10 Major Financial Regulations Reshaping Capital Markets in 2025 (and How to Stay Ahead of Them)

From sweeping reforms in operational resilience and AI governance to the first-time application of AML obligations to buy-side firms, the scope and depth of regulatory change show no sign of slowing down in 2025.
In this post, we present a selection of the most strategically significant regulations coming into effect or having significant impact on compliance functions this year. Each regulation was chosen based on its impact on compliance strategy, governance frameworks, or the adoption of enabling technologies.
Additional weight was given to measures that introduce new oversight for artificial intelligence (AI) or third-party technology dependencies. Whether you’re deep in implementation planning or pressure-testing your regulatory change roadmap, this list offers a grounded view of what to expect in the year ahead for global firms.
1. Digital Operational Resilience Act (DORA) – EU
Effective Date: 17 January 2025
The EU’s Digital Operational Resilience Act (DORA) introduces uniform requirements for financial firms and their information and communications technology (ICT) providers to ensure resilience against digital disruptions. Covering nearly all capital markets firms (including investment advisors, asset managers, and broker-dealers), DORA mandates robust ICT risk management frameworks, incident reporting mechanisms, digital resilience testing, and rigorous oversight of third-party ICT providers.
From a governance perspective, firms must establish clear accountability structures, with executive-level ownership of operational resilience policies. On the workflow and data side, DORA requires comprehensive asset mapping and real-time monitoring of digital infrastructures. The technology impact is especially significant: firms need to implement continuous testing capabilities, real-time alerting systems, and centralized ICT incident management protocols. DORA also places emphasis on contractual and operational oversight of third-party vendors, many of whom may now be subject to direct regulatory supervision. Firms must also report major ICT incidents within set timelines (initial, intermediate, and final reports).
To prepare, capital markets firms should conduct a full gap analysis against DORA requirements, prioritize critical service mapping, and ensure they can evidence operational resilience to regulators. They should also audit ICT outsourcing contracts, evaluate third-party dependencies, and invest in platforms that support resilience testing and integrated incident response. Senior management and boards must be engaged to drive a resilience-by-design strategy that integrates compliance, risk, and IT functions.
2. EU Artificial Intelligence Act (AI Act)
Effective Compliance Dates: 2 February 2025 (initial obligations); 1 August 2025 (general-purpose AI models)
The EU AI Act is the first comprehensive regulatory framework for artificial intelligence, categorizing AI systems based on risk and imposing strict governance requirements for high-risk and general-purpose AI models. Capital markets firms—especially those using AI for algorithmic trading, portfolio optimization, and client targeting—will face new compliance hurdles.
Governance implications are extensive. Firms must designate responsible persons for AI compliance, conduct risk and bias assessments, and ensure human oversight in decision-making. Workflow and data practices will need to change: only high-quality, non-discriminatory datasets should be used for training, and explainability and transparency measures must be embedded. Technologically, firms may need to reengineer or retire legacy AI models and adopt model risk management tools to meet these new obligations. Foundation model providers such as those from AWS and Microsoft face more stringent obligations under Article 52 and Annex XIII.
Firms should immediately assess their AI inventories and categorize systems under the Act’s risk-tier classification—prohibited, high-risk, limited-risk, minimal-risk. Compliance will require collaboration across legal, compliance, data science, and IT teams. Firms should be considering AI governance committees, updating documentation and controls, and implementing training programmes for business and compliance staff. The 2025 deadlines are a strategic call to action—capital markets firms that get ahead will strengthen both regulatory trust and customer confidence.
3. UK Operational Resilience Rules
Effective Compliance Date: 31 March 2025
The UK’s Operational Resilience framework requires financial services firms—including wealth managers, broker-dealers, and asset managers—to demonstrate that they can remain within predefined impact tolerances during severe disruptions to critical business services. The March 2025 deadline marks the end of the transition period.
Governance changes include senior executive responsibility for defining and maintaining operational resilience strategy. Workflows must evolve to include ongoing scenario testing, mapping of dependencies, and real-time impact analysis. From a technology standpoint, monitoring tools, including automated recovery solutions and digital dashboards to track and report resilience metrics, should be in scope.
Firms should finalize their resilience playbooks, complete end-to-end testing for each important business service, and document lessons learned. Third-party and supply chain risk management should be elevated, and boards should regularly review resilience frameworks and validate whether recovery objectives align with regulatory expectations. Firms must have mapped important business services, defined impact tolerances, and tested their ability to stay within them under severe but plausible scenarios. The focus now shifts from planning to execution.
4. SEC Cybersecurity Risk Management Rule
Effective Compliance Date: December 2025 (for large entities)
In February, the SEC announced the creation of the Cyber and Emerging Technologies Unit (CETU) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space. The CETU, led by Laura D’Allaird, replaces the Crypto Assets and Cyber Unit and is comprised of approximately 30 fraud specialists and attorneys across multiple SEC offices.
The final Cybersecurity Risk Management Rule (adopted July 2023) under the Investment Advisers Act and Investment Company Act requires large advisers to comply by July 15, 2025.
From a governance perspective, this introduces board-level accountability for data protection. Workflows must accommodate breach identification, internal escalation, and timely external reporting. Data architecture will need retooling to ensure segmentation, monitoring, and access controls. Firms will also need to conduct third-party cybersecurity assessments on vendors handling sensitive information.
To prepare, firms must revise privacy policies, formalize their incident response plans, and conduct tabletop exercises simulating cyber breaches. Vendor oversight programs should be strengthened to align with new due diligence expectations. Cybersecurity needs to become a cross-functional compliance issue—not just a tech one.
5. Basel III Final Reforms (Basel 3.1 / FRTB)
Effective Compliance Date: 1 January 2025 (EU and international rollout; phase-in continues through 2026)
The Basel III final reforms, often referred to as Basel 3.1, represent a sweeping overhaul of global capital standards. The changes, especially the Fundamental Review of the Trading Book (FRTB), will impact banks with large trading operations, requiring updates to risk models, governance frameworks, and capital optimization strategies.
Governance must be adapted to meet higher standards for model approval, validation, and oversight. Workflow changes involve restructured desk-level capital planning and expanded data requirements for risk factors. Technologically, firms must invest in scalable risk engines, real-time analytics, and model performance monitoring tools.
To prepare, firms should finalize their FRTB implementation strategies, complete internal model validation exercises, and integrate revised standardized approaches where necessary. Capital efficiency must be balanced with regulatory compliance, making advanced modelling and RegTech platforms central to execution.
6. FinCEN AML Rule for Investment Advisers (US)
Effective Compliance Date: 1 January 2026 (firms must prepare in 2025)
For the first time, investment advisers and exempt reporting advisers in the U.S. will be brought under AML obligations. This rule requires these firms to develop and maintain risk-based AML/CFT programs, file Suspicious Activity Reports (SARs), and conduct customer due diligence.
Governance and compliance functions must be expanded to include designated AML compliance officers and board oversight of AML policies. Workflow changes include client risk rating procedures, periodic reviews, and transaction monitoring. Technology needs include onboarding and surveillance systems that align with Bank Secrecy Act (BSA) requirements.
Firms should start by performing an AML risk assessment, defining internal roles and responsibilities, and selecting vendors for screening and monitoring technologies. Preparing in 2025 will be essential to avoid enforcement risk when the rule comes into force.
7. MAS Guidelines on AI Risk Management (Singapore)
Effective Date: December 2024 (supervisory focus intensifies in 2025)
Monetary Authority of Singapore (MAS) guidelines on responsible AI use reflect Singapore’s commitment to ethical and transparent deployment of AI across financial services. The framework emphasizes governance accountability, model risk management, data quality, and human oversight.
Buy-side and trading firms deploying AI are expected to maintain inventories of AI models, conduct regular impact and fairness testing, and ensure human oversight for high-risk use cases. Workflow adjustments include model validation reviews and documenting performance. Technology teams will need to implement bias detection tools and explainability frameworks.
MAS expects explainability, fairness, and accountability to be built into systems and workflows—especially for customer-facing and trading algorithms. To prepare, firms should embed AI principles into risk governance structures, train staff on MAS’s FEAT principles (Fairness, Ethics, Accountability, Transparency), and develop audit trails for AI-enabled decisions. The MAS guidelines, while not legally binding, are likely to influence supervisory expectations in 2025 and beyond.
8. Hong Kong SFC Guidance on Generative AI
Effective Date: 2025 (via 2024 Circular; implementation monitored in 2025)
The Securities and Finance Commission (SFC) of Hong Kong has published a detailed circular outlining governance and control expectations for firms deploying generative AI. The guidance highlights the importance of human oversight, output monitoring, and AI-specific risk assessments.
Firms offering AI-driven investment advisory or trading tools must embed transparency and explainability into client-facing systems. Governance must evolve to assign responsibility for AI supervision, while workflows must integrate output testing and scenario validation. Technology controls must include safeguards against hallucination and real-time drift detection.
To prepare, firms should be considering AI oversight committees, establishing policies governing generative model use, and notifying regulators of material AI deployments. A proactive approach will reduce compliance risk and foster trust in AI-driven services.
9. FCA AML Focus on Private Markets (UK)
Effective Date: March 2025
The FCA has turned its focus to AML controls in private markets funds, citing risks associated with opaque structures and high-value transactions. Asset managers dealing with private equity, real estate, or debt funds are under renewed scrutiny.
Firms must enhance onboarding processes, conduct source-of-funds due diligence, and review complex ownership structures. Governance teams should ensure AML frameworks address fund-specific risks. Data workflows must support beneficial ownership tracking, while technology investments may include AML screening tools tailored for non-traditional assets.
To prepare, firms should audit their current AML controls, update policy manuals, and enhance staff training on private markets risks. A risk-based approach aligned with FCA expectations will be key to compliance.
10. Enhanced AML Guidelines for Asset Managers (Hong Kong & Singapore)
Effective Date: 2025
Both Hong Kong’s SFC and Singapore’s MAS are strengthening AML requirements for asset managers and fund management firms in 2025. These updates align with the Financial Action Task Force (FATF) recommendations and bring previously exempt or lightly regulated entities under more formal oversight.
Firms must implement full-spectrum AML programs including client due diligence, monitoring, and suspicious activity reporting. Governance needs to include a named AML officer and defined escalation paths. Data and workflow systems must support ongoing due diligence and enhanced risk ratings.
To prepare, asset managers should benchmark against the new regional standards, deploy appropriate surveillance tools, and document enhanced controls. Regional supervisors are likely to test effectiveness via inspections and thematic reviews in 2025 and beyond.
Final Takeaways
The regulatory agenda for 2025 reinforces the need for financial institutions to adopt integrated, technology-enabled compliance frameworks. AI governance and operational resilience are becoming mandatory across jurisdictions, with regulators such as the SEC, FCA, MAS, and ESMA setting new expectations. To remain aligned, firms should conduct forward-looking risk assessments, establish early-stage controls for evolving rules, and invest in regulatory technology to streamline compliance processes.
Embedding tools that automate rule monitoring, policy mapping, and real-time surveillance of communications and transactions can improve oversight and reduce manual burden. As risk categories like IT, cyber, and model governance increasingly overlap, a unified approach—such as an enterprise risk committee—can support more consistent and efficient responses.
Sustainable compliance also requires firm-wide awareness. Continuous training and open communication channels enable early issue detection and reinforce accountability. Engagement with regulators, including participation in consultations and pilot programs, will help firms adapt frameworks in line with supervisory expectations while contributing to practical policy development.