The FCA Isn’t Asking for More Compliance. It’s Asking If Yours Actually Works.
Why strong processes, and evidence of oversight are the biggest takeaways from the 2026 focus report.
There’s something slightly different in the tone of the FCA’s latest regulatory priorities report published for wholesale markets and the buy-side.
At first glance, it all looks pretty familiar. A push for operational resilience, effective management of conflicts of interest and strong conduct oversight, delivery of good outcomes to consumers, while driving efficiency and innovation, founded in safe and responsible adoption of new technologies (yes, AI of course).
Nothing on that list will surprise anyone. But if you sit with it for a moment, the emphasis has shifted.
The FCA isn’t really asking whether firms have controls in place anymore.
It’s asking whether those controls actually work in practice. Not in theory, not on paper, but in the moments that matter.
That’s a more uncomfortable question.
Evidence and ongoing, proactive oversight matters most in 2026
Because most firms have spent years building frameworks that look right. Policies are in place. Committees exist. Oversight is defined. On the surface, everything is where it should be.
The challenge is what happens underneath that.
Take surveillance. The expectation is no longer just that monitoring exists. It’s whether alerts are meaningful, whether they are investigated properly, and whether there is a clear, defensible record of what happened next. Not just that something was flagged, but that it was understood, assessed and resolved in a way that can be explained without hesitation.
Or take third parties, which the FCA is increasingly clear are a major source of operational risk. Most firms can describe their outsourcing framework without much difficulty. They can point to due diligence, contracts, oversight processes. But the question the regulator is really asking is simpler than that. If something goes wrong, do you know exactly what happens next? Who takes ownership, how decisions are made, and what evidence exists that the issue was handled properly?
It’s the same story in private markets, where judgement has always been part of the model. The FCA isn’t trying to remove that judgement. It’s trying to understand how it’s governed. Who challenged the valuation, what information was used, what alternatives were considered, and where that thinking is actually recorded. Not captured somewhere loosely, but documented in a way that stands up to scrutiny.
None of this is new in isolation. That’s what makes it easy to underestimate.
The real shift is cumulative.
Each of these areas, whether it’s surveillance, outsourcing, valuation or resilience, ultimately depends on the same underlying thing. Not more policies, but the ability to show how decisions are made, how actions are taken, and how outcomes are recorded.
And that’s where things tend to get more complicated.
Because in practice, most control environments rely on a degree of coordination that isn’t always visible until it’s tested. People follow up with each other. Information sits in different places. Decisions are made in meetings, then summarised later. Evidence exists, but it often has to be pieced together.
It works, most of the time. But it doesn’t always scale, and it doesn’t always hold up under pressure.
That’s the gap the FCA is starting to lean into.
Not whether firms understand their obligations, but whether they can demonstrate, clearly and consistently, how those obligations are being met in the day-to-day running of the business.
If you reduce it down, the question being asked is actually quite simple.
If someone walked in tomorrow and asked to see how a control operates, could you show them without having to scramble reconstruct the story?
Could you show how an alert was handled, how a third-party issue was escalated, how a valuation decision was reached, who was involved, and what they did?
Not describe it. Show it.
That’s a different standard.
It shifts compliance away from something that is periodically reviewed and into something that is continuously observable. Less about having the right framework in place, more about whether that framework is functioning in a way that is visible, traceable and consistent.
For leadership teams, that changes the conversation slightly. It’s no longer just about whether the firm is compliant. It’s about whether the firm can demonstrate that compliance without friction.
Because the difficulty rarely lies in knowing what the right thing to do is. It lies in being able to show, quickly and confidently, that it was done.
The firms that are ahead of this don’t necessarily have more controls. If anything, they tend to rely less on adding layers.
What they do have is a more connected way of operating. Ownership is clearer. Processes are more structured. Monitoring happens as part of the workflow rather than after it. Evidence is created as a by-product of doing the work, rather than something that needs to be assembled later.
That makes a material difference. It means when questions are asked, the answers already exist. And that, more than anything else, is where the FCA’s priorities are pointing.
Not toward more compliance policies and processes, but toward compliance that can stand on its own, without explanation.
If compliance is becoming harder to evidence than to perform, it’s worth rethinking how your control environment operates.
Fingerprint helps firms structure oversight, automate monitoring, and create clear, defensible audit trails as a natural part of day-to-day workflows.
