A programme of thematic reviews is a core component of the compliance monitoring plan, but with competing challenges for compliance resources in most businesses, selecting the right topics and delivering those reviews requires careful prioritisation.

Major regulatory surprises are unusual these days. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Lloyd's have all worked hard to ensure there's a high level of clarity within firms on where current regulatory priorities lie and the planned timelines for key developments. That's not to say there won't be something new arising, simply that there's generally a reasonable degree of notice between an issue arising and regulators taking action that demands attention.

The recent update to the Regulatory Initiatives Grid has helped provide that clarity. This allows us to be reasonably confident in suggesting which issues are most likely to warrant attention by firms planning their thematic reviews in 2026.

Our review of the latest Regulatory Initiatives Grid indicates the following areas are likely to be the most important areas to focus on for most firms in the UK. They are topics that have been subject to recent regulatory updates against which firms would benefit from assessing their own alignment.

Non-financial misconduct.

FCA Consultation Paper CP25/18 confirms that from 1 September 2026, serious non-financial misconduct (NFM) — including bullying, harassment and violence — will be treated as a breach of the Conduct Rules (COCON) across approximately 37,000 non-bank financial services firms. Firms will be required to disclose substantiated misconduct in regulatory references and ensure systems and controls are in place to capture and report such incidents. Additional guidance published in December 2025 helps firms interpret how NFM, including conduct in personal life or on social media, may impact fitness and propriety assessments under the Fit and Proper Test (FIT).

With the final rules and guidance now both published, firms can plan to conduct a thematic review in 2026 on NFM to assess how effectively their current frameworks are positioned to meet the new regulatory expectations. A thematic review enables a deeper, cross-cutting analysis of cultural indicators, reporting mechanisms and disciplinary processes, helping to identify gaps or inconsistencies before the rules come into force. It also provides an opportunity to reinforce a values-driven culture, demonstrate proactive governance to regulators and ensure that fitness and propriety assessments are being applied consistently and fairly across the organisation. A review could be structured under these three pillars:

Non-financial misconduct (NFM)

Cultural and behavioural risk
Governance and accountability
Policies, controls and data

Financial crime.

Financial crime encompasses a wide range of compliance concerns such as sanctions, anti-money-laundering, anti-bribery and corruption, and fraud, and is an area that's been subject to various reviews and updates in recent times.

Additionally, the Economic Crime and Corporate Transparency Act 2023 introduced a new corporate offence of "failure to prevent fraud," which became effective from 1 September 2025.

Firms have had to adapt to lots of change in recent times, driven by everything from geo-political tensions — such as the conflict between Russia and Ukraine, where Western governments have intensified sanctions in an attempt to exert more pressure for change — to increasingly sophisticated attempts to commit fraud and cyber-crimes using the financial services markets.

On the anti-money laundering front, regulators globally have been pushing for greater transparency in beneficial ownership and digital asset controls, with AI-driven monitoring becoming a compliance standard. In the fight against bribery and corruption, both the EU and the UK have introduced new laws, bringing increased corporate liability and enforcement risks. It's no surprise that fighting financial crime was one of the four cornerstones of the FCA Annual Work Programme published in April 2025, and it's a reasonable assumption it will have a similarly prominent place in the 2026 plan.

With so much regulatory change and oversight, we would anticipate insurers, brokers and MGAs might wish to conduct a thematic review focused on three core areas, underpinning their work with the consideration of issues that might arise from outsourcing and third-party risks as well as the maturity of any systems being used to manage financial crime risks.

Financial crime

Fraud prevention
AML and sanctions controls
Governance and oversight

Artificial intelligence.

The potential business uses for AI have evolved rapidly. Although still an emerging risk in many ways, AI also now presents tangible operational, ethical and compliance challenges that organisations must actively manage. Its integration into business processes, decision-making and customer interactions has introduced new dimensions of risk, ranging from data privacy and algorithmic bias to accountability and transparency.

As AI technologies mature, so too does the regulatory landscape that surrounds them. We're seeing a move from voluntary frameworks and principles to formal legislation and enforcement, with jurisdictions around the world introducing (or working on) new rules to govern AI development and deployment. The EU AI Act (Regulation (EU) 2024/1689) started to take effect in August 2024, with most requirements due to be fully in place by August 2026. The EU AI Act was introduced to ensure AI systems used in the EU are safe and transparent and respect fundamental rights.

In the UK, as we look ahead to 2026, firms should expect some regulatory alignment around AI governance, data ethics and digital transformation. Additionally, the FCA's focus on consumer duty and operational resilience will continue to shape expectations for how AI is deployed responsibly and effectively. Regulators internationally are likely to expand the oversight of AI-driven decision-making, especially where it affects pricing, underwriting or customer outcomes.

It's another area where firms may be well-advised to conduct a thematic review and this could be focused on three pillars:

Artificial intelligence

AI governance and oversight
Regulator readiness
Customer impact

A thematic review on this topic could help firms identify gaps, strengthen controls and align AI strategies with regulatory expectations, ensuring responsible innovation and resilience in a fast-evolving environment.

ESG and climate change.

The UK insurance sector's regulatory journey on ESG and climate change began with the Climate Change Act 2008. Since then, ESG has moved from voluntary principles to mandatory frameworks, with Task Force on Climate-related Financial Disclosures (TCFD)-aligned disclosures becoming compulsory for large insurers from 2021. In 2023, the Financial Services and Markets Act introduced a new regulatory principle requiring the FCA and PRA to consider the net-zero target in their supervisory roles, and 2025 has seen ESG and climate-related regulation intensify across the UK insurance sector.

The PRA's Climate Change Adaptation Report and supervisory priorities highlighted the need for insurers to embed climate risk into governance, scenario analysis and capital planning. In December, the PRA published PS25/25 enhancing banks' and insurers' approach to managing climate-related risks, an update to SS3/19 which has changed the landscape for climate-change-related compliance for UK insurance firms.

Collectively, these changes reflect a growing regulatory and stakeholder demand for transparency, accountability and climate resilience; with so many different strands, it's an area where firms may want to commit time to assessing the effectiveness of their compliance with the varied rules. 2026 is only likely to bring further regulatory pressure to demonstrate credible net-zero transition strategies, improved ESG data quality and integrated climate risk strategies across underwriting and other areas.

A thematic review might be structured around three pillars:

ESG and climate change

ESG governance and strategy
Climate risk management
Sustainability reporting and data

A thematic review on this topic could also evaluate how ESG is embedded across the value chain, from product design to claims handling and ensure that the firm is positioned to meet evolving stakeholder and regulatory demands in 2026 and beyond.

Outsourcing and third-party risk.

Regulatory oversight of outsourcing and third-party risk in the UK insurance sector has steadily evolved over the past decade, reflecting growing reliance on external service providers and increasing concerns about the impact of failures within the regulated firms or those providing them with core services. Initial guidance was embedded in the FCA's Principles for Businesses and Systems and Controls (SYSC) rules, with further clarity introduced through the PRA's Supervisory Statement SS2/21 and Policy Statement PS7/21 in 2021, which modernised expectations around outsourcing governance, risk management and operational resilience.

In response to increasing systemic risk from concentrated service providers, particularly in cloud and data services, the Financial Services and Markets Act 2023 established a formal regime for critical third parties (CTPs) which came into effect in January 2025, giving regulators direct oversight of designated CTPs while reaffirming that regulated firms remain fully accountable for managing all outsourcing arrangements, whether critical or not.

The FCA has also consulted on enhanced incident reporting and notification requirements for material outsourcing arrangements. With final rules and a policy statement expected in the first half of 2026 followed by implementation 12 months later, regulators are likely to expand scrutiny on governance, risk management and board-level accountability for outsourced functions.

Following the publication of final rules, a thematic review in this area may be beneficial and could focus on four key areas:

Outsourcing and third-party risk

Map and assess outsourced and third-party dependencies
Evaluate resilience and oversight
Align governance
Prepare for CTP designations and obligations

A thematic review here could also help firms support strategic decisions around vendor selection, contract structuring and board-level oversight — ensuring firms are resilient, compliant and well-prepared for regulatory developments in 2026 and beyond.

Delivering your thematic reviews.

Often, even when a mature compliance team is present, external third parties are chosen to undertake thematic reviews. This has the advantage of providing greater comfort levels around impartiality, specialist knowledge, the ability to benchmark against market norms and ensuring that resourcing the investigation work and writing of comprehensive reports does not impact on day-to-day compliance management.

This overview of the main areas for thematic review is designed to help firms structure the delivery of this work as part of their compliance planning process and ensure readiness for future regulatory developments. If there are aspects where you would like to discuss your own approach and seek independent advice, we are very happy to assist.

Final thoughts.

Compliance planning and the delivery of thematic review work isn't just a regulatory requirement, it's a strategic opportunity that should be approached with the firm's corporate goals and objectives as guidance. As you prepare for 2026, consider how your plan reflects your risk landscape, regulatory obligations and operational maturity, and whether there are aspects where you may benefit from support with planning and delivery of thematic reviews.

Artex UK Advisory is here to help. Our team of compliance experts and flexible resources are available to assist with anything from support with developing your compliance plans, to delivery of specific thematic review work or the provision of planned or unplanned overflow resourcing. If you would like to discuss any of the issues raised in this article, please speak with the author or your usual Artex contact.

Author

Joanne Backshall
Compliance Director

Disclaimer

The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis.