This month's key compliance news includes Cloudflare's global outage, Coinbase's AML fine, the introduction of the UK Cyber Security and Resilience Bill to Parliament, NCSC's warning of a rise in cyber scams and more.
A new UK survey by Hilton shows significant gaps in workplace support for employees with learning disabilities. Two-thirds (66%) say employers have never asked what adjustments they need, and 57% feel their organisation is not structured to support them. Nearly half report inadequate backing from their employer (49%) and colleagues (44%).
Employees identified on-the-job training (56%) and mentor or buddy schemes (38%) as the most effective support measures. Representation also remains limited: while 74% would feel more confident applying for roles if they saw others with similar disabilities in customer-facing jobs, only 16% currently have a relatable workplace role model.
For compliance teams, the findings underline the need for proactive adjustment processes, regular check-ins on support needs, clearer inclusivity frameworks, and stronger partnerships with specialist organisations.
On 18 November 2025, a global Cloudflare outage disrupted traffic across the internet, affecting services including ChatGPT, X (formerly Twitter), Discord, and several major e-commerce and media platforms. The outage was triggered by a permissions change in a ClickHouse database cluster, which caused a configuration file for Cloudflare’s Bot Management system to exceed software limits.
This oversized file propagated across Cloudflare’s edge network, leading to intermittent failures in proxying, security modules, Workers KV, Turnstile, and dashboard access. The Cloudflare outage exposed significant dependency risks, highlighting that even top-tier providers can experience failures due to internal configuration errors, which can disrupt thousands of downstream businesses.
Companies that rely heavily on a single Content Delivery Network (CDN) or edge provider are particularly vulnerable to cascading outages, affecting both customer access and internal operations. The incident underscores the importance of building redundancy and contingency plans for critical services that depend on external infrastructure.
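The failure pattern in this item, as an added illustration rather than Cloudflare's own code: a publisher that validates a generated feature file against the consuming component's hard limit before propagating it, and otherwise keeps serving the last known good version. The limit, the JSON shape and the duplicate-name check are constructed assumptions for the example.

```python
import json

# Constructed limit standing in for the consumer's hard cap on feature count.
MAX_FEATURES = 200


class ConfigValidationError(ValueError):
    """Raised when a generated file would not load safely downstream."""


def validate_feature_file(raw, max_features=MAX_FEATURES):
    """Parse a generated feature file and reject anything the consumer could
    not handle: malformed JSON, wrong shape, too many entries, duplicates."""
    data = json.loads(raw)
    features = data.get("features")
    if not isinstance(features, list):
        raise ConfigValidationError("missing 'features' list")
    if len(features) > max_features:
        raise ConfigValidationError(
            f"{len(features)} features exceeds limit {max_features}")
    names = [f.get("name") for f in features]
    if len(names) != len(set(names)):
        # Duplicated rows from an upstream query are a common way a
        # generated file silently doubles in size (assumed check).
        raise ConfigValidationError("duplicate feature names")
    return data


class FeaturePublisher:
    """Holds the last known good config and only replaces it with a
    validated candidate, so a bad generation never reaches consumers."""

    def __init__(self, known_good):
        self.current = known_good
        self.rejected = 0

    def publish(self, raw):
        try:
            self.current = validate_feature_file(raw)
        except (ConfigValidationError, json.JSONDecodeError):
            self.rejected += 1  # keep serving the last known good version
            return False
        return True


def make_file(n, duplicate=False):
    """Build a constructed feature file with n entries (optionally doubled)."""
    names = [f"feature_{i}" for i in range(n)]
    if duplicate:
        names = names + names
    return json.dumps({"features": [{"name": nm} for nm in names]})
```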
As the festive shopping season approaches, the National Cyber Security Centre (NCSC) is urging consumers to remain vigilant against online scams. Criminals often exploit bargain hunters using fake websites, cloned stores, fraudulent delivery notifications, and urgent "limited-time offer" messages.
The risk is significant, with over £11.8 million lost to online shopping fraud during last year's festive period (1 November 2024 to 31 January 2025), according to the City of London Police, the UK's operational lead on fraud.
The NCSC advises the following to guard against fraud:
Coinbase has been fined €21.5 million by the Central Bank of Ireland for serious anti-money laundering (AML) and Know-Your-Customer (KYC) failings. The regulator found that Coinbase failed to properly monitor 30.4 million transactions over a year, representing around 31% of its total transaction volume, and delayed filing over 2,700 suspicious transaction reports linked to crimes such as fraud, cyberattacks, and child exploitation.
Coinbase admitted the failures were caused by software faults in five out of 21 risk scenarios, including transactions containing special characters that were not screened correctly. In addition, internal AML and counter-terrorist financing (CTF) policies were insufficient, leaving 184,790 high-risk transactions without enhanced monitoring. The fine was reduced by 30% for early settlement.
Coinbase has since strengthened its monitoring system, fixed the coding errors, and implemented additional testing and validation. The firm stated it remains committed to compliance and to building a “trusted, secure, and compliant platform.”
The UK's Cyber Security and Resilience Bill has now been introduced to Parliament. This is a major update to the country's cybersecurity regulation, designed to modernise and strengthen the framework established under the NIS Regulations. The Bill expands the scope of regulation to include more digital services such as data centres, managed service providers, and other critical infrastructure.
It introduces a new category of "Critical Suppliers" subject to stricter cyber duties, and imposes tighter incident-reporting requirements, including notifications within 24 hours and full reports within 72 hours. Regulators are also granted stronger enforcement powers, with the National Cyber Security Centre (NCSC) playing a formal role in assessing compliance via the Cyber Assessment Framework (CAF).
The Bill is significant because it addresses rising cyber threats to essential services and the wider economy. It strengthens the UK's resilience against cyber criminals and hostile actors, tackles supply-chain vulnerabilities, and ensures regulators have the tools to enforce compliance. By promoting timely reporting and stronger oversight, the legislation aims to reduce disruption from attacks while supporting a secure and trustworthy digital economy.
"Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target."
- Liz Kendall, Science, Innovation and Technology Secretary
UK businesses need to understand that the Bill widens the regulatory net, particularly affecting managed service providers, data centres, and other digital service firms. Companies should assess their suppliers, especially those that could be designated as Critical Suppliers, and strengthen incident response and recovery processes.
Alignment with the NCSC Cyber Assessment Framework, robust third-party risk management, and board-level ownership of cyber resilience will be essential to meet regulatory expectations. Firms should prepare for potential audits, enforcement action, and cost recovery from regulators, ensuring that cyber risk is embedded into governance, not just technical operations.
Fraudsters are increasingly exploiting generative AI (GenAI) and deepfake technology to commit identity fraud, according to Entrust, which analysed over 1 billion identity verifications globally between September 2024 and 2025.
Digital forgeries now account for 35% of document fraud attempts, while deepfakes make up 20% of biometric fraud attempts, including synthetic IDs, animated selfies, and manipulated video. Injection-style attacks, where AI-generated content is fed directly into verification systems, have increased by 40% year-on-year.
The financial sector is particularly affected: crypto (60%), digital-first banks (22%), and payments services (13%) see the most deepfake fraud attempts. Generative AI lowers the barrier for creating realistic fake IDs, making identity verification a critical frontline defence.
"Generative AI and shared tactics fuel volumes and sophistication, targeting people, credentials and systems. Identity is now the front line, and protecting it with trusted, verified identity across the customer lifecycle is essential to staying ahead of adaptive threats."
- Simon Horswell, Entrust
From 18 November 2025, all new UK company directors and "persons with significant control" (PSCs) must verify their identity with Companies House. Existing directors and PSCs have a 12-month transition period to complete verification when they next file their annual confirmation statement or as scheduled by Companies House.
Verification can be done via GOV.UK One Login or through an Authorised Corporate Service Provider (ACSP), after which individuals receive a personal code that must be used for each company role they hold.
The rollout aims to improve the reliability and transparency of the companies register, making it harder for fraudsters to misuse corporate entities. Failing to verify will become an offence once the duties commence, although Companies House plans a proportionate approach to enforcement during the initial rollout.
"Identity verification will play a key role in giving confidence to investors and consumers alike, ensuring greater transparency about the organisations they do business with."
- Justin Madders MP, Competition and Markets Minister
Between 6 and 7 million directors and PSCs are expected to verify by November 2026, with verification due dates visible on the public register.
Companies should review the verification status of their directors and PSCs, provide guidance on completing verification, ensure personal codes are used for filings, and integrate this requirement into corporate governance processes to remain compliant.
The FCA has issued a warning to consumers and investors regarding Contracts for Difference (CFDs), highlighting that they are complex, high-risk products capable of causing substantial losses. The regulator is particularly concerned about firms pressuring retail clients to reclassify as professional clients, which removes protections such as leverage limits and client-loss safeguards.
Additionally, unregulated social media influencers, or "finfluencers," are promoting CFDs for offshore firms without adequate risk disclosure, contributing to more than 90,000 people losing £75 million over four years.
Under its Consumer Duty, the FCA found several CFD providers failing to deliver fair value. Issues included poor handling of customer complaints, unclear or unjustified overnight funding charges, and separate charging for long and short matched positions with minimal benefit. The FCA has warned firms to improve their practices and indicated that it may take further action against providers that fail to meet standards.
This relates specifically to those firms offering CFDs:
The Competition and Markets Authority (CMA) has launched a major consumer-protection drive targeting misleading online pricing practices under its new powers from the Digital Markets, Competition and Consumers Act 2024 (DMCCA). The authority is investigating eight companies, including StubHub, viagogo, Wayfair, Gold's Gym, and Appliances Direct, over issues such as hidden fees, drip-pricing, misleading countdown timers, and auto-opt-in charges.
In parallel, the CMA has sent advisory letters to 100 businesses across 14 sectors, including travel, gyms, homeware, and live events, urging them to review their online pricing practices and comply with new transparency rules.
The CMA has also published finalised guidance for firms to help them understand legal obligations. Under the DMCCA, it can enforce compliance directly without court action, with fines of up to 10% of global turnover and potential requirements to compensate affected customers.
"It's crucial that people are able to shop online with confidence, knowing that the price they see is the price they'll pay, and any sales are genuine... It's our job to protect consumers from misleading prices and illegal pressure selling, and today marks an important milestone as we take action across the economy to make sure businesses do the right thing by their customers."
- Sarah Cardell, Chief Executive, CMA
For businesses, the key actions are to audit pricing practices, ensure compliance with the CMA’s transparency guidance, prepare for potential enforcement, and proactively review sales and marketing models, particularly in high-risk sectors. Early compliance will help mitigate risks of penalties and reputational damage.
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.