March compliance news round-up

Major laws we’re tracking:

  • The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 will come into force in May / June, changing AML obligations.
  • Employment Rights Act: From April, sexual harassment disclosures become protected under whistleblowing laws, and from October 2026, ‘all reasonable steps’ must be in place.
  • Crime and Policing Bill: Will mean senior managers can be personally liable for ANY corporate offence. 
  • Cyber Security and Resilience Bill: Will mandate cyber security and training for more companies.
  • Equality (Race and Disability) Bill: Expected to be announced in the King’s Speech to mandate ethnicity and disability pay gap reporting for large (250+) employers.

UK regulatory update

Some news from the Crown Dependencies. Jersey is introducing its first whistleblowing law. While not as extensive as the EU or UK, it does place new obligations on employers.

The Isle of Man published its AML National Risk Assessment for 2026, outlining key money laundering risks for the island, with cyber fraud and transnational crime being key drivers of risk.

And in Guernsey, a £2m fine against an insurance company for money laundering failures has exposed new risks for firms, particularly with a range of failure to prevent laws recently in force.

Back in the UK, the Employment Rights Act is introducing a wave of new obligations for HR, compliance and legal teams. We’ve pulled together dozens of frequently asked questions from our recent webinar and answered them all.

Shockingly, one in eight employers do not provide sexual harassment training according to our recent survey. This puts them at significant legal risk.

From April, sexual harassment disclosures become protected under whistleblowing laws. But the recent case of Woodall v Google shows the limits of what can be considered a protected disclosure.

The UK has not developed a firm position on AI, and is discussing letting AI developers use copyrighted materials during research. Meanwhile barely 3.5% of organisations are ready for AI regulation, a VinciWorks survey has found. 

The FCA has issued a £13m fine for financial misrepresentation against Wood Group, which had weak financial reporting and controls. Future cases, however, could be criminal under the Crime and Policing Bill.

A dramatic incident at the BAFTA Awards recently around Tourette’s has ignited a debate around disability and causing offence. But an employment tribunal previously outlined how organisations should respond in such cases.

Will your organisation be in scope of the forthcoming Cyber Security and Resilience Bill? It mandates better cyber security for many more organisations.

The ICO has issued a £1.2m fine against password manager LastPass over a data breach that affected over 1.5 million subscribers.

GRC rules for boards are changing. Provision 29 of the UK Corporate Code means that many more boards will have to actively demonstrate their compliance controls are effective.

Neurodivergence at work is becoming a factor in around a third of all employment tribunal discrimination cases. Businesses that do not have processes in place to deal with disability requests on neurodiversity are putting themselves at risk.

EU regulatory update

A significant enforcement action against the Barcelona Football Club has resulted in a €500,000 fine against the club. It shows how regulators are scrutinising data protection impact assessments. 

More European regulators are also paying closer attention to the right to be forgotten, with a report from the European Data Protection Board showing many organisations are struggling to implement it in practice.

The EU AI Act is also shifting with extended timelines and new changes to previous rules. The European Parliament has also agreed to a new direction for AI Act compliance, altering many parts of the landmark law.

US regulatory update

Corporate DEI programmes have been in the headlines since the second Trump Administration took office in January 2025. Now, the EEOC – the US equality regulator – has published clearer guidelines about what might constitute unlawful DEI, and where it might take action. 

The US midterms are coming in November 2026, and it seems like Democrats are planning to make corporate bribery a key election issue. They’ve introduced new legislation to double the FCPA statute of limitations. While unlikely to pass, it signals that the Trump Administration’s previous 4-month FCPA pause will be an election issue.

Despite that 2025 pause, FCPA actions are continuing. A new declination with French firm Balt for bribing public sector doctors showed major internal compliance failures. Nevertheless, self-reporting resulted in a lesser penalty. 

Meanwhile the DOJ has outlined its focus on prosecuting fraud, with a focus on mismanagement of federal funds and aggressive False Claims Act enforcement.

The DOJ has also reached an agreement with Halkbank, a Turkish lender, over a long-running sanctions case tied to Iran. The Deferred Prosecution Agreement looked at how the Turkish bank helped actively facilitate banking for sanctioned individuals.

California has come out with a new climate disclosure law. From August 2026, large companies will need to report their emissions and assess climate-related financial risks in one of the most far-reaching corporate climate regimes.

On AI, the Trump Administration is pushing for a unified, light-touch AI framework that will supersede any state-level rules and focus on a pro-innovation approach to AI regulation.

A CEO relied on ChatGPT to try to escape a $250m contractual obligation, following AI-generated strategies that led to wrongful actions and a major court ruling establishing that AI cannot replace independent judgment or accountability in corporate governance.

The legal market

The government has laid the 2026 amendments to the Money Laundering Regulations 2017. They introduce a range of changes, from CDD and EDD requirements to Trusts and Pooled Client Accounts. We’ve published a new guide and will be holding a webinar on 13 May.

The Australian legal industry is changing thanks to Tranche 2. In force from July, it introduces basic AML compliance for law firms, real estate and several other industries that have been out of scope until now. 

AI compliance is not just about ticking boxes of course. Law firms in particular are grappling with how to advise their clients on best practice for designing and developing a compliant AI system. 

Broader compliance blind spots for law firms have been highlighted by recent SRA tribunals which have sanctioned firms for dishonesty and misconduct, as well as a lack of firm wide risk assessments and effective controls. 

Around the world

The Iran War is exposing a number of compliance red flags, in particular the risk of crypto capital flight which has spiked in the initial days of the conflict. 

Meanwhile the Trump Administration has made it clear that Cuba is the next foreign policy priority. Similar signals that were present prior to the actions in Venezuela and Iran are present, highlighting a number of sanctions risks firms should be aware of. 

New guides

Money Laundering and Terrorist Financing (Amendment) Regulations 2026: What the changes mean for compliance

Tranche 2 and the Legal Sector

Compliance Office: AML audit and SRA health check

Omnitrack: Aventine Labs vendor evaluation

Where can I find more?

Follow our daily blog. Check out our new guides. Subscribe to the podcast.