
Regulatory Roundup - November 2025: Oversight Tightens as AI, AML, and Geopolitics Converge

  • Writer: Steve Marshall
  • 2 days ago

As 2025 draws to a close, regulators worldwide are tightening their grip on a compliance landscape shaped by technology, financial crime, and global tensions. This month’s developments reflect a move toward more impact-based, data-driven regulation—from FinCEN’s AML rule delays and coordinated US cyberfraud enforcement actions, to the OCC’s push for clarity on “unsafe or unsound” practices and OFAC’s sweeping new sanctions on Russia and Iran. At the same time, scrutiny of AI governance, model risk, and human oversight continues to intensify. The common thread across all fronts: defensible, well-governed compliance programs remain the surest path to resilience and regulatory confidence. 




SPECIAL ANALYSIS: AI & COMPLIANCE RISK

 

Regulators turning the spotlight on AI, from human oversight to model risk management 

As artificial intelligence (AI) use accelerates across financial services and adjacent sectors, regulators are zeroing in on the compliance risks that accompany rapid deployment. Going forward, firms must understand not just the overlap but the distinctions between global and regional obligations. With frameworks like the EU AI Act and California Senate Bill 53 now moving into force, the emphasis is firmly on embedding model risk management, human oversight, and robust governance around AI systems while keeping compliance risk in check.  

 

ANTI-MONEY LAUNDERING (AML) 


The GENIUS Act: a federal framework for stablecoins and a new era for fintech licensing 

The proposed GENIUS Act could transform US payments oversight by creating a federal framework for payment stablecoins, potentially replacing the current patchwork of state money transmitter licenses. The Act introduces what some call a “bespoke fintech license,” easing entry for nonbank firms while tightening AML and compliance standards. As stablecoins emerge as a new payment rail, compliance teams must stay alert as today’s AML laws may soon evolve to meet this new reality. 


Reputation risk and debanking: regulators move to curb subjectivity in AML oversight 

A new US initiative would bar federal regulators from citing “reputation risk” as grounds for enforcement or debanking, marking a major shift in how AML risk is evaluated. The OCC and FDIC argue that reputation risk adds subjectivity without improving safety or soundness. Going forward, financial institutions will need to rethink AML risk models to ensure factors are fact-based, well-documented, and tied to measurable financial impact. The result could be a more transparent and evidence-driven approach to risk assessment. 


Florida moves to expand anti-debanking rules, raising the bar for governance and oversight 

Florida’s Office of Financial Regulation (OFR) has proposed amendments to strengthen protections against discriminatory debanking, expanding the scope of covered individuals and complaint triggers. The updates would require executive-level attestations, broader definitions of protected activity, and stronger documentation of suspicious activity decisions. While aimed at ensuring fairness, the rules would also heighten compliance and governance burdens, demanding tighter internal controls and more rigorous oversight of AML risk factors and their real-world impacts.  


OCC Bulletin 2025-29: redefining “unsafe or unsound” practices and refocusing MRAs on financial materiality 

In a two-part rulemaking proposal, the OCC and FDIC seek to redefine “unsafe or unsound practices” and tighten the criteria for issuing Matters Requiring Attention (MRAs). The new standard limits enforcement to actions that materially harm an institution’s financial condition or the Deposit Insurance Fund, moving away from subjective interpretations tied to compliance or operational risk. 

This shift aims to clarify enforcement boundaries and prioritize material financial risks over procedural findings—meaning examiners must now demonstrate measurable financial impact before issuing an MRA. For AML and compliance professionals, the takeaway is clear: risk frameworks must align to actual financial exposure, not perceived or reputational concerns. 


FinCEN delays real estate AML rule, pushing effective date to March 2026 

FinCEN has postponed the effective date for reporting non-financed real estate transactions from December 1, 2025, to March 1, 2026, giving firms additional time to develop and implement AML policies. The delay aligns with broader efforts to reduce near-term compliance burdens, but it also pauses the reporting of high-risk cash transactions in real estate. While the extension offers breathing room for compliance teams, it also underscores ongoing concerns that such delays may mask illicit financing risks in a sector already under heightened scrutiny.


US agencies target cyber-enabled fraud in $15B enforcement sweep 

The DOJ, OFAC, and FinCEN have launched coordinated enforcement actions against Southeast Asian scam networks tied to large-scale cyber and “pig butchering” fraud schemes, resulting in $15 billion in asset forfeitures. The actions underscore a growing regulatory focus on cyber-enabled fraud as a top enforcement priority. Financial institutions are urged to tighten controls and enhance monitoring of transnational cybercrime risks—especially schemes that exploit digital payment channels and cross-border vulnerabilities. 


COUNTERING THE FINANCING OF TERRORISM (CFT) 


BIS extends 50% ownership rule, tightening export control compliance for banks 

The US Department of Commerce’s Bureau of Industry and Security (BIS) has expanded its export control framework, prohibiting banks from financing restricted exports to any company 50% or more owned by entities on the Entity List or Military End-User List. Modeled after OFAC’s 50% rule, the change broadens compliance exposure across complex ownership structures and reinforces prior guidance under General Prohibition 10. With the administration signaling tougher enforcement and penalties, financial institutions must strengthen due diligence on both financial and goods-side transactions to identify indirect links to restricted parties. 


BNP Paribas hit with $20.5M civil verdict over financing tied to Sudanese atrocities 

A US jury ordered BNP Paribas to pay $20.5 million to Sudanese refugees after finding the bank liable for civil conspiracy, aiding and abetting, negligence, and wrongful death related to financing Sudan’s genocidal military campaign. The case built upon BNP’s 2014 guilty plea for processing $8.8 billion in illegal transactions with sanctioned nations. The verdict underscores a key lesson for financial institutions: government settlements don’t close the book on liability—civil exposure can follow, demanding a broader view of risk tolerance and accountability beyond regulatory fines. 


OFAC expands sanctions on Iran’s shadow banking and militia networks 

OFAC has announced new, coordinated sanctions targeting Iranian financial facilitators and militia-linked entities as part of its maximum pressure campaign (NSPM-2). The measures aim to disrupt Iran’s shadow banking infrastructure, weapons procurement channels, and illicit funding networks. Companies across shipping, finance, energy, insurance, and commodities trading are urged to assess potential exposure to newly designated entities and vessels, as complex ownership structures and layered intermediaries continue to obscure Iran’s global financial activities. 


OFAC imposes sweeping sanctions on Russian energy giants Rosneft and Lukoil 

OFAC has issued broad new sanctions targeting Rosneft, Lukoil, and dozens of their subsidiaries, while granting limited general licenses to support essential transactions. The move, accompanied by a warning to foreign financial institutions about secondary sanctions risk, comes amid stalled Ukraine-Russia peace negotiations. US firms and financial institutions are urged to reassess exposure, scrutinize counterparties, and strengthen screening and internal controls to detect both direct and indirect links to sanctioned Russian entities within the energy sector.   


ARTIFICIAL INTELLIGENCE & TECHNOLOGY 


AI hallucinations pose growing compliance risk, calling for more human oversight 

With AI hallucinations—false or misleading outputs—occurring in up to 48% of large language model (LLM) responses, organizations face mounting legal, financial, and reputational risks. These errors often stem from biased or incomplete training data and insufficient fact-checking. Regulators, including under the forthcoming EU AI Act, are emphasizing transparency and human oversight. To mitigate risk, firms should ensure expert review of AI outputs, limit use in high-stakes contexts, and train staff on AI’s limitations, while adopting task-specific, domain-trained models for greater reliability and compliance integrity. 


AI adoption surges in insurance, but consumer trust lags behind 

Nearly 95% of insurance companies are now integrating AI across core operations, yet one-third of UK customers say they lack confidence in insurers’ use of the technology. The rapid adoption brings heightened risks, from ethical and privacy concerns to a fragmented regulatory landscape. To bridge the trust gap, insurers must strengthen AI governance, model risk management, and data security, ensuring that transparency and human oversight remain central to every AI-driven decision. 

  


Expert guidance for a shifting compliance landscape 

As regulatory demands grow more complex, FinScan’s Advisory Services provide the practical expertise and strategic direction needed to stay ahead. From enhancing model governance and data quality to navigating sanctions compliance and emerging technology risks, our team can help you fortify your compliance framework and prepare for what’s next. Strengthen your program and your confidence by connecting with our experts today.
