ESG may have been overtaken on the board agenda in recent times by other threats perhaps perceived to be more pressing and against a wider economic and political backdrop in which many have been placing greater emphasis on growth and opportunity. This may have the effect of understating the level of risk posed to businesses by non-compliance with the growing number of ESG-specific legislative and regulatory requirements and a drive by activists and others to hold corporates to account with potentially significant financial and reputational consequences. We consider below the litigation and regulatory threat level and what businesses can do to best protect themselves from adverse consequences.
An evolving regulatory landscape
A number of regulators have a stake in policing ESG compliance and there are signs of activity which may result in significant outcomes in 2026.
In addition to the long-standing potentially relevant Financial Conduct Authority (FCA) requirements, such as those relating to fair treatment for and clear communications with customers, the growth in financial services regulation for UK regulated firms includes:
- the advent of the Consumer Duty, which generally requires regulated firms to deliver good outcomes for retail customers, including ensuring that they receive the right information, at the right time and in a way they can understand to help them make informed decisions and which requires them to ensure they have tested understanding of consumers;
- the ‘Anti-Greenwashing Rule’ covering references in customer and promotional communications to the sustainability characteristics of a product or service (and which can therefore extend beyond ‘greenwashing’); and
- the Sustainability Disclosure Requirements including the financial products labelling regime and the product naming and marketing requirements already in force, and the ongoing product-level and entity-level disclosure requirements, which came into force from 2 December 2025 for firms with assets under management of over £50 billion, with the entity-level disclosure rules extended to firms with assets under management of over £5 billion from 2 December 2026. These are intended to help consumers navigate the investment product landscape and regulate the use of sustainability-related terms.
In addition, following draft legislation on the regulation of ESG ratings providers in October 2025, the FCA published a consultation paper on 1 December 2025 setting out its proposed approach to ESG ratings regulation, seeking consultation feedback by 31 March 2026. Relevant ESG ratings providers will need to be authorised under the new regime after 29 June 2028.
The FCA has also been actively engaging with various sectors on aspects of the ESG agenda. In August 2025, the FCA published:
- findings of a multi-firm review on climate reporting by asset managers, life insurers and FCA-regulated pension providers which identified greater transparency for clients and consumers but also room for improvement such as avoiding overly complex disclosures and ensuring information can be accessed more easily; and
- insights from its ongoing engagement with banks active in the sustainability-linked loans market.
For its part, the Prudential Regulation Authority (PRA) has been consulting on enhancing the approach of banks and insurers to managing climate-related risks, including with regard to elements of the governance framework such as board ownership of risk appetite, management information and accountability (see our briefing on CP10/25).
Regulatory risks
The evolving regulatory landscape translates into an increased threat of regulatory enforcement action as firms seek to keep pace with the changing requirements and regulators look to leverage their new toolkits and demonstrate that the changes are effective in driving compliant behaviour and deterring misconduct.
Potential breaches may surface in a number of ways such as through complaints, claims and whistleblowing. Activist groups are increasingly seeking to draw attention to perceived regulatory shortcomings and prompt regulatory action (for example, attempts to judicially review the FCA’s decision to approve a prospectus on the basis of alleged inadequate disclosure of climate-related risks). Even when unsuccessful, such challenges can make headlines and generate unwelcome publicity for companies involved.
In addition, the emotive nature of certain ESG issues means that potential breaches in this area may be particularly susceptible to whistleblowing either internally or externally and those raising concerns can include employees, investors, third party contractors or competitors. The FCA has campaigned to raise the profile of whistleblowing as an escalation route and to encourage individuals to make reports directly to the regulator. The SRA has also issued guidance to in-house solicitors on reporting wrongdoing and conducting investigations (see our summary).
We know that at least two ESG investigations have been commenced by the FCA:
- in July 2023, the FCA opened an investigation concerning climate-related issues, following a two-year period of “supervisory focus” (as confirmed in a May 2024 letter to the Treasury Sub-Committee on Finance Services Regulations and reported in our blog); and
- in August 2025, a listed company, Drax Group plc, announced that it was the subject of an FCA investigation covering the period January 2022 to March 2024 relating to “certain historical statements regarding Drax’s biomass sourcing” and the compliance of its annual reports for 2021, 2022 and 2023 with the Listing Rules and Disclosure Guidance and Transparency Rules (see our recent blog). The FCA has also confirmed the investigation. It has been reported that the investigation follows claims by a whistleblower that the company had misled the market about the sourcing of wood for its biomass pellets. Drax was previously investigated by Ofgem which concluded that an absence of adequate data governance and controls in place had contributed to Drax misreporting data to Ofgem and being unable to satisfy Ofgem regarding supporting evidence for certain profiling data under the Renewable Obligations scheme.
Such investigation announcements are likely to become more commonplace given the FCA’s drive towards greater transparency and, whilst it remains to be seen whether either of these cases will result in enforcement outcomes for the companies involved, it seems likely that other cases are also in the pipeline and that, sooner or later, a decision will emerge, sending a message to the industry regarding the FCA’s approach to ESG matters.
More broadly, governance is a perennial theme of both FCA and PRA enforcement action and is often seen as a root cause of issues giving rise to investigations in areas such as financial crime, reporting failures, non-financial misconduct and risk management. In particular, earlier this year, the PRA imposed a fine in connection with a lack of proportionate governance arrangements following a skilled person review which, amongst other things, identified a lack of alignment between governance and regulatory requirements and inadequate management information. The regulators will expect firms to learn these governance lessons and apply them across the business.
Other regulators are also active in this space. They include:
- the Advertising Standards Authority which has published guidance for firms making environmental and sustainability claims and has taken enforcement action against a growing number of ESG-related promotions for breaches of the Advertising Codes including by financial institutions and listed companies;
- the Competition and Markets Authority, which has issued a “Green Claims Code”, has conducted related investigations in particular sectors and has recently acquired new powers under the Digital Markets, Competition & Consumers Act 2024, which allows it to directly enforce consumer law and impose fines of up to 10% of a company’s global turnover and also introduces new protections for consumers; and
- the Financial Reporting Council, which has emphasised the need for strong interconnectivity between narrative and data reporting and indicated that its programme of corporate reporting reviews and audit quality inspections will pay particular attention to climate-related risks including TCFD disclosures and that it will collaborate with the FCA on monitoring climate risk disclosures and reporting requirements.
In addition to the civil penalties that companies may face for breaches, recent developments in corporate criminal liability may also be relevant in an ESG context, making it easier for prosecutors including the Serious Fraud Office and the FCA to hold companies criminally liable for the misconduct of employees and others. For example, the failure to prevent fraud offence which came into force on 1 September 2025 could arise in circumstances involving an untrue statement by an employee or other associated person in relation to a company’s environmental credentials or the ‘greenness’ of its products. In addition, companies may be liable for certain economic crimes committed by their senior managers (with proposals for this to be extended to all crimes).
Litigation
ESG-related litigation is also seeing an upward trend. We track UK court proceedings through the NRF Litigation Trends Survey and responses from the most recent iteration suggest:
- ESG is now a mainstream litigation concern, with both pro-ESG and anti-ESG pressures driving disputes;
- of those surveyed, 27% said they were more exposed to ESG risk in 2025 than in the previous 12 months (compared to 24% in the 2024 survey); and
- respondents indicated that they expected greater exposure to social, environmental and governance disputes.
Litigation may seek to leverage regulatory breaches, including in respect of the requirements set out above, and tends to fall into the following categories:
- climate litigation against nation states for failing to address climate change, and against companies seeking to impose liability in various ways such as through claims to impose responsibility for a proportion of contributions to global emissions; to compel companies to adopt reduction targets and strategies; and to establish misrepresentations on behalf of companies in relation to climate impacts;
- value chain liability alleging liability of subsidiaries, suppliers and certifiers for the ESG impacts of third parties (for example, see our briefing here) including taking advantage of jurisdictions with ESG due diligence laws (for example France’s Loi Vigilance) and consumer protection legislation;
- investor claims including derivative actions by activist shareholders (often NGOs) against company directors in respect of matters such as the management of ESG risks and ESG decision-making.
Cases in various jurisdictions have included litigation for failing to curb emissions; failing to manage climate change related risks; failing to make sufficient progress towards targets; misleading marketing; or forced labour in the supply chain.
Protective steps
Despite the plethora of interested regulators, there are some clear common themes to be discerned from their various publications and their enforcement activity which include:
- Board ownership and oversight: The board should set and own the overall business risk appetite for climate, which should be based on analysis provided by risk and cascaded across the business, be informed by scenario analysis including reverse stress tests, and provide a clear statement of how the firm intends to approach these risks. The board should leverage training and management information to provide effective challenge regarding climate-related risks.
- Management information and analysis: Management bodies should provide their board with the relevant information and analysis on climate related risks to help the board understand the potential impacts in different scenarios using the outputs from the risk identification process. The board should be provided with performance analysis under a range of climate scenarios and management should demonstrate to the board the resilience of the firm’s existing strategy.
- Training: Firms should provide boards and other key internal stakeholders with appropriate training on climate related risks, which includes the current methods and tools used by the firm to manage risks.
- Record-keeping: Evidencing ownership, consideration and challenge relies on effective record-keeping such as appropriate minutes of discussion and follow up. Minute-takers need to be trained and provided with guidance on how best to meet the regulators’ expectations in this area.
- Governance structures and accountability: Management responsibilities for identifying and managing climate-related risks, including providing appropriate information to the board, should be assigned at an appropriate level of responsibility such as SMF or board member with clear reporting lines. Climate-related risk should be incorporated into internal control frameworks across the three lines of defence. Responsible individuals should be held appropriately to account (for example through the firm’s appraisal and reward system) and so this will need to be built into the performance review process with appropriate criteria and consequences.
- Monitoring: ESG risk should be adequately embedded in the control framework including across all three lines of defence so that it is included in relevant reviews by compliance and internal audit. Lessons learned from such reviews can also be fed back into policies and procedures as needed.
- Whistleblowing: Firms will likely prefer to capture and address any concerns internally and pre-empt any unilateral escalation by a whistleblower to the FCA. For this, they will need clear and accessible speak-up procedures and an effective process for investigating and remediating any issues.
- Disclosures: Given the particular risks posed by a range of potential climate-related disclosures, firms should regularly review their control environment to ensure that: (i) they have identified all the areas in which such disclosures might be made; (ii) they have adequate co-ordinated arrangements for due diligence, verification, record-keeping, escalating, approving and monitoring; and (iii) those involved in these activities have adequate and up-to-date expertise in relevant areas. Disclosures to retail investors and/or customers may require an additional layer of governance such as testing around likely understanding and impact and also accessibility of all the relevant information needed to provide an appropriately balanced picture.
Firms may wish to develop internal checklists which take account of the examples provided in the guidance and emerging from the cases and which can assist internal teams in effective gatekeeping around disclosures. Possible areas of focus include ensuring that:
- information is capable of being easily understood without undue complexity or ambiguity;
- adequate consideration has been given to different ways in which phrases could be interpreted;
- all the relevant information needed to make an informed decision is sufficiently prominent and easily accessible and that material information is not omitted;
- the basis for claims is made sufficiently clear;
- the reader is told what the disclosure relates to (distinguishing between the business as a whole and a particular product for example);
- the information is appropriately balanced (without unduly accentuating the benefits or positives or minimising the negatives);
- any absolute terms are justifiable or contextualised through comparison with alternatives;
- any images are being used appropriately;
- quantitative and qualitative data is available to support disclosures;
- a review has been carried out against applicable rules, guidance and internal policies;
- adequate records of the basis for disclosures are maintained and accessible;
- there is a process for keeping the disclosure under regular review including in the event of any changes that might require it to be updated;
- any complaints about the disclosures are captured and consideration given to potential changes.
Firms may also want to implement and keep updated an internal policy for handling any emerging issues or a regulatory enquiry so that a process does not have to be invented in the midst of a crisis. It may be that ESG issues can be factored into an existing procedure but consideration should be given to appropriate escalation routes and to ensuring that relevant stakeholders with ESG expertise are involved. Areas to consider covering in any policy might include:
- Stop the breach: determining whether there is any ongoing activity which should be stopped or suspended, for damage limitation purposes for example.
- Preserve the data: preserving all the relevant information and data to facilitate any internal enquiries and/or responses to regulators and other third parties.
- Wider issues: whether the particular issue might have wider ramifications which might also need investigating.
- Internal governance: implementing a framework around the process of investigating the issue and preparing any responses, potentially to include establishing a working group, reporting lines, action tracking and record-keeping.
- Notifications: the extent to which third parties need to be informed such as regulators, the market, insurers or contractual counterparties.
- Advice and privilege: whether some internal or external legal advice might be helpful, bearing in mind that communications for the purpose of seeking or providing legal advice can be protected from disclosure to regulators and others by legal professional privilege.