The CBI's RSO is a direct statement of supervisory intent. This briefing covers all five focus areas, Finvisor's independent assessment, and the questions your Board, CEO, and Head of Compliance should be asking now.
The CBI's first dedicated CASP chapter signals a regulator in active supervisory build-out. Six focus areas, key messages mapped to MiCAR obligations, and questions for Board, CEO, and Head of Compliance.
Regulatory risk is consistently underweighted in financial services M&A. We have seen transactions derailed by undisclosed regulatory conditions, poor compliance infrastructure, and licence perimeter mismatches. What to look for, and how to price it, before you sign.
Regulators globally are intensifying AML supervision for payment firms. The firms succeeding are not those with the longest policies. They have the most accurately calibrated risk assessments, the sharpest transaction monitoring tuning, and the strongest escalation culture.
MiCAR is now fully applicable across the EU. But for firms operating globally, the regulatory picture is more complex. US state and federal frameworks, APAC licensing routes, and multiple EU gateway strategies each carry different implications for business model design and regulatory risk.
Internal audit functions in regulated financial services firms are under increasing scrutiny. Regulators want to see independent, well-resourced third-line functions with direct Board access, a structured audit universe, and the ability to escalate findings without management interference.
Agreement between EU Parliament and Council was reached in November 2025. Final adoption is expected mid-2026 and the PSR applies 21 months after that. Payment firms need to begin impact assessments now, particularly around IBAN verification, open banking obligations, and fraud liability frameworks.