Technology risks move fast and spread widely through financial systems. As transformation and digitization accelerate, we forecast growing scrutiny and enforcement action on operational resilience, use of AI, and crypto markets in the year ahead.
In 2026, fraud, cyber incidents, outages, and algorithmic bias are system-level storms, not isolated lightning bolts. Interconnected digital infrastructure in the financial sector and the normalization of real-time payments, digital assets and AI-driven decision-making will increase the speed and scale of harm if systems fail.
Failures often originate from third-party technology platforms, and the UK is moving toward direct oversight of certain designated critical technology providers. But this doesn’t dilute expectations on financial institutions to prevent, detect and remediate damage.
Cyber incidents in particular serve as potent litigation and enforcement triggers, with scrutiny driven by customer impact, data exposure, and service disruption, rather than technical failure or negligence alone.
A handful of enforcement decisions have already been made, with the potential for momentum in 2026. Last year, one US financial broker agreed to pay fines of $45 million to cover data breach and record-keeping failures. In the UK, the FCA also levied fines and sought redress for a customer data hack involving a credit reference agency.
The AI outlook is similarly unpredictable. As states in the US fight back against federal limits on AI regulation, and European policymakers delay the full rollout of the EU AI Act, uncertainty persists.
Regulatory gaps and fragmentation notwithstanding, both AI harm and use of AI as a tool for detecting and preventing financial crime will draw the attention of financial regulators. From discrimination to AI-enabled fraud, enforcement action and disputes are on the horizon. Ensuring robust governance, risk management and accountability structures is therefore critical for financial firms in 2026.
Risk of disputes is also rising in crypto as the market matures. In the UK, regulators already enforce AML and financial promotion rules, but full FCA authorization and conduct requirements will soon become the price of entry, raising the bar on compliance.
We forecast new enforcement actions for unauthorized promotion of crypto services and investigations into crypto fraud and money‑laundering schemes in the coming year.
This comes in contrast to the US, where the SEC has deprioritized crypto enforcement under the direction of the current administration. At a state level, however, we do see potential for enforcement against unlicensed activity, ICO fraud, and deceptive promotions, alongside examples of regulatory innovation. Florida, for example, has created a regulatory sandbox to supervise innovative fintech use cases and lower barriers to entry.
Interconnected risks
“Technology and financial risk are ever more interconnected, and regulators’ expectations for operational resilience and compliance are rising as a result. Stress-test your systems regularly — including third party providers — and make sure your governance protocols keep pace with new AI use cases and digital tools.”
Matt Baker, Partner, Financial Services Disputes and Investigations
Get ahead for digital asset normalization and adoption
With the UK’s stablecoin regime due to be finalised in H2 2026, and the new cryptoasset authorisation gateway opening in September 2026, firms should move now to strengthen governance, custody, settlement, and disclosure frameworks ahead of the UK’s shift to full digital asset regulation.
FCA publishes further information on its approach to the UK’s new cryptoasset regime
The FCA has released new guidance to help cryptoasset firms prepare for the UK’s incoming regulatory framework - another step in the FCA Crypto Roadmap and a major marker on the path to full crypto regulation.
FCA CP25/40 explained: What the UK’s new crypto regulations mean in practice
This is the first in a series of three articles examining the UK’s emerging regulatory framework for cryptoassets. Together, the series explores the expansion of the regulatory perimeter for cryptoasset activities, the new admissions, disclosure and market abuse regime, and the prudential requirements designed to strengthen the resilience of cryptoasset firms.
FCA CP25/41: Admissions, disclosures and market abuse in crypto
The FCA’s CP25/41 sets out proposals for two interlinked regimes: the Admissions & Disclosures (A&D) regime and the Market Abuse Regime for Cryptoassets (MARC). Together, they implement HM Treasury’s forthcoming Cryptoassets Regulations, bringing certain activities into the FCA's regulatory perimeter through the Designated Activities Regime (DAR). The goal is to strengthen transparency, protect investors and adapt market abuse rules to the unique characteristics of crypto.
CP25/42: The FCA’s prudential reset for crypto firms
CP25/42 completes the FCA's framework for regulating cryptoasset activities by setting out a dedicated prudential regime for cryptoasset firms. As we have previously mentioned in this article series, this latest volley of changes brings further activities within the regulatory perimeter, namely operating a qualifying cryptoasset trading platform (CATP), staking, arranging deals and dealing as agent or principal. CP25/42 incorporates additional proposals that were previously deferred from CP25/15.