
Financial Crime Compliance: What to Expect in 2026

As we head into 2026, many initiatives that have been in place for the last few years will start to crystallise into binding obligations, supervisory reviews, and enforcement expectations. For financial services firms, 2026 will be less about implementing changes and more about demonstrating operational embeddedness and control effectiveness.

Fraud Risk Management: Moving Beyond Compliance

From a fraud perspective, in the last 16 months, firms have had to manage the implementation of the APP fraud reimbursement scheme and the Failure to Prevent Fraud corporate offence.

Towards the end of 2025, we started seeing firms receiving various communications from the FCA on the effectiveness of their APP fraud controls, following a year of embedding enhanced and targeted controls to manage the new regime. As we head into 2026, it is likely the FCA will expand its independent evaluation, moving regulatory focus from implementation to assessing effectiveness and consistency.

This will include assessing:

  1. Fairness, timeliness, and consistency of reimbursement outcomes
  2. How the “reasonable steps” test is applied in practice
  3. Effectiveness of fraud prevention controls and customer interventions
  4. Approach to identifying and supporting vulnerable customers
  5. Quality of governance, management information, and oversight of fraud trends and root causes

The expectation will not be zero fraud, but clear evidence that firms are learning from cases and improving controls. Consequently, with likely FCA requests, firms should be reviewing and ensuring they are comfortable with:

  1. Claims handling and dispute resolution frameworks
  2. How decision-making criteria are documented, consistent, and auditable
  3. How reimbursement data is used to drive root-cause analysis and control enhancements
  4. Customer communications, particularly around warnings, delays, and reimbursement decisions
  5. Whether boards and senior management receive meaningful qualitative MI, not just volumes and losses

In 2026, firms that cannot explain why outcomes differ across cases will be exposed to challenge.

The corporate offence of Failure to Prevent Fraud, which came into force just over four months ago, represents a fundamental shift in how fraud risk is managed and ultimately supervised. Although the Economic Crime and Corporate Transparency Act (ECCTA) sought to help combat the serious issue of fraud in the UK, the offence itself is, of course, not about whether fraud occurs, but whether a firm can demonstrate it has reasonable fraud prevention procedures.

A general rule of thumb is that embedding takes three to six months, depending on the size of the change and the size of the firm. Consequently, four months in, firms should be looking to understand whether any enhancements to control frameworks have now been, or are close to being, embedded appropriately and are working effectively.

Firms should be asking themselves:

  1. Does my latest fraud risk assessment detail the current risks we face, both internal and external fraud? A significant number of fraud risk assessments we have seen in recent times only focus on one.
  2. Do we have preventative controls in place to mitigate our risks, including:
    1. Segregation of duties and access controls
    2. Payment and instruction verification processes
    3. Approval thresholds and dual controls
    4. Supplier and third-party onboarding controls
  3. Do my detection and monitoring controls appropriately monitor customer behaviours, with appropriate escalation processes?
  4. Has training delivered to staff been risk-based and effective? Has our QC (1LOD) and/or QA (2LOD) framework identified any gaps in knowledge and awareness?
  5. Have we seen meaningful management information (MI) presented to senior management? How engaged has senior management been?
  6. Have we had to use our incident response plan, and did it meet the SLAs required? What did we learn from the incident, and how has this translated into control enhancements?

Consequently, firms need to ensure during 2026 that they move away from design enhancements and into testing and assurance, so that they can appropriately evidence that they have reasonable procedures if and when they are challenged.

We've summarised the points above in an easy-to-follow framework below:

[Diagram: Fraud risk framework v2]

Sanctions: Tougher Enforcement and Higher Expectations

Sanctions enforcement is expected to intensify further in 2026, highlighted by proposals to increase maximum penalties and to improve the speed and efficiency of enforcement action. This signals a clear intent from relevant authorities to place greater emphasis on the effectiveness of firms’ sanctions controls and their ability to prevent breaches in practice, rather than relying on procedural compliance alone.

For firms, this means closer and more searching scrutiny of sanctions screening arrangements, particularly the accuracy and timeliness with which potential matches are identified, reviewed, and resolved. The FCA is likely to examine whether alerts are handled promptly in line with defined service level agreements, and whether delays could expose firms to the risk of dealing with sanctioned parties. There will also be an increased focus on ownership and control analysis, including the application of the 50% rule, with firms expected to demonstrate a clear and well-documented understanding of complex ownership structures and control relationships.

Governance and decision-making will be another key area of attention. The FCA will expect firms to show that sanctions-related decisions are escalated appropriately. In our experience, the majority of firms operate an appropriate first line of defence ‘doing’ model and second line of defence ‘assurance’ model, allowing a natural escalation route for alerts which cannot be discounted, without Compliance being too involved in the day-to-day alert management. The FCA also expects firms to have effective senior management oversight through robust MI and challenge. This is an area where firms continue to fall short. Although many firms will have data-driven MI around the number of alerts escalated to the second line, as well as true matches which are consequently reported, most fail to document how this data is discussed and challenged. Rarely do we see in our work senior management questioning spikes in alerts or delays in investigating alerts due to resourcing. A clear audit trail of such discussions is an easy way to show the FCA that senior management is engaged in sanctions prevention.

To prepare for this continued increased scrutiny, firms should review the effectiveness of their sanctions screening systems and alert handling processes, ensuring that they are appropriately calibrated and supported by realistic and enforceable SLAs. The FCA is expected to continue, and likely expand, its use of testing tools incorporating synthetic data through 2026 as part of its supervisory and assurance toolkit. To ensure tools are working effectively, firms should implement regular testing using their own synthetic data, document the rationale for exclusions, and tune decisions. Crucially, firms should be able to evidence how testing outcomes lead to enhancements in system configuration and escalation processes, as the FCA will be less interested in the sophistication of tools alone and more focused on whether testing demonstrates that those tools work in practice.

Firms also need to prepare for structural changes in sanctions compliance. From 28th January 2026, the UK will move to a single list for all sanctions designations. This change aims to simplify the screening process for firms. OFSI has issued guidance urging businesses to switch to the UK Sanctions List as their primary source well before the deadline.

Beyond updating internal processes, firms should also confirm that their screening vendors are sourcing and processing the correct data. With the OFSI list being retired, assurance over vendor readiness, such as data feeds, matching logic, and identifier updates, will be critical to avoid gaps in sanctions screening once the transition takes effect.

AML Reforms and Digital Identity: From Policy to Practice

The direction set by HM Treasury points towards a more efficiency-driven approach to compliance, as well as providing further clarity on expectations, rather than lowering standards. The UK’s Money Laundering Regulations have always been more principles-based, with prescriptive minimum requirements. The latest expected reforms to the Regulations are perhaps moving the dial, with more clarity on customer due diligence and enhanced due diligence expectations, helping firms distinguish more clearly between standard and higher-risk customers (perhaps not too dissimilar to the approach recently taken by the FCA in its updated PEP Guidance).

Further, in 2026, firms should expect the FCA to articulate more clearly “what good looks like” in the deployment of digital identity solutions. This will include expectations that digital ID is used in a genuinely risk-based way, applied where it enhances effectiveness and efficiency, rather than as a blanket solution. The FCA is also likely to focus on the strength of ongoing assurance and governance arrangements, including how digital identity tools are monitored, tested, and reviewed over time. Crucially, digital ID solutions will be expected to integrate seamlessly into wider AML frameworks, rather than operating as standalone or siloed controls.

To prepare, firms should assess where digital identity can improve due diligence processes without introducing new or unmanaged risks. This includes understanding the limitations of specific technologies, such as coverage gaps, data quality issues, or challenges in higher-risk scenarios. Digital solutions should be supported by clear governance, senior ownership, and robust oversight, with defined fallback controls for cases where technology alone is insufficient. Firms should also avoid over-reliance on automated outcomes, ensuring that human judgment, appropriate escalation, and enhanced due diligence remain available and effective.

Crypto Regulation: From Consultation to Implementation

For firms operating in the cryptoassets sector, 2026 will see cryptoasset activities subject to formal authorisation requirements or variations of existing permissions, bringing them firmly within the FCA’s supervisory perimeter. Consequently, cryptoasset firms are being integrated into the mainstream regulatory framework, with equivalent expectations around financial crime compliance. This means that firms will be judged not only on the existence of controls, but on how effectively those controls operate in practice.

To prepare, firms should begin implementation planning well in advance, even where final rules are still pending. Early gap analysis can help identify where existing frameworks already align with anticipated requirements and where enhancements are likely to be needed, particularly in areas such as customer due diligence and the verification of beneficial ownership and source of funds, two of the heightened risks of the sector. Financial crime risk assessments should be refreshed to ensure that crypto-specific money laundering typologies and cross-border risks are explicitly captured and understood.

Governance will be a particular area of focus, with the FCA expecting clear senior management accountability for such activities, robust oversight of outsourcing and third-party arrangements, and effective challenge at the board level. Firms that delay action until final rules are published risk facing compressed implementation timelines, operational strain, and increased regulatory scrutiny. In contrast, those that plan early and embed regulatory expectations into their core frameworks will be better positioned to navigate 2026 with confidence.

The Bottom Line: Evidence is Everything

Looking ahead to 2026, the focus will be on operational effectiveness and the ability to evidence that controls are not only designed well but are embedded and working in practice. This includes demonstrating fair and consistent outcomes under the APP fraud regime, robust sanctions screening tools, and the seamless integration of digital identity verification into broader frameworks. Firms that proactively test, challenge, and enhance their controls and can clearly articulate the rationale and results to the FCA will be best positioned to navigate the evolving regulatory environment with confidence.

Should you wish to discuss any aspect of your financial crime compliance framework, please get in touch.



 

Meet the Experts


Eva Koreskova, Senior Consultant

Eva is a Senior Financial Crime Consultant, bringing over seven years of experience in financial crime management, regulatory compliance, and risk assessment. Previously, she led financial crime initiatives at an asset financing firm, where she presented insights to senior leadership and implemented robust control measures across the firm. Eva’s background includes roles at a bank and a brokerage firm, where she drove compliance initiatives, managed high-risk clients, and advanced financial crime systems and controls. As an ICA-certified MLRO, Eva is dedicated to safeguarding organisations against financial crime through strategic compliance frameworks and industry best practices.

 


Michael Knight-Robson, Financial Crime Partner

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.