On 29 May 2026, HM Treasury (HMT) wrote to the Co-Chairs of the Crypto & Digital Assets APPG.SummaryHMT set out that it recognises the potential for digital assets and blockchain technologies to drive economic growth in the UK and that this is why the Government introduced the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, which establishes a new financial services regulatory regime for cryptoassets.HMT further explain that the legislation’s implementation period is intended to help manage implementation costs for the sector and give firms time to come into compliance before the new requirements come into force and also that the Financial Conduct Authority (FCA) expects to finalise its rules by mid-2026, and for the application period to be open from 30 September 2026, in order to give firms sufficient time to secure authorisation before the regime goes live on 25 October 2027.HMT therefore argues that the current timetable strikes the right balance between implementing the regime at pace and allowing firms sufficient time to adjust their processes as required and secure authorisation and, further, that the FCA is putting in place a range of provisions to encourage high quality applications and efficient processing, including offering firms a free pre- application meeting, providing key information ahead of the gateway opening, and prioritising its resource as needed.

On 29 May 2026, the Financial Conduct Authority (FCA) published Policy Statement 26/8: Retail banking business models data (PS26/8).BackgroundIn January 2026, the FCA consulted on transforming a previously ad hoc series of retail banking business models (R2B2) data collections into an annual regulatory return. Under the proposals firms would supply core financial data comprising of product and sub-product level financial and volumetric information on residential mortgages, personal banking, personal lending, small business banking and lending, other business banking and lending and wholesale funding. The FCA would also include an ‘off-the-shelf’ request for firms to provide various readily available business documents.SummaryIn PS26/8, the FCA sets out its final rules and guidance for the R2B2 return. It explains that most respondents agreed with the consultation proposals in relation to frequency of collection, alignment with firms’ internal accounting periods and annual publication of relevant statistics. However, the FCA also set out that it has made some changes following feedback aimed at making the rules clearer and more proportionate, including: Reconciliation: The FCA have removed from the template a formula driven reconciliation between product level data and whole business profit and loss and renamed this section ‘whole business’ to better reflect its nature and how it will be used. Streamlining off the shelf document request: This request has been amended to focus more on the business as a whole rather than individual products. Rule amendments on group reporting requirements: The FCA have sought to better align these rules with how firms report financial information, for example to enable parent firms to include data in respect of all entities they prepare group accounts for. Clarifications: The rules have bene clarified to make clear that product level data and off the shelf data required only relates to products firms provide to UK customers. Next stepsThe new rules come into force on 1 June 2026.  The FCA will engage with industry in the run up to the deadline for the first submission at the end of November 2026.

On 29 May 2026, the European Securities and Markets Authority (ESMA) published its sixth annual report on the quality and use of regulatory data.Compared to previous annual reports, this annual report has further expanded the scope of the datasets covered to include prospectus reporting, credit rating agency reporting, central counterparty supervisory reporting, crowdfunding reporting, Digital Operational Resilience Act major ICT-related incident reporting, reference data under the Markets in Financial Instruments Regulation and the ESMA registers. The report generally shows that improvements in data quality and data use reinforce each other in a virtuous cycle, supporting more effective supervision and market monitoring across the EU.The ESMA will host on 18 June 2026 a webinar to present the main findings of the report.

On 28 May 2026, the European Commission adopted a Delegated Regulation supplementing the Capital Requirements Regulation (CRR) with regard to regulatory technical standards (RTS) specifying operational risk requirements.The CRR 3 includes amendments to the operational risk area, where a revised framework is introduced and all previously existing approaches for the calculation of regulatory capital are replaced by the business indicator component (BIC). The BIC is based on a business indicator, which measures an institution’s volume of business. The business indicator is a financial statement-based proxy for operational risk. Only the items representing recurrent banking business operations in an institution’s profit and loss statement, or balance sheet statement should be included within this indicator.The RTS: Specify the components of the business indicator by detailing a list of items and the elements to be excluded from the business indicator. Specify how institutions are to determine the adjustments to the business indicator following mergers, acquisitions and disposals, the conditions according to which Member State competent authorities may grant the permission to adjust the business indicator following disposals and the timing of the adjustments post-disposals. Establish a risk taxonomy on operational risk and a methodology to classify the loss events included in the loss data set by developing a list of operational risk loss events and providing guidance on the classification of rapidly recovered losses and losses from legal proceedings. Specify the conditions under which the calculation of the annual operational risk loss should be deemed unduly burdensome for institutions the business indicator of which is equal to or exceeding EUR 750 million and not exceeding EUR 1 billion Specify how institutions are to determine the adjustments to their loss data set following the inclusion of losses from merged or acquired entities or activities. Next stepsThe Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.

On 29 May 2026, the Financial Conduct Authority (FCA) published Handbook Notice 141.This Handbook Notice describes the changes to the FCA Handbook and other material made by the FCA Board under their legislative and statutory powers on 23 April 2026 and 28 May 2026.On 23 April and 28 May 2026, the Board of the FCA made the relevant changes to the Handbook as set out in the instruments: Collective Investment Schemes (Use of Distributed Ledger Technology in Authorised Funds) Instrument 2026 Collective Investment Schemes (Direct Dealing) Instrument 2026 Consumer Credit (Regulatory Reporting) (Amendment) Instrument 2026 Supervision Manual (Amendment) Instrument 2026 Technical Standards (European Markets Infrastructure Regulation) (Clearing Thresholds) (Amendment) Instrument 2026 Short Selling Rules Sourcebook (Administration) Instrument 2026

The Serious Fraud Office (SFO) has entered into its first Deferred Prosecution Agreement (DPA) in five years. The agreement with Ultra Electronics Holdings Limited (Ultra), a British defence, security and aerospace manufacturer, covers historic alleged conduct relating to failure to prevent bribery under the UK Bribery Act 2010 (UKBA).The SFO commenced an investigation in 2018, following Ultra self-reporting suspected corruption in Algeria relating to Ultra’s overseas third-party agents. The scope was later widened by the SFO in 2022 to cover Oman, and again in 2024 to encompass all jurisdictions in which Ultra operated.Under the DPA, Ultra agreed to: pay a £10 million financial penalty, plus £4.8 million in SFO costs; and meet strict conditions, including annual reporting to the SFO on the operation of its ABC programme, and demonstrating genuine and sustained reform over a forward-looking three-year period. This DPA provides important insights into the evolving UK criminal enforcement landscape. We explore five key takeaways below.1. Reminder of the broad scope of failure to prevent offencesThe Ultra DPA is a good reminder of the breadth of failure to prevent offences following the recent coming into force of the failure to prevent fraud offence in September 2025.The DPA serves as a reminder to organisations to ensure that risk assessments, controls and policies are regularly reviewed and updated. Notably, during the investigation, Ultra undertook extensive steps to enhance its compliance programme, including commissioning an independent external risk assessment focusing on the failure to prevent fraud offence.2. Third‑party risk remains a critical exposureThe SFO’s investigation centred on the alleged activity of Ultra’s third-party sales and commercial agents in relation to securing high-value contracts. The Ultra DPA underpins the importance of ensuring compliance programmes deal head on with bribery and corruption risks arising from third party agents and intermediaries.Practical steps include: mapping and risk-rating all third-party channels and relationships; clearly explaining to third parties compliance expectations and understanding what policies and procedures they have in place (to ensure that ABC reps and warranties have meaning); conducting thorough due diligence (including considering business intelligence review for higher risk third parties); testing the commerciality of arrangements and the rationale for the engagement of particular third parties; applying enhanced due diligence and ongoing monitoring to higher-risk third parties; and undertaking an audit on financial controls on payments, including for expenses, third parties, gifts and hospitality and charitable and political donations (as Ultra did as part of its remediation steps). It is critical that companies can provide detailed documentation and data on how third-party risks are managed.3. The benefits of early and fulsome self-reportingUltra submitted a self-report to the SFO in 2018, following concerns raised about payments to an Algerian agent. This was followed by a detailed internal investigation report submitted to the SFO in 2019.In 2022, Ultra made a further disclosure to the SFO relating to conduct in Oman. However, the SFO rejected Ultra’s analysis that a prior internal investigation into the conduct in 2015 had not identified evidence of bribery and corruption, leading to a temporary breakdown in DPA negotiations that were on foot.The case illustrates two important points: Self-reporting can significantly improve the prospects of securing a DPA, rather than facing prosecution. However, the timing, completeness, and accuracy of self-disclosures are critical. In April last year, the SFO published its Cooperation Guidance that made clear prompt self-reports to the SFO, accompanied by full cooperation, would result in an invitation to negotiate a DPA, rather than prosecution.While the Ultra DPA indicates that progressive disclosures made over the course of the investigation are not prohibitive to securing a DPA, early and fulsome reporting helps to ensure the best outcome if you are intending the get the benefit of self-reporting. When assessing the Ultra DPA, the court noted that it had not overlooked the late reporting of the Oman conduct, and that it could properly be reflected in assessing the penalty.The message for corporates is clear: early, comprehensive and transparent engagement with authorities can have significant benefits down the track.4. Cooperation and remediation are determinativeA pivotal factor in securing the DPA was Ultra’s extensive cooperation and remediation efforts, particularly following its acquisition by new owners who were unconnected to the misconduct.Under new ownership and leadership, Ultra executed a “post-acquisition compliance reset” and provided substantial cooperation to the SFO, including: identifying relevant individuals and producing key documents; facilitating access to overseas records and legacy entities; offering limited waivers of privilege; supporting witnesses interviews; and delivering detailed investigative findings, reports and presentations. The company also strengthened its compliance culture, demonstrating active steps to remediate, including: engaging external lawyers to assess its compliance programme and implementing recommendations, and an external accounting firm to undertake a risk assessment; enhancing policy frameworks across business units; undertaking a wholesale review on the approach to selecting and managing third-party agents and intermediaries and a subsequent reduction on the reliance on third-parties; overhauling the Board of Directors and providing the Board with data on Ultra’s ABC programme, as well as introducing a group-level Chief Compliance Officer to report directly to the Board; establishing an independent compliance function and introducing “compliance champions” to sit within business units; and implementing a mandatory training programme. These efforts ultimately led to the SFO resuming DPA negotiations. The outcome demonstrates that meaningful cooperation and remediation can materially influence enforcement outcomes in the right case.5. Increasing emphasis on group-level accountabilityThe DPA also reflects a growing focus on accountability at the group level. Ultra’s parent company, Cobham Ultra Limited, provided formal undertakings to ensure that Ultra would: comply with the terms of the DPA; and remain operational and under its control for the duration of the agreement. This was similarly the case in a previous DPA entered into in 2019 between the SFO and Serco Geografix Ltd, where the parent company (Serco Limited) was required to provide undertakings. In approving the DPA, the Court noted that without undertakings given by the parent company, it was very unlikely that the goals of the DPA could have been achieved, and that it is the parent company which necessarily must engage in any compliance programme and cooperate with law enforcement agencies.This requirement highlights the SFO’s expectation that parent entities play an active role in ensuring compliance and remediation across group structures.The Ultra DPA also serves as a reminder to acquiring entities to undertake thorough due diligence during an acquisition, as they may effectively assume successor liability for the target’s historic misconduct. ConclusionThe Ultra DPA is a significant development in the UK corporate criminal enforcement. It reinforces several themes: the centrality of prevention-focused compliance, the critical importance of third-party risk management, and the tangible potential benefits of early cooperation and genuine remediation.For organisations operating in high-risk sectors or jurisdictions, the case serves as both a warning and a roadmap, demonstrating not only how failures can arise, but also how companies can navigate enforcement processes and, ultimately, mitigate outcomes through proactive and sustained compliance efforts.

On 28 May 2026, the Financial Conduct Authority (FCA) updated its webpage which sets out its findings from a review of how benchmark administrators manage data risks.The FCA completed a multi-firm project looking at the quality of calculation controls in the benchmarks sector and this is reported on in chapter 5 of the webpage. The FCA looked at error handling arrangements, including error identification, classification, prioritisation and notification. The FCA noted that there were two distinct approaches being taken by firms in how they captured and handled errors: Quantitative (data-led) and Qualitative (judgement-led). Both models have strengths and weaknesses.The FCA has also updated the next steps section of the webpage. It will be carrying out further work later this year on other risks set out in its December 2024 portfolio letter, including corporate governance. It adds that addressing any weaknesses in data quality and calculation controls should help firms gain confidence in, and better demonstrate, the effectiveness of their governance and oversight arrangements, as well as strengthening their overall operational resilience.

On 28 May 2026, the Financial Conduct Authority (FCA) published its findings in relation to financial firms’ controls, highlighting good and poor practices and areas for improvement to support better compliance with sanctions rules.BackgroundThe FCA highlights that over the past four years, the UK’s sanctions regimes have grown in scope and complexity and that, therefore, it recently assessed financial services firms’ systems and controls for financial and trade sanctions. As a result, the FCA now sets out examples of good and poor practice, and areas for development, to help firms comply with sanctions legislation.SummaryOverall, the FCA sets out that although there were fewer reports of suspected sanctions breaches from FCA-supervised firms between 2023-2025, the figure remains substantial compared to pre-2022 levels, and most reported breaches relate to financial sanctions, with only a comparatively small proportion of breach reports submitted by firms relating to trade sanctions. As a result, it sets out certain key observations in relation to the following areas, including: Key themes in breaches: The most common root causes of reported sanctions breaches were weaknesses in due diligence, alert management, transaction and name screening, as well as the management of frozen assets and compliance with specific and general licences. Firms should focus on strengthening their control frameworks in these areas as they underpin many of the issues the FCA observe.  Governance and oversight: Sanctions frameworks only work well if firms have strong governance and oversight. Firms should have clear ownership and accountability for compliance, and their senior management should oversee and provide informed decision-making, acting quickly to address weaknesses. Firms should also have robust contingency plans to deal with sudden events or system outages. Management Information (MI): Meaningful MI should allow senior management to understand sanctions exposure, emerging risks, control effectiveness and issues that need escalating or remediating. Firms generally reported some sanctions-related MI to senior management. Tracking and reporting true matches and false positives arising from customer and transaction screening against the UK Sanctions List is also common practice. However, the quality and depth of sanctions MI varied. Stronger MI included data and commentary on the nature and extent of inherent sanctions exposures, the operation of the firms’ controls structures and the crystallisation of any sanction’s risks. Risk assessments: Good sanctions risk assessments should guide how firms design and operate their systems and controls. Firms should assess their exposure to sanctions risks present among their customers, products and the jurisdictions they operate in, as well as the strength of the systems and controls they have in place to address them, which can help identify control gaps and support remediation. Due diligence and ongoing monitoring: Robust customer due diligence (CDD) at onboarding and ongoing reviews can help firms identify sanctions risks and take actions throughout the customer lifecycle.  Some firms understood and assessed the sanctions risks posed by their customers. In others, initial screening and CDD at onboarding did not show that they’d properly considered how they would get a clear view of their sanctions exposure. Among those that had found higher sanctions risks, the use of enhanced due diligence (EDD) tools such as sanctions exposure questionnaires was inconsistent. In some cases, questions were outdated, did not consistently cover UK sanctions regimes, or were used only as a form of customer self-attestation.  Screening: Good sanctions screening can find potential sanctions risks across customer and counterparty relationships and transactions. Firms’ screening and alert management systems and processes should be proportionate to risk exposure, appropriately calibrated, and regularly tested and reviewed. Screening policies: Firms with stronger screening frameworks often supported their screening activity with well‑documented policies and procedures with details of who or what to screen, how often, and how to escalate and resolve potential matches.  More mature frameworks had clear escalation routes, with defined roles and responsibilities across the first and second lines of defence. However, the FCA also found screening policies that were unclear, incomplete, or not applied consistently.  List management and data feeds: Firms varied in their approaches to sanctions list management and the underlying data feeds. Around two-thirds of those in the FCA’s proactive work said that they implemented sanctions list updates within one day of notification and had processes and controls in place so that updates were accurate and prompt. However, the FCA also found errors or omissions in sanctions lists provided by third-party vendors, because of poor quality data and the transfer of data between systems, as well as delays or failures in updating the UK Sanctions List in a timely manner. Calibration, configuration, and assurance testing: The sophistication of firms’ screening configuration and testing varied considerably. Effective practices included periodic calibration and quality assurance testing, engaging with vendors to retest systems following list updates or changes to matching logic, and using root cause analyses following screening mismatches to improve performance. In contrast, the FCA also observed limited testing and oversight of sanctions screening systems, meaning that some firms could not easily detect obfuscated or variant names, including those with non-Latin characters. This meant that firms couldn’t find exact matches between names on their systems and the UK Sanctions List, nor easily identify name variations. Alert management and resourcing: Alert handling was a common cause of reports of suspected breaches by firms. This includes failures to respond to alerts and to freeze accounts before assets were moved, and handling errors leading to alerts being incorrectly resolved, sometimes due to unclear procedures, training, or oversight controls. Evasion detection and investigation: Screening names and payments may not always be sufficient to identify activities breaching sanctions, particularly as connections to sanctioned activity can’t always be identified from transaction messaging.  This is particularly the case for sanctions outside asset freeze measures, such as sectoral financial sanctions and trade sanctions. Firms may need to undertake transaction monitoring, data analysis, thematic reviews and intelligence-led investigations, and have a good understanding of evasion typologies and how these may manifest across a firm’s business. Asset freezing and licence compliance: To effectively comply with asset freezing and the requirements set out in sanctions licences, firms must have clear processes to quickly identify, implement and maintain the requirements. Policies, procedures and systems, along with staff training and appropriate governance, can help ensure assets are frozen and remain frozen, and that licence permissions are managed. Reporting and assessing breaches: UK sanctions legislation defines obligations for reporting suspected breaches of financial and trade sanctions. This requires firms to have clear processes for identifying, escalating and reporting potential breaches to relevant authorities in a timely manner. Discovering what caused the breaches can inform remediation, control enhancements, and risk assessments. Firms are identifying and reporting breaches more quickly and the reporting data shows the average time between identification and reporting has shrunk slightly from 2024. Next stepsFirms should consider the findings and examples in this report and continue to review their systems and controls to ensure they comply with both financial and trade sanctions.The FCA are working with the firms that had weaknesses we found during our review, to make sure they’re taking the right remedial action and will continue to monitor firms to help drive improvements and reduce financial and trade sanctions risk across the industry.The FCA will also continue to liaise and work with relevant partners across HM Government such as the Office of Financial Sanctions Implementation and the Office of Trade Sanctions Implementation to share insights to enhance the FCA’s work. 

On 28 May 2026, the Prudential Regulation Authority (PRA) published Policy Statement 15/26 (PS15/26) setting out updates to Pillar 2A methodologies and related guidance, as the first phase of a two-stage review.BackgroundIn Consultation Paper 12/25 (Pillar 2A review) Phase 1 (CP12/25), the PRA proposed updates to Pillar 2A methodologies and guidance as the first phase of a two-stage review. Pillar 2A capital requirements are set for firms to address risks not already, or not sufficiently, captured by Pillar 1.CP12/25 marked the beginning of a programme of work to modernise the PRA’s approach to Pillar 2A capital by improving the information, guidance and transparency around the setting of Pillar 2A capital over time. It also outlined the PRA’s proposals to address the consequential impacts of the PRA rules that would implement the Basel 3.1 standards.SummaryThe PRA explained in PS15/26 that respondents generally welcomed the PRA’s intention to address the consequential impacts of the implementation of the Basel 3.1 standards, as well as increase the transparency and proportionality of the PRA’s policy.The PRA also set out that it received the most responses on the credit risk proposals. In this area, respondents expressed a range of views, with comments focused on the: Case to retain the benchmarking methodology. Calibration and scope of the two proposed systematic methodologies for certain exposures. Level of prescription and the proportionality of the proposed approach to assessing idiosyncratic credit risk. Having considered the responses to CP12/25, the PRA has made certain changes to the draft policy materials for the purpose of providing greater detail and increasing clarity where it considers appropriate, material changes include: Credit risk: Excluding exposures to small and medium sized enterprises from the systematic methodology for unconditionally cancellable commitments in the retail exposure class (retail UCCs); and, providing greater flexibility in how firms are expected to assess their idiosyncratic credit risks, compared to the CP proposal to introduce expectations for firms to use credit scenarios. Operational risk: Clarificatory updates to improve transparency and guidance for all firms, and changes to the small domestic deposit takers (SDDT) policy materials to align the operational risk Pillar 2A methodology for SDDTs and non-SDDTs. Next stepsFollowing the completion of this first phase of Pillar 2A review, the PRA will conduct a more in-depth review of certain individual methodologies within Pillar 2A. The PRA will publish a further consultation on these proposals next year.The amended Reporting Pillar 2 Part of the PRA Rulebook, reporting templates, reporting instructions and schedule, Supervisory Statements and Statements of Policy will come into force on 1 January 2027.

3 April – 3 May 2026IntroductionESG is changing the landscape for financial institutions as stakeholders, including investors, increasingly expect them to make their operations more sustainable.Financial services regulators also view ESG as a priority, embedding the principles of climate-related financial risks into their supervisory frameworks and dealing with greenwashing issues.There is limited uniformity in regulation as financial services regulators are at different stages in developing their ESG regulatory framework, particularly in relation to disclosures and taxonomy, which is a challenge for many institutions operating across borders. It is therefore critical to monitor the latest regulator updates.To help you, we have tracked ESG regulatory developments from 3 April 2026 – 3 May 2026, from the UK, France, EU, the Netherlands, the US, Australia as well as other key international regulators.This month’s highlightsNavigating the ESG Regulatory Patchwork: A Growing Challenge for ComplianceInternational firms operating across multiple jurisdictions face an increasingly complex web of ESG regulations that are difficult — and at times impossible — to reconcile. As the United Kingdom, the European Union, and the United States each pursue distinct regulatory philosophies, compliance departments find themselves caught in the crossfire of overlapping, and occasionally contradictory, obligations.In the UK, the Financial Conduct Authority has introduced stringent anti-greenwashing rules alongside broader conduct requirements designed to ensure that sustainability claims are fair, clear, and not misleading. Firms marketing financial products or services must substantiate their green credentials with rigorous evidence, and the regulatory tone is firmly interventionist. Across the Channel, the EU’s Corporate Sustainability Reporting Directive (CSRD) imposes a sweeping double-materiality framework, requiring companies to disclose not only how sustainability risks affect their business, but also how their operations impact the environment and society at large. The volume and granularity of data demanded under the CSRD represent a significant step beyond most existing reporting regimes. Meanwhile, in the United States, ESG regulation remains politically fractured. Federal initiatives, such as the Securities and Exchange Commission’s climate disclosure proposals, have met fierce resistance, and a patchwork of state-level rules — some supportive, others openly hostile to ESG considerations — adds further uncertainty.For compliance departments, the practical difficulties are acute. Teams must interpret and operationalise frameworks that differ not merely in detail but in underlying philosophy. A disclosure strategy designed to satisfy CSRD requirements may generate content that is scrutinised differently under UK anti-greenwashing standards or that attracts political risk in certain US states. Data collection and assurance processes must be flexible enough to serve multiple reporting lines simultaneously, yet robust enough to withstand regulatory challenge in each jurisdiction. Resource constraints compound the problem: recruiting and retaining staff with the cross-jurisdictional expertise needed to manage these obligations is an ongoing struggle.Ultimately, the absence of meaningful international harmonisation means that compliance is not simply a matter of meeting the highest standard and assuming coverage elsewhere. Firms must instead maintain parallel workstreams, each tailored to the specific expectations of its respective regulator — a burden that shows little sign of easing.United KingdomThere have been no reported updates this month.European Union21 April 2026 – European Commission adopts Delegated Regulation on RTS specifying the measures and safeguards to be implemented by ESG rating providersThe European Commission (Commission) adopted a draft Commission Delegated Regulation supplementing Regulation 2024/3005 (ESG Rating Regulation) with regard to regulatory technical standards (RTS) specifying the measures and safeguards to be implemented by ESG rating providers to separate their ESG rating activities from their other activities.The structure of the draft Commission Delegated Regulation is as follows: Article 1 sets out that all ESG rating providers should put in place separate organisational structures and working environments for employees and other persons involved in the rating process from any of the activities listed in Article 16(1) of the ESG Rating Regulation, and subject them to regular self-declarations attesting employees’ non-involvement in such activities. Article 2 proposes that ESG rating providers intending to provide investment services and/or insurance and reinsurance activities implement additional technical and internal control measures. Article 3 provides that, ESG rating providers that intend to provide benchmarks, or do provide such benchmarks, are to adopt additional specific safeguards ensuring that employee compensation remains unaffected by conflicts of interest related to benchmark activities, that ESG ratings are produced and offered independently of the provision of benchmarks, and that any actual or potential conflicts of interest are assessed and documented before entering into a contract for the provision of ESG rating activities. The draft Commission Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union (OJ). It applies from 2 July 2026.21 April 2026 – European Commission adopts Delegated Regulation on RTS specifying the elements of ESG rating products to be disclosed to the public and to users of ESG ratingsThe Commission adopted a draft Commission Delegated Regulation supplementing the ESG Rating Regulation with regard to RTS specifying the elements of ESG rating products to be disclosed to the public and to users of ESG ratings, rated items and issuers of rated items.The structure of the draft Commission Delegated Regulation is as follows: Article 1 specifies that the RTS address disclosures to be made under Annex III.1 and Annex III.2 of the ESG Rating Regulation. Article 2 specifies that disclosures made in accordance with Annex III.1 of the ESG Rating Regulation should be presented in accordance with the sequence and structure of the table in Annex I of the RTS. Article 3 requires a range of rating level disclosures around what is rated and what risks and impacts are measured. Article 4 addresses general methodological disclosures. Article 5 deals with disclosures on the limitations of data sources. Article 6 deals with disclosures on ESG rating providers’ organisational information. Article 7 establishes a higher level of methodological disclosures for rated items and users of ESG ratings. Article 8 deals with disclosures on the revision of methodologies. The draft Commission Delegated Regulation enters into force on the twentieth day following its publication in the OJ. It applies from 2 July 2026.24 April 2026 – ESG Rating Regulation – Commission adopts Delegated acts on fees and penaltiesThe Commission adopted: Commission Delegated Regulation supplementing the ESG Rating Regulation with regard to fees charged by the European Securities and Markets Authority (ESMA) to ESG rating providers. This Delegated Regulation supplements the ESG Rating Regulation by specifying the type of fees, the matters for which fees are due, the amount of the fees and the respective justification, the manner in which they are to be paid and, where applicable, the way in which ESMA is to reimburse competent authorities in respect of any costs that they might incur when carrying out tasks pursuant to that Regulation, in particular as a result of any delegation of tasks pursuant to the ESG Rating Regulation. Commission Delegated Regulation supplementing the ESG Rating Regulation with regard to rules of procedure on fines and periodic penalty payments imposed to ESG rating providers by ESMA.  This Delegated Regulation sets out further rules of procedure for the exercise of ESMA’s power to impose fines or periodic penalty payments, including provisions on rights of defence, temporal provisions and the collection of fines or periodic penalty payments, and on detailed rules on the limitation periods for the imposition and enforcement of fines and periodic penalty payments. Next stepsThe Council of the EU and the European Parliament will now scrutinise the Delegated Regulations. If neither object, the Delegated Regulation on fees enters into force on the day following that of its publication in the OJ and the Delegated Regulation on fines and periodic penalty payments enters into force on the twentieth day following its publication in the OJ.FranceThere have been no reported updates this month.The NetherlandsThere have been no reported updates this month.AustraliaClimate Integrity report co-authored by Ruth Higgins SC suggests recent ICJ decision will catalyse more climate litigationA report from Climate Integrity co-authored by the incoming solicitor general, Ruth Higgins SC, found a recent Advisory Opinion from the International Court of Justice on states’ climate change obligations would catalyse increased litigation over companies’ and directors’ climate obligations. The report warns of three primary litigation fronts: greenwashing claims (including those concerning ‘Paris-aligned’ targets), disputes over the regulatory approval of emissions-intensive projects, and legal challenges concerning director liability for climate-related harm.In the ICJ opinion, their Honours found states must act with due diligence and cooperate internationally to prevent environmental harm from greenhouse gas emissions, aligning with commitments under the Paris Agreement. The report observed this decision “has already precipitated legal and regulatory developments that create or amplify climate-related transition risks” (indeed, the opinion already been relied upon in at least three Australian cases challenging decisions to approve fossil fuel projects) and “we expect it to continue to do so. As the magnitude of those risks or the probability of their occurrence rises, so too may the standard of care expected of directors of those corporations.”The report stated that directors of fossil fuel companies will be affected most by the opinion, and that “in our view, directors of such corporations would be required in their decision-making processes to a least consider such risks” that their companies’ assets associated with fossil fuels may be limited, prohibited or rendered financially unviable in the near future.The report highlighted the situations most likely to give rise to a breach of a director’s duty: Where a director approves misleading statements about a corporation’s climate-related risks (including statements that are misleading by omission); Where a director fails to consider climate-related risks at all; or Where a director approves a course of action so unreasonable that no reasonable director would have approved it. The takeaway from the Climate Integrity report is that directors must exercise greater ‘diligence and intelligence’ regarding climate-related risks. Specifically, they should stay informed on evolving climate developments, seek expert advice when necessary, and ensure timely risk disclosure to the market.United States- SEC and CFTCThere have been no reported updates this month.International regulators – FSB, IOSCO, Basel Committee, NGFS, SASB, IFRS, ISSBThere have been no reported updates this month.

On 15 May 2026, the Bank of England (BoE), Financial Conduct Authority (FCA) and HM Treasury (HMT) (the Regulators) published a joint statement on frontier AI models and cyber resilience.SummaryThe Regulators consider that AI continues to evolve rapidly and that, in particular, frontier AI models represent a step-change in capability, with significant implications for cyber security and operational resilience.  As a result, the Regulators highlight that in their view it is essential that firms have effective protective, detective, threat containment and cyber response capabilities including to address faster and more disruptive frontier AI-driven attacks, in particular that firms should be taking active steps in relation to: Governance and strategy: Firms should ensure their boards and senior management have sufficient understanding of frontier AI risks. Investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support. Firms should also consider whether they have appropriate insurance in place.  Identification and risk management of vulnerabilities: Firms should be able to triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate, while mitigating the operational risks from doing so. Managing risks from third parties: Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software. Firms should also be prepared to address and remediate vulnerabilities identified by third parties at scale. Protection: Effective access management, network security, and data protection should enable firms to reduce the attack surface a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences to operate at comparable speed to AI-driven attacks.   Response and Recovery: Firms should be able to respond to and recover from disruption quickly. Firms should read and consider the effective practices on cyber resilience published by the Regulators in October 2025.  Next stepsThe Regulators will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group.  

On 8 May 2026, the Australian Securities and Investments Commissions (ASIC) issued an open letter to industry calling on all licensees and market participants to urgently strengthen their cyber resilience measures, as frontier artificial intelligence (AI) intensifies the global cyber risk environment.The letter emphasises the need for urgent, focused action, reminding industry that cyber resilience must be treated as a core licensing obligation, not simply an IT issue.Steps to takeASIC is urging licensees and market participants to take the following steps: Reassess cyber plans and refocus efforts on the most critical risks in today’s threat environment. Confirm cyber risk, governance and overall risk and decision-making frameworks and consider the cumulative impact of interrelated vulnerabilities and facilitate clear decision making and escalation at the pace necessary to manage risk. Identify and protect critical assets and systems, with a clear understanding of what matters most to the business and customers. Strengthen cyber security fundamentals by regularly reviewing and validating core controls. Minimise attack surfaces by reducing exposure of systems and services to untrusted networks. Regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified. Patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation. Review and strengthen patch management processes, considering challenges daily patching may present to identification, testing, and governance of critical updates. Implement layered, defence-in-depth architectures that assume breach and restrict lateral movement. Prepare for incident response by maintaining and exercising incident response plans and playbooks including business continuity plans and identification of highest priority services, channels and platforms. Actively manage third-party risks, particularly where services introduce concentration or systemic exposure. Use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release. GovernanceASIC expects boards and senior executives to understand their organisation’s position, ask the right questions, and be able to evidence the basis for their assurance.This includes: Being satisfied that cyber resilience measures are proportionate to the evolving threat environment. Ensuring cyber capability is adequately resourced, prioritised and qualified to the standard necessary for the services and risk footprint of your organisation. Receiving meaningful reporting on end-to-end control effectiveness, not just activity. Overseeing how emerging risks, including those from AI, are being assessed and integrated into risk management frameworks. Critically, ASIC states that governance should not rely only on assurances. It should be supported by evidence – test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing.ASIC Commissioner Simone Constant said, ‘Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.’ASDThe letter also reminds all ASIC-regulated entities that they should use practical guidance from trusted sources to strengthen their cyber defences, including the Australian Signals Directorate. ASIC also encourages the use of the Australian Government’s free and anonymous Cyber Health Check, which provides a tailored action plan with simple, actionable steps to improve cyber security.

On 15 May 2026, the Financial Conduct Authority (FCA) published the results of its multi-firm review of UK-registered credit rating agencies (CRAs) which focused on surveillance processes, credit rating methodologies and internal controls.BackgroundIn the review the FCA sought to understand how CRAs maintain robust arrangements for ratings surveillance, consistent application and ongoing review of methodologies, and effective internal controls under the UK Credit Rating Agencies Regulation. The regulator’s findings are based on a sample of firms and involved: Analysis of scoped information provided by CRAs including rating and control review files . Analysis of internal procedures of CRAs. Engagement with analytical and control functions of CRAs. Review of regulatory notifications.  Ongoing supervisory work. FindingsThe FCA sets out good practices it observed and areas for improvement as regards surveillance, credit rating methodologies and their application and internal controls.The FCA has also set out an Annex setting out its observations as to how firms consider ESG factors and disclose them in their methodologies and rating action.Next stepsCRAs should review these findings, evaluate their processes and controls under Board oversight, and consider if gap analysis and remediation are necessary.

On 14 May 2026, the Financial Conduct Authority (FCA) announced that it was re-opening its AI Input Zone.The FCA is reopening the AI Input Zone to gather views from different market participants to understand what stakeholders feel ‘good’ looks like in terms of safe and responsible AI development, and what can be learned from and improved. This will help to inform a good and poor practice publication on AI later this year.The FCA is keen to hear specific examples with as much detail as possible so that its publication is grounded in the latest evidence.The deadline for comments is 19 June 2026.

On 14 May 2026, HM Treasury (HMT) announced an independent review (the Review) into access to banking services and published terms of reference (TORs) for this review.BackgroundHMT highlights in the TORs that while access to cash is protected by legislation and the Financial Conduct Authority has responsibility and powers to ensure reasonable provision of cash withdrawal and deposit facilities; there are currently no existing protections for the provision of access to in-person banking services. As a result, HMT has commissioned an independent Review into Access to Banking Services to better understand the impact of the current trajectory of access to in-person banking services. SummaryThe TORs also set out that the Review should consider whether declining access to in-person banking services is causing consumer detriment, the scale of any detriment, and should look at this primarily through a ‘customer needs’ lens.HMT sets out that the Review will seek to answer the following questions, in particular: Which in-person banking services are important or essential for customers to be able to access? Are there groups of customers who need or require access to in-person banking services and if so, who are they? Is the decline in access to in-person banking services causing detriment to customers, and to how many customers? What is the materiality of the detriment caused to these customers? As part of answering these questions, HMT makes clear in the TORs that the Review should consider both how in-person banking has evolved to the present day, as well as the likely trajectory in this area under current regulation, alongside the role of existing initiatives or emerging digital or hybrid service models to mitigate any detriment.Next stepsThe Review is being conducted on an independent basis, the Chair will provide a report and recommendations to the Government in October 2026, and the Government will publish the report following this.

On 14 May 2026, HM Treasury (HMT) and the Financial Conduct Authority (FCA) announced plans to reform the UK Money Market Fund (MMF) Regulations.SummaryHMT and the FCA set out in the announcement that they consider that recent periods of market stress have highlighted the need to strengthen the resilience of MMFs. As a result, in 2023, HMT and FCA consulted on replacing and reforming MMFR.In relation to the new regime, HMT and the FCA highlight that it will include guidance setting out expectations that UK MMFs hold higher levels of liquidity, which reflects internationally developed proposals.  HMT and the FCA also highlighted that they welcomed feedback from across the sector to help develop a proportionate set of proposals that will enhance the resilience of MMFs and that the FCA will issue a statement shortly with further details on its plans on these proposals.HMT also set out that it recognises the cross-border nature of this sector, and the important role that EU domiciled MMFs play in the UK market such that, in March at the Joint EU-UK Financial Regulatory Forum, the UK and EU recognised the value of constructive engagement on the practices that will enhance the resilience of respective MMF sectors.Finally, HMT also confirmed its intention to extend the Temporary Marketing Permissions Regime, with a view to establishing a longer-term solution on market access, in line with the UK’s framework and process for recognition of overseas firms and funds.Next stepsHMT will now lay legislation as soon as parliamentary time allows to establish the new regulatory framework, under which most requirements for UK MMFs will be set out in FCA rules and guidance.

On 12 May 2026, the European Securities and Markets Authority (ESMA) updated its Manual on pre-trade and post-trade transparency under MiFID II/MiFIR.On pages 12 to 21 of the Manual ESMA sets out a table setting out the updates that it has made to the Manual.The updates include a new paragraph 143 which has been added on page 318:143.  For the purpose of Article 8a of RTS 2, as well as for the application of supplementary deferrals under Article 11(3) of MiFIR, references to the “end of the trading day” (EoD) should be understood as follows: On-venue transactions: EoD means that the transaction needs to be made public at the end of the trading hours of that given trading venue; Off-venue transactions: the publication should take place by 19.00 local time. Next stepsIn the Manual ESMA states that further updates are expected in the context of the MiFID II/ MiFIR review and the subsequent Regulatory Technical Standard 2 review for derivatives and any further legislative or legal change impacting its content. Furthermore, the Manual will be regularly updated addressing new questions from market participants similarly to ESMA Q&A documents.

On 13 May 2026, the Financial Conduct Authority (FCA) issued a press release announcing that it will review how consumer investment firms support bereaved customers.Research prepared for the FCA reports that only 47% of bereaved customers felt they received the support needed from financial firms, and so has launched its review to assess the adequacy of the support being provided.The review is set to focus on firms that advise, manage or administer investments, including platforms, advisers and wealth managers. The FCA will examine the experience customers have from initially being informed about a bereavement, through to settlement or transfer of investments, as well as assessing how firms communicate, support vulnerable customers, service standards and how fees are handled on bereaved accounts.Next stepsFrom May 2026, the FCA will contact selected firms as part of the review, with the intention of publishing its findings, including good and poor practice, later this year.

On 13 May 2026, the European Securities and Markets Authority (ESMA) published a resolution briefing for central counterparties (CCPs).The resolution briefing is issued under Article 25 of the ESMA Regulation and Article 5 of Regulation (EU) 2021/23. The objective of the CCP resolution briefing is to provide a methodology to be considered by Member State resolution authorities (NRAs) when drawing up resolution plans for CCPs. The resolution briefing is not subject to any ‘comply or explain’ mechanism for NRAs and is non-binding. The resolution briefing focuses on the operational considerations that NRAs should bear in mind to optimise the effectiveness of the write down and conversion of instruments tool while limiting associated risks. Other related subjects to this resolution tool, such as the application of the non-creditor worse off principle fall outside the scope of the document.

On 13 May 2026, the King’s Speech 2026 was published together with briefing notes.Page 34 of the briefing notes refers to The Enhancing Financial Services Bill which will deliver key parts of the Leeds Reforms set out by the Chancellor in 2025.The briefing notes report that the Bill will: Modernise consumer protections and redress arrangements to reflect today’s markets and maintain confidence. Reforms to the Financial Ombudsman Service (FOS) will increase consistency and clarity of decision-making, helping people resolve disputes more quickly and with greater certainty. On 16 March 2026, HM Treasury (HMT) published its consultation response in relation to its review of the FOS. Consolidate the regulatory framework to enable stronger coordination and clearer responsibilities, reduce fragmentation of the regulators and support innovation. By streamlining the regulatory architecture and consolidating the Payment Systems Regulator within the Financial Conduct Authority (FCA), firms will deal with fewer overlapping regulators, providing clearer accountability and faster decision making. On 21 April 2026, HMT published its consultation response in relation to proposals to take a streamlined approach to payment systems regulation. Ensure that the administrative burden on firms is proportionate without compromising on core consumer, prudential and market protections. This includes reducing the overall burden of the Senior Managers and Certification Regime (SMCR). On 22 April 2026, the FCA and Prudential Regulation Authority issued policy statements setting out changes for the SMCR as part of Phase 1 of the reforms. HMT also published its consultation response to support Phase 2 in which the regulators would be able to make additional changes if legislation is made. Enable credit unions to expand by improving the rules on who can become a member. This will allow credit unions to serve more people and communities, widening access to affordable finance and supporting the Government’s aim to double the size of the mutual and co-operative sector. On 18 March 2026, HMT issued its response to its earlier Call for Evidence on the merits of and considerations for changing the credit union common bond requirement for membership in Great Britain, under the Credit Unions Act 1979. Support lending and investment including by updating the statutory framework underpinning the ring-fencing regime, which requires major banks to separate their UK retail banking services from investment banking activities. The reforms will unlock more finance for UK businesses. Improved competition in Small and Medium-Sized enterprises’ lending will help small businesses access finance. In its financial services growth and competitiveness strategy the Government stated that HMT would undertake a short review of the ring-fencing regime and issue a report in early 2026.