Thistle Initiatives Manager Eva Koreskova looks at the progress in financial crime expectations from earlier in the year and what it could mean for firms for the remainder of 2026.
At the start of 2026, in our article Financial Crime Compliance: What to Expect in 2026, we noted that many of the major financial crime initiatives firms had spent recent years preparing for were moving from implementation into supervision, challenge and scrutiny. In particular, we highlighted several areas that we expected to shape the regulatory agenda during 2026:
Looking back at the first six months of the year, many of those developments have continued to move in that direction. Supervisory findings, enforcement activity and policy developments have all provided firms with greater insight into regulatory expectations and the areas where weaknesses continue to be identified. In this article, we look back at some of the key developments from the first half of 2026 and consider what they may mean for firms during the remainder of the year.
Fraud is perhaps the clearest example of how regulatory expectations have developed during the first half of 2026.
At the start of the year, most firms had already spent considerable time responding to the Authorised Push Payment (APP) fraud reimbursement regime and the Failure to Prevent Fraud offence. The conversation was beginning to move beyond implementation and towards the key question: are these measures delivering the outcomes they were intended to achieve?
The Payment Systems Regulator (PSR's) APP scams reimbursement dashboard has provided some of the first meaningful insight into that question. Since the reimbursement regime came into force, 89% of APP scam losses in scope have been reimbursed, representing a significant £243 million returned to victims. Around 82% of claims were closed within five business days and 98% within 35 business days. Perhaps most notably, only 3% of claims were rejected because the customer was deemed not to have taken sufficient care. The results are positive. Customers are being reimbursed, claims are being processed relatively quickly, and there is very little evidence that firms are relying on consumer caution exceptions. For firms, however, the publication of this data creates a different challenge. Once outcomes can be measured, regulators can begin asking more detailed questions.
For example, how are claims assessed? How are vulnerable customers identified and supported? What factors lead to different outcomes? And, importantly, how are firms using reimbursement data to better understand the underlying causes of fraud? The PSR's 2026/27 work programme strongly suggests that these questions are unlikely to go away. APP fraud remains firmly on the supervisory agenda, with continued monitoring of how firms are meeting expected standards and further evaluation of the first year of mandatory reimbursement.
Looking at the wider fraud landscape, the UK's Fraud Strategy 2026 - 2029 reflects growing recognition that tackling fraud requires a coordinated response across government, law enforcement, regulators, technology and communication (including social media) firms and financial services organisations. Measures such as the new Report Fraud service, the Online Crime Centre and greater information sharing all point towards a more collaborative approach.
Perhaps the most pertinent question for firms is, what comes next? Reimbursement remains important, but there is growing attention on what firms are learning from fraud events and what firms are doing with that information. How are claims outcomes being used to identify trends, strengthen controls and reduce future harm? Therefore, firms need to ensure that it is has robust management information in place, which not only details key risk and performance metrics, but also documents trend analysis, to ensure that the intelligence obtained adds value to the firm’s fraud risk management framework.
The first half of 2026 has been a busy period for sanctions. Between the move to the single UK Sanctions List, FCA findings on sanctions systems and controls, and several notable enforcement actions, firms have seen a much clearer picture emerge of where regulatory attention is focused.
A significant milestone was the move to the single UK Sanctions List in January. While intended to simplify the UK's sanctions framework, the transition also served as a practical test of firms' governance arrangements. Firms needed to understand how sanctions data flowed through their systems, whether screening providers were sourcing and processing the correct data, and whether updates to screening logic, identifiers and system configurations had been implemented appropriately. For firms relying on third-party screening solutions, this should never have been viewed solely as a vendor exercise. Responsibility remains with the firm, and the transition provided a useful opportunity to validate controls, challenge assumptions and obtain assurance that systems continued to operate as intended.
Recent enforcement cases have also highlighted the diverse ways in which sanctions exposure can arise. Penalties issued against Bank of Scotland, Deutsche Bank AG London Branch, Apple Distribution International and Sabre Global Technologies Limited demonstrate that sanctions exposure is not confined to a single sector or business model. The Sabre case, together with the FCA's findings on sanctions systems and controls, points to a broader shift in expectations. Sanctions risk is no longer limited to identifying a name on a screening list. Firms increasingly need to consider how sanctions exposure can arise through ownership structures, payment flows, commercial arrangements, trade activity and the actions of third parties.
While screening remains a critical control, recent developments suggest regulators are taking a much wider view of how sanctions risks arise and whether firms genuinely understand where those risks sit across their business.
Perhaps the clearest message from the first half of the year is that responsibility cannot be delegated. Firms may outsource activities, use third-party providers or rely on group-wide processes, but responsibility for understanding and managing sanctions risk ultimately remains with the regulated entity’s senior management.
While the UK's cryptoasset regime has not yet fully taken effect, the first half of 2026 has given firms a much clearer view of where regulation is heading.
The FCA's January consultation on the application of the Handbook to regulated cryptoasset activities gave one of the clearest indications yet of how closely crypto firms are expected to align with the wider regulatory framework. The proposals extend beyond financial crime controls and include areas such as Consumer Duty, complaints handling, conduct standards, Senior Management and Certification Regime and regulatory reporting. Further details were provided through the FCA's consultation on cryptoasset perimeter guidance and the confirmation of the proposed authorisation timetable. Firms intending to undertake newly regulated cryptoasset activities will be able to apply between September 2026 and February 2027, ahead of the regime commencing in October 2027. These developments have helped answer many of the questions firms had been asking over the last few years. While some details remain to be finalised, the direction of regulation is becoming clear.
From a financial crime perspective, that means taking a closer look at governance arrangements, risk assessments and control frameworks. Customer due diligence, source-of-funds and source-of-wealth verification, sanctions screening, transaction monitoring, fraud controls, and third-party oversight should all be examined through a crypto lens. Firms should also consider whether their financial crime risk assessments adequately reflect the specific risks associated with cryptoasset products, cross-border activity and fast-evolving misuse typologies.
There is still time before the new regime comes into force, but firms now have enough information to begin asking practical questions. For example, which activities are likely to require authorisation? Which parts of the financial crime framework may need to change and align with new expectations? And where are the biggest implementation challenges likely to arise? For many firms, these are no longer questions for the future. These are questions that should already be forming part of implementation planning today.
The FCA's action against firms and individuals during the first half of the year also highlights another important point. Market abuse enforcement is rarely limited to the misconduct itself. Regulators are equally interested in the firm’s governance, oversight and control framework, particularly where weaknesses may have allowed misconduct to go undetected. One notable aspect of the first half of the year has been the volume of FCA enforcement activity directed at individuals. FCA action included cases involving insider dealing, unlawful disclosure of inside information and breaches of Article 15 of UK MAR, reinforcing the continued focus on personal accountability, market conduct and individual decision-making.
A similar message can be seen in the FCA's first Enforcement Watch publication, where governance failings, inadequate oversight and individual accountability featured prominently amongst the regulator's priorities. The FCA's decision to introduce a dedicated Market Abuse lot within the latest Skilled Person Panel also reflects the increasing emphasis being placed on market integrity and firms' ability to demonstrate effective governance, oversight and control frameworks in this area.
In our experience, most firms can clearly explain how their surveillance arrangements operate. What is often less clear is when those arrangements were last challenged to determine whether they remain fit for purpose. Recent enforcement activity suggests firms should look beyond the surveillance framework alone. Many of the underlying issues identified by the FCA relate to how inside information is handled, how employee behaviour is monitored, how concerns are escalated and how effectively management challenges potential risks.
The question for firms is simple: would they expect potential insider dealing, inappropriate disclosure of inside information, or other market abuse concerns to be identified internally before attracting regulatory attention? If the answer is unclear, it may be time to revisit governance arrangements, oversight of employee conduct, personal account dealing controls, management information, escalation procedures and staff training.
At the start of the year, we suggested that 2026 would be characterised less by the introduction of new financial crime requirements and more by increasing scrutiny of how firms respond to existing ones. Looking back, many of the themes we highlighted at the start of the year have continued to develop over the last six months.
Across fraud, sanctions, crypto regulation and market abuse, regulators have provided firms with a clearer picture of where their attention is focused and the questions they are increasingly asking. What stands out is the growing focus on ownership. Do firms understand the risks they face, challenge the effectiveness of their control frameworks and learn from the issues they encounter?
The themes differ across the areas. For fraud, the focus is increasingly centred on outcomes and what firms are learning from them. In sanctions, the message has been that responsibility cannot be outsourced, regardless of how many third parties, vendors or group functions are involved. For crypto, the conversation is gradually shifting from regulatory uncertainty to practical preparation. In market abuse, recent enforcement activity has been a useful reminder that governance, conduct and individual accountability must remain firmly on the firm’s agenda.
For many firms, the most useful question to ask during the second half of 2026 may be a simple one: if a regulator asked how we know that our current financial crime compliance framework is working, what would we point to? The firms in the strongest position will be firms that understand their risks, regularly challenge their assumptions and can demonstrate that lessons learned through regular monitoring and testing are translated into meaningful action through the right governance forums.
Many developments during the first half of 2026 have raised a similar challenge for firms: determining whether existing financial crime compliance frameworks are genuinely delivering the expected outcomes.
Thistle Initiatives supports firms by providing independent review and challenge across fraud risk management, sanctions, AML, and market abuse frameworks across all sectors. This includes assessing governance arrangements, robustness of policies and procedures, financial crime risk assessments, control effectiveness, management information, quality assurance and wider oversight arrangements. We also have significant experience in supporting firms that have, either proactively or via the FCA, identified weaknesses in their control frameworks and enhanced systems and controls to meet regulatory expectations. Our approach is practical, proportionate, and focused on helping firms understand not only where risks exist but also how to manage them more effectively.
Should you wish to discuss any aspect of your financial crime compliance framework, please get in touch.
Eva is a Manager at Thistle Initiatives, bringing over seven years of experience in financial crime management, regulatory compliance, and risk assessment. Previously, she led financial crime initiatives at an asset financing firm, where she presented insights to senior leadership and implemented robust control measures across the firm. Eva’s background includes roles at a bank and a brokerage firm, where she drove compliance initiatives, managed high-risk clients, and advanced financial crime systems and controls. As an ICA-certified MLRO, Eva is dedicated to safeguarding organisations against financial crime through strategic compliance frameworks and industry best practices.
Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.