A doctrine, not a rulebook
The most consequential thing the Financial Conduct Authority has said about financial crime in 2026 is not a new rule. It is a sentence.
In a speech at the FCA’s financial crime conference on 14 May 2026, chief executive Nikhil Rathi told the room that “separating financial services from national security is outdated and dangerous”, and that the UK fraud and money-laundering picture is “a question of fundamental economic and national security”. The transcript, Working together against financial crime, is short. The repositioning underneath it is not.
For most of the period since the National Economic Crime Centre stood up in 2018, UK financial crime has been treated by the FCA primarily as a conduct and prudential problem — a regulated-firm compliance failure to be supervised, fined, and remediated. Rathi’s speech moves the frame. Financial crime at the scale the UK is now seeing is being described by the regulator itself as a threat to the integrity of national economic infrastructure. That is closer to the language the National Cyber Security Centre uses about ransomware than to the language of a section 166 skilled-person review.
The doctrine change is the lede. The reason it matters is the second half of the speech.
What “national security” lets the FCA do that “compliance” does not
Rathi’s speech sets out five concrete operational commitments. None is, on its own, dramatic; together, they describe a different supervisory posture.
First, data fusion with the National Crime Agency and the National Economic Crime Centre. The FCA is moving from receiving suspicious-activity reports and sharing case-level intelligence to running a joint operational data pipeline with the NCA. The vehicle is a set of nine economic crime priorities published jointly with the NCA, with selected banks piloting action plans whose stated purpose is to produce law-enforcement outcomes — not regulatory ones.
Second, network analytics on the FCA’s own intelligence holdings. Rathi disclosed that the FCA’s intelligence infrastructure has processed “over 52 million intelligence records”. The financial crime detection capabilities programme, which the speech named, applies “advanced network analytics” across that corpus. That is a different supervisory artefact from the firm-level AML thematic reviews UK banks have been organised around — it treats the FCA’s own data, not the firm’s, as the primary detection surface.
Third, a feed into law-enforcement systems. By June, Rathi said, the FCA will be sharing more than 5,000 records via the Police National Database. That is a small number in absolute terms. It matters because it changes the destination of FCA intelligence: from supervisory case files to operational policing infrastructure used by territorial forces.
Fourth, an international layer. The speech named IOSCO’s I-SCAN cross-border investment fraud database and a joint TechSprint with the FCA’s AI Lab as the technical components of an internationalised response. UK fraud is overwhelmingly international in origin; the I-SCAN reference signals that the FCA expects its detection surface to live partly outside UK jurisdiction.
Fifth, perimeter widening. Rathi explicitly named “professional body supervisors in the legal and accountancy sectors” and the payments sector as part of the response. That is consistent with the direction of the Economic Crime and Corporate Transparency Act 2023, but the speech is the most explicit FCA statement yet that the supervisory perimeter for financial crime is wider than FCA-authorised firms alone.
The scale claim, sourced
Two figures in the speech do the work of justifying the doctrine. The first is the FCA’s own statement that the average loss for an investment-fraud victim is over £25,000. The second is the 52 million intelligence records held by the FCA’s financial crime intelligence infrastructure. Both are FCA-primary figures, not third-party estimates. Both are the kind of numbers a regulator cites when it is about to ask for more supervisory headroom.
Rathi did not lead with the aggregate exposure figures UK Finance and the NCA cite. He led with the per-victim loss and the regulator’s own intelligence volume, framing financial crime as an individual harm and a systemic problem at once.
What firms should read into this
Firms that have built financial-crime functions as a compliance cost centre are now being supervised by a regulator that has reframed its own role as upstream of law enforcement. That changes the calculation around suspicious-activity reporting throughput and the depth of information shared in joint pilots. It also changes how the FCA is likely to read poor outcomes: under a compliance frame, an AML control failure is a section-166 candidate; under a national-security frame, it is closer to a critical-infrastructure failing.
For the payments sector — which Rathi named — the implication is sharper. The FCA’s data fusion with the NCA presupposes that payments firms can share transaction-graph data in usable form. The Economic Crime and Corporate Transparency Act 2023’s information-sharing provisions are in place but still being operationalised. Firms that have not yet stood up the legal and technical pipes for inter-firm sharing have a narrow window before the joint pilots become the supervisory norm.
Caveats, and the Leeds Reforms question
Two things keep this from being a clean inflection point.
The first is the Leeds Reforms Enhancing Financial Services Bill, introduced on 20 May, which folds the Payment Systems Regulator into the FCA and rewrites the supervisory architecture in which Rathi is operating. The financial-crime mandate is not the headline of that bill, but the absorption of the PSR will give the FCA direct rule-writing authority over the payments rails through which most UK fraud now travels. The doctrine in Rathi’s speech is presumably calibrated to that.
The second is the information-sharing perimeter. The statutory framework limiting what firms can share with each other about suspected criminals sits with the Home Office and HM Treasury, not the FCA. The practical ceiling on data fusion is set by primary legislation, not by speeches. Neither caveat dissolves the doctrine; both shape its operational reach.
What to watch
Three near-term tells will show whether the speech is posture or substance. First, the June Police National Database threshold: whether the 5,000-record figure lands, and whether it grows on a published cadence. Second, whether the FCA names the banks in its joint NCA pilots or keeps them anonymised — naming is the cleanest signal that supervisory outcomes are subordinated to law-enforcement outcomes. Third, the Leeds Reforms committee stage: any financial-crime amendment that writes national-security language into statute is the doctrine being made durable.
Until then, Rathi’s sentence is the artefact. UK financial crime is now being supervised as if it were a national-security problem, by a regulator that has decided to say so out loud.