Compliance News | February 2026

This month's key compliance news includes Iran's suspected sanctions evasion, Rakuten's AML fine, an automotive cartel, Paddy Power Betfair's fine, and more.

Our pick of compliance stories this month

• Amazon confirms 16k job cuts after email error
• Crypto crime hits record $158bn in 2025
• Former bank executive pleads guilty in sexual assault case
• Ex-LCF CEO found guilty of breaching court order
• Bank of Scotland fined for sanctions breach
• Call for the FCA to tackle harmful use of AI
• AML penalities issused by EU regulators increase sixfold
• WhatsApp gains the right to challenge its €225m fine

Amazon confirms job cuts after email error

Amazon has confirmed it will cut 16,000 jobs globally, after an email about the layoffs was mistakenly sent to staff. The redundancies affect employees in the US, Canada, and Costa Rica, though the company has not detailed exactly which roles or locations will be impacted.

The move is part of Amazon's broader effort to streamline operations, reduce bureaucracy, and increase efficiency. Beth Galetti, senior vice president of people experience and technology, emphasised that these are targeted adjustments, not ongoing periodic layoffs, following the company’s previous cut of 14,000 corporate roles in October.

The layoffs, internally referred to as "Project Dawn," were expected by employees. A former staff member suggested the company may ultimately eliminate around 30,000 roles by May. While affected employees are being offered opportunities to reapply for other positions, openings are limited, and severance pay will be provided where necessary.

Since Andy Jassy became CEO, Amazon has pursued a stricter work culture, mandating full-time office attendance and closely monitoring costs, including mobile phone reimbursements. Jassy described this period as "a time to rethink everything we’ve ever done," reflecting the company’s focus on efficiency and adaptation amid rapid changes.

In addition to job cuts, Amazon will close its remaining Amazon Fresh and Amazon Go stores while expanding the Whole Foods Market brand.

Key takeaways:

• Ensure all sensitive announcements are pre-approved and reviewed by relevant teams to prevent accidental leaks or misinformation reaching employees.
• Follow local labour laws for each affected country, including proper notification periods, severance calculations, and consultation with employee representatives.
• Maintain confidentiality by using secure project codes, limiting access to sensitive information, and tracking who receives communications.
• Provide fair severance packages and clear opportunities to reapply for open roles, ensuring consistency with company policies and employment contracts.
• Adapt global policies to local requirements, making sure redundancies comply with country-specific labour regulations while maintaining organisational consistency.
• Document all structural changes, workforce planning decisions, and rationale for layoffs to mitigate legal and regulatory risks.
• Engage senior leadership throughout the process to oversee workforce decisions, support compliance, and communicate strategic rationale to employees.
  
  See our Data Protection Training Package

Crypto crime hits record $158bn in 2025

Cryptocurrency crime reached a record $158 billion in 2025, a 145% increase from 2024, according to TRM Labs' 2026 Crypto Crime Report, though illicit activity remained only about 1.2% of total crypto volume.

The surge was largely driven by Russia-linked sanctions evasion, which grew over 400%, centred on the A7 wallet cluster and the ruble-pegged stablecoin A7A5, processing over $110 billion combined.  These networks facilitated transactions for sanctioned platforms like Garantex and Grinex.

Stablecoins became the main channel for illicit flows, often routed through non-custodial services, OTC brokers, and bespoke settlement layers to evade seizure, with the stablecoin market surpassing $300 billion. Chinese underground banking and escrow networks expanded to $103 billion, supporting scams and cybercriminals across Asia-Pacific. Other criminal activity, including darknet markets and hacked/stolen funds, grew more modestly.

TRM Labs warns that as state-linked and professionalised crypto networks grow, regulators and law enforcement face increasing challenges in 2026.

Key takeaways:

• Strengthen sanctions monitoring: Prioritise screening for Russia-linked wallets and ruble-pegged stablecoins like A7A5 to detect potential sanctions evasion.

• Increase stablecoin oversight: Monitor stablecoin flows, especially through non-custodial wallets and OTC brokers, as these are now primary channels for illicit activity.

• Enhance transaction monitoring for APAC operations: Pay close attention to Chinese-language escrow and underground banking networks that may facilitate scams, money laundering, or cybercrime.

• Adapt AML/KYC processes: Ensure controls cover sophisticated state-linked and professionalised networks, not just retail-level fraud.

• Leverage blockchain analytics tools: Use on-chain intelligence to trace complex, multi-layered transactions and identify emerging criminal infrastructure.

• Stay updated on regulatory changes: Monitor developments in regions with favourable stablecoin regulations, like the U.S., to anticipate new compliance risks.

• Prepare for higher enforcement scrutiny: Regulators are likely to focus on organised and geopolitical crypto crime in 2026, requiring proactive compliance measures.

Former bank executive pleads guilty in sexual assault case

Edward Gene Smith, a former senior bank executive, has pleaded guilty in federal court in New York to multiple serious crimes, including drugging and sexually assaulting women, possessing and distributing child pornography, and attempting to obstruct justice.

Prosecutors say Smith used his wealth and influence to target vulnerable women over many years, often luring them to his residences, drugging them without consent, and then sexually abusing them. In some cases, he recorded his assaults and shared explicit material.

The charges also include possession and receipt of large quantities of child sexual abuse images. After law enforcement executed a search at his home in 2024, Smith allegedly tried to interfere with the investigation by paying a victim to provide false information.

Among the victims was a woman Smith met when she was under 18; he solicited explicit photos from her and later sexually assaulted her after she reached adulthood.

Smith faces decades in federal prison when he will formally be sentenced in May 2026. The case has drawn attention for illustrating how individuals in positions of power can exploit their status to commit and conceal abuse, and authorities are urging anyone with additional information or who may have been victimised to come forward.

Key takeaways:

• Strengthen oversight: Monitor senior executives to prevent abuse of power and influence.
• Implement reporting systems: Ensure whistleblower channels and early detection mechanisms are active.
• Enforce anti-obstruction policies: Prohibit interference with investigations or retaliation against victims.
• Address off-duty conduct risks: Include guidance on off-work behaviour that may affect organisational reputation or compliance.
• Control digital usage: Regulate and monitor technology use to prevent misuse and unlawful recording or sharing of content.
• Protect vulnerable populations: Maintain strict compliance with child protection laws and mandatory reporting.
• Prepare for reputational impact: Develop ethics programmes and crisis response plans to handle high-profile misconduct cases.

Ex-LCF CEO found guilty of breaching court order

Michael Thomson, the former chief executive of the collapsed investment firm London Capital & Finance Plc (LCF), and his wife, Debbie Thomson, have admitted breaching a court-ordered restraint order and have been held in contempt of court following action by the Serious Fraud Office (SFO).

The restraint order was put in place as part of the SFO's investigation into suspected fraud and money laundering at LCF, a probe connected to the collapse of the firm that left around 11,000 investors out of pocket.

According to the SFO, Michael Thomson admitted breaching the order twice and his wife admitted four breaches. Investigators found that, while the order was in force, the couple received a £2,000 holiday refund and sold several items, including a hot tub and horse saddles worth nearly £5,800, in violation of restrictions on dealing with restrained assets.

"This is the second time the Serious Fraud Office has successfully held Michael Thomson in contempt for brazenly breaching his restraint order. We remain committed to taking decisive action whenever we uncover restraint orders are not being adhered to."

The couple are due to be sentenced on 12 March.

Bank of Scotland fined for sanctions breach

The Bank of Scotland has been fined £160,000 by the UK's sanctions regulator, the Office of Financial Sanctions Implementation (OFSI), for breaching British financial sanctions on Russia. In February 2023, the bank processed 24 payments totalling around £77,383 to and from a personal bank account that should have been blocked under UK sanctions rules.

The account belonged to Dmitrii Ovsiannikov, a Russian national and former senior government official, who has been sanctioned by the UK for his role in supporting Moscow's actions in Ukraine.

The breach occurred because Ovsiannikov was able to open the account at Halifax, a part of the Bank of Scotland, using a UK passport with a slightly different spelling of his name than the version listed on the UK sanctions register. This discrepancy meant the bank's automated screening system did not initially flag the account.

The fine was reduced by 50% because the bank voluntarily reported the issue to the regulator after discovering the problem. OFSI's enforcement action underscores the ongoing scrutiny of UK banks' compliance with sanctions related to Russia's invasion of Ukraine. Ovsiannikov, a former Russian government minister and ex-governor of Sevastopol in Russian-occupied Crimea, had previously been convicted in the UK for evading sanctions and sentenced to prison.

Call for the FCA to tackle harmful use of AI

Financial services professionals are calling on the Financial Conduct Authority (FCA) to take a more proactive approach in tackling harmful uses of artificial intelligence in the industry. At a recent Lang Cat conference, advisers highlighted concerns that existing and emerging AI technologies could be exploited by bad actors. Examples of this include misleading clients, bypassing regulatory safeguards, or automating unsuitable product recommendations.

They argued that regulators need to make rules, not principles,so there is clearer guidance on how AI should be used responsibly as well as more agile oversight to prevent abuse before it causes harm. The discussion reflects wider industry debates about how to balance innovation with investor protection as AI tools become more prevalent in advice and distribution.

"It is such a fast moving area the FCA has to be more proactive on this stuff. They need a team that is looking at it today."

Key takeaways:

• AI governance frameworks are essential. Firms should implement clear policies governing the design, testing, deployment and monitoring of AI tools used in advice, marketing or operations.
• Consumer Duty applies to AI. AI-driven recommendations, communications and decision-making must deliver good outcomes and avoid foreseeable harm.
• Human oversight remains critical. Automated systems should not operate without meaningful supervision, escalation routes and accountability.
• Explainability and transparency matter. Firms must be able to explain how AI tools reach decisions, particularly where they affect suitability or client outcomes.
• Robust testing and monitoring are required. Ongoing validation is needed to detect bias, errors, data drift or unintended consequences.
• Third-party risk must be managed. Where AI systems are outsourced or vendor-provided, due diligence, contractual protections and oversight are crucial.
• Senior management accountability applies. Under SMCR, responsibility for AI-related risks should be clearly allocated and documented.
• Regulatory engagement should be proactive. Firms adopting advanced AI should expect increased scrutiny and should engage early with the FCA where risks are novel or complex.

AML penalities issused by EU regulators increase sixfold

European regulators dramatically increased anti‑money‑laundering (AML) penalties in 2025, with total fines and settlements rising more than sixfold compared with previous years as several long‑running investigations concluded. Major global banks were among those hit with some of the largest enforcement actions as authorities stepped up scrutiny of weaknesses in financial crime controls and compliance frameworks.

The surge in enforcement reflects growing regulatory expectations that banks must strengthen AML systems and internal controls to better detect and prevent illicit flows. Financial institutions now face heightened pressure to improve governance, technology and oversight to reduce regulatory risk and avoid costly sanctions.

Meanwhile, in the UK, lenders were hit with a series of smaller fines and settlements by the Financial Conduct Authority (FCA).

"The UK continues to show a steady and robust approach to AML enforcement, and the fines we saw in 2025 reflect just how long regulatory investigations can take,"

WhatsApp wins right to challenge its €225m fine

Meta's messaging service WhatsApp has won a significant legal victory in Europe's highest court, allowing it to challenge a €225 million (about US$268 million) privacy fine imposed by Ireland's data protection regulator under the EU's General Data Protection Regulation (GDPR).

The fine dates back to 2021, when Ireland’s Data Protection Commission (DPC) increased the penalty after intervention by the European Data Protection Board (EDPB) over complaints about how WhatsApp handled personal data.

WhatsApp had previously lost an appeal at a lower tribunal on procedural grounds, with judges ruling the company lacked legal standing to sue because the EDPB’s decision was formally directed at the Irish regulator rather than WhatsApp itself. But the Court of Justice of the European Union (CJEU) disagreed, ruling that WhatsApp does have the right to challenge the EDPB’s decision and sending the case back to the lower court to be heard on its merits.

The judgment is seen as potentially important for other large tech companies facing GDPR enforcement, as it confirms that decisions influenced by the EDPB can be contested in EU courts and not just through national regulators' processes. WhatsApp welcomed the ruling, saying it supports the principle that businesses and individuals should be able to hold the EDPB accountable through legal challenge.

Key takeaways:

• Ensure the ability to legally challenge EU-level decisions: Establish internal processes to assess and, if needed, contest EDPB or cross-border regulatory rulings.
• Implement robust cross-border compliance frameworks: Strengthen data protection systems across all EU jurisdictions to manage coordinated enforcement and minimise regulatory gaps.
• Maintain strict procedural diligence: Keep thorough documentation and ensure legal standing when responding to or appealing regulator actions to avoid procedural rejections.
• Engage proactively with regulators: Communicate early with both national and EU-level regulators to clarify expectations and potentially prevent escalated penalties.
• Monitor and mitigate financial risk: Regularly review GDPR compliance to reduce exposure to substantial fines, like the €225 million originally imposed on WhatsApp.
• Track legal precedents and adjust risk strategies: Stay informed of rulings that affect GDPR enforcement to adapt policies, train staff, and anticipate future regulatory challenges.

Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.