This Week in Compliance Vol. 12

What's been occupying our compliance attention lately? Here's a rundown of notable updates in the world of payments from the past weeks.
DORA Takes Effect: A New Era of Operational Resilience in the EU
As of 17 January 2025, the Digital Operational Resilience Act (DORA) is officially in force, setting a new standard for ICT risk management and cybersecurity across the EU financial sector. The regulation aims to enhance resilience, risk monitoring, and oversight, prompting banks and financial institutions to overhaul their internal systems to comply.
However, challenges remain, as key aspects of the DORA rulebook are still evolving, including rules on subcontracting ICT services and threat-led penetration testing. With financial firms investing millions in preparation, experts emphasize that compliance is not a one-time task but an ongoing process requiring continuous risk assessments and strong cyber hygiene.
Sweden's Central Bank Urges Banks to Join TIPS Cross-Currency Payment Project
The Riksbank is calling on Swedish banks to actively participate in the Target Instant Payment Settlement (TIPS) cross-currency initiative, a collaboration with the ECB and Danmarks Nationalbank to enable instant payments between euros, Swedish kronor, and Danish kroner. Deputy Governor Per Jansson emphasized the project's alignment with the G20's goal of making cross-border payments faster, cheaper, and more secure but stressed that cooperation between central banks and market players is essential. With Norges Bank set to join in 2028 and the ECB exploring international expansion, Swedish banks are encouraged to submit a Letter of Intent by 28 February 2025 to engage in system design and testing.
Zumo Releases MiCA Readiness Report at Davos, Highlighting Industry Gaps in Sustainability Compliance
At the World Economic Forum (WEF) in Davos, B2B digital asset platform Zumo unveiled a MiCA readiness report, assessing the industry's preparedness for the EU's upcoming Markets in Crypto-Assets (MiCA) regulation, particularly its sustainability disclosure requirements. While 75% of respondents are familiar with MiCA, fewer than a third understand its sustainability mandates, with key challenges including unclear regulatory guidelines (50%) and resource constraints (38%). Peter Kerstens of the European Commission stressed that firms should view MiCA not just as compliance but as a gateway to the EU market. The report underscores that non-compliance risks include reputational damage (75%) and customer loss due to sanctions (69%), prompting Zumo to advocate for greater industry collaboration with regulators.
EU AI Act’s ‘Unacceptable Risk’ Provisions Take Effect, Setting Global Compliance Precedent
On 2 February 2025, the first key provisions of the EU AI Act came into force, marking a major regulatory milestone by banning AI systems deemed to pose an "unacceptable risk." This includes manipulative AI, social scoring, untargeted facial recognition scraping, and real-time biometric identification in public spaces (with exceptions). Companies failing to comply face penalties of up to €35 million or 7% of global annual turnover.
Beyond enforcement, today also marks the deadline for meeting AI literacy requirements, ensuring teams working with AI receive adequate training. Experts warn that global businesses—even those outside the EU—must assess their AI operations for compliance. With 18 months until the next major deadline, companies are urged to start AI system audits and cataloging efforts to avoid regulatory risks.
OKX Fined $505M for AML Violations, Admits to Operating Unlicensed Money Transmission
OKX operator Aux Cayes Fintech has agreed to pay $504 million in penalties after pleading guilty to operating an unlicensed money transmitting business in the United States. Despite its policy of restricting US users since 2017, the Seychelles-based exchange actively sought out retail and institutional customers in the US, facilitating over $1 trillion in transactions without registering with FinCEN. The DOJ found that OKX failed to implement KYC requirements and, in some cases, advised users on how to bypass them, enabling over $5 billion in suspicious transactions. US authorities emphasize that this case underscores heightened enforcement of AML regulations in the crypto sector.
At spektr, we understand that keeping up with regulatory changes and maintaining compliance can feel overwhelming. Let's have a chat about your compliance needs and how we can customize solutions to match your unique business requirements!
spektr has been certified by Mastermind Assurance LLC to ISO/IEC 27001:2022 (MMIND-24082301) and ISO/IEC 42001:2023 (MMIND-24102801).