IOSCO Evaluates Implementation of Crypto-Asset Regulatory Recommendations

The International Organization of Securities Commissions ("IOSCO") found uneven progress across 20 jurisdictions on the implementation of its 2023 Policy Recommendations for Crypto and Digital Assets ("CDA").

In the 2025 Thematic Review, IOSCO highlighted key trends reshaping global crypto regulation, such as: (i) the market’s rapid expansion to $3.9 trillion, which underscores crypto's growing role in global finance; (ii) illicit activity, totaling $53.1 billion in 2024, (IOSCO noted that stablecoins surpassed Bitcoin in unlawful use); (iii) new models like staking and crypto lending, which pose fresh risks around liquidity and counterparty exposure; and (iv) artificial intelligence, which is driving both innovation and new cyber threats, reinforcing the need for agile, coordinated oversight.

IOSCO explained that in 2023, the Fintech Task Force finalized CDA and DeFi Policy Recommendations which included clarifications on how the two frameworks interact. IOSCO subsequently launched a "Crypto-Asset Implementation Roadmap" to promote global adoption and regulatory consistency.

In the 2025 Thematic Review, IOSCO assessed progress on 10 of the 18 CDA Recommendations, primarily those focused on investor protection and market integrity across 20 jurisdictions. IOSCO concluded that jurisdictions have made meaningful, but uneven progress, with many regulatory frameworks still developing or only partially implemented. IOSCO said that approaches continue to vary widely, creating potential for regulatory gaps and arbitrage as crypto markets evolve with new risks and business models. IOSCO urged jurisdictions to accelerate full implementation of the CDA Recommendations to enhance market integrity and investor protection.

Specifically, IOSCO considered implementation of:

1. Recommendation 2 (Organizational Governance). IOSCO found that all jurisdictions have made some progress, with 10 having relevant requirements in place and 8 yet to publish measures that fully address all elements. IOSCO highlighted conflicts of interest among vertically integrated Crypto-Asset Service Providers—especially around proprietary trading—as a key challenge.
2. Recommendation 3 (Disclosure of Role and Conflicts). IOSCO reported that 11 jurisdictions have final implementation measures in place. IOSCO noted ongoing challenges, such as weak conflict management systems and a lack of continuous disclosure requirements.
3. Recommendation 8 (Fraud and Market Abuse). IOSCO observed that 12 jurisdictions have implemented this recommendation. IOSCO highlighted that limited enforcement authority over unlicensed entities or individuals remains a key obstacle.
4. Recommendation 11 (Enhanced Regulatory Cooperation). IOSCO found that while all participating jurisdictions have cooperation frameworks, such as the IOSCO Multilateral Memorandum of Understanding, their use for crypto assets has been limited. IOSCO identified gaps in ongoing supervision and legal barriers from differing national classifications and recommended exploring ways to strengthen cross-border coordination.
5. Recommendations 12–16 (Custody of Client Assets). IOSCO noted significant progress: 
   • Recommendation 12 (Overarching Custody). IOSCO reported that 12 jurisdictions finalized and enacted custody measures.
   • Recommendation 13 (Segregation of Assets). IOSCO observed that 14 jurisdictions implemented requirements ensuring proper asset segregation.
   • Recommendation 14 (Custody Disclosure). The IOSCO said that 11 jurisdictions satisfied all disclosure obligations related to custody arrangements.
   • Recommendation 15 (Reconciliation and Independent Assurance). IOSCO confirmed that 14 jurisdictions fully adopted reconciliation and assurance standards.
   • Recommendation 16 (Securing Client Assets). IOSCO indicated that 12 jurisdictions introduced comprehensive measures to safeguard client assets, including liability provisions for losses.
6. Recommendation 18 (Retail Client Appropriateness and Disclosure). IOSCO found mixed progress, with 8 jurisdictions fully implementing requirements and 3 yet to adopt any key measures. IOSCO emphasized that many frameworks still lack clear suitability or appropriateness tests for CASPs that only execute client orders, posing ongoing risks to retail investor protection.