As organizations prepare for 2026, risk and compliance leaders face an increasingly complex enforcement landscape shaped by national security priorities, evolving regulatory frameworks, and rapid technological change. This year, authorities worldwide are intensifying their scrutiny of trade compliance, fraud prevention, and the use of artificial intelligence, while expanding protections and incentives for whistleblowers.

In this blog, we identify six key themes that will define compliance and enforcement trends in the year ahead, offering practical questions and considerations to help businesses strengthen their programs and respond effectively to emerging risks.

National Security themes in enforcement: Trade compliance risk and scrutiny continues to ramp up

National security will continue to be a driver and a tool increasingly used by authorities to scrutinize M&A transactions. There has also been a year-on-year uptick in ex-US trade compliance enforcement since 2022 together with increased coordination between authorities, and we expect this trend will continue.

Companies, including investors and their portfolio companies, need to ensure they can demonstrate risk-based controls including third party due diligence, restricted party screening, tracking of supply chains, and end user / use visibility and controls where appropriate. Clear board reporting, rapid escalation, and documentation of decision-making will be critical evidence in any inquiry, which by their nature will look back with the benefit of hindsight.

This is especially clear where the issue is arising in an industry or across geographies where there is current strategic attention. This is true in both the US Administration (tariffs, Cartels, AI, and technology) and in the UK an EU on matters related to Russia, Iran, and regional security.

Key questions:

  • Are there policies and procedures addressing, as appropriate, key areas such as: (a) tariff classification and country of origin of goods, (b) restricted party screening of counterparties up to ultimate beneficial owners (as well as other third parties including banks), and (c) documented end-use/end user and ownership checks across higher-risk goods, technologies and supply routes?

  • How responsive is the program to changes in regulations?

Fraud

Expect continued focus from regulators and enforcement agencies, in some cases bolstered by new statutes. See, for example, the new Failure to Prevent Fraud offence in the UK, which has far-reaching extraterritorial implications for organisations worldwide – for those new to the offence, have a listen to this quick start guide – and various statements and efforts focused on fraud and financial crime enforcement from the US (especially around healthcare and trade-related fraud) Canada, Mexico, and many EU member states.

Educating the organisation about fraud in all its forms, not just financial, as well as ensuring controls are tailored to business operations will be crucial. Business leaders need to remain conscious of the value impact of strong fraud-prevention and compliance infrastructure – ultimately, preventing and detecting fraud protects the bottom line. A modern, responsive program that can demonstrate it identifies issues (and deals with them) is critical for sale readiness and allows for strong answers when you are facing the need to provide know your customer/client/counter-party information on the health of your program.

Key questions: 

  • Have you conducted a recent risk assessment which helps you map your fraud risks?

  • What anti-fraud compliance initiatives have been identified to mitigate those risks?

  • Are you partnered with first-line business leaders to understand the fraud risks they face and to be available to them for guidance?

Well-resourced compliance programs can help preserve and grow enterprise value

Regulators and enforcement agencies continue to emphasize the importance of effective compliance, including in recent guidance from the UK Serious Fraud Office (SFO) on the evaluation of corporate compliance programs. The benchmark for evaluating corporate compliance programs remains the US Department of Justice’s guidance for prosecutors, with recent statements on priorities informing what compliance teams should regard as priority areas.

In our experience, effectiveness starts with understanding how the organization operates in practice, both globally and locally (culminating in a documented risk assessment). Strong compliance programs are grounded in the company’s risk profile, decision-making processes, and incentives, informed by a clear understanding of business operations and the pressures employees face. Compliance investment will be assessed in context, considering the company’s size, complexity, and overall financial capacity.

Ultimately, a well-designed compliance function which has a strong partnership with the business will support sustainable growth. It also supports early identification and mitigation of issues. If enforcement action arises, meaningful cooperation, robust investigations, and demonstrating a well-thought through compliance program can have a powerful bearing on the outcome.

Key questions:

  • Do I have a current and credible inventory of our business’ inherent risks?

  • Has that inventory been developed in partnership with the business and does it reflect how the business actually operates?

  • How does our compliance program manage or mitigate the risks inherent in our company’s business operations?

  • If asked, how would I demonstrate to my board or to regulators how I am confident our compliance program is performing effectively?

Crisis management – Preparedness will impact outcomes

Well-prepared businesses will need to navigate periods of regulatory uncertainty and risk. Organizations need clear, practical frameworks to respond effectively across jurisdictions and business lines.

Effective crisis management supports business continuity, informed engagement with stakeholders (and potentially regulators), and the mitigation of reputational harm. Crisis plans should be clearly owned, regularly tested, and supported by training and simulations so that teams can act decisively under pressure.

For those with large groups or portfolios, this includes ensuring that company boards and senior leadership teams are equipped to oversee and direct crisis response. Proactive preparation and learning from comparable situations can materially improve outcomes when a crisis occurs. Ensuring company directors are equipped is vital to value preservation. Learn lessons from other organisations and ensure your Board is prepared.

Key questions: 

  • Do you have a clear and actionable crisis management framework that reflects your risk profile and geographic footprint?

  • How have you engaged with your leadership, board directors, and stakeholders to ensure members are sufficiently trained to tackle and navigate high-stakes crises?

  • Are roles, decision-making authority, and escalation paths clearly defined and understood in a crisis scenario?

  • Have you recently conducted table-top exercises on higher risk themes?

Whistleblowing: New incentives and protections raise the stakes

As in previous years, whistleblowing remains a core focus for global authorities. With the criminal division of the US Department of Justice put in place a whistleblower awards pilot program in 2025, we expect 2026 to see discussion in the UK about potential whistleblower incentives as part of a wider push on anti-corruption.

This is also likely to be relevant to reporting on non-financial misconduct (including bullying, discrimination, and sexual harassment). The UK tax authority has already rolled out a rewards program offering 15-30% of any tax receipts collected to the whistleblower. At the same time, whistleblower protection regimes continue to expand across jurisdictions, increasing expectations around how organisations receive, assess, and respond to reports.

Against this backdrop, it is critical that companies maintain trusted and effective speak-up mechanisms that encourage concerns to be raised internally and addressed promptly, fairly, and transparently. A strong speak-up culture, supported by procedures that are tailored to local legal requirements, reduces the risk that issues escalate into higher-stakes external whistleblowing. In designing compliance programs, organisations should draw on lessons from lessons from well-publicised cases and experts on “speak up”.

Key questions: 

  • Does the whistleblowing framework enable employees to raise difficult or sensitive issues early, without fear of retaliation?

  • Is it well socialized?

  • Is the whistleblowing program designed to reflect the organization’s culture, business operations, and local practices across jurisdictions?

  • Are procedures for receiving, investigating, and responding to reports clear, consistent, and compliant with applicable local whistleblower protection laws?

Continued increase in the use of AI will pose regulatory and business risks

As AI use cases mature and scale, the risk profile will shift. The focus will be on how systems are governed, validated, and supervised in practice. These include regulatory non-compliance, unreliable or misleading outputs, data integrity concerns, and the downstream consequences of automated decision-making.

Regulators and enforcement authorities have generally encouraged the use of AI to enhance risk management and compliance capabilities, while making clear that safeguards, human oversight, and accountability frameworks must keep pace with deployment. For compliance and legal teams, there are two focus points:

  • Considering how systems are implemented in a tailored, impactful manner within their functions; and

  • On defensibility: understanding where and how AI is used within the business, ensuring controls are proportionate to risk and jurisdiction, and being able to explain decisions, outcomes, and public claims about AI use when challenged.

​Key questions: 

  • Does the organisation have visibility into how AI is used in practice across the business?

  • Are AI guardrails and controls clearly defined, implemented, and monitored?

  • Is there a crisis management plan for AI-related risks and are you ready to respond?