The FCA handed down over £124 million in fines during 2025, with the bulk targeting anti-money laundering failures and weak internal controls. Major banks, challenger fintechs, and even market operators all found themselves on the wrong end of enforcement action. The pattern was consistent: firms that treated compliance as a paperwork exercise got caught.
If you're a Compliance Officer, Head of L&D, or HR Director at an FCA-regulated firm, the takeaway is straightforward. The regulator is moving faster, closing cases quicker, and handing out bigger penalties. Training that ticks a box but doesn't change behavior won't protect your firm. And with the Economic Crime and Corporate Transparency Act now in force and the Consumer Duty reshaping how firms treat customers, the scope of what your people need to know has grown significantly.
This guide covers the seven UK financial regulations your financial compliance training program must address in 2026 - what each regulation requires, where firms are getting it wrong, and how to structure training that sticks.
- FCA enforcement is intensifying. AML failures drove the majority of penalties in 2025, with individual fines reaching tens of millions of pounds.
- Seven regulations demand training coverage: FSMA, SM&CR, AML, UK GDPR, UK MAR, FCA Consumer Duty, and the ECCTA.
- Two newer regulations now require dedicated training: the FCA Consumer Duty (with 2026 embedding requirements) and the ECCTA's failure to prevent fraud offence (live since September 2025).
- SM&CR reforms are expected mid-2026, likely removing the certification regime from legislation and replacing it with a more flexible framework.
- Training delivery matters as much as content. Firms using bite-sized, scenario-based compliance training consistently outperform those relying on traditional formats.
- Non-financial misconduct enters the picture. From September 2026, bullying, harassment, and violence fall under the FCA's Code of Conduct.
1. Financial Services and Markets Act 2000 (FSMA)
FSMA is the foundational legislation underpinning the UK's entire financial regulatory framework. It established the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), defines which activities require authorization, and sets out the enforcement powers regulators can use against firms and individuals who breach the rules.
FSMA has been amended multiple times since 2000, most recently through the Financial Services and Markets Act 2023, which replaced retained EU law with a UK-specific regulatory framework post-Brexit. This gave the FCA and PRA broader rule-making powers and introduced new secondary objectives around growth and competitiveness.
What your training should cover
- The regulatory perimeter - which activities require FCA authorization and what happens when firms operate outside it
- The roles of the FCA and PRA, their objectives, and how they differ
- Approved persons requirements and the authorization process
- Enforcement powers - from warning notices to financial penalties and criminal prosecution
- Post-Brexit changes under the Financial Services and Markets Act 2023
FSMA forms the backbone of every other regulation on this list. If your team doesn't understand the regulatory architecture, specific obligations under SM&CR, AML, or the Consumer Duty won't land properly. For firms building out their compliance training program, FSMA should be the first module new joiners complete.
2. Senior Managers and Certification Regime (SM&CR)
SM&CR replaced the Approved Persons Regime in 2016 for banks and insurers, extending to all FCA-regulated firms by December 2019. It exists to make sure individuals in senior roles can be held personally accountable when things go wrong. The FCA has been explicit: culture drives conduct, and SM&CR is the mechanism for enforcing that.
Changes are coming. The FCA confirmed in late 2025 that SM&CR reforms will likely take effect mid-2026, probably removing the certification regime from legislation and replacing it with a more flexible, regulator-run framework. The number of Senior Management Functions requiring regulatory approval may also be reduced.
The three pillars your training must cover
- Senior Managers Regime. Individuals in Senior Management Functions (SMFs) must have clearly defined Statements of Responsibilities. Training should ensure they understand personal liability, prescribed responsibilities, and how the "reasonable steps" defense works.
- Certification Regime. Firms must assess annually that individuals performing significant harm functions are "fit and proper." Even with upcoming reforms, competence assessments and fitness declarations will remain core requirements.
- Conduct Rules. Five Individual Conduct Rules apply to almost all staff. Senior managers face five additional rules. Training should use real FCA enforcement examples to show what breaching these rules looks like in practice.
A critical development for 2026: from 1 September 2026, non-financial misconduct - specifically bullying, harassment, and violence - will fall under the FCA's Code of Conduct (COCON). This means these behaviors can amount to a breach of FCA rules for any staff member subject to COCON. Training programs must be updated to reflect this expansion. Building a culture of compliance starts with leadership understanding their personal exposure.
3. Anti-Money Laundering (AML) regulations
AML failures were the single largest category of FCA enforcement in 2025. Barclays paid £39.3 million for failing to manage money laundering risks in a long-standing corporate banking relationship. Monzo was fined £21.1 million after customer growth outpaced its AML controls. Nationwide received the year's largest single penalty for governance and oversight failures in its AML framework. The common thread across all three: weak systems and controls that the regulator had warned about for years.
The UK's AML regime is built on the Money Laundering Regulations 2017 (MLRs), the Proceeds of Crime Act 2002 (POCA), and the Terrorism Act 2000. Recent amendments to the MLRs have tightened requirements around crypto-assets and lowered the threshold for "change in control" notifications to better align with FSMA regimes.
Core AML training areas
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). Staff must know when standard CDD is sufficient and when EDD triggers apply - politically exposed persons, high-risk jurisdictions, complex ownership structures.
- Suspicious Activity Reporting (SARs). Front-line staff need to recognize red flags without tipping off the customer. Back-office staff need clear escalation pathways. The volume of SARs submitted to the National Crime Agency continues to rise, and the FCA expects firms to demonstrate their teams know when and how to file.
- Transaction monitoring. The FCA's enforcement actions consistently cite inadequate transaction monitoring as a primary failure. Training must cover what effective monitoring looks like, not just the theoretical framework.
- Record keeping. Firms must maintain records sufficient to reconstruct individual transactions for at least five years after the business relationship ends.
AML training can't be an annual tick-box exercise. The FCA expects ongoing competence. Gamifying compliance training with scenario-based modules and regular refreshers is one way to build genuine AML awareness rather than surface-level familiarity.
4. UK GDPR and Data Protection Act 2018
The UK GDPR (retained from EU law post-Brexit) and the Data Protection Act 2018 together form the data protection framework for all UK organizations. For financial services firms handling sensitive personal and financial data, the stakes are particularly high. The Information Commissioner's Office (ICO) can impose significant fines, and reputational damage from a data breach can be just as costly.
For FCA-regulated firms, data protection intersects directly with the Consumer Duty. The FCA is working with the ICO to clarify how firms should balance data protection obligations with Consumer Duty requirements - particularly around vulnerable customers and data sharing. Further guidance was expected in Q1 2026. Delivering GDPR training effectively requires going beyond generic awareness to cover sector-specific scenarios.
What financial services GDPR training should prioritize
- Data subject rights. Customers' rights to access, rectification, erasure, and data portability. Staff handling customer requests must know response timeframes and escalation procedures.
- Lawful basis for processing. Financial services firms typically rely on contractual necessity, legal obligation, and legitimate interests. Staff should understand which basis applies to different processing activities.
- Data breach response. The ICO must be notified within 72 hours of becoming aware of a qualifying breach. Front-line teams need to know what constitutes a breach and how to escalate immediately.
- AI and automated decision-making. As firms deploy AI for credit scoring, claims assessment, and transaction monitoring, staff must understand the transparency and explainability requirements under Article 22 of UK GDPR.
Effective GDPR training for employees in financial services should be role-specific - what a customer-facing adviser needs to know about data handling differs significantly from what a data engineering team requires.
5. UK Market Abuse Regulation (UK MAR)
UK MAR prohibits insider dealing, unlawful disclosure of inside information, and market manipulation. It applies to all financial instruments traded on UK markets and to anyone - not just regulated firms - who possesses inside information.
The FCA ramped up criminal prosecutions for market abuse through 2025 and into early 2026. Multiple individuals were charged with insider dealing, and several cases involving fraud and forgery were brought forward. The regulator has publicly stated it's pursuing more criminal prosecutions for market abuse than ever before, and the trend shows no sign of slowing.
Training priorities for UK MAR
- Identifying inside information. Staff must understand what qualifies as inside information - non-public, precise, price-sensitive information about an issuer or financial instrument. This is more nuanced than most training programs make it.
- Insider lists and information barriers. Firms must maintain insider lists, implement information barriers ("Chinese walls"), and control the flow of inside information between departments.
- Personal account dealing. Staff trading policies must be clear, monitored, and enforced. FCA enforcement cases consistently involve individuals who circumvented or ignored personal trading restrictions.
- Suspicious Transaction and Order Reports (STORs). The FCA has publicly credited industry reporting with enabling prosecutions. Staff need training on what looks suspicious and how to report it.
Market abuse training is often treated as a one-off onboarding exercise. Given the FCA's increased prosecution activity, it should be refreshed at least annually, with scenario-based assessments that test practical judgment - not just theoretical knowledge.
6. FCA Consumer Duty
The Consumer Duty is the most significant change to UK retail financial services regulation in over a decade. It shifts regulation from a rules-based approach to an outcomes-focused regime. Firms must demonstrate they're delivering good outcomes for retail customers across four areas: products and services, price and value, consumer understanding, and consumer support.
The FCA has made clear that firms treating initial implementation as a documentation exercise are now exposed. The regulator is running analytics across regulatory returns and complaints data to identify statistical outliers. Multi-firm reviews in 2025/2026 are examining how firms design products, monitor consumer outcomes, structure customer journeys, and communicate with customers.
Consumer Duty training must cover
- The four outcomes. Products and services designed to meet target market needs. Fair value (price reasonable relative to benefits). Communications that help customers make informed decisions. Customer support that meets customers' needs.
- The cross-cutting rules. Act in good faith. Avoid causing foreseeable harm. Enable and support customers to pursue their financial objectives.
- Vulnerability. Firms must identify and respond to characteristics of vulnerability - health conditions, life events, low financial resilience, and low capability. The FCA is working with the ICO on guidance around balancing vulnerability identification with data protection.
- Board-level accountability. The Consumer Duty requires annual board assessments of how the firm is delivering good consumer outcomes. Senior managers must understand their personal responsibility under both the Duty and SM&CR.
The Consumer Duty isn't a standalone compliance module. It should be woven through every piece of training your firm delivers - from product design workshops to customer service induction programs. If front-line staff don't understand what "good outcomes" means in their daily work, the training has failed.
7. Economic Crime and Corporate Transparency Act 2023 (ECCTA)
The ECCTA introduced the most significant expansion of corporate criminal liability in a decade. The "failure to prevent fraud" offence came into force on 1 September 2025, making large organizations criminally liable if an employee, agent, subsidiary, or other associated person commits fraud intending to benefit the organization - unless the organization can demonstrate it had reasonable fraud prevention procedures in place.
The Serious Fraud Office (SFO) has been direct about its intentions. The SFO's Director stated they are "very, very keen" to bring charges under the new offence, adding: "We're telling [companies] how to avoid getting into trouble. Come September, if they haven't sorted themselves out, we're coming after them." Penalties are unlimited fines, plus the reputational damage of criminal prosecution.
What ECCTA training must address
- Scope of the offence. It applies to "large organizations" - broadly, those with more than 250 employees or significant turnover and assets. Parent companies can be liable for fraud committed by subsidiary employees.
- The six fraud prevention principles. The Home Office published guidance setting out six principles - proportionate procedures, top-level commitment, risk assessment, due diligence, communication (including training), and monitoring and review.
- Covered fraud offences. Fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, and false accounting. This is broader than many firms realize - it can include misleading representations in prospectuses, inaccurate warranties, and greenwashing claims.
- The "reasonable procedures" defense. This is the only defense available. Training is explicitly listed as a core component of reasonable fraud prevention procedures. Organizations that can't demonstrate they trained their people will struggle to mount any defense.
ECCTA training shouldn't sit in isolation. It connects directly to your AML training (the Act also expanded corporate criminal liability for money laundering offences committed by senior managers) and to your SM&CR training (personal accountability for fraud prevention systems).
At a glance: 7 regulations and training priorities
| Regulation | Core training focus | 2026 update |
|---|---|---|
| FSMA | Regulatory architecture, authorization, enforcement powers | Post-Brexit rule-making powers under the Financial Services and Markets Act 2023 |
| SM&CR | Personal accountability, Conduct Rules, fit and proper assessments | Certification regime reforms expected mid-2026; NFM rules from Sept 2026 |
| AML | CDD/EDD, SARs, transaction monitoring, record keeping | Record FCA fines in 2025; crypto-asset MLR amendments |
| UK GDPR | Data subject rights, breach response, lawful processing, AI transparency | FCA/ICO joint guidance on vulnerability and data protection |
| UK MAR | Inside information, insider lists, personal dealing, STORs | Increased criminal prosecutions; insider dealing charges in late 2025 |
| Consumer Duty | Four outcomes, cross-cutting rules, vulnerability, board accountability | Multi-firm reviews underway; closed book requirements now live |
| ECCTA | Failure to prevent fraud, six principles, covered offences, reasonable procedures | Offence live since Sept 2025; SFO actively seeking prosecutions |
How to deliver financial compliance training that actually works
Knowing what to cover is only half the problem. The other half is getting people to actually complete it and remember it. Traditional compliance training - hour-long webinars, dense PDF handbooks, annual classroom sessions - consistently fails on both counts. Completion rates hover below 20%, and even the people who do finish often can't recall the content a month later.
That's why more firms are shifting to microlearning. Short, focused modules delivered on mobile devices, with built-in assessments and spaced repetition, outperform traditional formats on completion, retention, and time-to-competence.
What effective financial compliance training looks like in 2026
- Bite-sized, not bloated. Break complex regulations into focused micro-modules. AML training doesn't need to be a three-hour marathon. It needs to be a series of targeted lessons - one on CDD, one on SAR reporting, one on transaction monitoring red flags - that staff can complete between tasks.
- Role-specific, not generic. A customer-facing adviser needs different AML training than a back-office operations analyst. A board member needs different Consumer Duty training than a product manager. One-size-fits-all training wastes everyone's time.
- Continuous, not annual. The FCA expects ongoing competence. A once-a-year compliance day doesn't cut it. Automated scheduling that refreshes modules throughout the year keeps knowledge current and creates an audit trail the regulator can verify.
- Scenario-based, not theoretical. "What is money laundering?" is an information question. "This customer has deposited £9,800 in cash three times this week - what do you do?" is a competence question. The second one is what the FCA cares about.
Firms in financial services using 5Mins report 95%+ completion rates on compliance modules, compared to under 5% on their previous platforms. nsave, a fintech regulated in the UK and Switzerland, uses 5Mins to deliver tailored, up-to-date compliance training across their entire firm. Their Head of Compliance & Anti-Financial Crime, Abdul Gofur, put it this way: "5Mins.ai provides a readymade solution that allows me to provide tailored, up-to-date training to the entire firm. It's scalable, efficient, and gives me reassurance."
CPD-accredited courses that auto-update when regulations change, automated enrollment and reminders, and real-time analytics dashboards that show exactly who's completed what - that's the difference between compliance training that protects your firm and training that just generates a folder of certificates nobody checks. You can explore the full compliance training course catalog or compare platforms in our guide to the best financial compliance training platforms in 2026.
This article is for informational purposes only and does not constitute legal advice. Financial regulations are subject to change. Firms should consult their legal and compliance teams for guidance specific to their regulatory obligations.


