Global crypto regulation: the FSB and IOSCO review implementation progress

At aosphere, we are closely following regulatory developments related to crypto-assets and related services. We were therefore very interested to read the FSB’s and IOSCO’s thematic review reports assessing the progress of jurisdictions in implementing their respective recommendations for regulating crypto-asset activities. They also published a joint information note to accompany the reports. 

The reviews aim to encourage full and consistent implementation of the recommendations across jurisdictions. This article summarises the scope of the reviews and highlights key findings and recommendations for further action.

Background

The reports assess implementation of:

• the FSB’s global regulatory framework for crypto-asset activities, which comprises two sets of high-level recommendations for the regulation, supervision and oversight of: (i) crypto-asset activities and markets (the CA Recommendations); and (ii) global stablecoin arrangements (GSCs) (the GSC Recommendations); and
• IOSCO’s 18 policy recommendations for the regulation of crypto and digital asset markets (the CDA Policy Recommendations). 

FSB report

The FSB’s Thematic Review on the Implementation of its Global Regulatory Framework for Crypto-asset Activities (the FSB report) evaluates implementation progress across 37 jurisdictions and focuses on financial stability risks of crypto-asset activities and stablecoin arrangements.

CA Recommendations

The report covers jurisdictions’ progress implementing a framework regulating crypto-asset activities, including variations in:

• the extent to which jurisdictions have developed or finalised frameworks for crypto-assets that address financial stability. Of the jurisdictions evaluated, 39% reported having a finalised framework (e.g. the EU, Hong Kong, Bermuda), 29% were in the process of consulting or finalising a framework (e.g. the UK, Australia, Switzerland), 11% had a framework that partially addresses financial stability in place (e.g. Canada, South Africa) and 21% remained at an early stage with no framework (e.g. China, India, Mexico);
• the approach to regulation and whether jurisdictions are extending an existing framework to encompass crypto-assets (e.g. Australia, Hong Kong, South Africa, Switzerland) or developing a bespoke crypto-asset regulatory framework (e.g. the EU with its MiCA framework, Bermuda);
• the scope of licensing frameworks for crypto-asset service providers (CASPs). For example, while many jurisdictions have frameworks that go beyond registration and address financial stability (e.g. Bermuda, the EU, Hong Kong, Japan), others remain focused primarily on AML/CFT registration (e.g. India, South Africa);
• approaches in allocating responsibilities for licensing and supervising CASPs;
• the regulatory treatment of CASP activities including CASP borrowing and lending (which the report finds is only comprehensively regulated in two jurisdictions, Bermuda and the Bahamas, and not explicitly addressed in a number of other jurisdictions’ frameworks, including the EU and South Africa), proprietary trading, activities generating liquidity risks (such as yield or earn programs and, in certain cases, staking) and activities generating operational and technology risks (such as custody);
• the scope and rigour of rules related to authorisation and licensing requirements for CASPs, including governance requirements, financial and non-financial risk management requirements and prudential requirements. For example, jurisdictions such as the EU, Turkey and Hong Kong have developed comprehensive frameworks, whereas frameworks in certain other jurisdictions have gaps (e.g. risk management requirements for CASPs in South Africa and Argentina do not address credit risk management);
• regulation of multifunction CASPs. For example, while jurisdictions such as the EU and Hong Kong provide comprehensive and prescriptive frameworks to manage risks associated with multi-functional CASPs, others, such as Australia, Canada, and Korea, have yet to develop detailed regulatory approaches for such CASPs;
• supervisory approaches to CASPs and whether jurisdictions’ frameworks addressing financial stability risks are comprehensive (e.g. Bermuda, France, Hong Kong), partial (Australia, Canada, Japan) or limited/under development (e.g. the UK);
• enforcement frameworks and whether jurisdictions’ crypto enforcement tools are comprehensive (e.g. Australia, Bermuda, Hong Kong), partial (e.g. Argentina, India, Mexico) or minimal/undefined (e.g. China); and
• collection, disclosure and reporting of data and information related to financial stability.

Key findings include that:

• while jurisdictions have made notable progress implementing the CA Recommendations, gaps remain in addressing financial stability risks, particularly in the regulation of CASPs;
• comprehensive regulation of higher-risk activities such as borrowing, lending and margin trading is often lacking, which creates challenges such as regulatory arbitrage and may lead to CASPs migrating to jurisdictions with weaker or less comprehensive frameworks;
• many jurisdictions have not yet implemented the tools necessary for ensuring compliance and oversight of crypto-asset activities; and
• gaps or the lack of comprehensive reporting frameworks for CASPs hinder authorities' ability to monitor and address potential financial stability risks effectively.

GSC Recommendations

The FSB report also covers jurisdictions’ progress implementing a regulatory framework for GSCs, including variations in:

• the extent to which jurisdictions have developed or finalised comprehensive frameworks for GSCs. Of the jurisdictions evaluated, 21% reported having a finalised framework (e.g. the EU, Hong Kong, Bermuda), 34% were in the process of consulting or finalising a framework (e.g. the US, the UK, Australia, Switzerland), 10% had partial regulations in place (e.g. Canada, Thailand) and 38% remained at an early stage with no framework (e.g. India, Mexico);
• approaches to regulating GSCs, noting that there is a noticeable trend towards recognising the limitations of applying existing regulatory frameworks (unless materially adjusted), such as securities or payment regulation, to stablecoin issuers and activities. While some jurisdictions apply the same rules as other crypto-assets to stablecoins (e.g. Argentina, South Africa), some jurisdictions have implemented, or are in the process of implementing, specific regulatory frameworks tailored to stablecoins (e.g. Bermuda, the EU Hong Kong, Japan, the US);
• the types of entities allowed to obtain a licence or authorisation to issue stablecoins. For example, while banks, electronic money institutions and payment service providers are commonly allowed to issue stablecoins, some jurisdictions also allow non-bank entities to issue stablecoins where specific licensing requirements are met (e.g. Bermuda, Hong Kong);
• approaches to stablecoin issuers’ access to central bank payment systems for their settlement with other financial institutions and their ability to hold reserves with the central bank (e.g. in the EU, issuers of e-money tokens may have direct access, while some jurisdictions explicitly prohibit access, e.g. Singapore);
• approaches to listing of stablecoins on trading platforms and whether listing is restricted (for some or all users) to locally licensed stablecoins (e.g. Hong Kong, the EU);
• regulatory requirements for stablecoin issuers including in respect of governance, risk management, redemption, stabilisation mechanisms, reserve collateralisation requirements, reserve assets composition and custody, prudential requirements and recovery and resolution requirements. The report notes that few jurisdictions fully meet all aspects of the GSC recommendations for stablecoin issuers and there is also significant variation in how jurisdictions are implementing these recommendations; and
• supervisory powers, including in relation to examination and inspections.

Key findings include:

• implementation progress has been slow, with few jurisdictions having finalised frameworks for GSCs. Existing regulatory mandates and tools are often insufficient to address the specific risks posed by GSCs and align with the GSC Recommendations;
• jurisdictions are recognising that they need a tailored regulatory framework, however few of these frameworks are fully aligned with the GSC Recommendations and critical gaps include insufficient requirements for robust risk management practices, capital buffers, and recovery and resolution planning; and
• jurisdictional differences in redemption and custody requirements, the timing and details of disclosures, and reserve collateralisation frameworks pose particular regulatory and supervisory challenges in relation to cross-border stablecoin arrangements.

The report also considers jurisdictions’ progress implementing recommendations related to cross-border cooperation and coordination relating to crypto-asset markets, concluding that:

• cross-border cooperation and coordination are fragmented, inconsistent, and insufficient to address the global nature of crypto-asset markets;
• existing mechanisms for enforcement and licensing purposes rarely extend to broader supervisory objectives or financial stability monitoring; and
• divergent definitions, fragmented responsibilities among domestic authorities and legal barriers (such as secrecy or privacy laws) threaten to impede information sharing and may delay coordinated responses to potential systemic risks.

Based on the findings of the report, the FSB makes eight recommendations addressed to jurisdictions as they develop their regulatory regime (as well as to the FSB and other international organisations), including recommendations to:

• close any identified gaps against the CA Recommendations/GSC Recommendations;

• improve their data capabilities and infrastructure to enable them to monitor financial stability risks within the crypto-asset market and between the crypto-asset market and traditional financial markets; and
• assess the scale and nature of cross-border crypto-asset activities into/out of their jurisdictions and develop additional tools (e.g. MoUs) for cross-border cooperation to address the risks.

IOSCO report

The IOSCO Thematic Review on the Implementation of its Crypto and Digital Asset Recommendations (the IOSCO report) assesses the progress of 20 IOSCO jurisdictions (as of 31 July 2025) in implementing 10 of the CDA Recommendations (the Assessed Recommendations) considered most directly relevant to investor protection and market integrity. The Assessed Recommendations cover governance, conflicts of interest, fraud and market abuse, cross-border cooperation, custody, retail client protections and disclosures. The report summarises the key findings in respect of each recommendation, including a summary of overall progress, emerging practices and challenges and gaps (see chapter 5).

In particular, overall findings include that:

• significant progress is being made in implementing key elements of the Assessed Recommendations through implementation of frameworks in line with the CDA Policy Recommendations;
• most jurisdictions are still developing their regulatory frameworks and undertaking further reforms to address market developments and go beyond the Assessed Recommendations;
• the majority of the jurisdictions have adopted varying approaches to comply with the key elements of the Assessed Recommendations, however it is too early to evaluate the effectiveness of these varying approaches;
• a number of jurisdictions continue to face different types and degrees of challenges in adopting all the key elements of the CDA Recommendations; and
• most jurisdictions have mechanisms to facilitate cross-border cooperation, although in some instances there are hurdles to the effective use of these mechanisms. The use of existing information-sharing mechanisms across jurisdictions has been relatively limited to date.

With respect to the findings related to cross-border cooperation (in relation to recommendation 11 on enhanced regulatory cooperation), IOSCO’s report also encourages jurisdictions to consider enhancements to promote cross-border information sharing, for example establishing informational resources, creating new mechanisms for information sharing and updating existing or introducing new formal frameworks.