This article discusses the top five areas that FS firms should prioritise in 2026, whereas a more detailed assessment can be found here Top risks for 2026 in the financial services sector - Forvis Mazars and includes further details on each risk mentioned in this article, as well as other risks facing FS firms and what they mean for your organisation.
In 2026, financial services firms face an increasingly complex and interconnected risk landscape shaped by rapid technological change and regulatory fragmentation. Geopolitical volatility influences regulatory divergence, which in turn complicates technology adoption and operational resilience. The interconnected nature of risks means they amplify one another, complicating mitigation strategies. Firms must adopt integrated, whole-of-firm, risk management approaches to manage this systemic complexity. Strong governance and risk culture, anchored in accountability, transparency and clear decision-making, remain critical enablers for effective risk management. Conversely, financial services firms that embed these risk management fundamentals to support progressive business strategies can seize the opportunities presented by rapid technological advancement while remaining resilient to technologically created threats.
Geopolitical and macroeconomic volatility remain the most pressing concern, as these forces not only reshape trade fragmentation, conflict escalation and global financial flows but also set the backdrop for other risks. Against this turbulent environment, technology and cyber security risk continue to intensify, driven by increasingly sophisticated attacks and compounded by third-party vulnerabilities. In response regulators are emphasising the importance of threat-led testing and board-level accountability, which in turn places operational resilience under sharper focus. Firms are now expected to demonstrate stress-tested continuity under the new Critical Third-Party rules, a requirement that intersects with the rapid adoption of AI. Yet this adoption has elevated ethical risk and the need for AI governance, with regulators concerned about bias, explainability and outsourcing practices. Finally, financial crime and fraud have surged, with authorised push payment (APP) scams, synthetic identities and crypto-related anti-money laundering (AML) concerns triggering thematic reviews and enforcement actions, underscoring how interconnected volatility, resilience and governance have become in shaping today’s risk landscape.
“The top risks for 2026 are deeply interconnected. Geopolitical volatility, technology disruption and operational resilience share common vulnerabilities and demand similar responses. Stress testing, strong governance and accountability are now foundational, not optional, for navigating systemic complexity.”
Gregory Marchat Financial Services Advisory Leader, Forvis Mazars Group
Geopolitical instability remains the most cited systemic risk, acting as a cross-cutting amplifier of vulnerabilities.[1]
Trade fragmentation, energy shocks and policy divergence threaten global financial flows and UK growth, with downside scenarios including GDP contraction and liquidity stress. Political transitions in major economies add regulatory unpredictability as jurisdictions pursue divergent policy paths, increasing complexity in cross-border compliance. Supervisors are increasingly incorporating risks and implications associated with geopolitical stress into supervisory frameworks. The Bank of England has signalled that firms must integrate geopolitical risk into Internal Capital Adequacy Assessment Process (ICAAP) and Own Risk and Solvency Assessment (ORSA) processes, and to demonstrate awareness of any jurisdictional risks in their strategic planning, with expectations for board-level oversight and scenario analysis.[2] Firms should also map and monitor exposures to identify key jurisdictions, supply chains and (groups of) counterparties vulnerable to geopolitical instability, and track developments continuously.
“In the current environment, geopolitical risk is a systemic amplifier of other risk areas. From a supervisory perspective, the focus in 2026 is on banks fully understanding these transmission channels end-to-end and being able to demonstrate how geopolitical shocks translate into operational disruption, and ultimately, into capital, liquidity and funding impacts.”
Eric Cloutier Group Head of Banking Regulations / Head of Global FS RegCentre, Forvis Mazars Group
Cyber security risk remains in the second spot in 2026, reflecting the expanding complexity and systemic impact of digital threats across financial services firms as they accelerate digital transformation, adopt AI and deepen reliance on third-party providers. Governor of the Bank of England Andrew Bailey has described cyber risk as one of the most challenging threats to financial stability, noting that its unpredictability makes it particularly difficult to prepare for and manage.[3]
Cybercrime is projected to cost businesses more than $11.9 trillion globally in 2026,[4] making it one of the most economically damaging risks worldwide. Financial services firms remain prime targets due to the sensitive data they hold and their critical role in economic infrastructure.
Cyber resilience is now a core regulatory priority: The CBEST framework, developed by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), continues to evolve. The 2024 thematic report emphasised threat-led testing, cyber hygiene and simulation of insider and supply chain attacks.[5] The Digital Operational Resilience Act (DORA), effective from January 2025 in the EU, introduces prescriptive requirements for ICT risk management, incident reporting and third-party oversight.
There are several actions that firms can take to manage cyber security risks including:
Operational resilience has evolved from a regulatory initiative to a strategic imperative; this is why it is a new entrant in our top five risks for this year. In 2026, financial services firms must demonstrate that resilience is embedded across governance, outsourcing and business-as-usual operations, not just documented in standalone frameworks to satisfy a compliance exercise. Regulators are expecting firms to operate consistently within impact tolerances under severe but plausible cross-functional scenarios. Therefore, operational resilience is about demonstrating that firms can withstand disruption, recover swiftly and learn continuously.
AI adoption in UK financial services surged in 2025, with 75% of firms now using AI and another 10% planning to adopt it within three years.[6] While AI offers transformative benefits in fraud detection, customer service and operational efficiency, it also introduces operational, ethical, governance and regulatory risks, particularly around bias, transparency and accountability, if poorly executed by firms.
Managing AI risk is as much about culture as it is about controls. Firms need a culture where ethical decision-making, accountability and transparency are embedded into day-to-day operations. Employees must understand the implications of AI-driven decisions, and boards must set the tone by prioritising responsible innovation. A strong risk culture ensures that governance frameworks are not just documented but lived, reducing the likelihood of bias, opaque models and consumer harm.
Financial services firms must contend with increasingly sophisticated threats as fraudsters leverage generative AI, synthetic identities and crypto-enabled money laundering. The risks from this pervasive and rapidly evolving threat may explain why the FCA’s 2025/26 work programme identifies fighting financial crime as one of its four strategic priorities.[7] From 1 September 2025, large organisations may be held criminally liable if an employee or associated person commits fraud intending to benefit the firm, unless the firm can demonstrate it had reasonable fraud prevention procedures in place. This places even greater emphasis on proactive controls, governance and monitoring.
“Financial crime is a reputational, operational and strategic risk. As fraud becomes more industrialised and tech-enabled, firms must continually invest in advanced fraud detection and prevention tools and demonstrate dynamic, outcomes-focused risk management.”
Luke Firmin Director and Head of Financial Crime, Forvis Mazars UK
2026 will continue to be shaped by geopolitical uncertainties, intensifying cyber threats, heightened operational and third-party risks, rapid AI deployment and tougher financial crime expectations. These are no longer emerging risks but immediate operational and strategic considerations. Supervisors expect firms to understand how severe disruption could arise and through which channels it may occur, as well as demonstrate that they can maintain resilience when it does. For firms, this means developing a joined-up view of vulnerabilities across businesses and jurisdictions, with scenarios that cut across different risk areas rather than treating each in isolation. Boards will need sharper insights into contagion and amplification effects of significant risk events. Anticipation, scenario testing and implementing preventive actions will be critical to navigating this complex environment.
“What will be essential in 2026 is for financial service firms to have an overarching view of their vulnerabilities and interconnectedness, to anticipate and be able to act quickly when conditions change. Navigating today’s complexity requires strong governance and close senior leadership oversight.”
Huseyin Sahin Banking Risk Consulting Lead UK / Global Risk Consulting Lead, Forvis Mazars UK
[1] Systemic Risk Survey Results - 2025 H1 : Bank of England; [2] Systemic Risk Survey Results - 2025 H1 : Bank of England; [3] Central Banking in extreme adversity - speech by Andrew Bailey : Bank of England; [4] The 7 Cyber Security Trends Of 2026 That Everyone Must Be Ready For; [5] CBEST Threat Intelligence-Led Assessments : Bank of England; [6] Artificial intelligence in UK financial services - 2024 : Bank of England; [7] FCA annual work programme 2025/26 : FCA
Subscribe to stay ahead of the curve with our comprehensive quarterly newsletters. Each edition is meticulously crafted to bring you the most current and impactful updates in the financial services regulatory landscape globally.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.