Introduction
The UK investigations and enforcement landscape continues to shift.
The Crime and Policing Act 2026, which received Royal Assent on 29 April, includes a significant expansion of corporate criminal liability, extending the senior manager attribution test to all criminal offences – a development with potentially far-reaching implications for businesses.
It is a time of transition at the SFO, with Nick Ephgrave’s resignation at the beginning of the year and Graham McNulty taking up his appointment as interim director. On 14 April, Mr McNulty promised continuity, citing the SFO’s recently published Business Plan for 2026 to 2027. The Business Plan focuses on increasing the use of AI and Technology Assisted Review to improve efficiency, developing and maximising its crypto asset investigation capabilities, hosting the International Anti-Corruption Prosecutorial Taskforce Economic Crime Conference, and rebalancing the use of internal and external legal expertise (amongst other matters).
We expect that the SFO will seek to continue driving forward enforcement action including the SFO’s first prosecution of the new Failure to Prevent Fraud Offence.
Anti-corruption firmly remains a focus in the UK, with the implementation of the UK’s Anti-Corruption Strategy gaining momentum, the continued work of the Anti-Corruption Taskforce and the upcoming Illicit Finance summit in June.
We are waiting for additional details and the exact commencement date of the FCA’s new role as single professional services supervisor with consolidated responsibility for AML and counter-terrorism financing supervision for legal, accountancy, and trust and company service providers.
Crime & Policing Act 2026 – further expansion of corporate criminal liability
The Crime and Policing Act 2026, which received Royal Assent on 29 April, includes what would be the most significant expansion of corporate criminal liability since the Economic Crime and Corporate Transparency Act 2023 (ECCTA).
ECCTA already broadened the scope of UK corporate criminal liability in two key respects. First, it expanded the identification doctrine by introducing a “senior manager test”, under which a company can be held criminally liable where a senior manager commits an economic crime offence while acting within their actual or apparent scope of authority. Second, it introduced the new failure to prevent fraud offence, which came into force on 1 September 2025, exposing companies to unlimited fines where employees or associated persons commit a fraud offence intending to benefit the organisation or its clients.
The Crime and Policing Act 2026 will take this significantly further by extending the senior manager test to all criminal offences under UK law – far beyond the current list of economic offences. This means that if a senior manager commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation itself would also commit the offence.
The implications are considerable. Unlike the failure to prevent fraud offence, the expanded identification doctrine does not require that the misconduct is intended to benefit the organisation, nor does it provide a defence where a company had reasonable procedures to prevent the conduct.
These developments underline the increasing importance of putting in place effective compliance programmes to support staff and prevent criminal activity in the first place and ensuring any suspected activity is identified and contained.
For further details see our briefing here.
Sanctions – UK changes to financial sanctions enforcement and OFSI update
Following on from our global sanctions update in March (link available here), there have been a series of further sanctions developments in the UK:
- Policy: OFSI has published its strategy for 2026-2029. Focusing on four “KPIs” (Promote, Enable, Respond and Change), OFSI has put forward several ambitious goals, including having 50% of licensing cases completed within 6 months, 90% of new enforcement investigations submitted for decision within 18 months of commencement of investigation, and pursuing “intelligence originated case outcomes” in financial years 2027/2028 and 2028/2029. The ability of OFSI to achieve certain of these goals will likely be bolstered by changes to its enforcement powers (which include the introduction of a settlement scheme, an early account scheme, and doubling the maximum penalty that OFSI can impose for a breach of financial sanctions – see more on this here).
- Enforcement: On 19 March 2026, OFSI imposed a penalty on Apple Distribution International (ADI), an Irish subsidiary of Apple Inc., for breaches of the UK’s sanctions regime against Russia. ADI instructed a UK-based bank to make two payments totalling £635,618.75 to Okko LLC (wholly owned at the time by UK designated person, JSC New Opportunities). Although ADI is not a UK-incorporated entity, OFSI has explained that this conduct (including the failure to cancel the payment instructions) amounted to conduct within UK territory by ADI (thus attracting UK jurisdiction). ADI had delegated its sanctions screening and implementation of payment processes to corporate affiliates – OFSI has explained that the conduct of those affiliates was (and will in equivalent circumstances in the future be) viewed as the conduct of the entity directly responsible for the breach (i.e. in this case, ADI).
- On 15 April 2026, the National Crime Agency (NCA) charged accountant John Ormerod with breaching sanctions against Russia and committing a related money-laundering offence under s327(1) of the Proceeds of Crime Act 2002.
- New “End-Use” Licence requirement: On 22 April 2026, the Government introduced legislation which will create a new licensing requirement for export to a non-sanctioned third country where there is a risk of diversion of specific goods or technology to a sanctioned destination. Exporters will be individually notified by the Department of Business and Trade (either through HMRC’s national clearance hub or through the Office of Trade Sanctions Implementation) that their export is at risk of sanctions circumvention and that the exporter will need to apply for a licence in order to proceed with the export. If the exporter proceeds to export the goods or technology without a licence after being notified, they will be in breach of sanctions and subject to enforcement action. Details of these new End Use controls are available here.
Whistleblowing in Employment
The law relating to whistleblowing in the UK is set out in the Public Interest Disclosure Act 1998 (PIDA). The legislation protects those with an employment focus and makes amendments to the Employment Rights Act 1996. Workers who raise qualifying concerns, which are in the public interest, are protected from detriment or dismissal under the whistleblowing legislation. Most recently, the Employment Rights Act 2025 amended the whistleblowing framework to include protected disclosures relating to sexual harassment.
In the UK Anti-Corruption Strategy 2025, concern was expressed that the current UK framework of legal protections for whistleblowers may not be operating as effectively as it should be, and the Government stated its intention to review the UK’s approach to whistleblowing and explore reforms in the employment context by 2027.
The Office of the Whistleblower Bill is scheduled to have its second reading on 29 May 2026 and would establish a new, independent statutory Office of the Whistleblower with powers going far beyond the current PIDA framework. In particular, it proposes that the Office would:
- act as a central body for receiving whistleblowing disclosures, replacing the fragmented system of over 80 prescribed regulators;
- set and enforce standards for the management of whistleblowing arrangements across organisations;
- direct investigations into whistleblowing concerns rather than merely signposting complainants; and
- order redress for detriment, including reputational and career harm, not limited to compensation via the Employment Tribunal.
These proposals are intended to address widely criticised weaknesses in PIDA, including its reactive nature, narrow personal scope and reliance on individual tribunal claims after detriment has already occurred.
There are currently no proposals to introduce financial rewards for whistleblowers under PIDA or as part of general employment law reform, although this may be considered as part of the general review. Successive governments have historically resisted reward-based models, citing cultural and ethical concerns. However, the Anti-Corruption Strategy also included reference to the fact that arguments have been made for more UK regulators to pay corporate whistleblowers to report wrongdoing and the recent implementation of HMRC’s Strengthened Reward Scheme (introduced for reports of serious tax avoidance or evasion) has shown that this may be the direction of travel.
Privilege
In a development which potentially expands how the courts will apply legal advice privilege, in Aabar Holdings S.À.R.L. & Ors v Glencore [2026] EWHC 877, the High Court held that any intra-client documents, i.e. documents created by or between members of the “client group” at the client, may benefit from legal advice privilege if created for the dominant purpose of seeking legal advice. The “client group” in this context means the group of individuals at the client that are authorised to provide instructions and receive advice from the lawyer. Previously, the consensus was that intra-client documents were only privileged if they disclosed the substance of a communication between lawyer and client that was itself privileged. As a first instance decision, it will not be binding on other courts, and the point is yet to be considered by a higher court. Nevertheless, the case may have implications for the disclosure of documents in investigations going forward. In investigations the application of legal advice privilege is particularly relevant as litigation privilege may not apply.
Our briefing on this case is available here.
AI in Investigations update
A recent decision directly addressed the impact on legal professional privilege when confidential and privileged material is uploaded to open-source AI tools such as ChatGPT. The Upper Tribunal in Hamid confirmed that uploading documents to open-source AI tools will breach confidentiality and waive legal professional privilege, holding that doing so places this information “on the internet in the public domain”. Importantly, the Tribunal drew a distinction between publicly available “open-source” AI tools and closed AI systems (such as Microsoft Copilot), which operate within a secure network.
The decision is an important reminder to those working in investigations that confidential and privileged information should not be uploaded to open-source AI tools.
For further information on this decision see our article here.
Illicit Finance Summit – June 2026
A centrepiece of the UK Anti-Corruption Strategy 2025 is the Illicit Finance Summit, which will be held on 23 and 24 June 2026. The Summit will bring together governments, civil society organisations and private sector representatives, including major banks, to build an international coalition against dirty money and strengthen the UK’s national security.
Foreign Secretary Yvette Cooper has indicated that the Summit will focus on three key means through which “dirty” money is moved: illicit gold, which is financing Russia’s war in Ukraine; property, used by criminals and kleptocrats to hide cash; and crypto-assets, increasingly exploited by people smugglers to conceal their profits.
The Summit builds on the legacy of the 2016 London Anti-Corruption Summit and businesses operating in high-risk sectors should monitor the outcomes closely, as the Summit is expected to forge new agreements on tackling modern methods of moving dirty money, including laundering through the property sector and misuse of digital assets.
Omnibus Update
On 24 February 2026, the EU Council adopted (subject to certain amendments) the Omnibus Directive which was proposed by the European Commission on 26 February 2025 and approved by the European Parliament on 16 December 2025.
The Omnibus Directive was published in the Official Journal of the European Union on 26 February 2026 and entered into force on 18 March 2026. See our briefing on the Omnibus here.
The Omnibus introduced amendments to the EU Corporate Sustainability Reporting Directive (CSRD) and EU Corporate Sustainability Due Diligence Directive (CS3D), including:
CSRD
- Scope: The Omnibus increases the application thresholds of CSRD to companies with over 1,000 employees and €450 million net turnover. This is a significant increase, compared to the previous thresholds which were set at €50 million in net turnover, €25 million on the balance sheet and 250 employees. For context, it has been estimated that the Omnibus will exclude 80% of companies from the scope of CSRD.
- For non-EU companies with subsidiaries or branches in the EU, the threshold applicable to such subsidiary or branch will now be €200 million (up from the current €40 million), and the non-EU company should also have an overall turnover in the EU of €450 million (which was previously set at €150 million).
- Limit on seeking information: Companies will be prohibited from seeking to obtain information from undertakings in their value chain which have fewer than 1,000 employees, except for the information to be specified in the sustainability standards for voluntary use. However, this prohibition will not apply to information requests made for purposes other than CSRD reporting, including other EU laws requiring due diligence and the reporting undertaking’s risk management. In this way, the prohibition will not limit companies’ ability to continue their supply chain due diligence for the purposes of, for example, the EU Deforestation Regulation (EUDR) or the EU Forced Labour Regulation (EUFLR).
CS3D
- Scope: The Omnibus increases the thresholds that determine which companies are caught by CS3D to:
  - EU companies with more than 5,000 employees and a net worldwide turnover of more than €1.5 billion;
  - Non-EU companies with more than €1.5 billion in net turnover in the EU; and
  - Companies with: (i) EU franchising or licensing agreements for annual royalties that exceed €75 million; and (ii) an annual net turnover in excess of €275 million worldwide (for EU companies) or in the EU (for non-EU companies), or the ultimate parent companies of such a corporate group.
- Risk-based assessment: CS3D requires companies to undertake a risk-based assessment of actual and potential adverse impacts through a two-step process:
  - Step one: A scoping exercise to identify general areas across the company’s own operations, subsidiaries and, where related to their chains of activities, those of their business partners where, based on reasonably available information, adverse impacts are most likely to occur and to be most severe. It states that “reasonably available information” will “as a general rule preclude requesting information from business partners” although companies will have “flexibility in judging what information is reasonably available to them”.
  - Step two: Based on the results of the above scoping, the company should carry out an in-depth assessment in the areas where the most severe and likely adverse impacts have been identified. For this purpose, companies should not seek to obtain information from business partners “unless this is necessary”. Where a business partner has fewer than 5,000 employees, the company shall only seek such information where information “cannot reasonably be obtained by other means”.
- FAQs: See here for our 10 FAQs arising for companies as they start to prepare for the revised CS3D.
The key next steps are:
- CSRD: The amendments to CSRD will apply to financial years starting from 1 January 2027, with the first reports due in 2028;
- For CS3D:
  - Member States need to adopt national legislation by 26 July 2028;
  - CS3D will apply to companies from 26 July 2029, save for the reporting requirements under Article 16 which will apply from 1 January 2030.
Cyber
On 16 April 2026, the Government directed the Information Commissioner to prepare a statutory code of practice on good practice when processing personal data in relation to the development and use of AI, and automated decision-making. The direction was issued under the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026. The Regulations require the code to include guidance on the processing of children’s personal data.
This development coincided with the announcement of “Project Glasswing”, an initiative bringing together major technology companies and financial institutions to address AI-driven cybersecurity risks, after Anthropic’s Claude Mythos Preview model demonstrated an unprecedented ability to identify software vulnerabilities autonomously. Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems in the hopes that doing so can reduce the global attack surface before sophisticated models like Mythos are misused by cyber criminals and nation-states as a tool to identify and exploit vulnerabilities at scale. It is therefore significant that the Regulations modify the panel requirements under section 124B of the Data Protection Act 2018 by providing that the Commissioner must not consider or report on any aspect of the code relating to national security.
The Regulations are not unexpected and fulfil one of the commitments made in the implementation of the Data (Use and Access) Act 2025. Whilst the content of the code remains to be seen, the Information Commissioner has made a head start by opening a consultation on its draft automated decision-making guidance in late March.