
What happened to regulatory compliance in 2024, and how might it shape strategies for 2025? By Ben Parker

2024 was a busy year for regulatory compliance. On the one hand, several major regulations have been implemented. We saw parts of the Markets in Crypto-Assets (MiCA) regulations come into force in June, with the remainder expected to apply from the end of this year. The long-awaited arrival of the EMIR Refit Regulation also came into force for the EU and then the UK, bringing radical changes to the way companies report their derivatives to trade repositories.

When it comes to regulators, we have seen a shift in strategy, with electronic communications (eComms) in particular coming under increasing scrutiny. This was illustrated by the significant increase in, and severity of, enforcement action taken against companies for failing to monitor and record digital communications – particularly in the United States – and NatWest became one of the first major institutions to ban the use of off-channel electronic communications on work devices. Then there was the small matter of major elections on both sides of the Atlantic, and these new governments could significantly reshape compliance and financial sector strategies in 2025.

Similarly, although there has been a lot of hype around AI, its practical implementation remains at an exploratory stage, both in terms of how it is integrated into regulatory technology (RegTech) and how regulators respond to its growing use. Will we start to see this having a noticeable impact in these areas next year?

New regulations introduce additional challenges for businesses

While EMIR Refit is now fully deployed, MiCA is approaching its full implementation date – and it has the potential to reshape compliance. The regulation introduces commercial oversight of crypto asset service providers, a sector and asset class that was not previously subject to financial services regulation in Europe. Anyone dealing with a European customer will be affected, meaning its impact is global. Its deployment was quickly followed by the Digital Operational Resilience Act (DORA), which will apply from January 17. DORA will require financial firms to formalize their risk management strategy around the use of technology and cybersecurity, including solutions from third-party providers.

The introduction of these two sets of regulations means that global businesses could face even greater complexity in terms of cross-border compliance, with managing operational risk shaping up to be a huge challenge. With new regulatory and operational frameworks to consider, global businesses will potentially face significant operational challenges. They will need to understand what aspects of the regulations apply to their business models, and then figure out how to effectively monitor and report those activities.

No more off-channel electronic communications?

August saw the SEC fine 26 companies for a collective total of $390 million “for the widespread and long-standing failures of businesses and their personnel to maintain and preserve electronic communications.” The enforcement action was part of a record year in which U.S. regulators cracked down on traders using off-channel electronic communications. With the FCA also showing signs of a tougher approach in the UK, NatWest has taken the decision to ban WhatsApp, Facebook Messenger and Skype outright. We expect other major financial institutions to follow suit next year, but is this the right strategy?

General prohibitions are an understandable way to simplify compliance. However, this might just shift the problem elsewhere, such as using private groups on personal devices. In the meantime, surveillance technology has advanced to the point where it is now possible to monitor channels like WhatsApp and Telegram on approved devices and link messages to suspicious commercial activity.

Therefore, rather than simply cutting off access to these channels completely, businesses may see the value in taking a proactive approach by investing in electronic communications monitoring technology instead. This could be particularly effective for small businesses, given the complexity of trying to prohibit the use of apps if they have a bring-your-own-device (BYOD) policy. In fact, it could even give them a competitive advantage: they can allow staff to benefit from the speed and efficiency of sharing information through these channels, while also collecting information about these interactions which can then be used to prevent market abuse.

Changing regulators’ strategies

2024 has been a year of heavy fines imposed by global regulators. But rather than only targeting companies for actual instances of market abuse or wrongdoing, a significant number of fines issued by bodies like the FCA and SEC related to failures in preventative measures, such as poorly designed reporting processes and systems or a lack of robust compliance systems. In the United Kingdom, for example, the second biggest fine of the year so far was imposed on Starling Bank “for failures in its financial crime systems and controls.” We are also seeing an increased focus on enforcement actions taken against individuals within companies, rather than against the companies themselves.

This is not the only area of regulatory development. In the United States, the focus is now increasingly on enforcement measures against mid-sized companies, and no longer just against tier one financial institutions. We could see UK and EU regulators aligning with this trend in 2025, particularly for cross-border and electronic communications non-compliance.

It will also be interesting to see how the new US government’s pro-digital stance correlates with the regulatory agenda. Given the growing popularity of digital assets, will the new administration encourage greater regulatory oversight as would normally be expected, or will it continue the trend of deregulation started during its last term? As with many aspects of Donald Trump’s return to the White House, the only constant will likely be change.

The two faces of AI

While 2024 has been dominated by discussions around AI and its impact on regulation, its practical use as a compliance tool remains at a relatively nascent stage; however, this will certainly accelerate over the next 12 months. In particular, AI will become increasingly important for its ability to analyze behavior, flag anomalies more quickly, and connect suspicious patterns of behavior.

Regulators have clearly expressed their expectations that companies should use new technologies to manage their regulatory obligations more effectively. For regtech providers, this will place greater emphasis on producing user-friendly compliance tools that strengthen regulatory controls and offer actionable insights. Solutions should not just point out problems, but explain the reasoning behind an alert.

However, it is important to keep in mind that AI is not just a tool: it is a whole new data source and a whole new risk that requires its own compliance framework. Therefore, AI-based compliance systems will most certainly be on the radar of regulators next year. Businesses will need to treat AI as both an opportunity and a risk, and prepare for regulatory standards targeting its use when the time comes.

There is no doubt that we are moving towards a state where AI can be used as a supporting tool that will help compliance teams identify risks more quickly. However, while some industry experts predict that AI could eventually evaluate alerts on behalf of compliance teams, we believe this is a premature and potentially dangerous step. Ultimately, companies must be responsible for their decision-making and rely on the expertise and experience of their subject matter experts.

Bottom line, whether it’s new regulations, the ongoing crackdown on off-channel communications, or the growing influence of AI, 2025 could be even more complex for businesses to navigate. New trends will continue to emerge as the year progresses, but one thing is clear: regulators expect companies to have robust systems and controls in place to manage their risks. Businesses that leverage the right tools to stay compliant and use data-driven insights to make faster decisions will remain competitive; those who cannot do so risk suffering the consequences of non-compliance.