Global Investigations Bulletin - March 2026

Following the announcement in January that Nick Ephgrave would step down midway through his term as Director of the SFO, it has now been confirmed that Graham McNulty will assume the role of interim Director from early April. McNulty joined the SFO in 2024 following a long career with the Metropolitan Police Service. His appointment comes at a particularly dynamic period, with several high-profile prosecutions progressing toward trial and ongoing government reforms, including proposed limits on juries in complex financial crime cases and the rollout of the new ‘failure to prevent fraud’ offence. McNulty’s immediate focus will likely be on maintaining operational momentum and continuity while a permanent Director is appointed.

In a further setback for the SFO, the agency dropped its long-running bribery prosecution against former executives of London Mining Plc in February, after disclosure issues were identified with its document review software. At Southwark Crown Court, the three defendants, including the company’s former CEO and CFO, were acquitted. The SFO said the decision reflected delays, the challenges of reviewing large volumes of material, and concerns that some evidence may not have been properly examined. The development follows the SFO’s 2025 announcement that problems had been identified with its legacy e-discovery system, prompting a review of past cases to ensure relevant material had not been missed. It also comes after earlier case collapses linked to disclosure failures, including the 2024 prosecution of former executives at G4S.

Jose Alejandro Zamora Yrala, director of UK-based aircraft parts trader AOG Technics, has been sentenced to nearly five years’ imprisonment for orchestrating an aircraft engine parts fraud. Zamora was found to have sold more than 60,000 aircraft engine parts accompanied by forged airworthiness documentation, generating over £7.7 million in revenue. The parts were primarily intended for the widely used CFM56 engine. The scheme came to light after aircraft equipment manufacturer Safran identified a falsified certificate and alerted authorities, prompting safety alerts from aviation regulators and the grounding of aircraft worldwide. Zamora pleaded guilty in December 2025, concluding the SFO’s substantive investigation, though proceedings over confiscation of the proceeds of crime continue.

The SFO has obtained a £283,321 confiscation order against David Ames, following his 2022 conviction for a £226 million timeshare fraud linked to the Harlequin Group. Ames was previously sentenced to 12 years’ imprisonment for defrauding investors who were persuaded to invest in overseas timeshare developments, many of which were never built. The order forms part of the SFO’s ongoing asset recovery efforts, which have identified additional assets linked to Ames. If the order is not paid, Ames faces up to three additional years in prison.

Looking ahead, the SFO has announced that it will host an international economic crime conference in London in May 2026, together with France’s Parquet National Financier (PNF) and Switzerland’s Office of the Attorney General of Switzerland (OAG). The event will be the first hosted by the International Anti-Corruption Prosecutorial Taskforce, a collaboration between the SFO, PNF and OAG established in 2025 to strengthen international prosecutorial cooperation in anti-corruption enforcement. It will also mark the first large-scale multi-jurisdictional conference organised by the SFO. According to the SFO, the conference is intended to strengthen communication between enforcement agencies, deepen operational understanding and support the development of new strategic partnerships to combat international economic crime.

Robb Simms-Davies, a former director of Bluu Solutions, has failed in his attempt to remove his name from a deferred prosecution agreement (DPA) published by the SFO. The DPAs, entered into in 2019 with Bluu Solutions and Tetris-Projects Limited, were initially anonymised while criminal proceedings were ongoing. Simms-Davies and others were acquitted of bribery charges in 2023. Following the trial, the Bluu DPA was published in de-anonymised form, naming him. In Robb Simms-Davies v Southwark Crown Court, the High Court dismissed his judicial review, noting that the individuals had already been publicly named in the criminal proceedings and that open justice principles apply to the publication of DPAs. The court emphasised that the ruling did not imply guilt but allowed the public to understand the SFO’s reasons for approving the agreement.

The FCA has fined Richard Howson, ex-CEO of Carillion, for his role in misleading market statements made by the construction group prior to its collapse and liquidation in 2018. The penalty follows fines imposed in January on former Carillion finance directors, Richard Adam and Zafar Khan. All three were found to have been “knowingly concerned” in the company’s breaches of market disclosure obligations and related controls requirements. The FCA’s action underscores its willingness to hold senior executives personally accountable for failures in market disclosures. Passive reliance in the face of known risks may expose individuals to personal liability, reinforcing the need for proactive engagement when potential issues arise.

The FCA has banned Kasim Garipoglu from working in UK financial services after concluding he lacked the honesty and integrity required to be considered ‘fit and proper’. The FCA’s investigation, which began as an AML review, uncovered internal communications showing Garipoglu encouraging staff to bypass onboarding and AML checks and prioritise profit over compliance, despite warnings from compliance and management teams. The regulator also found that he misled the FCA, including by making misleading statements and using forged documents. The case underscores the FCA’s continued focus on individual accountability, compliance culture and the importance of “tone from the top”.

Continuing its focus on market abuse, the FCA imposed civil penalties totalling £108,731 on Bhavesh Hirani, and Dipesh Kerai for insider dealing in breach of Article 14(a) of the UK Market Abuse Regulation. The FCA found that Hirani, then CFO of Bidstack, disclosed confidential information about an upcoming commercial deal to Kerai. Using that information, the pair purchased 1.3 million Bidstack shares ahead of the announcement, generating profits of more than £9,000. The trading was identified through Suspicious Transaction and Order Reports (STORs) submitted by a market participant, highlighting the important role of industry in detecting market abuse.

On 3 March, the FCA reached a resolution with John Wood Group plc resulting in a fine of nearly £13 million in connection with the market reporting of financial information. The group received the full 30% settlement discount. On 24 March the FCA imposed a further corporate penalty, fining Dinosaur Merchant Bank Limited £338,000 for deficiencies in its systems and controls designed to prevent and detect market abuse.

The Upper Tribunal has upheld enforcement action by the FCA against Stephen Joseph Burdett and James Paul Goodchild, confirming their bans from the financial services industry and fines of £265,071 and £47,600 respectively. The Tribunal found that the pair recklessly exposed pension holders to unsuitable high-risk investments by switching more than £10 million of pension funds into portfolios heavily concentrated in a single offshore property developer. The FCA had previously intervened in 2016 to halt the pensions business of Synergy Wealth Limited and Westbury Private Clients LLP, both of which later entered liquidation. More than £1.4 million has since been paid to affected investors by the Financial Services Compensation Scheme.

In January, the FCA published the first edition of Enforcement Watch (EW1), a new online publication intended to provide greater transparency around the regulator’s enforcement activity and priorities. The report notes that between 3 June and 31 December 2025 the FCA opened 23 new investigations, comprising 18 regulatory investigations, four dual-track investigations and one criminal-only investigation. The new cases cover a broad range of misconduct, including investigations into individuals, listed issuers, unauthorised business activity (particularly in cryptoassets), Consumer Duty breaches, inadequate oversight, financial crime, and consumer investment and asset management misconduct.

In particular, EW1 highlights the FCA’s growing enforcement focus on the Consumer Duty, which until recently had primarily been addressed through supervisory engagement. The publication confirms six new investigations into potential breaches of the Duty’s fair value. The publication also highlights the factors that may escalate a matter from supervisory engagement to formal enforcement, including repeated non-cooperation, failure to address identified issues, deliberately misleading the regulator, and causing significant harm to consumers.

The FCA has had a search warrant overturned following judicial review proceedings. The Administrative Court found that the warrant was unlawfully obtained during a fraud investigation. The Metropolitan Police, acting on behalf of the FCA, applied for and obtained the warrant under section 8 of the Police and Criminal Evidence Act 1984 (PACE). However, the Court held that the application failed to properly address the high likelihood that seized material would include legally privileged documents. The judges concluded that the warrant should instead have been sought under the more stringent procedure in Schedule 1 to PACE, which applies where privileged material is expected. While the Court found no bad faith by the FCA, it ruled the warrant invalid due to the way the application had been presented. The decision highlights the importance of carefully scrutinising search warrants and other enforcement orders - particularly during dawn raids or other unexpected visits - despite the operational pressure to respond quickly.

The Payment Systems Regulator (PSR) has fined Bank of Ireland (UK) plc £3.8 million for failing to implement the “send” functionality of Confirmation of Payee (CoP) within the deadline set by Specific Direction 17. While the bank implemented CoP “respond” capability on time, delays affected both its retail and business platforms, with full compliance only achieved in January 2025. The PSR found the breach was not deliberate or reckless but concluded that internal decisions contributed to avoidable delays, including reliance on an unfinished platform improvement programme and a group-wide mainframe incident that disrupted delivery. The regulator also criticised the bank for failing to notify it promptly that it was unlikely to meet the deadline and for not sufficiently exploring interim measures to mitigate customer risk. The decision underscores the expectation that firms proactively manage technical dependencies, maintain resilient systems capable of supporting regulatory change, and engage early with regulators where compliance risks arise.

On 16 March 2026, HM Treasury published its consultation response confirming the Government’s policy position on reforms to the Financial Ombudsman Service (FOS), alongside a joint FCA/FOS consultation paper and policy statement (CP26/9) finalising certain changes to FCA rules and guidance and consulting on further FOS proposals. The reforms represent significant changes to the UK consumer redress framework.

The HMT response confirms the following legislative reforms (which will require primary or secondary legislation): including an adapted “Fair and Reasonable” test aligned with FCA rules, a formal referral mechanism to the FCA for ambiguous or sector-wide issues, strengthened authority for the FOS Chief Ombudsman, regular joint thematic reporting, a 10-year limit on complaints, and a framework to expedite mass redress events.

Certain regulatory changes are being implemented now under the existing framework, including operational improvements, updated guidance on identifying and rectifying consumer harm, and the development of a lead complaints process.

The reforms and further proposals have practical implications for firms’ complaint handling, FOS engagement, and regulatory risk management. Firms will need to demonstrate compliance with FCA rules in complaint files, monitor and potentially request FCA referrals for ambiguous or significant issues, and adapt to new tools for managing high volumes of complaints, including registration stages and expanded dismissal grounds. The reforms also strengthen the connection between the FOS and FCA redress powers, giving the FCA a more streamlined route to implement redress schemes and pause complaint handling. A further consultation on complaint registration, dismissal grounds, and the “Fair and Reasonable” test closes on 11 May 2026, with additional consultations on funding and case fees planned later in the year.

On 11 March, the PRA announced its first resolution under the Early Account Scheme (EAS), fining UK Insurance Limited, a Direct Line Group subsidiary, £10.6m for miscalculations in its Solvency II balance sheet. Under the EAS (launched in January 2024), firms can submit a detailed factual account within six months in exchange for a potential penalty discount of up to 50%, supported by a senior manager attestation. Direct Line received the full 50% discount. The case demonstrates the EAS’s potential to resolve matters within a year, highlighting the PRA’s evolving enforcement approach and its aim to incentivise early, constructive engagement. Notably, the FCA currently has no equivalent scheme.

In a busy month for enforcement, on 24 March, the PRA also fined The Bank of London and its parent Oplyse £2 million, for failing to act with integrity, and failing to deal with the PRA in an open and cooperative manner in relation to the bank’s capital positions. The case is notable as the first time the PRA has fined a firm for breaching Fundamental Rule 1 (on integrity) and the first enforcement action against a parent holding entity.

On 30 March, OFSI announced a £390,000 penalty against Apple Distribution International Limited (ADI), a subsidiary of Apple Inc., for breaching Russian sanctions by instructing two payments to Okko LLC, a company owned by a designated entity. Although the payment processes were implemented through third-party providers and group affiliates, OFSI emphasised that the entity instructing the payment still retains responsibility for sanctions screening and compliance. ADI voluntarily disclosed the issue to OFSI in October 2022 and received a 35% discount on the penalty following settlement. The case highlights that enforcement can still take significant time, with around three and a half years elapsing between the voluntary disclosure and OFSI’s final decision. A key takeaway is that firms remain responsible for sanctions compliance even where screening or payment processes are outsourced, and must ensure robust ownership due diligence and effective controls to halt payments where sanctions risks arise.

OFSI has updated its enforcement guidance to streamline sanctions investigations and encourage earlier engagement by firms. The revised framework introduces a more transparent case assessment matrix for determining enforcement outcomes and proposes increasing the maximum civil penalty from £1 million or 50% of the breach value to £2 million or 100% (subject to legislation). While the discount for voluntary disclosure and cooperation will be reduced to a maximum of 30%, firms may obtain cumulative discounts of up to 70% by combining voluntary disclosure with new mechanisms such as the Early Account Scheme and a settlement process offering a 20% reduction where cases are resolved quickly. The guidance also introduces fixed monetary penalties of £5,000 or £10,000 for certain administrative breaches and expands the factors considered when assessing the seriousness of sanctions violations, including recklessness, seniority of those involved, and the strategic importance of the sanctions regime affected. The changes signal OFSI’s intention to increase transparency and efficiency in enforcement while incentivising early cooperation.

On 16 February, OFSI also launched a call for evidence on how the “ownership and control” test in UK financial sanctions regulations operates in practice. The consultation seeks input from firms and industry bodies on issues such as the use of “hypothetical control,” practical challenges in applying the control test, and the impact on compliance costs and business decisions. The evidence will inform a review of whether the current framework is clear, proportionate, and effective while remaining workable for legitimate businesses. The consultation is open until 13 April 2026.

On 25 March the Supreme Court handed down its judgment in Celestial Aviation Services Ltd v UniCredit Bank GmbH on the impact of sanctions legislation on a bank’s payment obligations under letters of credit. The dispute arose after aircraft lessors sought payment under letters of credit issued in connection with aircraft leases to Russian airlines. UniCredit declined to pay until it received a licence from OFSI. The case centred on Regulation 28 of the Russia Sanctions Regulations which prohibits providing funds in connection with arrangements whose object or effect is the supply of aircraft to Russia.

The Supreme Court held that the provision should be interpreted broadly, finding that payment under the letters of credit was sufficiently connected to the underlying aircraft leasing arrangements to fall within the prohibition, even though the leases pre-dated the sanctions and had already been terminated. The Supreme Court also considered the scope of the protection available under section 44 of the Sanctions and Anti-Money Laundering Act 2018. It concluded that the provision operates as a defence to civil liability where a person acts or refrains from acting in the reasonable belief that they are complying with sanctions. In this case, that defence would have shielded the bank not only from liability for the principal payment but also for associated claims such as interest and costs. The judgment provides important clarification on the broad reach of UK sanctions and confirms that the licensing regime plays a key role in addressing situations where sanctions rules intersect with pre-existing commercial obligations.

In March, the Information Commissioner's Office (ICO) issued a £100,000 fine to a Birmingham based pendant alarm company  for making unsolicited marketing calls. In the same month, Police Scotland was fined £66k and reprimanded after an investigation found officers had extracted the entire contents of a person’s mobile phone following a crime report, without sufficient safeguards to prevent access to irrelevant personal information. This resulted in the collection of large volumes of highly sensitive information unrelated to the investigation. In February the ICO confirmed it had launched formal investigations into X Internet Unlimited and X.AI LLC over their Grok AI system, following reports that the technology may generate non-consensual sexualised imagery, and is coordinating with Ofcom and international regulators. Also in February, the ICO issued a £247,590 fine to MediaLab, for processing children’s data without parental consent, failing to implement age verification, and neglecting a data protection impact assessment. Reddit was fined £14.47 million for inadequate age assurance that allowed children access to mature content. The regulator also reprimanded Staines Health Group for disclosing excessive medical information about a terminally ill patient to their insurer. These actions underline the ICO’s ongoing focus on AI risks, children’s online privacy, and sensitive personal data protection.

On 9 March, the Home Office published its Fraud Strategy for 2026–29, outlining a renewed government approach focused on disrupting criminal activity, strengthening prevention, and improving support for victims. The strategy is structured around three pillars:

1. Disrupt, including the creation of an Online Crime Centre to coordinate law enforcement, intelligence agencies and industry in tackling fraud networks, alongside stronger international cooperation and reforms to financial crime controls such as changes to HM Treasury’s Strong Customer Authentication framework and potential new regulation of cryptoasset services.
2. Safeguard, which focuses on building resilience among individuals and businesses through expanded public awareness campaigns, enhanced policing, and initiatives such as extending the Vulnerable Victim Notification Scheme supported by UK Finance.
3. Respond, which aims to improve victim support and enforcement, including the rollout of the new Report Fraud service operated by the City of London Police to replace Action Fraud.

The strategy is supported by a new investment programme and governance framework to oversee delivery.