Global enforcement activity dropped 72% between 2024 and 2025, with fines falling to $5.488bn in total across all four quarters of last year.
According to a report by Corlytics, the biggest enforcements were seen in the United States, where fines totalled $3.22bn. Elsewhere, enforcements came to $623m in Ireland, $558m in France and $437m in the United Kingdom, while Australia saw $262m and Canada $143m. By comparison, last year’s report put total US enforcements at more than $17bn.
By category, the biggest fines were seen in the conduct of business area, at $2.47bn. Close together in second and third place were financial crime and regulatory obligations, at $1.588bn and $1.542bn respectively. Corporate governance saw fines of $1.279bn and privacy and cybersecurity $1.211bn. Market conduct failings led to fines of $328m and prudential obligations to $40.6m.
By business line or service, the sectors that stood out most were card services ($1.58bn) and non-financial services ($1.2bn). Also attracting considerable fines were wealth management services ($671.9m), asset management ($479.8m) and crypto and digital asset markets ($275.7m).
The 2025 enforcement landscape is defined by scale, cross-border reach and systemic control failures rather than isolated rule breaches. The year’s largest action — the FDIC’s $1.37bn fine against Discover Financial Services — underscores how politically charged consumer harm and overcharging remain. But it sits within a broader pattern of conduct-driven enforcement spanning disclosures, governance and institutional controls.
Data protection and marketing misconduct feature prominently. Ireland’s Data Protection Commission imposed a $598.9m penalty on ByteDance, while France’s CNIL issued major fines against Alphabet and Elite Depot for unsolicited marketing and data-related breaches. These cases signal that privacy, transparency and customer communications remain live regulatory battlegrounds across Europe.
US authorities were equally assertive. The DOJ targeted both UBS Group and American Express for fraud, tax and disclosure-related failures, while OFAC penalised GVA Capital for sanctions and non-cooperation breaches. The CFPB’s $175m action against Block reinforced scrutiny on unfair contracts, disclosures and internal controls within payments infrastructure.
Meanwhile, enforcement in newer market segments shows no regulatory leniency. FINTRAC’s $125.96m action against Xeltoz Enterprises in crypto and digital assets confirms that AML, suspicious activity monitoring and reporting expectations are now firmly embedded. In the UK, the FCA’s $101m penalty against BlueCrest Capital Management highlights continued focus on conflicts of interest and systems-and-controls failings within asset management.
Data protection and privacy failures represent the single largest control breakdown in 2025, with approximately $650m in enforcement value. This places privacy not just as a compliance function, but as a primary regulatory battleground. Breaches relating to personal data handling, transparency, and lawful processing are attracting the most severe financial consequences across jurisdictions.
Systems and controls failures account for roughly $400m in fines, making it the second-largest category. These cases reflect breakdowns in governance frameworks, operational oversight and internal risk management structures. Regulators are signalling that structural weaknesses in control environments are no longer treated as secondary failings.
Sanctions management breaches generated approximately $242m in enforcement value. This underscores continued global sensitivity around sanctions compliance, screening failures and deficiencies in sanctions governance frameworks, particularly amid heightened geopolitical risk.
Record-keeping failures contributed around $238.5m in fines. Inadequate documentation, incomplete audit trails and poor retention practices remain a significant enforcement trigger, reflecting regulators’ insistence on traceability and evidentiary integrity.
Compliance monitoring and oversight weaknesses resulted in roughly $204m in penalties. These actions typically reflect failures to detect, escalate or remediate issues in a timely manner, pointing to deficiencies in second-line assurance capabilities.
Complaint-handling failures accounted for approximately $175m in enforcement value. These cases highlight regulatory scrutiny on how firms identify, assess and resolve customer grievances — particularly where patterns of harm are not adequately addressed.
Conflict of interest management breaches totalled roughly $146.8m in fines. Failures to identify, disclose or mitigate conflicts — particularly in asset and wealth management — continue to attract significant enforcement attention.
Suspicious activity monitoring deficiencies resulted in approximately $130.9m in penalties. While these fines are still material, the ranking suggests enforcement focus is expanding beyond transactional AML failures toward broader governance structures.
AML management failures — including programme design and execution weaknesses — accounted for roughly $118.1m in fines. These cases reflect structural deficiencies in anti-money laundering frameworks rather than isolated reporting lapses.
Supervision of relevant persons generated approximately $109.5m in enforcement value. These actions relate to inadequate oversight of staff and accountable individuals, reinforcing regulatory expectations around personal responsibility and effective managerial control.
Moving towards proactive supervision
Rachel Woodworth sees the regulatory shift toward proactive supervision as more than a change in tone – it is a change in operating expectations.
The old mindset, where compliance sat largely within the Compliance function and firms focused on avoiding blame once scrutiny arrived, is no longer sufficient. “Compliance is now everyone’s responsibility,” she argues. Firms must be able to demonstrate real-time risk awareness and data-driven decision-making as part of daily operations, not as a retrospective defence.
Recent enforcement trends reinforce this. As highlighted in Corlytics’ data, major penalties increasingly stem not from traditional monitoring or sanctions failings alone, but from broader control weaknesses, particularly legacy IT and data deficiencies. That evolution signals that regulators are scrutinising infrastructure, governance, and operational resilience just as closely as headline compliance topics.
In response, Woodworth observes greater empowerment of Legal, Compliance, and Audit teams to influence company-wide behaviours, ensuring risks are identified, escalated, and addressed early. But empowerment alone is not enough. Proactive supervision demands deeper cross-functional engagement, greater transparency of information, and stronger technical interoperability across systems.
The foundation, she suggests, rests on four cornerstones: continuous monitoring of external risk signals; a shared risk taxonomy and common language across teams; clearly defined ownership and accountability; and a culture in which staff are encouraged, and feel safe, to surface issues early.
When those elements are in place, internal reporting stops being a defensive exercise. It becomes an early-warning system – enabling firms to identify and manage emerging risks before regulators do it for them.
Luca Dalla Giacoma, meanwhile, emphasises that proactive supervision requires firms to rethink what they measure and report. Static, backward-looking metrics are no longer sufficient; early-warning indicators are needed, including near-misses, “almost breaches,” and control execution failures, not just design shortcomings. Capturing these signals allows firms to identify fragility before it becomes actual failure.
Equally important is integrating data across risk, compliance, conduct, and operational functions. Reporting should break down silos so leadership can see how an operational issue might escalate into a conduct or prudential problem. This holistic view makes it possible to intervene early, rather than reacting after an event has already occurred.
By combining forward-looking metrics with cross-functional data, reporting becomes a strategic tool, providing actionable insight that aligns with the regulator’s proactive expectations. It transforms internal monitoring into a system that highlights emerging risks before they escalate into regulatory issues.
Mike O’Keeffe highlights that regulators in 2026 are moving from retrospective enforcement toward continuous, evidence-based oversight. Firms can no longer wait for issues to surface; they must detect, document, and escalate risks before regulators identify them.
This requires a shift to evidence-based attestation. Firms must demonstrate that governance, supervisory controls, documentation, and risk ownership are functioning in practice, particularly around AI, digital communications, and individual accountability. Simply having policies on paper is no longer sufficient; regulators expect proof that they are being applied and monitored effectively.
O’Keeffe also stresses the need for integrated, end-to-end governance across operational resilience, cyber, and financial crime. This includes mapping regulations, policies, and controls across cyber, third-party risk, and AML typologies, creating a holistic view of control maturity. In this environment, internal reporting becomes not just a compliance exercise, but a tool for demonstrating resilience and proactive risk management.
Staying aligned
O’Keeffe stresses that the most successful firms in 2026 align technology, governance, and culture, rather than relying solely on new systems or policies. Technology adoption is treated as a governance transformation, not a tooling project. Leading firms map each use case to regulatory obligations, ensuring employees, supervisors, and systems share a common understanding of risks, controls, and escalation triggers.
These organisations also prioritise risk data interoperability and a unified risk architecture. By reducing silos across regulations, policies, controls, and operational risk, they create shared data standards and interoperable platforms, a necessity as risks become increasingly interconnected.
Finally, top-performing firms invest in upskilling staff for a tech-augmented compliance environment. They combine tech literacy, regulatory expertise, and operational know-how, fostering cross-functional collaboration between compliance, data, operations, and risk teams. This integrated approach keeps both people and technology aligned with evolving regulatory expectations.
Meanwhile, Woodworth highlights that in a landscape of emerging technologies, faster workflows, and evolving regulation, effective communication has never been more critical. Firms need straightforward access to reliable, consistent, and actionable information to remove barriers to discussion and enable sound, data-driven decision-making.
In some jurisdictions, regulators are now mandating demonstrable tooling to support this capability. This makes a holistic, auditable, and flexible technology infrastructure essential to meet both operational and supervisory expectations.
Looking ahead to 2026, Woodworth emphasises the importance of identifying reliable sources of truth and filtering clear, concise insights from the growing sea of AI-generated information. Maintaining this discipline will be essential for consistency, coordination, and effective decision-making across increasingly complex regulatory and operational environments.
Dalla Giacoma observes that the most successful firms in 2026 are proactive in their regulatory engagement. Rather than simply reacting to new rules, they seek to influence regulation before it is finalised.
This includes responding to consultations, participating in industry events, roundtables, and workshops — all opportunities to share insights and recommendations. By actively contributing to the regulatory dialogue, these firms help shape the landscape while positioning themselves as informed, forward-looking participants.
Diverging regulatory approaches
Dalla Giacoma emphasises that while a global compliance strategy remains valuable, it must be adapted to the regulatory expectations of each jurisdiction. A one-size-fits-all approach risks overlooking local priorities and nuances that can have material consequences.
By analysing trends in fines and enforcement actions within specific regions, firms can identify the regulator’s primary focus areas. This insight allows them to tailor policies and controls, ensuring their compliance frameworks remain robust and “air-tight” across all markets where they operate.
Meanwhile, Woodworth suggests that the optimal approach lies between fully centralised and entirely localised compliance. Firms must maintain strong local compliance while preserving international consistency. Significant overlap between regulatory requirements often allows global organisations to “kill many birds with one stone,” even amid diverging regional approaches.
Yet interpretation can vary widely, influenced by company culture and risk appetite, and these differences are amplified in multinational organisations where cultural norms and risk culture differ. This makes both local tailoring and global uniformity critical.
For global firms, Woodworth recommends flexible local monitoring and reporting practices operating alongside clearly defined global minimum expectations. A robust international governance framework ensures roles and responsibilities are understood and monitored, while still empowering local teams to leverage their specialist expertise without being constrained by overly rigid central control.
Lastly, O’Keeffe argues that a fully unified global compliance strategy is increasingly unrealistic. Regulatory fragmentation is accelerating, with the US, EU, UK, and Asia-Pacific each balancing competitiveness, innovation, and financial stability differently. Supervisory expectations are also diverging, particularly around AI governance, digital communications, and accountability, making a single global approach impractical. Some regions are simplifying frameworks while others are tightening or localising requirements.
The solution, O’Keeffe suggests, is a “federated compliance model.” This combines global principles — such as risk appetite, governance, conduct standards, and AI use policies — with locally tailored execution. Local layers handle jurisdiction-specific reporting, accountability, documentation, and controls, while central data governance ensures consistent regulatory mapping.
Shared technology platforms provide a common backbone, but rules and workflows remain configurable at the regional level. This hybrid approach allows global firms to maintain consistency and oversight while adapting to divergent regulatory expectations efficiently, balancing standardisation with necessary local flexibility.
Copyright © 2026 RegTech Analyst