As the new year approaches, compliance officers yet again face a year ahead of regulatory change. The convergence of technological innovation, operational resilience requirements, and enhanced accountability frameworks presents both challenges and opportunities. This article examines the critical regulatory priorities and provides practical guidance on preparing your firm for the year ahead.
Basel 3.1 Implementation
Time to Finalise Your Approach
The Prudential Regulation Authority (PRA) has confirmed Basel 3.1 standards implementation will commence on 1 January 2027, following a 12-month delay from the original 1 January 2026 date. This provides critical breathing space, but compliance officers must help their business heads to resist complacency and use this period strategically.
The PRA’s near-final rules enhance UK market competitiveness through reduced capital requirements for SME lending and infrastructure projects. Whilst the implementation date has moved, the nature of these changes demands immediate action.
Practical implications
The delay affects immediate data submission deadlines, which can also be treated as paused. However, firms should continue working through the potential capital impact of Basel 3.1 rather than standing still.
The Bank of England will conduct a Bank Capital Stress Test in 2025 involving the UK’s largest and most systemic institutions. Results will inform capital buffer settings at both firm and system-wide levels.
What to do now
- Review your capital models against the near-final rules.
- Identify where reduced SME and infrastructure capital requirements might benefit your portfolio strategy.
- Ensure your data infrastructure can support the new reporting requirements when they activate in 2027.
- Consider whether the delay creates opportunities to enhance your approach rather than simply postpone work already underway.
Operational Resilience and Third-Party Risk
Beyond Box-Ticking
March 2025 marked a watershed when firms were required to demonstrate their ability to remain within impact tolerances for all important business services during severe disruptions. The PRA emphasises that operational resilience must become a key board consideration for any business expansion, signalling a fundamental shift from tactical compliance to strategic risk management.
Third-party risk management continues to evolve rapidly. The PRA explicitly highlights concerns about the financial health of suppliers, requiring firms to be “mindful” and conduct robust ongoing diligence on material third parties. Critically, this extends to intra-group providers, challenging traditional assumptions about the safety of internal arrangements.
For many firms, the intersection of operational resilience with cybersecurity threats creates compound risks. Geopolitical uncertainty intensifies threats to operational resilience, particularly for firms operating across borders.
Practical implications
Your important business services framework should now be embedded in decision-making processes. When your firm considers new business lines, geographic expansion, or technology changes, operational resilience implications must feature in board papers. The days of operational resilience as a compliance project are over. It is now a strategic governance requirement.
On third-party risk, the PRA’s focus on supplier financial health requires more sophisticated monitoring. You cannot simply conduct annual reviews of service delivery quality. You need real-time awareness of your critical suppliers’ financial stability, particularly in the current economic environment.
What to do now
Audit your board papers from the past six months. Are operational resilience considerations explicitly addressed in expansion proposals? If not, work with your governance team to embed this requirement.
For third-party risk, identify your critical service providers and establish quarterly financial health monitoring. Consider credit ratings, financial statements, and market intelligence.
For intra-group arrangements, apply the same rigour you would to external providers. Corporate structures provide less protection than you might assume during stress events.
Digital Operational Resilience Act (DORA)
Preparing for Convergent Standards
Whilst DORA is an EU regulation, its influence extends beyond the European Union’s borders. ESMA has designated cyber risk and digital resilience as a Union Strategic Supervisory Priority for 2026, with enhanced coordination across EU supervisors on ICT risk management requirements.
UK firms with European operations must align their approaches with DORA requirements, which took effect in January 2025. Even purely UK-based institutions should monitor DORA implementation, as regulatory expectations around digital resilience are converging internationally. The Financial Conduct Authority’s (FCA) emphasis on operational resilience creates complementary pressures that elevate cyber and operational risk management to boardroom priorities.
Practical implications
If you operate in both UK and EU jurisdictions, you face dual regulatory expectations. The smart approach is to adopt the higher standard across your entire operation rather than maintaining separate frameworks. This reduces complexity and positions you well for future UK regulatory developments, which are likely to align with international standards.
What to do now
Map your current operational resilience framework against DORA requirements. Identify gaps, particularly around ICT third-party risk management, incident reporting, and digital operational resilience testing.
Even if DORA doesn’t directly apply to your firm, treating it as a benchmark ensures you’re ahead of UK regulatory evolution.
Liquidity Framework Review
Positioning for Regulatory Change
The PRA will review the liquidity supervisory framework in 2026, with consultations on regulatory reporting changes expected. This responds to lessons from the March 2023 banking stress and acknowledges the Bank of England’s evolving operating framework.
Compliance officers should prepare for potentially significant changes to liquidity monitoring and reporting obligations. International coordination through the Basel Committee on Banking Supervision suggests that any UK reforms will align with global developments in liquidity risk supervision.
Practical implications
The 2023 banking turmoil demonstrated that traditional liquidity metrics don’t always capture emerging risks, particularly around concentrated funding sources and rapid deposit outflows enabled by digital banking. The PRA’s review will likely result in enhanced reporting requirements and potentially new metrics focused on behavioural aspects of liquidity risk.
What to do now
Review your liquidity risk management framework with fresh eyes. Where are your funding concentrations? How quickly could you access contingent liquidity? What are your exposures to non-bank financial institutions, which the PRA has specifically flagged as a concern?
Don’t wait for the consultation to strengthen your frameworks. You can conduct reviews now based on the known weaknesses that emerged in 2023. When the consultation arrives, you’ll be responding from a position of strength rather than scrambling to comply with new requirements.
Artificial Intelligence Governance
Moving from Innovation to Accountability
The FCA and PRA are intensifying their focus on artificial intelligence and machine learning deployment within financial services. The PRA maintains a specialist Fintech Hub and has established an AI Consortium for public-private engagement, signalling the centrality of AI governance to 2026 priorities.
Many compliance officers are facing the challenge of enabling innovation whilst managing emerging risks. Key considerations include algorithmic decision-making transparency, ethical deployment of machine learning models, and bias detection and mitigation strategies.
Practical implications
The regulatory focus on AI represents a significant expansion of compliance remits into technology governance territory. You need frameworks for human oversight of algorithms, mechanisms to explain and audit algorithmic decisions, and clear governance structures for AI system deployment.
This isn’t about blocking innovation. It is about ensuring responsible innovation that aligns with regulatory expectations around customer protection and market integrity.
What to do now
Conduct an AI inventory across your firm. What AI or machine learning systems are currently deployed? Which are in development? For each system, document: the business purpose, the decision-making role (advisory versus determinative), the oversight mechanisms, and the bias testing approach.
Establish an AI governance committee if you don’t have one, with representation from compliance, risk, technology, and business functions.
Create approval frameworks for new AI deployments that ensure regulatory considerations feature from the design stage, not as an afterthought.
Consumer Duty
Wholesale Firms Cannot Assume Exemption
Whilst the Consumer Duty primarily targets retail customers, the FCA has clarified its application to wholesale firms. FCA CEO Nikhil Rathi’s letter to the Chancellor addressing the Consumer Duty’s application to wholesale markets underscores that compliance officers in wholesale firms cannot assume blanket exemption.
The FCA’s 2026 priorities include consultations on amendments addressing how the Duty applies across distribution chains and proposals to limit its application to business conducted with UK customers only. These developments require wholesale firms to maintain vigilant monitoring of Consumer Duty evolution.
Practical implications
The boundary between wholesale and retail is not always clear-cut, particularly in distribution chains. If your wholesale products ultimately reach retail customers through intermediaries, you may have Consumer Duty obligations even though you don’t directly serve retail clients.
The FCA’s emphasis on distribution chain responsibilities means you cannot assume that duties stop at the point of sale to a wholesale counterparty.
What to do now
Map your product distribution chains end-to-end. Where do your products or services ultimately end up? If there’s any retail customer exposure, even indirect, assess your Consumer Duty obligations.
For firms in distribution chains, establish clear communication channels with your counterparties about respective Consumer Duty responsibilities. Document how you’re ensuring good customer outcomes, even where you’re several steps removed from the end customer.
CASS 15 and Payments Safeguarding
The 7 May 2026 Deadline
The FCA’s new safeguarding rules under CASS 15 take effect on 7 May 2026 for payment service providers and e-money institutions. These introduce daily fund reconciliations (on each reconciliation day) and significantly enhanced transparency and governance requirements.
This represents the most significant change to client money protection in the payments sector for many years. The shift from monthly to daily reconciliations fundamentally changes operational requirements and creates new pressure points in firms’ processes.
Practical implications
Daily reconciliations demand robust automated processes. Manual reconciliation approaches that suffice for monthly cycles will not scale to daily requirements without creating unsustainable operational burdens and error risks. Firms must also prepare comprehensive resolution packs, which are effectively wind-down plans that enable rapid customer fund returns in insolvency scenarios.
Beyond the technical requirements, CASS 15 introduces a new governance framework. Firms need a CASS oversight function, clear escalation procedures, and board-level accountability for safeguarding.
The annual audit requirement means your CASS arrangements will face independent scrutiny.
What to do now
If you’re in scope for CASS 15, you should be in implementation mode already. As 7 May 2026 is imminent in regulatory terms.
Conduct a gap analysis against the final rules published by the FCA. Focus particularly on: your reconciliation processes and whether they can scale to daily frequency; your segregation arrangements and whether they meet the enhanced requirements; your resolution pack and whether it contains all required information; and your governance framework and whether you have clear CASS oversight accountability.
If you’re behind schedule, engage with the FCA proactively. They would rather know about implementation challenges in advance than discover non-compliance in May 2026.
SMCR Streamlining
Efficiency With Continued Accountability
The FCA and PRA are streamlining the Senior Managers and Certification Regime (SMCR). making it more efficient and outcomes-focused whilst reducing administrative burdens.
The PRA plans to finalise revised rules for banks on streamlining material risk-takers’ remuneration requirements, including reducing bonus deferral periods.
The FCA continues to refine certification requirements and is reviewing client categorisation rules to ensure greater alignment across its Handbook.
Practical implications
The streamlining creates opportunities to eliminate unnecessary processes whilst maintaining robust governance frameworks.
However, the fundamentals of individual accountability remain unchanged. The regime’s core principle that senior individuals should be clearly accountable for their areas of responsibility is not being diluted.
What to do now
Review your SMCR processes for unnecessary complexity. Are you collecting information that adds little value? Are your handbooks and statements of responsibilities clearer than they need to be, or have they accumulated layers of belt-and-braces drafting?
The regulatory streamlining gives you permission to simplify. So take advantage of it. However, ensure that simplification doesn’t compromise the quality of your accountability frameworks. Documentation, attestations, and fitness and propriety assessments remain fundamental to demonstrating compliance.
Transaction Reporting
Preparing for Regime Changes
The FCA has published proposals to improve the UK transaction reporting regime, aiming to remove unnecessary burdens for firms whilst maintaining high regulatory standards. ESMA has launched parallel consultations on streamlining transaction reporting requirements across EU markets.
For firms operating across multiple jurisdictions, the divergence between UK and EU approaches requires careful monitoring. The UK is pursuing reforms tailored to its market structure, whilst the EU focuses on harmonisation across member states. These differing priorities may result in materially different reporting requirements.
Practical implications
Transaction reporting changes affect your data infrastructure and reporting systems.
Unlike rule changes that affect front-office behaviour, reporting changes require technology builds. These often have long lead times, particularly if you’re dependent on vendor solutions that need to be updated across multiple clients.
What to do now
Monitor the FCA’s transaction reporting proposals and assess the likely impact on your systems.
Engage with your technology and data teams early. Don’t wait for final rules.
If you use third-party reporting vendors, open dialogue with them about their implementation timelines.
For firms with both UK and EU operations, map the diverging requirements and consider whether you’ll need dual reporting systems or whether you can find a common approach that satisfies both regimes.
2026 Regulatory priorities
Regulatory priorities in 2026 demands that compliance officers adopt strategic perspectives extending beyond technical rule-following. Firms that embed regulatory requirements into business strategy, treating compliance as a competitive differentiator rather than a cost centre, will continue to thrive in this environment.
The convergence of operational resilience requirements, technological innovation governance, and enhanced accountability frameworks creates opportunities for compliance functions to drive business value. Proactive engagement with regulatory developments, robust governance frameworks, and strategic resource allocation will separate leaders from laggards.
As regulatory complexity intensifies, the role of specialist compliance advisors becomes increasingly valuable. Firms should assess whether their internal capabilities require augmentation through expert consultancy support, particularly for transformational projects like Basel 3.1 implementation, operational resilience framework enhancement, or CASS 15 preparation.
The regulatory priorities for 2026 are clear. Success depends on moving beyond awareness to action. Conducting gap analyses, strengthening frameworks, and embedding regulatory requirements into strategic decision-making. The firms that act decisively now will navigate 2026’s regulatory challenges with confidence.
Leaman Crellin provides regulatory compliance consulting services to financial services businesses, helping clients navigate UK and international regulatory requirements. Our team of former regulators and industry professionals delivers practical, business-focused compliance solutions tailored to your organisation’s needs, including SMCR, transaction reporting, third-party risk management frameworks, operational resilience planning, and CASS compliance advisory. Get in touch with us today.
