In 2025, the FCA issued £124 million in fines. ASIC forced $40 million AUD in refunds to over 38,000 retail investors. DORA’s January 2025 go-live introduced binding operational resilience obligations across the EU, with penalties of up to 2% of annual worldwide turnover.
CFDs remain one of the most scrutinised retail trading products globally.
Five interconnected challenges are now reshaping compliance priorities: investor protection failures, market abuse detection gaps, operational resilience requirements, regulatory divergence across jurisdictions, and rising compliance costs that are forcing market consolidation.
For compliance officers, CFD brokers, COOs, and broker leadership, understanding where regulators are focusing—and what enforcement actions signal about future priorities—is essential for staying ahead in 2026.
What Did the FCA's November 2025 CFD Review Actually Find?
The FCA’s Multi-Firm Review found that many CFD firms made “little or no changes” to their investor protection practices following Consumer Duty implementation, with retail loss rates remaining stubbornly high across the sector.
This wasn’t a minor concern. The review examined how firms were defining and serving their target markets, and the results were damning. Too many brokers continued treating retail CFD traders as a homogeneous group rather than assessing genuine suitability.
ASIC’s parallel Report 828, “Risky Business”, published in January 2026, painted an equally grim picture. Australian retail CFD traders lost 68% in FY24, while EU brokers reported loss rates between 74% and 89%.
The message from regulators is clear: target market definitions must be specific and defensible. The FXCM stop order in December 2025 demonstrated exactly what happens when they’re not: the FCA determined the firm’s target market definition was too broad to meaningfully protect investors from unsuitable products.
Why Are Finfluencers Now a Criminal Enforcement Priority?
Finfluencer promotion of CFDs has escalated from a compliance nuisance to a criminal enforcement priority, with the FCA’s Global Week of Action in June 2025 resulting in three arrests, seven cease-and-desist orders, and over 650 content takedowns.
The scale of harm drove this shift. One scheme alone caused £75 million in losses to 90,000 investors. IOSCO’s May 2025 Final Reports now establish global standards for how firms must monitor and control third-party promoters.
For CFD brokers, this creates direct liability exposure. 83% of Gen Z investors report being influenced by social media content when making investment decisions. If an affiliate or finfluencer makes misleading claims about your products, your firm bears responsibility.
The compliance response requires documented due diligence on all marketing partners, real-time monitoring of promotional content, and clear contractual obligations around compliant messaging.
Treating affiliate management as purely a commercial function is no longer viable.
What Market Abuse Risks Are Regulators Targeting in CFD Trading?
The FCA’s Market Watch 73 revealed that no surveyed firms had surveillance systems capable of detecting “narrowing the spread” manipulation—a finding that should alarm every CFD compliance team.
This specific manipulation pattern involves traders placing orders to artificially tighten spreads before executing larger trades at improved prices. The FCA found it was occurring undetected because surveillance systems weren’t configured to identify it.
The Infinox Capital fine of £99,200 in January 2025—the first MiFIR transaction reporting penalty—demonstrated that even technical reporting failures face enforcement. The firm had failed to report 46,053 transactions correctly.
Market Watch 80’s October 2024 guidance on Overseas Offices Acting Alone (OOAAs) added another dimension. Organised Crime Groups account for approximately 25% of all Suspicious Transaction and Order Reports (STORs), with the FCA identifying over half a billion pounds in OCG profits from suspicious trading since 2022. Single-stock CFDs pose particular risks due to their potential for coordinated manipulation by overseas intermediaries.
The 4,528 STORs received in 2024, with over 70% of FCA investigations originating from these reports, underscore that effective surveillance isn’t optional: it’s the primary detection mechanism for enforcement.
How Can CFD Brokers Reduce False Positives Without Missing Genuine Abuse?
Industry surveys show 23% of compliance teams cite false positives as their primary surveillance challenge, while another 23% struggle with integrating trade surveillance with electronic communications monitoring.
The tension is real: tighter alert thresholds catch more potential abuse but overwhelm investigation teams, while looser thresholds miss genuine manipulation. Neither extreme serves compliance objectives.
The SEC’s January 2025 eComms sweep demonstrates the regulatory expectation.
Penalties totalling $63.1 million—including $12 million for Blackstone, $11 million for KKR, and $10 million for Schwab—all stemmed from failures to capture and retain business communications across personal devices.
Effective surveillance requires cross-product context.
A pattern that looks benign in isolation may reveal manipulation when correlated with communications, order flow across related instruments, or coordinated activity across accounts. The FCA’s guidance on “good” surveillance emphasises that systems must be calibrated to each firm’s specific business model and risk profile.
Investment in surveillance technology and skilled investigators isn’t a cost centre—it’s the foundation of defensible compliance. The question isn’t whether regulators will examine your surveillance capabilities, but when they will.
What Does DORA Require from CFD Brokers in 2026?
DORA (the EU’s Digital Operational Resilience Act) became binding law on 17 January 2025, with penalties reaching 2% of annual worldwide turnover. It mandates that CFD brokers operating in the EU implement comprehensive ICT risk management, incident reporting within four hours of significant incidents, and detailed third-party provider oversight.
The Register of Information deadline on 30 April 2025 exposed widespread unpreparedness. Only 6.5% of submissions passed ESA data quality checks on the first attempt.
The designation of 19 Critical ICT Third-Party Providers on 18 November 2025—including AWS, Google, Microsoft, Oracle, and SAP—creates direct regulatory oversight of infrastructure that most brokers depend upon. Cloud concentration risk is real: AWS, Azure, and Google control approximately 63% of the global cloud market.
Real-world incidents demonstrate the exposure. The Cloudflare outage on 18 November 2025 affected multiple CFD platforms, including FXPro, Skilling, and Monaxa, with Finance Magnates estimating that the average broker lost approximately $1.58 billion in trading volume during the three-hour disruption.
XTB’s November 2025 outage—which left traders unable to close positions for hours—highlighted how platform architecture decisions create operational risk that compliance teams must now actively manage.
For brokers handling cross-border payments and international payment processing, DORA’s requirements intersect with broader operational resilience expectations. Firms must document not just their technology stack but the entire chain of dependencies that support client transactions.
Are Smaller CFD Brokers Being Squeezed Out by Compliance Costs?
US broker-dealer registrations fell from 4,757 in 2010 to 3,354 in 2024, while assets under management grew from $4.66 trillion to $6.4 trillion—clear evidence that compliance costs are driving market consolidation.
Financial institutions now allocate approximately 19% of revenue to compliance. AI compliance tools increased costs by 40% in 2025, while team sizes grew 30% to manage expanding obligations.
C-suite executives report spending 42% of their time on compliance matters. For smaller brokers, this represents a structural disadvantage against larger competitors who can spread fixed costs across greater revenue.
Specific fee examples illustrate the burden. CySEC’s DORA-related fees range from €2,000 to €20,000 depending on firm size, while mandatory penetration testing typically costs around €20,000 annually. These aren’t optional expenses—they’re the baseline cost of maintaining authorisation.
The CFD market continues growing, from $1.32 billion in 2026 to a projected $2.31 billion by 2035, but that growth increasingly flows to larger players with the scale to absorb compliance overhead.
What Should CFD Broker Compliance Teams Prioritise Now?
Compliance teams should focus on four immediate priorities: tightening target market definitions with documented evidence, upgrading surveillance to detect manipulation patterns like spread narrowing, stress-testing operational resilience against third-party failures, and building realistic compliance budgets that reflect accurate regulatory expectations.
Each priority connects to specific enforcement trends. Target market work responds directly to the FCA’s Multi-Firm Review findings. Surveillance upgrades address Market Watch 73’s revelations about detection gaps. Resilience testing prepares for DORA’s ongoing oversight. Budget planning acknowledges that under-resourcing compliance creates long-term licence risk.
The firms that navigate 2026 successfully will be those that treat compliance as strategic infrastructure rather than as a cost-containment measure. Reactive approaches that address regulatory concerns only after enforcement action are increasingly expensive—both in direct penalties and reputational damage.
Turning Compliance Challenges into Competitive Advantage
The regulatory landscape for CFD brokers in 2026 is demanding but navigable. Investor protection, market abuse detection, operational resilience, jurisdictional complexity, and rising costs each present genuine challenges. But firms that build robust compliance frameworks gain more than regulatory approval: they lay the operational foundation for sustainable growth.
For CFD brokers evaluating their payment infrastructure, banking relationships, and cross-border payment capabilities, working with specialists who understand both the regulatory environment and the practical requirements of high-volume trading operations makes a meaningful difference.
Capitalixe works with CFD brokers and financial institutions across 140+ countries, providing payment solutions, banking consultant services, and global payment solutions tailored to regulated trading businesses.