February compliance news round-up

Major laws we’re tracking:

  • Employment Rights Act: A new timeline of implementation was published. Firms must have all reasonable steps in place to prevent sexual harassment by October 2026.
  • Data (Use and Access) Act: New rules were implemented in February, covering complaints, DSAR and PECR reforms.
  • Crime and Policing Bill: Will mean senior managers can be personally liable for ANY corporate offence 
  • Cyber Security and Resilience Bill: Will mandate cyber security and training for more companies
  • Money Laundering and Terrorist Financing (Amendment and Miscellaneous Provision) Regulations 2025: Will update AML laws for regulated entities
  • EU Digital Omnibus: Will reduce compliance obligations of some aspects of GDPR and EU AI Act 

UK regulatory update

Most employers are unprepared for the new menopause action plans, according to research from our recent webinar on the subject, while 3 in 4 compliance professionals say the menopause provisions of the Employment Rights Act don’t go far enough.

The UK has hit Russia with the largest sanctions package yet. As the conflict enters its fourth year, over 300 entities linked to Russian supply chains have been sanctioned. Meanwhile, the OFSI is tightening its approach to sanctions enforcement, increasing the risk of a sanctions breach like the one that saw the Bank of Scotland fined over a spelling inconsistency.

The Crime and Policing Bill will create a perfect storm of criminal liability for companies. The threshold for dishonesty was recently lowered in English law, and combined with the Bill making companies liable for any criminal action by a senior manager, the risk of a compliance failure is increasing exponentially. 

By June 2026, UK companies will need to have new complaints handling frameworks under the Data (Use and Access) Act. The ICO has set out what firms need to do.

New whistleblowing data from the FCA reveals that financial services employees are more willing to call out wrongdoing. With new bullying and harassment rules (non-financial misconduct) coming online in October 2026, FCA firms should prioritise staff reporting channels.

The FCA has also announced tighter compliance requirements for Annexe I firms, e.g. commercial lenders, money brokers and leasing companies. Annexe I firms will have to demonstrate better compliance with AML rules.

New research from Hogan Lovells has shown the enforcement risk to UK firms is increasing, with bribery risks overlapping with fraud and sanctions. 

Provision 29 of the UK Corporate Governance Code requires UK firms to state explicitly that they have effective controls. This came into force in January 2026, and necessitates additional senior manager training.

EU regulatory update

A new EU pay transparency directive will require companies to deal with the gender pay gap and take action to remediate unjustified discrepancies. 

A Swedish bank faces an AML probe into its CDD controls. Weak client due diligence is one of the major triggers for a regulator’s investigation.

A landmark ruling from the EU’s top court (CJEU) has confirmed that companies can directly challenge decisions and fines from the European Data Protection Board (EDPB).

Ireland is setting the pace for AI governance with a new AI Office and sector-led supervision that includes GDPR-level penalties. Ireland has adapted the EU AI Act into a formidable national regime that could reshape AI regulation in Europe’s tech hub.

The EU Digital Omnibus is rewriting GDPR and the EU AI Act with floating compliance and pushed-back dates, with high-risk AI systems not becoming regulated until the end of 2027.

Meanwhile, a number of GDPR fines across Europe’s largest economies show that regulators have become adept at issuing millions in fines for data breaches and compliance failures.

US regulatory update

The Trump Administration has taken the significant step of reclassifying cannabis, moving the drug from a Schedule I to a Schedule III controlled substance. This is significant for federal banking requirements, reducing the need for SARs and easing investment into the growing cannabis sector.

California’s recently expanded Consumer Privacy Act (CCPA) has shown some teeth by issuing a $2.75m fine against Disney for breaching data protection rules through its streaming systems.

Supply chain rules have struck imports from Serbia. US authorities have banned the import of tires over forced labour concerns, meaning the goods can be detained on modern slavery grounds.

VinciWorks has released our updated guide to high risk jurisdictions following February 2026 updates from the FATF grey list and EU high risk jurisdiction list. This is important for every regulated entity to review.

The SRA has levied a £68,000 fine against a firm run by a former Law Society president. The virtual law firm operating as an ABS allowed millions of dollars to pass through its client account without a proper link to legal work.

As the UK gears up for its FATF mutual evaluation in 2027, a new analysis shows that just 28% of frozen assets have been recovered. This could see more effort to claw back ill-gotten gains.

The issue of AI and legal privilege is becoming a serious problem for law firms. A US court has found that inputs into commercial AI systems like ChatGPT are not protected by privilege. Law firms must be very careful about using commercial AI systems.

Around the world

The recent violence in Mexico following the elimination of a major cartel leader has sparked serious compliance issues with a potential influx of illicit funds into the banking system. Regulated entities would be wise to upgrade due diligence on Mexico-related transactions.

A proposed law in New Zealand, the Modern Slavery and Worker Exploitation Bill, would bring in mandatory modern slavery reporting for large businesses. 

In Australia, a forthcoming court case could redefine the legal status of cryptocurrency in the country after years of fragmented rulings. Meanwhile a proposed new law would bring a clear definition for the first time. 

The former premier of the Turks and Caicos, a British Overseas Territory, has been found guilty of bribery after a long-running investigation, exposing the need to conduct enhanced due diligence on PEPs.

New guides

A guide to high risk jurisdictions for money laundering: February 2026 update

Source of funds and source of wealth

Make your organisation menopause friendly

VinciWorks Portal: Your central hub for compliance training

The state of cryptocurrency compliance in 2026: Key risks and challenges
