“The top risks for 2026 are deeply interconnected. Geopolitical volatility, technology disruption and operational resilience share common vulnerabilities and demand similar responses. Stress testing, strong governance and accountability are now foundational, not optional, for navigating systemic complexity.”
Gregory Marchat, Financial Services Advisory Leader, Forvis Mazars Group
Top risks for financial services firms in 2026: key highlights
This article discusses the top five areas that FS firms should prioritise in 2026. A more detailed assessment, Top risks for 2026 in the financial services sector - Forvis Mazars, includes further details on each risk mentioned in this article, as well as other risks facing FS firms and what they mean for your organisation.
In 2026, financial services firms face an increasingly complex and interconnected risk landscape shaped by rapid technological change and regulatory fragmentation. Geopolitical volatility influences regulatory divergence, which in turn complicates technology adoption and operational resilience. The interconnected nature of risks means they amplify one another, complicating mitigation strategies. Firms must adopt integrated, whole-of-firm risk management approaches to manage this systemic complexity. Strong governance and risk culture, anchored in accountability, transparency and clear decision-making, remain critical enablers for effective risk management. Conversely, financial services firms that embed these risk management fundamentals to support progressive business strategies can seize the opportunities presented by rapid technological advancement while remaining resilient to technologically created threats.
Geopolitical and macroeconomic volatility remain the most pressing concern, as these forces not only reshape trade fragmentation, conflict escalation and global financial flows but also set the backdrop for other risks. Against this turbulent environment, technology and cyber security risk continue to intensify, driven by increasingly sophisticated attacks and compounded by third-party vulnerabilities. In response, regulators are emphasising the importance of threat-led testing and board-level accountability, which in turn places operational resilience under sharper focus. Firms are now expected to demonstrate stress-tested continuity under the new Critical Third-Party rules, a requirement that intersects with the rapid adoption of AI. Yet this adoption has elevated ethical risk and the need for AI governance, with regulators concerned about bias, explainability and outsourcing practices. Finally, financial crime and fraud have surged, with authorised push payment (APP) scams, synthetic identities and crypto-related anti-money laundering (AML) concerns triggering thematic reviews and enforcement actions, underscoring how interconnected volatility, resilience and governance have become in shaping today’s risk landscape.
Our top risk for 2026 remains geopolitical and macroeconomic volatility
Geopolitical instability remains the most cited systemic risk, acting as a cross-cutting amplifier of vulnerabilities.[1]
Trade fragmentation, energy shocks and policy divergence threaten global financial flows and UK growth, with downside scenarios including GDP contraction and liquidity stress. Political transitions in major economies add regulatory unpredictability as jurisdictions pursue divergent policy paths, increasing complexity in cross-border compliance. Supervisors are increasingly incorporating risks and implications associated with geopolitical stress into supervisory frameworks. The Bank of England has signalled that firms must integrate geopolitical risk into Internal Capital Adequacy Assessment Process (ICAAP) and Own Risk and Solvency Assessment (ORSA) processes, and demonstrate awareness of any jurisdictional risks in their strategic planning, with expectations for board-level oversight and scenario analysis.[2] Firms should also map and monitor exposures to identify key jurisdictions, supply chains and (groups of) counterparties vulnerable to geopolitical instability, and track developments continuously.
“In the current environment, geopolitical risk is a systemic amplifier of other risk areas. From a supervisory perspective, the focus in 2026 is on banks fully understanding these transmission channels end-to-end and being able to demonstrate how geopolitical shocks translate into operational disruption, and ultimately, into capital, liquidity and funding impacts.”
Eric Cloutier, Group Head of Banking Regulations / Head of Global FS RegCentre, Forvis Mazars Group
Cyber security remains number two for 2026
Cyber security risk remains in the second spot in 2026, reflecting the expanding complexity and systemic impact of digital threats across financial services firms as they accelerate digital transformation, adopt AI and deepen reliance on third-party providers. Governor of the Bank of England Andrew Bailey has described cyber risk as one of the most challenging threats to financial stability, noting that its unpredictability makes it particularly difficult to prepare for and manage.[3]
Cybercrime is projected to cost businesses more than $11.9 trillion globally in 2026,[4] making it one of the most economically damaging risks worldwide. Financial services firms remain prime targets due to the sensitive data they hold and their critical role in economic infrastructure.
Cyber resilience is now a core regulatory priority: The CBEST framework, developed by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), continues to evolve. The 2024 thematic report emphasised threat-led testing, cyber hygiene and simulation of insider and supply chain attacks.[5] The Digital Operational Resilience Act (DORA), effective from January 2025 in the EU, introduces prescriptive requirements for ICT risk management, incident reporting and third-party oversight.
There are several actions that firms can take to manage cyber security risks, including:
- Adopting threat-led testing such as CBEST-style assessments to simulate real-world attacks and embed findings into cyber strategy and risk mitigation actions.
- Ensuring board-level oversight of testing outcomes and mitigation strategies, with clear accountability for cyber resilience and third-party risk.
- Investing in cyber insurance; as insurers tighten underwriting standards, firms must demonstrate strong controls, encryption practices and response capabilities to secure coverage.
Operational resilience, outsourcing and third-party risk
Operational resilience has evolved from a regulatory initiative to a strategic imperative; this is why it is a new entrant in our top five risks for this year. In 2026, financial services firms must demonstrate that resilience is embedded across governance, outsourcing and business-as-usual operations, not just documented in standalone frameworks to satisfy a compliance exercise. Regulators are expecting firms to operate consistently within impact tolerances under severe but plausible cross-functional scenarios. Therefore, operational resilience is about demonstrating that firms can withstand disruption, recover swiftly and learn continuously.
AI adoption risk
AI adoption in UK financial services surged in 2025, with 75% of firms now using AI and another 10% planning to adopt it within three years.[6] While AI offers transformative benefits in fraud detection, customer service and operational efficiency, it also introduces operational, ethical, governance and regulatory risks, particularly around bias, transparency and accountability, if poorly executed by firms.
Managing AI risk is as much about culture as it is about controls. Firms need a culture where ethical decision-making, accountability and transparency are embedded into day-to-day operations. Employees must understand the implications of AI-driven decisions, and boards must set the tone by prioritising responsible innovation. A strong risk culture ensures that governance frameworks are not just documented but lived, reducing the likelihood of bias, opaque models and consumer harm.
Financial crime and fraud
Financial services firms must contend with increasingly sophisticated threats as fraudsters leverage generative AI, synthetic identities and crypto-enabled money laundering. The risks from this pervasive and rapidly evolving threat may explain why the FCA’s 2025/26 work programme identifies fighting financial crime as one of its four strategic priorities.[7] From 1 September 2025, large organisations may be held criminally liable if an employee or associated person commits fraud intending to benefit the firm, unless the firm can demonstrate it had reasonable fraud prevention procedures in place. This places even greater emphasis on proactive controls, governance and monitoring.
“Financial crime is a reputational, operational and strategic risk. As fraud becomes more industrialised and tech-enabled, firms must continually invest in advanced fraud detection and prevention tools and demonstrate dynamic, outcomes-focused risk management.”
Luke Firmin, Director and Head of Financial Crime, Forvis Mazars UK
Navigating a complex risk landscape in 2026
2026 will continue to be shaped by geopolitical uncertainties, intensifying cyber threats, heightened operational and third-party risks, rapid AI deployment and tougher financial crime expectations. These are no longer emerging risks but immediate operational and strategic considerations. Supervisors expect firms to understand how severe disruption could arise and through which channels it may occur, as well as demonstrate that they can maintain resilience when it does. For firms, this means developing a joined-up view of vulnerabilities across businesses and jurisdictions, with scenarios that cut across different risk areas rather than treating each in isolation. Boards will need sharper insights into contagion and amplification effects of significant risk events. Anticipation, scenario testing and implementing preventive actions will be critical to navigating this complex environment.
“What will be essential in 2026 is for financial service firms to have an overarching view of their vulnerabilities and interconnectedness, to anticipate and be able to act quickly when conditions change. Navigating today’s complexity requires strong governance and close senior leadership oversight.”
Huseyin Sahin, Banking Risk Consulting Lead UK / Global Risk Consulting Lead, Forvis Mazars UK
[1] Systemic Risk Survey Results - 2025 H1, Bank of England
[2] Systemic Risk Survey Results - 2025 H1, Bank of England
[3] Central Banking in extreme adversity - speech by Andrew Bailey, Bank of England
[4] The 7 Cyber Security Trends Of 2026 That Everyone Must Be Ready For
[5] CBEST Threat Intelligence-Led Assessments, Bank of England
[6] Artificial intelligence in UK financial services - 2024, Bank of England
[7] FCA annual work programme 2025/26, FCA