Financial crime regulatory developments: April 2026

18 May 2026

Tags Financial services Management consulting Risk consulting Insights

In April, the FCA identified weaknesses in CDD frameworks, progressed SM&CR reforms, and consulted on cryptoasset regulation whilst promoting AML innovation through synthetic data. OFSI also signalled a more proactive sanctions approach, and the Crime and Policing Act 2026 increased corporate liability and senior management accountability.

Financial Conduct Authority (FCA)

Firms’ customer due diligence processes and controls

Summary: This article shares the outcome of the FCA's 2025 multi-firm review of CDD, EDD and ongoing due diligence controls. The key findings are summarised below:

Policies and procedures:

Insufficient detail or practical guidance for staff on the verification of customer identity, including the forms of alternative evidence that can be used.
Failure to maintain document version control and detail on when senior management sign-off is needed.
Lack of explanation as to what additional measures should be applied for EDD purposes.
Limited detail is provided on how often periodic reviews should occur and what firms are expected to do for event-driven review.
Firms not following their own policies at an operational level.

CDD/EDD:

Limited information on the purpose and intended nature of the customer relationship.
Some cases show limited evidence of how approaches differ between high and low risk customers.
Periodic review timeframes not always adhered to as required.
Limited examples of scenarios or types of customers that require senior management approval to demonstrate effective governance and oversight.

Compliance monitoring and audit:

An example of a firm's staff completing both the onboarding of the customer and the second line assurance work.
Insufficient detail on checking for quality control.
A lack of version control in some firms’ documentation meant they could not evidence an audit trail of changes or periodic review.

Impact: It is recommended that regulated firms consider whether any of the areas of ineffectiveness identified may be relevant to their own control environments and focus on these areas as part of the monitoring and testing of financial crime related controls.

Publication source

Crypto asset regime consultation

Summary: This publication explains how the FCA proposes to define the regulatory perimeter for crypto asset activities, setting out which activities will require authorisation under the UK’s new crypto regime from September 2026. The guidance aims to give firms clarity on when they fall within scope, including for stable coins, custody, trading, dealing and staking activities.

Impact: This will primarily interest firms that participate in, or support the services of, regulated crypto asset activities. Firms should submit their views on the proposals by 3 June 2026.

Publication source

Research notes on a project delivered with the Alan Turing Institute and Plenitude Consulting to develop a synthetic dataset aimed at supporting innovation in money laundering detection.

Summary: The report explains how synthetic data can be used to create realistic, privacypreserving datasets with embedded money laundering typologies, allowing firms to safely test and develop AML detection tools without relying on real customer data.
It finds that synthetic data can support meaningful experimentation and innovation, particularly in areas such as AIdriven monitoring, but should complement rather than replace live data.

Impact: Firms are expected to test and evidence the effectiveness of detection capabilities using safe, shareable datasets whilst maintaining robust validation against real-world risks.

Publication source

Senior Managers and Certification Regime review

Summary: This FCA publication outlines changes to the Senior Managers and Certification Regime (SM&CR) as part of the first phase of the reforms. Phase 1 introduces a range of measures, including:

Criminal record checks: validity period extended from 3 months to 6 months, no longer required for internal or intragroup moves.
Firms now have 12 weeks to submit an SMF application, rather than needing approval within that period.
SMF role clarity for SMF 7 and SMF 18.
New guidance on the allocation of Prescribed Responsibilities and when it is appropriate to split responsibilities across individuals.
Conduct rules and reporting: requirement to report Senior Manager Conduct Rule breaches promptly (not just annually), distinction drawn between disciplinary action and non-reportable matters.

Impact: mostMost changes came into force on 24 April 2026, so firms can benefit from them straight away.

Publication source

GOV UK

Crime and Policing Act 2026

Summary: The Crime and Policing Act 2026 is now in force, significantly expanding the scope of corporate criminal liability for UK businesses. Under the new regime, organisations may now be held criminally liable for any offence committed by a senior manager acting within the actual or apparent scope of their authority.

Impact: The Crime and Policing Act 2026 will make it much easier for law enforcement to hold UK corporates criminally liable for offences committed by their senior management.

Publication source

Office of Financial Sanctions Implementation (OFSI)

OFSI strategy 2026-2029

Summary: OFSI' strategy for 2026-2029 sets out how the UK will strengthen its sanctions regime in an increasingly complex economic crime and economic crime environment. It introduces the Promote, Enable, Respond and Change (PERC) framework and the strategy also commits to greater use of data and AI, stronger international alignment and transparent KPIs to measure delivery.

Impact: Firms should be aware of the OFSI’s strategic direction, as well as its expectations for firms and increased focus on targeted, intelligence-led and proactive enforcement.

Publication source