Shifting Sands: the UK Regulatory Enforcement Landscape in 2026 and Beyond

Illustration of two shields

Introduction

The UK's enforcement landscape underwent significant regulatory and legislative change in 2025. Lawmakers strengthened the powers of the country's key regulators, while new economic crime provisions – most notably the "failure to prevent fraud" offence (the "FTPF Offence") under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) – markedly increased corporates' exposure to criminal liability and imposed new compliance obligations on them. At the same time, regulators signalled a sharper focus and adopted an increasingly robust approach to their enforcement agendas, with a renewed focus on consumer protection.

That momentum shows no signs of abating in 2026, with wide-ranging employment law reforms, the FCA's new rules on non-financial misconduct, the CMA's use of its expanded consumer protection powers, and the significant expansion of the identification doctrine all reshaping the regulatory landscape.

In this article, we examine some of the most significant regulatory developments of the past twelve months, assess the key reforms taking effect in 2026, and consider what the evolving enforcement landscape means in practice for legal and compliance teams.

Corporate criminal liability reimagined: the FTPF Offence and imminent expansion of the identification doctrine

The FTPF Offence came into force on 1 September 2025, marking what the SFO described in its annual business plan as "a landmark moment which will widen the reach and breadth of prosecutions".[1]

The FTPF Offence represents a major expansion of corporate criminal liability. 'Large organisations'[2] can be held criminally liable where an "associated person" (such as an employee, agent, or subsidiary) commits a broad variety of fraud offences intending to benefit the organisation, regardless of the knowledge or complicity of senior management.

Significantly, large organisations (and their subsidiaries) will be within the scope of the UK's FTPF Offence regardless of where they are incorporated, provided there is a "UK nexus". This could arise, for example, where a UK-based employee commits a relevant fraud offence, or where the fraud targets victims, in the UK. Conversely, the offence will not capture fraud committed abroad with no UK nexus.

There is a full defence to the FTPF Offence if an organisation can demonstrate that it had "reasonable" fraud prevention procedures in place at the time of the offence, or that it was unreasonable to expect any such procedures to be in place.

While it will likely take time before we see enforcement in this space, the real power of the FTPF Offence may ultimately lie less in the volume of prosecutions it generates and more in its deterrent effect, as was the case with the Bribery Act 2010.[3] With potential consequences including an unlimited fine and significant reputational damage, compliance teams should treat reviewing and updating their existing fraud prevention frameworks as a number one priority.

Under the common law "identification doctrine" a company can only be held criminally liable where a person representing the "directing mind and will" of the company (usually someone at board level) has committed the offence. This is a high threshold. Pursuant to the statutory identification doctrine introduced in December 2023 by sections 196-198 of ECCTA, an organisation can be liable where a "senior manager", acting within the actual or apparent scope of their authority, commits a relevant economic crime. Coming into force on 29 June 2026, section 250 of the Crime and Policing Act 2026 replaces sections 196-198 of ECCTA: going forward, an organisation can be liable where a "senior manager", acting within the actual or apparent scope of their authority, commits any criminal offence. Significantly, unlike with the FTPF offence, there is no "reasonable procedures" defence.

The FCA and CMA: new powers, new priorities

Both the FCA and the Competition and Markets Autonomy (the "CMA") are reshaping their enforcement approach – the FCA through a renewed push for transparency (and therefore deterrence), and the CMA through newly conferred statutory powers.

The FCA's inaugural "Enforcement Watch"[4] newsletter offers important insights into the regulator's enforcement priorities. Between June and December 2025, the FCA opened 23 enforcement operations – matching the total for the entire twelve-month period ending 31 March 2025. This suggests that the FCA may be accelerating its enforcement activities, notwithstanding its mantra of "quality over quantity".

The newsletter also examines the impact of the FCA's updated Enforcement Guidance, which retained the "exceptional circumstances" test for announcing investigations into regulated and listed firms.[5] This marked a retreat from its controversial proposals to routinely "name and shame" firms under investigation, which had attracted fierce criticism from across the City, as well as politicians.[6]

That climbdown, however, should not be mistaken for a softening of the FCA's approach. Transparency remains a central lever in its enforcement strategy, as demonstrated by its decision to publicly announce an investigation into The Claims Protection Agency Limited (TCPA).[7] The High Court's endorsement of the FCA's approach, following an unsuccessful judicial review by TCPA,[8] is likely to embolden the regulator. Firms under investigation should plan for the possibility of public identification at an early stage and factor reputational risk into their response strategy from the outset.

The FCA's ability to hold firms accountable for misconduct on the part of their employees has also received a boost following the Upper Tribunal's ruling in Rangecourt SA (Formerly Banque Havilland SA) and Others v The FCA in February of this year.[9] The case has significant implications for how employee conduct is attributed to regulated firms. The Upper Tribunal upheld the FCA's decision[10] that Banque Havilland had breached Principle 1 of the FCA's Principles for Business,[11] on the basis that the conduct of the bank's employees was attributable to the bank itself. In doing so, the Upper Tribunal declined to apply the common law test for attributing criminal culpability established by the House of Lords in Tesco Supermarkets Ltd v Nattrass[12], under which (as above) only the conduct of individuals representing the "directing mind and will" of the company will be attributed to it. Had it done so, the Upper Tribunal would have "defeat[ed] the regulatory objective"[13] of Principle 1, which is to require a firm to conduct all of its business with integrity. This means that – in the regulatory context – there is a wider basis for attributing misconduct, which may lead to an increase in the number of investigations the FCA is able to bring against financial institutions.

The CMA, meanwhile, has wasted little time in deploying the enhanced consumer protection powers conferred by the Digital Markets, Competition and Consumers Act 2024 (DMCCA). Since these powers came into force in April 2025, the CMA has launched a major consumer protection drive, opening eight investigations into online pricing and advertising tactics across a range of sectors.[14]

Two recent cases lay bare the CMA's enforcement priorities. First, in February, Euro Car Parks was fined £473,000 for failing to respond to an information notice issued pursuant to the DMCCA.[15] This is a stark reminder that information notices carry legal force and cannot be ignored, and that an incomplete or inaccurate response may itself attract a penalty from the regulator. Second, in March, the CMA opened an investigation into whether early termination fees applied to certain Adobe subscription products breach UK consumer protection law. The investigation will examine the fairness of the terms and whether customers are given sufficiently clear and timely information at the point of purchase.[16] For businesses operating subscription models – who are already facing new regulation expected later this year – the investigation is a signal that cancellation charges are firmly within the CMA's sights.

Workplace behaviour - expanding obligations for employers and regulated firms

The Employment Rights Act 2025 and the FCA's rules on non-financial misconduct (NFM) together represent a significant reform of UK employment law – one that will require businesses and regulated firms to re-evaluate their compliance and HR frameworks.

As of April 2026, the newly established Fair Work Agency (FWA) consolidates the enforcement of employment rights into a single body. The FWA is empowered to inspect workplaces, impose civil penalties for underpayment, and initiate proceedings on behalf of workers.

From September 2026, the FCA's new NFM rules will apply to all regulated firms.[17] NFM (including bullying and harassment) will constitute a breach of the Conduct Rules and will inform "Fit and Proper" assessments for senior managers and certified staff. Importantly, conduct in an individual's private life, and wherever in the world it occurs, may be in scope.

From October 2026, employers will be liable for harassment of employees by third parties, including customers and clients. The existing duty to take "reasonable steps" to prevent sexual harassment will be upgraded to a duty to take "all" reasonable steps.

Employers will need to take steps to prepare for these changes by reviewing and updating their existing sexual harassment risk assessment and harassment policies and procedures, as well as carrying out a specific third-party harassment risk assessment and implementing appropriate prevention measures (e.g. provisions in third party contracts and codes of conduct).

Looking ahead

The direction of travel in the UK is towards a more interventionist regulatory environment. The new FTPF Offence, the imminent widening of the identification doctrine, the FCA's NFM rules, and the new regime on third party harassment will mean that businesses and regulated firms must take a more proactive approach to ensuring their compliance programmes are fit for purpose. The push for transparency in the FCA's activities and the CMA's increased focus on consumer protection mean that enforcement risk is also, increasingly, reputational risk. It will be interesting to see if the SFO, reeling from the very recent departure of Nick Ephgrave, is able to recover the sense of purpose enjoyed under Ephgrave's short tenure. The remainder of 2026 will be a test of whether the UK's regulators can translate their ambition into meaningful enforcement outcomes.

Footnotes

[1]  Serious Fraud Office sets out next steps in ambitious plan - GOV.UK

[2]  A 'large organisation' is one which meets at least two of the following criteria: (1) more than £36m turnover; (2) more than £18m in total assets; and (3) more than 250 employees.

Investigations Circular

Providing a bite-size round-up of recent developments in the world of crisis management and investigations.

Read now

Back To Top Back To Top chevron up