
The five biggest compliance risks for 2026

Published: 01 Dec 2025 | Updated: 28 Nov 2025

By Keval Patel, Compliance Consultant and Bradley Stratford, Principal Consultant

As we approach 2026, compliance teams should be looking to prepare for emerging challenges. Here are the top risks we think all firms should be focusing on.

1. AI and technology

Adoption of artificial intelligence and advanced technology is accelerating, and with change comes risk. Rather than introducing new rules specific to AI, the Financial Conduct Authority (FCA) has taken a deliberately principles-based approach, as confirmed in ‘AI and the FCA: Our Approach’. Firms are expected to use existing regulatory frameworks (Consumer Duty, Governance and Accountability) to manage risks from AI and new technology.

For compliance leaders navigating this landscape, the question isn’t whether to become AI experts, but how to understand and oversee AI use across their firms.

Key concerns include:

  • Bias and unfair outcomes – FCA research highlighted that machine learning risks include historical exclusion, sampling bias, variable selection and human interpretation errors. Firms need robust human oversight and mitigation to prevent customers being treated unfairly
  • Third party risk – The Bank of England and FCA found in a survey of AI and machine learning that a third of financial services firms use AI via third party implementation with many relying on the same top three vendors. This concentration risk could trigger industry-wide disruption without adequate resilience testing and monitoring
  • Data privacy – With the increase of AI use, firms will need to strengthen data integrity measures when embedding third party AI, prevent unauthorised access and provide specialised staff training to avoid misuse and data loss

2. Consumer Duty

Consumer Duty remains a key priority for the FCA in 2026. Firms must demonstrate they design, price and deliver products that achieve good customer outcomes.

The FCA has launched five cross-cutting projects targeting areas for improvement identified in its good practice observations:

  • Products and services – Addressing poor product governance, inadequate support for vulnerable customers and failure to meet customer needs
  • Outcomes monitoring – Tackling insufficient board-level discussion of Consumer Duty and customer outcomes
  • Customer journey design – Ensuring journeys reflect customer behaviour and adapt continuously. The regulator expects friction points that highlight costs and exclusions so customers understand what they’re agreeing to
  • Journey delivery – Examining how firms apply friction to ensure customers’ needs are met throughout their experience
  • Consumer understanding – Verifying firms help customers make informed decisions through clear information on robust outcome management information

3. Financial crime

The FCA’s Policy Statement PS24/17 and its accompanying updated guidance set clear expectations around sanctions, transaction monitoring, customer due diligence and oversight of politically exposed persons (PEPs).

Critical areas include:

  • Transaction monitoring – Systems must avoid excessive false positives, reflect evolving scam methodologies and enable timely investigation and escalation
  • Sanctions – Firms need up-to-date screening capabilities, rapid response to regulatory changes and sufficient sanctions checks throughout the customer relationship
  • PEPs – Firms must identify PEP status, assess sources of funds, identify close associates and family members, and apply risk-appropriate due diligence without discriminatory treatment

4. Operational resilience and third parties

PS24/16 “Operational Resilience: Critical Third Parties to the UK Financial Sector” gives regulators powers to oversee critical third-party service providers whose disruption could threaten financial stability. The rules require firms to maintain resilience testing, scenario testing, incident reporting and notification of serious events to both the FCA and affected firms.

Many firms rely on a small number of vendors for cloud, data, and model operations. This concentration poses sector-wide risks if one provider experiences disruption. Regular vendor risk reviews are essential.

5. Non-financial misconduct

The FCA has finalised rules which embed non-financial misconduct (NFM) into the Code of Conduct, including its impact on senior management fitness and propriety. From September 2026, non-banks will align with conduct rules already applied to banks.

FCA survey data shows NFM incidents rose between 2021 and 2023, with bullying, harassment and discrimination (each up around 25%) most frequently reported.

Firms should ensure senior management champions appropriate culture, establish accessible reporting channels, update disciplinary policies and continuously review NFM management procedures.

Looking ahead

Despite the FCA’s stated mission to reduce the regulatory burden, compliance risks continue to loom large. Firms need to invest appropriate time and resource into identifying and managing these challenges – and there’s no time like the present to start.

Our experienced UK regulatory compliance team is here to help you navigate these evolving requirements. Get in touch today to discuss how we can support your compliance strategy for 2026.
