Why integration, not authorisation, is the biggest compliance risk in 2026 M&A
Key insights
- Regulators no longer judge the deal. They judge the integration. Day‑2 execution is now where compliance risk is won or lost.
- SMCR is most fragile after completion, not before it. Integration exposes blurred accountability at the exact moment regulators expect clarity.
- Consumer Duty turns integration gaps into supervisory issues fast. Inconsistent products, pricing and outcomes rarely stay hidden post‑deal.
- Most integration failures are capacity failures. Overstretched compliance teams create risk even when the technical framework is sound.
- The strongest firms design compliance for the combined future state early. Integration PMOs, surge support and governance redesign separate resilience from exposure.
The first few months of 2026 are already shaping up to be one of the most active years for consolidation across banking, wealth, insurance, payments, fintech and trading. With that activity comes a wave of regulatory scrutiny and compliance risk not seen since the post‑crisis era, particularly across complex M&A transactions in financial services.
As firms merge, restructure, divest, or enter new markets, compliance leaders are navigating heightened expectations across SMCR, Consumer Duty, financial crime, governance, and operational resilience. These pressures are also reshaping compliance hiring, as organisations reassess whether existing structures and capacity are sufficient to support post‑acquisition integration.
Crucially, regulators are sharpening their focus on post‑acquisition integration, not just transaction approvals, placing greater emphasis on post-merger integration and ongoing regulatory compliance across the full M&A process.
1. Why Day‑2 integration is now the primary compliance risk
Most organisations invest heavily in Day‑1 readiness as part of due diligence and transaction planning.
Typical focus areas include:
- SMCR handover
- Notifications
- Policy alignment
- Training
- Governance mapping
Day‑2 is where the real regulatory exposure sits, as processes, systems and operating models collide across the acquirer and target company.
This is where firms encounter:
- Differing product governance cultures
- Incompatible AML/financial crime controls, including sanctions frameworks
- Mismatched conduct risk tolerances
- Diverging oversight of ARs, brokers or distributors
- Inconsistent complaints and vulnerability standards
- Conflicting operational resilience maturity
Integration risk isn’t theoretical. We see duplicated approval processes delaying decisions, conflicting management information impacting board decision-making, and gaps in AML or conduct oversight only becoming visible post-integration.
These are often compounded by misaligned it systems, fragmented data protection controls and inconsistent risk management approaches across entities. Consumer Duty, in particular, makes those gaps far more visible to supervisors.
The most successful organisations treat Day-2 as a core part of compliance integration, building it into the integration roadmap with the same weight, budget and senior ownership as Day-1.
2. SMCR under pressure: redesigning accountability for the combined firm
When two regulated entities merge or restructure, SMRC requirements can become unintentionally messy – particularly where multiple legal entities and jurisdictions are involved.
The most common issues include:
- Duplicated or unclear SMF16/SMF17 accountability
- Statements of Responsibility that no longer reflect reality
- Governance committees that temporarily fall between two models
- New reporting lines contradicting regulatory filings
- Decision‑making dispersed across legacy structures
These gaps create regulatory fragility. The FCA’s own guidance on consumer understanding highlights the importance of clear governance, effective oversight and robust management information, all of which can be undermined where responsibilities are unclear or capacity is stretched.
In reality, this often leads to situations where accountability becomes blurred at exactly the point regulators expect the greatest clarity, increasing the risk of challenge during supervisory engagement or enforcement reviews, particularly where compliance problems emerge post-deal.
The best integrations don’t “lift and shift” legacy SMCR. They redesign accountability from the future-state operating model backwards, aligning governance to the combined business rather than the acquired structure.
This includes:
- Mapping decisions, not just titles
- Building governance pathways, not just organisational charts
- Clarifying interactions between conduct, risk, product and financial crime teams
- Documenting reasonable steps from day one
Strong SMCR design remains the single most effective safeguard against post‑integration enforcement risk.
3. Consumer Duty as the stress‑test for every integration
Consumer Duty acts as an amplifier of every inconsistency between merging firms across the product lifecycle, including:
- Fair value
- Consumer understanding
- Vulnerability
- Outcomes testing
- Product lifecycle governance
During integrations, firms inevitably combine products with:
- Different pricing philosophies and approaches to pricing and value
- Different data standards and data privacy controls under GDPR
- Different remediation histories
- Different customer-journey designs
- Different conduct MI and board reporting
In practice, this is often where firms are caught off guard, particularly where legacy products or historical customer outcomes from the acquired company do not align with the combined firm’s current standards. Those inconsistencies surface rapidly under Consumer Duty scrutiny, especially when firms must demonstrate evidence of alignment across the business.
This is why many high-performing organisations now run dedicated Consumer Duty integration programmes, structured as cross-functional workstreams, responsible for:
- Harmonising product and fair‑value frameworks
- Aligning customer journey mapping
- Merging conduct dashboards and MI
- Bringing vulnerability and forbearance standards into one model
- Updating distribution oversight in line with the combined footprint
Consumer Duty is no longer a standalone regulation. It is increasingly the lens through which supervisors assess whether integration has been successful in practice.
4. The capacity trap: where integration risk really sits
A recurring theme from compliance leaders is not a lack of expertise, but a lack of bandwidth.
Integrations require compliance teams to deliver multiple, overlapping initiatives across BAU and transformation, often within compressed timelines and without any increase in headcount.
These typically include:
- SMCR redesign
- Policy consolidation
- Product governance harmonisation
- Financial crime framework alignment
- regulatory notifications
- Conduct MI rebuild
- Training and cultural integration
- Systems migration oversight
The FCA has been clear that overstretched SMF16/17 holders are a red flag. Where capacity is not addressed, delays, backlogs and control weaknesses quickly emerge, often just as regulatory scrutiny intensifies post‑transaction.
This is why organisations that invest early in temporary surge support, covering monitoring, promotions, AML investigations, Consumer Duty gaps, file reviews, CASS, or AR oversight, outperform those that attempt to absorb everything internally. This is particularly evident in complex M&A deals involving private equity, fintech or cross-border structures.
Capacity, not capability, is the differentiator between compliance strength and regulatory vulnerability.
What effective compliance integration looks like in 2026
Firms that thrive through integration tend to follow a similar pattern:
- A standalone compliance integration PMO
Run by compliance specialists, not generalist consultants - Early surge capacity to avoid backlogs
Particularly across promotions, monitoring, complaints, AML, CASS and file reviews - A full SMCR redesign,
built from future‑state governance backed by clear reasonable‑steps evidence - A Consumer Duty alignment programme
With explicit ownership across product, distribution, customer experience and Management Information (MI) - Integration MI for the board
Bringing together conduct, operational, financial and cultural indicators for key stakeholders - A capacity plan from Day‑0
Not when the cracks start to show
Implemented early, this approach protects deal value, reduces regulatory friction and supports cultural alignment across the combined organisation.
This is not just a year of deal-making, it is a year of regulatory consolidation.
Compliance leaders who treat integration as a core regulatory priority, not a secondary phase, will be far better positioned to navigate this environment. Those who underestimate the complexity of Day-2 integration risk creating avoidable exposure at exactly the point regulators are most focused on outcomes.
In this context, successful integration is no longer defined by completing the transaction, but by demonstrating that governance, accountability and customer outcomes remain robust in the combined organisation, across both the acquirer and the acquired business.
