Compliance 2026: Five resolutions to future-proof your function
Did you know? The majority of our Section 166 reviews over the past two years (we’ve done 18) have been triggered by firms’ own data returns, flagged as outliers by the regulator.
That’s right: the numbers you submit can put you straight under the microscope. In an era of digital oversight and data-driven supervision, weak governance or inaccurate reporting isn’t just a compliance gap, it’s a fast track to regulatory intervention.
And that’s why compliance has evolved. It’s no longer about simply keeping pace with regulation; it’s about mastering data, technology, and governance to deliver obligations with confidence. As we enter 2026, the Compliance function has moved beyond the back-office gatekeeper; it’s a strategic driver of trust, resilience, and competitive advantage.
With regulators stepping up action against firms that fail to proactively prevent customer and market harm, and with tech innovation reshaping risk at lightning speed, compliance leaders must embrace agility, foresight, and a willingness to rethink traditional approaches.
Kick off 2026 with confidence! We’ve lined up five essential New Year’s resolutions every compliance leader should embrace, plus practical steps to make them happen.
Resolution 1 – Data: The strategic edge for compliance leaders
Why it matters: In today’s compliance landscape, data isn’t just an operational necessity, it’s the foundation for strategic decision-making. Yet, our Section 166 work across all areas continues to highlight a recurring issue: many firms struggle to produce even basic quality MI. These challenges are especially prevalent where customers have migrated from legacy platforms to new ones without proper linkage, leaving firms with fragmented and incomplete data trails.
Firms also continue to grapple with manual data collection, often resulting in inaccuracies, disconnected data sources, and significant lags in MI availability. The lack of effective, real-time, automated MI creates inefficiencies that drain resources, make informed decision-making difficult for senior leaders, and weaken real-time oversight.
In 2026, data must move from being a burden to becoming a competitive advantage.
Practical steps:
Map your data ecosystem: Identify data silos, gaps, duplicates, and inconsistencies. Understand where data lives and how it flows. We often hear “our data’s crap”, which can be overwhelming as it isn’t clear where to start. By mapping your data ecosystem, you can pinpoint where it’s “crap” and come up with specific actions to start fixing it.
Structure and streamline: Standardise formats and consolidate sources to create a single source of truth.
Build real-time dashboards: Implement centralised MI tools that allow real-time visibility, empowering leadership to act on up-to-date insights.
Resolution 2 – Embracing AI? Put governance at the core
Why it matters: AI has the potential to revolutionise compliance through streamlining document reviews, automating monitoring activities, detecting anomalies, and even predicting customer harm before it occurs. But with opportunity comes responsibility. The FCA has made its position clear: AI must be used safely, transparently, and with adequate oversight and controls.
From our work with firms, we are seeing a growing trend: many want to adopt AI but lack the strong governance and quality data needed to realise its full benefits. Research from MIT[1] found that 95% of organisations reported no measurable financial return from GenAI initiatives, largely due to poor data quality, fragmented systems, unclear strategy and leadership, and a lack of workflow integration, meaning AI tools were not embedded into daily business processes.
Even among the firms we see introducing AI successfully (for example, to identify customer vulnerability through call analysis or to detect patterns such as habitual late payments), there are significant gaps. Many cannot clearly articulate how the technology works in practice, lack adequate documentation of the AI’s logic, and do not have sufficient oversight of its outputs.
Practical steps:
Start with a clear AI strategy: define the purpose and scope of AI within your firm, ensuring initiatives are aligned with business objectives and regulatory expectations. Ask: is the goal efficiency, risk management, or improved customer outcomes? A clear strategy prevents fragmented efforts and sets measurable success criteria.
Build strong governance and accountability: create a robust AI governance framework that includes evidence-based audit trails of model logic, training data sources, assumptions and decision-making processes. In addition, assign clear accountability for AI risk management, with responsibilities documented and assigned to individuals with the right expertise.
Implement oversight and continuous monitoring: introduce strong controls to monitor AI outputs for bias, errors or unintended consequences. For example, this may include developing quality MI dashboards for real-time monitoring, creating escalation processes for anomalies or issues, and introducing a cross-functional compliance committee (IT, legal, risk, business leaders) to ensure decisions are informed by diverse expertise and aligned across the firm.
Resolution 3 – Compliance risk assessments: Time for a 2026 review
Why it matters: The risk landscape for financial services has changed dramatically. While traditional risks remain, new threats such as cyberattacks, AI-driven vulnerabilities, non-financial misconduct, and ESG obligations are now front and centre. Yet many firms still rely on frameworks built for yesterday’s challenges. In 2026, regulators expect proactive risk management, not reactive fixes, so a static framework is a liability. To stay resilient, firms must continuously evolve their risk management approach, ensuring clear appetites, tolerance thresholds, and controls that align to emerging risks.
Practical steps:
Test what actually matters – real customer outcomes: Most firms still focus heavily on process completion and lagging MI to assess customer outcomes. Firms are expected to assess, test, understand and evidence the outcomes customers actually receive. That means outcome testing that mirrors real journeys, surfaces gaps for different customer segments (including vulnerable customers), and triggers timely fixes.
Embrace the FCA’s evolving supervisory approach: As regulation shifts from prescriptive rules to an outcomes-focused model, Boards, Senior Management Functions (SMFs), and compliance teams must take ownership of their interpretations and maintain well-documented rationales. They should be prepared to justify proportionate approaches. Firms are expected to act proactively, raising issues, sharing data, and implementing remediation as the regulator moves toward a more data-led, assertive stance. To keep pace, firms should move beyond static, annual cycles and implement dynamic frameworks and governance models that adapt as risks do.
Perform scenario-based stress tests: Use scenario analysis to assess resilience against emerging threats such as AI-driven fraud, cyber breaches, or ESG-related compliance failures.
Resolution 4 – Price and value assessments: Driving better customer outcomes
Why it matters: Price and Value is central to the Consumer Duty and critical for delivering good customer outcomes. Strong assessments show that customers receive benefits commensurate to the total price paid, including non-financial costs like time and friction. Done well, they guide better product design, sharpen pricing decisions, and identify risks for vulnerable customers before harm occurs. Done poorly, they create blind spots including products that look competitive but deliver poor value in practice and inconsistent treatment of customer groups.
From our work with firms, common gaps include failing to apply a customer outcomes lens, omitting sufficient detail for the document to stand alone for regulatory review, and weak articulation of pricing methodology, such as fees and charges based on expected usage, non-financial costs, and costs incurred by the firm in manufacture and distribution.
Practical steps:
Apply a customer outcomes lens: clearly articulate how the product features, pricing, identified vulnerabilities within the target market and behavioural biases link to the way good customer outcomes will be achieved.
Make the assessment a standalone document: ensure the document contains all key details including the target market, behavioural biases inherent to the target market, vulnerabilities, pricing methodology and any assumptions made. This will enable the reader to clearly understand how fair value was assessed without cross-referring to other sources, which will be useful should the Regulator request a copy.
Evidence pricing methodology: clearly show how pricing was determined, including the full cost of the product with any fees and charges, taking into account the target market’s likely usage, non-financial costs (e.g. time spent contacting customer service), and the costs incurred by the firm. The costs should be assessed alongside benefits beyond price such as product quality, limitations, and service experience to provide a holistic view of value.
Resolution 5 – Make financial crime risk assessments actually inform decisions
Why it matters: At the end of last year, the Financial Conduct Authority (FCA) published the findings of its multi-firm review into Business-Wide Risk Assessments (BWRAs) and Customer Risk Assessments (CRAs). What stood out was not just a list of technical weaknesses, but a deeper acknowledgement that most risk assessments are failing to generate meaningful insight.
Too many firms remain stuck with form-led, backward-looking assessments built on vague taxonomies, superficial analysis, and weak links between firm-wide risk and customer risk ratings. This persists because risk assessments have become more about appearances than analysis. Risks are labelled “high” or “low”, controls are listed, but the connection between real-world behaviour, exposure, and mitigation is rarely explained. Risk appetite often exists on paper, disconnected from how controls are actually designed or used.
Practical steps:
Define real risk events: Clearly articulate who is acting, what they are doing, how processes are exploited, and the likely outcome. Avoid generic or abstract risk statements.
Use your business profile as the anchor: Let customers, products, delivery channels, and geographies genuinely shape both BWRA and CRA conclusions.
Stop confusing risk factors with risks: Risk factors should inform scenarios, not replace them. Be clear about what the actual risk event is.
Assess controls in context: Evaluate controls against real exposures, not in isolation, and show how they reduce risk in practice.
Make residual risk meaningful: Use residual risk to reflect control effectiveness and the level of risk the firm is genuinely prepared to accept.
Join up the frameworks: Ensure BWRA, CRA, and risk appetite are connected through data so management can see how risks flow from firm-wide exposure to customer-level outcomes.
Aim for better insight, not more documentation: Firms that treat risk assessments as decision-making tools — rather than regulatory artefacts — will be far better placed to meet supervisory expectations.
Keep an eye out for our own risk assessment tool in 2026. We’ve poured thousands of hours into its development and are beyond excited by what we’re creating...
Final Thought
Compliance in 2026 is about building resilience, trust, and agility in a world of accelerating change. From harnessing AI responsibly to refreshing risk frameworks and strengthening governance, these resolutions aren’t just best practices, they’re strategic imperatives.
If you’d like to explore these topics further or gain tailored insights for your firm, get in touch at contact@avyse.co.uk. We’re here to help you turn these resolutions into actionable strategies.
[1] The GenAI Divide: State of AI in Business 2025, Massachusetts Institute of Technology's (MIT)