For financial services CEOs, especially those running large cross-border organizations, this drive towards localization poses risks to their strategies and operating models. Success will depend on three critical capabilities: maintaining keen awareness of the higher costs of doing business in certain jurisdictions as rules diverge; closely monitoring regulatory changes and emerging risks in priority markets; and applying rigorous scenario planning to anticipate the implications of different regulatory outcomes.
Financial services CEOs believe fragmentation will persist, representing a long-term change of direction rather than a short-term tactical response to current risks. While last year’s Outlook anticipated many of these developments, 2026 presents a more complex and dynamic environment: one that will require firms to navigate differing regulatory priorities while identifying areas for growth and resilience.
Across the major regions, distinct regulatory priorities are taking shape: the US is looking to deregulate to support innovation and growth; the EU is focusing on simplification, harmonization and competitiveness; the UK is prioritizing growth over risk; Asia-Pacific is emphasizing fintech innovation and market development; and Latin America is centering on financial inclusion and consumer protection.
There are four key themes that will play out over the coming year in this rapidly changing environment.
1. AI governance: oversight lags behind adoption
Rapid artificial intelligence (AI) adoption in financial services is outpacing regulatory oversight. More than 70% of banking firms report using agentic AI to some degree, with 16% having fully deployed solutions and 52% running pilot projects, according to the EY-sponsored report with MIT Technology Review Insights, “Imagining the Future of Banking with Agentic AI”. But there is a general lack of robust governance frameworks.
Regulators in the US, EU, UK and Asia-Pacific are taking divergent approaches, with some relying on existing principles and others drafting new rules, creating a complex patchwork for global compliance functions. In response, firms must prioritize regulatory adherence and compliance for AI in each jurisdiction where they operate.
Boards are making AI oversight a standing agenda item and investing in explainability, auditability and third-party risk controls ahead of regulation. Taking the initiative in this area is critical if boards and CEOs are to avoid regulatory gaps, reputational risk and missed opportunities for innovation.
Actions for firms:
- Implement robust AI governance and model management with data security, audit trails and provenance controls to mitigate risks such as biased data and model errors.
- Control unofficial AI use by employees through clear policies and device restrictions.
- Safeguard client and firm data confidentiality by preventing exposure via public or third-party AI platforms and tailoring AI tools to firm-specific workflows.
- Update existing AI policies to cover integration across software and service supply chains, including robust third-party risk management.
2. Digital assets and payments: an expanding regulatory patchwork
Regulation of stablecoins is advancing quickly at the national level, notably with the GENIUS Act in the US, which provides the first federal-level legal framework for digital assets. Others, including Brazil, the EU, Hong Kong, Japan, South Korea, Singapore, the United Arab Emirates (UAE) and the UK, are pursuing their own paths, although there is some convergence around three key principles: full reserve backing; clear redemption rights; and robust custody and safeguarding of client assets.
This fragmented regulation is expected to impact firms’ business models and lead to varying levels of stablecoin adoption across the world.
Payments regulation is also caught between local and global efforts, with global rules cutting across the inherently local nature of payments, since specific rules are determined by the jurisdiction where the payment is received.
Actions for firms:
- Focus on horizon scanning, impact assessments, interpretation of upcoming regulatory proposals and the building of roadmaps.
- Design and oversee simulations and stress tests for stablecoin operations, including high-volume redemptions and market volatility scenarios.
- Determine how to treat customers fairly and provide a degree of recourse that takes into consideration customer expectations.
3. Resilience and cybersecurity: board-level imperatives
Supervisors are increasingly focused on threats that originate from non-regulated sources, notably critical third-party technology providers. However, jurisdictions are moving at different speeds, with implementation of the EU’s Digital Operational Resilience Act stepping up through 2026, while in the UK and Canada key developments are awaited. Legislation in Hong Kong comes into force on 1 January 2026. In the US, oversight of these areas is shared among federal and state agencies and remains a concern.
Geopolitical uncertainty intensifies threats to operational resilience and cybersecurity, particularly for firms operating across borders. Firms that responded to the latest EY/IIF global bank risk management survey are addressing these topics at board level and prioritizing digital acumen and the ability to adapt to a changing risk environment in their hiring.
Actions for firms:
- Map exposures to third-party providers, especially in relation to critical services, and put in place measures to mitigate disruption risks. International groups should understand their exposures at a local, regional and global level.
- Benchmark your organization’s approach to cybersecurity and cyber resilience in detail. Include board-level sponsorship, expert technical resources, regular leadership updates and prompt actions to address identified gaps.
4. Good consumer outcomes: standards are shifting
Treatment of customers will remain a central concern for policymakers and regulators. Changing customer expectations over service levels are placing increasing pressure on firms and raising the political pressure on regulators.
The UK Financial Conduct Authority’s Consumer Duty has generated global interest and set a new benchmark for consumer protection, establishing a duty of care by financial services firms to their retail customers. It is expected to influence changes under discussion in multiple other jurisdictions. The picture in the US, however, is different, following the virtual shutdown of the Consumer Financial Protection Bureau in 2025.
How firms can prepare for 2026:
- Review end-to-end user journeys to eliminate unfair practices, simplify information, and clarify fee structures.
- Familiarize yourself with how regulators interpret the principle of fairness and be prepared to demonstrate how you are acting in customers’ interests.
- Understand your responsibilities in managing the consumer impact created by your partners and affiliates.
- Combat exposure to fraud and scams by assessing how your organization can enhance customer awareness and consider implementing controls to help customers protect themselves.
Summary
The 2026 regulatory outlook reflects a fundamental contextual shift over the past year. The outlook today is complex, volatile, and increasingly defined by the interplay between global and local forces. With the US prioritizing domestic innovation and growth, other countries and regions must decide how to respond. Financial institutions, regulators and clients alike need to focus more keenly than ever on the shifting balance of regulation, innovation and geopolitics.