A comprehensive analysis of enforcement activity across 19 major global regulators in the first quarter of 2026 has confirmed that the volume and value of fines for compliance failures are accelerating, with data privacy breaches, operational risk shortcomings, and AML control failures generating the largest individual penalties.
US regulators accounted for the dominant share of total penalties, issuing close to $270 million across five agencies in the three-month period. The findings, drawn from regulatory data tracking actions above $1 million, reflect a compliance enforcement environment that is broadening significantly in its scope and showing no signs of deceleration.
Among the most significant individual enforcement actions of the quarter was the coordinated $80 million penalty against Canaccord Genuity issued by FinCEN, the SEC, and FINRA for Bank Secrecy Act violations spanning more than a decade, described in full above.
That action alone accounted for a significant portion of total US fine volume during the quarter and set a new benchmark for AML enforcement in broker-dealer markets. The combined coordinated total from all three agencies against Canaccord reached $120 million before FinCEN’s crediting mechanism was applied.
Data privacy enforcement featured prominently among the largest global penalties recorded during the period. Italian data protection authority Garante issued two separate fines to Intesa Sanpaolo totalling approximately $57 million, the first of which, worth 17.6 million euros, concerned the unlawful processing of around 2.4 million customers’ data ahead of a planned transfer to the bank’s digital-only subsidiary.
The second enforcement action against Intesa Sanpaolo addressed additional data processing failings. The Garante’s willingness to issue multiple fines against the same institution within a single quarter signals a more aggressive enforcement posture from one of Europe’s historically more conservative data protection authorities.
In France, the data protection regulator CNIL issued a 42 million euro penalty against Iliad SA following a 2024 cyber-attack that compromised the personal data of 24 million customers. The CNIL’s decision addressed failures across three specific areas: data retention practices, deletion processes, and remote security monitoring. The scale of the customer data exposure, combined with the multi-year gap between the breach occurring and the regulatory action concluding, illustrates the extended enforcement timelines that now characterise major data protection cases in European jurisdictions.
In the United Kingdom, the Information Commissioner’s Office continued its targeted enforcement initiative around children’s data safety online. The ICO noted that a fine issued against a named media platform in early 2026 followed a £247,590 penalty against MediaLab in February 2026 for similar failings, characterising both actions as part of a coordinated initiative rather than isolated enforcement decisions. That framing matters because it signals a programme-based enforcement approach, meaning companies operating online services accessible to children should anticipate systematic regulatory review rather than reactive action following individual complaints. Platforms including TikTok, Snapchat, and Instagram, all of which have faced ICO scrutiny in prior years for children’s data handling, remain in the regulator’s direct line of sight.
In Australia, the Federal Court imposed a $6.9 million fine on Binance Australia Derivatives following an Australian Securities and Investments Commission investigation that originated in 2022. The relatively modest penalty reflects the jurisdictional limitations of ASIC’s consumer protection powers in the derivatives context, but the years-long enforcement timeline from initial investigation to court-imposed penalty illustrates the operational disruption that regulatory investigations impose on firms regardless of the eventual financial outcome.
The analytical firm Corlytics, whose data set tracks enforcement actions across global financial regulators, added non-financial risk and operational risk as distinct classification categories to its monitoring framework, and those categories quickly became among the largest by fine volume in the Q1 2026 analysis. The company has indicated it expects this trend to continue as regulators across Europe and the UK increase their scrutiny of compliance with operational resilience frameworks, including the Digital Operational Resilience Act, which came into force in the European Union in January 2025 and whose direct oversight regime for critical technology providers commenced in December of the same year.
A pattern identified across multiple enforcement notices during the quarter was the documentation of multi-year systems and controls breakdowns. Regulators in multiple jurisdictions observed that the failures giving rise to the largest penalties were not sudden events but accumulated over extended periods, often despite repeated internal or external identification of the weaknesses involved. The Canaccord Genuity case, in which FINRA made documented findings in 2014, 2017, and 2018 and the firm nonetheless failed to implement meaningful remediation until the FinCEN investigation commenced, represents the most extreme version of that pattern in the Q1 data set. But similar dynamics appeared in the Intesa Sanpaolo and Iliad enforcement records, where data governance deficiencies had been allowed to persist despite the known risk environment created by major customer data transfers and cyber incidents.
The SEC’s pivot under chair Paul Atkins toward what the agency describes as enforcement for impact has begun to show measurable effects on US fine totals. The Commission closed more than 1,000 enforcement cases without further action in 2025 and has simultaneously expanded its use of artificial intelligence to accelerate examinations, meaning the net effect is a smaller caseload addressed with greater analytical depth. The SEC also lost approximately 18% of its staff in 2025, predominantly from enforcement and examinations divisions, though it has published plans to hire new personnel with a stated focus on investment adviser and broker-dealer oversight.
The quarterly data also reflects an emerging enforcement priority around what regulators are calling AI washing, the practice of companies claiming to deploy artificial intelligence in their products or services without doing so in any meaningful sense. The SEC explicitly flagged this as a compliance risk in its 2026 examination priorities, noting that false or misleading statements about AI capabilities constitute potential securities violations. Investment managers, including those operating AI-marketed portfolio strategies, and technology companies promoting AI-powered enterprise software face particular exposure if their marketing claims are not supported by the actual operational characteristics of the underlying systems.
For compliance professionals tracking the global enforcement landscape, the Q1 2026 data reinforces several structural conclusions that are likely to define regulatory expectations throughout the remainder of the year. Regulators are less interested in technical procedural compliance and more focused on whether compliance frameworks actually prevent harm. Deferred remediation is being treated as evidence of willfulness rather than resource constraint. Data privacy enforcement is converging across the EU, UK, and US around higher penalties for systemic failures involving large customer populations. And operational resilience, AI governance, and AML controls are moving from advisory guidance into active enforcement territory simultaneously, compressing the timeline available to firms that have not yet completed the necessary investment in their control environments.
