What's New: Regulatory Tracker

DORA is the primary regulation for ICT risk in the EU, requiring comprehensive frameworks for backup, recovery, and cyber-threat detection. It mandates strict oversight of critical ICT third-party providers and harmonised incident reporting timelines.

The transition period for the UK's operational resilience framework has ended. Firms in scope, including large PIs and EMIs, must now be able to operate within their impact tolerances.

The FCA has finalised a major overhaul of safeguarding for Payment Institutions and E-Money Institutions, moving to a strict CASS-style framework with enhanced reporting, annual audits, and resolution packs.

The EU is modernising PSD2 into a new Directive (PSD3) and Regulation (PSR1). EMIs and PIs will be merged into a single Payment Institution category, with new safeguarding enhancements and winding-up plan requirements.

Revokes the requirement for annual external AML audits and mandates annual independent risk-based reviews by Internal Audit. Covers ML/TF and Proliferation Financing.

A harmonised regional framework for licensing non-bank payment service providers, including e-money and fintech firms. Introduces enhanced consumer protection and insolvency rules across the OECS.

The timeframe for reporting Suspicious Transactions (STRs) or Suspicious Activities (SARs) to the FIUTT has been reduced from 14 days to 5 business days from the date the suspicion was formed.

The rigid requirement for a full external AML audit has been revoked. Firms must now conduct Independent Risk-Based Reviews covering Proliferation Financing as well as ML/TF, with strict independence documentation.

All FIUTT registrations are now valid for 5 years. Existing firms must track their original registration date and apply for renewal 3 months before expiry. New registrants must complete a mandatory Self-Assessment Questionnaire.

The Bahamas has replaced the requirement for information to be 'updated' with a mandate for it to be 'up-to-date' at all times. Nominee directors are now largely prohibited and nominee shareholders must disclose the nominator's identity.

Defines and regulates virtual asset service providers conducting exchanges, transfers, safekeeping, and related financial services on behalf of other persons.