
Recent enforcement actions point to sharpened regulatory expectations for evidence of controls capable of preventing, detecting, escalating, and correcting risk. Where firms are falling short, enforcement is landing on design, governance, and oversight failures. Across trading surveillance, client onboarding and valuation governance, regulators are drawing the same distinction between having controls on paper and having a fully functional GRC framework.
Three recent actions illustrate the point. One turns on incomplete surveillance coverage after a business change. Another exposes weak client classification and oversight in onboarding. A third shows how valuation processes can fail when challenge, access control and independence break down. Taken together, they show how weak control design is becoming the common thread behind very different enforcement outcomes.
Change Control Failure
The FCA’s action against Dinosaur Merchant Bank turned on a basic control failure: a material part of the firm’s Contracts for Differences (CFDs) trading activity fell outside automated surveillance after the introduction of a new order system. According to the FCA, between June and October 2024, 2,194 trades with a notional value of about $3.05 billion were executed via that platform but were not captured and reviewed by the automated surveillance system. The firm identified the issue in October 2024, yet the FCA said the deficiencies were not properly addressed until May 2025.
What matters in this case is where the control failed. A new trading workflow went live without effective validation that surveillance coverage remained complete. Once the gap was found, remediation did not close it with sufficient speed. The weakness therefore sat not only in trade monitoring, but in change governance, control ownership, and escalation. The FCA’s case shows how regulators will treat incomplete surveillance coverage as evidence of a broader systems-and-controls failure rather than as a narrow tooling defect.
Culture Overriding Controls
ASIC’s case against Binance Australia Derivatives exposed deficiencies in client classification and onboarding controls. The Federal Court ordered a $10 million penalty after more than 85 per cent of the firm’s Australian client base was misclassified over a nine-month period, with 524 retail clients incorrectly treated as wholesale investors. ASIC said those clients incurred $8.66 million in trading losses and paid $3.89 million in fees.
ASIC said clients seeking sophisticated investor status were allowed unlimited attempts at a multiple-choice quiz until they passed. It also pointed to poor staff training and inadequate compliance oversight of applications and supporting documents. The classification logic could be worked around, review was weak, and oversight was inadequate. That is why the case reads as an enforcement action on flawed control design rather than only on client harm. Regulators are looking at whether eligibility, review and challenge mechanisms can withstand pressure in live operations, not whether a firm can point to an onboarding process on paper.
Lack of Independent Oversight
The CFTC’s action against James Velissaris highlights a different form of control inadequacy: weak valuation governance around OTC derivatives. The court granted summary judgment for the CFTC, imposed a $2.2 million civil monetary penalty, and entered permanent trading and registration bans. The CFTC said Velissaris falsely represented that certain OTC derivative positions were valued independently, when in fact he made manual adjustments that inflated reported values and fed investor reporting, fund net asset values, and fees.
Here, the problem was not the absence of a valuation framework. The inadequacy lay in the control environment around it. If one individual could alter assumptions or inputs without effective independent challenge, then access control, override governance, price verification, and committee oversight were not strong enough. The case is a reminder that regulators will examine whether core financial controls were capable of constraining discretion where incentives were strongest. Where challenge is weak or independence is compromised, valuation processes incur regulatory risk.
The GRC Fault Line
Taken together, these cases show a consistent enforcement pattern. Regulators are looking for gaps in control coverage, weaknesses in control design and failures in oversight. They are asking whether controls kept pace with business change, whether they were hard to circumvent, whether exceptions were escalated, and whether weaknesses were corrected once identified.
That means firms are being judged less on whether a control existed and more on whether it was complete, credible, and capable of operating under real conditions. A surveillance framework that fails to detect new order flows, an onboarding process that can be gamed, or a valuation process that lacks independent challenge will all attract the same regulatory conclusion—the GRC framework was inadequate.