The total value of global regulatory fines reached $834.9m in Q3 2025, marking a sharp 71.3% drop compared to the previous quarter.
Despite the decrease, the quarter revealed a significant geographical shift in enforcement patterns, according to Corlytics: European regulators issued the majority of fines, a notable departure from the historically dominant activity of US authorities.
Among the most substantial actions were two sanctions imposed by France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL). The authority fined Alphabet Inc., the parent company of Google, and Infinite Styles Services, the Irish entity operating the Shein platform, for breaches of data protection rules. CNIL penalised Alphabet for displaying advertising content between Gmail messages without valid user consent and for deploying advertising cookies during account creation without clear authorisation. Meanwhile, Infinite Styles faced penalties for failing to comply with French legal standards on cookie use across the shein.com website.
Regulatory attention on anti-money laundering (AML) practices intensified throughout the quarter, with several high-profile fines targeting digital asset firms. In the US, the New York Department of Financial Services (NYDFS) issued a $26.5m penalty to Paxos Trust Company for deficiencies in its AML programme and inadequate due diligence of its former partner, Binance.
Across the border, Canada’s financial intelligence unit, FINTRAC, levied a CAD 19.55m fine on Peken Global Limited, operator of the KuCoin exchange, for failing to register as a foreign money-services business, neglecting to report large virtual-currency transactions, and omitting suspicious activity reports. These cases reinforce the growing pressure on virtual asset service providers to uphold robust compliance frameworks amid increasing regulatory alignment across jurisdictions.
Cybersecurity failures also remained a major focus for regulators. NYDFS imposed a $2m fine on Healthplex following a phishing attack that compromised sensitive customer data. Investigations revealed that the breach originated when an employee clicked on a phishing email, granting unauthorised access to a mailbox containing extensive customer information. Healthplex’s shortcomings included the absence of a data retention policy, resulting in unnecessary exposure of non-public data belonging to tens of thousands of New Yorkers. The company also failed to implement multi-factor authentication and delayed notifying the regulator for over four months after discovering the breach.
Together, these enforcement actions highlight how regulatory bodies worldwide continue to prioritise accountability for data protection, AML compliance, and cyber resilience — signalling that despite the reduced fine totals in Q3, the financial and reputational costs of non-compliance remain substantial.
Copyright © 2025 FinTech Global









