Corlytics, a regulatory intelligence and risk analytics firm, has published its Q1 2026 enforcement report, revealing that global regulators issued approximately $542m in fines during the first three months of the year, with data privacy breaches, systems and controls failures, and consumer harm driving the majority of actions.
The report, which examined penalties exceeding $1m from the world’s leading regulators, found that while total fine volumes were broadly in line with Q1 figures from the previous three years, the quarter sat at the lower end of that range.
US regulators accounted for the largest share of penalties, issuing close to $270m in fines across five agencies. Data privacy enforcement featured prominently in the global top 10, with significant penalties handed to Italian bank Intesa Sanpaolo and French telecoms group Iliad SA.
Meanwhile, global investment banking and wealth management firm Canaccord Genuity received a combined $120m in fines from three US regulators for compliance failures spanning 13 years.
Italy’s data protection authority issued two separate fines to Intesa Sanpaolo totalling approximately $57m. The first, worth 17.6 million euros, concerned the bank’s unlawful processing of around 2.4 million customers’ data ahead of a transfer to its digital-only subsidiary. The second, worth 31.8 million euros, arose from an employee illegally accessing the personal banking records of 3,573 customers, some of whom held prominent public roles and should have benefited from additional protections.
The regulator also highlighted that ineffective controls had allowed the employee’s access to go undetected. That theme extended to the UK, where the Information Commissioner’s Office (ICO) fined Reddit £14.5m for failing to put in place age verification mechanisms before granting children access to its platform.
The ICO noted this penalty followed a £247,590 fine against MediaLab in February 2026 for similar failings, and indicated both actions were part of a broader initiative targeting children’s data safety online. In France, regulator CNIL issued a 42 million euro penalty to Iliad SA following a 2024 cyber-attack that compromised the data of 24 million customers, with the decision addressing failures in data retention, deletion processes, and remote security monitoring.
In the US, the Securities and Exchange Commission (SEC) continued its shift under chair Paul Atkins towards what it describes as “enforcement for impact” — concentrating resources on misconduct that causes the greatest harm, such as fraud, market manipulation, and abuse of trust.
The SEC closed more than 1,000 enforcement cases without further action in 2025 and has begun expanding its use of artificial intelligence to accelerate examinations. Roughly 18% of staff departed the agency in 2025, predominantly from enforcement and examinations, and the SEC’s budget request acknowledged plans to hire new personnel while indicating it would continue to prioritise oversight of investment advisers and broker-dealers.
The Canaccord Genuity penalties — issued by FINRA, the SEC, and FinCEN — covered failures in anti-money laundering systems and controls, suspicious activity reporting, best execution, and supervision of trading activity over the period from 2012 to 2025. Regulators stated these deficiencies led to significant economic harm and facilitated illicit transactions including numerous securities fraud schemes.
In Australia, the Federal Court imposed a $6.9m fine on Binance Australia Derivatives following an Australian Securities and Investments Commission (ASIC) investigation originating in 2022. The case centred on the misclassification of 524 customers as sophisticated investors, granting them access to complex products for which they were unsuitable. ASIC found that the assessment process used by Binance could be manipulated and allowed repeated attempts. The firm separately paid $9.4m in compensation to those affected.
Corlytics is a regulatory intelligence company whose data sets track enforcement actions across global financial regulators. Its Q1 2026 report examined fines above $1m from 19 regulators worldwide, covering sectors including banking, securities, data privacy, and healthcare.
The report noted that Corlytics recently added “Non-Financial Risk” and “Operational Risk” classifications to its data sets as part of a broader move towards risk intelligence. This category has quickly become one of the largest by fine volume in the report, and the firm expects this trend to continue as regulators step up activity around cybersecurity and scrutinise compliance with new operational resilience frameworks in Europe and the UK.
Corlytics drew several conclusions from the quarter’s activity. On long-term compliance failures, the report observed that enforcement notices consistently document multi-year systems and controls breakdowns, with Canaccord Genuity’s 13-year failure period serving as the most prominent recent example.
On consumer protection, Binance’s fine highlighted that retail investor misclassification remains an active area of focus, echoing similar MiFID II-related penalties in Europe dating back to 2018 and sitting alongside a consultation from UK authorities requiring sophisticated investor assessments to be redone.
The report concluded that while the volume of fines in Q1 2026 was relatively modest, the underlying message from regulators was unambiguous: compliance risks that are left unaddressed over time rarely stay hidden, and delayed remediation tends to result in larger eventual consequences.
Copyright © 2026 RegTech Analyst





