retail investors through early-stage marketing efforts. The proposal also permits pre-lodgement engagement with institutional investors, reflecting MAS’s intent to align with global best practices and boost Singapore’s competitiveness as a listing destination. | |
| SEBI (India) | India’s market regulator SEBI doubled the threshold for mandatory ownership disclosures by Foreign Portfolio Investors (FPIs) from ₹25,000 crore to ₹50,000 crore. While this reduces regulatory burden on over 60% of mid-sized FPIs, it places heightened scrutiny on large investors with significant exposure to specific sectors. Enhanced reporting is now required for holdings that exceed 5% in any Indian sector. The move aims to foster transparency and reduce systemic concentration risks while also promoting increased capital inflows into priority sectors like fintech and renewable energy. | |
| CBUAE (UAE) | On May 20, 2025, the UAE Central Bank imposed a record AED 200 million fine on an unnamed exchange house after identifying severe violations of anti-money laundering (AML) and counter-terrorist financing (CFT) regulations. The enforcement was executed under Article 137 of Federal Decree-Law No. 14 of 2018, and was accompanied by a personal fine of AED 500,000 for the branch manager, who was also permanently banned from holding any future role in licensed financial institutions. The case underscores the UAE’s commitment to upholding international financial integrity standards. | |
| APRA (Australian Prudential Regulation Authority) | CPS 230: Operational Risk Management standard comes into effect from July 2025, with full compliance required by July 2026. Sets requirements for operational risk and resilience, including third-party risk management, business continuity, and incident response. | |
| SEC Nigeria (Securities and Exchange Commission) | New crypto rules under the Investments and Securities Act (ISA) 2025: All VASPs must obtain a license; crypto is now treated as securities. Strict KYC/AML, disclosure, and investor protection measures are in place. | SEC Nigeria (main page). Note: ISA 2025 is not yet published as a standalone document on the SEC site, but the update is widely reported and effective. |


Stay informed with our regulatory updates and join us next month for the latest developments in risk management and compliance!

For any feedback or requests for coverage in future issues (e.g. additional countries or topics), please contact us at info@riskinfo.ai. We hope you found this newsletter insightful.


Best regards,

The RiskInfo.ai Team