The challenges in the year ahead range from climate change and geopolitical tension, with a looming global trade war, to diverging regulations and artificial intelligence. There's also an added risk of conflict in the workplace.
Besides the usual security threats to facilities, data, supply chains and people, companies will need to be alert to increased tension fuelled by geopolitical events and environmental or social crises.
Through 2025, there's likely to be greater divergence in regulations - e.g., on ESG and DEI, posing fresh challenges for the legal and compliance teams of global businesses operating across different regimes.
Of course, there are potential opportunities, too, as a result of new 'friend-shoring' arrangements and from rethinking our strategies. All these challenges require compliance teams to be adaptable and pragmatic. 2025 may well be spent outside our comfort zones.
But by adapting and embracing differences, just as in more diverse teams, companies may yet discover untapped potential and innovation, helping deliver the all-important growth we've been looking for since the pandemic.
Biggest challenges faced by compliance in 2025
- Focus on trusted Artificial Intelligence and Generative AI (GenAI)
- Climate change & ESG
- Geopolitical tension
- Financial crime
- Fraud
- Increased and diverging regulations
- Polarisation, workplace tension and security
- Ethics and culture
- Modern Slavery and forced labour
- Cybercrime and Third-Party Risk Management (TPRM)
1. Trusted Artificial Intelligence and Generative AI
2025 is expected to be a pivotal year for AI and Generative AI.
As companies accelerate their adoption of AI and generative AI and move from experimentation to implementation, they will also need to face up to the major challenges - for example, the energy consumption of power-intensive GenAI, gender parity, bias, trust and capability.
The choices we make and the progress that companies make as they weigh up these challenges in 2025 will shape our future and may determine AI's overall legacy and future.
According to Deloitte, global data centre energy consumption will double to 1,065 terawatt-hours (TWh) by 2030, driven by power-intensive GenAI, which is growing faster than any other use or application.
Advanced technologies - such as innovative cooling solutions, carbon-free resources and more efficient chips - will be required for the clean energy transition and to help companies that have signed up to climate targets meet them.
After a slow start, women's adoption of GenAI tripled in 2024, and the growth rate now outperforms that of men. Commentators believe that closing the adoption gap is a good thing and will help accelerate change.
"Tech companies must enhance trust, reduce bias, and strive for more diverse GenAI workforces – including at the leadership level – to ensure that everyone can fully engage with and benefit from GenAI technologies. By doing so, companies can unlock greater innovation and broaden their consumer base ensuring products and services are equitable and effective globally."
What are the key compliance considerations of AI?
- Create an inventory of AI systems used throughout the company.
- Develop or update your AI policy, setting out a clear strategy and expectations for using Artificial Intelligence and Generative AI.
- Ensure your team understands the challenges, risks (e.g. energy consumption, bias and discrimination, misinformation, privacy and security risks, etc) and limitations of using AI.
- Assess each risk, especially high and unacceptable risks, in line with your legal obligations, such as the EU AI Act.
- Consider the impact of artificial intelligence on your other compliance obligations, e.g. Data Protection and GDPR, market abuse (e.g. spreading market rumours) and security. For example, are your processes for training AI models lawful? What if employees inject false information into AI tools to spread market rumours? Review and update corporate policies to combat these risks, too.
- Train your team to be vigilant, to question and report suspected concerns or misinformation they encounter - e.g. awareness of the use of deepfake social engineering videos or convincing voice recordings of your senior executives, automated malware generation, etc.
- Implement adequate controls, with monitoring and human oversight measures on high-risk activities - including recruitment, loans or other decisions made without human intervention that have a significant impact on individuals, to lessen "AI harms".
- Ensure there is full transparency and explainability of AI systems for workers, customers, investors and stakeholders so people can decide whether to seek out human alternatives instead.
- Review your company's approach and make any adjustments required to comply with new or existing laws, including the EU AI Act and the UK's Data (Use and Access) or DUA Bill.
- Use the IBM Framework for Securing Generative AI to ensure best practice - focusing on the five steps of securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance.
2. Climate change & ESG
After record-breaking temperatures of 1.54 °C above the pre-industrial average in 2024, global temperatures are expected to fall back in 2025.
The El Niño phenomenon is expected to give way to La Niña, which generally has a cooling effect. While the risk of extreme heat and wildfires remains high, La Niña often coincides with greater rainfall, so there's an increased risk of severe storms and flooding in 2025.
"Climate catastrophe is hammering health, widening inequalities, harming sustainable development, and rocking the foundations of peace. The vulnerable are hardest hit."
Tensions are likely to re-ignite at COP30, which is due to take place in Brazil in November, with pressure again from lower-income countries struggling to meet climate commitments.
Here, governments will also be required to update their nationally determined contributions (NDCs) or climate pledges. But support for the NDC process is widely expected to drop with the Trump administration.
In addition, climate change will continue to cause concerns about energy and food security, increasing geopolitical tensions. 2024 was the fifth consecutive year that global insured losses from natural catastrophes exceeded $100 billion, according to Swiss Re Institute.
Major floods in Europe and the UAE caused losses of $13 billion and disrupted flights at Dubai airport. Losses of $60 billion in the first half of 2024 were 62% above the ten-year average.
- Rising demand for personal property and casualty insurance is predicted.
- If 'disaster' policies become too risky for providers, they may withdraw altogether, causing gaps in the market and raising reinsurance demand.
- As insurance companies price physical risks into premiums or even withdraw from risky disaster-prone areas altogether, governments and regulators will need to decide how best to manage this - e.g., by capping damage insurance premiums or with coverage requirements.
Global agreement may be difficult, but societal pressure should keep climate targets high on the agenda. For companies, the burden and cost of managing climate change is expected to grow through 2025.
Debates on environmental, social and governance (ESG) reporting will also increase as companies get ready for the EU's climate regulations, due to come into force in 2026.
After a lengthy consultation, the Corporate Sustainability Due Diligence Directive (CSDDD) was formally adopted in July 2024. It applies to:
- EU companies with more than 1,000 employees and over EUR 450 million 'net worldwide turnover' in the last financial year
- Non-EU companies with over EUR 450 million 'net worldwide turnover' in the European Union
- Companies with franchising or licensing agreements generating royalties of over EUR 22.5 million in the EU or over EUR 80 million worldwide.
There will be a phased implementation for different groups, and Group 1 companies will be given two years to comply.
The EU Commission President Ursula von der Leyen agreed in November 2024 to amend the sustainability frameworks (i.e., CSRD and CSDDD), potentially streamlining reporting requirements and helping reduce the regulatory burden for companies.
While this may simplify the reporting process and reduce overlap, it is not expected to dilute the substantive obligations companies face.
What are key climate & ESG compliance requirements?
- Assess the expected costs of climate change in 2025, the impact of climate on raw materials and your existing supply chains, and plan how to mitigate any risks to increase your resilience (e.g. by introducing or strengthening flood defences, switching production to different areas or broadening the supplier base).
- Consider whether the company is in-scope of the new climate disclosure requirements under the CSRD and CSDDD.
- Arrange training for employees to raise awareness of your new obligations and their implications on work practices.
- Think about what disclosures the company will be required to make and look at what data is already available to streamline the process.
- Continue work on Double Materiality Assessments (DMAs) and reports for the Corporate Sustainability Reporting Directive (CSRD) to record material sustainability impacts.
- Introduce robust processes for conducting human rights and environmental due diligence (HREDD) throughout your global operations and value chain, as required under CSDDD for EU and non-EU companies.
- Develop systems and controls to oversee and report on sustainability risks in your global operations and value chain.
- Keep your knowledge up-to-date throughout the transition period and adjust processes (as required) so they remain fit for purpose.
3. Geopolitical tension
Climate change, universal trade tariffs planned by the incoming Trump administration with the threat of a global trade war, the ongoing Russia/Ukraine war and conflict in the Middle East are all expected to increase geopolitical tensions in 2025.
Companies will need to navigate the reputational risks and manage the potential volatility of growing trade barriers between the US, the EU and China. This may force them to rethink their supply chains.
According to the Economist Intelligence Unit, real GDP growth will be muted at 2.6%. US growth will be depressed by labour market restrictions, with only India expected to show significant growth.
We can expect China to retaliate against any EU and US restrictions on Chinese exports. Companies like TikTok, Shein and Temu have faced bans or been targeted. China is already hitting back with fines on US due diligence firms like Mintz, anti-monopoly investigations into Nvidia, and a probe into PVH, Calvin Klein's owner.
Citing the turmoil in Syria, the collapse of the government in France, and the events in South Korea with President Yoon Suk Yeol, Goldman Sachs' Chief Financial Officer Denis Coleman said: "To say that there is geopolitical instability in the world would be a gross understatement."
The age of globalisation is over, according to some commentators.
"In recent years, businesses have been blindsided by a cascade of disruptions—the pandemic, renewed conflicts in Europe and the Middle East, surging populism, intense competition for green minerals and escalating protectionism—which have forced a fundamental reset of longstanding strategies."
Increasing polarisation and geopolitical tension are creating a surge in so-called friend-shoring strategies. Essentially, this means re-routing supply chains to countries that are seen as politically or economically low-risk or safe to avoid business disruption. Apple did this when it shifted production of its iPhone from India to China.
It's unsurprising, therefore, that geopolitical instability was flagged by two-thirds of executives as a primary concern in a report by McKinsey & Co.
What are the key geopolitical compliance considerations?
- Conduct risk assessments to stay aware of emerging risks and geopolitical volatilities, particularly anything that may threaten your supply chains and your reputation.
- Explore AI-powered monitoring and data analytics to manage sanctions risks.
- Use scenario planning and collaborate with teams firm-wide to fully assess the impact of the changing geopolitical landscape.
- Regularly review your company's risk appetite and exposure to high-risk sectors, regions and partners and conduct enhanced third-party due diligence.
- Use the 4Ts model (Tolerate, Treat, Transfer, Terminate) of risk management to help make the right decisions when managing geopolitical risks.
- Consider what mitigations are preferred to combat volatility and strengthen your resilience - such as diversifying your supply chains, relocating your business operations to nearby countries (nearshoring) or bringing them back to the home country (reshoring).
- Don't be afraid to withdraw from countries or switch your corporate strategy to limit your exposure and minimise any reputational fallout.
4. Financial crime
Between $800 billion and $2 trillion is laundered each year, according to estimates by the United Nations Office on Drugs and Crime.
Over £12 billion of criminal cash is believed to be generated in the UK every year, with over £100 billion laundered annually through and within the UK or its corporate structures.
However, a report by Strise found that:
- 70% of financial crime experts believe AML measures are inefficient
- 40% said that sanctions aren’t working
"Europol’s figure that only 1% of laundered money is actually stopped underscores the grim reality that current AML efforts are not as effective as intended. Despite our best efforts, the results show we are only scratching the surface when it comes to preventing money laundering."
But there's room for optimism, too, in 2025. Governments are stepping up measures to combat financial crime.
In the UK, anti-money laundering powers will continue to be strengthened with additional measures outlined in the Economic Crime and Corporate Transparency Bill, with compulsory identity verification for new incorporations and Persons with Significant Control (PSC) due to come onstream at Companies House in 2025.
From May 2025, new due diligence and reporting obligations will also apply to non-financial institutions, i.e. those dealing in high-value goods, art and antiques, luxury cars, precious metals, gemstones, whisky and wine investments, and digital assets.
High-value dealers conducting cash transactions or storing art valued over €10,000 will need to have a strong compliance programme and adequate procedures to avoid breaching financial sanctions, conduct due diligence, and comply with reporting requirements.
In the EU, a comprehensive AML Package is set to overhaul AML/CTF regulations and ensure AML regulations are applied consistently across the EU. Among other things, there will be:
- A new regulatory body, the Anti-Money Laundering Authority (AMLA), to replace the European Banking Authority (EBA) by the end of 2025. This promises to "transform the anti-money laundering and countering the financing of terrorism (AML/CFT) supervision in the EU and enhance cooperation among financial intelligence units (FIUs)".
- A single AML rulebook to unify the AML rules and avoid inconsistencies in application
- More stringent and rigorous enhanced due diligence (EDD) for all high-risk transactions - including a need to verify beneficial ownership using trusted sources and conduct in-depth risk assessments on the purpose and nature of the business, with ongoing monitoring. To this end, Germany's BaFin has updated the Auslegungs- und Anwendungshinweise (AuA 2.0), making adverse media screening mandatory from July 2025 and with measures to address emerging risks, such as cryptocurrency.
- More transparent beneficial ownership - synchronising beneficial ownership verification and disclosures across member states, supported by central registries
- Greater cross-border collaboration and cooperation - to combat financial crime more effectively
- Increased scope - with stricter AML regulations for non-traditional finance (such as crypto asset service providers and crowdfunding platforms)
- Focus on non-financial institutions - with AML regulations applying to real estate, luxury goods, art, and gaming, and cross-border crypto transactions, DeFi and digital assets now coming in-scope of the Travel Rule
- Greater use of AI in RegTech - as regulators push for AI and machine learning to detect suspicious activities and improve automation.
2025 is widely predicted to be the year that artificial intelligence starts to deliver results in the fight against financial crime.
"Global economies can save $3.13 trillion annually using AI to detect and prevent money laundering and terrorist financing"
"$138bn (USD) in total compliance costs could be saved by regulated firms by implementing AI into their AML strategies"
What are key corporate compliance considerations?
- Review and update AML/CTF policies to take into account the recent changes and ensure your procedures are correctly applied across the business.
- Provide regular refreshers and reminders to help your team identify red flags.
- Strengthen risk assessments to ensure coverage of emerging threats, including crypto-assets and non-financial institutions, as required.
- Conduct risk-based due diligence before doing business and at regular intervals to comply with new limits, e.g. every five years and annual updates for medium and high-risk customers, respectively.
- For crypto-asset service providers, conduct enhanced due diligence on transactions of over €1,000 or involving "self-hosted addresses".
- Investigate how AI AML tools can improve compliance and help combat money laundering and terrorist financing (ML/TF).
- Prepare for supervision by AMLA, if applicable, and regularly check for updates and new guidance.
- Review controls and ensure they are proportionate to the risks facing your company - including the use of blockchain technologies to monitor customers' crypto and virtual transactions.
- Consider how best to balance the new Single Euro Payments Area (SEPA) Instant Payments Regulation (IPR) which is effective from January 2025 and mandates instant fund transfers within 10 seconds, with financial crime obligations.
- Benchmark your progress - explore recent innovations and potential strategic collaborations with fintechs and other technology firms to help combat the ML/TF threat.
5. Fraud
Fraud will continue to pose a major threat to companies and society in 2025.
Technology is enabling organised crime groups to target victims at scale around the world, according to a new Interpol global assessment on fraud.
The use of artificial intelligence and cryptocurrency, along with phishing and ransomware-as-a-service models, is driving more sophisticated and industrialised fraud. 96% of fraud professionals are worried about the industrialisation of fraud.
"We are facing an epidemic in the growth of financial fraud… With the development of AI and Cryptocurrencies, the situation is only going to get worse without urgent action."
According to the latest figures from UK Finance:
- Over £570 million was stolen in payment fraud in the first half of 2024, with a rise of 16% from last year
- We saw a 19% increase in unauthorised fraud, primarily through cards
- Over £710 million of unauthorised fraud was prevented, up 13% on the previous year - despite this, banks believe fraud is still a major problem
In the US, $5.6 billion was lost in cyber-enabled crime and financial fraud, including cryptocurrency scams. Around $4 billion of these losses were the result of investment scams.
Citizens across Europe and Asia have been targeted in 'romance baiting' scams, which are often run on an industrial scale.
Of course, behind the statistics are personal stories of those who have been duped and lost their life savings. As well as financial losses, fraud can be devastating for victims and cause severe psychological harm.
The rise of artificial intelligence and deepfakes means companies are also vulnerable to fraud, including by insiders. Companies will need to bolster existing policies and procedures to address emerging risks.
Under the UK's new corporate criminal offence of 'failure to prevent fraud', companies can also be held criminally liable if an employee, agent, subsidiary or associated person commits fraud intending to benefit the organisation.
This includes but is not limited to:
- Dishonest sales practices
- Concealing important information from consumers or investors
- Dishonest practices in financial markets.
Mirroring anti-bribery laws, companies need to demonstrate that they have reasonable fraud prevention measures in place.
What are key fraud compliance considerations?
- Establish effective internal controls to identify, detect, prevent and mitigate fraud risks
- Have adequate customer authentication measures (including multi-factor authentication, password protection, One-Time Passwords, etc) to thwart illicit activities
- Review and strengthen your fraud risk management programme to ensure it addresses emerging threats and consumer redress. For example, are there internal controls to mitigate scams targeting vulnerable customers, how promptly are customers reimbursed, how are emerging threats detected, and is surveillance adequately tested?
- Bolster risk management and remediation through self-reporting and whistleblowing (to combat insider threats) and ensure it aligns with the Consumer Duty and consumer protection laws
- Assess what other data may be used to monitor, detect and prevent fraud and whether it could be streamlined or shared across departments
- Use real-time notifications and alerts to notify customers of suspicious activity
- Find the right balance between appropriate controls and customer experience
- Boost controls to address specific regulatory priorities (e.g. FinCEN) and maintain security for critical customer data
- Ensure fraud teams are appropriately resourced to cope with increasing complexity and demand
- Benchmark your progress and keep up-to-date with new obligations, including the new 'failure to prevent fraud'
- Continue to raise awareness of the risk of AI-enabled fraud and scams (including deepfakes) with education and training
6. Increased and diverging regulations
Inevitably, increased regulation and enforcement will be high on the agenda for 2025. Here is a brief snapshot of what we can expect:
- New capital requirements and enhanced risk frameworks - i.e. the 'Basel III endgame' rules.
- For the OECD tax deal that seeks to establish a global minimum tax rate of 15%, buy-in from the US is now considered unlikely so 2025 may be a pivotal year.
- A number of EU digital regulations will be rolled out in 2025 - including the AI Act, which applies from February 2025, and the Digital Fairness Act, which aims to "tackle unethical techniques and commercial practices related to dark patterns, marketing by social media influencers, the addictive design of digital products and online profiling especially when consumer vulnerabilities are exploited for commercial purposes" and builds on the Digital Services Act (DSA) and consumer protection laws.
- There will be further enforcement and implementation of the Digital Markets Act (DMA) and Digital Services Act (DSA) - which are designed to address competition concerns, and regulate online platforms, social networks, app stores, etc. respectively. Similar regulations are expected in the UK and around the world, including Canada's Digital Charter Implementation Act.
- European Design Regulation (EUDR) - applicable from May 2025, this will modernise and strengthen the EU design system and design protection, protecting against copies made by 3D printing and aligning design protection with trade mark rules, with a "repair clause" for automotive spare parts. Holders of EU-registered designs will be able to use the new Ⓓ symbol (similar to © and ®). From July 2026, it will cover new types of designs (including animated and digital designs).
- EU Forced Labour ban - prohibiting products made using forced labour from being made available in the EU. This will address human rights concerns in global supply chains and extends the EU's broader initiatives on corporate responsibility.
- EU Deforestation Regulation (EUDR), which is designed to ensure that products consumed by EU citizens do not contribute to deforestation, forest degradation or breaches of environmental or social laws worldwide. It affects companies trading in cattle, cocoa, coffee, oil palm, rubber, soya and wood, as well as products derived from them.
- Ecodesign for Sustainable Products Regulation (ESPR), which aims to improve the sustainability of products in the EU market. It provides a framework for setting ecodesign requirements on specific product groups and introduces Digital Product Passports (DPP), with digital identity cards for products, components and materials to support products' sustainability, authenticity and circularity. There are also rules relating to the destruction of unsold consumer textiles and footwear to prevent valuable resources from being wasted. Large and medium-sized companies need to disclose information annually on their website about unsold products, including the number and weight, alongside the reasons for this.
- Carbon Border Adjustment Mechanism (CBAM) - the EU's tool that puts a fair price on carbon-intensive goods (e.g., cement, iron, electricity and hydrogen) entering the EU. From January 2025, companies will need to submit full reports. CBAM declarants will be able to apply for 'authorised CBAM declarant' status via the new portal from early 2025, which will become mandatory from January 2026.
- The new pan-European Anti-Money Laundering Authority (AMLA) will become operational and will start issuing guidance in 2025.
- In financial services, DORA comes into effect, with the first designation of critical third parties expected by July. The Capital Requirements Regulation and Capital Requirements Directive (CRR III and CRD VI) rules will also apply from January 2025. EBA EU-wide stress testing will also start in early 2025, with results expected by August.
- The Markets in Crypto-Assets Regulation (MiCAR), the new regulatory framework for crypto-assets, protecting consumers and investors and supporting financial stability.
- In wholesale markets, ESMA's new RTS on order execution policies may also potentially start in 2025. The mandatory buy-in rules required under the CSDR settlement discipline regime will come into effect in November 2025, with the EU bond CTP expected to be operational by the end of the year. The Equivalence for UK central counterparties (CCPs) recognition decision will end in June. Firms also have until September to implement changes to MiFID II following an EU review.
In the UK:
- Following the Worker Protection Act in October 2024, firms will need to continue making adjustments to address and prevent sexual harassment at work, with reports of suspected breaches possible in 2025.
- From 31 March 2025, there are simpler recycling rules and new food waste regulations, requiring businesses with more than 10 employees to recycle all materials, separate out food waste and have it collected by licensed waste carriers. This applies to businesses generating over 5kg of food waste a week, including offices, hospitals, care homes, transport hubs and more.
- Safety and Security declarations - from 31 January 2025, goods imported from the EU into Great Britain will require a safety and security declaration, known as an entry summary declaration (ENS). There are 20 mandatory fields, eight conditional ones, and nine optional ones.
- Financial resilience - the new 'Critical Third Parties' (CTPs) regime comes into effect in January 2025, aligning with the EU's Digital Operational Resilience Act (DORA). It is designed to manage systemic risks posed by certain third parties to the UK financial sector. For example, it requires technology providers to notify regulators of planned technology change projects, resourcing challenges, cyber incidents and outages. UK financial firms also need to fully comply with the final updated rules on operational resilience by March 2025.
- The new 'failure to prevent fraud' offence comes into effect in September, introduced as part of the Economic Crime and Corporate Transparency Act (ECCTA) to prevent companies profiting from fraud.
- Companies also need to consider the UK's International Tax Compliance (Amendment) Regulations 2025, which align UK tax reporting with the OECD's Common Reporting Standard (CRS). This measure is designed to facilitate information sharing between tax authorities and combat tax evasion and avoidance.
- There are new workers' rights under the Employment Rights Bill, giving the right to enhanced parental leave, sick pay and protection from unfair dismissal from day one, as well as a move away from zero-hours contracts, restrictions on fire and rehire practices, and wage increases (e.g., the National Living Wage, National Minimum Wage, statutory maternity and sick pay, and other entitlements).
- There will also be a Draft Equality (Race and Disability) Bill, extending gender pay gap reporting to cover ethnic minorities and people with disabilities. Companies with 250 or more employees will need to disclose ethnicity and disability pay gaps. Further, there will be a statutory code of practice on "the right to switch off", preventing workers from being contacted outside working hours, except in exceptional circumstances.
- A number of digital regulations come into effect - such as the Online Safety Act, requiring social media companies to comply with new rules on illegal content and content harmful to children. Companies can be fined up to £18 million or 10% of worldwide revenue if they fail to comply, with action taken against senior managers.
- There's also the Data Use and Access (DUA) Bill, marking a shift in approach to data management, data privacy and enhanced protections for individuals. It includes strengthened PECR enforcement, a framework for digital identity verification, and digital registers of UK assets, e.g., real estate, providing greater transparency.
- And, there's the Digital Markets, Competition and Consumers Act 2024 (DMCCA), with new guidance on unfair commercial practices (UCPs) such as drip pricing and fake reviews, reforming competition and consumer laws.
- In UK financial services, policy statements are expected on non-financial misconduct, post-trade risk reduction, and diversity and inclusion, with reviews of firms' treatment of vulnerable customers and the next steps expected for Discretionary Commission Arrangements (motor finance). In early 2025, a consultation is also due with draft proposals for the cryptoasset regime, including stablecoins, with the UK Stewardship Code being updated. UK firms also have until July to implement Basel 3.1 rules.
- Other themes are likely to include the treatment of lending consumers in financial distress, the new Buy-Now-Pay-Later regime, and non-financial misconduct.
- In financial crime, firms will need to consider the AML changes in the ECCTA, including new corporate transparency obligations and POCA exemption. The FCA amended the Financial Crime Guide to include lessons learned, innovative transaction monitoring and a reminder that AML controls must also comply with the Consumer Duty. Guidance is expected on customer communications and training in relation to domestic PEPs.
- In wholesale markets, there are changes to transaction reporting (e.g. the removal of the short sale indicator) and firms will need to update their reporting systems, accounting for any divergence between the UK and EU. Rules will also be finalised for Private Intermittent Securities and Capital Exchange System (PISCES) operators.
For more, visit Linklaters' financial regulation legal outlook for the year ahead.
What are the key compliance considerations for regulations?
- Review and update policies and practices to reflect the latest legal or regulatory changes
- Provide information and training so employees understand their regulatory obligations
- Arrange regular, bite-sized learning on any new rules to get workers up to speed on their priorities
7. Polarisation, workplace tension and security
Polarisation is disrupting societies around the world. In 2024, we saw tension around political differences, diversity, equity and inclusion (DEI) policies, and environmental, social and governance (ESG) initiatives.
Policies that were previously considered uniting and forward-thinking are now seen as divisive. This backlash has been driven in part by social media.
Through 2024 and into 2025, we've seen:
- So-called 'anti-woke' boycotts and 'cancelling' of companies, such as Target, Macy's and Bud Light
- Rollbacks of DEI policies, including by Walmart, Boeing, Harley-Davidson, and Ford
- A social media backlash following a rebrand by Jaguar
- The rollback of ESG initiatives and weakening of environmental targets by Unilever, BP, and others
- Withdrawal of big banks from climate pledges to reduce carbon emissions - Morgan Stanley, Citi and Bank of America have joined Wells Fargo and Goldman Sachs, stepping back from the Net-Zero Banking Alliance (NZBA)
- The start of regulatory divergence between the US and EU on ESG initiatives, posing challenges for companies
- The shooting of UnitedHealthcare CEO Brian Thompson and subsequent backlash on social media
- And, the scrapping of diversity targets by McDonald's for its employees and suppliers.
Through 2025, this increasing polarisation and unwillingness to compromise has the potential to spill over into the workplace, causing tension and hostility. This can undermine collaboration and trust, cause friction and, in the worst cases, violence between colleagues and/or customers.
Attacks may come from lone sympathisers or groups. Or, they may be amplified online, in response to a company's values, strategy or perceived lack of action on the environment. Monitoring and data analytics will be vital to detect and manage potential threats.
The HSE defines work-related violence as:
"Any incident in which a person is abused, threatened or assaulted in circumstances relating to their work."
Incidents may include physical or verbal abuse or threats. Companies need to be vigilant and alert to discord and unrest in the workplace. There were 649,000 incidents of violence at work. Of those, 288,000 were assaults and 360,000 were threats.
What are key HR compliance considerations?
- Align policies to the Health and Safety Executive's guidance on violence at work
- Look out for signs of violence, hostility or intolerance at work
- Conduct risk assessments and review workplace practices to identify potential flashpoints or high-risk situations - e.g. policies or situations where tension or violence may arise, including for lone workers or those travelling on business
- Stress the business benefits of ESG or DEI initiatives, instead of pitching them as ideological or politically-motivated
- Promote a respectful open culture - with clear boundaries for discussions
- Create psychological safety - so everyone can raise concerns without fear of reprisal, retaliation or being judged
- Provide training on conflict resolution and de-escalation techniques for managers and front-line employees
- Provide refreshers - such as the 4Ds of bystander intervention - to support those encountering conflict
- Encourage anyone experiencing or witnessing hostility at work to speak out - ensure there are recognised channels and the company listens and acts
- Review whistleblower channels and protections - to ensure transparent handling and investigation of complaints, with adequate protection from retaliation
- Develop and test procedures for emergency situations - including climate protests and active shooter scenarios
8. Ethics and culture
Ethics and workplace culture are likely to remain in the spotlight for 2025.
In part, this will be driven by laws introduced at the end of 2024, such as the Worker Protection Act, which requires companies to take reasonable steps to prevent sexual harassment in the workplace.
Through 2025, companies must continue to prioritise this. After all, failing to take this seriously can have significant consequences.
For UK financial firms, there is an added impetus, following the published findings of the FCA's survey into non-financial misconduct. But in reality, firms in all sectors should now be conducting similar surveys to gather data and identify patterns and trends.
Here are some of the key ethics and culture findings:
- The number of reported non-financial misconduct incidents rose over the last 3 years, with the highest reported figures in wholesale banks
- Bullying and harassment (26%) and discrimination were the most reported types across all sectors
- 41% of non-financial misconduct incidents were reported in the 'other' category, which included misuse of alcohol, inappropriate or offensive language, misuse of confidential information and expenses, retaliatory behaviour, and policy breaches
- Firms identified incidents via reactive routes, such as grievance processes and whistleblowing
- Disciplinary action was taken in 43% of cases, with incidents like violence and intimidation more likely to result in disciplinary action compared with discrimination
Finalised policy statements on non-financial misconduct and diversity and inclusion are expected in 2025.
So what are the key E&C compliance requirements?
- Review workplace culture (via surveys) regularly to identify potential issues (including non-financial misconduct)
- Provide regular reminders about your company values and expectations to keep them 'top of mind'
- Train your team to recognise inappropriate or harmful behaviour, to call it out and/or report it - e.g., using the 4Ds model
- Encourage psychological safety so people feel safe speaking out if they witness inappropriate behaviour or misconduct, and are able to challenge dominant opinions or express disagreement without fearing negative consequences
- Conduct exit interviews when people leave, change teams or switch roles - this can help you identify a predatory colleague or manager, unacceptable team behaviour, policy violations, etc. (leavers may feel they have nothing to lose and be more willing to speak openly)
- Create a speak up, listen up culture - ensuring you act quickly, take allegations seriously when potential issues are raised, and that investigations are fair
- Use the findings of the FCA's survey to benchmark your own performance
- Never withhold information that you reasonably believe would impact the assessment of an individual's fitness and propriety - including circumstances where the individual left while under investigation
- Consider your obligations under the relevant rules within SYSC when hiring anyone with an adverse report on non-financial misconduct
- Ensure management information about non-financial misconduct is shared at board level - so there is adequate governance and oversight, and we get the 'tone from the top' right
9. Modern slavery and forced labour
January is National Slavery and Human Trafficking Prevention Month, an opportunity to raise awareness of human trafficking.
The statistics are bleak and show that the problem hasn't gone away:
- According to the International Labour Organisation, forced labour generates $236 billion in profits annually, with profits of $173 billion from forced commercial sexual exploitation
- There are around 49.6 million people in modern slavery on any given day
- Around 6.3 million people are in situations of forced commercial sexual exploitation. 78% of those are girls or women
- Many businesses have slavery in their supply chains without realising it
- There were 17,004 potential victims identified in the UK in 2023
More and more regulators are focusing on modern slavery and transparency in supply chains to encourage responsible business. For example:
- The U.S. Uyghur Forced Labor Prevention Act (UFLPA) was introduced in response to forced labour of Uyghurs and other ethnic minorities in the Xinjiang Uyghur Autonomous Region (XUAR)
- In Canada, the Fighting Against Forced Labour and Child Labour in Supply Chains Act was introduced in November 2024, with fines of CA$250,000 for non-compliance.
- The EU's Forced Labour Regulation was published in December 2024.
With the new administration in the US, tariffs on China are likely to ramp up. We are likely to see growing political pressure on other countries to prevent imports from regions implicated in forced labour.
And, following the introduction of the EU's Forced Labour ban, e-commerce platforms like Shein and Temu are also likely to face scrutiny as the EU adopts "a zero-tolerance policy for rogue traders in unsafe products and for products manufactured with forced labour". Inevitably, this will impact all companies supplying or selling goods within the EU.
In the UK, lawmakers accused Yinan Zhu, the general counsel for Shein’s European arm, of "wilful ignorance" after she refused to answer questions about its use of Chinese cotton following concerns about forced labour in its supply chain.
What are the key considerations to combat modern slavery?
- Analyse your supply chain, ensuring you know how products are made and exactly where they are sourced
- Consider whether isotopic testing could be used to better understand product origin and where (raw) materials come from
- Conduct robust due diligence and carry out due diligence questionnaires to address modern slavery (and human rights) issues
- Explore how artificial intelligence tools might help the company detect human trafficking and combat modern slavery
- Review your supplier code of conduct and ensure there are clear anti-slavery clauses
- Conduct supply chain audits (with site visits, especially for high-risk suppliers)
- Engage with suppliers to promote transparency and to help understand the challenges they face - then collaborate to find workable solutions
- Assess the impact of the EU Forced Labour ban and the EU Deforestation Regulation (EUDR) on our supply chain - in readiness for the new requirements that come into effect on 30 December 2025
- Develop contingency plans to manage potential supply chain disruption and strengthen our resilience
10. Cybercrime and Third-Party Risk Management
By the end of 2025, cybercrime is expected to cost $10.5 trillion annually.
The head of the UK's National Cyber Security Centre (NCSC) warned that the risks facing the UK were "widely underestimated" and that there had been a three-fold increase in the most serious attacks. Its incident management team had provided support in 430 cyber attacks.
"Of these incidents, 89 were nationally significant, 12 of which were at the top end of the scale and more severe in nature."
Hostile states like China, Russia, Iran and North Korea posed "real and enduring threats".
"There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cybercriminals. The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve."
The costs of fighting cybercrime are immense. As well as the financial burden, companies face considerable business disruption, loss of productivity, embezzlement, theft of personal and financial data, compromised intellectual property, and reputational damage.
Gartner is predicting:
- A 15% increase in company spending on security software in 2025 from $183.9 billion to $212 billion to combat the heightened threat
- By 2027, around 17% of cyberattacks and data leaks will involve generative AI.
According to Gartner, there are two factors behind this 15% increase in spending:
- Generative AI: Companies need to take additional steps to secure their environment when generative AI is used - e.g., purchasing additional software to secure applications, data and infrastructure. The IBM Framework for Securing Generative AI highlights five steps: securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance.
- Global skills shortages: When companies do not have cybersecurity expertise in-house, they need to hire specialist security services to manage the risk.
Recent research found that:
- 27% of organisations faced incidents of stolen secrets
- 32% had experienced compromised service account credentials, and
- 27% had experienced compromised privileged user access.
It's obviously challenging to manage data from multiple tools, and tool sprawl is a growing concern. In 2025, experts predict there will be more innovation from cloud service providers (CSPs) and also cloud-native application protection platform (CNAPP) vendors, such as Palo Alto Networks, Trend Micro, CrowdStrike, Wiz, Red Hat, and Aqua Security.
But, with this, there are risks too. On 19 July 2024, the world's biggest global IT outage impacted 8.5 million Microsoft Windows devices. Flights were grounded, operations were cancelled, and bank customers were locked out of their accounts. All because of a faulty piece of code in a software update.
Cybersecurity firm CrowdStrike distributed a faulty update to its Falcon Sensor software, causing devices running Windows to shut down and endlessly reboot. Although a fix was available within hours, there were delays because computers had to be fixed manually.
The outage illustrates the vulnerability of Microsoft Windows and other digital public infrastructure (DPI), defined as:
"networked open technology standards built for public interest, [which] enables governance and [serves] a community of innovative and competitive market players working to drive innovation, especially across public programmes."
On the positive side, the CrowdStrike incident has helped us truly understand the interconnectedness of society, the risks posed by DPI, and the importance of reliable infrastructure. By learning the lessons, we can strengthen our resilience in the future.
What are key cybercrime compliance requirements?
- Train your team to spot signs of phishing and malicious communications and improve your cybersecurity culture.
- Retrain or upskill existing workers to help bolster cybersecurity capabilities across the company and ensure there is at least one board member with relevant cybersecurity expertise.
- Gather data and look for patterns and trends to analyse the threat level - such as geopolitical tensions (potentially increasing state-sponsored cybercrime), polarisation (potentially fuelling cyberattacks to disrupt democracy), anomalies, etc.
- Use the IBM Framework for Securing Generative AI to benchmark and boost security - following the five steps of securing the data, securing the model, securing the usage, securing AI model infrastructure, and establishing sound AI governance
- Invest in training to improve your response to risks - including phishing, ransomware, DDoS, etc - and combat the threat
- Move beyond reactive risk management so you are ready to exploit opportunities as a result of greater preparedness
- Continue to implement a zero-trust model, which goes beyond the perimeter of the company and covers remote workers, third parties and Internet of Things (IoT) devices, with continuous AI-enabled monitoring and authentication on every digital interaction
- Deliver cyber and digital resilience in line with the requirements of the EU’s Network and Information Security (NIS2) Directive and the Digital Operational Resilience Act (DORA), effective from January 2025
- Engage with designated providers in line with the UK's new 'Critical Third Parties' (CTPs) regime (also from January 2025) - remember, designated providers need to comply with six fundamental rules mirroring the six high-level principles for regulated firms - i.e., acting with integrity, with due skill, care and diligence, and so on. The regime also requires technology providers to notify regulators of planned technology change projects, resourcing challenges, cyber incidents and outages.
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!