It’s been quite the year for regulatory compliance in 2024. For one, several major regulations were rolled out. We saw certain parts of the Markets in Crypto-Assets (MiCA) regulation come into effect in June, with the remainder set to apply from the end
of this year. The long-awaited EMIR Refit regulation also came into effect in the EU and then the UK, bringing sweeping changes to the way firms report derivatives to trade repositories.
When it came to regulators, we witnessed a shift in strategy, with electronic communications (eComms) especially coming under increasing scrutiny. This was epitomised by the significant increase in, and severity of, enforcement action taken against firms for
failures to surveil and record digital communications – particularly in the US – and NatWest becoming one of the first major institutions to ban the use of off-channel eComms on work devices altogether. Then, there has been the small matter of major elections
on both sides of the Atlantic, and these new governments could significantly reshape strategies for both compliance and the finance sector in 2025.
Equally, while there has been a lot of hype around AI, its practical implementation remains at an exploratory stage both in terms of how it’s integrated into regulatory technology (RegTech) and how regulators respond to its increasing use. Will we start
to see it have a notable impact in these areas next year?
New regulations introduce additional challenges for firms
While EMIR Refit has now been fully rolled out, MiCA is approaching its full implementation date – and it has the potential to reshape compliance. The regulation introduces trade surveillance to Crypto Asset Service Providers, a sector and asset class that
hasn’t come under financial services regulation in Europe before. Anyone who deals with a European client will be affected, meaning its impact is global. Its rollout is quickly followed by the Digital Operational Resilience Act (DORA), which will apply from
January 17th. DORA will require financial firms to formalise their risk management strategy around the use of technology and cybersecurity, including solutions sourced from third-party vendors.
The introduction of both sets of regulations means global firms could face even more complexity in terms of cross-border compliance, with the management of operational risk set to be a huge challenge. With new regulatory and operational frameworks to consider,
global firms will potentially be dealing with significant operational headaches. They will need to understand which aspects of the regulations apply to their business models and then figure out how to monitor and report those activities effectively.
No more off-channel eComms?
August saw the SEC fine 26 firms a collective total of $390 million “for widespread and longstanding failures by the firms and their personnel to maintain and preserve electronic communications”. This enforcement action was part of a record year of US regulators clamping
down on traders using off-channel eComms. With the FCA also showing signs of a stricter approach in the UK, NatWest made the decision to ban WhatsApp, Facebook Messenger and Skype outright. We expect other large financial institutions to follow suit next year,
but is this the right strategy?
Blanket bans are an understandable way to simplify compliance. However, this could simply move the problem elsewhere, such as the use of private groups on personal devices. Meanwhile, surveillance technology has progressed to the point where it is now possible
to monitor channels like WhatsApp and Telegram on approved devices and link messages to suspicious trading activity.
Therefore, rather than simply cutting off access to these channels altogether, firms may see the value in taking a proactive approach by investing in eComms surveillance technology instead. This could be particularly effective for smaller firms given the
complexities of trying to ban the use of apps should they operate a bring-your-own-device (BYOD) policy. In fact, this could even offer them a competitive edge: they can allow staff to benefit from the speed and efficiency of sharing information through such
channels, while still gathering data insights from such interactions that can then be used to preempt market abuse.
Shifting regulator strategies
2024 was a year of hefty fines being handed out by global regulators. But rather than just targeting companies for instances of actual market abuse or wrongdoing, a significant number of the fines levied by bodies like the FCA and SEC were for failures in
preventative measures, such as poorly designed reporting processes or a lack of robust compliance systems. In the UK, for example, the second largest fine of the year so far was handed down to Starling Bank “for failings in their financial crime systems and controls”.
We’re also seeing an increased focus on enforcement action being taken against individuals within firms, rather than just
the firms themselves.
This is not the only area of regulatory evolution. In the US, there’s now a growing focus on enforcement action against mid-market firms, not just tier one financial institutions. We could see the UK and European regulators align with this trend in 2025,
especially for instances of cross-border and eComms non-compliance.
It will also be interesting to see how the new US government’s pro-digital assets stance correlates with the regulatory agenda. Given the increasing popularity of digital assets, will the new administration encourage greater regulatory oversight as one might
normally anticipate, or will it continue the deregulation trend from Donald Trump’s last term in office? As with so many aspects of his return to the White House, the only constant is likely to be change.
The two sides of AI
While 2024 has been dominated by talk of AI and its impact on regulation, its practical use as a compliance tool remains at a relatively fledgling state; however, this is certain to accelerate over the next 12 months. In particular, AI will become increasingly
important in its ability to analyse behaviours, flag anomalies faster, and connect patterns of suspicious behaviour.
Regulators have been clear in their expectations that firms should be using new technologies to manage their regulatory obligations more effectively. For regtech vendors, this will create a greater emphasis on producing user-friendly compliance tools that
strengthen regulatory controls and offer actionable insights. Solutions should not simply flag issues, but explain the reasoning behind an alert.
However, it’s important to remember that AI is not just a tool – it’s a whole new data source and risk that needs its own compliance framework. Therefore, AI-powered compliance systems will most definitely be on the regulators’ radar next year. Firms will
need to treat AI as both an opportunity and a risk, and be prepared for regulatory standards targeting its use in due course.
There can be little doubt that we’re heading towards a state in which AI can be used as a supporting tool which will help compliance teams to identify risk quicker. However, while some industry experts are predicting that AI could end up assessing alerts
on behalf of compliance teams, we believe that this is a premature and potentially dangerous step. Ultimately, firms must be responsible for their decision making and draw on the expertise and experience of their subject matter experts.
In conclusion, whether it’s new regulations, the ongoing crackdown on off-channel communications, or AI’s growing influence, 2025 could be even more complex for firms to navigate. New trends will continue to emerge as the year progresses, but one thing is
clear: regulators expect firms to have robust systems and controls in place to manage their risk. The firms that harness the right tools to remain compliant and use data-led insights to make faster decisions will remain competitive – those who cannot are likely
to suffer the consequences that come from non-compliance.