A detailed breakdown of the FCA's top 10 regulatory priorities for 2026, from Consumer Duty year two to cryptoasset regulation, with practical steps for compliance teams.
The FCA's 2026/27 Business Plan and accompanying Regulatory Initiatives Grid make one thing unmistakably clear: the pace of regulatory change is not slowing down. If anything, the regulator is accelerating. Between May and September alone, four significant rule changes take effect, each requiring distinct operational responses. For compliance officers and senior managers at regulated firms, the challenge is not awareness of these changes in isolation but understanding how they interact, where they overlap, and which ones demand immediate resource allocation versus longer-term strategic planning.
We have reviewed the full regulatory pipeline, cross-referenced it against enforcement trends we are tracking through our FCA Fines Database, and distilled the landscape into the ten priorities that will define compliance agendas for the remainder of this year. This is not a summary of headlines. It is a practical assessment of what each priority means operationally, what the FCA expects to see from firms, and where the enforcement risk concentrates if firms fall short.
1. Consumer Duty Year Two: From Implementation to Evidence
The Consumer Duty's first anniversary has passed, and the FCA has made clear that 2026 is the year of evidence. The initial implementation period gave firms latitude to build frameworks; that latitude is now exhausted. The regulator's expectations have shifted from "do you have a process?" to "what do your outcomes data tell you, and what have you done about it?"
The annual board assessment, required under PRIN 2A.9, is the focal point. The FCA expects this to be a substantive exercise, not a compliance tick-box. Boards must receive granular management information on customer outcomes segmented by product, channel, and customer characteristic. They must be able to demonstrate that where poor outcomes have been identified, remedial action has been taken and its effectiveness measured.
Firms that treated their initial Consumer Duty implementation as a documentation exercise are now exposed. The FCA's data-led supervision strategy means they are already running analytics across regulatory returns and complaints data to identify statistical outliers. If your fair value assessments have not been refreshed since July 2023, or if your outcomes monitoring produces dashboards that nobody acts on, the risk of a section 166 skilled person review or a direct supervisory intervention is material and growing.
Action required: Schedule your annual board assessment for Q2 2026 at the latest. Ensure the supporting MI pack includes quantitative outcomes data, not just narrative summaries. Where data gaps exist, document them with a remediation timeline and present that to the board alongside the assessment.
2. Motor Finance Complaints: The May 31 Deadline
The FCA's pause on motor finance complaint handling, imposed following the Supreme Court's landmark ruling on discretionary commission arrangements (DCAs), lifts on May 31, 2026. This is not a distant policy discussion. It is an operational deadline with immediate consequences.
The Supreme Court's October 2024 decision in Johnson v FirstRand fundamentally recast the duty of disclosure owed by motor finance brokers to consumers. The FCA responded by pausing the eight-week complaint handling window under DISP to allow the industry to prepare for what could be the largest consumer redress exercise since PPI. The pause ending means that complaints which have been accumulating since late 2024 will begin flowing through firms' complaint handling processes simultaneously.
For motor dealers, lenders, and brokers, the operational challenge is significant. Complaint volumes could be substantial, redress calculations are complex, and the FCA has indicated it will monitor firms' handling closely. Our detailed guide on preparing for the motor finance complaints deadline provides a comprehensive preparation checklist. The key message here is that firms cannot afford to treat May 31 as a start date for preparation. If your complaint handling capacity, redress provisioning, and MI frameworks are not already in place, you are behind.
3. CASS 15 Changes: Custody Rules Update (May 7, 2026)
The Client Assets Sourcebook changes taking effect on May 7, 2026, under CASS 15 introduce updated requirements for firms holding custody assets. These changes, finalised in PS24/10, affect how firms reconcile custody assets, the frequency and scope of internal and external reconciliations, and the obligations around custody asset record-keeping.
For firms within scope, the practical impact centres on systems and controls. Reconciliation processes that were previously adequate may no longer meet the updated CASS 15 requirements, particularly around the timeliness of discrepancy resolution and the documentation of reconciliation breaks. Firms holding custody assets should have already conducted a gap analysis against the final rules; those that have not must treat this as an urgent priority given the May 7 effective date.
Action required: Review your CASS operational oversight arrangements and confirm that your reconciliation processes, record-keeping systems, and CASS resolution packs are aligned with the updated CASS 15 requirements before May 7.
4. Consolidated Complaints Reporting (July 1, 2026)
From July 1, 2026, the FCA's new consolidated complaints reporting framework takes effect, replacing the existing regime with the new REP-CRIM returns. This change, confirmed in PS23/15, consolidates multiple existing complaint reporting obligations into a single framework and introduces new data fields that firms must capture and report.
The transition is not merely administrative. The new returns require firms to capture complaints data at a level of granularity that many existing MI systems were not designed to accommodate. Root cause analysis, outcome categorisation, and vulnerability-flagged complaints are all areas where the new reporting requirements go beyond what the previous regime demanded.
Firms should be testing their reporting systems against the new REP-CRIM templates now. The FCA has provided specimen returns and guidance notes, but the practical challenge lies in mapping existing complaints data taxonomies to the new framework. For firms with outsourced complaint handling, the additional complexity of ensuring third-party providers can deliver data in the required format adds a further dimension to the preparation effort.
Action required: Map your existing complaints MI to the new REP-CRIM data fields. Identify gaps in your current data capture and implement changes to your complaints management system before July 1. Test a dummy submission well in advance of the first live return.
5. Non-Financial Misconduct Rules (September 2026)
The FCA's expansion of the Conduct Rules to explicitly cover non-financial misconduct takes effect in September 2026, following the final rules published in PS24/17. This change means that bullying, harassment, discrimination, and other forms of non-financial misconduct are formally brought within the scope of the Individual Conduct Rules under the Senior Managers and Certification Regime (SM&CR).
The practical implications extend beyond updating conduct rules training materials. Firms must ensure their internal investigation processes, HR policies, and whistleblowing arrangements are aligned with the new regulatory expectations. Where a firm identifies non-financial misconduct by a certified person or senior manager, the obligation to assess fitness and propriety and, where appropriate, notify the FCA is now explicit rather than implied.
The enforcement risk here should not be underestimated. The FCA has been vocal about the link between workplace culture and consumer outcomes, and the regulator's Diversity and Inclusion data collection exercise has given it a baseline against which to measure firms' progress. Firms that have not yet updated their conduct rules documentation, training, and investigation protocols should treat the September effective date as a hard deadline.
Action required: Update your Statement of Responsibilities and Conduct Rules documentation to reflect the explicit inclusion of non-financial misconduct. Review and, where necessary, strengthen your investigation and disciplinary procedures for non-financial misconduct allegations.
6. Cryptoasset Regulation: The Stablecoin Regime and Financial Promotions
The FCA's regulatory perimeter around cryptoassets continues to expand through 2026. The stablecoin regulatory regime, building on HM Treasury's phased approach to bringing cryptoassets within the regulatory framework, introduces prudential and conduct requirements for stablecoin issuers and custodians. Separately, the financial promotions regime for cryptoassets, which took effect in October 2023, continues to be an active enforcement focus.
The FCA has been unambiguous about its willingness to take action against firms and individuals promoting cryptoassets to UK consumers without complying with the financial promotions regime. Over 900 consumer alerts related to cryptoasset promotions have been issued since the regime took effect. For firms operating at the intersection of traditional financial services and cryptoassets, whether as advisers, intermediaries, or technology providers, understanding which activities fall within the regulatory perimeter and which require authorisation is a threshold question that must be answered definitively.
Action required: If your firm engages with cryptoassets in any capacity, conduct a regulatory perimeter assessment to confirm which activities require FCA authorisation or compliance with the financial promotions regime. Do not rely on assumptions about exclusions or exemptions.
7. Operational Resilience: Testing Important Business Services
The March 2025 deadline for firms to have identified their important business services, set impact tolerances, and begun testing has passed. The FCA's expectations for 2026 centre on the maturity of firms' testing programmes and the evidence that testing is driving genuine improvements in resilience, rather than producing reports that sit on shelves.
The regulator is particularly focused on firms' ability to remain within impact tolerances during severe but plausible disruption scenarios. Tabletop exercises and scenario planning are expected to be conducted regularly, with lessons learned feeding into remediation plans that have board-level visibility. For firms that rely heavily on third-party technology providers, the FCA expects the operational resilience framework to extend to critical outsourcing arrangements, including clear contractual provisions for resilience testing and incident reporting.
Action required: Review the results of your most recent operational resilience tests. Confirm that identified vulnerabilities have been remediated or have funded remediation plans with defined timelines. Ensure your board has received and discussed the testing results.
8. Data-First Strategy: FCA's Digital Transformation
The FCA's ongoing digital transformation programme is changing how the regulator collects, analyses, and acts on data. The shift from RegData to an enhanced data collection platform, combined with the FCA's investments in data analytics and machine learning capabilities, means that the regulator's ability to identify outliers, patterns, and emerging risks across its supervised population is qualitatively different from even two years ago.
For compliance teams, the practical implication is that the quality and consistency of regulatory data submissions matters more than ever. Errors, inconsistencies, or late submissions that might previously have gone unnoticed are now more likely to be flagged by automated processes. Firms should treat regulatory reporting as a first-order compliance function, not an administrative afterthought. The FCA's data strategy also has implications for the volume and specificity of information requests firms may receive; the regulator is increasingly using targeted data requests to supplement routine reporting.
9. AI in Financial Services: Model Governance and Accountability
The FCA's discussion paper DP5/22 on AI in financial services generated significant industry engagement, and the regulator's follow-up work through 2025 and into 2026 is shaping expectations around AI governance for regulated firms. While the FCA has not introduced AI-specific rules, the existing regulatory framework, including the Senior Managers Regime, systems and controls requirements, and the Consumer Duty, creates a clear accountability framework for firms deploying AI.
The key regulatory expectation is that firms using AI in decision-making processes that affect consumer outcomes can explain how those models work, how they are governed, and how bias and errors are identified and corrected. This applies whether the AI is used for credit scoring, claims assessment, advice suitability, or financial promotions targeting. Firms that have deployed AI without establishing clear model governance frameworks, including model validation, ongoing monitoring, and defined accountability under SM&CR, should treat this as a priority gap to close.
Action required: If your firm uses AI or machine learning in any consumer-facing or decision-making capacity, document your model governance framework. Ensure that a named senior manager has accountability for AI model oversight, and that model validation and monitoring processes are in place and evidenced.
10. Section 166 Skilled Person Reviews: The FCA's Investigative Tool of Choice
The FCA's use of section 166 skilled person reviews has been increasing steadily, and 2026 shows no signs of this trend reversing. Skilled person reviews allow the FCA to commission an independent, expert assessment of a firm's operations, funded by the firm itself. They are used where the regulator has concerns that cannot be resolved through routine supervision but do not yet warrant formal enforcement action.
The areas where section 166 reviews are being deployed most frequently include Consumer Duty outcomes assessment, financial crime controls (particularly transaction monitoring and sanctions screening), operational resilience, and client money and asset handling. For compliance officers, the lesson is straightforward: the areas where the FCA is commissioning section 166 reviews are a reliable indicator of the areas where the regulator's supervisory concerns are concentrated.
The cost of a section 166 review typically runs between GBP 200,000 and GBP 2,000,000 depending on scope and complexity, and the firm has no choice about whether to cooperate or how to fund it. The most effective defensive strategy is proactive: conduct your own independent reviews of the areas where section 166 activity is concentrated, identify and remediate issues before they attract regulatory attention, and document the process so that you can demonstrate to the FCA that your firm is already addressing the concerns they are likely to raise.
Bringing It All Together
The common thread across all ten priorities is evidence. The FCA's supervisory model has shifted decisively from process-based assessment to outcomes-based assessment, supported by increasingly sophisticated data analytics. Firms that can demonstrate, with data, that their processes are producing good outcomes for customers and that they are identifying and remediating issues proactively are well-positioned. Firms that rely on policies and procedures without corresponding outcomes evidence are exposed.
For compliance teams, this means that the annual compliance plan for 2026 must be a living document that prioritises evidence gathering and outcomes monitoring alongside the traditional regulatory change implementation agenda. The ten priorities outlined above are not independent workstreams; they overlap and interact in ways that create both complexity and opportunity for efficient, integrated compliance responses.
| Priority | Effective Date | Primary Risk |
|---|---|---|
| Consumer Duty year two | Ongoing (annual assessment) | Supervisory intervention, s166 |
| Motor finance complaints | May 31, 2026 | Complaint handling failure, redress |
| CASS 15 changes | May 7, 2026 | Client asset reconciliation failures |
| Consolidated complaints reporting | July 1, 2026 | Reporting errors, regulatory data quality |
| Non-financial misconduct | September 2026 | SM&CR fitness and propriety |
| Cryptoasset regulation | Phased 2026 | Unauthorised business, promotions breach |
| Operational resilience | Ongoing | Impact tolerance breaches |
| Data-first strategy | Ongoing | Data quality, automated supervision |
| AI governance | Ongoing | Consumer harm, accountability gaps |
| Section 166 reviews | Ongoing | Cost, reputational risk |
How MEMA Can Help
MEMA Consultants provides practical, hands-on compliance support across all ten of these priority areas. Whether you need a targeted gap analysis against a specific regulatory change, a comprehensive compliance health check, or ongoing advisory support to manage the volume of regulatory change, our team of ex-regulators and senior compliance professionals can help.
We do not believe in generic compliance templates or one-size-fits-all solutions. Every firm we work with receives advice tailored to their specific business model, regulatory permissions, and risk profile. Our approach is to help you build compliance capabilities that serve your business, not just satisfy the regulator.
Book a consultation to discuss your 2026 compliance priorities with a member of our regulatory advisory team. We will provide an honest assessment of where your firm stands and a practical roadmap for the year ahead.
For more guidance on navigating the 2026 regulatory landscape, explore our Compliance Services or visit our FCA Fines Database to understand enforcement trends that inform these priorities.
MEMA Regulatory Team
The MEMA Regulatory Team includes ex-FCA supervisors and Big 4 consultants with deep expertise across all aspects of UK financial services regulation and compliance.
Need regulatory support?
Our team can help with FCA authorisation, compliance outsourcing, and regulatory change implementation.
Book a consultation
