One of the first mistakes I made when launching my first regulated business was delegating compliance. I started with TransferTo, a mobile micro value transfer service, which wasn’t regulated. Eventually, TransferTo split into two branches (now DT One and Thunes), with the new branch handling actual money transfers that required regulatory compliance. At that time, I thought, "I'll hire a Chief Compliance Officer and let them set up the function," just as I did with marketing or tech. That was a mistake. I faced significant challenges in opening a bank account because I hadn't fully mastered my processes. I also had a hard time communicating with my compliance officer. I didn't have the words or the right codes. Regulatory compliance is ultimately the responsibility of the company and its leadership—it cannot be outsourced. As a CEO, I believe it's essential to make the effort to understand it because the risks for the company are too significant. The least severe risk is a fine. The moderate risk is a suspension of the license. The most severe risk is revocation, or even imprisonment. To effectively manage these risks, I believe it's the CEO's duty to establish the compliance framework. Get your hands dirty. Understand the mechanics. Then, the Chief Compliance Officer can execute your plan. And this is exactly what regulators expect. The CEO's ability to manage compliance is one of the key aspects they evaluate when you apply for a licence. They don't require you to know how to code, but they do expect you to fully understand your company's compliance. If I have one piece of advice for a fintech entrepreneur: invest in compliance. The stakes are too high. As a startup, it could destroy your business. As a scale-up, it could strongly hinder your growth.
Regulatory Compliance in Finance
New SFDR updates in under 90 seconds below! The EU Commission's Final Proposal is a hard reset of the Sustainable Finance Disclosure Regulation (SFDR). We put together the table below and this summary to let you know what the new articles say. If you advise clients, run funds, or sit in risk/compliance, these changes will shape your 2027–2028 strategy. Here are the new SFDR product categories: 1. Article 7 — Transition -For products backing companies/projects on a credible transition path. -70% of the portfolio must support the transition objective. -Partial Paris-Aligned Benchmark exclusions apply. -Product-level PAI disclosures required. -May use the word “impact” if criteria are met. 2. Article 8 — ESG Basics -Integrates ESG beyond risk management, but without transition or sustainability objectives. -Requires 70% alignment with the stated ESG strategy. -Limited exclusions. -No PAI requirement at product level. -Much narrower than today’s Article 8. 3. Article 9 — Sustainable Features -For products investing in already sustainable assets or pursuing a sustainability objective. -70% sustainable alignment required. -EU Taxonomy ≥15% counts as meeting the 70% test. -Full PAB exclusions, including strict fossil-fuel limits. -PAI disclosures + extra reporting for impact funds. 4. Article 9a — Mixed Products -For portfolios blending Article 7 and Article 9 approaches across asset classes. -Still must meet the 70% threshold using Article 9 criteria. -Not a new label—more a structural option for multi-asset strategies. 5. Article 6a — ESG-Uncategorised Products -Cannot use ESG wording in names. -Any sustainability statements must be minimal and secondary (<10% of strategy description). -Designed to eliminate ESG-lite positioning. What this all means: No grandfathering. No professional-investor opt-outs. The old Article 8/9 system will go away. Disclosures will be simpler, but product requirements will be sharper and more rule-based. 
Private markets will get clarity on ramp-up periods. The legislative process will take 12–18 months, followed by a transition period. We are helping investors navigate these new requirements and stay ahead of the curve. Get in touch for our full analysis on SFDR and to learn more! #sfdr #EU #sustainablefinance #investors
-
BaFin, the German financial regulator, imposed a €45 million fine on J.P. Morgan SE. It became the largest AML-related penalty ever issued by BaFin. Why was JP Morgan fined? BaFin found systemic failures in the bank’s processes for submitting Suspicious Transaction Reports (STRs). Specifically: • JP Morgan did not file suspicious-activity reports promptly, • hundreds of alerts and red flags were delayed or not escalated correctly, • the bank’s monitoring and internal controls were not effective during the period Oct 2021 – Sept 2022. Importantly, the fine was not for confirmed money laundering, but for operational and procedural weaknesses in AML compliance, especially delays in mandatory reporting. #aml #aml_compliance
-
The Financial Action Task Force (FATF) has released its Updated Recommendations (February 2025), reinforcing international standards on AML, CFT, and Combating the Financing of Proliferation (CFP). Key Highlights: ✅ Risk-Based Approach (RBA) Strengthened • Countries and financial institutions must continuously assess ML/TF risks. • Proliferation financing risks (linked to WMDs) must now be explicitly assessed and mitigated. • Greater emphasis on data-driven decision-making in risk management. ✅ Stronger Financial Crime Enforcement & Asset Recovery • Enhanced measures to identify, freeze, and confiscate illicit assets, even without conviction-based legal proceedings. • Countries must cooperate more effectively on cross-border investigations related to ML, terrorism, and sanctions evasion. • Expanded legal mandates for regulators to seize cryptocurrency-related assets used for illicit activities. ✅ Enhanced Corporate Transparency & Beneficial Ownership Regulations • Stricter disclosure requirements for companies and trusts to prevent anonymous ownership structures facilitating financial crime. • Introduction of centralized registries for beneficial ownership information, accessible by regulators and FIUs. • Bearer shares and nominee shareholder arrangements are further restricted due to their role in obfuscating ownership. ✅ New Standards for Virtual Assets & Emerging Technologies • FATF mandates stronger oversight on VASPs, aligning AML rules for crypto-assets with traditional financial institutions. • New tech-based compliance controls (including AI-driven monitoring) recommended to enhance financial crime detection. • Stricter regulations for cross-border virtual asset transactions to combat illicit financing and crypto-enabled ML. ✅ Expanded Measures Against Terrorist Financing & Sanctions Evasion • Countries must implement targeted financial sanctions to prevent terrorism and WMD proliferation financing. 
• NPOs are now required to assess their terrorist financing risks while ensuring legitimate operations are not disrupted. • Greater scrutiny on correspondent banking relationships to prevent facilitation of illicit transactions. ✅ Increased International Cooperation & Mutual Legal Assistance • FATF calls for faster cross-border financial intelligence sharing to prevent criminals from exploiting jurisdictional gaps. • Countries must align with UNSCRs on CTF and sanctions enforcement. Recommendations: 🔹 Implement advanced transaction monitoring using AI to detect suspicious financial activities more effectively. 🔹 Reinforce beneficial ownership compliance. 🔹 Strengthen cross-border AML/CFT coordination by fostering partnerships between FIs, regulators, and law enforcement agencies. 🔹 Ensure robust oversight on virtual assets by applying FATF’s Travel Rule to cryptocurrency transactions and monitoring DeFi risks. #AML #FATF #FinancialCrime #Compliance #CryptoRegulation
-
India’s online gaming industry has entered a new regulatory phase. The Ministry of Electronics and Information Technology has introduced a formal regulatory structure for one of India’s fastest growing digital industries. 🔹 A dedicated regulator, the Online Gaming Authority of India, has been established. 🔹 Games may be classified and dealt with differently based on category. 🔹 Registration requirements apply to notified categories. 🔹 User protection and grievance redressal obligations are now expressly recognised. 🔹 Appellate remedies have also been built into the framework. 🔹 Gaming companies will need stronger internal compliance systems. 🔹 Product, payments, advertising, and onboarding decisions may now require closer legal review. 🔹 Investors receive greater policy certainty in a sector that has often faced fragmented treatment. 🔹 Users gain clearer channels for complaints and accountability. The commercial effect of these Rules will depend on how consistently they are administered and how practical the compliance process proves to be.
-
🌐 Financial Action Task Force (FATF) Standards Update – June 2025 Yesterday, the #FinancialActionTaskForce (#FATF) announced important updates to #Recommendation16, commonly referred to as the Travel Rule, with a focus on enhancing the transparency and security of #crossborderpayments and #virtualasset transfers. Updates: ▪️ Standardised data requirements for peer-to-peer cross-border payments above USD/EUR 1,000 (name, address, date of birth) ▪️ Clearer allocation of responsibilities within the payment chain, starting with the financial institution receiving the customer’s instruction ▪️ Mandatory adoption of anti-fraud and error-prevention technologies, such as recipient account verification tools ▪️ Clarified scope for card transactions, which remain exempt from full R.16 requirements when used for goods and services, with updated definitions These changes support the G20 roadmap to make cross-border payments faster, cheaper, more transparent, and more inclusive. They were shaped by two public consultations involving over 300 contributions from financial institutions, industry bodies, civil society, and public authorities. The revised standards will take effect by the end of 2030, with further guidance to be issued by the FATF to support implementation across the private sector. #aml #antimoneylaundering #followthemoeny #dirtymoney #compliance #complianceofficer #duediligence #transactionmonitoring
-
MDR/IVDR Are Just the Tip of Your Regulatory Iceberg—Look Beyond Them A cornerstone of successful medical device development is identifying all regulatory requirements. The MDR (Regulation (EU) 2017/745) and IVDR (Regulation (EU) 2017/746) provide a vast catalog of device requirements and company procedures. Standards then offer additional details for compliance. However, many see this as the entire iceberg and assume it’s enough for full compliance. The reality is different. Medical devices and manufacturers often need to comply with multiple regulations. It’s crucial to identify all applicable regulations beyond the obvious ones. Here are 7 regulations and directives many miss but are often essential: EU AI Act (Proposal COM/2021/206) → Crucial for any medical device incorporating AI. → Adds a certification framework beyond MDR/IVDR. → Overlapping requirements mean a thorough gap analysis is essential. European Health Data Space Regulation (Proposal COM/2022/197) → Central to unlocking cross-border health data sharing in the EU. → A framework for primary and secondary use of electronic health data. → Compliance requires alignment with GDPR and national health laws. Radio Equipment Directive (2014/53/EU) → Applies to devices with wireless communication (e.g., Bluetooth). → EMC testing under MDR isn’t enough for compliance. → Requires additional IFU content, such as wireless frequency specifications. General Data Protection Regulation (Regulation (EU) 2016/679) → Applies to all devices interacting with personal data. → Covers even non-sensitive data, beyond health-related information. → Expected since its enforcement began in 2018. Battery Regulation (Proposal COM/2020/798) → Relevant for devices with rechargeable or disposable batteries. → Mandates user access to batteries for removal or replacement. → Requires compliance with labeling and recycling standards. 
RoHS (Directive 2011/65/EU) and REACH (Regulation (EC) No 1907/2006) → Limit hazardous substances in device materials. → Biocompatibility doesn’t guarantee compliance with these regulations. → Crucial during material selection for physical devices. WEEE (Directive 2012/19/EU) → Governs proper decommissioning and disposal of electrical devices. → Includes exemptions for implantable and potentially infectious devices. → Often requires agreements with waste management organizations. By identifying them early, the iceberg may remain large, but at least you’ll have transparency and control. P.S. What other regulations or directives would you add to this list? MedTech regulatory challenges can be complex, but smart strategies, cutting-edge tools, and expert insights can make all the difference. I’m Tibor, passionate about leveraging AI to transform how regulatory processes are automated and managed. Let’s connect and collaborate to streamline regulatory work for everyone! #automation #regulatoryaffairs #medicaldevices
-
Climate Transition Planning 🌍 Climate transition planning is no longer a nice-to-have—it’s becoming a business necessity. With mounting regulatory requirements and investor expectations, companies must move beyond setting climate targets and demonstrate how they will achieve them through structured Climate Transition Plans (CTPs). CTPs are increasingly embedded in global regulations. The UK, Switzerland, Australia, Hong Kong, and Japan have mandated transition plan disclosures, and other regions are moving in the same direction. In the US, the SEC climate disclosure rule, although currently on hold, also includes transition planning for companies that have one. Many existing sustainability frameworks already incorporate CTP elements. The Task Force on Climate-related Financial Disclosures (TCFD) remains the foundational reference, influencing ISSB’s IFRS S2 standards, SEC climate disclosures, and country-specific regulations. The overlap between frameworks allows businesses to integrate CTPs into existing sustainability reports rather than treating them as standalone requirements. The UK’s Transition Plan Taskforce (TPT) and GFANZ provide structured guidance, while SBTi, CDP, and Climate Action 100+ offer tools to assess credibility and track progress. Beyond compliance, transition planning is a strategic advantage. Investors and financial institutions are embedding transition risk assessments into decision-making, and companies with robust, science-based transition plans are better positioned to access capital and strengthen partnerships. One of the biggest challenges remains financial planning. Only 5% of companies reporting to CDP in 2023 provided sufficient details on how they will fund their transition. Aligning sustainability strategies with CapEx, OpEx, and R&D budgets is essential to turn plans into real action. Businesses that act now will be ahead of regulatory shifts and well-positioned to mitigate transition risks. 
A strong climate transition plan isn’t just about reducing emissions—it’s about ensuring long-term resilience and competitiveness in a rapidly changing landscape. With regulations evolving across Europe, North America, and Asia-Pacific, the question isn’t whether companies should have a CTP, but rather how well-prepared they are to disclose and implement it. Source: @BSR #sustainability #sustainable #business #esg #climatechange #CTP #risks
-
Remittance firm Wise hit with $4.2m fine, UK's Monzo Bank pays £21m penalty, both stemming from money laundering control failures: This week has seen multiple AML-related fines against high-profile fintech firms. Wise's US subsidiary reached a consent order with state regulators in California, Minnesota, Nebraska, New York, Texas, and Massachusetts stemming from BSA and AML/CFT failures. The action followed a multi-state exam of the international payments firm, which serves consumer and business customers, that took place in early 2024 examining the period from July 2022 to September 2023. The exam found: -Wise failed to provide for an independent review of its AML program on a frequency commensurate with services provided; -deficiencies in Wise’s processes for investigating and reporting suspicious activity, including the failure to timely file suspicious activity reports; -transaction monitoring data integrity issues; -failure to timely correct past deficiencies detected in prior examinations and independent audits; -and violations related to the Consumer Financial Protection Bureau’s Remittance Transfer Rule. The consent order Wise reached with the states requires Wise to remediate the identified issues and to pay a $4.2 million penalty. Meanwhile, digital-only bank Monzo also paid a price for AML missteps last week, agreeing to a £21m fine with the UK Financial Conduct Authority. The fine could have been as much as £30.1m, but Monzo qualified for a "stage 1 discount," which reduced the penalty by 30%. The FCA's 44-page final notice provides significant insight into what went wrong at Monzo -- at a far greater level of detail than comparable actions by US regulators. Monzo's AML control issues stemmed in part from: -Rapid growth. Monzo saw its number of customers increase by 1,154% from Feb 2018 to March 2023 and its deposits grow by a whopping 8,315% in the same time frame. -Expanded product line.
Monzo began as a prepaid card and expanded to offering current accounts (checking accounts) to both consumers and businesses, as well as launching overdraft, lending, and payments products. The report noted that "rapid customer growth must not come at the detriment of compliance with the requirement to maintain adequate systems and controls to counter the risk that the firm might be used to further financial crime." Examples of gaps in Monzo's controls included: -Not doing any address verification at various points in time, allowing customers outside of the UK to open Monzo accounts, sometimes using obviously fake addresses like "Buckingham Palace" or "10 Downing Street" (Prime minister's residence) -Failing to obtain info about the purpose and nature of proposed customer relationships -Failing to verify the identity of all beneficial owners persons of significant control for business accounts -Lacking clear documentation on when customer enhanced due diligence is necessary, and how to undertake and document such diligence
-
📔 FATF outlines best practices for countries' virtual asset AML risk assessments TGIF! My nerdy version of a Friday wind-down includes - ice cold prebiotic soda and the new Financial Action Task Force (FATF) toolkit for AML National Risk Assessments (NRA). An NRA is a process by which countries systematically evaluate and address potential money laundering threats and vulnerabilities affecting the country. Countries typically refresh their NRAs every 3 years or so, and often publish the results. The toolkit supplements existing FATF guidance on NRAs. Notably, FATF provided additional guidance for assessing "challenging areas" including virtual assets and VASPs. Key recommendations include: 🔹 Distinct assessments for assets and service providers. Specifically, FATF suggests that countries start by understanding the key assets/tokens in their ecosystem before analysing VASPs, in order to establish an overview of the entire ecosystem. 🔹 Ensuring the appropriate authority leads the assessment. FATF highlights that there are often benefits to having the FIU and the lead crypto regulator involved in the assessment "given the data and expertise they have access to." 🔹 Analysing threats and vulnerabilities, including whether particular asset types or VASPs are more predisposed to being used for criminal activity 🔹 Leveraging a variety of data sources, including supervisory and industry data, SARs/STRs, international information sharing and blockchain intelligence tools such as TRM Labs. FATF emphasized the importance of ensuring the data comes from "reliable and reputable sources" and "avoid[s] bias." It also encouraged countries not currently collecting their own data to consider doing so, and ensuring that data collected can be easily used for its NRA. 🔹 Involving the private sector in the process, which could "provide data where gaps exist and explain how specific VA/VASP products and services are used and misused." 
🔹 Identifying and including red flag indicators in the NRA to help both authorities and private sector better detect suspicious activity 🔹 Communicating NRA findings effectively. FATF noted that "VASPs are the newest reporting entities to be brought under the FATF Standards, and therefore they may not be familiar with AML obligations and may struggle to understand outcomes of ML risk assessments. The communication of the results of the risk assessment should take this into account and frame the findings in the context of AML obligations for VASPs." FATF also noted that even in countries where crypto activity is banned, "additional risk mitigating measures may be necessary, including identifying VASPs that operate illegally in the jurisdiction, assessing the risk of VA/VASP services offered in the country by a VASP based abroad, and applying proportionate and dissuasive sanctions to such entities." The guidance included case studies from Luxembourg, South Africa and Egypt (which has banned crypto).