The auditor finds it first, or you do.
A working operator's read on why the regulatory posture across ten regimes has hardened, and the single operational change that decides which side of an audit you land on.
Somewhere on a live server right now, a parameter has moved that nobody chose to move.
A swap reverted to zero after an overnight update. A leverage tier loosened when a group was cloned. A symbol came back online with the wrong margin. None of it fired an alert, because none of it was supposed to happen. The dealing desk is watching prices. The platform team is watching uptime. Nobody is watching the config, because the config is not supposed to change on its own.
It changed anyway. And the clock that matters started the moment it did.
The sentence no broker wants to say
There is a sentence you never want to say to your regulator. It goes roughly like this: we have identified an error that was affecting clients for the past twelve months, and we did not see it until now.
Every part of that sentence is a problem. "Twelve months" is client impact you cannot walk back. "Did not see it" is a monitoring failure stated out loud. And in most major regimes the gap between when the error started and when you reported it is no longer read as bad luck. It is read as the thing you are accountable for.
For a long time brokers could live with that gap. The annual audit was the safety net. The spot check was the backstop. If something drifted in March and got caught in the November review, that was the system working as designed.
That is no longer the system. The posture has hardened, and it has hardened almost everywhere at once.
What actually changed
In January 2026 ASIC published REP 828, Risky business. The headline number was nearly forty million dollars in refunds returned to retail clients across the CFD issuers it reviewed. More than half the sector was found to have breached the product intervention order. The transaction reporting picture was worse, with tens of millions of erroneous reports lodged across the population.
The number is not the point. The standard buried inside the report is the point.
ASIC's finding was that a set and forget approach to compliance is itself a breach. Not a weakness. Not a maturity gap. A breach. The regulator was explicit that collecting data is not enough, that issuers are expected to conduct ongoing meaningful monitoring of their own products and outcomes, and that where monitoring surfaces a problem you are expected to have seen it and acted.
Read that against the twelve month sentence above. The regulator is no longer asking whether you passed your audit. It is asking whether you were watching at all.
This is not an Australian story
It would be convenient to file REP 828 under "ASIC being ASIC" and move on. The problem is that every regime a serious broker operates under is moving in the same direction, on the same logic, at the same time.
| Regulator | Jurisdiction | The direction of travel |
|---|---|---|
| ASIC | Australia | Set and forget ruled a breach. Ongoing monitoring now an explicit expectation, backed by sector-wide refunds. |
| FCA | United Kingdom | Principle 11 plus the Consumer Duty. Prompt notification of anything the regulator would expect to know, and a standing duty to monitor client outcomes. |
| ESMA | European Union | Product intervention caps, and under DORA an operational incident clock now measured in hours, not quarters. |
| CySEC | Cyprus | Tightened leverage on lower-liquidity products in 2025 and aligned upward with stricter EU norms. DORA and MiCA layered on top. |
| MAS | Singapore | Suitability-led oversight with prompt breach notification and a low tolerance for governance gaps. |
| JFSA | Japan | Hard leverage caps and a business improvement order regime that treats unresolved control failures as escalation triggers. |
| CFTC | United States | Enforcement division restructured in 2025, with cybersecurity and real-time transaction monitoring treated as core obligations through the NFA. |
| DFSA | Dubai (DIFC) | Top-tier style supervision with prompt breach notification expected of every authorised firm. |
| SCA | UAE | Onshore framework maturing fast, with reporting and conduct obligations converging toward the international floor. |
| SCB | Bahamas | Even the jurisdiction many brokers chose for flexibility now runs structured transaction, audit and breach reporting. |
Look down that column and the pattern is unmistakable. There is no longer a jurisdiction where the answer is "wait for the annual review." The floor moved under all of them. The brokers who run multiple entities feel it hardest, because they now have to satisfy the strictest standard in the stack, not the most forgiving one.
The clock starts when the breach exists
Here is the mechanic that ties it together, and the one most operators underrate.
Across these frameworks the breach reporting obligation is measured in days. A material breach you discover has to be self-reported inside a fixed window. Under DORA, an operational incident clock can run in hours. That part is widely understood.
What gets missed is when the clock starts. It does not start when you notice. Under the ASIC reportable situations regime the obligation triggers from the point you know, or are reasonably able to determine, that a reportable situation has arisen. "Reasonably able to determine" is the phrase that should keep you up at night. It means a parameter that drifted in March and surfaced in November did not give you eight quiet months. It gave you eight months of accruing exposure against a standard that asks why a reasonable licensee was not watching.
So the time you spend not knowing is not neutral. It is the most expensive time on the clock. Every undetected day is client impact you will later have to quantify, remediate and explain, and it is a day the regulator can argue you should have caught.
The twelve month sentence is the worst version of this. It is not one breach. It is a breach plus a year of evidence that you were not looking.
Why audits cannot close the gap
The instinct is to fix this with more audits. Tighter reviews. A bigger checklist. It does not work, for a structural reason.
A quarterly audit leaves a ninety day blind spot by definition. Whatever drifts on day two sits unseen until day ninety. A spot check only ever covers what someone thought to check, and the failures that hurt are the ones nobody thought to check, because they came from a server update or a cloned group or a plugin nobody flagged. Point-in-time controls are built to confirm that the things you already worry about are fine. They are not built to catch the thing you did not know to worry about.
And the surface is enormous. A mid-sized broker can run hundreds of symbols across a dozen or more servers, each with hundreds of groups, every parameter a potential pricing error, compliance breach or arbitrage exposure the moment it moves. No quarterly review keeps eyes on all of it. No spreadsheet holds all of it in view at once. The gap between audits is not a small risk. It is the risk.
The one change that decides it
The single operational change is not a bigger audit. It is continuous independent surveillance of your own environment, so the gap between a breach existing and you knowing collapses from months to a cycle.
That is a different question than the one most compliance functions are set up to answer. The audit question is, did we pass. The surveillance question is, would we find it before we are forced to disclose it.
Because the regulator is not the one out there looking. It does not watch your servers. It learns about your problems one of two ways: you self-report a breach you can no longer avoid disclosing, or a client complains and the complaint reaches the regulator's desk. Both are the discovery happening to you, on someone else's timing. The audit looks backward at a sample. Surveillance runs continuously across everything, and it is the only thing that puts the discovery back in your hands.
Get that change right and the asymmetry swings in your favour. When you find a config error in one cycle, you self-report it identified, contained and remediated. You walk in with the timeline, the dollar exposure and the fix already in place. That is a broker demonstrating exactly the ongoing monitoring the regulator now expects.
Get it wrong and the discovery happens to you. A client complaint lands on the regulator's desk before it lands on yours, or a breach you missed forces a disclosure you are making months late. Now you are reconstructing a client impact figure that keeps growing, with a year of silence to account for. Same underlying mistake. Two completely different outcomes. The only thing separating them is who found it first.
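What "collapses from months to a cycle" means in practice is a baseline-versus-live comparison run on a schedule, with the detection gap bounded by the schedule. The example below is added for this article; it is not Broker Intelligence's code and it uses no MT4 or MT5 API. The server, group and symbol names, the parameter names (swap_long, margin_pct, leverage), the retail leverage cap and the three drift events (a swap zeroed by an update, a cloned group with a loosened tier, a symbol back online with the wrong margin) are all constructed to mirror the failures described at the top of the page. It runs the same simulated ninety days twice, once checked daily and once checked at the quarterly review, and reports how long each change existed before a check saw it.

```python
"""Config-drift surveillance, worked example.

Added illustration for this article, not Broker Intelligence's code and not
an MT4/MT5 API. Servers, groups, symbols, parameter names, the policy cap and
the three drift events below are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Any

# Constructed policy: the maximum leverage a retail group may carry.
RETAIL_LEVERAGE_CAP = 30

# Constructed baseline: {server: {group: {symbol: {parameter: value}}}}.
# "_group" holds group-level settings; other keys are per-symbol settings.
BASELINE = {
    "srv-1": {
        "retail-std": {
            "_group": {"leverage": 30},
            "EURUSD": {"swap_long": -0.8, "swap_short": 0.3, "margin_pct": 100},
            "XAUUSD": {"swap_long": -5.1, "swap_short": 2.2, "margin_pct": 100},
        }
    }
}

# Constructed events: (day, server, group, symbol, parameter, new value).
EVENTS = [
    (3, "srv-1", "retail-std", "EURUSD", "swap_long", 0.0),      # swap zeroed by an update
    (10, "srv-1", "retail-std-v2", "_group", "leverage", 500),   # group cloned, tier loosened
    (20, "srv-1", "retail-std", "XAUUSD", "margin_pct", 50),     # symbol back online, wrong margin
]


def flatten(snapshot):
    """Map the nested config into {(server, group, symbol, parameter): value}."""
    return {
        (srv, grp, sym, name): value
        for srv, groups in snapshot.items()
        for grp, symbols in groups.items()
        for sym, params in symbols.items()
        for name, value in params.items()
    }


def state_on(day):
    """Live config on a given day: baseline plus every event up to that day."""
    live = flatten(BASELINE)
    for when, srv, grp, sym, name, value in EVENTS:
        if when <= day:
            live[(srv, grp, sym, name)] = value
    return live


@dataclass(frozen=True)
class Finding:
    key: tuple
    expected: Any
    observed: Any
    started: int          # day the change first existed on the server
    found: int            # day a check first saw it
    policy_breach: bool   # observed value breaks the constructed policy cap

    @property
    def undetected_days(self) -> int:
        return self.found - self.started


def compare(base, live):
    """Every parameter whose live value differs from baseline. A key absent
    from baseline (for example a freshly cloned group) shows expected=None."""
    return {
        k: (base.get(k), live.get(k))
        for k in set(base) | set(live)
        if base.get(k) != live.get(k)
    }


def breaches_policy(key, value):
    """Flag any leverage value above the retail cap, wherever it appears."""
    return key[3] == "leverage" and isinstance(value, (int, float)) and value > RETAIL_LEVERAGE_CAP


def surveil(cadence_days, horizon_days=90):
    """Check the live config against baseline every `cadence_days` and report
    each difference with how long it existed before a check saw it. The true
    start day is known only because this is a simulation; a real deployment
    knows nothing between checks, which is the point of the comparison."""
    base = flatten(BASELINE)
    started, findings = {}, {}
    for day in range(horizon_days + 1):
        diffs = compare(base, state_on(day))
        for k in diffs:
            started.setdefault(k, day)
        if day % cadence_days == 0:
            for k, (exp, obs) in diffs.items():
                if k not in findings:
                    findings[k] = Finding(k, exp, obs, started[k], day, breaches_policy(k, obs))
    return sorted(findings.values(), key=lambda f: f.started)


def worst_gap(cadence_days):
    """Longest stretch any change sat unseen under the given check cadence."""
    return max((f.undetected_days for f in surveil(cadence_days)), default=0)


if __name__ == "__main__":
    for cadence in (1, 90):
        print(f"cadence {cadence:>2} days, worst undetected gap {worst_gap(cadence)} days")
        for f in surveil(cadence):
            flag = " POLICY" if f.policy_breach else ""
            print(f"  {f.key}: {f.expected!r} -> {f.observed!r}, unseen {f.undetected_days}d{flag}")
```

Run as a script it prints the same three changes under both cadences: the daily check sees each one on the day it happens, the quarterly check sees all three on day ninety with 87, 80 and 70 days of exposure behind them. The cloned group is the case worth noticing: it has no baseline entry at all, so a pure diff reports it as "expected None", and only the separate policy check turns that into a leverage finding. In a real deployment the baseline would be the last signed-off configuration and the live snapshot would be pulled read-only from each server on every cycle.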
Where this leaves you
The regulators have already made their move. Ten of them, on the same logic, inside the same window. The posture is not going to soften, and the obligations are not going to get lighter.
What is still yours to decide is which side of the audit you stand on. You can keep relying on periodic reviews and hope the gap between them stays quiet, or you can watch your own environment continuously and make sure that when something moves, you are the one who finds it.
The auditor finds it first, or you do. That is the whole game now.
Broker Intelligence runs independent, read-only surveillance across your live MT4 and MT5 servers, surfacing the breach, the leak and the drift quantified to the dollar, before your regulator does. Book a 30-minute walk-through.