Regulators Tighten the Net: Surveillance, AI, & Individual Accountability
The first half of 2025 has been a period of regulatory anticipation and change, with firms aligning policies and procedures to major frameworks in Europe, and the arrival of a new Administration in the US. August has marked a turning point. Regulators across jurisdictions are shifting gears, making clear that expectations are no longer theoretical or future-facing. The focus now is on how firms are operationalising compliance across critical domains. From the FCA’s review of off-channel communication controls to the EU’s formalisation of crypto market abuse standards under MiCA, the message is consistent: policies must be embedded, tools must be tested, and governance must be demonstrable. Regulatory attention is gravitating toward the interface between people, systems, and data—not just the presence of policy, but the effectiveness of its implementation at every level, from boardrooms to back offices.
In parallel, the conversation around AI in financial services is maturing. What once focused on potential has now moved to practical governance, with firms expected to show not just innovation, but auditability, accountability, and risk awareness in their use of AI and advanced analytics.
Even where formal rules have yet to change, supervisory tone has sharpened. Regulatory bodies are heightening scrutiny on whether firms can withstand operational disruptions, supervise third-party service providers, and demonstrate control over every channel of communication and data exchange.
In short, August 2025 signals a regulatory pivot. Compliance is no longer about horizon scanning—it's about proving that internal systems are built to perform under pressure, and that regulatory expectations have made the leap from guidance to ground-level accountability.
What to Expect in September
Looking ahead to September, firms should brace for a period of intensified regulatory implementation and audit-readiness. With the MiCA market abuse RTS entering into force on 9 September, crypto platforms and related service providers will need to demonstrate live surveillance capabilities and cross-border reporting readiness. Additionally, as DORA technical standards solidify, we expect national regulators to begin issuing more targeted guidance on ICT resilience testing, third-party oversight, and incident reporting frameworks.
At the same time, we have also noticed a decisive shift by regulators towards individual accountability, one that is likely to continue. Regulators are making it clear that personal integrity and professional conduct are no longer soft issues, but central pillars of supervisory agendas. From FINRA’s individual fines to the FCA’s £1 million penalty and ban of a CEO, the message is consistent: while firms may, at first glance, benefit from a lighter touch on broad regulatory burden, individual misconduct will face heightened scrutiny and personal consequences. Taken together, these developments suggest that September will be a proving ground—not only for firms to operationalise policy frameworks, but also for leaders and staff to demonstrate accountability in conduct and culture. Compliance in the months ahead will be measured not just by whether policies exist, but by how well firms and individuals alike live up to them in the face of market realities.