Regulators tighten grip on AML and cybersecurity in Q3

The total value of regulatory fines issued globally in Q3 2025 reached $834.9m, marking a sharp 71.3% decline compared to Q2.

This quarter, however, saw a notable shift in enforcement trends: European regulators issued the majority of fines, breaking the longstanding pattern of U.S. authorities leading global activity, according to Corlytics.

Two of the most significant actions came from France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL).

The regulator imposed penalties against Alphabet Inc., the parent company of Google, and Infinite Styles Services, the Irish entity behind Shein’s website operations. CNIL sanctioned Infinite for placing advertising content between Gmail messages without valid consent and for deploying cookies at account creation without obtaining freely given and informed consent from users in France. The company was also penalised for failing to meet the legal standards on cookie usage for the shein.com domain.

Across the globe, authorities intensified scrutiny on anti-money laundering (AML) practices, with several high-profile cases emerging from the digital asset sector. The New York State Department of Financial Services (NYDFS) fined Paxos Trust Company $26.5m for failing to conduct sufficient due diligence on its former partner, Binance, and for systemic shortcomings in its AML programme.

In Canada, the Financial Transactions and Reports Analysis Centre (FINTRAC) levied a CAD 19.552m penalty on Peken Global Limited, operating as KuCoin. The company faced enforcement for operating without registration as a foreign money services business, failing to report large virtual-currency transactions, and neglecting to submit suspicious transaction reports — key obligations under Canadian AML law.

Cybersecurity and data protection also remained a dominant theme, as regulators continued to highlight the risks of weak security frameworks. The NYDFS imposed a $2m penalty on Healthplex following a significant cybersecurity breach that compromised sensitive customer information. The incident began when an employee fell victim to a phishing email, allowing attackers access to a mailbox containing extensive personal data belonging to customers.

Investigators found that Healthplex lacked a robust data retention policy, which resulted in the unnecessary storage of non-public information belonging to tens of thousands of New Yorkers. The absence of multi-factor authentication further exacerbated the risks. Notably, Healthplex delayed its notification to the regulator for more than four months after discovering the breach and subsequent exposure — a major violation of timely disclosure requirements.

The Q3 2025 enforcement landscape demonstrates a decisive global push toward enhanced accountability in data governance, cybersecurity resilience, and AML compliance. With Europe taking the lead and regulators across multiple jurisdictions pursuing greater oversight, financial institutions face mounting pressure to modernise systems, strengthen controls, and maintain proactive compliance frameworks.


Copyright © 2025 RegTech Analyst
