1. Geopolitical and Macroeconomic Volatility
Geopolitics in 2026 is not just a standalone risk - it acts as a cross-cutting amplifier of other vulnerabilities. Political instability and regulatory divergence interact with pre-existing weaknesses in technology, resilience, and supply chains, magnifying their impact. This interconnectedness underscores why firms must treat geopolitical factors as a systemic influence embedded across strategic planning, operational resilience, and compliance frameworks. The Bank of England’s December 2025 Financial Stability Report reinforces this view [5], warning that global fragmentation, energy shocks, and policy divergence remain key downside risks to UK growth and financial stability.
Geopolitical risk landscape
Geopolitical risk continues to be the most cited concern in the Bank of England’s Systemic Risk Survey (2025 H1), with 67% of respondents identifying it as the most likely risk to materialise and 87% citing it as having the highest potential impact [6]. These results are consistent with previous surveys and underline the persistent, systemic nature of geopolitical instability as a dominant threat to financial services firms.
Key developments in the geopolitical macroeconomic landscape
UK macroeconomic environment: The UK economy is expected to remain subdued in 2026, with GDP growth forecasts ranging between 0.8% and 1.2%, reflecting persistent global trade frictions and domestic fiscal tightening. Independent forecasts point to modest growth under baseline assumptions, but the outlook is skewed to the downside. Inflation is projected to ease toward 2.3–2.5% [7] by late 2026 as energy shocks fade, while the Bank of England base rate is expected to fall gradually to around 3.25–3.5% by mid-2026, offering some relief to borrowers. However, trade fragmentation could reduce UK GDP by up to 1.1% below baseline in a severe scenario, amplifying risks to investment and liquidity [8]. The Autumn 2025 Budget introduced targeted tax increases on property, savings, and dividends, but stopped short of raising the bank surcharge, though sector-specific measures remain possible [9]. These dynamics highlight the need for firms to incorporate downside scenarios into stress testing and capital planning.
US-China tensions: Reciprocal tariffs and semiconductor restrictions have led to a 35% YoY decline in US imports of Chinese goods, disrupting global supply chains and increasing FX volatility [10]. More broadly, the IMF estimates that the April 2025 US tariff surge contributed to a 0.2 percentage point downgrade in global growth forecasts [11], with trade rerouting and efficiency losses expected to persist. While exemptions and trade negotiations have softened the immediate impact, the statutory effective tariff rate remains elevated, and long-term consequences for global trade flows are still unfolding.
Middle East instability: Escalating tensions between Israel and Iran continue to threaten energy markets and shipping routes, particularly in the Red Sea and Suez Canal.
Election cycles: Political transitions in the US, India, and the EU are contributing to regulatory unpredictability and policy divergence, which is especially important in 2026 as firms face heightened uncertainty around AI, cyber, and resilience regulations due to shifting leadership priorities and potential changes in legislative agendas.
Global fragmentation: Trade barriers and protectionist policies are reshaping the global financial system, with the IMF warning that fragmentation could reduce cross-border investment by 15% and cost the global economy up to $5.7 trillion in extreme scenarios [12].
While baseline forecasts point to modest growth and easing inflation, the outlook remains skewed to the downside. Persistent geopolitical tensions, trade fragmentation, and energy shocks could derail recovery, while domestic fiscal tightening and policy uncertainty amplify vulnerability. Firms should prepare for scenarios where global and UK growth underperform expectations, with implications for credit quality, liquidity, and capital planning.
Regulatory fragmentation
A critical outcome of geopolitical risk is regulatory fragmentation. As jurisdictions pursue divergent policy paths (particularly post-Brexit and amid rising protectionism), firms face increasing complexity in cross-border compliance. This includes differing ESG disclosure regimes (e.g. UK SDR vs EU SFDR), divergent AI governance frameworks, and differing implementation of prudential standards such as Basel 3.1.
Supervisory focus
Regulators are increasingly incorporating the risks and implications of geopolitical stress into supervisory frameworks. Both the EIOPA 2024 insurance stress test and the EBA 2023 EU-wide stress test included geopolitical scenarios to assess systemic resilience. The Bank of England has also signalled that firms must integrate geopolitical risk into ICAAP and ORSA processes and demonstrate awareness of jurisdictional risks in their strategic planning, with expectations for board-level oversight and scenario analysis [13].
How firms should prepare for geopolitical and macroeconomic risks in 2026:
- Consider geopolitical factors within the firm’s stress testing scenarios: Ensure stress testing frameworks reflect severe but plausible geopolitical disruptions, including trade fragmentation and energy shocks, and how they may impact your firm (e.g. constrained access to liquidity).
- Map and monitor exposures: Identify key jurisdictions, supply chains, and (groups of) counterparties vulnerable to geopolitical instability and track developments continuously. Ensure those risks are reflected and scored in risk and compliance assessment processes.
- Embed into board-level governance: Ensure that the impacts of geopolitical risks are regularly reviewed at Board and Executive Committee level, with clear ownership and escalation protocols.
- Strengthen contingency planning: Update business continuity and crisis response plans to reflect geopolitical risks, including cross-border operational disruptions.
“In the current environment, geopolitical risk is a systemic amplifier of other risk areas. From a supervisory perspective, the focus in 2026 is on banks fully understanding these transmission channels end-to-end and being able to demonstrate how geopolitical shocks translate into operational disruption and, ultimately, into capital, liquidity and funding impacts.” - Eric Cloutier, Partner, Global Head of Banking Regulations, Forvis Mazars Group
2. Technology and Cybersecurity
Cybersecurity risk remains a top risk in 2026. This reflects the growing complexity and systemic impact of digital threats across financial services. As firms accelerate digital transformation, adopt AI, and deepen reliance on third-party providers, the threat landscape is evolving rapidly. Andrew Bailey, Governor of the Bank of England, has described cyber risk as one of the most challenging threats to financial stability, noting that its unpredictability makes it particularly difficult to prepare for and manage [14].
According to the UK Government’s Cyber Security Breaches Survey, 43% of UK businesses experienced a cyber breach or attack in the past year, down from 50% in 2024, but this decline is largely driven by fewer small firms reporting incidents. Medium and large firms remain highly targeted, with 67% and 74% respectively reporting breaches, consistent with previous years [15].
Phishing remains the most prevalent and disruptive attack, affecting 85% of breached businesses. Meanwhile, ransomware attacks have doubled, and third-party involvement in breaches has surged to 30% [15]. In response, regulators such as the PRA and FCA are intensifying scrutiny, with the Bank of England’s CBEST programme continuing to highlight gaps in foundational cyber defences and threat intelligence integration. The sector is under pressure to demonstrate robust cyber resilience: not just technical controls, but also governance, oversight, and strategic preparedness.
Cyber threat landscape
Cybercrime is projected to cost businesses over $11.9 trillion globally in 2026 [16], making it one of the most economically damaging risks worldwide. Financial services firms remain prime targets due to the sensitive data they hold and their critical role in economic infrastructure.
In the UK, banks are now required to reimburse victims of APP scams, including phishing and payment fraud, under the CHAPS reimbursement rules introduced by the Payment Systems Regulator (PSR) [17]. These rules, effective from 7 October 2024, mandate that Payment Service Providers (PSPs) compensate affected individuals and businesses, aligning with similar protections under the Faster Payments Scheme.
Key technology developments heightening the risk of cyber incidents
Legacy systems: Firms relying on legacy systems are at heightened risk of cyberattack because of unpatched vulnerabilities and the absence of vendor support. According to the FCA’s multi-firm review “Implementing Technology Change” [18], over 90% of UK FS firms still rely on legacy infrastructure and applications to deliver production services.
Third-party risk: 58% of UK financial firms experienced at least one third-party cyberattack in 2024, yet only 14% conduct continuous assessments of their providers [19].
Quantum computing: While still emerging, quantum technologies threaten to render today’s public-key encryption obsolete. Under the “harvest now, decrypt later” strategy, adversaries record encrypted traffic now in order to decrypt it once a sufficiently capable quantum computer exists, so data that must stay confidential for years is already exposed. This is prompting migration to post-quantum cryptography (PQC), and the first step is an inventory of where cryptographically protected data lives, which key exchange protects it, and how long it must remain confidential.
Deepfakes: Attackers are using deepfake audio and video to impersonate executives and manipulate employees, with several UK firms reporting spoofed payment requests.
Agentic AI: Autonomous AI agents are now capable of running adaptive social engineering and malware campaigns, probing defences and bypassing traditional controls.
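To make the “harvest now, decrypt later” point concrete, the following is an added example (not code from the original article or from Forvis Mazars) that triages a constructed crypto inventory using Mosca’s inequality: if the years the data must stay confidential (X) plus the years needed to migrate the system (Y) exceed the assumed years until a cryptographically relevant quantum computer (Z), traffic captured today is at risk. The inventory entries, the 10-year horizon and the set of key-exchange groups treated as quantum-safe are all hypothetical planning assumptions chosen for illustration, not figures from the page.

```python
"""Prioritise 'harvest now, decrypt later' (HNDL) exposure across a crypto inventory.

Added illustrative example. Applies Mosca's inequality X + Y > Z per service:
  X = years the data must remain confidential
  Y = years needed to migrate this service to a quantum-safe key exchange
  Z = assumed years until a cryptographically relevant quantum computer (CRQC)
Signature algorithms are deliberately ignored here: forging a signature needs a
CRQC at the time of use, whereas recorded key exchanges can be broken later.
"""
from dataclasses import dataclass

# Hypothetical planning assumption for Z, not a forecast.
CRQC_HORIZON_YEARS = 10

# Key-exchange groups treated as quantum-safe for this triage (assumption).
# Hybrid groups keep confidentiality even if the classical half is broken.
PQ_SAFE_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768", "ML-KEM-768", "ML-KEM-1024"}


@dataclass(frozen=True)
class Service:
    name: str
    kex: str               # negotiated TLS key-exchange group / mechanism
    secrecy_years: int     # X
    migration_years: int   # Y


@dataclass(frozen=True)
class Finding:
    name: str
    exposed: bool
    margin_years: int      # Z - (X + Y); negative means HNDL-exposed
    reason: str


def assess(service: Service, horizon: int = CRQC_HORIZON_YEARS) -> Finding:
    """Classify one service. Quantum-safe KEX short-circuits to 'not exposed'."""
    if service.kex in PQ_SAFE_KEX:
        return Finding(service.name, False, horizon, "quantum-safe key exchange")
    margin = horizon - (service.secrecy_years + service.migration_years)
    if margin < 0:
        reason = "secrecy + migration time exceeds CRQC horizon: migrate first"
    else:
        # Not HNDL-exposed under these assumptions, but still classical:
        # it needs a migration date, just not the top of the queue.
        reason = "within horizon, classical key exchange: schedule migration"
    return Finding(service.name, margin < 0, margin, reason)


def prioritise(services, horizon: int = CRQC_HORIZON_YEARS) -> list:
    """Return findings ordered most-exposed first (smallest margin first)."""
    return sorted((assess(s, horizon) for s in services), key=lambda f: f.margin_years)


def exposed_names(services, horizon: int = CRQC_HORIZON_YEARS) -> list:
    return [f.name for f in prioritise(services, horizon) if f.exposed]


# Constructed sample inventory (hypothetical services and values).
SAMPLE_INVENTORY = [
    Service("customer-records-api", "X25519", secrecy_years=25, migration_years=3),
    Service("payments-gateway", "secp256r1", secrecy_years=7, migration_years=2),
    Service("public-web", "X25519", secrecy_years=0, migration_years=1),
    Service("hsm-backup-channel", "X25519MLKEM768", secrecy_years=30, migration_years=0),
    # TLS 1.2 RSA key transport: one long-lived private key unlocks every recorded session.
    Service("sftp-vendor-feed", "RSA", secrecy_years=10, migration_years=4),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_INVENTORY):
        flag = "EXPOSED " if f.exposed else "ok      "
        print(f"{flag} {f.name:22s} margin={f.margin_years:+d}y  {f.reason}")
```

Run as-is it prints the queue with customer-records-api and sftp-vendor-feed flagged first. The useful discipline is that the ordering comes from data lifetime, not from how large or visible the system is: a low-traffic archive channel carrying 25-year records outranks a public website whose sessions need no long-term secrecy.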
Regulatory and supervisory focus
Cyber resilience is now a core regulatory priority. The CBEST framework, developed by the Bank of England, PRA, and FCA, continues to evolve; the 2024 thematic report emphasised threat-led testing, cyber hygiene, and simulation of insider and supply chain attacks [20]. In the EU, the Digital Operational Resilience Act (DORA), applicable from January 2025, introduces prescriptive requirements for ICT risk management, incident reporting, and third-party oversight. UK firms with EU-authorised entities, or that provide ICT services to EU financial entities, are caught directly or through contractual flow-down [21]. The FCA’s enforcement actions, including the £11.2m fine against Equifax, highlight the expectation that firms retain oversight of their data, including data processed by group companies and outsourced providers, and ensure board-level accountability [22].
How firms should prepare for cybersecurity risk in 2026
- Adopt threat-led testing: Use CBEST-style assessments to simulate real-world attacks and embed findings into cyber strategy and risk mitigation actions.
- Integrate the findings from cyber testing into enterprise risk management frameworks and governance: Ensure board-level oversight, with clear accountability for cyber resilience and third-party risk.
- Enhance third-party oversight: Monitor resilience of outsourced providers, especially Critical Third Parties (CTPs), and ensure contractual obligations align with regulatory expectations.
- Strengthen incident response and reporting: Develop robust cyber and operational resilience playbooks, ensure timely regulatory disclosures, and rehearse crisis scenarios involving AI failures, cyber breaches, and third-party outages.
- Invest in cyber insurance: As insurers tighten underwriting standards, firms must demonstrate strong controls, encryption practices, and response capabilities to secure coverage.
“Cybersecurity in 2026 is no longer just a technical issue - it’s a strategic, operational, and regulatory imperative. Firms must evolve from reactive defence to proactive resilience, embedding cybersecurity into every layer of their organisation.” – Simon Withington, Partner, Head of Technology Assurance, Forvis Mazars in the UK
3. Operational resilience, outsourcing and third-party risk
Operational resilience has evolved from a regulatory initiative to a strategic imperative. In 2026, financial services firms must demonstrate that resilience is embedded across governance, outsourcing, and business-as-usual operations, not just documented in standalone frameworks. The end of the operational resilience transition period (FCA PS21/3 and PRA PS6/21) on 31 March 2025 marks a shift from compliance to integration, with regulators expecting firms to operate consistently within impact tolerances under severe but plausible scenarios.
Recent events have brought this into sharp focus. The AWS outage in October 2025, which lasted over 15 hours and disrupted services across major UK banks, exposed the fragility of cloud-reliant infrastructure. The incident affected millions of users, highlighting the systemic risk posed by third-party concentration and the need for multi-cloud strategies, failover systems, and contractual resilience clauses [23]. Such measures only reduce risk where the failover path has actually been exercised and does not share hidden dependencies (DNS, identity, a single control plane or region) with the primary.
Firms are expected to map key vulnerabilities across cyber, AI, and operational domains, identifying dependencies that could lead to cascading failures. Regulators have emphasised the importance of cross-functional scenario testing, including cyber disruption and third-party outages, to validate impact tolerances and response capabilities.
While cyber risks are not the sole driver of operational resilience, they are deeply intertwined. Firms that perform well tend to integrate cyber threat intelligence into their resilience planning, maintain real-time dashboards for service performance, and conduct joint tabletop exercises across risk, IT, and business functions.
Regulatory landscape and key developments
In 2026, the regulatory focus will be on how firms are operationalising resilience in practice. Regulators expect organisations to move beyond documentation and demonstrate tangible progress. This includes integrated resilience planning across cyber, AI, and third-party risk domains; dynamic scenario testing that reflects evolving threats and systemic interdependencies; and board-level ownership of resilience strategies with clear accountability and escalation protocols. Additionally, third-party oversight is a priority under the Critical Third Parties (CTP) regime, which now mandates resilience testing, incident reporting, and exit planning for designated providers.
The regulatory landscape is increasingly shaped by real-world disruptions, and firms are expected to learn from incidents like the AWS outage and apply those lessons to strengthen governance, mapping, and response capabilities.
How firms should prepare for operational resilience and third-party risk in 2026
In 2026, firms must go beyond compliance and demonstrate that resilience is embedded in how they operate, adapt, and respond to disruption. This means addressing persistent challenges while proactively strengthening their frameworks:
- Embed resilience into governance and strategy: Ensure board-level oversight and integration into change programmes, outsourcing decisions, and transformation initiatives. Avoid siloed ownership and ensure resilience is treated as a strategic enabler, not a compliance exercise.
- Strengthen third-party risk management: Firms remain accountable for outsourced services, even when providers are designated as Critical Third Parties (CTPs). This includes intra-group arrangements and non-outsourced dependencies. Monitor financial health, cyber resilience, and contingency planning across all providers.
- Clarify impact tolerances and align with business continuity: Avoid conflating impact tolerances with recovery time objectives. Regulators expect clear, measurable thresholds tied to consumer harm and market integrity [24]. Ensure BCP testing reflects IBS priorities and regulatory expectations.
- Enhance scenario testing: Many firms still focus on predictable disruptions [25]. Broaden testing to include prolonged, cross-border, and multi-jurisdictional crises. Collaborate with third parties and internal teams to validate response capabilities under severe but plausible scenarios.
- Improve regulatory visibility: Maintain a structured register of material third-party arrangements [26], as proposed by the FCA, and ensure periodic submissions to support supervisory insight and rapid response.
“Operational resilience in 2026 is about demonstrating that firms can withstand disruption, recover swiftly, and learn continuously. As regulators shift focus to enforcement and integration, firms must ensure resilience is lived, not just logged.” – Sarah Ouarbya, Partner, Risk and Regulatory Consulting, Forvis Mazars in the UK
4. AI adoption risk
AI adoption in UK financial services surged in 2025, with 75% of firms now using AI and another 10% planning to adopt it within three years [27]. While AI offers transformative benefits in fraud detection, customer service, and operational efficiency, it also introduces complex operational, ethical, governance, and regulatory risks - particularly around bias, transparency, accountability and data quality.
The UK’s regulatory approach to AI is principles-based, sector-led, and technology-neutral, guided by five core principles: safety, transparency, fairness, accountability, and contestability [28,29]. This aligns with the Government’s pro-innovation strategy, integrating AI oversight into existing frameworks.
How firms should prepare for greater adoption of AI models
AI governance is not just about mitigating risks, it’s about competitiveness and resilience. Failure to adopt AI responsibly or execute digital transformation effectively could leave firms inefficient and uncompetitive, especially as C-suite priorities for 2025 show “Transforming IT/Tech” as the top strategic focus (see Forvis Mazars C-Suite Barometer). In other words, the risk is twofold:
- Irresponsible AI adoption - ethical, regulatory, and operational failures.
- Insufficient adoption or poor execution - strategic disadvantage and lost market share.
The rapid deployment of AI, especially within foundation models and third-party systems, has the potential to outpace firms’ ability to govern them effectively. Firms need to be particularly cognisant of the following issues when deploying AI tools:
- Explainability and model opacity: Only 34% of firms report having a complete understanding of the AI systems they use, with 46% admitting partial understanding, especially when using third-party models [27]. This leaves firms open to systemic biases and discrimination in their business model activities, particularly in credit scoring and onboarding. The FCA’s literature review on bias in supervised machine learning highlighted the need for proactive mitigation strategies [30]. Firms must implement bias detection and mitigation protocols, particularly in consumer-facing applications.
- Strengthen model-specific governance: Validate AI models, document decision logic, and ensure explainability - especially for high-impact use cases like lending and fraud detection.
- Embed ethical frameworks: Align AI deployment with Consumer Duty principles, ensuring fair value and transparency for all customers.
- Third-party risk: A third of all AI use cases are outsourced, raising concerns over model provenance, contractual accountability, and ethical standards. In addition, firms increasingly rely on models embedded in vendor platforms or internal tools without full visibility or validation, creating “unknown unknowns” in risk management. Firms must assess outsourced AI systems for ethical compliance, data provenance, and contractual accountability.
- Automated decision-making: 55% of AI use cases involve some level of automation, with 24% being semi-autonomous. Regulators expect human-in-the-loop governance for critical decisions [27].
Firms need to ensure strong governance and board-level accountability: assign clear ownership of AI risks and ensure oversight is embedded into enterprise risk management. The FCA and Bank of England’s third joint AI and ML survey revealed governance gaps and rising third-party exposure. Regulators are expected to launch sector-specific guidance in 2026 [27].
Managing AI risk is as much about culture as it is about controls. Firms need a culture where ethical decision-making, accountability, and transparency are embedded into day-to-day operations. Employees must understand the implications of AI-driven decisions, and boards must set the tone by prioritising responsible innovation. A strong risk culture ensures that governance frameworks are not just documented but lived - reducing the likelihood of bias, opaque models, and consumer harm.
“AI governance in 2026 is not just about compliance - it’s about trust and strategic advantage. As regulators sharpen their focus and consumers demand transparency, firms must ensure their AI systems are innovative, ethical, explainable, and accountable, or risk falling behind competitors who get it right.” – Sofia Ihsan, Director, AI Consulting Leader, Forvis Mazars in the UK
5. Financial crime and fraud
Financial crime remains one of the most pervasive and rapidly evolving risks facing UK financial services firms in 2026. As fraudsters leverage emerging technologies and exploit regulatory gaps, such as weak customer authentication, fragmented data oversight, and inconsistent crypto asset controls, firms must contend with increasingly sophisticated threats (from synthetic identities to crypto-enabled laundering). At the same time the regulatory authorities are pursuing greater scrutiny of firms’ anti-financial crime processes, with a focus on governance, data integrity, and real-time monitoring.
Fraud and financial crime landscape
The convergence of digitalisation, real-time payments, and generative AI has created fertile ground for increasingly sophisticated fraud schemes. Synthetic identity fraud is now one of the fastest-growing threats, with criminals using AI to create convincing fake profiles that bypass traditional onboarding checks [31,32]. Deepfake-enabled scams are targeting both consumers and firms, with impersonation of executives and spoofed communications leading to unauthorised transactions [33]. With the FCA’s launch of the new “Supercharged Sandbox” initiative [34] in 2025 in collaboration with NVIDIA, as well as its Authorised Push Payment (APP) fraud synthetic datasets [35], it is clear that the regulator is expecting firms to embrace developments in data, technology and artificial intelligence as part of the ongoing maturity of financial crime systems and controls.
Crypto-related AML risks are escalating. In 2026, the UK transitions from AML registration to full FCA authorisation for crypto asset activities, introducing stricter conduct, governance, and prudential standards [36]. While jurisdictions are gradually recognising crypto as part of mainstream financial activity, they are simultaneously imposing more stringent regulatory frameworks to address risks such as money laundering, market abuse, and consumer harm. Firms operating in this space must navigate a complex and evolving landscape, balancing innovation with compliance, and ensuring robust controls over onboarding, transaction monitoring, and cross-border flows. There is an expectation for firms to fully document the crypto risks to which they are exposed, considering the findings from the FCA’s recent multi-firm review on risk assessment [37].
Authorised Push Payment (APP) fraud continues to rise, fuelled by instant payment platforms and social engineering. The FCA is tightening expectations around reimbursement and consumer protection [38].
OFSI has ramped up its enforcement of breaches of sanction regimes in 2025. From increased use of its disclosure (“name and shame”) powers to financial penalties, and enforcement against firms who do not respond to requests for information in a timely manner, the pressure on regulated firms to comply with sanctions obligations has never been greater.
Legislative, regulatory and supervisory focus
The FCA’s 2025/26 work programme identifies fighting financial crime as one of its four strategic priorities [4]. Key developments include Economic Crime Plan 2 (2023–2026), a national strategy involving public-private collaboration to reduce fraud, money laundering, and sanctions evasion. The FCA has also secured convictions for over £25m in fraud since April 2023, issued record fines, and shut down thousands of scam websites [39,40]. Finally, firms must prepare for full FCA authorisation under the new crypto regime, with stricter conduct, governance, and prudential standards.
The Failure to Prevent Fraud Offence, from 1 September 2025, highlights how large organisations may be held criminally liable if an employee or associated person commits fraud intending to benefit the firm, unless the firm can demonstrate it had reasonable fraud prevention procedures in place. This places greater emphasis on proactive controls, governance, and monitoring [41].
Previously the FCA's Skilled Person panel included both Financial Crime and Market Abuse under one subject matter area ("Lot"). However, as part of the FCA's new Market Abuse Skilled Person Panel (FSMA s.166) commencing from April 2026, Market Abuse will sit under its own Lot. This highlights the specialist, technical knowledge requirements needed to effectively understand and assess the risks associated with market abuse and manipulation.
How firms should prepare for managing risks from financial crime and fraud in 2026
- Strengthen fraud detection and prevention: Use multi-layered controls, behavioural analytics, and biometric verification to detect synthetic identities and deepfakes.
- Enhance AML frameworks: Align with evolving crypto regulations, including transaction monitoring, risk-weighted capital, and governance standards.
- Improve consumer protection: Ensure fair treatment and redress for APP fraud victims, in line with FCA expectations.
- Invest in staff training and awareness: Equip frontline teams to recognise fraud signals and respond effectively.
“Financial crime is a reputational, operational, and strategic risk. As fraud becomes more industrialised and tech-enabled, firms must continually invest in advanced fraud detection and prevention tools and demonstrate dynamic, outcomes-focused risk management.” - Luke Firmin, Director and Head of Financial Crime (UK), Forvis Mazars in the UK
Other Important Risks
Climate and ESG risk
Climate and ESG risks are no longer peripheral concerns - they act as cross-cutting drivers of risk across credit, market, liquidity, and operational domains. Rather than being standalone, these risks amplify vulnerabilities in business models and financial stability. In 2026, UK financial services firms are expected to face a wave of new sustainability disclosure requirements (based on the International Sustainability Standards Board’s standards) and transition plan disclosures, with regulators embedding sustainability into supervisory frameworks and consumer protection mandates. This is consistent with the UK Government’s aim to position the UK as a global hub for sustainable finance.
A key area of focus for banks in 2026 will be implementing the PRA’s updated supervisory statement regarding climate risk management. The final statement, SS4/25 (published December 2025), introduces considerably stronger expectations for governance, data management, scenario analysis, and integration of climate risk into ICAAP and ORSA processes [42]. Firms must complete a gap analysis and submit an implementation plan within six months of publication.
Climate and ESG risks have dropped out of the Top 5 for 2026, but they remain significant and highly interconnected with other risk domains. The shift reflects a nuanced global picture: while some regulators are slowing the rollout of sustainability measures - such as the EU Commission’s Omnibus adjustments to CSRD and the UK’s narrower scope for Transition Plan disclosures - others, including the ECB and the PRA, continue to tighten expectations on governance, scenario analysis, and integration of climate risk into ICAAP and ORSA processes.
This divergence creates complexity for firms, as regulatory fragmentation becomes a risk in itself. Supervisors are embedding climate risk into stress testing and resilience frameworks, even as disclosure timelines evolve unevenly across jurisdictions.
How firms should prepare for climate and ESG risks in 2026 and beyond
- PRA’s climate risk management supervisory expectations: Begin preparing a gap analysis and implementation plan to meet the PRA’s expectations.
- Follow the UK government’s sustainability and Transition Plan disclosure consultations closely: The UK will introduce ISSB sustainability reporting standards and a requirement for Transition Plan disclosures. The key question is what will be the scope of application.
- Don’t see sustainability risk as a compliance exercise: Investors and customers increasingly expect financial institutions to contribute positively to sustainability efforts. Responsible finance enables banks to identify and support financially resilient customers and companies, which in turn helps banks performance. Quoting the PRA from its introduction to the recent climate risk supervisory statement consultation: “These [Climate] events are affecting PRA-supervised banks and insurers through direct losses and business model changes. The financial and economic losses related to climate change are projected to increase over time, although the magnitude and timing of losses are uncertain [42].”
- Mitigate greenwashing risks: Substantiate all sustainability claims with robust evidence and ensure marketing, fund labelling, and public statements are regulator-compliant.
“Climate and ESG risk in 2026 is about more than compliance, it’s about credibility. As regulators sharpen their focus and stakeholders demand transparency, firms must demonstrate that sustainability is embedded in their strategy, not just their statements.” – Pierre-Alexandre Germont, Director, Global Climate Risk Lead, Forvis Mazars in the UK
Talent and remuneration
Talent and remuneration risk in 2026 reflects growing pressure on financial services firms to attract, retain, and reward skilled professionals in a competitive and evolving labour market. Skills shortages persist, particularly in areas like AI, cyber, ESG, and data, with 92% of firms reporting hard-to-fill vacancies [43]. Hybrid work models, leadership churn, and rising expectations around purpose and progression are reshaping workforce dynamics. Employees increasingly seek roles that offer not just competitive pay, but also meaningful work, inclusive culture, and clear development pathways, placing pressure on firms to rethink how they attract and retain talent in a post-pandemic, digitally driven environment.
However, financial services firms must also contend with rising employment costs driven by government policy, most notably the increase in employer National Insurance Contributions (‘NICs’) announced in the October 2024 Budget and continued rises in the National Minimum Wage (‘NMW’). This may drive some firms to use greater numbers of off-payroll workers, though this is itself an area of increased HMRC scrutiny, and firms should ensure they have robust processes in place to minimise the risk of unexpected income tax and NIC liabilities being triggered.
Regulatory reform is also underway. The PRA and FCA consulted on changes to the remuneration regime (CP16/24 and CP24/23) [44], including relaxed deferral rules, removal of the bonus cap, and closer alignment with SMCR accountability. These proposals aim to balance competitiveness with sound risk management.
How firms should prepare for talent and remuneration risk in 2026
- Align remuneration with risk and accountability: Ensure pay structures reflect individual responsibilities and risk outcomes, in line with SMCR expectations.
- Strengthen retention strategies: Invest in career development, structured incentives, and inclusive culture to retain top talent.
- Adapt to regulatory reform: Prepare for implementation of CP16/24 proposals, including changes to deferral, vesting, and MRT identification.
- Enhance workforce planning: Forecast future skills needs and build internal pipelines through upskilling and early career programmes.
- Monitor market competitiveness: Benchmark remuneration practices against global peers to attract talent in high-demand areas.
- Review pay and reward strategy: Utilise mechanisms that will reduce employment costs, in particular salary sacrifice schemes for pensions and electric vehicles and bonus waivers to reduce employer NIC.
- Strengthen off-payroll working processes: Ensure robust processes are in place to identify off-payroll workers and assess their employment status.
Talent and remuneration goes beyond pay: it is about purpose, progression, and performance. As firms compete for scarce skills and leadership stability, those that embed people strategy into business strategy will be best positioned to thrive.
Regulatory change
Regulatory change in 2026 is characterised by both scale and fragmentation, creating significant complexity for international firms. Divergence has become a core risk, with UK firms facing an extensive pipeline of reforms across prudential, conduct, ESG, and digital domains, while post-Brexit differences with the EU add further challenges for cross-border operations. At the same time, the US Basel package is expected to diverge from Basel 3.1 (particularly in market risk and operational risk capital) adding uncertainty for global banks operating across multiple regimes. This highlights why Basel 3.1 implementation is a central driver of regulatory change, with the PRA urging firms to embed these reforms into strategic planning and strengthen governance and model risk management. As Philip Evans noted in his December 2025 speech [2], inconsistent adoption across jurisdictions could amplify compliance burdens and competitive distortions, making proactive horizon scanning and cross-border coordination essential.
This fragmentation extends beyond prudential standards to ESG disclosures, AI governance, and resilience frameworks, forcing firms to navigate conflicting timelines, definitions, and supervisory expectations. The Regulatory Initiatives Grid (April 2025) [45] outlines over 100 active reforms, with implementation timelines stretching into 2027, underscoring the need for proactive and coordinated responses. Divergent capital rules could affect risk-weighted assets and profitability, while inconsistent ESG and AI requirements increase compliance burdens and reputational risk. In addition, widely varying supervisory expectations make governance alignment critical.
How firms should prepare for regulatory change and complexity in 2026
- Conduct horizon scanning: Maintain a live inventory of regulatory initiatives across UK, EU, and global jurisdictions, with clear ownership and impact assessments.
- Integrate regulatory change into strategic planning: Align capital, product, and operational decisions with upcoming reforms, including Basel 3.1 and Solvency UK.
- Strengthen cross-border governance: Ensure legal, compliance, and risk teams collaborate across jurisdictions to manage divergence and avoid duplication.
- Engage with regulators: Participate in consultations, respond to thematic reviews, and build relationships with supervisory teams to shape and anticipate change.
- Simplify internal frameworks: Where possible, consolidate policies and reporting structures to reduce complexity and improve agility.
“What will be essential in 2026 is for financial service firms to have an overarching view of their vulnerabilities and interconnectedness, to anticipate and be able to act quickly when conditions change. Navigating today’s complexity requires strong governance and close senior leadership oversight.” – Huseyin Sahin, Partner, Banking Risk Consulting, Forvis Mazars in the UK
Data governance
Data governance has emerged as a standalone risk in 2026, underpinning regulatory compliance, operational resilience, and model reliability. As firms accelerate automation, adopt AI, and expand ESG disclosures, the integrity of data systems is under intensified scrutiny from regulators and stakeholders alike.
Poor data quality, lineage, and documentation are undermining firms’ ability to manage risk, meet regulatory expectations, and deliver fair customer outcomes. Key challenges include fragmented data architecture, where legacy systems and siloed platforms impede integration and traceability; real-time reporting gaps, as regulators demand near-instantaneous access to accurate data for stress testing and incident response; and third-party data dependencies, which introduce risks around provenance, accuracy, and contractual accountability.
The FCA’s 2025/26 strategy identifies data governance and digital intelligence as core supervisory priorities. The regulator is streamlining data collection, improving regulatory reporting systems (such as RegData), and enhancing supervision through better use of technology. Recent enhancements include the launch of flexi collections within RegData, the rollout of the My FCA portal, and the digitisation of authorisation workflows. In parallel, the FCA and Bank of England are leading a joint transformation programme to modernise data collection, define common data standards, and reduce regulatory burden [4].
How firms should prepare for model risk and data governance in 2026
- Strengthen data quality controls: Implement automated validation, lineage tracking, and metadata management across all critical systems.
- Enhance governance frameworks: Assign board-level accountability for data risk, with clear ownership and escalation protocols.
- Monitor third-party data sources: Assess vendor data for accuracy, reliability, and contractual resilience. Include in scenario testing and risk assessments.
- Prepare for regulatory scrutiny: Align with FCA expectations for real-time reporting, backup testing, and data audits.
“Firms that embed data integrity into their risk frameworks will be better positioned to meet regulatory demands, support innovation, and build stakeholder trust.” – Sofia Ihsan, Director, AI Consulting Leader, Forvis Mazars in the UK
Consumer Duty and customer protection
Consumer Duty represents a fundamental shift in UK financial services regulation, setting higher and clearer standards of customer protection. In 2026, the FCA’s focus has moved from implementation to enforcement, with firms expected to demonstrate that good outcomes are embedded across products, services, communications, and support - especially for vulnerable customers.
The FCA launched its first Consumer Duty investigation in late 2025, targeting both a firm and an individual. This signals a tougher stance and sets a precedent for future enforcement [46]. The FCA’s multi-firm review also found that 44% of vulnerable customers reported negative experiences, compared to 33% of non-vulnerable customers. Firms must now evidence tailored support and inclusive design [47,48]. Finally, the FCA and Financial Ombudsman Service (FOS) are consulting on modernising the complaints and redress framework, including faster resolution, clearer guidance, and a shift to Bank of England base rate +1% for compensation interest [49].
How firms should prepare for Consumer Duty and customer protection in 2026
- Embed Duty into governance and MI: Ensure Consumer Duty is owned at Board and SMF level, with granular management information to monitor outcomes and identify risks.
- Design for vulnerability: Tailor products, services, and communications to meet the needs of vulnerable customers. Train staff to identify and respond to vulnerability effectively.
- Strengthen fair value assessments: Use data-driven frameworks to assess total cost vs benefit, including distribution and servicing costs.
- Improve complaints handling and redress: Align with FCA and FOS reforms to ensure timely, transparent, and fair resolution of customer issues.
- Monitor and evidence outcomes: Move beyond policy to practice - firms must demonstrate that good outcomes are being achieved and sustained.
“Consumer Duty in 2026 is not just about avoiding harm - it’s about actively championing customer interests. As the FCA shifts to enforcement and outcome monitoring, firms must ensure that customer protection is embedded in every decision, not just documented in compliance manuals.” – Christos Doumas, Director, Conduct Risk and Regulatory, Forvis Mazars in the UK
Motor finance
Motor finance has been under scrutiny for several years. The FCA first began investigating the sector in 2017 and published its final findings in 2019. A key observation was that certain commission structures used to remunerate car dealers for arranging finance could have caused consumer harm. Specifically, these were commission models that allowed dealers to set interest rates based on the level of commission they wished to earn. Such arrangements are known as Discretionary Commission Arrangements (DCAs).
DCAs were banned from 28 January 2021. Following the ban, customers and Claims Management Companies began submitting complaints to motor finance lenders, with some cases escalating to the Financial Ombudsman Service (FOS) and others to the courts.
In January 2024, the FOS ruled in favour of customers in two cases. Concerned that this could trigger widespread issues, the FCA launched an investigation to assess the scale of the problem. At the same time, three cases reached the Supreme Court. In a partial relief for lenders, the Court ruled in their favour in two cases, finding that dealers did not owe a fiduciary duty and therefore the law on bribery did not apply. However, in the third case, the Court determined that the arrangement constituted an “unfair relationship” under the Consumer Credit Act.
Following these developments, the FCA announced a consultation on a potential redress scheme. The consultation is scheduled to close on 12 December, with the final publication of the proposed scheme expected in February/March 2026.
The FCA has issued a consultation paper proposing a redress scheme that would cover specific types of cases. These include cases subject to discretionary commission arrangements (DCAs), cases where commissions were disproportionately high compared to the total cost of credit - specifically exceeding 35% of the total charge or 10% of the loan amount - and cases where the dealer was tied to one of the motor finance lenders.
How firms should prepare for the FCA’s proposed redress scheme
- Automation: Automating key activities across redress calculation, communication, settlement, and project management reduces manual effort, improves accuracy, and ensures cost-effective outcomes.
- Data collection and quality: Identifying all required data upfront and testing quality early prevents gaps, while a clear data strategy ensures issues are resolved efficiently.
- Flexible and scalable database: A central database should securely store and update essential data, support future inputs, and enable streamlined redress calculations.
- Redress calculation tool: The tool must handle both customer-level redress and overall exposure, with controls to manage limitations and ensure accuracy.
- Communication and Consumer Duty: Communication strategies must meet Consumer Duty standards, clearly explain redress outcomes to customers, and align internal/external messaging with data management.
- Settlement: Payments should be automated with strong validation checks to ensure accuracy and proper allocation to customers.
- Governance and project management: A robust governance framework with senior oversight, clear reporting, and strong project management ensures effective remediation and stakeholder engagement.
- Regulatory strategy: Firms need a proactive regulatory strategy to engage constructively with the FCA, highlight key issues, and build trust through transparent dialogue.
- Assurance: Independent reviews of remediation processes help demonstrate compliance, strengthen FCA interactions, and provide assurance that redress is executed properly.
“The FCA’s Motor Finance Redress Scheme, announced last October, is due to be finalised in early 2026. With strong stakeholder and public scrutiny, it will remain a key focus for at least the next two years, and potentially longer given its complexity.” – Christos Doumas, Director, Conduct Risk and Regulatory, Forvis Mazars in the UK
Conclusion
In 2026, the top five risks facing financial services firms reflect a convergence of systemic disruption, regulatory scrutiny, and operational complexity. Geopolitical and macroeconomic volatility remains the most pressing concern, with trade fragmentation and conflict escalation reshaping global financial flows. Technology and cybersecurity risks continue to intensify, driven by sophisticated attacks and third-party vulnerabilities, prompting regulators to emphasise the importance of threat-led testing and board-level accountability. Operational resilience is under sharper focus as relevant firms must demonstrate stress-tested continuity under the new Critical Third Party (CTP) rules. The rapid adoption of AI has elevated AI governance and ethical risk, with regulators scrutinising bias, explainability, and outsourcing practices. Finally, financial crime and fraud have surged, with APP scams, synthetic identities, and crypto-related AML concerns triggering thematic reviews and enforcement actions. These risks are not only individually significant but also deeply interconnected, requiring firms to adopt integrated and forward-looking mitigation strategies.
References
[1] Financial Stability Report - December 2025 | Bank of England
[2] Basel 3.1: Market Risk − speech by Phil Evans | Bank of England
[3] Prudential Regulation Authority Business Plan 2025/26 | Bank of England
[4] FCA annual work programme 2025/26 | FCA
[5] Financial Stability Report - December 2025 | Bank of England
[6] Systemic Risk Survey Results - 2025 H1 | Bank of England
[7] UK interest rate forecast: Third-party predictions & outlook | Capital.com
[8] 3 scenarios for the UK in 2026: Bank of England economist - HotMinute
[9] Economic Outlook: Factors Influencing the UK’s Economic Future | Morningstar
[10] How should financial institutions navigate a fragmented world? | World Economic Forum
[11] Global Economic Outlook Shows Modest Change Amid Policy Shifts and Complex Forces
[12] The Impact Of Geoeconomic Fragmentation On Financial Growth
[13] Systemic Risk Survey Results - 2025 H1 | Bank of England
[14] Central Banking in extreme adversity - speech by Andrew Bailey | Bank of England
[15] Cyber security breaches survey 2025 - GOV.UK
[16] The 7 Cyber Security Trends Of 2026 That Everyone Must Be Ready For
[17] CHAPS participants for CHAPS reimbursement rules
[18] Implementing Technology Change - FCA
[19] Cyber resilience good practice for firms | FCA
[20] CBEST Threat Intelligence-Led Assessments | Bank of England
[21] Digital Operational Resilience Act (DORA) | Updates, Compliance, Training
[22] On the Cyber Attack | Clifford Chance
[23] AWS Outage: A Major Risk For The Financial Sector? | FinTech Magazine
[24] FCA Report: Are firms prepared for operational resilience deadline?
[25] Operational Resilience: Preparing for the 31 March 2025 Deadline - The Compliance Digest
[26] CP24/28: Operational Incident and Third Party Reporting
[27] Artificial intelligence in UK financial services - 2024 | Bank of England
[28] AI Update | Financial Conduct Authority
[29] FS2/23 – Artificial Intelligence and Machine Learning | Bank of England
[31] Global_Fraud_Trends_Report_2024_FinalV.pdf
[33] Fighting fraud in the digital age: Top insights from Money20/20 | LSEG
[34] FCA allows firms to experiment with AI alongside NVIDIA | FCA
[35] Authorised Push Payment synthetic data | FCA
[36] UK Regulatory Changes 2026: Complete Compliance Guide for Crypto and Fintech
[37] Risk assessment processes and controls in firms: our findings | FCA
[38] Reducing and preventing financial crime | FCA
[39] Financial crime resources | FCA
[40] Shifting the dial on financial crime requires a collective push | FCA
[41] Economic Crime and Corporate Transparency Act 2023
[43] FSSC-Future-Skills-Report-2024.pdf
[44] UK bankers' remuneration: significant reform proposals - A&O Shearman
[45] Regulatory Initiatives Grid | FCA
[46] FCA Cracks Down: First Consumer Duty Enforcement Action Launched
[47] Guidance for firms on the fair treatment of vulnerable customers | FCA
[48] Bridging the Vulnerability Gap: FCA Identifies Need for Action Under Consumer Duty | News