May 2026 regulatory update: pressure points

Editor’s note: This monthly update covers regulatory developments in order to help regulators understand what is now live, why it matters, and what is coming. If you haven’t already, consider subscribing to our monthly newsletter to stay abreast of the latest regulatory developments.

February was from passage to practice. March was stress-testing new regimes. April was first evidence. May is when the pressure arrives.

New frameworks face implementation challenges, yes, but they also face organised resistance. 

In the UK, the Financial Conduct Authority’s (FCA) motor finance redress scheme is being challenged simultaneously from both sides: lenders who believe it overreaches, and a consumer group that believes it undercompensates. 

In Australia, the Corporations Amendment (Digital Assets Framework) Act 2026 (DAF Act) has received Royal Assent and the Australian Securities and Investments Commission (ASIC) has published its 18-month implementation roadmap – but the clock on the existing no-action position is running out. 

AML/CTF programmes must be approved and operational before obligations commence, not after them. Firms that have not started are already running out of time.

In New Zealand, the Commerce Commission’s decision on the Gull–NPD fuel merger is due 28 May, and whatever the outcome, it will define how New Zealand polices concentration in low-margin consumer markets for years. 

And in Canada, Bill C-22’s committee hearings are now probing whether the government’s third attempt at lawful access legislation can survive the constitutional scrutiny its predecessors could not.

These developments share a common thread: the difference between a framework that holds under pressure and one that bends or breaks – and what that difference reveals about regulatory design, institutional nerve, and the limits of implementation optimism.

Regulatory orientation: what is now live or unavoidable

Australia

• DAF Act receives Royal Assent; ASIC 18-month roadmap published. The DAF Act passed Parliament on 1 April and received Royal Assent on 8 April. The regime commences 8 April 2027, giving an 18-month implementation runway. ASIC published its implementation roadmap on 20 April, covering four phases: industry consultation and engagement (months 1–6); regulatory guidance and standards development (months 6–12); licence applications open for digital asset platform (DAP) and tokenised custody platform (TCP) operators (months 12–18); and full commencement (month 18 onward). The INFO 225 class no-action position expires 30 June, meaning entities must comply with existing licensing obligations during the transition period, without the benefit of the new framework’s tailored provisions. For crypto platforms and custody providers, ASIC’s roadmap is the most operationally consequential document of the year.
• SOCI Act reform consultation closed 1 May. Following the independent review of the Security of Critical Infrastructure Act 2018 (SOCI Act) by Dr Jill Slay AM, the Department of Home Affairs released two consultation papers in March: one on proposed amendments to ministerial directions powers, and one on an exposure draft of enhanced Critical Infrastructure Risk Management Program (CIRMP) rules. Submissions closed 1 May. The proposed changes would replace the existing requirement for an Australian Security Intelligence Organisation (ASIO) Adverse Security Assessment before the Minister can issue a direction, allow the Minister to address systemic vendor risks across entire sectors simultaneously, and permit entities to delay public disclosure of a cyber security incident where disclosure would threaten national security. These are structural expansions of executive power as opposed to incremental adjustments, and the government is now reviewing submissions ahead of legislation.
• AUSTRAC Tranche 2 enrolment: the uptake question. The Australian Transaction Reports and Analysis Centre (AUSTRAC) Tranche 2 enrolment portal has been open since 31 March. With obligations commencing 1 July and an estimated 90,000 new entities – lawyers, accountants, real estate agents, conveyancers, and dealers in precious metals – required to enrol, the critical question in May is whether uptake matches the scale of the obligation. Anti-money laundering and counter-terrorism financing (AML/CTF) programmes must be approved and operational before obligations commence, not after them. Firms that have not started are already running out of time.
• Australia’s regulatory crunch: five frameworks, one deadline. From 1 July, five separate regulators will each be responsible for enforcing a major new framework. The convergence – AUSTRAC Tranche 2, ASIC Group 2 climate disclosure, the Scams Prevention Framework, the digital assets transition, and continued CPS 230 implementation – is the consequence of years of deferred reform arriving simultaneously. ASIC is simultaneously reviewing Group 1 climate reports for greenwashing, managing the digital assets transition, and running a litigation programme flagged as a 2026 enforcement priority.

New Zealand

• Gull–NPD merger decision due 28 May. The Commerce Commission’s decision on the proposed acquisition of NPD Group by Astra Energy (owner of Gull New Zealand) remains the most closely watched competition ruling in the country this year. The Commerce Commission’s Statement of Issues flagged concerns about whether the combined entity could profitably raise prices or reduce service quality in concentrated retail fuel markets. Submissions from the parties closed in April. The decision will become a reference case for how New Zealand polices consolidation in low-margin consumer markets – and will be read alongside the Competition and Markets Authority’s (CMA) Google conduct requirements as a study in contrasting approaches to market power.
• RMA replacement bills before select committee. The Planning Bill and Natural Environment Bill – the coalition government’s replacement for the Resource Management Act 1991 (RMA) – are before the Environment Select Committee. A report is expected mid-2026. The central tension is whether separating development facilitation from environmental protection, combined with provisions that could require councils to compensate landowners when environmental protections reduce land value, would make legitimate environmental regulation financially unworkable for local government. 

United Kingdom

• FCA motor finance scheme faces legal challenge from both sides. On 27 April, Consumer Voice applied to London’s Upper Tribunal to contest the FCA’s motor finance redress scheme, arguing it “fails to deliver fair, adequate or lawful consumer redress and systematically under-compensates consumers.” The group notes that approximately 4.7 million agreements it considers mis-sold are excluded from the scheme’s scope entirely. The FCA has said it will defend the scheme robustly and described the challenge as “disappointing.” The complaint window is still scheduled to reopen 31 May; Consumer Voice has stated its goal is to correct the shortcomings, not halt compensation. Earlier, lenders including Close Brothers and Santander declined to mount their own challenge.
• CMA Google conduct requirements: finalisation imminent. The CMA’s consultation on four binding conduct requirements for Google’s search and search advertising services closed in late February, with requirements addressing publisher content use, fair ranking, user choice, and data portability. The CMA is now analysing responses and moving toward finalisation – the first binding obligations on any firm under the Digital Markets, Competition and Consumers Act (DMCC Act). The Department for Business and Trade (DBT) consultation on restructuring the CMA itself also closed on 31 March 2026, adding a layer of institutional uncertainty to the regulator’s operational calendar.
• FCA non-financial misconduct regime: 1 September countdown. With four months to the commencement of the new Conduct Rules (COCON) amendments for non-banks, firms are stress-testing their disciplinary frameworks and aligning HR, compliance, and legal functions. The FCA’s final guidance, issued in February, confirmed that non-financial misconduct – including bullying, harassment, and discriminatory conduct – is now a conduct matter with direct fitness and propriety consequences. For firms that have treated this as a culture or HR issue rather than a regulatory one, the September deadline is a hard stop.

Canada

• Bill C-22 in committee. The government’s third attempt at lawful access legislation passed second reading on 20 April and was referred to committee. May committee hearings will test whether Part 2 – the ministerial orders framework allowing secret compulsory orders to digital service providers – can survive Charter scrutiny. The Canadian Association of Chiefs of Police has publicly supported the bill; civil liberties groups remain opposed.
• Modern Slavery Act reporting: 31 May deadline. The third annual reporting deadline under the Fighting Against Forced Labour and Child Labour in Supply Chains Act falls on 31 May. Updated Public Safety Canada guidance, issued in late 2025, narrowed reporting obligations for some distributors. The volume and quality of reports submitted this year will show how far supply chain risk has moved from corporate social responsibility into mainstream compliance – and whether the government’s guidance changes have reduced burden proportionately or created new ambiguity.

Four stories to watch

The FCA’s legal gauntlet: what a challenged redress scheme tells regulators

The FCA’s motor finance redress scheme was already unusual by design: a standardised, automated, industry-wide programme covering 17 years of conduct and 12.1 million agreements, built deliberately to prioritise consistency over bespoke outcomes. It is now more unusual still – simultaneously challenged by a consumer group arguing it undercompensates and, until they stood down, by lenders who considered it a regulatory overreach.

Consumer Voice’s challenge goes to the Upper Tribunal on two grounds: the methodology used to calculate compensation, and the exclusion of approximately 4.7 million agreements it considers mis-sold. The FCA’s response – that it has “no vested interest” in the scheme, and that its goal is “fair compensation for consumers as quickly as possible” – is exactly the kind of declarative institutional positioning that regulators in adversarial proceedings rely on. But it does not resolve the underlying tension the challenge exposes: whether a scheme designed to balance consumer outcomes against lender viability can be both fair and financially bounded.

Any design that limits total liability will attract consumer challenges; any design that imposes significant liability will attract industry challenges.

For regulators in other jurisdictions designing mass-redress frameworks, the challenge is instructive in three ways. First, it confirms that standardised schemes will face legal pressure from both directions simultaneously – any design that limits total liability will attract consumer challenges; any design that imposes significant liability will attract industry challenges. Second, Consumer Voice’s explicit statement that it wants to correct shortcomings, not halt compensation, suggests that adversarial oversight of regulatory schemes need not be a zero-sum contest. Third, the FCA’s handling of claims management companies – through ajoint taskforce cracking down on firms charging 20–30% of compensation for a service the scheme makes unnecessary – will be studied as a model for protecting redress infrastructure from extraction.

The complaint window reopens 31 May. Between now and then, lenders face the operational task of building assessment systems for what could be millions of simultaneous claims – while legal uncertainty about the scheme’s final contours remains unresolved. 

ASIC’s digital assets roadmap: 18 months, one chance

The passage of the DAF Act and ASIC’s 18-month implementation roadmap give Australia’s digital assets transition a shape it did not have in April. The 18-month window isn’t, as some market commentary has suggested, simply a licensing queue. Rather, it is a structured programme in which the substantive standards governing how digital asset platforms operate – custody, settlement, financial requirements, governance – will be developed through consultation and legislative instruments over the next 12 months, then applied to incoming licence applications in the final six.

Two things make this operationally significant for firms and for ASIC. For firms, the implication is that applying early for an Australian Financial Services Licence (AFSL) variation or new licence does not lock in all the terms of operation: the standards being developed in Phase 2 will shape what compliance actually looks like. Overseas platforms serving Australian customers are in the same position and need to begin their AFSL analysis now. For ASIC, the roadmap commits the regulator to a level of consultation and guidance-production that runs in parallel with its existing supervisory programme – a programme that already includes Group 1 climate disclosure review, a litigation calendar, and, from 1 July, Tranche 2 AML oversight.

The transition from no-action to active supervision will be the first genuine test of whether ASIC’s tools and bandwidth can handle the complexity and pace of digital asset markets. Its Market Integrity Update for April describes the approach as having “a strong focus on early engagement with industry, clear guidance, and practical transition arrangements” – a framing that signals proportionality, but also places the reputational weight of orderly transition on ASIC’s capacity to deliver. 

Australia’s SOCI Act reforms: security, secrecy, and ministerial power

The proposed reforms to the SOCI Act are framed as a security upgrade. In structural terms, they are something more consequential: a significant rebalancing of power between the executive and regulated entities in Australia’s most sensitive infrastructure sectors.

The five proposed measures (removing the ASIO Adverse Security Assessment requirement before a direction can be issued, allowing sector-wide vendor restrictions across multiple entities simultaneously, permitting delayed public disclosure of cyber incidents for national security reasons, imposing persistent governance conditions on high-risk entities, and introducing enhanced CIRMP requirements for energy, communications, water, and transport assets) each expand the Minister’s operational reach. The Department of Home Affairs has framed this as providing “greater flexibility and precision,” and the reforms do include accountability safeguards: the Minister must still consider ASIO advice and satisfy proportionality requirements before issuing directions.

But the combination of incident disclosure delay and sector-wide vendor restrictions is analytically distinct from previous SOCI iterations. Regulators in adjacent sectors – particularly those overseeing financial services firms that are also critical infrastructure owners – will need to understand how the new ministerial directions interact with existing sector-specific disclosure and reporting obligations. The consultation record, now closed, will shape the final legislation; the policy choices being made now will define Australia’s critical infrastructure governance architecture for the next decade.

New Zealand’s Gull–NPD decision: the cost of concentration 

The Commerce Commission’s 28 May deadline on the Gull–NPD merger is arriving at a moment when competition regulators across all four jurisdictions are navigating explicit government pressure to prioritise economic growth over structural intervention. New Zealand is not immune: the coalition government has embedded a growth and productivity orientation into its broader regulatory reform agenda. The Commerce Commission is independent, but it operates in a political environment that has grown demonstrably less sympathetic to precautionary competition intervention.

The fuel market is a difficult context for that tension. Retail fuel in New Zealand is concentrated, price-sensitive, and geographically constrained in ways that make substitution limited for most consumers. The Commerce Commission’s Statement of Issues flagged that the combined Gull–NPD entity could profitably raise prices or reduce service quality precisely because the competitive constraint it currently imposes on Z Energy, BP, and Mobil would diminish. At the same time, consolidation among smaller players can generate operational efficiencies and investment capacity that genuinely benefit consumers – the kind of argument that resonates in a growth-oriented policy environment.

Whatever the Commerce Commission decides, the reasoning will matter more than the outcome. A clearance with strong behavioural conditions would signal that New Zealand’s competition regime can accommodate consolidation while managing structural risk. A block would affirm that the Commerce Commission is willing to hold the line in concentrated markets even under political headwinds. Either way, the decision will be read alongside the Australian Competition and Consumer Commission’s (ACCC) first Phase 2 referrals and the CMA’s Google conduct requirements as a data point in the emerging question of what independent competition regulation actually means in 2026.

May – July 2026 watch list

Immediate (May 2026)

Australia

• Throughout May – AUSTRAC Tranche 2 enrolment uptake data emerging; AUSTRAC has signalled active outreach to sectors where awareness is lowest. Firms not yet enrolled with AML/CTF programmes in development are already behind schedule.
• From 8 April 2026 – DAF Act in force; ASIC roadmap published. The INFO 225 no-action position expires 30 June 2026 – compliance with existing licensing obligations is required now during the transition.

New Zealand

• 28 May – Commerce Commission Gull–NPD decision due; the reasoning will set the standard for merger control in concentrated consumer markets.

United Kingdom

• 31 May – FCA motor finance complaint window reopens; firms must be operationally ready to receive and assess claims, notwithstanding the Consumer Voice Upper Tribunal challenge.
• May (ongoing) – CMA moves toward finalising Google conduct requirements; first binding DMCC Act obligations on any firm.
• May – Ofcom publishes major platform responses to child safety demands under the Online Safety Act 2023; first public accountability test for platform compliance at scale.

Canada

• 31 May – Annual modern slavery and forced labour reporting deadline under the Fighting Against Forced Labour and Child Labour in Supply Chains Act; third year of reporting, with updated Public Safety Canada guidance narrowing obligations for some entities.
• May (ongoing) – Bill C-22 committee hearings; Part 2 ministerial orders provisions under scrutiny.

Near term (June – July 2026) 

Australia

• 30 June – ASIC INFO 225 no-action position expires; digital asset entities without existing AFSL coverage face enforcement exposure and must comply with current licensing rules.
• 1 July – AUSTRAC Tranche 2 obligations commence; AML/CTF programmes must be approved and operational.
• 1 July – Group 2 climate disclosure obligations commence for mid-sized Australian entities; ASIC supervision begins at scale.

United Kingdom

• 30 June – FCA motor finance Scheme 2 implementation period ends; lenders must be ready to assess post-April 2014 complaints.
• 31 August – FCA motor finance Scheme 1 implementation period ends; lenders must be ready to assess pre-2014 complaints.
• 1 September (horizon) – FCA non-financial misconduct COCON amendments commence for non-banks.

Final word

“What matters to us is getting fair compensation for consumers as quickly as possible and supporting a healthy motor finance market for the future. That’s what our scheme will do, and it’s free for consumers to use.”

– Financial Conduct Authority, responding to Consumer Voice’s legal challenge, April 2026.

The FCA’s statement is a model of institutional positioning under pressure: calm, declarative, and oriented toward the public interest rationale that justifies the scheme’s existence. Whether or not the Upper Tribunal ultimately agrees with the FCA’s methodology, the posture matters. Regulators that can articulate what they are doing and why – in plain terms, under adversarial conditions – tend to preserve the institutional credibility that makes ambitious frameworks sustainable.

That discipline is visible in different forms across May’s other major developments. ASIC has published a detailed roadmap for a genuinely complex digital assets transition, accepting that it will need to develop standards and guidance in public consultation rather than presenting a finished architecture. AUSTRAC is absorbing an estimated 90,000 new regulated entities while remaining explicit that the enrolment deadline is not a grace period. New Zealand’s Commerce Commission is taking the time its process requires on Gull–NPD, even as applicants and political observers push for resolution.

The difference between these examples and Canada’s Bill C-22 – now in its third iteration and still facing the same Part 2 objections – isn’t ambition, since all four regulatory goals are legitimate. The question is whether constraints on executive or institutional power are built into the design from the beginning, or treated as obstacles to be minimised. The frameworks that hold under pressure in 2026 will be the ones where that question was answered honestly at the drafting stage.’

The Modern Regulator delivers independent regulatory news, insight, and analysis for regulators and the professionals who work alongside them. Sign up for our monthly newsletter.