Introduction
We ended 2025 under a steady stream of year-end publications from the Financial Conduct Authority, plenty of reading material for the average person! Looking ahead to 2026, the regulatory agenda will continue with that momentum. That said, for most traditional financial services firms, the principles underpinning the regulatory framework have not changed. The business still needs to operate, decisions still need to be made, and risk still needs to be managed.
What is changing is the expectation. Regulators are looking for stronger execution rather than more documentation: faster access to data, clearer evidence trails, and compliance functions that can respond at pace while staying aligned with actual business operations rather than theory.
Against that backdrop, it is easy to be distracted by the hefty volume of publications, but that can just be noise. The real challenge for 2026 will be ensuring that the basics are not just in place, but working well in practice.
With that in mind, we have set out a practical set of focus areas to help compliance teams strengthen their foundations and prepare for the year ahead.
Happy New Year!
1. Old dog, re-test old tricks
What teams should be doing now:
- Re-test core frameworks (AML, conduct, operational resilience, consumer outcomes) against the FCA’s strategic priorities: supporting consumers, fighting financial crime, and being a data-driven, smarter regulator.
- Refresh enterprise-wide and thematic risk assessments, checking that risks, controls and MI still align with how the business actually operates. This is especially crucial for businesses that have launched new products or product types, or where business strategy has shifted.
- Review issue and breach logs to ensure themes are tracked, escalated and closed with evidence.
- Validate that management information used at committee level is fit for purpose, can be reconciled back to source data and can be used to actually drive strategic discussions.
2. Behaviour outcomes and conduct-first approach
What teams should be doing now:
- Review non-financial misconduct, conduct and whistleblowing frameworks for consistency across HR, compliance and legal.
- Map how conduct risks are identified, escalated and linked to SMCR responsibilities in practice.
- Test whether grievances, disciplinary actions and whistleblowing data are reviewed collectively rather than in silos.
- Assess whether training outcomes, not just completion, are monitored and challenged.
- For those in scope of the FCA’s Non-Financial Misconduct Policy Requirements PS 25/23, we have written a more detailed breakdown.
3. Data quality and explainability
What teams should be doing now:
- Be clear on which data goes into regulatory reporting and matters for regulatory purposes, and who is actually responsible for it, both at sign-off level and day-to-day.
- Make sure you can explain where key compliance and regulatory reports pull their data from and how that data is produced.
- Review where spreadsheets, manual fixes or workarounds are being used in compliance processes, and why.
- Sense-check whether you could clearly explain and evidence your regulatory data to a regulator if asked, without relying on one individual.
4. AI governance in practice
What teams should be doing now:
- Map all third-party technology used in the business, identify where those relationships are critical to decision-making, and map where that technology is also using AI.
- Create and maintain an inventory of AI and advanced analytics use cases across the business (including compliance tools).
- Define ownership, accountability and approval standards for AI models and vendors.
- Test model governance processes: validation, monitoring, bias considerations and change management.
- Ensure AI governance aligns with existing risk frameworks. This might start as a standalone policy, but best practice is for AI governance to be integrated rather than siloed.
5. Outsourcing, third-party and vendor risk
What teams should be doing now:
- Re-map critical third parties supporting compliance, risk and regulatory processes.
- Review due diligence depth for RegTech and data providers, not just outsourcing providers. In some areas, such as AML and KYC, technology providers are somewhat replacing traditional outsourcing partners.
- Assess concentration risk and substitutability, particularly for single-vendor solutions.
- Refresh exit and contingency plans and test whether they are operational.
6. Faster regulatory response expectations
What teams should be doing now:
- Review escalation frameworks to ensure issues move quickly from identification to decision-making forums.
- Assess whether regulatory responses rely on individuals or are supported by structured processes and data.
- Pre-define responses to common supervisory requests (ownership, data pulls, thematic reviews, attestations).
- Test whether remediation plans are time-bound, owned and tracked through to closure.
7. Compliance as a strategic function
What teams should be doing now:
- Assess whether compliance is embedded early in product development, technology change and transformation initiatives.
- Review committee structures to ensure compliance input influences decisions rather than rubber-stamps outcomes.
- Map how regulatory risk is considered alongside commercial and operational risk in senior forums.
- Identify areas where compliance can proactively improve efficiency or decision quality, not just reduce risk.
How Elira can help you
🔒 BAU – Targeted operational support that strengthens core compliance capacity. We help firms keep core frameworks effective and evidence-led as regulatory expectations shift toward outcomes, data quality and execution. BAU stays robust, defensible and aligned with how the business actually operates.
🔍 Framework Review – Independent evaluation to identify meaningful efficiencies and control enhancements. Focused assessment of what’s working, what isn’t, and where regulatory risk is truly material. We cut through control noise to strengthen evidence, prioritisation and supervisory defensibility.
📈 Future Planning – A forward-looking roadmap that positions firms ahead of regulatory change. We translate emerging regulatory expectations into practical roadmaps that align governance, resourcing and delivery, keeping compliance proactive rather than reactive.
🧰 Tech Procurement & Integration – Independent support to select and embed compliance technology. We support technology choices that improve data quality, transparency and regulatory evidence, ensuring tools genuinely enhance control effectiveness rather than add complexity.