
Compliance News | November 2025

Last updated: November 25, 2025

This month's key compliance news includes Cloudflare's global outage, Coinbase's AML fine, the introduction of the UK Cyber Security and Resilience Bill to Parliament, NCSC's warning of a rise in cyber scams and more.

Our pick of compliance stories this month


66% of employees with learning disabilities feel unsupported

A new UK survey by Hilton shows significant gaps in workplace support for employees with learning disabilities. Two-thirds (66%) say employers have never asked what adjustments they need, and 57% feel their organisation is not structured to support them. Nearly half report inadequate backing from their employer (49%) and colleagues (44%).

Employees identified on-the-job training (56%) and mentor or buddy schemes (38%) as the most effective support measures. Representation also remains limited: while 74% would feel more confident applying for roles if they saw others with similar disabilities in customer-facing jobs, only 16% currently have a relatable workplace role model.

For compliance teams, the findings underline the need for proactive adjustment processes, regular check-ins on support needs, clearer inclusivity frameworks, and stronger partnerships with specialist organisations.

Key takeaways:

  • Proactively ask about support needs: Most employees with learning disabilities aren't being asked what adjustments they require. Regular, structured check-ins can close this gap.
  • Strengthen organisational readiness: Over half of respondents feel their employer isn't set up to support learning disabilities, signalling the need for clearer processes and policies.
  • Invest in practical support: On-the-job training and buddy/mentoring schemes are highly valued and can improve both confidence and performance.
  • Improve workplace representation: Visible role models with learning disabilities can encourage applications and boost inclusion.
  • Build partnerships with specialists: Collaborating with disability employment organisations can help design tailored pathways and support programmes.
  • Prioritise team awareness: Ensuring colleagues understand and support adjustments is as important as formal employer policies.


Cloudflare global outage exposes dependency risks

On 18 November 2025, a global Cloudflare outage disrupted traffic across the internet, affecting services including ChatGPT, X (formerly Twitter), Discord, and several major e-commerce and media platforms. The trigger was not an attack but an internal change: a permissions change on a ClickHouse database cluster altered the output of the query that generates the configuration ("feature") file for Cloudflare's Bot Management system, so the generated file grew beyond the size limit built into the software that consumes it.

The oversized file propagated across Cloudflare's edge network, where the software that loads it failed, leading to intermittent failures in proxying, security modules, Workers KV, Turnstile, and dashboard access. The outage exposed significant dependency risks: even top-tier providers can fail because of an internal configuration error, and a single such error can disrupt thousands of downstream businesses at once.

Companies that rely heavily on a single Content Delivery Network (CDN) or edge provider are particularly vulnerable to cascading outages, affecting both customer access and internal operations. The incident underscores the importance of building redundancy and contingency plans for critical services that depend on external infrastructure.

Key takeaways:

  • Ensure visibility of upstream dependencies (CDN, security gateway, edge-proxy) and include them in incident-response plans.
  • Review change-management and propagation safeguards for configuration files, especially those that distribute globally.
  • Maintain contingency capabilities (e.g., alternative routing, bypasses) when a major edge-provider fails.
  • Monitor not just origin-system availability, but also the delivery chain (edge, proxy, bot-management) that sits between users and applications.
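The second takeaway, safeguards on configuration files that are generated and pushed globally, is worth seeing in code. The following is an added example, not Cloudflare's code or file format: it assumes a hypothetical JSON feature file with a hard limit of 200 entries, and contrasts the brittle pattern (trust the generated file, hit the limit at load time and crash) with a publish-time gate that rejects a bad candidate and keeps the last-known-good copy serving. The sample inputs are constructed.

```python
"""Config-propagation safeguard (added example; not Cloudflare's code).

A generated feature file is validated against a hard limit *before* it is
promoted to the fleet. A bad candidate is rejected with a reason and the
previous good configuration stays in service, instead of a runtime failure
at every node that loads the file.
"""
import json
from collections import Counter

MAX_FEATURES = 200  # hypothetical hard limit compiled into the consumer


class ConfigValidationError(ValueError):
    """Raised when a candidate feature file must not be propagated."""


def load_features_unsafe(raw: str) -> list[dict]:
    """The brittle pattern: trust the generated file and let the consumer
    discover the problem at load time (here an assertion that takes the
    process down). Every node that receives the file fails the same way."""
    features = json.loads(raw)["features"]
    assert len(features) <= MAX_FEATURES, "feature count exceeds preallocated limit"
    return features


def validate_features(raw: str) -> list[dict]:
    """Reject a candidate that would not fit, and say why."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ConfigValidationError(f"malformed feature file: {exc}") from None
    features = doc.get("features")
    if not isinstance(features, list):
        raise ConfigValidationError("missing 'features' list")
    # Duplicate rows are the signature of an upstream query regression
    # (e.g. the generator suddenly seeing each row from two schemas).
    counts = Counter(f.get("name") for f in features)
    dupes = sorted(name for name, n in counts.items() if n > 1)
    if dupes:
        raise ConfigValidationError(f"duplicate feature rows {dupes[:3]}")
    if len(features) > MAX_FEATURES:
        raise ConfigValidationError(
            f"{len(features)} features exceed limit of {MAX_FEATURES}")
    return features


def rollout(raw_candidate: str, last_known_good: list[dict]) -> tuple[list[dict], str]:
    """Gate at the point of propagation: a bad candidate never leaves the
    publisher; callers keep serving the previous good configuration."""
    try:
        return validate_features(raw_candidate), "promoted"
    except ConfigValidationError as exc:
        return last_known_good, f"rejected: {exc}"


def make_file(n: int, duplicate: bool = False) -> str:
    """Constructed sample: n distinct feature rows, optionally emitted twice
    to mimic a generator whose query started returning each row twice."""
    rows = [{"name": f"feat_{i}", "weight": i % 7} for i in range(n)]
    if duplicate:
        rows = rows + rows
    return json.dumps({"features": rows})


if __name__ == "__main__":
    good = validate_features(make_file(150))
    for candidate in (make_file(150, duplicate=True), make_file(250), "{not json"):
        cfg, status = rollout(candidate, good)
        print(status, "- serving", len(cfg), "features")
```

The point of the gate is where it sits: validation runs once in the publishing pipeline, with a reason attached, so an oversized or duplicated file is a rejected change rather than a fleet-wide crash, and the rollback path (keep serving the last-known-good copy) needs no human in the loop.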


Shoppers warned of rise in cyber scams ahead of Black Friday

As the festive shopping season approaches, the National Cyber Security Centre (NCSC) is urging consumers to remain vigilant against online scams. Criminals often exploit bargain hunters using fake websites, cloned stores, fraudulent delivery notifications, and urgent "limited-time offer" messages.

The risk is significant, with over £11.8 million lost to online shopping fraud during last year's festive period (1 November 2024 to 31 January 2025), according to the City of London Police, the UK's operational lead on fraud.

The NCSC advises the following to guard against fraud:

  • Verify sellers before purchasing and check reviews on trusted platforms.
  • Enable two-step verification (2SV) on accounts for added security.
  • Use safe payment methods like credit cards or secure payment services rather than direct bank transfers.
  • Be cautious with delivery notifications — verify directly with the courier before clicking any links.

Suspicious emails, messages, or websites should be reported immediately. Compliance and cyber teams also need to raise awareness internally, reminding employees and customers to follow safe online shopping practices during the high-risk festive period.

Coinbase fined €21.5m for AML failings

Coinbase has been fined €21.5 million by the Central Bank of Ireland for serious anti-money laundering (AML) and Know-Your-Customer (KYC) failings. The regulator found that Coinbase failed to properly monitor 30.4 million transactions over a year, representing around 31% of its total transaction volume, and delayed filing over 2,700 suspicious transaction reports linked to crimes such as fraud, cyberattacks, and child exploitation.

Coinbase admitted the failures were caused by software faults in five of its 21 risk scenarios, including transactions containing special characters that the rules did not screen correctly. In addition, internal AML and counter-terrorist financing (CTF) policies were insufficient, leaving 184,790 high-risk transactions without enhanced monitoring. The fine was reduced by 30% for early settlement.

Coinbase has since strengthened its monitoring system, fixed the coding errors, and implemented additional testing and validation. The firm stated it remains committed to compliance and to building a “trusted, secure, and compliant platform.”

Key takeaways:

  • Audit and validate transaction-monitoring systems regularly to catch coding errors or blind spots.
  • Implement real-time monitoring for AML/CTF compliance; ensure alerts trigger immediate review.
  • Review and strengthen AML/CTF policies and procedures, making sure staff know how to escalate high-risk activity.
  • Apply enhanced oversight for high-volume or high-risk transactions to prevent gaps in monitoring.
  • Engage proactively with regulators and report issues promptly to reduce potential fines.
  • Test system changes and updates thoroughly before deployment, including unusual scenarios (e.g., special characters in transactions).
  • Train staff on detecting suspicious activity and ensure clear processes for escalating alerts.
  • Treat STRs as a supplement, not a substitute: filing a report after the fact does not replace flagging suspicious activity in real time.
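The "special characters" fault and the takeaway about testing unusual inputs describe a concrete failure mode: a screening rule that silently treats records it does not understand as clean. The following is an added example, not Coinbase's monitoring code; the watchlist, the transactions (with diacritics, a non-breaking space and a symbol) and both rule implementations are constructed to show the blind spot and one way to close it by normalising input before matching.

```python
"""Transaction screening and the 'special characters' blind spot
(added example; not Coinbase's code).

screen_naive() returns False for any name it cannot parse, so unexpected
characters mean *no alert*. screen_hardened() normalises first, so the
same counterparty is matched however it is spelled or spaced.
"""
import re
import unicodedata

# Constructed watchlist of counterparty names the rule must match.
WATCHLIST = {"acme holdings", "zeta transfer co"}

# Constructed transactions. t3-t5 carry characters outside the naive rule's
# expectations: accented letters, a no-break space (U+00A0), and a symbol.
TRANSACTIONS = [
    {"id": "t1", "counterparty": "Acme Holdings", "amount": 12000},
    {"id": "t2", "counterparty": "Retail Shop Ltd", "amount": 40},
    {"id": "t3", "counterparty": "\u00c1cme H\u00f3ldings", "amount": 9000},
    {"id": "t4", "counterparty": "Zeta\u00a0Transfer Co.", "amount": 15000},
    {"id": "t5", "counterparty": "Acme Holdings \u2606", "amount": 500},
]

ASCII_NAME = re.compile(r"^[A-Za-z0-9 ]+$")


def screen_naive(tx: dict) -> bool:
    """Brittle rule: only screens names it 'understands'; anything else is
    silently treated as clean. The scenario never fires for t3, t4 or t5."""
    name = tx["counterparty"]
    if not ASCII_NAME.match(name):
        return False  # the blind spot: unexpected characters -> no alert
    return name.lower() in WATCHLIST


def normalise(name: str) -> str:
    """Fold a name to a comparable form: compatibility-decompose (NFKD, which
    also maps U+00A0 to a plain space), drop combining marks, replace any
    non-alphanumeric character with a space, collapse whitespace, lowercase."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    kept = "".join(ch if ch.isalnum() else " " for ch in stripped)
    return " ".join(kept.split()).lower()


def screen_hardened(tx: dict) -> bool:
    """Normalise first, then match; formatting the rule did not anticipate
    can no longer turn a hit into a miss."""
    return normalise(tx["counterparty"]) in WATCHLIST


def run(screen_fn, txs=TRANSACTIONS) -> list[str]:
    """Return the ids the given rule flags."""
    return [tx["id"] for tx in txs if screen_fn(tx)]


def coverage_gap(txs=TRANSACTIONS) -> list[str]:
    """Transactions the hardened rule flags but the naive rule lets through:
    exactly the records that would have gone unreported."""
    naive = set(run(screen_naive, txs))
    return [tid for tid in run(screen_hardened, txs) if tid not in naive]


if __name__ == "__main__":
    print("naive flagged:   ", run(screen_naive))
    print("hardened flagged:", run(screen_hardened))
    print("missed by naive: ", coverage_gap())
```

The useful habit here is the last function: keeping a constructed corpus of awkward inputs (accents, non-breaking spaces, symbols, mixed scripts) and diffing the old and new rule's output on every change gives a regression test for exactly the class of fault the regulator found, rather than relying on production alerts to reveal it.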


UK Cyber Security and Resilience Bill officially introduced to Parliament

The UK's Cyber Security and Resilience Bill has now been introduced to Parliament. This is a major update to the country's cybersecurity regulation, designed to modernise and strengthen the framework established under the NIS Regulations. The Bill expands the scope of regulation to include more digital services such as data centres, managed service providers, and other critical infrastructure.

It introduces a new category of “Critical Suppliers" subject to stricter cyber duties, and imposes tighter incident-reporting requirements, including notifications within 24 hours and full reports within 72 hours. Regulators are also granted stronger enforcement powers, with the National Cyber Security Centre (NCSC) playing a formal role in assessing compliance via the Cyber Assessment Framework (CAF).

The Bill is significant because it addresses rising cyber threats to essential services and the wider economy. It strengthens the UK's resilience against cyber criminals and hostile actors, tackles supply-chain vulnerabilities, and ensures regulators have the tools to enforce compliance. By promoting timely reporting and stronger oversight, the legislation aims to reduce disruption from attacks while supporting a secure and trustworthy digital economy.

"Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target."

- Liz Kendall, Science, Innovation and Technology Secretary

UK businesses need to understand that the Bill widens the regulatory net, particularly affecting managed service providers, data centres, and other digital service firms. Companies should assess their suppliers, especially those that could be designated as Critical Suppliers, and strengthen incident response and recovery processes.

Alignment with the NCSC Cyber Assessment Framework, robust third-party risk management, and board-level ownership of cyber resilience will be essential to meet regulatory expectations. Firms should prepare for potential audits, enforcement action, and cost recovery from regulators, ensuring that cyber risk is embedded into governance, not just technical operations.


GenAI and deepfakes fuel rising digital identity fraud

Fraudsters are increasingly exploiting generative AI (GenAI) and deepfake technology to commit identity fraud, according to Entrust, which analysed over 1 billion identity verifications globally between September 2024 and September 2025.

Digital forgeries now account for 35% of document fraud attempts, while deepfakes make up 20% of biometric fraud attempts, including synthetic IDs, animated selfies, and manipulated video. Injection-style attacks, where AI-generated content is fed directly into verification systems, have increased by 40% year-on-year.

The financial sector is particularly affected: crypto (60%), digital-first banks (22%), and payments services (13%) see the most deepfake fraud attempts. Generative AI lowers the barrier for creating realistic fake IDs, making identity verification a critical frontline defence.

"Generative AI and shared tactics fuel volumes and sophistication, targeting people, credentials and systems. Identity is now the front line, and protecting it with trusted, verified identity across the customer lifecycle is essential to staying ahead of adaptive threats."

- Simon Horswell, Entrust

Key takeaways:

  • Expect AI-driven fraud: Generative AI makes it easier to create realistic fake IDs and manipulate biometric data.
  • Strengthen identity verification: Update systems to detect deepfakes, synthetic IDs, and AI-generated images or videos.
  • Monitor for injection attacks: Be aware that fraudsters may feed fake content directly into verification workflows, not just via user presentation.
  • Prioritise fraud intelligence: Use threat reports and analytics to identify emerging attack patterns and adjust controls accordingly.
  • Adopt adaptive security: Regularly review and evolve identity-verification processes to keep pace with rapidly evolving AI threats.
  • Focus on high-risk sectors: Financial services, crypto, digital-first banks, and payments platforms are most targeted.
  • Train staff: Ensure teams understand AI-driven fraud risks and know how to escalate suspicious activity.


Identity verification rollout confirmed by Companies House

From 18 November 2025, all new UK company directors and "persons with significant control" (PSCs) must verify their identity with Companies House. Existing directors and PSCs have a 12‑month transition period to complete verification when they next file their annual confirmation statement or as scheduled by Companies House.

Verification can be done via GOV.UK One Login or through an Authorised Corporate Service Provider (ACSP), after which individuals receive a personal code that must be used for each company role they hold.

The rollout aims to improve the reliability and transparency of the companies register, making it harder for fraudsters to misuse corporate entities. Failing to verify will become an offence once the duties commence, although Companies House plans a proportionate approach to enforcement during the initial rollout.

"Identity verification will play a key role in giving confidence to investors and consumers alike, ensuring greater transparency about the organisations they do business with."

- Justin Madders MP, Competition and Markets Minister

Between 6 and 7 million directors and PSCs are expected to verify by November 2026, with verification due dates visible on the public register.

Companies should review the verification status of their directors and PSCs, provide guidance on completing verification, ensure personal codes are used for filings, and integrate this requirement into corporate governance processes to remain compliant.


Contracts for Difference: FCA issues consumer alert

The FCA has issued a warning to consumers and investors regarding Contracts for Difference (CFDs), highlighting that they are complex, high-risk products capable of causing substantial losses. The regulator is particularly concerned about firms pressuring retail clients to reclassify as professional clients, which removes protections such as leverage limits and client-loss safeguards.

Additionally, unregulated social media influencers, or "finfluencers," are promoting CFDs for offshore firms without adequate risk disclosure, contributing to more than 90,000 people losing £75 million over four years.

Under its Consumer Duty, the FCA found several CFD providers failing to deliver fair value. Issues included poor handling of customer complaints, unclear or unjustified overnight funding charges, and separate charging for long and short matched positions with minimal benefit. The FCA has warned firms to improve their practices and indicated that it may take further action against providers that fail to meet standards.

Key takeaways

This relates specifically to those firms offering CFDs:

  • Ensure fair value: Review pricing and product features to make sure they deliver real value to clients.
  • Justify all fees: Be transparent about all charges, including overnight funding and position-related costs.
  • Manage complaints proactively: Establish clear processes for handling complaints and incorporate feedback into value assessments.
  • Comply with marketing rules: Avoid misleading promotions, especially via social media influencers.
  • Protect retail clients: Do not pressure clients to reclassify as professional clients, which removes important protections.
  • Prepare for regulatory scrutiny: The FCA will continue monitoring compliance, and enforcement action is possible for non-compliant providers.


CMA launches major online pricing crackdown

The Competition and Markets Authority (CMA) has launched a major consumer‑protection drive targeting misleading online pricing practices under its new powers from the Digital Markets, Competition and Consumers Act 2024 (DMCCA). The authority is investigating eight companies, including StubHub, viagogo, Wayfair, Gold’s Gym, and Appliances Direct, over issues such as hidden fees, drip-pricing, misleading countdown timers, and auto-opt-in charges.

In parallel, the CMA has sent advisory letters to 100 businesses across 14 sectors, including travel, gyms, homeware, and live events, urging them to review their online pricing practices and comply with new transparency rules.

The CMA has also published finalised guidance for firms to help them understand legal obligations. Under the DMCCA, it can enforce compliance directly without court action, with fines of up to 10% of global turnover and potential requirements to compensate affected customers.

"It’s crucial that people are able to shop online with confidence, knowing that the price they see is the price they’ll pay, and any sales are genuine... It’s our job to protect consumers from misleading prices and illegal pressure selling, and today marks an important milestone as we take action across the economy to make sure businesses do the right thing by their customers."

- Sarah Cardell, Chief Executive, CMA

For businesses, the key actions are to audit pricing practices, ensure compliance with the CMA’s transparency guidance, prepare for potential enforcement, and proactively review sales and marketing models, particularly in high-risk sectors. Early compliance will help mitigate risks of penalties and reputational damage.
