Top themes for the financial services sector in 2026

Consumer Duty '2.0’ 

Bringing an updated philosophy on consumer protection, the FCA is leveraging the Consumer Duty rules as a flexible tool to help streamline other elements of regulation. In its publications in September 2025, the FCA noted that it will carry out further work to review the following areas in 2026: 

• Product design – to ensure all products and services meet customer needs, particularly for vulnerable groups. 
• Outcomes monitoring – to make sure firms can measure consumer outcomes and take action to actively promote good outcomes (rather than avoid poor ones).
• Customer journey design – to assess whether firms adequately anticipate customer needs, with products that match their intended purpose (for the specific target market), that are easy to understand and have appropriate levels of friction.
• Customer communications – to ensure firms can identify the key points that customers need to understand at each stage of their journey, with appropriately tested communications to ensure they’re accessible, clear and timely. 

Other changes to watch out for include: a lead manufacturer role in distribution chains (with ultimate accountability for product governance); more clarity on the application of Consumer Duty to wholesale firms and distribution chains; greater FCA co-ordination with the Financial Ombudsman Service; simpler disclosure rules; and a review of current rules and definitions. 

Key takeaways for 2026  

As Consumer Duty continues to evolve, firms need to ensure that compliance is fully documented, with appropriate governance and oversight. Where there are any failings, the FCA expects firms to take prompt action to ensure fair value, prevent foreseeable harm and to evidence good consumer outcomes – particularly for vulnerable customers.

This is easier said than done, given the FCA’s non-prescriptive, principles-based approach, but success will largely depend on a firm’s ability to foster collaboration across the business and wider manufacturing, distribution and servicing chains. Firms that can do this effectively can leverage Consumer Duty to reduce the potential for poor customer outcomes, improve customer loyalty and drive market share. 

What’s next for Consumer Duty?

Read this article

Operational resilience

Operational resilience continues to be a major concern, since service outages can severely disrupt economic markets and harm businesses and consumers financially. Typical drivers of services outages include failings in cyber security and third-party risk management, with the Scattered Spider retail attacks serving as a stark reminder of their impact. There’s also transformation risk to consider and firms need to ensure they can embrace and adopt new technology with minimal disruption.  

In addition to the above, firms need to meet the PRA and FCA’s proposed new requirements on operational incidents and third-party reporting. Key changes include: 

• a formal definition for an operational incident and three distinct thresholds to determine whether to report (covering consumer harm, market integrity and safety and soundness)
• a standardised process for three distinct (templated) incident reports, via a pending online platform
• new requirements for most PRA-regulated and larger FCA-regulated firms to report on their material third-party arrangements (in addition to material outsourcing arrangements).  

Looking ahead, the PRA and FCA plan to consult on ‘Information and Communication Technology (ICT) and cyber risk management and resilience’ in Q2 2026, to boost capability across the sector. 

Key takeaways for 2026  

As a mainstay of the modern regulatory landscape, firms need to ensure they have robust operational resilience processes in place (both internally and across their supply chain), which continue to adapt to their risk profile and activities. Key considerations include the potential impact of business change programmes, AI adoption, geopolitical risk or macroeconomic factors, among others. Robust scenario testing, combined with effective horizon scanning, careful programme management and strong contingency planning can help mitigate operational resilience risks.

ESG

The PRA updated its climate risk management rules, building on the initial framework from 2019, once again putting climate risk at the forefront of the ongoing ESG dialogue. Recognising that firms’ capabilities continue to grow, the PRA has expanded its requirements to cover: 

• Stronger governance expectations – boards and senior management are expected to have clearly defined responsibilities for climate risk, with adequate expertise and training; climate considerations should also be embedded into all decision‑making, oversight and internal challenge processes.
• Better integration of climate factors with existing risk management frameworks including geographic, counterparty or sector exposures; and explicit recognition of litigation risk as a transition channel.
• Greater emphasis on materiality of climate risk over firm size, for improving proportionality.
• Increased focus over climate scenario analysis, which should be robust, well-documented and inform strategic planning.
• Refined data expectations with a focus on understanding of data limitations with appropriate (rather than conservative) proxies where data isn’t available. 

In addition to the above, ESG ratings providers are being brought into the FCA’s regulatory perimeter, meaning they will require authorisation and be subject to key FCA rules, including the Senior Managers and Certification Regime and the anti‑greenwashing rule. Addressing longstanding concerns over quality and consistency, the change will boost transparency and give firms greater assurance over underlying ESG data, with final rules due in Q4 2026. This is crucial to help financial services firms apply effective climate risk management and comply with the Sustainability Disclosure Requirements.  

Key takeaways for 2026 

To meet the challenges in 2026, key actions for financial services firms include: 

• a gap analysis of current climate risk management practices against the new requirements, with a board-approved plan due in June 2026
• reviewing current processes and documentation to assess materiality and proportionality
• align outputs from scenario analysis to strategic decision-making processes
• review current governance arrangements, internal reporting and ensure Board and senior management are appropriately skilled
• adjust any data proxies that are overly conservative, recognising current weaknesses in ESG ratings. 

Article

FCA consults on UK Sustainability Reporting Standards

Read more

Business and technology transformation 

The financial services sector continues to embrace technology transformation, including AI adoption. While this introduces a range of operational efficiencies, reduces costs and enables greater competition, it can require significant changes to platforms, operating models and technology infrastructure. This heightens risk for both operational resilience and Consumer Duty, and firms need effective technology and programme assurance in place.

In many cases, there may also be changes to people processes with implications for resourcing, specialist skillsets and further training requirements to support the target end-state. 

Key takeaways for 2026  

When following a transformation process, it’s important to consider:

• how it aligns to the wider business, people and IT strategies, including tailoring new tools to specific roles
• key regulatory frameworks such as Consumer Duty, operational resilience and ESG (including non-mandated commitments and climate-related goals)
• available technology solutions, vendor selection and support for user adoption. 

Under the new research and development (R&D) tax rules, firms can claim back up to 15% of the costs of certain R&D programmes over the previous two years – making innovation more affordable across the sector.  

Corporate Governance Code  

Under the updated Corporate Governance Code (Provision 29), firms must follow more prescriptive rules to report and disclose on their material controls. From 1 January 2026, boards must carry out an annual review of their material internal controls and disclose their effectiveness in the annual report. Covering material controls over compliance, operations, finance and reporting, the disclosure should include: 

• how the board has monitored and reviewed control effectiveness
• a clear judgment on whether material controls are effective (as of the balance sheet date)
• a summary of material controls not operating effectively and proposed actions to remedy it
• any actions taken to address issues reported in the previous report.  

Firms subject to US SOX can adapt and extend current processes to meet the new expectations, but other firms will need to implement new compliance activities to align.

Key takeaways for 2026  

Firms may struggle to identify their material controls and need to establish an effective framework for identification, assessment and reporting. FRC guidance states that material controls will be related to principal risks that could jeopardise the future business model, performance, liquidity, solvency or reputation. They also include external reporting that could influence investors (or is otherwise price sensitive), or controls on fraud, IT, data, AI or cyber security.

Given the breadth of topics involved, firms must develop appropriate oversight and MI frameworks for robust controls testing and timely reporting to support the board’s assessment process. 

Article

Non-financial misconduct – embedding the new rules

Read more

Financial crime 

The financial sector continues to embed business-as-usual processes around the Economic Crime and Corporate Transparency Act (ECCTA), which introduced a new liability for failure to prevent fraud in September 2025. Under these rules, in-scope firms are criminally liable if an associated person carries out fraudulent activity that benefits the business or its clients. Firms must be able to evidence ‘reasonable procedures’ to prevent fraud, including a clear definition of ‘associated persons’, and demonstrable understanding of exposures, with robust controls in place. While this represents a statutory change, the FCA has emphasised that its supervisory stance remains proportionate and risk-based, focusing on how firms adapt existing frameworks rather than imposing additional prescriptive requirements. 

Alongside this, the FCA has sharpened its focus on risk assessment to inform financial crime controls. This is reflected in two recent multi-firm reviews: one on financial crime controls in corporate finance firms and another on risk assessment processes and controls. These reviews reveal gaps in business-wide and customer risk assessments, while also identifying good practices such as tailored quantitative methodologies, strong governance links, and better alignment between risk appetite and the organisation’s risk assessments for consistent risk management. Firms should review these findings and conduct gap analyses to align with regulatory expectations, noting that the FCA’s updates are guidance-based rather than new rules, and reinforce existing expectations rather than creating new standalone obligations. 

Looking ahead, amendments to the money laundering regulations in 2026 will introduce significant changes including:  

• expedited onboarding for customers from failing banks
• an amended definition of a high-risk third country (which will reduce mandatory enhanced due diligence obligations)
• new obligations for crypto-asset businesses that align with existing requirements applicable to correspondent relationships. 

These developments may increase regulatory divergence internationally, requiring firms with global operations to reassess compliance frameworks. These are legislative changes, not additional FCA-imposed requirements and firms are expected to incorporate them within their current risk-based practices.  

The FCA’s remit will also expand in 2026 to include supervision of professional services firms and the payment services sector, following consolidation with the Payment Services Regulator. This does not introduce new obligations for existing regulated firms but broadens the FCA’s supervisory perimeter to include additional sectors.  

Additional developments on the horizon include anticipated legislation on the UK’s regulatory regime for digital assets in 2026, which will clarify financial crime requirements and signal the UK’s positioning relative to global moves. With the FCA’s increased scrutiny of private market risks, firms should also expect greater emphasis on ‘Know Your Assets’ due diligence for private market investments.  

Finally, the regulator is expected to continue advancing data-driven supervision and supporting responsible use of AI – reinforcing its commitment to technology-enabled compliance. Again, these changes shape expectations within existing frameworks rather than introducing prescriptive new FCA requirements across the board. 

Continued focus on sanctions compliance and preventing circumvention remains a priority, particularly given potential divergence between regimes. Organisations that operate in Europe will also need to be aware of the new criminal offence created through transposition of the EU Sanctions Directive, which is akin to a failure-to-prevent offence that will arise in the event of a breach of sanctions, if the relevant entity is found to have applied insufficient supervision or controls.  

Recent government policy announcements reaffirm the commitment to tackling financial crime, including a new UK Anti-Corruption Strategy to prevent corruption at home and abroad, and an international anti-corruption summit to be convened in July 2026. Together with the government’s preparations for the upcoming Financial Action Task Force (FATF) evaluation, we can expect further initiatives to strengthen the UK’s preventative financial crime framework over the coming year.  

Key takeaways for 2026  

Generally, the FCA expects firms to apply existing risk-based frameworks to meet new and emerging obligations. To continue to meet all supervisory expectations around financial crime prevention, and to prevent foreseeable consumer harm, key considerations include: 

• ongoing sanctions management processes 
• maintaining effective processes to identify and assess financial crime risks  
• a robust fraud prevention plan that focuses on due diligence 
• an effective control environment with ongoing monitoring, governance and oversight 
• well-communicated plans, policies and procedures to mitigate fraud and financial crime, with appropriately targeted training 
• working with the FCA to deliver appropriate data, policies and monitoring data to support the FCA's FATF submission 
• preparing for changes to the Money Laundering Regulations, including digital identity checks, expedited onboarding, enhanced due diligence and cryptosystems requirements 
• readiness for the FCA’s expanded supervisory remit covering professional services and payment services firms 
• planning for the UK’s upcoming digital asset regulatory regime and associated financial crime obligations 
• strengthening due diligence for private market assets in line with the FCA’s focus on ‘Know Your Assets’ 
• supporting data-driven compliance and building readiness for AI-enabled supervision. 

Geopolitical and macroeconomic factors

Financial services firms continue to operate in a challenging economic and geopolitical environment, including increased tariffs, sanctions activity and evolving cross‑border risks. Firms need to actively manage these exposures, which may crystallise through operational disruption, supply chain constraints, reduced trade flows or strategic shifts in business models. 

In 2026, the European Central Bank is running its first ever stress test to incorporate geopolitical risk, underlining its significance across the sector. Targeting 110 directly supervised banks in the EU, firms across insurance, capital markets and investment management can draw on the findings to strengthen financial and operational resilience.  

In the UK, interest rates remain elevated, with the Bank of England base rate now 3.75%. CPI inflation stood at 3.2% in November 2025, still above the Bank’s 2% target. The impact of the recent budget remains uncertain, with measures including minimum wage increases, continued freezes to income tax thresholds and changes to salary sacrifice pension arrangements expected to influence household finances and business costs. Growth forecast from the IMF is modest at 1.3% but is the second highest amongst the G7, when forecasted growth is assessed on a per capita basis (adjusting for changes in population) the UK slips to the bottom of the G7. 
  
The complex geopolitical landscape continues to drive upward pressure on energy and commodity markets. Associated sanction regimes are also subject to rapid change and firms must ensure they have robust monitoring and compliance processes in place. It’s also important to consider greater potential for state sponsored cyber risks and maintain a strong control environment.

Key takeaways for 2026  

The combined impact of macroeconomic pressures, ongoing geopolitical tensions and regulatory updates may affect supply chains, pricing, valuations, liquidity and strategic planning. In 2026, firms should review their current processes to consider: 

• heightened cyber threats and third-party vulnerabilities due to geopolitical uncertainties  
• current financial crime and increased sanctions monitoring requirements  
• scenario planning and stress testing to assess the the impact of geopolitical uncertainty on macroeconomic conditions and financial stability  
• customer support and treatment of vulnerable customers, recognising potential financial pressure on household budgets. 

Board and governance 

Regulatory expectations around board effectiveness and governance continue to rise, with increasing emphasis on clear accountability, effective oversight and evidence of challenge. In 2026, boards are expected to demonstrate that risks are not only understood, but that governance arrangements actively support good decision-making across the business. 

The FCA and the PRA continue to focus on how boards oversee non-financial risks, including operational resilience, financial crime, Consumer Duty, ESG, cyber risk, and technology risk. Regulators are paying closer attention to the quality of management information (MI), with particular scrutiny on whether it is timely, decision-useful and supports effective challenge, rather than being overly complex or backward-looking.

As firms continue to adopt new technologies and AI-enabled tools, boards are also expected to maintain appropriate oversight of data, model and third-party risk. This includes ensuring that accountability is clearly defined under existing governance frameworks, including the Senior Managers and Certification Regime, and that technology-related risks are integrated into broader risk and control discussions. Boards should also have oversight of AI governance more broadly, including development and deployment of AI tools, staff training and awareness, and ethical use.

Key takeaways for 2026

To strengthen board and governance arrangements in 2026, firms should focus on:

• clear ownership and accountability for key financial and non-financial risks
• improving the quality and relevance of MI to support effective board challenge
• ensuring governance frameworks adequately cover technology, data and AI risks
• embedding oversight of Consumer Duty, operational resilience and financial crime at board level
• aligning governance, risk and reporting processes to support consistent decision-making.

For more information contact Alex Ellerton. 

UK Regulatory Handbook 2025

Download now