September compliance news round-up

What’s in this update?

Fraud & AML: New failure to prevent fraud offence now in force; UK, EU, US and Australia all tightening financial crime rules.


Data & Cyber: UK DUAA and EU Data Act reshape data regulation; surge in cyberattacks and AI-driven ransomware.


Human Rights & ESG: Push for UK human rights due diligence; EU ESG agenda fading; Xinjiang imports highlight modern slavery risks.


Workplace & Diversity: Gender pay gap persists, rising mental health absences, and regulators cracking down on harassment and discrimination.


Enforcement & Governance: Regulators from the SFO to the Bank of England flexing powers with big fines and new compliance expectations.

UK regulatory update

Failure to prevent fraud came into force on the first of this month, but a new VinciWorks poll shows a staggering 4 in 10 companies haven’t yet trained staff about the new offence.


Meanwhile the Serious Fraud Office (SFO) believes Unexplained Wealth Orders (UWOs) could be the key to fraud convictions, having secured its first successful UWO of 2025 and clawed back over £1m from a convicted fraudster.


Another new compliance rule is on the horizon. Mandatory human rights due diligence could be coming to the UK soon after a parliamentary committee recommended new legislation.


The Bank of England has exercised its little-used regulatory powers to fine a firm nearly £12m for failing to invest in good governance and strong compliance systems.


Cyber security incidents are raging across the country. Hackers stole the data of 8,000 children from a nursery. Meanwhile Jaguar Land Rover was also brought down by a cyberattack. No business can get away with lax cyber security practices.


While the Data (Use and Access) Act is reshaping data protection, enforcement can still bite. A care home director was prosecuted by the ICO and convicted by a court for failing to respond to a subject access request from a resident’s daughter.


Discrimination claims can be complex, but some are straightforward. A pregnant woman who was dismissed by her employer won her £20,000 discrimination claim.


A massive rise in sick leave among workers is being reported, with mental health conditions showing up in over 40% of cases. Firms should think about better wellbeing strategies.


The EHRC, Britain’s diversity regulator, has used one of its lesser-known powers to force supermarket chain Lidl into a legally binding agreement to improve its sexual harassment procedures following an employment tribunal.


The Isle of Man is facing a siege by drug smugglers, money launderers and criminal gangs. In response, the Manx government is preparing to extend its definitions of financial crime to include bribery, corruption and sanctions breaches.

EU regulatory update

The EU’s Data Act has come into force as of 12 September. What does this mean for GDPR, and which EU companies do the new rules apply to?


Spain is seeking to tackle endemic corruption with a new anti-bribery law. The embattled Spanish government, itself a target of bribery probes, is proposing stricter penalties and enforcement.


An interesting GDPR case from Denmark, which went all the way to the court in Brussels, has expanded corporate liability for companies using legacy or outdated IT systems.


ESG, once the poster child of the EU’s ‘Green New Deal’, is dying a rapid death. It’s all but gone from the European policy agenda, and even BlackRock has turned its back on sustainability requirements.


New UBO rules are coming into force across the bloc. By July 2027, firms will have new requirements to identify and verify UBOs under the AML single rulebook.


US regulatory update

Significant regulatory change might be afoot with the Bank Secrecy Act and wider US AML regulations. Treasury officials outlined a possible new approach including changes to penalties… and incentives for compliance.


The legal market

Sweeping reforms to the UK’s Money Laundering Regulations have been announced by the government, reshaping AML compliance for every regulated entity and due to come into force in 2026.


These changes also include rules around pooled client accounts. While these have long been seen as low risk, the Treasury wants to decouple this from simplified due diligence.


A barrister has been named by HMRC as a promoter of a tax avoidance scheme, amplifying the government crackdown on the legal sector’s role in tax avoidance.


The first UK gender pay gap review from over 100 of the UK’s biggest firms has shown men earn 26% more than women. With new pay gap rules on the horizon, how are law firms tackling this issue?


In Scotland, failure to prevent fraud takes on a different flavour as Deferred Prosecution Agreements (DPAs) are not available under Scots law. This could extend the risk for Scottish firms being caught up in fraud prosecutions.


Around the world

In Australia, Tranche 2 reforms on AML are due to start coming into force from March 2026, with a range of new money laundering obligations on everyone from lawyers to crypto. Proliferation financing is also part of the regime that firms will have to deal with.


Brazil is on the brink of an adequacy decision by the EU, allowing for free-flowing data between South America and the European Union.


Almost £1 billion of slave-labour-linked goods has been imported into the UK from the Xinjiang region of China. This highlights the very real modern slavery risk of doing business in certain regions.


An investigation has revealed Chinese manufacturers are sending drone parts to Russia in violation of international sanctions. It raises the risk of western manufacturers potentially doing business with sanctioned entities or high-risk companies.


Did you know?

Ransomware has gone AI. The first ever fully automated, AI-powered ransomware has been discovered that uses LLMs to target companies all by itself. Scary stuff.


New guides

Building trust in Crypto: How the FCA’s Consultation could reshape the UK market

Unexplained Wealth Orders (UWO) compliance checklist

Guide to the Data (Use and Access) Act 2025 – What you need to know

DUAA FAQs

Data (Use and Access) Act 2025 implementation factsheet

The 2025 changes to the Money Laundering Regulations 2017

Failure to prevent fraud – A practical guide to compliance

Mental health and psychological safety: A guide to wellbeing and compliance

Bribery & corruption risk assessment refresh checklist

Bribery and public officials: Case studies and compliance lessons from global bribery scandals

Where can I find more?

Follow our daily blog. Check out our new guides. Subscribe to the podcast.