Swan FS Global Regulatory Developments Report: November 2025
- James Ross
- Dec 3, 2025
- 7 min read
Executive Summary
November 2025 represents a watershed moment in global financial regulation, characterised by a stark bifurcation in regulatory philosophy between the Atlantic powers.
In the European Union, the transition to granular operational enforcement reached its zenith with the designation of Critical ICT Third-Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA) and the finalisation of technical standards under the Markets in Crypto-Assets Regulation (MiCA). This consolidates the EU’s “Digital Fortress” strategy, asserting its sovereignty over the financial sector's technological infrastructure.
Conversely, the United States has initiated a rapid deregulatory pivot. The judicial vacatur of the SEC’s “Dealer Rule” and the Office of the Comptroller of the Currency’s (OCC) liberalisation of bank crypto-custody for operational purposes signal a dismantling of the “regulation by enforcement” paradigm.
The United Kingdom is executing a strategy of “safe innovation,” highlighted by the Bank of England’s consultation on systemic stablecoins, aiming to bridge the gap between the EU’s rigidity and the US’s fluidity. In the Asia-Pacific region, Hong Kong moved to end its “liquidity island” effect by permitting licensed exchanges to integrate order books with global affiliates.
1. European Union: The Operationalisation of the Digital Single Market
The EU moved decisively from the legislative phase to operationalising its Digital Finance Strategy, focusing on the technical machinery of supervision.
1.1 Digital Operational Resilience Act (DORA)
DORA saw its most significant supervisory action in November: the extension of the financial regulatory perimeter to the global technology supply chain.
1.1.1 Designation of Critical ICT Third-Party Providers (CTPPs)
On November 18, 2025, the European Supervisory Authorities (ESAs) published the inaugural list of 19 CTPPs. This marks the first time non-financial technology conglomerates have been brought under direct financial supervision in the EU. The designation was based on systemic impact, concentration risk, and substitutability.
Table 1: Designated Critical ICT Third-Party Providers (November 2025)
Sector / Category | Designated Provider (Entity) | Strategic Implication |
Cloud Hyperscalers | Amazon Web Services EMEA Sarl | The backbone of modern banking infrastructure is now regulated. |
Google Cloud EMEA Limited | Subject to Lead Overseer audit. | |
Microsoft Ireland Operations Limited | Includes Azure and Office 365 dependencies. | |
Oracle Nederland B.V. | Critical for core banking databases. | |
Technology & Consulting | Accenture plc | Covers managed services and IT outsourcing. |
Capgemini SE | Major integrator for European banks. | |
IBM Corporation | Legacy mainframe and hybrid cloud dominance. | |
Tata Consultancy Services Limited | Significant operational outsourcing hub. | |
Infrastructure & Telecom | Colt Technology Services | Critical network connectivity. |
Deutsche Telekom AG | Core German infrastructure backbone. | |
Equinix (EMEA) B.V. | Data centre colocation dominance. | |
InterXion Headquarters B.V. | Key connectivity hub for trading venues. | |
Orange SA | French telecommunications pillar. | |
Financial Technology | Bloomberg L.P. | Market data and trading terminal monopoly. |
Fidelity National Information Services (FIS) | Core banking processing. | |
Kyndryl Inc. | Managed infrastructure spin-off from IBM. | |
LSEG Data and Risk Limited | Critical market data and risk analytics. | |
NTT DATA Inc. | Global payment and IT services. | |
SAP SE | ERP and core finance systems. |
Implications: Designated CTPPs must establish an EU subsidiary, pay oversight fees, and submit to direct audits. Regulators possess a “nuclear option” to order financial entities to terminate contracts with non-compliant CTPPs.
1.1.2 TIBER-EU and Red Teaming
The European Central Bank (ECB) published the TIBER-EU SSM Implementation Guide on November 21, 2025. This mandates advanced Threat-Led Penetration Testing (TLPT) for “Significant Institutions.” Critically, the guide requires these adversarial tests to be conducted on live production systems, moving beyond theoretical exercises.
1.1.3 DPM 2.0 Reporting
The European Banking Authority (EBA) finalised Reporting Framework 4.2 on November 25, 2025, completing the transition to the Data Point Model (DPM) 2.0. This data-centric architecture replaces template-based reporting. It lays the groundwork for integrating ICT risk data with prudential capital data.
1.2 Markets in Crypto-Assets (MiCA)
1.2.1 The “Legacy Token” White Paper Problem
ESMA clarified on November 17, 2025, that trading platforms (CASPs) face a hard deadline of December 31, 2027, to ensure a MiCA-compliant White Paper exists for every asset listed, including those listed before MiCA’s application. If the original issuer is unavailable, the exchange must produce the White Paper (assuming liability) or delist the asset.
1.2.2 Service Classification
ESMA provided granular guidance distinguishing between “Execution of orders” (agent), “RTO” (routing), and “Exchange” (principal). This forces firms operating hybrid models to obtain the appropriate, more capital-intensive authorisations.
1.2.3 Data Standards
On November 28, 2025, ESMA mandated the use of ISO 20022 messaging standards for MiCA transaction reporting, aligning crypto reporting with traditional finance (MiFIR/SEPA).
1.3 The “Digital Omnibus” Package
Introduced on November 19, 2025, this package aims to reduce “reporting fatigue” by establishing a unified entry point for incident reporting across GDPR, NIS2, and DORA. However, the Association for Financial Markets in Europe (AFME) criticised the proposal for failing to resolve the overlap between DORA and the Cyber Resilience Act (CRA).
2. United Kingdom: The “Safe Innovation” Strategy
The UK is aiming to capture the digital asset market by providing regulatory clarity that balances commercial viability with high prudential standards.
2.1 Systemic Stablecoin Regime
On November 10, 2025, the Bank of England (BoE) published its consultation on sterling-denominated systemic stablecoins.
Backing Assets: The BoE proposes a split: roughly 40% in central bank reserves and 60% in high-quality, short-term UK government debt. This concession allows issuers to generate yield.
Permissionless Ledgers: The BoE did not ban public blockchains but requires issuers to demonstrate control over settlement finality on networks they do not own.
Supervision: A dual-lock model with the BoE (Prudential) and the FCA (Conduct).
2.2 FCA Stablecoin Sandbox
The FCA launched a dedicated Stablecoin Cohort within its Regulatory Sandbox on November 26, 2025, to test non-systemic stablecoin models.
2.3 T+1 Settlement
The UK confirmed a target implementation date of October 2027 for the shift to T+1 settlement, coordinating with the EU and Switzerland to mitigate cross-border settlement mismatch risks.
2.4 Financial Crime
The Serious Fraud Office (SFO) updated its guidance on November 26, 2025, emphasising that compliance programs must be proven effective and adequately resourced to serve as a defence; “paper programs” are insufficient.
3. United States: The Great Deregulation
November 2025 marked a profound shift in US financial regulation, moving away from aggressive enforcement toward liberalisation, particularly concerning digital assets.
3.1 SEC: Vacatur of the Dealer Rule
On November 21, 2025, a Federal District Court vacated the SEC’s “Dealer Rule.” The SEC had attempted to redefine “dealer” to include entities providing significant liquidity, such as DeFi automated market makers (AMMs). The court ruled the SEC exceeded its statutory authority. The vacatur nullifies the rule, removing the requirement for DeFi protocols to register as broker-dealers.
3.2 “Project Crypto” and New Taxonomy
SEC leadership unveiled “Project Crypto” on November 12, 2025, proposing a new, function-based taxonomy: Digital Commodities, Digital Collectables, Digital Tools, and Tokenised Securities. This initiative embraces the concept of morphing, in which a token initially sold as a security can evolve into a digital commodity once the network is sufficiently decentralised.
3.3 OCC Interpretive Letter 1186
The OCC issued Interpretive Letter 1186 on November 18, 2025. The OCC confirmed that holding crypto-assets solely to pay network “gas fees” (e.g., ETH) is “incidental to the business of banking.” This allows national banks to hold gas tokens on their balance sheets, enabling direct interaction with public blockchains.
3.4 Legislative and Agency Shifts
FDIC Rescission: The FDIC, the Fed, and the OCC rescinded previous “heightened scrutiny” guidance for crypto-banking relationships.
IRS Staking Safe Harbour (Rev. Proc. 2025-31): The IRS issued guidance allowing trusts (including ETFs) to stake digital assets without being classified as active businesses, enabling Spot Crypto ETFs to distribute staking rewards.
Boozman-Booker Draft: The Senate Agriculture Committee released a draft bill granting the CFTC exclusive jurisdiction over the “Digital Commodity” spot market.
4. Asia-Pacific: The Race for Liquidity and Licensing
4.1 Hong Kong: Solving the Liquidity Island
Hong Kong’s Securities and Futures Commission (SFC) issued circulars on November 3, 2025, addressing the primary weakness of its regulated market: low liquidity.
Shared Liquidity: The SFC now permits licensed platforms to integrate their order books with overseas affiliates, ending the previous “ring-fenced” approach. Strict access controls and real-time monitoring are required.
Product Expansion: Platforms are allowed to list a broader range of assets and distribute tokenised securities.
4.2 Australia: The Licensing Era
The Australian Government introduced the Corporations Amendment (Digital Assets Framework) Bill 2025. Australia is moving from simple AML registration to a full Australian Financial Services License (AFSL) regime for “Digital Asset Platforms,” including specific authorisation and strict asset segregation requirements for “Tokenised Custody Platforms.”
5. Americas (Canada) & International Bodies
5.1 Canada: OSFI Prudential Easing
The Office of the Superintendent of Financial Institutions (OSFI) updated its Capital Adequacy Requirements. The exposure limit for “Group 2” crypto-assets (e.g., Bitcoin) was raised from 1% to 5% of Tier 1 Capital. Crucially, OSFI removed the punitive 100% deduction rule for exposures above 1%.
5.2 International Standards
FSB: The Financial Stability Board (FSB) announced its 2026 priorities will shift to “implementation monitoring,” highlighting private credit and stablecoins as primary systemic vulnerabilities
IOSCO: IOSCO’s final report on tokenisation concluded that secondary market liquidity is currently a myth due to fragmentation and urged regulators to enforce “Same Activity, Same Risk, Same Regulation.”
6. Implementation Trackers
6.1 DORA Implementation Tracker (EU)
Milestone | Status (Nov 2025) | Critical Detail |
CTPP Designation | Completed | 19 Providers (AWS, Google, etc.)are designated. Oversight fees and audit powers are active immediately. |
TLPT Testing | Active | TIBER-EU Guide published. “Significant Institutions” must scope tests on live production systems. |
Reporting (DPM 2.0) | Finalized | Tech Package 4.2 released. Semantic data definitions (Data Points) replace templates. |
Incident Reporting | Proposed | “Digital Omnibus” proposes a single reporting point, but DORA/CRA overlap remains unresolved. |
6.2 MiCA Implementation Tracker (EU)
Requirement | Status (Nov 2025) | Regulatory Insight |
White Papers | Transitional | Hard deadline of Dec 2027 for all listed assets. Exchanges are legally liable for legacy tokens. |
Execution Policy | Clarified | Strict separation: “Exchange” (Principal) vs “Execution” (Agent) vs “RTO” (Router). |
Data Standards | Mandated | ISO 20022 messaging is required for all transaction reports. |
Stablecoins (ART/EMT) | Live | Banking channels open for reserve custody; non-compliant stablecoins facing delisting. |
7. Conclusion: The Compliance Divergence
November 2025 confirms that the era of synchronised global regulation is over. We are entering a period of Compliance Divergence.
In Europe, compliance is becoming an engineering discipline, requiring deep integration of regulatory standards into the IT stack (DORA, MiCA, DPM 2.0).
In the US, compliance is a legal and structural exercise that focuses on defining the asset class (Project Crypto) and leveraging new banking privileges (OCC Letter 1186).
In APAC, compliance is a market-access tool, used to unlock liquidity (Hong Kong) and build trust (Australia).
A “one-size-fits-all” compliance strategy is no longer viable. The winning strategy for 2026 will involve distinct regional operating models: a “Fortress” model for the EU, an “Innovation” model for the US/UK, and a “Growth” model for APAC.
#FinReg #DORA #MiCA #DigitalAssets #DeFi #Stablecoins #RegTech #FinancialServices #Compliance #RiskManagement
