GRC Report Staff

When Trade Changes Suppliers, Third-Party Risk Changes Too

A supplier that looked perfectly sensible in January can become a liability by April without having changed at all. The factory is the same, the quality standards are the same, and the people answering the phone are the same people they were a few months earlier. What changed happened somewhere else, perhaps in a government office thousands of miles away, perhaps in the latest round of trade negotiations, perhaps in a policy announcement that never mentioned the supplier by name. Yet procurement is suddenly looking elsewhere, finance is recalculating costs, and operations is asking how quickly production can move if it has to.

EU Authorities Warn MiCAR Deadline Could Create New Money Laundering Risks During Crypto Market Reshuffle

The European Union's crypto market changes shape on July 1. After that date, firms that have continued operating under MiCAR's transitional arrangements must either hold authorization as Crypto-Asset Service Providers (CASPs) or stop providing crypto-asset services in the bloc. That regulatory milestone has been discussed for months as a licensing event. European anti-money laundering authorities are treating it as something else entirely: a financial crime event.

ASIC Secures $6.7 Million Penalty Against Mercer Super for Systemic Reporting Failures

Australia's corporate regulator has secured a $6.7 million (AUD $10.3 million) penalty against Mercer Super after the Federal Court found the superannuation trustee maintained inadequate systems for identifying and reporting significant compliance investigations, allowing serious member service issues to go undisclosed or be reported inaccurately over nearly three years.

California Delays First Corporate Climate Reporting Deadline as CARB Revises Disclosure Rules

The California Air Resources Board announced this week that it will postpone the state's first deadline for reporting Scope 1 and Scope 2 greenhouse gas emissions from August 10, 2026, to November 10, 2026. The extension is tied directly to the regulation itself, which remains unfinished. Rather than continue the approval process, CARB has withdrawn the package it submitted to the Office of Administrative Law, choosing instead to make what it describes as limited revisions that clarify certain requirements before asking regulators for final approval.

EIOPA Makes Digital Resilience Part of Everyday Insurance Supervision

The European Insurance and Occupational Pensions Authority spent much of 2025 doing the kind of work that rarely attracts headlines but quietly determines whether supervision across Europe's insurance market moves in the same direction. A report published Friday traces that effort through country visits, technical reviews and cross-border coordination, while marking one notable expansion in scope: digital operational resilience has formally become part of the authority's oversight agenda.

Italian Competition Authority Investigates Microsoft Over Microsoft 365 AI-Linked Price Increase

The Italian Competition Authority has opened an investigation into Microsoft Ireland Operations and Microsoft, arguing that the company may have crossed that line when it increased the price of Microsoft 365 after incorporating its Copilot and Designer artificial intelligence services into the subscription.

Sweden to Replace Annual AML Questionnaire With Risk-Based Reporting Framework

Sweden's annual anti-money laundering reporting exercise has long been a familiar ritual. Each year, supervised firms answer the same set of questions, submit them to the Financial Supervisory Authority (FI), and move on. That routine is about to change. Beginning on 1 January 2027, the regulator will replace the existing reporting framework with an entirely new questionnaire that asks firms not simply what they do, but what kinds of risks they carry and how well their controls are built to contain them.