Sign in Subscribe
Analysis

IOSCO’s 2025 Crypto Markets Review

James Williams

11 min read
IOSCO’s 2025 Crypto Markets Review

and why US projects/counsel should care

Introduction

Last week, the International Organization of Securities Commissions (IOSCO), the global forum of national securities regulators, published a significant report assessing how well countries have implemented IOSCO’s 2023 recommendations around crypto-asset market standards. This Thematic Review” offers a first-of-its-kind reality check on whether, and to what extent, regulators worldwide are heeding IOSCO’s call for “same activity, same risk, same regulatory outcome” in crypto markets. For crypto projects and their US-based lawyers, it offers a revealing glimpse into where global crypto regulation is headed, how US-onshoring advice will need to dovetail with a still-fractured (but increasingly harmonized) non-US regulatory picture and what expectations might soon land on our doorstep.

Background: IOSCO’s 2023 Crypto Asset Recommendations

While IOSCO itself, is not a regulatory body, it promulgates international policy standards for regulation of securities that members (including the SEC, CFTC, and counterparts in 130+ jurisdictions) agree to strive toward. In mid-2023, IOSCO released a set of 18 policy recommendations for crypto and digital asset markets, aiming to establish “a clear and robust international regulatory baseline” for crypto-asset service providers (CASPs). These recommendations were essentially 18 principles covering six key areas of risk in crypto, aligning with IOSCO’s traditional securities oversight framework:

  • Conflicts of Interest: Addressing risks from vertically integrated crypto firms (e.g. exchanges that also issue tokens or trade on their own platform).
  • Market Integrity: Preventing market manipulation, insider trading and fraud in crypto markets.
  • Custody & Asset Protection: Ensuring proper custody of client assets, including safeguarding private keys, segregating customer funds from the firm’s, and having oversight to prevent loss or misuse.
  • Cross-Border Cooperation: Mitigating cross-border risks by enhancing information-sharing and cooperation among regulators.
  • Operational Resilience: Managing operational and technological risks (for example, cybersecurity, system outages, or hacks) that could disrupt markets or harm investors.
  • Retail Investor Protection: Imposing retail access, disclosure and suitability rules.

The purpose of these 2023 recommendations was to help each jurisdiction plug regulatory gaps in crypto oversight while aiming to produce a globally consistent approach. IOSCO explicitly urged regulators to apply the same fundamental principles that govern securities markets to markets in crypto assets, with flexibility for local implementation but an eye toward “optimal regulatory consistency across member jurisdictions”.

The 2025 Reality Check: IOSCO’s Thematic Review Findings

IOSCO’s October 2025 report, titled “Thematic Review Assessing the Implementation of IOSCO Recommendations for Crypto and Digital Asset Markets” examines 20 jurisdictions (a mix of advanced and emerging economies) to evaluate how well each has implemented the 2023 crypto recommendations. The jurisdictions reviewed were: Abu Dhabi, AIFC Astana, Australia, Bahamas, Bermuda, Brazil, Canada, France, Georgia, Gibraltar, Hong Kong, Japan, Republic of Korea, Liechtenstein, Malta, South Africa, Singapore, Switzerland, Thailand and the United Kingdom. The review’s scope was squarely focused on investor protection and market integrity, assessing key areas like organizational governance, market abuse controls, cross-border cooperation, custody practices, and disclosure obligations. In broad strokes, IOSCO found that significant progress has been made in many places , with new laws and rules evolving quickly, but implementation is uneven, leaving dangerous gaps and potential for regulatory arbitrage. Below, I break down the findings in the areas most relevant to legal and compliance frameworks.

Governance & Conflicts of Interest

As mentioned, CASP internal governance, along with the minimization of conflicts of interest was a driving concern in 2023. The 2025 review indicates that virtually all surveyed jurisdictions have acknowledged these concerns and are taking steps to remedy, but at very different cadences. About half of the jurisdictions (10 out of 20)[i] already have new governance requirements in force for crypto service providers, covering things like fit-and-proper management, robust internal controls, and policies to manage conflicts. The rest are in progress: a few have draft rules in consultation, while others have only partial measures or none yet implemented.

Crucially, IOSCO notes a few common gaps. In some countries, crypto exchanges or brokers still aren’t required to institute adequate conflict-of-interest management systems or to disclose conflicts consistently.[ii] Disclosure rules vary, e.g. whether a platform must tell users it’s trading on its own market, or how it handles conflicts if it’s executing customer orders against its own book. Even where rules exist, they often lack requirements for ongoing disclosure, meaning a crypto firm might only declare conflicts at onboarding but not update customers as circumstances change. IOSCO’s message: basic governance and transparency obligations that are standard in traditional finance (like separating brokerage vs. exchange roles, or disclosing that an operator also holds a token it’s listing) need to become standard in crypto as well. While progress is being made, many jurisdictions have more to do to nail down these organizational controls.

Further, the report flags two emerging conflict-of-interest risks: crypto staking services and crypto platforms trading on their own account. IOSCO’s concern is that a platform acting as both custodian and staking validator might end up prioritizing its own interests (for example, how it selects validators or handles staking rewards and penalties) over the interests of its clients. Likewise, when a crypto exchange engages in proprietary trading on its own platform, it introduces the classic self-dealing risk of trading against customers – a conflict that regulators are starting to scrutinize (the UK, for instance, is considering banning exchanges from trading as principal against their users).

Market Integrity: Fraud and Market Abuse

On the market abuse front, IOSCO’s review is cautiously optimistic. It found that most of the 20 jurisdictions have put in place laws or regulations to combat fraud, manipulation and insider trading in crypto markets. In fact, 12 jurisdictions[iii] already have final rules in force that meet all the key elements of IOSCO’s recommendation on market abuse, and five[iv] more have published draft rules on the way. In practice, many countries extended their existing securities anti-fraud and anti-manipulation laws to cover crypto-assets, or created new offense categories for things like crypto pump-and-dumps. This marks a sea change from a few years ago when crypto trading often operated in a gray zone. Regulators are now largely asserting that crypto markets must be policed for the same misconduct as any other regulated financial market.

That said, IOSCO did flag challenges in enforcement. One notable gap is “limits in enforcement authority beyond CASPs”. In plainer terms, some regulators have the power to go after licensed crypto firms for market abuse but may lack the authority to pursue unregulated actors or individuals who commit fraud in crypto markets. For example, if market manipulation is happening on a DeFi platform or by an offshore entity that isn’t a registered exchange, a regulator’s hands may be tied under current law. IOSCO’s findings suggest that market integrity enforcement may require jurisdictions to broaden enforcement reach, either by bringing more actors into the regulatory perimeter or by creating new cooperative arrangements, so that bad actors can’t exploit gaps by operating outside of regulated intermediaries. Still, the overall trajectory is clear: the era of laissez-faire crypto trading is ending, and market abuse in crypto is widely being treated as seriously as in stocks or derivatives.

Cross-Border Cooperation

Crypto markets are inherently borderless, so it’s no surprise IOSCO spotlighted cross-border cooperation as a critical regulatory need and a continuing weak point. The 2025 review found that all assessed jurisdictions are at least signed on to IOSCO’s standard enforcement information-sharing arrangements (the Multilateral MOU and Enhanced MOU). In other words, regulators can share some info when investigating wrongdoing. Virtually all have also struck bilateral or regional MOUs to collaborate on supervision or fintech innovation (Republic of Korea being the lone odd man out).

Notwithstanding this finding, however, IOSCO noted that these mechanisms remain little-used in practice and often do not cover the full lifecycle of regulatory cooperation needed for global crypto businesses. Specifically, the assessment highlights that, outside of enforcement cases, there is relatively limited proactive info-sharing among regulators on things like authorizing or supervising crypto firms operating across borders. Legal barriers in some jurisdictions hamper data sharing, and in general regulators haven’t yet built the kind of seamless cooperation that the global nature of crypto demands.

The upshot is an increased risk of regulatory arbitrage: major CASPs often have a footprint in multiple countries, and they can exploit the cracks between regulators if those authorities aren’t talking to each other. IOSCO’s review calls for stepped-up efforts to “promote information sharing… beyond enforcement”, including during licensing and ongoing supervision, to keep pace with a market where a trading platform might serve users in 100+ countries. For example, if a crypto exchange that’s under investigation in Country A can simply relocate or keep serving customers in Country B because regulators aren’t coordinating, that’s a problem. The report emphasizes that cross-border collaboration isn’t just nice-to-have, it’s essential to consistent oversight and to prevent bad actors from jurisdiction-shopping. US lawyers advising crypto clients should take note: even if a project is based offshore or targets foreign users, in the coming months and years US regulators are likely to be increasingly in touch with their overseas counterparts.

Custody of Digital Assets

Perhaps the most immediately relevant findings were in the area of crypto custody and safeguarding client assets. In the wake of exchange collapses and asset mishandling (FTX and others), IOSCO’s 2023 recommendations put heavy emphasis on protecting customer assets under custody. The 2025 review found that many jurisdictions have responded: 12 out of 20 now have custody rules in place for crypto assets, either by extending existing securities custody frameworks or writing new crypto-specific ones. These typically require that crypto intermediaries (exchanges, brokers, custodians) segregate client assets from their own, maintain robust record-keeping, and have systems and controls to securely hold crypto private keys. Several countries mandate independent audits or other assurance measures to verify that client assets are intact (IOSCO’s Recommendation 15) and have rules to ensure firms can’t use client funds for their own purposes (Recommendation 16).[v]

Despite this progress, IOSCO identified notable gaps in certain regimes. One jurisdiction’s[vi] framework lacked explicit coverage of “securing the private keys” that control access to crypto-assets; a pretty fundamental aspect of crypto custody. Additionally, at least one jurisdiction with bespoke crypto laws still had gaps in its custody provisions,[vii] showing that even purpose-built regimes might miss pieces. Another inconsistency is how countries handle custody disclosures: IOSCO found that while over half the jurisdictions require crypto providers to disclose their custody and safekeeping arrangements to clients (e.g. where and how your coins are held), the level of detail varies, sometimes significantly. Some regulators require very granular disclosure (possibly including whether third-party custodians are used, insurance arrangements, etc.), while others only mandate a basic notice. There’s also the tricky issue of foreign custodians. Specifically, IOSCO observed that not all jurisdictions address what happens if a crypto firm parks client assets with an out-of-country custodian or on a global platform, which could emerge as a blind spot if that arrangement fails.

Retail Investors and Disclosures

Finally, IOSCO’s review looked at how regulators are handling retail investor protection, including disclosures and product suitability for retail customers. This turned out to be an area with less uniform progress. Only 8 of the 20 jurisdictions[viii] have fully implemented IOSCO’s Recommendation 18 on retail client appropriateness and disclosure.

IOSCO observed that many jurisdictions’ rules “lack requirements or clarity on the application of suitability or appropriateness tests when CASPs execute client orders.” In plain English, in most places outside a handful (e.g., the UK or EU under MiCA), crypto firms aren’t yet obligated to vet whether a given token or product is too complex or risky for a retail customer before letting them trade it. Traditional finance has concepts like accredited investor rules or suitability obligations for brokers recommending products. We’re beginning to see echoes of that for crypto, but it’s not yet widespread. The IOSCO review shows that globally, such investor suitability measures are still the exception rather than the norm, although momentum is building.

US Implications: Practical Takeaways for Crypto Projects and Their Lawyers

IOSCO’s standards are not binding US law, and the US wasn’t explicitly graded in this international report (though lawyers from the SEC and CFTC were a part of the report’s review team). So, should US-based crypto projects and their counsel care about a bunch of international recommendations? Absolutely. Here are the key reasons and takeaways:

  1. SEC Views on Cross-Boarder Regulatory Harmonization : Consider the following public statements made by SEC commissioners this year:
  • Feb. 4, 2025 – Commissioner Hester M. Peirce (Speech: “The Journey Begins”, Washington, D.C.): Launching the SEC’s new Crypto Task Force, Peirce emphasized that crafting a crypto regulatory framework will involve broad cooperation, including coordination “with our international counterparts.” She noted the Task Force was even considering a “Cross-Border Sandbox” to enable limited, joint U.S.-foreign experimentation for crypto projects that operate across jurisdictions.
  • May 8, 2025 – Commissioner Hester M. Peirce (Speech: “A Creative and Cooperative Balancing Act” at SEC International Institute, Washington, D.C.): Speaking to an international gathering of regulators, Peirce urged greater cross-border collaboration on crypto innovation. She highlighted that many crypto firms seek to serve multiple jurisdictions and that regulators “would benefit from seeing how products or services work in different environments.”
  • July 16, 2025 – Commissioner Hester M. Peirce (Remarks at Guildhall, London – “Old Flames”): In a speech to the City of London, Peirce celebrated the deep US-UK ties in financial markets and called the UK a “natural partner” in fostering robust global capital markets. She observed that US and UK authorities already “routinely cooperate on enforcement matters,” assisting each other’s investigations of securities law violations. Peirce then revisited her prior proposal for a US-UK “cross-border sandbox” for digital assets, originally suggested in a 2024 comment letter.
  • April 4, 2025 – Commissioner Caroline A. Crenshaw (Statement: “Stable” Coins or Risky Business?, Washington, D.C.): In a public statement critiquing an SEC staff position on stablecoins, Crenshaw underscored global regulatory concerns about crypto. She pointed to international standards, citing the IOSCO Policy Recommendations for Crypto and Digital Asset Markets (Nov. 2023) on stablecoins’ risks and market structure.
  • Sept. 10, 2025 – Chairman Paul S. Atkins (Keynote: OECD Inaugural Roundtable on Global Financial Markets, Paris): In a wide-ranging OECD address, Atkins explicitly called for transatlantic and global alignment in crypto regulation.
  1. Cross-Border Reach and Risk: The days of operating a crypto business offshore to escape regulation are pretty much gone. IOSCO’s review underscores that regulators worldwide are closing ranks and striving for consistent oversight to avoid becoming havens for regulatory arbitrage. US projects that solicit users abroad or have entities in multiple countries need to realize that a violation in one jurisdiction can quickly become everybody’s business. Likewise, foreign laws inspired by IOSCO recommendations (like Europe’s MiCA regime) can directly affect US companies that want to access those markets. The practical upshot: assume global visibility. Structuring compliance for one jurisdiction while ignoring others is not a winning legal strategy.
  2. Mind the Compliance Blind Spots: IOSCO’s findings effectively shine a floodlight on common compliance blind spots- areas where crypto businesses might not yet meet the emerging global norm. US lawyers advising crypto clients that qualify as CASPs should treat these as vulnerabilities to fix before regulators force the issue (essentially self-regulate to the level of IOSCO’s standards). Clearly, this advice may not apply to all projects (e.g. certain decentralized, non-custodial software protocols), but where you represent a CASP engaged in regulated (or questionably regulated) activity, consider this report a helpful checklist of where your compliance program might need work
  3. Prepare for Convergence: Lastly, recognize that international guidance often filters into US policy indirectly through global forums (G20, FSB), through pressure on multinational firms, or even through the courts citing “standards of practice.” The IOSCO report shows regulators globally coalescing around certain principles. For US crypto lawyers, keeping an eye on these global developments isn’t academic; it’s part of anticipating where the law is headed. We’ve seen this in areas like anti-money laundering (global FATF crypto recommendations led to the Travel Rule requirements in many countries, including momentum in the US). A similar dynamic could happen with IOSCO’s crypto market principles. Don’t be surprised if, for example, US lawmakers or regulators proposing new crypto legislation cite the IOSCO principles as a benchmark for what comprehensive regulation should cover. Being conversant in these international standards allows practitioners to front-run the curve and advise clients with an appreciation of not only US rules in isolation, but the broader regulatory zeitgeist.

Conclusion

IOSCO’s 2025 review is a milestone in the maturation of global crypto law. It shows an accelerating consensus that crypto markets need guardrails akin to those in traditional finance, and it identifies where the world’s regulators are falling short. The US is part of a global conversation on crypto oversight; one that is rapidly moving from talk to coordinated action. The crypto industry once had the luxury or curse (depending on your POV) of operating in gaps and gray areas; that era is ending, and compliance strategy must evolve accordingly.

[i] Abu Dhabi, AIFC Astana, Bermuda, Canada, France, Hong Kong, Liechtenstein, Malta, Singapore, Thailand.

[ii]Republic of Korea and Georgia

[iii] Abu Dhabi, AIFC Astana, Bahamas, Bermuda, Canada, France, Gibraltar, Hong Kong, Liechtenstein, Malta, Republic of Korea, Thailand

[iv] Australia, Brazil, Japan, Singapore, United Kingdom

[v] Australia and Switzerland.

[vi] South Africa

[vii] Bahamas

[viii] AIFC Astana, Bermuda, Canada, Gibraltar, Hong Kong, Japan, Singapore, Thailand.