SwanFS Digital Markets and Asset Risk Register 2025: A Technical Analysis of the Global Regulatory Implementation Wave
- James Ross
- Oct 2, 2025
- 23 min read
Executive Summary
2025 marks a pivotal shift for digital assets and financial markets, moving from regulatory development to strict enforcement. The era of regulatory uncertainty and rapid market growth comes to an end, giving way to a landscape of compliance and operational risks. This report provides a risk register and analysis of challenges and strategic impacts, emphasising that market sustainability and competitiveness now rely on advanced, multi-jurisdictional risk and compliance frameworks.
The primary risk epicentres for 2025 have been clearly identified. Within the European Union, the full implementation of the Markets in Crypto-Assets (MiCA) Regulation and the Digital Operational Resilience Act (DORA) presents an exceptional, simultaneous challenge. This ‘great implementation’ requires a substantial upgrade in corporate governance, market surveillance structures, and technological resilience, creating a significant risk of a ‘compliance debt’ crisis among firms unready for the detailed requirements of the new regime.
Meanwhile, a significant strategic friction is emerging from the regulatory divergence between the United Kingdom and the United States. The UK is designing a bespoke, activity-based post-Brexit regime, while the US is promoting a pro-innovation, yet fragmented, framework through landmark legislation such as the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act. This divergence creates a “compliance chasm,” compelling global firms to adopt costly, duplicated operational models and make complex strategic decisions regarding where to base certain business activities.
Beneath these regional dynamics lies the continuous escalation of global financial crime standards. Supranational organisations, led by the Financial Action Task Force (FATF) and the Wolfsberg Group, are systematically closing regulatory gaps, especially concerning stablecoins and the connection between Virtual Asset Service Providers (VASPs) and traditional banking. This is raising “on-chain compliance”—the use of blockchain analytics for AML/CFT—from a niche skill to a vital factor determining a firm’s access to the global financial system, thus formalising the de-risking of entities with inadequate controls.
Ultimately, frontier risks are becoming an integral part of mainstream regulation. The rapid growth of Artificial Intelligence (AI) in financial services and the increasing connections between Decentralised Finance (DeFi) and traditional markets have drawn the attention of systemic risk authorities, including the Financial Stability Board (FSB) and the Bank for International Settlements (BIS). These technologies are no longer viewed as minor experiments, but rather as potential sources of systemic risk, necessitating new risk management frameworks and closer supervisory oversight.

The following consolidated risk register summarises the most critical threats detailed in this report, providing a strategic overview for senior leadership to prioritise attention and resources.
Consolidated Risk Register Summary
Risk ID | Risk Theme | Risk Description | Inherent Risk (I/L) | Key Jurisdictions | Risk Velocity & Trend |
--- | --- | --- | --- | --- | --- |
REG-EU-01 | Regulatory Implementation | Failure to operationalise the granular governance and control requirements stipulated in MiCA’s final Regulatory and Implementing Technical Standards (RTS/ITS), leading to authorisation delays, enforcement action, or loss of market access. | High/High | EU | High & Increasing |
OPR-EU-01 | Operational Resilience | Inability to comply with DORA’s comprehensive mandates for ICT risk management, incident reporting protocols, and critical third-party provider (CTPP) oversight, resulting in supervisory penalties and significant operational disruption. | High/Medium | EU | High & Increasing |
STR-GL-01 | Strategic Divergence | Increased operational expenditure and strategic complexity arising from navigating the divergent UK (activity-based) and EU (MiCA) regulatory frameworks, necessitating business model fragmentation and duplicative compliance functions. | High/High | EU, UK | Medium & Increasing |
REG-US-01 | Regulatory Uncertainty | Persistent legal ambiguity regarding the classification of digital assets under the Howey test (securities vs. commodities) outside of the stablecoin framework perpetuates a high-risk environment of “regulation by enforcement.” | High/High | US | Medium & Stable |
FIN-GL-01 | Financial Crime | Failure to meet tightening global AML/CFT standards, including FATF Recommendation 16 (Travel Rule) and expectations for on-chain analytics, leading to de-risking by correspondent banking partners and loss of access to the global financial system. | High/High | Global | High & Increasing |
OPR-GL-01 | Third-Party & Concentration Risk | Systemic and firm-level operational risk from high concentration in a limited number of critical third-party providers for cloud infrastructure (DORA) and foundational AI models (FSB), creating single-point-of-failure vulnerabilities. | Medium/High | Global | High & Increasing |
TEC-GL-01 | Frontier Technology | Contagion risk from idiosyncratic failures in DeFi protocols (e.g., smart contract exploits) propagating into traditional markets via tokenised real-world assets (RWAs), presenting novel financial stability threats. | Medium/Medium | Global | High & Increasing |
Introduction: The 2025 Digital Asset Regulatory Supercycle
2025 marks the end of a multi-year effort to embed the digital asset ecosystem into the regulatory framework. It occurs when policy consultations and legislation are transformed into complex and costly rule implementations. The industry’s previous “grace period” of ambiguity has ended. Market participants now focus on executing flawlessly and managing technical details. This report analyses key risk areas from this new era, based on four global themes.
First, the EU’s Implementation Gauntlet remains the most significant compliance event of the year. The concurrent application of MiCA and DORA creates a regulatory “supercycle” that requires substantial capital and human resources in governance, technology, and skilled personnel. For many firms, this is not merely an incremental adjustment but a complete re-architecture of their operating model to meet standards similar to those in traditional finance.
Second, the landscape is characterised by Anglo-American divergence. As the EU implements its comprehensive, pan-sectoral framework, the UK is intentionally pursuing a distinct course with a bespoke, activity-based regime built upon its existing financial services architecture. Meanwhile, the United States, after years of inter-agency jurisdictional disputes, is promoting a pro-innovation agenda through targeted legislation on stablecoins and clarification of agency mandates, resulting in a unique, albeit fragmented, regulatory environment. This divergence poses significant strategic challenges for firms operating across these key markets.
Third, The Global AML/CFT Dragnet Tightens. International standard-setting bodies, notably the FATF and the influential Wolfsberg Group of global banks, are intensifying their focus on the financial crime risks endemic to virtual assets. Their updated guidance and a renewed push for implementing measures, such as the Travel Rule, are increasing the compliance burden on Virtual Asset Service Providers (VASPs) and, crucially, on the financial institutions that provide them access to the fiat monetary system.
Fourth, Frontier Risks Enter the Mainstream. Technologies once seen as niche are now central to supervisory concerns. The potential for Artificial Intelligence to increase systemic risk and for specific shocks within the DeFi ecosystem to cause contagion effects in traditional markets is currently being actively examined by the FSB, BIS, and national regulators. This marks a new frontier in risk management, where firms must look beyond immediate compliance to consider the secondary effects of technological innovation.
Part I: European Union - Navigating the Implementation Gauntlet of MiCA and DORA
The European Union’s digital finance package becomes fully enforceable in 2025, shifting from legislative documents to a real supervisory environment. This shift brings significant operational and compliance challenges for all financial firms and technology providers within the bloc. Companies face the dual task of implementing two major regulations—MiCA and DORA—simultaneously, each accompanied by a comprehensive set of detailed technical standards.
1.1 MiCA Compliance and Market Integrity Risks
MiCA establishes a consistent EU framework for crypto-assets, covering issuance, service provision, and market conduct. The finalisation and adoption of a wide range of Level 2 Regulatory and Implementing Technical Standards (RTS/ITS) during the first half of 2025 will transform MiCA’s broad principles into detailed, legally binding obligations.
Authorisation and Governance Burden
The authorisation process for a Crypto-Asset Service Provider (CASP) under MiCA is strict, mirroring standards for traditional firms. The Commission’s adoption of Implementing Regulation (EU) 2025/306 and Delegated Regulation (EU) 2025/305 in March finalises the forms and information needed for applications. Firms risk rejection or delays if they lack strong governance, effective risk management, and suitable management, as per national regulator guidelines, such as Luxembourg’s CSSF.
Firms must establish policies for conflicts of interest, as outlined in Delegated Regulations C(2025) 1216 and 2025/1142. Many crypto-native firms, focused on tech and growth rather than governance, now face the challenge of building compliance structures from scratch to interpret complex rules. This creates “compliance debt,” straining budgets and resources, and putting them at a disadvantage compared to established financial firms. This pressure may lead to market consolidation, with smaller entities exiting or merging.
Stablecoin (ART & EMT) Regime Complexity
MiCA imposes a rigorous, banking-like regulatory regime on issuers of Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs). The final Delegated Regulation on authorisation for ART issuers, adopted in June, reinforces the high barrier to market entry. Issuers face rigorous requirements for own funds, capital adequacy, and stress testing programmes, as specified in Delegated Regulation (EU) 2025/415.
Furthermore, the regulations require strong policies for managing the liquidity of reserve assets, a key element finalised in a June Delegated Regulation, and set out formal procedures for dealing with customer complaints, as detailed in Regulations (EU) 2025/293 and 2025/294. The scrutiny from the European Banking Authority (EBA) over these rules, demonstrated by its published opinions on amendments to the draft RTS, indicates that supervisors will enforce these requirements rigorously. The main risk for stablecoin issuers is underestimating the operational costs and complexities involved in complying with this prudential-grade framework.
Market Abuse and Transparency Mandates
For the first time in the EU, MiCA introduces a formal market abuse regime for crypto-assets, imposing new obligations on trading platforms. ESMA’s April report outlines supervisory expectations. CASPs operating trading venues must implement surveillance systems to detect insider dealing, unlawful disclosure, and market manipulation. Meeting this requirement means investing in specialised surveillance software and building expertise in how market abuse manifests in crypto-asset markets.
Platforms are also subject to new transparency and data management rules. Delegated Regulations (EU) 2025/416 and 2025/417, adopted in March, specify the exact content and format for order book records, as well as the presentation of transparency data to the public. The risk lies not only in the cost of implementation but also in the potential for enforcement action if data integrity and reporting standards are not met.
Cross-Border Service Provision and Reverse Solicitation
Non-EU firms, particularly those based in the UK and the US, face risks from MiCA’s strict cross-border rules. ESMA’s guidelines on reverse solicitation, published in February, clarify that this exemption is narrow: it applies only when a client initiates the service on its own, without any marketing effort by the firm. Activities such as geo-targeted advertising, participation in EU conferences, or offering language options could defeat the exemption, exposing firms that believe they are passively serving EU clients to enforcement by EU authorities for providing crypto-asset services without authorisation.
1.2 DORA and the New Paradigm of Digital Operational Resilience
Effective from January 2025, DORA establishes a binding, comprehensive ICT risk management framework for the entire EU financial sector. It goes beyond existing guidelines to create harmonised, legally enforceable rules designed to ensure firms can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
Comprehensive ICT Risk Management Framework
DORA requires a board-level approach to ICT risk management, not just an IT responsibility but a governance duty. Firms must establish resilient infrastructure and a comprehensive risk management framework that encompasses digital resilience, business continuity, and disaster recovery. The EBA’s February guidelines clarify how these standards enhance existing ones. The primary risk is that firms view DORA as merely a compliance measure, neglecting genuine resilience.
Stringent Incident Reporting
A key challenge from DORA’s strict incident rules is the need for firms to quickly detect, classify, and report ICT incidents. They must notify authorities within hours of classification and provide interim and final reports, necessitating the use of advanced 24/7 detection systems and well-rehearsed protocols. Failing to report on time or submitting inaccurate information may result in penalties.
Third-Party Risk and CTPP Oversight
The most groundbreaking element of DORA is the creation of a direct, EU-level oversight framework for Critical ICT Third-Party Providers (CTPPs). The ESAs’ publication in February of their roadmap for designating the first group of CTPPs in 2025 marks the official start of this regime. This means that major technology vendors, including global cloud service providers and data analytics firms, will be subject to direct supervision by European authorities.
While this offers added assurance, financial firms remain fully liable for managing risks associated with outsourcing. The final RTS on sub-contracting, adopted in March, emphasises this, introducing a new risk: a firm’s operations could be disrupted by its supplier’s regulatory status. If a designated CTPP has significant deficiencies, regulators can recommend or require contract suspensions or terminations. This leads to a strategic reevaluation of outsourcing, considering “regulatory diversification” and supervisory risks associated with vendors in cloud and tech strategies. This may require costly multi-cloud or multi-vendor setups solely for the purpose of mitigating regulatory risk.
Mandatory Resilience Testing (TLPT)
DORA requires continuous digital resilience testing, including advanced Threat-Led Penetration Testing (TLPT) at least every three years for major financial institutions. The final TLPT regulation, published in June, formalises these tailored, intelligence-led cyberattack simulations aligned with the TIBER-EU framework updated by the ECB in February. These tests are more than typical penetration tests; they simulate real-world cyber threats. Firms face risks such as high costs, excessive resource use, and the discovery of vulnerabilities that require urgent and costly fixes to meet supervisory standards.
Part II: United Kingdom - Forging a Bespoke Post-Brexit Crypto Regime
In 2025, the United Kingdom solidifies its distinct, post-Brexit approach to digital asset regulation. Instead of developing a single, comprehensive legislative instrument similar to the EU’s MiCA, the UK expands its existing, globally-recognised financial services framework—mainly the Financial Services and Markets Act 2000 (FSMA)—to cover specific crypto-asset activities. This phased, activity-based strategy introduces a unique set of risks and opportunities, fundamentally diverging from the European model.
2.1 Regulatory Perimeter and Authorisation Risks
The centrepiece of the UK’s regime is the near-final draft of the Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025, published by HM Treasury in April. This statutory instrument brings defined crypto-asset activities into the regulatory perimeter, requiring firms to undergo the Financial Conduct Authority’s (FCA) thorough authorisation process.
Defining “Qualifying Cryptoassets”
The entire regime depends on the new definition of “qualifying cryptoassets”, which are described as fungible and transferable, and which explicitly excludes assets that already qualify as securities, e-money, or tokenised deposits under current law. The most crucial task for any firm is accurately classifying the legal and technical aspects of the assets it handles. The risk of misclassification is high: incorrectly treating an asset as outside the regulatory scope could lead to unintentional and grave breaches of FSMA, while being overly cautious could cause unnecessary and substantial compliance costs.
New Regulated Activities
The Order introduces new “specified activities” under the Regulated Activities Order (RAO), including operating crypto-asset platforms, dealing or arranging deals in crypto-assets (including lending), and custody of crypto-assets. Any UK or overseas firm engaging in these activities related to the UK market must obtain FCA authorisation. The FCA’s consultation paper (CP25/25) from September offers the first detailed look at the rules these firms will need to follow, suggesting a complex compliance process ahead.
Territorial Scope and Overseas Firms
The UK regime’s broad scope poses risks to overseas firms, covering companies operating from the UK or providing services to UK consumers. Its extraterritorial reach creates compliance challenges, especially for platforms outside the UK, which must prove they do not intentionally target British clients. This uncertainty raises compliance and enforcement risks for non-UK firms with even a minor UK user base.
2.2 Navigating Prudential, Custody, and Staking Rules
Following the legislative groundwork laid by HM Treasury, the FCA moved swiftly in May 2025 to consult on the detailed supervisory rulebooks, revealing a demanding and prudentially sound approach to regulation.
Prudential Regime
The FCA’s consultation on a crypto-asset regime aims to enforce high financial stability standards on authorised firms, likely involving strict capital and liquidity requirements based on the existing IFPR. This poses risks for crypto-native firms with volatile assets and limited regulatory experience, potentially forcing them to raise capital, change their business models, or leave the UK market.
Custody (Safeguarding) Rules
The “safeguarding” consultation proposes applying traditional finance principles—such as separating client assets from firm assets, holding them in trust, and enforcing governance—to digital assets. While simple in concept, implementing them on a blockchain is technically complex. A letter from the FMLC to HM Treasury in May highlights legal uncertainties surrounding digital asset property rights and insolvency, indicating that firms and regulators face significant challenges. Firms must demonstrate to the FCA that their technical protections are comparable to those for traditional assets.
Staking and DeFi Regulation
The FCA’s May discussion paper on staking, lending, and DeFi shows a regulator struggling to adapt established principles to new markets. Although January legislation clarified that staking services are not automatically Collective Investment Schemes, the FCA remains focused on conduct and consumer protection. The concern is that the FCA might apply existing rules—on client assets, disclosures, and suitability—to decentralised protocols or staking models in impractical ways. This could hinder UK innovation or prompt activities to move offshore to less regulated jurisdictions.
The mismatch between the UK’s common law-based, activity-focused regulation and the EU’s civil law MiCA creates a costly compliance challenge for global firms. These firms must run separate compliance programmes, interpreting asset definitions differently, maintaining separate reporting pipelines to FCA and EU authorities, and performing varying prudential calculations. This increases operational costs and complexity, forcing firms to make strategic choices about where to domicile business lines, potentially fragmenting their European operations not by commercial need, but to minimise regulatory friction.
Part III: United States - The Quest for Clarity Amidst Legislative and Agency Action
The regulatory landscape in the United States during 2025 is shaped by a compelling dual narrative: a historic legislative breakthrough bringing clarity to stablecoins, contrasted with ongoing and strategically important ambiguity for the broader digital asset market. This creates a complex environment where some risks are being clearly reduced, while others remain significant.
3.1 Stablecoin Regulation and the GENIUS Act
The enactment of the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act in July 2025 marks a significant milestone, creating the first comprehensive federal regulatory framework for payment stablecoins and integrating a key part of the cryptocurrency ecosystem into the mainstream financial system.
Federal Framework and Issuer Requirements
The GENIUS Act establishes a straightforward approval process for “permitted payment stablecoin issuers” (PPSIs), while also enforcing strict, bank-like compliance rules. Issuers must hold 100% of reserves in cash or U.S. Treasury securities and provide monthly, verified disclosures of reserve composition. It also bans issuers from claiming their stablecoins are backed by the U.S. government or are legal tender. Many stablecoin issuers are concerned about the high costs and operational challenges associated with updating their systems to meet these standards, which may require substantial capital investments and system overhauls.
Combating Illicit Finance
A key element of the GENIUS Act is strengthening the U.S. Treasury Department’s authority to address the use of stablecoins in illegal finance. The legislation requires that all PPSIs must have the technical capacity to seize, freeze, or otherwise block transactions involving their stablecoins when served with a lawful order from a competent authority. This introduces considerable technological and compliance risks. Issuers must not only develop and maintain these functionalities securely and reliably but also establish robust internal procedures to verify and execute such orders promptly, while managing the associated legal and operational risks.
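The paragraph above describes a capability, not a design. The following is an added illustration written for this page, not code from the report or from any issuer, of what an issuer-side control of that kind looks like when the execution path is gated on order verification and an audit trail: a toy ledger whose transfers are blocked for frozen accounts, and an apply_order routine that checks signature, replay and expiry before acting. The GENIUS Act prescribes no particular mechanism; the HMAC “order signature” stands in for whatever authenticated channel the issuer and the authority would actually agree (a real deployment would use an asymmetric signature held by the authority), and the account ids, key and amounts are constructed.

```python
"""Issuer-side freeze/seize controls gated by a verified lawful order.

Added illustration; not the report's material and not a prescribed design.
The HMAC over a canonical JSON encoding is an assumption standing in for an
authenticated order channel. Account ids, key and amounts are constructed.
"""
import hashlib
import hmac
import json


class FrozenAccountError(Exception):
    """Raised when a transfer touches a frozen account."""


class InvalidOrderError(Exception):
    """Raised when an order fails verification, is expired or is replayed."""


def canonical(order: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(key: bytes, order: dict) -> str:
    """Stand-in for the authority's signature over the order (assumption)."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


class StablecoinLedger:
    def __init__(self, authority_key: bytes):
        self._key = authority_key
        self.balances = {}
        self.frozen = set()
        self.seen_orders = set()
        self.audit = []  # append-only record of every order applied

    def mint(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        """Ordinary transfer; refused if either side is frozen."""
        if src in self.frozen or dst in self.frozen:
            raise FrozenAccountError(f"{src}->{dst} involves a frozen account")
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def apply_order(self, order: dict, signature: str, now: int) -> dict:
        """Verify, then execute, a freeze/unfreeze/seize order.

        Checks, in order: signature, replay (order_id seen before), expiry,
        and a known action. Every applied order is written to the audit log.
        """
        expected = sign_order(self._key, order)
        if not hmac.compare_digest(expected, signature):
            raise InvalidOrderError("signature does not verify")
        if order["order_id"] in self.seen_orders:
            raise InvalidOrderError("order already applied (replay)")
        if now > order["expires_at"]:
            raise InvalidOrderError("order expired")
        action, account = order["action"], order["account"]
        if action == "freeze":
            self.frozen.add(account)
        elif action == "unfreeze":
            self.frozen.discard(account)
        elif action == "seize":
            # Move the full balance to the custodian named in the order.
            amount = self.balances.get(account, 0)
            self.balances[account] = 0
            custodian = order["custodian"]
            self.balances[custodian] = self.balances.get(custodian, 0) + amount
        else:
            raise InvalidOrderError(f"unknown action {action!r}")
        self.seen_orders.add(order["order_id"])
        entry = {"order_id": order["order_id"], "action": action,
                 "account": account, "applied_at": now}
        self.audit.append(entry)
        return entry


def demo() -> dict:
    """Walk through a freeze, a blocked transfer and a seizure (constructed)."""
    key = b"constructed-shared-key-for-example-only"
    ledger = StablecoinLedger(key)
    ledger.mint("acct-suspect", 1_000)
    ledger.mint("acct-other", 50)
    freeze = {"order_id": "ORD-1", "action": "freeze",
              "account": "acct-suspect", "expires_at": 2_000}
    ledger.apply_order(freeze, sign_order(key, freeze), now=1_000)
    blocked = False
    try:
        ledger.transfer("acct-suspect", "acct-other", 10)
    except FrozenAccountError:
        blocked = True
    seize = {"order_id": "ORD-2", "action": "seize", "account": "acct-suspect",
             "custodian": "acct-custodian", "expires_at": 2_000}
    ledger.apply_order(seize, sign_order(key, seize), now=1_100)
    return {"blocked": blocked, "balances": dict(ledger.balances),
            "audit_len": len(ledger.audit)}


if __name__ == "__main__":
    print(demo())
```

The point of the ordering in apply_order is that the expensive, irreversible action (moving funds) happens only after the cheap rejections; a tampered order fails on the signature, a re-sent order fails on replay, and a stale order fails on expiry, each leaving the ledger untouched.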
State vs. Federal Alignment
The Act aims to establish a harmonised national standard by aligning federal and state-level stablecoin regulations. However, a residual risk persists due to the significant influence of state regulators, particularly the New York Department of Financial Services (NYDFS), which maintains its own well-established virtual currency regime. The possibility of conflicting interpretations or states imposing additional “gold-plated” requirements beyond the federal baseline could lead to a complex and costly multi-layered compliance environment for issuers operating nationwide.
3.2 Asset Classification and Jurisdictional Ambiguity (SEC vs. CFTC)
While the GENIUS Act clarifies the status of stablecoins, the fundamental and longstanding question of whether most other digital assets are securities (under the jurisdiction of the Securities and Exchange Commission) or commodities (regulated by the Commodity Futures Trading Commission) remains unresolved, perpetuating significant legal and business risks.
Legislative Efforts (CLARITY Act)
Legislative efforts in 2025 gained momentum, with the House passing the CLARITY Act to define ‘digital commodities’ and the Senate working on the RFIA through a bipartisan effort. Until a final law is enacted, the primary industry risk remains ‘regulation by enforcement,’ where agencies use litigation to define rules.
Evolving Agency Stances
In 2025, regulatory agencies underwent significant shifts in communication and operations. The SEC’s ‘Project Crypto’ and the SEC-CFTC ‘Crypto Sprint’ in August aimed to update rules and encourage innovation, signalling a move away from purely adversarial tactics. A September joint statement clarified that registered exchanges are not barred from listing specific spot crypto-asset products, easing market growth barriers. However, guidance from agencies, such as SEC staff statements on liquid staking and meme coins, remains non-binding opinion, leaving room for future leadership to overturn these positions.
The “Howey Test” Lingers
The primary legal risk for token issuers, trading platforms, and investors remains the decades-old Howey test and its unpredictable application to digital assets. While legislative initiatives like the CLARITY Act aim to establish new classifications, any token offering that could be regarded as an “investment contract” stays firmly within the SEC’s jurisdiction, posing significant risks of securities law breaches, including registration and disclosure issues.
This dual-track development—clarity for stablecoins and ongoing ambiguity for all other assets—is causing a strategic shift in the U.S. digital asset market. A
Part IV: Global Financial Crime and Prudential Standards
Transcending regional regulatory developments is part of the ongoing and growing global effort against financial crime. For firms in the digital asset sector, compliance with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) standards is not just a regulatory duty but a vital operational requirement. Failure in this area poses a fundamental threat, risking loss of banking access and exclusion from the global financial system.
4.1 FATF Standards and AML/CFT Compliance Gaps
The Financial Action Task Force (FATF), as the global standard-setter for AML/CFT, continues to exert significant influence over national regulatory policies. Its focus in 2025 has been on assessing and driving the implementation of its standards for virtual assets (VAs) and Virtual Asset Service Providers (VASPs).
Persistent Implementation Failures
FATF’s June 2025 update highlighted that global VASP standards remain “relatively poor,” risking geographic security. Firms in or dealing with non-compliant or weak jurisdictions will face more scrutiny, stricter due diligence, and possible de-risking. Lack of a level playing field fosters regulatory arbitrage, allowing criminals to exploit gaps, and firms in high-risk areas face reputational and operational risks.
The “Travel Rule” Challenge
FATF Recommendation 16, or the “Travel Rule,” requires VASPs to collect, retain, and transmit originator and beneficiary details during virtual asset transfers. This is a significant technical and operational challenge. While 99 jurisdictions have enacted or plan to enact laws to enforce it, the absence of a universal technical solution and inconsistent enforcement create a fragmented landscape. This poses ongoing compliance risks for VASPs in cross-border transactions, who must navigate multiple protocols and meet differing jurisdictional requirements.
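To make the “differing jurisdictional requirements” concrete, here is an added example written for this page (not code from the report, and not an implementation of any real Travel Rule messaging protocol) of a pre-transfer check a VASP might run: each jurisdiction is modelled as a policy with a threshold and the originator/beneficiary fields it demands, the check takes the stricter union of the originating and receiving sides’ policies, holds the transfer if anything is missing, and otherwise builds a payload containing only the fields actually required. The jurisdiction codes “A” and “B”, the thresholds, the field names and the sample transfer are all constructed assumptions.

```python
"""Pre-transfer Travel Rule check for a VASP.

Added illustration; not the report's material and not a real Travel Rule
protocol. Jurisdiction codes, thresholds, field names and the sample
transfer are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TravelRulePolicy:
    """What one jurisdiction demands for a transfer (assumed values)."""
    jurisdiction: str
    threshold_usd: float          # transfers at or above this carry the data
    originator_fields: tuple
    beneficiary_fields: tuple


# Constructed policies: the differing field sets and thresholds stand in for
# the differing jurisdictional requirements the report refers to.
POLICIES = {
    "A": TravelRulePolicy("A", 1000.0,
                          ("name", "wallet_address", "account_id"),
                          ("name", "wallet_address")),
    "B": TravelRulePolicy("B", 0.0,
                          ("name", "wallet_address", "physical_address"),
                          ("name", "wallet_address")),
}


def required_fields(amount_usd, origin_jur, dest_jur):
    """Union of the fields demanded by every policy whose threshold is met.

    Applying both VASPs' jurisdictions and taking the stricter union is an
    assumption of this example, not a rule stated in the report.
    """
    originator, beneficiary = set(), set()
    for policy in (POLICIES[origin_jur], POLICIES[dest_jur]):
        if amount_usd >= policy.threshold_usd:
            originator.update(policy.originator_fields)
            beneficiary.update(policy.beneficiary_fields)
    return sorted(originator), sorted(beneficiary)


def check_transfer(transfer, origin_jur, dest_jur):
    """Decide whether a transfer may be released and list any missing data."""
    need_orig, need_benef = required_fields(transfer["amount_usd"],
                                            origin_jur, dest_jur)
    if not need_orig and not need_benef:
        return {"in_scope": False, "allowed": True, "missing": {}}
    orig = transfer.get("originator", {})
    benef = transfer.get("beneficiary", {})
    missing = {
        "originator": [f for f in need_orig if not orig.get(f)],
        "beneficiary": [f for f in need_benef if not benef.get(f)],
    }
    allowed = not missing["originator"] and not missing["beneficiary"]
    return {"in_scope": True, "allowed": allowed, "missing": missing}


def travel_rule_payload(transfer, origin_jur, dest_jur):
    """Build the data to transmit to the counterparty VASP.

    Only the required fields are included (data minimisation). Returns None
    for out-of-scope transfers and raises ValueError if the transfer is held.
    """
    verdict = check_transfer(transfer, origin_jur, dest_jur)
    if not verdict["allowed"]:
        raise ValueError(f"transfer held, missing: {verdict['missing']}")
    if not verdict["in_scope"]:
        return None
    need_orig, need_benef = required_fields(transfer["amount_usd"],
                                            origin_jur, dest_jur)
    return {
        "amount_usd": transfer["amount_usd"],
        "originator": {f: transfer["originator"][f] for f in need_orig},
        "beneficiary": {f: transfer["beneficiary"][f] for f in need_benef},
    }


# Constructed sample transfer: complete under jurisdiction A's policy, but
# lacking the originator physical address that jurisdiction B requires.
SAMPLE_TRANSFER = {
    "amount_usd": 1500.0,
    "originator": {"name": "Ann Example", "wallet_address": "addr-orig-1",
                   "account_id": "ACC-0001"},
    "beneficiary": {"name": "Bob Example", "wallet_address": "addr-benef-1"},
}

if __name__ == "__main__":
    print(check_transfer(SAMPLE_TRANSFER, "A", "A"))
    print(check_transfer(SAMPLE_TRANSFER, "A", "B"))
```

Running the two checks in the `__main__` block shows the practical consequence: the same transfer releases when both VASPs sit in jurisdiction A and is held when the beneficiary VASP sits in jurisdiction B, purely because B’s policy demands an extra field and has no threshold.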
Focus on Stablecoins and Illicit Finance
The June 2025 FATF update explicitly highlighted the growing use of stablecoins by various illicit actors, including state-sponsored groups like the DPRK, terrorist financiers, and narcotics traffickers. The report indicates that most on-chain illicit activity now involves stablecoins. This increased supervisory attention means that stablecoin issuers, along with exchanges and other VASPs facilitating substantial stablecoin volumes, will face greater scrutiny of their transaction monitoring systems, sanctions screening procedures, and their ability to detect and report suspicious activity related to stablecoin transactions.
4.2 De-risking and Banking Access for the Crypto Sector
For nearly every digital asset firm, gaining and maintaining stable, reliable banking relationships is a critical strategic risk. The actions of global standard-setters and banking industry groups in 2025 are shaping this landscape, creating both potential pathways and significant hurdles.
Wolfsberg Group Guidance as a Double-Edged Sword
The Wolfsberg Group’s September guidance marked a key milestone, providing a roadmap for banks to engage with well-regulated cryptocurrency firms. It sets high standards for due diligence, recommending comprehensive questionnaires and detailed assessments of governance, compliance, and technology, including on-chain analytics. While it may help legitimise banking for top-tier issuers, it could also lead to de-risking smaller, less transparent firms.
FATF Pressure and De-risking
The direct pressure from FATF on its member countries to properly license and supervise their domestic VASP sectors has an apparent knock-on effect on banking access. Banks operating in well-regulated jurisdictions are increasingly reluctant to bear the compliance risk of providing services to, or processing transactions for, VASPs domiciled in countries with weak or non-existent AML/CFT regimes. This dynamic exacerbates the global de-risking trend, creating significant operational continuity risks for VASPs in emerging markets or jurisdictions that are slow to implement FATF standards.
The convergence of pressures from the FATF, the Wolfsberg Group, and US regulators, such as those enforcing the GENIUS Act, is transforming financial crime compliance in digital assets. Compliance shifts from paper-based processes to on-chain compliance, where firms must invest in blockchain analytics, real-time transaction monitoring, and verifiable on-chain controls. This creates new barriers and accelerates industry professionalisation, making a firm’s compliance technology as vital as its trading technology.
Part V: Frontier Risks - AI, DeFi, and Tokenisation
As the regulatory frameworks for established crypto-assets become more defined, regulators are shifting their focus to emerging technological areas. In 2025, Artificial Intelligence, Decentralised Finance, and the tokenisation of real-world assets have moved from the fringes of regulatory interest to the forefront, recognised as potential sources of new and complex risks to financial stability.
5.1 Artificial Intelligence: Financial Stability and Model Risk
The rapid proliferation and adoption of AI, including Generative AI (GenAI) and Large Language Models (LLMs), have prompted systemic risk bodies to conduct urgent assessments of their potential impact on the global financial system.
Systemic Risk Amplification
The Financial Stability Board’s seminal report on the financial stability implications of AI, first published in late 2024 and a key reference point throughout 2025, identified several critical channels through which AI could amplify systemic risk. These risk vectors include:
Third-Party and Concentration Risk: The financial sector’s increasing reliance on a small number of dominant, non-financial technology firms for foundational AI models, cloud computing power, and specialised hardware creates a systemic single-point-of-failure risk. A disruption at one of these critical providers could have cascading effects across the financial system.
Market Correlations and Herding: The widespread adoption of similar AI models or datasets for trading, risk management, and asset allocation could lead to unintentional herding behaviour and increased market correlation, particularly during periods of stress, amplifying shocks and exacerbating market volatility.
Cyber Vulnerabilities: AI presents a dual cyber risk. Malicious actors can use it to create more sophisticated, adaptive, and scalable cyberattacks, such as deepfake-driven fraud or AI-powered phishing campaigns. Simultaneously, the deployment of AI systems within firms creates new and complex attack surfaces that could be exploited.
Model Risk: The inherent complexity and “black box” nature of many advanced AI models pose a profound challenge to traditional model risk management frameworks. The lack of explainability and transparency makes it difficult for firms and supervisors to validate model outputs, understand their limitations, and govern their use effectively, increasing the risk of unforeseen and significant financial losses.
Operational and Governance Risks
Analyses from the Bank of England and the Bank for International Settlements throughout 2025 have reinforced these concerns, emphasising the need for robust governance. The primary risk for firms is the temptation to deploy powerful AI tools without a corresponding and commensurate uplift in their model risk management frameworks, data governance processes, ethical guidelines, and cybersecurity controls. A failure to manage these operational risks could lead not only to significant financial losses and regulatory penalties but also to severe reputational damage and a loss of client trust.
5.2 Decentralised Finance (DeFi): Contagion and Regulatory Scrutiny
International bodies are no longer viewing DeFi as a self-contained crypto-to-crypto ecosystem. Instead, they are increasingly focused on the risks inherent within DeFi protocols and the growing potential for those risks to spill over into the traditional financial system.
Inherent Vulnerabilities
Reports from the International Organisation of Securities Commissions (IOSCO) and the BIS have catalogued the unique vulnerabilities of the DeFi ecosystem. Key risks include:
Smart Contract Risk: The risk of bugs, flaws, or exploits in the underlying code of a DeFi protocol, which, due to the immutable nature of blockchains, can lead to the immediate and irreversible loss of all user funds.
Oracle and Data Feed Manipulation: Many DeFi protocols rely on external data feeds, known as oracles, to determine asset prices for lending, liquidation, and other functions. The manipulation of these oracles is a known attack vector that can be used to drain funds from a protocol.
Governance Failures: While touting decentralisation, many protocols are governed by holders of specific tokens. Opaque governance processes or highly concentrated holdings of these tokens can lead to manipulation or self-serving decisions that harm users.
The “Decentralisation Illusion”: A critical analysis by the BIS notes that many protocols claiming to be decentralised actually have significant points of centralised control, such as “admin keys” that allow developers to alter the protocol’s parameters. This lack of transparency creates risks for users who may believe they are interacting with a fully autonomous system.
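The oracle risk described above is easiest to see in code. The following is an added illustration, not code from the report or from any named protocol: a defensive price aggregator that combines several independent feeds with a median, a staleness bound and a deviation bound, so that one manipulated feed cannot by itself trigger a liquidation. All feed names, prices and position sizes are constructed for the example.

```python
"""Added example (not from the report): a defensive price-oracle aggregator.

A lending protocol that liquidates on a single spot feed can be drained by
moving that one feed. Aggregating several independent feeds with a median,
a per-feed staleness bound and a deviation bound against the last accepted
price makes a lone manipulated feed ineffective, and a large jump across
all feeds halts automatic liquidation pending review.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class FeedSample:
    source: str      # hypothetical feed name (constructed)
    price: float     # quoted price of the collateral asset
    timestamp: int   # unix seconds at which the quote was produced


def aggregate_price(samples, now, last_price, max_age=60, max_dev=0.10):
    """Return an accepted price, or None when no trustworthy price exists.

    - drops samples older than max_age seconds (stale feeds)
    - requires a quorum of three fresh feeds
    - takes the median, so a minority of outliers cannot move the result
    - rejects a candidate that deviates from last_price by more than max_dev,
      forcing manual review instead of an automatic liquidation
    """
    fresh = [s.price for s in samples if now - s.timestamp <= max_age]
    if len(fresh) < 3:
        return None
    candidate = median(fresh)
    if last_price and abs(candidate - last_price) / last_price > max_dev:
        return None
    return candidate


def should_liquidate(collateral_units, debt, price, ltv_limit=0.8):
    """Liquidatable when debt exceeds ltv_limit of the collateral's value."""
    if price is None:
        return False  # no trusted price: never auto-liquidate
    return debt > ltv_limit * collateral_units * price


if __name__ == "__main__":
    now = 1_700_000_000
    honest = [FeedSample("feedA", 100.0, now - 5), FeedSample("feedB", 101.0, now - 10),
              FeedSample("feedC", 99.0, now - 2)]
    manipulated = FeedSample("dexSpot", 40.0, now - 1)  # one feed pushed down
    agg = aggregate_price(honest + [manipulated], now, last_price=100.0)
    print("aggregated:", agg, "liquidate:", should_liquidate(10, 700.0, agg))
    print("single feed liquidate:", should_liquidate(10, 700.0, manipulated.price))
```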
Regulatory Approach
The primary challenge for regulators is identifying a “responsible person” or legal entity to hold accountable in a supposedly decentralised system. The emerging consensus among regulators is to “look through” the claims of decentralisation to identify the individuals or groups who exercise effective control over a protocol, whether through code development, governance rights, or control of key infrastructure. The risk for DeFi developers, founders, and major token holders is that they will increasingly be held legally and financially responsible for protocol failures, illicit use, and non-compliance with financial regulations.
5.3 Tokenisation of Real-World Assets (RWAs)
The tokenisation of traditional financial and real-world assets—from Treasury bills and corporate bonds to real estate and private equity—is a dominant theme in 2025. Reports from the IMF, OECD, and significant industry players highlight its immense potential to improve efficiency and liquidity, as well as its inherent risks.
Operational and Legal Risks
While tokenisation promises to streamline post-trade processes and enable fractional ownership, it introduces new and complex risks. These include ensuring the legal finality of transactions conducted on a blockchain, creating robust mechanisms to link the digital token to the underlying off-chain asset, and managing the technical risks of smart contracts that govern the ownership and transfer of these assets.
Interoperability and Standards
A significant risk to the growth of tokenised markets is the current lack of universal technical and legal standards. This creates a fragmented landscape where a token representing a share of a corporate bond on one proprietary blockchain platform may not be easily transferable, recognisable, or usable as collateral on another. This lack of interoperability risks creating new systemic silos, thereby limiting the very liquidity benefits that tokenisation is intended to provide.
The convergence of frontier technologies creates complex contagion channels. Regulators no longer see DeFi as an isolated “crypto casino.” The use of tokenised real-world assets, such as U.S. Treasury bills, as collateral in DeFi creates a direct link between the two financial spheres. A failure in a DeFi protocol, such as a smart contract exploit or oracle manipulation, could trigger automated liquidations of billions in tokenised traditional assets, causing price disruptions and liquidity shocks that spill into conventional markets and financial institutions. As a result, supervisors will scrutinise not just banks’ direct crypto holdings but also their indirect exposures to DeFi, presenting new challenges for institutional risk management.
Part VI: Strategic Outlook - The Impact of Central Bank Digital Currencies
The steady and deliberate progress by the world’s major central banks on Central Bank Digital Currencies (CBDCs) represents a long-term, structural shift for the financial landscape. While a full-scale retail CBDC launch in a major economy is not imminent in 2025, the design choices and pilot projects undertaken during the year will create significant strategic risks and competitive challenges for incumbent financial players, stablecoin issuers, and the broader digital asset ecosystem.
Reshaping the Competitive Landscape
The ongoing work by the European Central Bank on a Digital Euro and the Bank of England on a “Digital Pound” poses a significant long-term strategic threat to the business models of commercial banks and private stablecoin issuers. A widely accessible, interest-bearing retail CBDC could directly compete with commercial bank deposits, potentially causing a structural decline in a crucial source of low-cost funding for banks and affecting their lending capacity. For private issuers of fiat-backed stablecoins, a CBDC represents the ultimate competitor: a risk-free, direct liability of the central bank. The main strategic risk for these private companies is long-term disintermediation.
Privacy vs. Programmability Trade-Off
The design of any CBDC involves a key trade-off between user privacy and the effectiveness of policy tools; the emphasis central banks place on Privacy-Enhancing Technologies (PETs) reflects this challenge. A CBDC with strong anonymity may gain public trust but offer limited policy benefits, while one with high traceability could enable new policy tools but face public and political resistance, as seen with the “CBDC Anti-Surveillance State Act” in the US. The success of any CBDC depends on how central banks and lawmakers balance privacy and control, creating risks that private firms must monitor.
Interoperability with the Digital Asset Ecosystem
A key uncertainty for the digital asset industry is whether future CBDCs will be closed “walled gardens” or open platforms that interoperate with public blockchains and tokenised assets. The Eurosystem’s effort to expand DLT-based settlement shows central banks are exploring how to connect with tokenisation. A CBDC used as a seamless, risk-free settlement asset in regulated markets could boost the growth of the sector. Alternatively, a closed system might fragment digital finance and limit innovation. This design choice is crucial for those preparing for a tokenised future.
Conclusion and Consolidated Risk Outlook
The year 2025 will be remembered as the year of significant regulatory implementation. The digital asset market has definitively transitioned from an unregulated frontier to a complex, multi-jurisdictional, and demanding regulatory environment. The analysis presented in this report indicates that the most critical risks facing firms are no longer market or credit risks in the traditional sense, but are instead overwhelmingly concentrated in the domains of regulatory compliance, operational resilience, and strategic adaptation.
Strong, tech-driven compliance and risk management are critical for success. In the EU, detailed MiCA and DORA standards pose a threat to firms with weak governance. The UK and US must bridge their regulatory gaps with adaptable legal and operational strategies. Globally, FATF and banking pressure make on-chain analytics essential for participation in the economy.
Simultaneously, the horizon of risk is expanding. The integration of AI into core financial processes and the growing connections between DeFi and traditional finance are no longer theoretical concerns; they are practical realities, and global supervisors now recognise them as potential vectors for systemic risk. This requires a forward-looking approach to risk management that anticipates and models the second-order effects of technological innovation.
Moving forward, firms must adopt a strategic posture that transcends a reactive, check-the-box approach to compliance. The market leaders in this new era will be those who:
Invest in Integrated Risk Frameworks: Treat compliance, operational resilience, and technology risk not as discrete silos, but as interconnected components of a single, enterprise-wide risk management function.
Embrace “Compliance Tech”: Deploy sophisticated technological solutions for market surveillance, transaction monitoring, on-chain analytics, and regulatory reporting to manage the complexity and scale of the new rulebooks efficiently.
Develop Strategic Agility: Architect operating models that are flexible enough to adapt to the diverging regulatory requirements of key jurisdictions, making informed choices about where to locate specific activities and how to structure legal entities to optimise for both commercial and regulatory outcomes.
Engage in Proactive Horizon Scanning: Establish dedicated functions to monitor and analyse emerging risks from frontier technologies, such as AI and DeFi, as well as the long-term strategic shifts heralded by the development of CBDCs.
The regulatory supercycle of 2025 presents a formidable challenge, but also a significant opportunity. It will catalyse a maturation of the digital asset industry, forcing a professionalisation of standards and practices. The firms that successfully navigate this implementation wave will emerge not only compliant but also more resilient, more trusted, and better positioned to capture the immense opportunities of the next phase of digital finance.
#DigitalAssets #CryptoRegulation #MiCA #DORA #Fintech #Compliance #RiskManagement #FATF #RegTech #FinancialServices #DeFi #AI #2025