Every law firm has a legal duty to comply with the SRA Handbook and a raft of other legislation and regulations. Get it wrong and you personally face investigation, disciplinary action, fines and prosecution (not to mention the damage to your reputation).
Practical guidance tools, registers, training aids and other templates to help you comply with data protection law and manage privacy risks
In this issue: Sanctions; Fraud; Other financial crime; Artificial intelligence; Daily and weekly news alerts; Horizon scanning; Trackers; New and updated content
Sanctions
FCDO announces Russia sanctions targeting crypto exchanges and A7 network
The Foreign, Commonwealth and Development Office (FCDO) announced a suite of UK sanctions aimed at cryptocurrency exchanges and the Kremlin-backed ‘A7 network’, which Russia has used to sidestep existing curbs and funnel money into its war economy in Ukraine. The package seeks to counter Russia’s growing reliance on ‘dark networks and shadow financial systems’ to circumvent restrictions and to interrupt the movement of funds. The measures include 18 designations striking at Russia’s illicit financial architecture, covering A7-associated persons, a Kyrgyz lender alleged to process payments for the network, and three Georgian firms running Russia-facing exchanges that attempt to dodge sanctions. The A7 network is...
The Financial Conduct Authority (FCA) has released the results of a review evaluating financial services firms’ frameworks and controls relating to financial and trade sanctions. The publication sets out illustrations of effective and weak practice, plus development priorities, to support firms in meeting their obligations under sanctions legislation. According to the FCA, firms have made progress in avoiding sanctions breaches, yet deficiencies persist...
CPA 2026 materially widens corporate criminal exposure by extending attribution for all offences to conduct by ‘senior managers’ exercising significant decision-making power. This moves risk beyond the narrow ‘directing mind’ test and brings companies, particularly large, decentralised groups, under sharper enforcement scrutiny. Expect prosecutors to probe operational leadership, governance gaps and aggregate evidence across individuals. Boards should revisit delegation, clarify accountability and reinforce oversight of operational choices. A continuing hurdle is pinpointing who is a senior manager in complex structures, with courts likely to prioritise substance over form. More broadly, the regime will reshape how organisations record authority, decisions and escalation, with greater emphasis on demonstrating how choices are taken and supervised in practice.
A reshaped strategic risk profile
The most immediate effect of CPA 2026 is a broader range of situations in which a company can be criminally liable. Historically, attribution turned on the...
STOP PRESS: This document is being updated to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025) which amends the UK GDPR and Data Protection Act 2018. For more guidance on the compliance implications of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. This Practice Note consolidates information requirements located in different parts of the UK General Data Protection Regulation (UK GDPR). While many relate to privacy notices, it also covers matters such as data breaches and the data protection officer (DPO). It does not address information requirements where information society services are provided to children. Transparency is a core UK GDPR principle. Most organisations satisfy these obligations through a privacy notice or privacy policy. For a quick reference on the form and content of your notices, see Precedent: Privacy notice audit. For sample privacy notices, see the...
This Practice Note outlines the principal cybersecurity ramifications posed by artificial intelligence (AI) in relation to duties under UK law, including those arising from the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). It further sets out practical guidance on embedding AI as a relevant factor within the cybersecurity compliance frameworks an organisation already has in place. As AI adoption grows, so do the cybersecurity concerns that accompany it. In January 2024, the UK National Cyber Security Centre (NCSC), the UK’s technical authority on cyber threats, warned that AI will almost certainly render cyberattacks on UK organisations more effective and widespread. In April 2026, DSIT and the Cabinet Office published an open letter to businesses on AI cyber threats, warning that the development of AI models is dramatically expanding the speed and scale at which cyber...
This Practice Note compiles a consolidated set of key United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR)-compliant precedent terms, clauses, provisions, schedules and agreements, which can be tailored for commercial dealings and personal data sharing contexts. It also contains certain schedules intended for matters where both the UK GDPR and the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) apply, tackling both regimes within one contract by adopting the highest common denominator of the two compliance frameworks. It is structured as follows:
controller to processor data processing arrangements
controller to controller data sharing arrangements
clauses for international transfers
Consult the relevant document for details on when each is intended to be used. For a broad primer on data protection law that gathers key practical guidance, see: UK data protection law...
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill obtained Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025), with provisions also coming into force in part on that day. Certain DUAA 2025 provisions, addressing matters such as handling data subject access requests and the conferral of powers to make further regulations, commenced straightaway on 19 June 2025. Other provisions, relating to notices issued by the Information Commissioner and specific aspects of law enforcement processing, took effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions will only commence once additional regulations are made, in the form of statutory instruments, to bring them into effect. Parts 5 and 6 of DUAA 2025 serve to amend aspects of data protection and ePrivacy law in the UK, including the United...
STOP PRESS: We are revising this document to align with the coming into force of the Data (Use and Access) Act 2025 (DUAA 2025), which modifies the UK GDPR and the Data Protection Act 2018. For further help on the compliance implications of DUAA 2025, refer to Practice Note: Data (Use and Access) Act 2025—compliance implications. 1 Consent to terms and conditions—not data processing consent [ Insert the terms and conditions for which you are requesting consent, eg your T&Cs in relation to the product/service you are providing ] Please confirm that you have read and accepted these terms and conditions [ before proceeding ]. [ You are required to accept the terms and conditions [ state reason, eg to continue with your purchase ]. ] ☐ I agree to these [ [ insert description, eg Retail ] ] terms and...
1 General information
Review date: [ Insert date ]
Individual(s) conducting the review: [ Insert name ]
2 Data criteria
Columns: In the last [ insert period, eg quarter ] | Over the last 12 months
Total internal Suspicious Activity Reports (SARs) received: [ Insert number ] | [ Insert number ]
Internal SARs containing a bribery or corruption element: [ Insert number ] | [ Insert number ]
Internal SARs with a bribery or corruption element reported to the National Crime Agency (NCA): [ Insert number ] | [ Insert number ]
Internal SARs with a bribery or corruption element reported to the NCA requiring consent: [ Insert number ] | [ Insert number ]
...
Section 7 of the Bribery Act 2010 (BA 2010) provides:
(1) A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending: (a) to obtain or retain business for C, or (b) to obtain or retain an advantage in the conduct of business for C.
(2) But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such conduct.
BA 2010, s 8 defines an associated person:
(1) For the purposes of section 7, a person (“A”) is associated with C if (disregarding any bribe under consideration) A is a person who performs services for or on behalf of C.
(2) The capacity in which A performs services for or on behalf of C...
Key legal issues for guarantees
Guarantees constitute contracts and must accordingly meet the four essential elements of a contract, namely:
offer
acceptance
consideration
the intention to create legal relations
As a rule in law, past consideration is ordinarily insufficient. A firm ought not to take a guarantee once it has already agreed to supply services to the client in question. The guarantee must also comply fully with s 4 of the Statute of Frauds 1677: it must be recorded in writing and signed by the guarantor (or a person authorised by the guarantor). The firm should also be alert to potential claims of misrepresentation, duress and undue influence. It is sound practice to ensure that the guarantor receives independent legal advice on the implications of giving the guarantee.
Is the guarantee a regulated credit agreement?
Where undertaken by way of business in the United Kingdom, entering into a regulated credit...
What is a DCFA?
Most practitioners know the ‘pure’ CFA, commonly referred to as a ‘no win, no fee’ agreement. Under a pure CFA, the lawyer or legal representative is remunerated only upon a win, as the CFA expressly defines it. If that outcome is not achieved, no fee is payable for the professional work undertaken on the matter. For additional detail, see the subtopic: CFAs and DBAs. A DCFA is often described as a ‘no win, lower fee’ arrangement in contrast to the pure CFA. Under a DCFA, the client agrees to meet the lawyer’s fees in full on success; if the case fails, a reduced fee is payable to the representative.
The role of success fees
Success fees exist to ensure a solicitor’s portfolio of CFA-backed litigation can operate at nil net loss overall. Put...