What’s in this update?
- UK regulators intensify enforcement on harassment, mental health, bribery, and money laundering, highlighting gaps in employer preparedness.
- EU AML and GDPR updates tighten compliance requirements, with new rules impacting UK firms operating in the bloc.
- US regulators increase scrutiny on privacy, fraud, and sanctions, with new CCPA obligations and expanded data exposure liability.
- Legal sector faces increased pressure from the SRA and Law Society of Scotland, exposing widespread AML failures and enforcement actions.
- Global compliance landscape shifts, with new anti-fraud strategies in Canada, tighter crypto regulations, and upcoming elections impacting regulatory focus.
UK regulatory update
Half of workers in the UK lack confidence in their employers’ ability to prevent sexual harassment, according to our research. With the Employment Rights Bill around the corner requiring even more effort to prevent harassment, these stats show there is much more to do.
Meanwhile, the UK’s equality watchdog, the EHRC, has taken the unprecedented step of extending and strengthening a binding legal agreement with McDonald’s over its failure to prevent harassment.
New HSE figures have revealed that workplace stress has hit new highs, with nearly 1 million UK workers suffering from work-related mental health issues.
Staggering data shows one in 35 businesses faced a bribe last year, the equivalent of 117,000 bribes being offered, worth over £300 million. Meanwhile one in 43 businesses, or 2% of the total, faced money laundering in a sign that financial crime remains highly prevalent.
The Gambling Commission has released a new version of its casino guidance, on how to keep gaming providers in line with the MLRs 2017, and in particular around the FCA’s approach to PEPs.
A UK politician and former leader of the Reform UK party in Wales was convicted of Russia-linked bribery and sentenced to ten and a half years in prison under the Bribery Act 2010, a serious reminder of the dangers of bribing public officials.
Less than 2% of UK businesses are fully prepared for The Data (Use and Access) Act, with 77% unsure, not prepared or not fully aligned with the new requirements of the law.
The Competition and Markets Authority (CMA) has launched a number of direct consumer enforcement actions targeting a number of major companies. New powers given to the CMA empower it to impose fines of up to 10% of global turnover.
And a new case at the High Court has confirmed the FCA’s powers to name and shame companies, even those under investigation. Companies could find themselves publicly named with as little as 24 hours’ notice.
EU regulatory update
A leaked draft proposal from the EU on the Sustainable Finance Disclosure Regulation 2.0 will impact not only firms in the bloc that are captured, but also UK businesses that may have to comply if they are doing business in the EU.
The EU’s AML transformation continues apace. Alongside AMLA, a single EU rulebook will harmonise the operation of money laundering rules across the bloc, including AMLR, AMLD6 and the operation of AMLA.
Ireland’s first crypto enforcement case saw major crypto provider Coinbase fined €21.4m for not properly monitoring over 30 million transactions. This represents over 30% of all Coinbase transactions in Europe.
German AML regulator BaFin levied millions of euros in fines this year: a €23 million penalty against Deutsche Bank in February, and a record-setting €45 million fine against J.P. Morgan SE in November.
Croatia’s data protection authority fined a telecom operator €4.5m for GDPR breaches. The firm sent data to neighbouring Serbia. Although they share a border, Serbia is outside the EEA and the Croatian firm relied on outdated standard contractual clauses.
Nevertheless, the EU is forging ahead with major changes to GDPR and AI rules through the Omnibus simplification procedure. There could be a new lawful basis for AI training, simplification of the AI Act, and even dropping some provisions altogether.
US regulatory update
Significant updates to the California Consumer Privacy Act (CCPA) will come into force on 1 January 2026. These will require executives to increase and sign off on compliance commitments under penalty of perjury.
A fraud at the basketball team the Atlanta Hawks exposed not only a multi-million dollar scheme, but also a serious array of compliance failures and missed opportunities to prevent fraud.
A ruling from the Fourth Circuit Court of Appeals has introduced a new legal threshold for data protection exposures and risks. Any data published on the dark web is at risk, and is public, and firms are liable.
A number of sweeping sanctions were levied against members of a Mexican family in charge of a global network of casinos alleged to be a money laundering front for the Sinaloa Cartel. These designations follow the United States’ continuing crackdown on drug trafficking.
The legal market
The SRA’s AML annual report is out, suggesting a worrying picture of firms failing to get the basics right, including firm-wide risk assessments. Nearly a thousand firms were involved in supervisory engagements last year, with 32% being found non-compliant.
The SRA also published its thematic review of Source of Funds and Source of Wealth, finding that 11% of firms lack any source of funds checks and nearly one in five are inadequately scrutinising the evidence collected, a clear breach of the MLRs.
The Law Society of Scotland published an extensive examination of how Scottish firms undertake their AML obligations, including SARs. Fifty Scottish firms were assessed by the thematic review and most were submitting high-quality, well-reasoned SARs. However, the threshold of suspicion is still an area firms need further guidance on.
A staggering AML case involved a solicitor who received over £9m in deposits without making any notes on the file, then transferred the money to two third parties with no written instructions to do so. The solicitor was fined £4,000 for keeping a ‘mental note’ of the transactions.
Meanwhile a firm was fined £24,000 for serious shortcomings relating to foreign Politically Exposed Persons. The firm had collected extensive information about the clients’ SoF and SoW, but the SRA decided the firm still hadn’t done enough.
AI hallucinations in legal cases are not disappearing. The twentieth case of fake cases being submitted to an employment tribunal was recorded in the UK in November, with 24 cases so far recorded in courts including fake precedents or the AI distorting the outcome of real cases.
Around the world
Although Gibraltar was removed from the FATF grey list, two enquiries have exposed the “Kafkaesque” nature of political power and financial crime operating in the Overseas Territory.
Canada has announced a new national anti-fraud strategy as well as the launch of a Financial Crimes Agency to recover the proceeds of complex financial crimes, along the lines of the UK’s NCA.
VinciWorks has published our global election tracker 2026, where compliance teams can view what potential changes of government might occur next year, and how that could affect compliance. From possible new anti-corruption laws in Brazil to modern slavery rules in New Zealand, a change of government can often mean a shift in regulatory focus.
Did you know?
Most cryptocurrency firms are used as a platform for illicit finance. Crypto remains a serious risk for financial crime, and in our view, should always be treated as high risk.
New guides
From the SRA to the FCA: What every firm needs to know
Fire safety in 2026: A complete guide
Inclusion awareness days calendar 2026
VinciWorks and GB Railfreight Case Study
Australia’s Tranche 2 AML/CTF Reforms: What Law Firms Need to Know
Be Tranche 2 Ready with Omnitrack
Tranche 2: How can you prepare? Checklist
Where can I find more?
Follow our daily blog. Check out our new guides. Subscribe to the podcast.


