Rizwan Nazir

Some great new insights from my colleagues, Ethan Salathiel and Charlie Lewis-Orr, here. As the #failuretopreventfraud enforcement date approaches, we're answering more and more questions from clients keen to align their approaches to #fraud, #bribery and #taxevasion. This piece speaks to some of the key reasons for doing so. If you want to join this conversation or learn more, get in touch. Thanks again to UK Finance for publishing. #FtPF

18

1 Comment

Supply chain cyber security is now a top priority for the UK public sector. Download our new white paper to understand the ins and outs of the the Government Cyber Security Strategy (GCSS), regulatory expectations as they relate to third-party risk management, and how to build a more resilient supply chain ecosystem with Risk Ledger. 📘 Download the new guide to: ✅ Understand what GCSS & CAF mean for your organisation ✅ Learn how to put the principles into practice ✅ See how our supplier assessment framework maps against the GCSS https://hubs.la/Q03rR_JG0

5

Highly Significant incidents handled by the NCSC Incident Management team are up 50% in the year to September, with an impact in the £Billions to affected business and their supply chains. The NCSC recommendations below are critical reading for all companies of every size, with three clear recommendations: 1. Make cyber risk a Board-level priority using the Cyber Governance Code of Practice. Executive and non-executive directors should prioritise this and ensure it is considered in strategic decision-making. 2. Sign up to the NCSC’s Early Warning service  Early Warning is a free service from the government’s National Cyber Security Centre (NCSC) which informs your organisation of potential cyber attacks on your network. 3. Require Cyber Essentials in your supply chain Supply chain cyber attacks are increasing, yet just 14% of UK businesses assess the cyber risks posed by their immediate suppliers. The blog provides links to further information on all three points.

4

These are wise words from Richard Horne - cyber crime is undoubtedly the biggest risk to global business. In fact, the World Economic Forum identified cyber crime as one of the biggest risks to the global economy. The reality is that businesses are unprepared.

33

2 Comments

Regular readers will know that I think most "Dear CEO" letters (to use the FCA's phrase) should, generally, apply to most firms. With the Cyber letter, I'm surprised to see it's just at FTSE 350 companies, when the report basically says every company should be preparing / improving for a cyber attack. I'm hoping we get more transparency from the supply chain — publish your damned SIG/CAIQ/CAF responses on your trust centers (and let some of the aggregators pull that data, so we can make informed choices/switches). There's lots of things, say, in the Corporate Governance Code that smaller firms (especially aspirational firms) should adopt and embed in the corporate culture so they live and breathe good governance. I've been fortunate to slip some of them in — as good practice and 'proing-the-fuck-up'. And of course, you need an accountable, senior officer, to tackle this, and boards need to hear from (and interrogate) all officers.

3

1 Comment

Not all organisations implement regulatory change and transformation right first time. Very often a tail of activity goes well beyond the initial regulatory deadline, which in the case of Operational Resilience, was 31st March 2025. So it is therefore unsurprising that one year on, UK regulators have highlighted strong cross industry engagement and good practice examples of implementation, but with further work to be done. Operational Resilience is a dynamic, cyclical exercise, not a static one. We continue to work with a range of firms on implementation, remediation, health checks, maturity assessments, peer comparisons and specific initiatives on targeted focus areas. If you would like to discuss what this means for your organisation in more detail, please contact either myself or one of the team at Alba Partners.

9

HM Treasury and DSIT have issued joint guidance explaining how the UK Digital Identity and Attributes Trust Framework aligns with the Money Laundering Regulations (MLRs). This fulfils a commitment from the 2024 MLR consultation, and the guidance is now officially approved for MLR compliance. The government has indicated it expects to consult on a nationally-issued government Digital ID. DSIT has also noted it will work with sector guidance bodies where necessary to ensure consistent application of digital identity for CDD purposes.

5

TPR’s Administration Strategy https://lnkd.in/eJ4sz-gX Report shines a much-needed spotlight on the challenges facing pensions administration: technology, data, cyber resilience, governance and investment in people. At KGC, this comes as no surprise. For over a decade, through our Administration Surveys and client work, we’ve highlighted the capacity crunch can’t be solved by people alone. Proper investment in systems, data quality and skills is essential, yet administration too often remains undervalued despite being members’ main point of contact. We welcome TPR’s focus and see this as a turning point. Now is the moment to move beyond short-term fixes and invest in the people, processes and technology needed to deliver sustainable administration. 📊 Read our latest Administration Survey here: https://lnkd.in/eTcnmx44 #KGCInsights #KGCAdministrationSurvey #Pensions #PensionsAdministration #Governance #OperationalResilience #DataQuality #Technology #Trustees #FutureOfPensions

3

Excellent piece on why trustees must demand clearer evidence of cyber resilience from administrators. With NCSC reporting a doubling of major cyberattacks in the past year and recent incidents hitting, amongst others… M&S, Harrods and the Co-op, this is no longer a back-office concern. For pensions, the stakes are high: schemes hold some of the most sensitive personal and financial data in the UK. A breach isn’t just a technical failure; it’s a governance failure. As Daniel rightly notes, trustees should be asking: 1 Are defences tested regularly? 2 Are vulnerabilities resolved quickly? 3 Can recovery be proven, not just promised? This is about evidence, not risk scores. And as tPR and PASA both stress, cyber resilience must be embedded into governance, not bolted on. With dashboards, consolidation and greater digital reliance ahead, trustees who treat cyber resilience as a standing agenda item will be protecting not only members, but also the trust that underpins the entire pensions system. #cyberresilience #cyber #pensions #trustee #PensionFunds #professionaltrustee

6

𝗪𝗵𝘆 𝘁𝗵𝗲 𝗡𝗖𝗦𝗖 𝗪𝗮𝗻𝘁𝘀 𝗖𝗡𝗜 𝗶𝗻𝗱𝘂𝘀𝘁𝗿𝗶𝗲𝘀 𝘁𝗼 𝗥𝗲𝘁𝗵𝗶𝗻𝗸 𝗖𝘆𝗯𝗲𝗿 𝗣𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀 The NCSC’s latest guidance for the CNI sector, published on 28 January 2026, is a timely reminder of a reality many organisations still underestimate: 𝗰𝘆𝗯𝗲𝗿 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁𝘀 𝗮𝗿𝗲 𝗻𝗼 𝗹𝗼𝗻𝗴𝗲𝗿 𝗮 𝗾𝘂𝗲𝘀𝘁𝗶𝗼𝗻 𝗼𝗳 “𝗶𝗳”, 𝗯𝘂𝘁 “𝘄𝗵𝗲𝗻”. The guidance highlights that cyber attacks—particularly against Critical National Infrastructure (CNI)—are becoming more frequent, more sophisticated, and potentially far more destructive. It it is entirely plausible that highly capable threat actors will deliberately target UK CNI to cause large-scale disruption. 𝗖𝗿𝘂𝗰𝗶𝗮𝗹𝗹𝘆, 𝘁𝗵𝗲 𝘁𝗼𝗻𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗴𝘂𝗶𝗱𝗮𝗻𝗰𝗲 𝗶𝘀 𝘂𝗻𝗰𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗶𝗻𝗴. 𝗢𝗿𝗴𝗮𝗻𝗶𝘀𝗮𝘁𝗶𝗼𝗻𝘀 𝗮𝗿𝗲 𝘂𝗿𝗴𝗲𝗱 𝘁𝗼 𝗿𝗲𝘃𝗶𝘀𝗶𝘁 𝗿𝗶𝘀𝗸 𝗮𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁𝘀, 𝗿𝗲𝗮𝘀𝘀𝗲𝘀𝘀 𝗽𝗿𝗲𝘃𝗶𝗼𝘂𝘀𝗹𝘆 𝗮𝗰𝗰𝗲𝗽𝘁𝗲𝗱 𝗿𝗶𝘀𝗸𝘀, 𝗮𝗰𝗰𝗼𝘂𝗻𝘁 𝗳𝗼𝗿 𝗲𝘀𝗰𝗮𝗹𝗮𝘁𝗶𝗻𝗴 𝘁𝗵𝗿𝗲𝗮𝘁𝘀, 𝗶𝗱𝗲𝗻𝘁𝗶𝗳𝘆 𝗳𝘂𝘁𝘂𝗿𝗲 𝘀𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀, 𝗮𝗻𝗱 𝗿𝗲𝗴𝘂𝗹𝗮𝗿𝗹𝘆 𝘁𝗲𝘀𝘁 𝗮𝗻𝗱 𝗲𝘅𝗲𝗿𝗰𝗶𝘀𝗲 𝘁𝗵𝗲𝗶𝗿 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲 𝗽𝗹𝗮𝗻𝘀. We have already seen the impact of major cyber incidents on leading UK organisations in sectors such as automotive and retail. If similar disruptions were to occur in healthcare, energy, or transport, the consequences would extend far beyond financial loss—affecting essential services and society’s ability to function normally. The key message from the NCSC is clear: resilience must be the priority. 𝗡𝗼𝘁 𝗷𝘂𝘀𝘁 𝘁𝗲𝗰𝗵𝗻𝗼𝗹𝗼𝗴𝘆, 𝗯𝘂𝘁 𝗽𝗲𝗼𝗽𝗹𝗲, 𝗽𝗿𝗼𝗰𝗲𝘀𝘀𝗲𝘀, 𝗮𝗻𝗱 𝗱𝗲𝗰𝗶𝘀𝗶𝗼𝗻-𝗺𝗮𝗸𝗶𝗻𝗴 𝗺𝘂𝘀𝘁 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗲 𝘁𝗼 𝗼𝗽𝗲𝗿𝗮𝘁𝗲 𝘂𝗻𝗱𝗲𝗿 𝘀𝘁𝗿𝗲𝘀𝘀. 𝗘𝘃𝗲𝗻 𝗶𝗳 𝘁𝗵𝗶𝘀 𝘄𝗼𝗿𝗸 𝗵𝗮𝘀 𝗯𝗲𝗲𝗻 𝗱𝗼𝗻𝗲 𝗯𝗲𝗳𝗼𝗿𝗲, 𝗶𝘁 𝗶𝘀 𝗻𝗼 𝗹𝗼𝗻𝗴𝗲𝗿 𝘀𝘂𝗳𝗳𝗶𝗰𝗶𝗲𝗻𝘁. 𝗧𝗵𝗲 𝘁𝗵𝗿𝗲𝗮𝘁 𝗹𝗮𝗻𝗱𝘀𝗰𝗮𝗽𝗲 𝗶𝘀 𝗲𝘃𝗼𝗹𝘃𝗶𝗻𝗴 𝗿𝗮𝗽𝗶𝗱𝗹𝘆—𝗮𝗻𝗱 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗽𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀 𝗺𝘂𝘀𝘁 𝗯𝗲 𝗮 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀, 𝗹𝗶𝘃𝗶𝗻𝗴 𝗽𝗿𝗼𝗰𝗲𝘀𝘀. #CyberSecurity #CyberResilience #CNI #IncidentResponse #RiskManagement #OperationalResilience Nuvantiq

10

1 Comment

A good problem to have: Our data has an extremely broad array of possible use cases. It's a common refrain that focus is everything, so we spend a lot of time trying to be pointed with our GTM strategy at Fable; boiling down the many ways you can use our data into a simple narrative. But then projects like this one with the Cyber Monitoring Centre come along, and it's clear that we should embrace the versatility rather than wrestle with it. We started with a mission to harness our Data for Good; shining light on the the world we live in to ensure decision makers are making great decisions rooted in reality. This is a great example of that mission in action, and on such a critical, timely topic.

18

1 Comment

🚨 ISO 20022: Key Actions for UK Migration Readiness As part of the UK ISO 20022 migration journey, here are three key actions we’re sharing from the 14 August SWIFT UK Community Call - please help spread the word: We’ve made progress, but the UK community is not where we need to be. The clock is ticking, and the rules are about to change. 1️⃣ Migrate now - avoid impact of conversion By 22 November 2025, all in-scope payments messages must be sent in MX format. If your migration isn’t complete, MT messages will need to be converted by Swift - this will incur charges, increase rejection risk, and cause payment delays. 2️⃣ Test contingency options early. Short-term solutions for very low message volumes are available (and chargeable) but carry stricter validation rules. Untested contingency could delay or reject payments. 3️⃣ Review your message format settings. If multi-format messaging isn’t needed, opt out now (two-week lead time). From January 2026, this service will be chargeable. 💡 The coexistence period ends 22 November 2025. From this date, all payment messages will be sent in ISO 20022 format - ready or not. Let’s move forward together with clarity, collaboration, and confidence. 🔗 More information: About ISO 20022 | Swift ISO 20022 for financial institutions: Navigating the end of coexistence | Swift #ISO20022Ready #UKCommunity #ISO20022Migration #Payments #SWIFTUK Ian Povey

117

5 Comments

🗣️ Important conversations like this are shaping the future of AI in the UK. 🧠 It was great to see our very own Sofia Ihsan come together with fellow auditors, technologists and policymakers to explore how we build trust, assurance and accountability into AI. 👏 We’re proud to be part of the conversation. #AI #AIAssurance #ResponsibleAI

13

Identity verification at incorporation is now part of the UK’s approach to corporate transparency. Directors and Persons with Significant Control complete a digital check before registration, and Companies House has greater authority to review filings and apply penalties. For compliance teams, verified ownership data supports stronger governance and risk management. Read the full blog for practical details: https://lnkd.in/gUWWr5cu

2

Safeguarding reform is coming - is your firm ready? The FCA’s new rules on safeguarding for payment and e-money institutions go live in May 2026. That means stronger expectations on daily reconciliations, audit assurance and wind-down planning. For firms managing customer funds, this is no longer just a compliance formality, it’s a core part of operational resilience. In our latest blog, I explore: - What’s changing - What this means for governance and reporting - What firms should prioritise now Start planning now and stay ahead of regulatory expectations. Read here: https://lnkd.in/eZHSncf6 #FCA #FinancialServices #Compliance #RiskManagement #FinTech #Safeguarding

12

HM Treasury and DSIT have issued joint guidance explaining how the UK Digital Identity and Attributes Trust Framework aligns with the Money Laundering Regulations (MLRs). This fulfils a commitment from the 2024 MLR consultation, and the guidance is now officially approved for MLR compliance. The government has indicated it expects to consult on a nationally-issued government Digital ID. DSIT has also noted it will work with sector guidance bodies where necessary to ensure consistent application of digital identity for CDD purposes.

12