April Global Regulatory Brief: Digital finance

Bloomberg Professional Services

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> to find out more or contact your Bloomberg representative:

  • Japan: JFSA strengthens crypto exchange cybersecurity
  • Switzerland: FINMA issues guidance on digital fraud risk management
  • US: SEC clarifies application of securities laws to crypto assets
  • UK: Regulators publish foresight paper on agentic AI

Japan: JFSA strengthens crypto exchange cybersecurity

Summary:
In response to escalating global cyberattacks on crypto asset exchanges, the Japan Financial Services Agency (JFSA) finalized a cybersecurity policy following public consultation in early 2026. Building on recommendations from the Financial System Council’s Crypto Asset System Working Group, the policy promotes stronger cybersecurity through a combined framework of firm-level initiatives, industry cooperation, and regulatory support. It emphasizes enhanced supervisory oversight, upgraded guidelines, information sharing, and government-led research, exercises, and testing to improve resilience, safeguard user assets, and strengthen trust in Japan’s crypto asset market.

Context:

Amid a growing number of cyberattacks causing crypto asset outflows worldwide, JFSA consulted on a draft policy to strengthen cybersecurity among crypto asset exchange operators between 10 February and 11 March 2026, receiving 18 public comments. The Financial System Council’s Crypto‑Asset System Working Group also emphasized that exchange operators should continuously strive to enhance cybersecurity standards, reinforcing the need for industry‑wide efforts to raise resilience.

Key takeaways:

  • Crypto assets are increasingly treated as investment products, while global cyberattacks causing asset outflows have occurred repeatedly since Bitcoin’s inception. Recent crypto thefts often involve indirect attacks, including social engineering and vendor compromise, rather than direct signing key theft. Some cyberattacks on crypto exchanges are suspected to involve state actors seeking foreign currency acquisition.
  • JFSA published this policy to strengthen cybersecurity through self-help, mutual-help, and public-help measures. Individual crypto exchanges are expected to steadily enhance their own cybersecurity controls through intensified supervisory monitoring. JFSA will consider raising supervisory guideline standards, including cybersecurity staffing, external audits, and outsourced service provider management.
  • Industry-wide cooperation is promoted, recognizing that individual firms cannot address advanced cyber threats alone. Self-regulatory organizations are encouraged to strengthen cybersecurity rules, oversight capabilities, and organizational capacity. Crypto exchanges are encouraged to actively participate in information-sharing bodies such as JP Crypto ISAC to improve sector-wide threat awareness.
  • JFSA will support the industry through research on past cyber incidents, improved cyber exercises, and pilot threat-led penetration testing.

Next steps

Companies should assess current cybersecurity frameworks against the JFSA’s policy direction, strengthen governance and staffing, review vendor and outsourcing controls, enhance incident readiness through exercises, and actively participate in industry information‑sharing initiatives to improve resilience and supervisory readiness.

Switzerland: FINMA issues guidance on digital fraud risk management

Summary:

FINMA has published new guidance highlighting weaknesses in banks’ management of digital fraud risks following a 2025 survey of 19 institutions. The findings point to gaps in operational risk management and anti-money laundering controls, as digital fraud cases continue to rise. The guidance applies to banks and entities under Article 1b of the Banking Act.

Context:

Digital banking activity has expanded significantly in recent years, particularly since the COVID-19 pandemic. Since 2022, FINMA has observed an increase in digital fraud incidents affecting both customers and bank accounts used for laundering illicit proceeds.

Key takeaways:

  • FINMA’s survey identified deficiencies in how banks manage digital fraud risks, especially in operational risk frameworks and AML controls.
  • Digital fraud presents dual risks: customer losses and misuse of bank accounts for laundering fraud proceeds.
  • The guidance highlights the importance of comprehensive risk management frameworks.
  • Risk frameworks should enable identification, assessment, management, and monitoring of fraud risks, including:
    • Risks linked to remote client onboarding
    • Unauthorised access to accounts
  • The guidance reinforces expectations for robust internal controls aligned with existing regulatory requirements.

Next step:

  • FINMA expects banks and relevant entities to review and strengthen their risk management and AML frameworks in line with the guidance.
  • The publication is intended to support firms in implementing existing regulatory obligations and enhancing fraud prevention systems; no formal consultation or deadline is specified.

US: SEC clarifies application of securities laws to crypto assets

The US Securities and Exchange Commission (SEC) issued guidance on how federal securities laws apply to certain crypto assets and related transactions.

Context:
The SEC positions the interpretation as a move away from enforcement-driven ambiguity toward a clearer framework, and supportive of broader Congressional efforts to establish a formal crypto market structure regime.

Key takeaways:
This guidance from the SEC underlines the view that most crypto assets are not themselves securities by providing a token taxonomy that “draws clear lines in the sand”.

  • Token taxonomy: The SEC classifies crypto assets into categories based on their characteristics, uses, and functions, and analyzes each category under the definition of “security”.
  • Digital Commodities: Crypto assets that are intrinsically linked to and derive their value from the programmatic operation of a crypto system that is “functional,” as well as supply and demand dynamics, rather than from the expectation of profits from the essential managerial efforts of others. Deemed NOT Securities.
  • Digital Collectibles: Crypto assets that are designed to be collected and/or used and may represent or convey rights to artwork, music, videos, trading cards, in-game items, or digital representations or references to internet memes, characters, current events, or trends. Deemed NOT Securities.
  • Digital Tools: Crypto assets that perform a practical function, such as a membership, ticket, credential, title instrument, or identity badge. Deemed NOT Securities.
  • Stablecoins: Defined in the GENIUS Act as “payment stablecoin issued by a permitted payment stablecoin issuer.” Deemed NOT Securities.
  • Digital Securities (or “tokenized securities”): Financial instruments enumerated in the definition of “security” that are formatted as or represented by a crypto asset, where the record of ownership is maintained in whole or in part on or through one or more crypto networks. Deemed Securities.

Investment contracts: The SEC explains that a non-security crypto asset becomes subject to an investment contract when an issuer offers it by inducing an investment of money in a common enterprise with certain representations or promises to undertake essential managerial efforts from which a purchaser would reasonably expect to derive profits.

Clarification: The SEC states that “protocol mining,” “protocol staking,” and the “wrapping” of a non-security crypto asset do not involve the offer and sale of a security.

UK: Regulators publish foresight paper on agentic AI

Summary:

The Digital Regulation Cooperation Forum (DRCF), consisting of the Capital Markets Authority (CMA), OfCom, the Information Commissioner’s Office (ICO), and the Financial Conduct Authority (FCA), has published a ‘foresight’ paper exploring the potential implications of agentic AI, and regulators’ early cross-regulatory considerations.

Key regulatory considerations identified include:

  • Governance: Emphasis on robust guardrails, system transparency and human oversight, particularly in complex multi-agent systems.
  • Data protection & cybersecurity: Focus on data minimisation, transparency in data use, and monitoring of emerging cyber risks linked to agentic AI.
  • Consumer protection: Need for clear disclosures, consent mechanisms, and safeguards against harm, including risks of digital exclusion.
  • Competition & markets: Consideration of risks such as algorithmic collusion and network-level behaviours, with a role for monitoring and detection tools.

Next steps

  • The paper is exploratory and does not introduce new rules but is intended to inform future regulatory approaches.
  • The DRCF will continue monitoring developments in agentic AI and may use the findings to support future policy coordination and potential guidance across UK regulators.
