It's that time again when we look ahead to what’s on the horizon in 2026. As always, there are challenges linked to new regulations, technologies and geopolitical turbulence – so what will be keeping compliance teams busy next year?
Key takeaways
- Emerging technologies present opportunities and risks. With AI becoming increasingly embedded into businesses, compliance teams must balance innovation with ethical oversight, proactive risk management, and strong cybersecurity.
- Global pressures demand greater resilience. Climate change, geopolitical tension, and complex supply chain issues expose organisations to operational and regulatory risks that require detailed ESG and compliance frameworks.
- Workplace culture cannot be overlooked. Rising polarisation, harassment, and discrimination pose tangible threats to a company’s stability. Organisations must foster an open, inclusive, and ethical working environment for their employees.
Technology continues to transform how businesses operate, bringing with it a new set of risks from cyber attacks and AI-driven fraud. At the same time, workplace culture and labour rights are under increasing scrutiny, with regulators, investors, and the public expecting greater transparency from organisations.
Outside of offices and boardrooms, political tension is running high. Trade disputes and sanctions are creating uncertainty, and our global supply chains continue to be upended by regional conflict and extreme weather.
Add this to the usual expansion of compliance regulations, and you have a picture of a demanding year ahead.
We’ll explore the key compliance challenges companies can expect in 2026 and highlight the steps they can take to manage them effectively.
What are the biggest challenges faced by compliance in 2026?
- Focus on trusted Artificial Intelligence (AI)
- Climate change & ESG
- Geopolitical tension
- Financial crime
- Fraud
- Increased and diverging regulations
- Polarisation, workplace tension and security
- Ethics and culture
- Modern Slavery and forced labour
- Cybercrime and Third-Party Risk Management (TPRM)
1. Trusted Artificial Intelligence (AI)
After a year of rapid adoption across nearly every sector, companies are expected to embed AI, including generative AI, more deeply into their operations in 2026.
As governments commit to building new data centres, and companies continue to invest in AI innovations, concerns about the technology's ethics and energy consumption will only grow. Goldman Sachs has predicted that AI will drive a 165% increase in data centre power demand by 2030, making data centres a material and fast-growing share of global electricity demand.
These figures make uncomfortable reading for companies committed to clean energy transitions and climate targets, while pressing ahead with AI initiatives.
The volatile economics of the AI boom make the question of whether to invest in these technologies even more complicated. OpenAI is now valued at $500 billion, over three times the figure projected a year ago, while Anthropic has almost tripled its valuation in eight months.
Economists and national banks have warned of a potential AI “bubble” which could prompt significant regulatory and compliance challenges if it bursts. The amount of credit and debt being invested into AI has fuelled concerns about a financial crash if the share price of the major AI companies falls.
Compliance teams could find themselves under pressure to demonstrate that their firms assessed AI-related risks appropriately. They may also need to update policies, reporting, and oversight procedures quickly to respond to any sudden market shocks.
"As adoption of Generative AI increases, organisations will face more complexity in ensuring its output can be trusted … As use cases are developed and new business models created, organisations will need to consider governance, ethics, resilience, privacy, security, legal and contractual obligations, as well as alignment with company values. Giving employees and customers confidence that the AI can be trusted will be paramount to its adoption."
What are the key compliance considerations of AI?
- Create an inventory of AI systems used throughout the company, including AI features embedded in third-party products and tools employees have adopted on their own ("shadow AI"), since these are the systems most likely to escape oversight.
- Develop or update your AI policy, setting out a clear strategy and expectations for using Artificial Intelligence and Generative AI.
- Ensure your team understands the challenges, risks (e.g. energy consumption, bias and discrimination, misinformation, privacy and security risks, etc) and limitations of using AI.
- Classify and assess each system in line with your legal obligations, such as the EU AI Act's risk tiers: prohibited ("unacceptable risk") practices must be stopped altogether (banned since February 2025), while high-risk systems need risk management, logging, human oversight and conformity measures (most high-risk obligations apply from August 2026).
- Consider the impact of artificial intelligence on your other compliance obligations, e.g. Data Protection and GDPR, market abuse (e.g. spreading market rumours) and security. For example, are your processes for training AI models lawful? What if employees inject false information into AI tools to spread market rumours? Review and update corporate policies to combat these risks, too.
- Train your team to be vigilant, to question and report suspected concerns or misinformation they encounter - e.g. awareness of the use of deepfake social engineering videos or convincing voice recordings of your senior executives, automated malware generation, etc.
- Implement adequate controls, with monitoring and human oversight measures on high-risk activities, including recruitment, lending and other automated decisions that have a significant impact on individuals, so that no such decision is made without human intervention and "AI harms" are lessened.
- Ensure there is full transparency and explainability of AI systems for workers, customers, investors and stakeholders so people can decide whether to seek out human alternatives instead.
- Review your company's approach and make any adjustments required to comply with new or existing laws, including the EU AI Act and the UK's Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in June 2025 and is being commenced in stages.
- Use the IBM Framework for Securing Generative AI to ensure best practice - focusing on the five steps of securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance.
2. Climate change & ESG
2025 saw global temperatures fall back from a record-breaking high the year before, due in part to the emergence of a weak La Niña period in September.
Nevertheless, the year is on track to be the second or third warmest year on record (behind 2024 and 2023). A recent report from the World Meteorological Organisation suggests there is an 80% chance that at least one of the next five years will break the global temperature record.
Concerns about how countries will respond to energy and food security issues will continue into 2026, particularly in light of the Trump administration’s rejection of the Nationally Determined Contributions (NDC) process.
The gridlock and tension at COP30 in Brazil exemplified the ongoing challenges of achieving consensus on climate action amid competing domestic priorities.
The year was also particularly challenging for extreme weather, with the LA wildfires in January proving the costliest event of the year from an insurance perspective.
Global insured losses from natural catastrophes surpassed the $100 billion threshold for the sixth year in a row, and could exceed the Swiss Re Institute’s projection of $150 billion.
A record-breaking heatwave also struck Europe in summer, with UN Secretary General António Guterres describing extreme heat as the "new normal."
"The climate crisis is a human rights crisis. Rising temperatures, rising seas, floods, droughts, and wildfires threaten our rights to life, to health, to a clean, healthy and sustainable environment, and much more. The heat wave we are currently experiencing here shows us the importance of adaptation measures, without which human rights would be severely impacted."
In response to rising climate risks, insurers are expected to expand flood and wildfire-specific coverage and explore ways to make protection more affordable. At the same time, these risks could prompt some insurers to withdraw from vulnerable areas, creating coverage gaps and increasing demand for reinsurance.
A new wave of EU compliance regulations will also take effect in 2026. These include the Carbon Border Adjustment Mechanism, the Energy Performance of Buildings Directive, and the EU’s Green Claims and Consumer Empowerment Rules.
The European Commission also streamlined the CSRD and CSDDD sustainability reporting frameworks in November 2025, so companies will need to familiarise themselves with the updated requirements heading into the new year.
What are key climate and ESG compliance requirements?
- Assess the expected costs of climate change in 2026, the impact of climate on raw materials and your existing supply chains, and plan how to mitigate any risks to increase your resilience (e.g. by introducing or strengthening flood defences, switching production to different areas or broadening the supplier base).
- Consider whether the company is in-scope of the new climate disclosure requirements under the CSRD and CSDDD, and the new EU regulations coming into force in 2026.
- Arrange training for employees to raise awareness of your new obligations and their implications on work practices.
- Think about what disclosures the company will be required to make and look at what data is already available to streamline the process.
- Continue work on Double Materiality Assessments (DMAs) and reports for the Corporate Sustainability Reporting Directive (CSRD) to record material sustainability impacts.
- Introduce robust processes for conducting human rights and environmental due diligence (HREDD) throughout your global operations and value chain, as required under the CSDDD for EU and non-EU companies.
- Develop systems and controls to oversee and report on sustainability risks in your global operations and value chain.
- Keep your knowledge up-to-date throughout the transition period and adjust processes (as required) so they remain fit for purpose.
3. Geopolitical tension
In 2026, companies will need to monitor the geopolitical landscape closely to navigate the compliance challenges of trade volatility, political upheaval and democratic backsliding.
Donald Trump's aggressive tariff manoeuvres towards the EU and China were widely predicted, but a recent high-profile rift with Canada has escalated to a bitter stalemate. Trade negotiators, policymakers and affected companies will hope these issues can be resolved before a scheduled USMCA joint review in 2026.
A major consequence of Trump’s tariff policy is the diversion of Chinese goods away from the US and towards other markets, notably the EU, contributing to the EU's trade deficit with China. Companies importing these diverted goods will need to prioritise complying with EU customs and keeping track of updated environmental reporting regulations.
In world politics, the French government is still navigating a protracted constitutional crisis, and Mexico has been gripped by anti-government protests spurred by drug-related violence. The lingering threat of conflict between China and Taiwan still hangs over the region, and the US navigated the longest government shutdown in its history.
The fragile truce in Gaza and ongoing negotiations between the US, Russia and Ukraine will shape the global security picture in the coming year.
With democratic institutions facing mounting stress, companies will need to adopt flexible strategies to manage potential risk. A recent Gartner survey found that companies view the rising cost and complexity of regulatory changes following elections and court decisions to be their most significant emerging challenge, so proactive compliance planning remains essential.
"In recent years, businesses have been blindsided by a cascade of disruptions - the pandemic, renewed conflicts in Europe and the Middle East, surging populism, intense competition for green minerals and escalating protectionism - which have forced a fundamental reset of longstanding strategies."
What are the key geopolitical compliance considerations?
- Conduct risk assessments to stay aware of emerging risks and geopolitical volatilities, particularly anything that may threaten your supply chains and your reputation.
- Explore AI-powered monitoring and data analytics to manage sanctions risks.
- Use scenario planning and collaborate with teams firm-wide to fully assess the impact of the changing geopolitical landscape.
- Regularly review your company's risk appetite and exposure to high-risk sectors, regions and partners and conduct enhanced third-party due diligence.
- Use the 4Ts model (Tolerate, Treat, Transfer, Terminate) of risk management to help make the right decisions when managing geopolitical risks.
- Consider what mitigations are preferred to combat volatility and strengthen your resilience - such as diversifying your supply chains, relocating your business operations to nearby countries (nearshoring) or bringing them back to the home country (reshoring).
- Don't be afraid to withdraw from countries or switch your corporate strategy to limit your exposure and minimise any reputational fallout.
4. Financial crime
The International Monetary Fund (IMF) has estimated that 2% to 5% of global GDP – between $800 billion and $2 trillion – is laundered every year. Over £100 billion of that money is laundered within the UK or through its corporate structures.
A report by Strise also found that:
- 70% of financial crime experts believe AML measures are inefficient.
- 40% said that sanctions aren’t working.
"Europol’s figure that only 1% of laundered money is actually stopped underscores the grim reality that current AML efforts are not as effective as intended. Despite our best efforts, the results show we are only scratching the surface when it comes to preventing money laundering."
While these statistics paint a bleak picture, a number of regulations have been recently introduced to combat financial crime.
Reforms to Companies House under the Economic Crime and Corporate Transparency Act 2023 have removed the requirement to keep local registers of directors and Persons with Significant Control, introduced mandatory identity verification for new and existing directors and Persons with Significant Control (compulsory from November 2025), and given the registrar stronger powers to query, reject and remove filings.
From May 2025, new due diligence and reporting obligations came into force for non-financial institutions, including those dealing in high-value goods, art and antiques, luxury cars, precious metals, gemstones, whisky and wine investments, and digital assets.
High-value dealers conducting cash transactions or storing art valued over €10,000 will need to have a strong compliance programme and adequate procedures to avoid breaching financial sanctions, conduct due diligence, and comply with reporting requirements.
In the EU, the European Banking Authority (EBA) is handing over its AML and CFT powers to the newly formed Anti-Money Laundering Authority (AMLA) by the end of December 2025; the EBA itself continues with its prudential remit. Companies can expect:
- A single AML rulebook to unify rules and avoid inconsistencies in application.
- More stringent and rigorous enhanced due diligence (EDD) for all high-risk transactions, including a need to verify beneficial ownership using trusted sources and conduct in-depth risk assessments on the purpose and nature of the business.
- Greater transparency of ownership, including standardised beneficial ownership checks and improved access to central registers.
- An expanded scope of AML rules, covering crypto-asset service providers, crowdfunding platforms, high-value goods dealers, and some non-financial sectors like gambling and real estate.
- Stronger supervision of high-risk financial institutions.
Unlawful financial activity shows no sign of easing in 2026, so compliance teams must continue to dedicate resources to detecting financial crime and following anti-money laundering regulations.
In 2026, AI is expected to help compliance teams detect suspicious activity faster, automate reporting, and strengthen anti-money laundering controls across sectors.
"Regulated firms could save as much as $183 billion a year in compliance costs by implementing AI-driven systems."
"$3.3 trillion could be returned to global economies with AI-powered AML strategies."
What are key corporate compliance considerations?
- Review and update AML/CTF policies to take into account the recent changes and ensure your procedures are correctly applied across the business.
- Provide regular refreshers and reminders to help your team identify red flags.
- Strengthen risk assessments to ensure coverage of emerging threats, including crypto-assets and non-financial institutions, as required.
- Conduct risk-based due diligence before doing business and at regular intervals to comply with the new maximum refresh periods: customer information must be updated at least every five years, and at least annually for high-risk customers.
- For crypto-asset service providers, conduct enhanced due diligence on transactions of over €1,000 or involving "self-hosted addresses".
- Investigate how AI AML tools can improve compliance and help combat money laundering and terrorist financing (ML/TF).
- Prepare for supervision by AMLA, if applicable, and regularly check for updates and new guidance.
- Review controls and ensure they are proportionate to the risks facing your company - including the use of blockchain analytics tools to monitor customers' crypto and virtual-asset transactions.
- Consider how best to balance the Single Euro Payments Area (SEPA) Instant Payments Regulation (IPR), which mandates instant fund transfers within 10 seconds (receiving instant payments since January 2025, sending them and verification-of-payee checks since October 2025), with financial crime obligations, since screening must now happen in seconds rather than hours.
- Benchmark your progress - explore recent innovations and potential strategic collaborations with fintechs and other technology firms to help combat the ML/TF threat.
5. Fraud
Fraud, one of the most widespread forms of financial crime, will continue to pose a major threat to companies and society in 2026.
Organised crime groups are using advanced technology to target victims at unprecedented scale, with AI-driven scams, deepfake impersonation, and crypto-enabled fraud becoming increasingly sophisticated. 96% of fraud professionals are worried about the industrialisation of fraud, and organisations will need to prioritise fraud prevention more than ever.
According to the latest figures from UK Finance:
- Criminals stole £630 million in the first half of the year, a 3% increase on the same period in 2024.
- There were over 2 million confirmed cases of fraud, a 17% increase on the same time last year.
- Banks prevented £870 million of unauthorised fraud through advanced security systems, 20% more than in the first half of 2024 and equivalent to 70p in every £1 attempted.
- 66% of APP fraud cases started online and 17% started through telecommunications networks.
“Fraud continues to be a major threat to our society and our economy, and criminals continue to adapt ways to steal victims' money and funnel significant sums of money to criminal enterprises, impacting society greatly … The scale of the threat is not commensurate with the current level of government investment in countering it or the insufficient action by other sectors. The government must prioritise prevention and hold the social media and telecommunications industries to account.”
The rise of artificial intelligence and deepfakes exposes companies to sophisticated fraud attempts from outsiders and insiders alike. A finance worker in Hong Kong lost $25 million for his multinational firm after fraudsters used deepfakes to impersonate the company's chief financial officer on a video call. Deepfake celebrity ad scams in the UK, Europe and Canada also scammed thousands of savers out of £27 million.
Of course, behind the statistics are personal stories of those who have been duped. As well as financial losses, fraud can be devastating for victims and cause severe psychological harm.
Companies will need to bolster existing policies and procedures to address emerging risks, particularly in light of the UK's new corporate criminal offence of "failure to prevent fraud", in force since September 2025. Large organisations (those meeting two of three thresholds: more than 250 employees, more than £36 million turnover, or more than £18 million in total assets) can now be held criminally liable if an employee, agent, subsidiary, or associated person commits fraud intending to benefit the organisation, unless they can show they had reasonable fraud prevention procedures in place. This includes but is not limited to:
- Dishonest sales practices.
- Concealing important information from consumers or investors.
- Dishonest practices in financial markets.
What are key fraud compliance considerations?
- Establish effective internal controls to identify, detect, prevent and mitigate fraud risks.
- Have adequate customer authentication measures (multi-factor authentication, strong password policies, One-Time Passwords, etc) to thwart illicit activities, preferring app-based or hardware factors over codes sent by SMS, which can be intercepted or SIM-swapped.
- Review and strengthen your fraud risk management programme to ensure it addresses emerging threats and consumer redress. For example, are there internal controls to mitigate scams targeting vulnerable customers, how promptly are customers reimbursed, how are emerging threats detected, and is surveillance adequately tested?
- Bolster risk management and remediation through self-reporting and whistleblowing (to combat insider threats) and ensure it aligns with the Consumer Duty and consumer protection laws.
- Assess what other data may be used to monitor, detect and prevent fraud and whether it could be streamlined or shared across departments.
- Use real-time notifications and alerts to notify customers of suspicious activity.
- Find the right balance between appropriate controls and customer experience.
- Boost controls to address specific regulatory priorities (e.g. FinCEN) and maintain security for critical customer data.
- Ensure fraud teams are appropriately resourced to cope with increasing complexity and demand.
- Benchmark your progress and keep up-to-date with new obligations, including the new 'failure to prevent fraud'.
- Continue to raise awareness of the risk of AI-enabled fraud and scams (including deepfakes) with education and training.
6. Increased and diverging regulations
Inevitably, increased regulation and enforcement will be high on the agenda for 2026. Here is a brief snapshot of the past year’s regulatory developments, and what we can expect to see moving forward:
- New capital requirements and enhanced risk frameworks could be unveiled in 2026, including a revised version of the Basel III Endgame rules.
- Companies will be required to navigate diverging tax regimes in the coming year. The US withdrew from the proposed OECD minimum tax deal in January 2025, prompting the UK and other G7 members to adopt the agreement independently and design a system that avoids clashing with US rules.
- The Digital Fairness Act did not come into effect in 2025, and is still under development. A legislative proposal is expected around the third quarter of 2026.
- Several big tech and retail firms including Apple, Meta, Alphabet, AliExpress and Temu were found to have breached the EU Digital Markets Act (DMA) and Digital Services Act (DSA), with Apple and Meta incurring hundreds of millions of euros in fines. Further enforcement and implementation of the regulations can be expected next year. New tools have also been implemented under the DSA, including a Transparency Database for content moderation and guidelines to mitigate risks during elections.
- The UK’s own digital regulatory framework – the Digital Markets, Competition and Consumers Act (DMCC) - is being implemented in phases. The Competition and Markets Authority was granted new powers under the DMCC in 2025, including the ability to issue direct fines of up to 10% of global turnover. The first investigation under the regime focussed on Google’s activities in search and search advertising, and Google and Apple’s position regarding their mobile platforms.
- Phase I of the European Design Regulation took effect in 2025. The new design representation regime will be introduced in July 2026, and should increase the volume and diversity of registered designs at EU and national level.
- The EU Deforestation Regulation will begin to apply to medium and large companies from December 30th 2025. For smaller companies, the application date is delayed to June 30th, 2026.
- Companies now need to submit full reports as part of the Carbon Border Adjustment Mechanism, and applications to the new portal will become mandatory from January 2026.
- The new Anti-Money Laundering Authority (AMLA) became operational in 2025. It has been preparing its first set of guidelines and regulatory technical standards. The first public consultations are anticipated by late 2025 or early 2026. Its supervision of high-risk financial institutions will not begin until 2028, with the first selection process for directly supervised entities starting in 2027.
- In financial services, DORA came into effect in 2025. The European Supervisory Authorities published the first official list of 19 designated CTPPs in November, and direct oversight commenced in December. See our DORA training package to support your compliance.
- The Markets in Crypto-Assets Regulation (MiCAR), protecting consumers and investors, is now fully applicable across the European Union, with transitional grandfathering periods for existing crypto-asset service providers that vary by member state.
- In wholesale markets, ESMA’s new RTS on execution order policies will not come into effect as previously planned. The mandatory buy-in rules were delayed, and the existing cash penalty system remains in place.
In the UK, the government announced a number of significant tax and compliance changes in its November Budget.
From April 2026, Making Tax Digital will mandate quarterly digital reporting for sole traders and landlords earning over £50,000, expanding further in subsequent years, while tax advisers must register with HMRC and meet minimum standards or face strengthened sanctions.
New joint liability rules will make employment agencies and end clients responsible for unpaid PAYE and NICs in umbrella company arrangements. Updated transfer pricing and permanent establishment rules - alongside the abolition of the Diverted Profits Tax - will also modernise the UK’s international tax framework, with new reporting rules for multinationals enforced from 2027.
Additional measures include changes to capital allowances, tougher penalties for CIS fraud, revised gambling and environmental taxes, amendments to incorporation relief claims, the removal of homeworking expense deductions, and higher dividend tax rates - all of which will expand compliance workloads for UK companies.
Other UK-based developments to be aware of include:
- Acas has begun receiving calls about breaches of the Worker Protection Act, and firms will need to continue making adjustments to address and prevent sexual harassment at work.
- Simpler recycling rules came into effect as planned in 2025. Firms with fewer than 10 FTE employees have until March 2027 to comply with these regulations.
- The U.K.’s new Critical Third Parties regime came into force in 2025. The transition period for U.K. financial firms to meet the operational resilience requirements ended in March. By this date, firms were required to have identified their important business services, set impact tolerances, and performed testing to ensure they could remain within those tolerances during severe disruption.
- The new corporate offence for “failure to prevent fraud” came into effect as planned in 2025.
- The International Tax Compliance (Amendment) Regulations came into force in 2025, with most core operational impacts effective from January 1st, 2026. This measure is designed to facilitate information sharing between tax authorities and combat tax evasion and avoidance.
- The U.K.’s Employment Rights Bill is currently in the final stages of Parliament and is expected to pass into law by the end of 2025. A phased implementation will roll out between April 2026 and 2027, ensuring the right to enhanced parental leave, sick pay and protection from unfair dismissal, as well as facilitating a move away from zero-hours contracts, establishing restrictions on fire and rehire practices, and introducing wage increases (e.g., to the National Living Wage, National Minimum Wage, statutory maternity and sick pay, and other entitlements).
- The Equality (Race and Disability) Bill is in its draft stage and has not yet become law, but it is expected in late 2025 or early 2026. The bill will extend pay gap reporting, currently covering gender only, to ethnic minorities and people with disabilities. Companies with 250 or more employees will need to disclose ethnicity and disability pay gaps once the law passes. The government still intends to introduce a "right to switch off" code of practice in the form of guidance rather than direct legislation.
- Companies should remain aware of newer digital regulations such as the Online Safety Act - they can be fined up to £18 million or 10% of worldwide revenue if they fail to comply, with action taken against senior managers.
- In financial services, the FCA extended its non-financial misconduct rules to apply to all regulated financial services firms rather than just banks, and established a new Post-Trade Risk Reduction framework. Alongside the Prudential Regulation Authority (PRA), they also confirmed they will not be proceeding with the new DEI rules and expectations proposed in 2023.
- Following a comprehensive review of how firms treat customers in vulnerable circumstances, the FCA published its findings and examples of good and poor practice in 2025. The FCA is not updating its existing 2021 guidance as it believes it remains appropriate.
- The outcome and next steps of the FCA review into motor finance and Discretionary Commission Arrangements are expected to be announced in early 2026.
- The regulation of currently unregulated Buy Now Pay Later products is proceeding, with the rules expected to apply from July 2026. Any deferred payment credit (DPC) lender will need to be authorised for the relevant consumer credit activities or hold a temporary permission under the DPC temporary permissions regime (TPR), and will need to comply with FCA rules.
What are the key compliance considerations for regulations?
- Review and update policies and practices to reflect the latest legal or regulatory changes.
- Provide information and training so employees understand their regulatory obligations.
- Arrange regular, bite-sized learning on any new rules to get workers up to speed on their priorities.
7. Polarisation, workplace tension and security
2025 saw social and political divisions deepen in response to a number of highly publicised and deeply polarising events.
The assassination of activist Charlie Kirk encapsulated the state of political discourse in the US. Prominent figures on the right described the killing as an “act of war” against conservatives, and commentators across the spectrum condemned the country’s collapse into political violence.
Recent figures suggest this toxic atmosphere is spilling into the workplace. Nearly two thirds of US workers experienced political conflict at work in the past year, with over a quarter reporting that the political environment distracted them from their jobs.
The Trump administration signed three executive orders dismantling DEI programs across the public and private sector, and removed any concept of gender identity from the legal definition of a person’s sex. After Trump publicly described DEI initiatives as “illegal and immoral,” corporations continued rolling back their programs and dropping references to DEI from their websites, prompting boycotts from concerned consumers.
The UN-sponsored Net Zero Banking Alliance (NZBA) formally ceased operations in 2025 as banks withdrew en masse from the initiative, seemingly to insulate themselves from “anti-woke” backlash after Trump took office.
The role of social media in driving users towards divisive content is also becoming clearer, with recent research suggesting that small tweaks to X’s algorithm can bring about a rapid shift in views among users. Tellingly, “rage bait” - the term describing content intended to make users feel angry - was christened word of the year by Oxford University Press.
In 2026, increasing polarisation could continue to cause tension in the workplace, undermine collaboration and trust, and, in the worst cases, lead to violence from colleagues and/or customers.
According to recent research, 1 in 12 workers in the UK experienced threats, insults or physical attacks at work, while almost half of managers in another study reported witnessing disagreements over politics at work.
The HSE defines work-related violence as: "Any incident in which a person is abused, threatened or assaulted in circumstances relating to their work."
Companies need to be vigilant and alert to discord and unrest amongst employees, and ensure they have robust policies, training and reporting mechanisms in place to identify conflict early and prevent it from escalating.
What are key HR compliance considerations?
- Align policies to the Health and Safety Executive's guidance on violence at work
- Look out for signs of violence, hostility or intolerance at work
- Conduct risk assessments and review workplace practices to identify potential flashpoints or high-risk situations e.g. policies or situations where tension or violence may arise, including for lone workers or those travelling on business
- Stress the business benefits of ESG or DEI initiatives, instead of pitching them as ideological or politically-motivated
- Promote a respectful open culture - with clear boundaries for discussions
- Create psychological safety – so everyone can raise concerns without fear of reprisal, retaliation or being judged
- Provide training on conflict resolution and de-escalation techniques for managers and front-line employees
- Provide refreshers – such as the 4Ds of bystander intervention - to support those encountering conflict
- Encourage anyone experiencing or witnessing hostility at work to speak out - ensure there are recognised channels and the company listens and acts
- Review whistleblower channels and protections – to ensure transparent handling and investigation of complaints, with adequate protection from retaliation
- Develop and test procedures for emergency situations – including climate protests and active shooter scenarios
8. Ethics and culture
Ethics and workplace culture are likely to remain in the spotlight for 2026. The latest figures suggest that companies are struggling to curb instances of harassment, misconduct, and underreporting in the workplace:
- A 2025 report found that 41% of UK employees witnessed unfair treatment, discrimination or unsafe practices at work this year, but only 23% reported it.
- A 2024-5 study found that many employees in the US wouldn’t report incidents of harassment for fear of retaliation or reputational harm.
- A 2025 ACAS study of workers in Great Britain reported the highest level of individual conflict ever observed in a survey of its kind. 44% of respondents said they had experienced conflict at work in the last 12 months, with previous estimates ranging from between 25% to 38%.
- The most common topic of conflict in this study was ‘capability and performance’ (38%), while ‘personal disagreements and relationships’ was second highest (33%) and bullying, discrimination and harassment was third highest (24%).
There is growing urgency for UK financial firms in particular after the FCA published a policy statement extending non-financial misconduct (NFM) rules from banks to around 37,000 other financial firms from September 1st, 2026. Companies will need to make themselves aware of their new obligations as quickly as possible.
The ongoing scandal engulfing London’s Metropolitan Police provides a high-profile example of why workplace ethics is so important. Undercover stings, sackings in senior positions and accusations of institutional racism, misogyny and homophobia have damaged the force’s reputation, many would say irreparably.
In more optimistic news, there are signs the Worker Protection Act is having a positive impact on reporting. Between January and June 2025, Acas received almost 5600 calls about workplace harassment - a 39% increase on the same period the year before.
As 2026 approaches, organisations that work proactively and hold high ethical standards will be best equipped to meet regulatory expectations and build healthy workplace cultures.
So what are the key E&C compliance requirements?
- Review workplace culture (via surveys) regularly to identify potential issues (including non-financial misconduct).
- Bring processes up to speed with the expanded FCA NFM rules if they apply to your firm.
- Provide regular reminders about your company values and expectations to keep them 'top of mind'.
- Train your team to recognise inappropriate or harmful behaviour, to call it out and/or report it e.g. using the 4Ds model.
- Encourage psychological safety so people feel safe speaking out if they witness inappropriate behaviour or misconduct, and are able to challenge dominant opinions or express disagreement without fearing negative consequences.
- Conduct exit interviews when people leave, change teams or switch roles - this can help you identify a predatory colleague or manager, unacceptable team behaviour, policy violations, etc. (leavers may feel they have nothing to lose and be more willing to speak openly).
- Create a speak up, listen up culture – ensuring you act quickly, take allegations seriously when potential issues are raised, and that investigations are fair.
- Use the findings of the FCA's survey to benchmark your own performance.
- Never withhold information that you reasonably believe would impact the assessment of an individual's fitness and propriety – including circumstances where the individual left while under investigation.
- Consider your obligations under the relevant rules within SYSC when hiring anyone with an adverse report on non-financial misconduct.
- Ensure management information about non-financial misconduct is shared at board level - so there is adequate governance and oversight, and the 'tone from the top' is right.
9. Modern slavery and forced labour
January is National Slavery and Human Trafficking Prevention Month, and a real opportunity to raise awareness of human trafficking and modern slavery.
Figures show the problem has not gone away:
- According to the International Labour Organization (ILO), forced labour generates $236 billion in profits annually, of which $173 billion comes from forced commercial sexual exploitation.
- There are around 49.6 million people in modern slavery on any given day.
- Around 6.3 million people are in situations of forced commercial sexual exploitation. 78% of those are girls or women.
- Many businesses have slavery in their supply chains without realising it.
In the UK, modern slavery in construction firms continues to make headlines, and the broader numbers suggest there is still a lot of work to do:
- 6414 potential victims of modern slavery were referred to the Home Office from July to September 2025, representing a 13% increase compared to the previous quarter and a 35% increase from July to September 2024.
- At the end of 2024 there were nearly 20,000 potential victims of modern slavery - the highest number of referrals since records began in 2009.
- Nearly 6000 (31%) of these potential victims were children, and 23% of those referred were British nationals.
- Cases of modern slavery in Greater Manchester have increased sixfold over the past 10 years.
The Labour government’s recent amendments to asylum policy and the toxicity of political discourse around illegal migration have led to fears that people trafficked from abroad will be treated as immigration offenders instead of being given adequate support.
The FCA has also received criticism after Shein received UK regulatory approval for a London IPO despite allegations of modern slavery and child labour.
Encouragingly, however, the European Commission has outlined plans to make ecommerce platforms like Temu, Shein, and Amazon liable for unsafe or illegal products sold to EU consumers.
In the US, the Trump administration targeted more imports of Chinese goods for high-priority enforcement over alleged human-rights abuses involving the Uyghurs, in line with the recently introduced Uyghur Forced Labor Prevention Act (UFLPA).
Companies must conduct thorough due diligence on suppliers and ensure reporting and remediation processes are in place to address any concerns about labour practices in their supply chains.
What are the key considerations to combat modern slavery?
- Analyse your supply chain, ensuring you know how products are made and exactly where they are sourced.
- Consider whether isotopic testing could be used to better understand product origin and where (raw) materials come from.
- Conduct robust due diligence and carry out due diligence questionnaires to address modern slavery (and human rights) issues.
- Explore how artificial intelligence tools might help the company detect human trafficking and combat modern slavery.
- Review your supplier code of conduct and ensure there are clear anti-slavery clauses.
- Conduct supply chain audits (with site visits, especially for high-risk suppliers).
- Engage with suppliers to promote transparency and to help understand the challenges they face – then collaborate to find workable solutions.
- Assess the impact of the EU Forced Labour ban and the EU Deforestation Regulation (EUDR) on your supply chain – in readiness for the new requirements that come into effect on 30 December 2025.
- Develop contingency plans to manage potential supply chain disruption and strengthen your resilience.
10. Cybercrime and Third-Party Risk Management (TPRM)
Cybercrime surged to the top of the agenda in 2025, driven by a wave of high-profile attacks that highlighted how vulnerable even the largest companies have become.
Marks & Spencer saw their profits for the first half of the year completely wiped out after a cyber attack emptied shelves and left customers unable to buy online for months. Hackers sent abusive messages and ransom demands to the firm’s CEO and stole the personal data of millions of customers.
Jaguar Land Rover posted huge losses after an attack left it unable to operate its production lines for over a month. Hiring consultants and other support teams in response to the hack set the company back another £196 million on top of a headline loss of £485 million.
Data breaches at a number of airlines, including Qantas, Hawaiian Airlines and WestJet, as well as an ethical hack of the McDonald's hiring platform, demonstrated that no size or style of company is completely safe from cyber threats.
New figures from the National Cyber Security Centre (NCSC) suggest that Britain is now facing an average of four “nationally significant” cyber attacks every week. The NCSC handled more than double the number of major incidents it dealt with the year before.
The costs of fighting cybercrime are immense. As well as the financial burden, companies face considerable business disruption, loss of productivity, embezzlement, theft of personal and financial data, compromised intellectual property, as well as reputational damage.
Gartner is predicting:
- Global spending on information security will increase by 12.5% in 2026 to a total of $240 billion.
- The use of generative AI as both a security tool and a weapon for hackers will continue driving cybersecurity investment.
- By 2027, around 17% of cyberattacks and data leaks will involve generative AI.
Companies need to take additional steps to secure their environment when generative AI is used. The IBM Framework for Securing Generative AI highlights five steps: securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance. In practice this may mean, for example, purchasing additional software to secure applications, data and infrastructure.
It's not only AI models that introduce vulnerabilities. Companies also need to consider supply chain security. Although cloud service providers (CSPs) such as AWS, Google Cloud and Microsoft Azure make it easier to deploy applications, they also widen the attack surface by adding entry points, making it harder for companies to secure their perimeter.
Recent research found that:
- 27% of organisations faced incidents of stolen secrets.
- 32% had experienced compromised service account credentials.
- 27% had experienced compromised privileged user access.
When companies do not have cybersecurity expertise in-house, they must hire specialist security services to manage the risk.
"There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cybercriminals. The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve."
On top of cyber attacks, 2025 also saw a string of third-party service outages affect multiple sectors. An Amazon Web Services outage brought hundreds of apps and services to a standstill, including Lloyds Bank, Halifax, Snapchat and HMRC. Microsoft Azure and Cloudflare experienced significant service interruptions, while Heathrow Airport’s risk management procedures came under scrutiny after a substation fire grounded flights for an entire day.
These incidents highlight how vulnerable digital public infrastructure (DPI) has become, and suggest companies still have work to do to protect themselves from faults with interconnected services.
What are key cybercrime compliance requirements?
- Train your team to spot signs of phishing and malicious communications and improve your cybersecurity culture.
- Retrain or upskill existing workers to help bolster cybersecurity capabilities across the company and ensure there is at least one board member with relevant cybersecurity expertise.
- Gather data and look for patterns and trends to analyse the threat level - such as geopolitical tensions (potentially increasing state-sponsored cybercrime), polarisation (potentially fuelling cyberattacks to disrupt democracy), anomalies, etc.
- Use the IBM Framework for Securing Generative AI to benchmark and boost security - following the five steps of securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance.
- Invest in training to improve your response to risks – including phishing, ransomware, DDoS – and combat the threat.
- Move beyond reactive risk management so that greater preparedness also leaves you ready to exploit opportunities.
- Continue to implement a zero-trust model that extends beyond the company perimeter to cover remote workers, third parties and Internet of Things (IoT) devices, with continuous AI-enabled monitoring and authentication on every digital interaction.
- Deliver cyber and digital resilience in line with the requirements of the EU’s Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA), effective from January 2025.
- Engage with designated providers in line with the UK's new 'Critical Third Parties' (CTPs) regime (also from January 2025) – remember, designated providers need to comply with six fundamental rules mirroring the six high-level principles for regulated firms, i.e. acting with integrity, with due skill, care and diligence, and so on. The regime also requires technology providers to notify regulators of planned technology change projects, resourcing challenges, cyber incidents and outages.
Looking for more compliance insights?
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our ESG, Financial Crime, Fraud Prevention, DEI and Cybersecurity Training Packages offer a complete solution for your compliance programme. Some of the courses in the libraries include:
- Environmental Social and Governance (ESG) Training Course
- Financial Crime Prevention Training Course
- Fraud Prevention Training Course
- Diversity, Equity and Inclusion (DEI) Training Course
- Cybersecurity Training Course
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.