Organisations continue to face growing regulatory scrutiny and operational risk. Lexis+ Risk and Compliance provides practical guidance and expert insight to support governance, compliance and business integrity.
Access practical risk management guides highlighting key priority areas, supported by action points, checklists and practical compliance advice.
Understand competition law risks and establish effective compliance arrangements with practical guidance tailored to organisational needs.
Use practical tools, registers, templates and training materials to support data protection compliance and privacy risk management.
Support in-house counsel, compliance and privacy professionals with practical guidance covering GDPR, the Bribery Act, Money Laundering Regulations and wider regulatory obligations.
The Financial Conduct Authority (FCA) has released the results of a review evaluating financial services firms’ frameworks and controls relating to financial and trade sanctions. The publication sets out illustrations of effective and weak practice, plus development priorities, to support firms in meeting sanctions legislation. According to the FCA, firms have advanced in avoiding sanctions breaches, yet deficiencies persist......
Risk & Compliance weekly highlights - 28 May 2026
In this issue: Sanctions; Fraud; Other financial crime; Daily and weekly news alerts; Horizon scanning; Trackers; New and updated content
Sanctions
FCDO announces Russia sanctions targeting crypto exchanges and A7 network
The Foreign, Commonwealth and Development Office (FCDO) has unveiled a fresh UK sanctions package aimed at cryptocurrency exchanges and the Kremlin-backed ‘A7 network’, which Russia uses to evade existing measures and channel funds into its war economy against Ukraine. The actions are intended to curb Russia’s growing reliance on ‘dark networks and shadow financial systems’ to sidestep controls and disrupt related financial flows. The package introduces 18 designations against Russia’s illicit financial infrastructure, covering A7-linked individuals, a Kyrgyz bank suspected of processing payments for the network, and three Georgian firms operating Russia-focused exchanges seeking to avoid sanctions. The A7 network is...
CPA 2026 materially widens corporate criminal exposure by extending attribution for all offences to conduct by ‘senior managers’ exercising significant decision-making power. This moves risk beyond the narrow ‘directing mind’ test and brings companies, particularly large, decentralised groups, under sharper enforcement scrutiny. Expect prosecutors to probe operational leadership, governance gaps and aggregate evidence across individuals. Boards should revisit delegation, clarify accountability and reinforce oversight of operational choices. A continuing hurdle is pinpointing who is a senior manager in complex structures, with courts likely to prioritise substance over form. More broadly, the regime will reshape how organisations record authority, decisions and escalation, with greater emphasis on demonstrating how choices are taken and supervised in practice.
A reshaped strategic risk profile
The most immediate effect of CPA 2026 is a broader range of situations in which a company can be criminally liable. Historically, attribution turned on the...
STOP PRESS: This document is being updated to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025) which amends the UK GDPR and Data Protection Act 2018. For more guidance on the compliance implications of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. This Practice Note consolidates information requirements located in different parts of the UK General Data Protection Regulation (UK GDPR). While many relate to privacy notices, it also covers matters such as data breaches and the data protection officer (DPO). It does not address information requirements where information society services are provided to children. Transparency is a core UK GDPR principle. Most organisations satisfy these obligations through a privacy notice or privacy policy. For a quick reference on the form and content of your notices, see Precedent: Privacy notice audit. For sample privacy notices, see the...
This Practice Note outlines the principal cybersecurity ramifications posed by artificial intelligence (AI) in relation to duties under UK law, including those arising from the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). It further sets out practical guidance on embedding AI as a relevant factor within existing cybersecurity compliance frameworks already in place. Advances in AI prompt concerns about the implications for cybersecurity and, as adoption grows, so too do related cybersecurity concerns. In January 2024, the UK National Cyber Security Centre (NCSC), the UK’s technical authority on cyber threats, warned that AI will almost certainly render cyberattacks on UK organisations more effective and widespread. In April 2026, DSIT and the Cabinet Office published an open letter to businesses on AI cyber threats, warning that the development of AI models is dramatically expanding the speed and scale at which cyber...
This Practice Note compiles a consolidated set of key United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR)-compliant precedent terms, clauses, provisions, schedules and agreements, which can be tailored for commercial dealings and personal data sharing contexts. It also contains certain schedules intended for matters where both the UK GDPR and the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) apply, tackling both regimes within one contract by adopting the highest common denominator of the two compliance frameworks. It is structured as follows: controller to processor data processing arrangements; controller to controller data sharing arrangements; clauses for international transfers. Consult the relevant document for details on when each is intended to be used. For a broad primer on data protection law that gathers key practical guidance, see: UK data protection law...
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill obtained Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025), with provisions also coming into force in part on that day. Certain DUAA 2025 provisions, addressing matters such as handling data subject access requests and the conferral of powers to make further regulations, commenced straightaway on 19 June 2025. Other provisions, relating to notices issued by the Information Commissioner and specific aspects of law enforcement processing, took effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions will only commence once additional regulations are made, in the form of statutory instruments, to bring them into effect. Parts 5 and 6 of DUAA 2025 serve to amend aspects of data protection and ePrivacy law in the UK, including the United...
STOP PRESS: We are revising this document to align with the coming into force of the Data (Use and Access) Act 2025 (DUAA 2025), which modifies the UK GDPR and the Data Protection Act 2018. For further help on the compliance implications of DUAA 2025, refer to Practice Note: Data (Use and Access) Act 2025—compliance implications. 1 Consent to terms and conditions—not data processing consent [ Insert the terms and conditions for which you are requesting consent, eg your T&Cs in relation to the product/service you are providing ] Please confirm that you have read and accepted these terms and conditions [ before proceeding ]. [ You are required to accept the terms and conditions [ state reason, eg to continue with your purchase ]. ] ☐ I agree to these [ [ insert description, eg Retail ] ] terms and...
1 Introduction 1.1 Bribery and corruption persist as significant problems in global commerce, notwithstanding numerous targeted initiatives to deter them. They inflict serious harm on communities where they arise. They: 1.1.1 divert funds and other assets away from those most in need; 1.1.2 impede economic and social progress; 1.1.3 harm enterprise, notably by pushing up the price of goods and services. 1.2 Our statutory duties are chiefly set by the Bribery Act 2010 (BA 2010). BA 2010 applies to us as a UK organisation if bribery happens anywhere within our operations. 1.3 We conduct our business [ es ] with integrity, and in a frank and principled way. Each of us must act to ensure [ insert organisation’s name ] stays free from bribery or corruption. 1.4 This policy is central to that aim. It is fully endorsed by the [ insert, eg Board ]. It...
Section 7 of the Bribery Act 2010 (BA 2010) provides: (1) A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C offers a bribe to another person with the intention of: (a) securing or retaining business for C; or (b) securing or retaining an advantage in the conduct of C’s business. (2) However, it is a defence for C to prove that it had in place adequate procedures devised to prevent persons associated with C from carrying out such conduct. BA 2010, s 8 defines an associated person: (1) For the purposes of section 7, a person (“A”) is associated with C if (disregarding any bribe under consideration) A is a person who performs services for or on behalf of C. (2) The capacity in which A performs services for or on behalf of C...
Please note, this Q&A deals exclusively with UK bribery legislation. Payment of commissions We refer you to Practice Note: How to identify when a commission might become a bribe, which explains that any commission involves providing a financial advantage, albeit it will not invariably amount to a bribe. The Bribery Act 2010 (BA 2010) adopts a wide view of what can constitute a bribe. It is characterised as a 'financial or other advantage' offered or received in a business setting, which amounts to, or induces, the improper performance of a relevant function or activity......
Q&A: Is a solicitor bound by an undertaking that they cannot complete because the client has changed solicitors? This addresses a scenario in which a solicitor is unable to fulfil an undertaking owing to factors wholly beyond their control. It notes that decisions of the Solicitors Disciplinary Tribunal (SDT) abound with rationalisations from defaulting practitioners for failing to comply, such as claiming the promise related to a client for whom they no longer act. However, ceasing to act does not absolve those solicitors from their ongoing professional duty to honour the undertaking......