AML & Financial Services Regulatory Archives

In AML & Financial Services Regulatory

United Kingdom: FCA Launches Review on Future AI Approach

February 23, 2026 by Mark Simpson, Caitlin McErlane, Ben Thatcher and Kimberly Everitt 6 Mins Read

On 27 January 2026 the Financial Conduct Authority (FCA) launched the Mills Review to examine the long-term impact of AI on financial services. Led by Sheldon Mills, this initiative invites industry feedback to help shape how AI might transform consumer experiences, market structures, and regulatory approaches in retail financial services. The call for input closes on 24 February, following which Mills will present recommendations to the FCA board in the summer, culminating in an external publication to foster informed debate.

In AML & Financial Services Regulatory

Australia: Treasury Moves to Strengthen MIS Governance Standards

February 20, 2026 by Trudi Procter, Alan Darwin and Bill Fuggle 8 Mins Read

On 10 February 2026, the Treasury released the ‘Enhancing oversight and governance of managed investment schemes’ consultation paper. The Consultation Paper proposes to strengthen retail consumer protections and improve stability and confidence in the superannuation and financial services sectors, predominantly through strengthening governance and capital holding requirements for registered MISs.
The Consultation Paper also considers measures such as waiting periods for superannuation switches and constraints on inappropriate advice related fees.
Ultimately, the measures proposed in the Consultation Paper aim to prevent harm to retail consumers stemming from poor governance practices, whilst maintaining investor confidence in the Australian financial system.

In Cybersecurity, Data and Tech

Australia: Landmark Penalty for Cyber Security Failures

February 20, 2026 by Trudi Procter, Paul Forbes, Anne Petterd and Ryan Grant 5 Mins Read

The Federal Court of Australia in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 has ordered FIIG Securities Limited (FIIG) to pay a penalty of AUD 2.5 million plus AUD 500,000 in costs in response to proceedings brought by the Australian Securities and Investment Commission (ASIC) in March 2025 for cyber security failures in breach of FIIG’s general Australian Financial Services Licence (AFSL) obligations between March 2019 and June 2023.

In AML & Financial Services Regulatory

Malaysia: Securities Commission Clarifies Requirements on Digital Asset Broking

February 13, 2026 by Sue Wan Wong 3 Mins Read

On 30 January 2026, the Securities Commission Malaysia provided clarity on the regulatory framework governing the offering of broking services for digital assets. Malaysia’s securities regulator clarified that licensed securities brokers may offer digital asset broking where the assets fall within existing securities rules, provided they notify the regulator, confirm operational readiness, and trade only in approved digital assets.

In AML & Financial Services Regulatory

United Kingdom: New Cryptoassets Regime Published

February 11, 2026 by Mark Simpson, Ben Thatcher and Kimberly Everitt 7 Mins Read

On 4 February 2024, the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 were made, establishing a comprehensive regulatory framework for cryptoassets in the UK. Under this new regime, cryptoasset firms falling within scope will be subject to regulatory requirements, including, where relevant, authorisation by the FCA. The Cryptoassets Regulations define the categories of cryptoassets and activities subject to regulation, expand the scope of the financial promotions regime to align with the new regulated activities, and make provision for rules relating to market abuse and public offers. The new regime will take effect on 25 October 2027, with the authorisation gateway opening in September 2026. UK cryptoasset firms should review their current and planned activities to determine if they fall within the scope of the new regime, and those seeking authorisation should start engaging with the process now to ensure they are prepared to move quickly once the gateway opens.

In Cybersecurity, Data and Tech

Spain: Spanish DPA on AI Images and New EU Code

February 5, 2026 by José María Méndez, Silvia Saenz de Ormijana, Patricia Pérez Soto and Pablo Usle 5 Mins Read

Recent regulatory developments underscore the growing scrutiny of professional uses of generative AI. On 13 January 2026, the Spanish Data Protection Authority issued a formal notice warning of the legal and privacy risks involved in uploading, transforming or generating images of individuals through AI tools. At the same time, the European Commission has published the first draft of its voluntary Code of Practice on Transparency of AI-Generated Content.

In AML & Financial Services Regulatory

Canada: Stepping into the digital financial future – the Federal Government tables the new Consumer-Driven Banking Act

January 2, 2026 by Michael Garellek and Usman M. Sheikh 4 Mins Read

On 30 November 2025, Canada introduced the Consumer-Driven Banking Act (CDBA) as part of Bill C-15, establishing a federal framework for open banking.
The CDBA aims to enhance consumer control over financial data by creating a secure system for data sharing among accredited entities. It designates the Bank of Canada as the supervisory authority, sets accreditation and security standards, and mandates clear consent requirements. The Act also introduces liability protections, complaint mechanisms, and enforcement measures, including penalties of up to CAD 10 million. Implementation is expected in early 2026 following supporting regulations.

On 4 December 2025, the European Commission introduced the Market Integration & Supervision (MIS) Package to strengthen EU financial market integration.
Key points:
• Direct ESMA oversight of major financial entities and cryptoasset service providers.
• Harmonized rules by converting key directives into regulations for consistent application.
• Goal: Improve market integrity, investor protection, and reduce fragmentation.
Implementation will take several years, with no immediate changes expected.

In AML & Financial Services Regulatory

United States: IRS issues 2025 transition relief and hints at future tips and overtime information reporting obligations

January 2, 2026 by Anne G. Batter, Ligeia Donis and Robin Samuel 1 Min Read

On 16 December 2025, the Internal Revenue Service (IRS) issued two Notices addressing reporting obligations for tips and overtime under the Overtime and Bonus-Based Benefits Act (OBBBA).
The guidance provides transition relief for 2025, recognizing that employers and payors may not have updated systems or forms to comply with new requirements. It also explains how taxpayers can calculate deductions for tips and overtime when employer reporting is unavailable.
In addition, the notices signal future mandatory reporting obligations, indicating that structured compliance processes will be introduced in subsequent years.

In AML & Financial Services Regulatory

Brazil: BCB and CMN establish additional cyber security requirements

January 2, 2026 by Flávia Rebello Pereira, Marcela Trigo and Luis Ambrosio 3 Mins Read

On 18 December 2025, Brazil’s Central Bank (BCB) and National Monetary Council (CMN) issued new resolutions strengthening cybersecurity for financial institutions. The rules mandate 14 security controls, including encryption, intrusion detection, and monitoring of the Deep/Dark Web. Additional requirements apply to PIX and RSFN systems, cloud computing isolation, and annual independent intrusion tests. Institutions must comply by 1 March 2026.