What to watch: Six considerations for financial services assurance planning in 2026

We look at some less obvious risks and assurance themes to help shape your planning for the year ahead, plus reflections on what stood out last year.

Planning season is here again, and as financial services firms look ahead to 2026, assurance teams are once more asking: what should we be focusing on - and what might we be missing? As in prior years, the aim of our article is not to try and detail all the areas which firms should or will consider, or even those areas of greatest risk (which you will no doubt have captured already). Instead, we’re highlighting a few areas which you may not have considered. We’ve also included some reflections on the areas we looked at last year to help shape your thinking for the year ahead.

Six considerations for 2026 planning

1. AI - Emerging risk to reality?

The phrase of the year (and most mentioned risk) for 2025 was Artificial Intelligence, so it will have doubtless been on your radar – so much so that we refrained from including it within our 2024 assessment. During 2026, financial services firms should consider the extent to which their businesses are adopting AI agents. For many, this is the next step in the AI journey, and an area where businesses are likely to pivot from ad hoc use of AI as a helpful tool to deeply integrating tooling within BAU processes, or even replacing them. You should ensure you are aware of whether and how your business intends to manage the introduction of agents, be these internal or customer facing.

If you've not already done so, we recommend conducting a review to confirm that your firm has implemented, as a minimum, a baseline or foundational framework for assessing and governing AI. This should cover both internal and customer facing use; the potential opportunity risk of falling behind the adoption curve; and how AI technologies could affect and pose a risk to the business, in particular for cyber security. Minimum expectations include the adoption of an AI use policy; a risk assessment (including adoption risk); logging of approved usage; monitoring of use, or operation of controls where use has been prevented; and, finally, confirmation that expectations have been clearly communicated to staff. Firms should also be cognisant of developing AI regulation and legislation, including the EU AI Act, which, like the GDPR before it, includes the potential for significant (7% of global turnover) fines.

2. Doing the basics right (and the impact of getting them wrong)

Generally, we have seen our clients’ control environments mature significantly over recent years as practices have evolved. We’re now seeing fewer major control failures or gaps when reviewing processes and functions. As auditors and assurance providers, we are often looking for the ‘thing we haven’t thought of’, particularly when our work does not, or has not, identified significant issues.

From recent experience, we’ve found that often the most significant issues arise where the basics (the things everyone assumed must be in place) have been overlooked. This is reflected in some of the more recent fines issued to major banks by the FCA and PRA for failings which (based on the information publicly available) seem to be in areas of control which should have been foundational to the businesses concerned.

Our reflection is that whilst we should be mindful of our blind spots on the periphery, we should also not overlook those things that may be hiding in plain sight.

3. Business data and reporting

Recent regulatory changes including the Consumer Duty and Operational Resilience, as well as those which are subject to current consultation and discussion, have set greater expectations for businesses’ data accessibility and usability. It is expected that firms’ data would allow them to monitor and report against their key indicators (whether these be KPIs, IToLs, outcomes, etc.).

Whilst generally these matters will have been considered within your reviews of the respective compliance areas, now that we have ‘transitioned to BAU’ (i.e. the regulatory implementation timeline has passed), financial services firms must ensure that the implemented processes continue to operate and, crucially, are sustainable over time.

It’s worth checking, either by theme or by regulation, whether the right systems are in place (or being built) to make monitoring and reporting easy and reliable. In addition to regulatory requirements, a key theme of market polling is that firms expect macroeconomic and political instability to be key risks to their business plans in coming years. The ability of firms to operate dynamically, and the availability of timely, accurate data on which to base decisions, will be key to navigating this environment.

4. Companies House requirements (Economic Crime and Transparency Act)

The new Failure to Prevent Fraud Offence has captured the majority of headlines relating to the Economic Crime and Transparency Act. However, the Act also has broader implications for firms to consider. One specific operational implication for colleagues (particularly those in the 2nd line) is the impact of changes to Companies House requirements. Under the changes, financial services firms will have to adhere to more stringent requirements around their details filed with Companies House, including director and PSC identity verification.

5. Implications of the Motor Finance ruling

No doubt you will be aware of the various court proceedings and other interventions during the year in relation to the field of motor finance. Whilst this may not be directly relevant to all financial services firms, it gives useful insight into the expectations of the FCA and the Courts around the fair value of products and services, and how these are communicated to customers.

Firms may wish to consider additional review of their fair value assessments, in particular where these have high-percentage commission elements, or pricing structures vary between client groups or distribution channels, to ensure that these take account of the implications of the court rulings, and are being clearly communicated to customers. Further detail is expected from the FCA later in the year as part of their work around the redress scheme, which will offer additional insight into their expectations of the reasonableness of different pricing arrangements.

6. Provision 29 of the UK Corporate Governance Code

As we approach the go-live date for the most impactful aspect of the revised 2024 Code (January 2026), many non-listed entities are choosing to adopt Provision 29 voluntarily - especially PIEs and/or those with complex operations. This is mostly about showing a commitment to best practice and doing what’s sensible and proportionate, without going overboard.

Internal audit may wish to assess and, if necessary, challenge the board’s approach to this. Has the board clearly articulated its stance? Will this stand up to stakeholder, shareholder, and regulatory scrutiny? And does the approach fit neatly with past statements (in annual reports) on adherence to the Code? If not, do these statements need to be revised going forward? Could that leave investors feeling uneasy?

Best practice is all well and good when its achievement is relatively stress-free – but does the appetite for good governance extend to areas that may require significant further maturation, and the investment that goes along with it?

Reflections on our 2025 assessment

For our 2024/25 update, we focused on six areas. Here we highlight their continuing relevance based on the year’s events:

  • Financial crime – The importance of the enterprise-wide financial crime risk assessment.

In 2024, we highlighted the importance of having a robust assessment of each entity’s inherent and residual financial crime risk. The year saw several fines issued by the FCA:

  • Of the total 16 fines issued to date, 31% related to financial crime breaches.
  • Of the fines issued to entities (rather than individuals), this increases to 50%.

This emphasises the importance of businesses having a comprehensive understanding (and having documented their assessment) of financial crime exposure, even where this is perceived to be low.

  • Cyber security – The adequacy of cyber assurance activity

In 2024, we emphasised the importance of businesses having adequate testing of their cyber controls, ensuring that (where proportionate) testing included exercises which were independent of the IT Function and CISO in scope and approach, in order to provide a realistic assessment of security measures. There have been several high-profile instances during the year, meaning it remains highly relevant for 2026.

Other areas highlighted in our 2024/25 review were:

  • Operational Resilience – March 2025 deadline.
  • Third-party dependencies – Importance of awareness and visibility of critical third parties.
  • Thematic reporting – The challenge for assurance functions on culture and other areas.
  • Culture and tone from the top.

Get in touch

If you’d like to discuss any of the considerations above with our financial services experts, please get in touch using the button below.
