In a nutshell: Key white-collar crime and investigations challenges for in-house counsel in 2026

1. Compliance effectiveness and data-driven third-party oversight: Authorities want evidence that controls work in practice, not policy excerpts. Boards will be judged on oversight records showing escalation, deadlines and follow-through. Keep audit-ready files evidencing risk-to-action across jurisdictions, third-party oversight and what changed post-investigation, and enforce record-keeping on approved channels with clear rationales for any overrides. Read about meeting the growing demand for data-driven proof of compliance effectiveness.
2. AI in investigations: opportunity, evidence and defensibility: GenAI speeds review of chat, collaboration and mobile data but needs validation, audit trails and explainability to be defensible. Be ready to justify tool choices, settings and human oversight to regulators. Treat AI tools as evidence sources (prompts, outputs, logs). Read more about AI and investigations: from a helping hand to a source of evidence.
3. Geopolitics, sanctions and cyber/operational resilience: Expect overlapping and sometimes conflicting sanctions, export controls, evidence access and cyber rules in different jurisdictions. Understanding the geopolitical backdrop to new laws and regulation will help when deciding how to conduct an investigation or respond to the authorities. Decisions by the authorities may have a national security context. Deep local knowledge will be crucial in conducting risk assessments and navigating what can often be conflicting requirements. Read about managing conflicting laws amid national security and geopolitical pressures.
4. Corporate criminal liability and investigation discipline: New and broadened offences (e.g., failure to prevent fraud) and shifting attribution tests raise baseline risk, while authorities probe the conduct of internal investigations. Ensure that compliance programs are robust across all relevant jurisdictions. Read about ensuring compliance programs keep up with new corporate criminal offenses and navigating evolving guardrails for internal investigations.
5. Illicit finance: organised crime, gold and crypto: Criminal groups exploit corporate structures, trade flows and professional services for trade-based money laundering and sanctions evasion. High gold prices fuel smuggling, recycling fraud and VAT/carousel schemes. The use of crypto is now routine in fraud and laundering. Expect focus on intermediaries and high-risk sectors, with asset freezes and non-conviction forfeiture. Tighten onboarding and trade-finance controls, provenance checks for gold-linked transactions, and on-chain screening and wallet governance for crypto exposure.
6. Cyber: There is a fragmented, high-risk cyber environment with unpredictable ransomware, state-linked attacks, and supply-chain failures. Expanding regulatory requirements mean faster, more complex incident reporting and increased coordination risks. Dependence on critical third-party technologies demands robust contingency planning and enforceable contract controls. Ransomware responses require sanctions and AML/CFT checks, documented decisions, and structured coordination with insurers and authorities. Boards and management are held more accountable, with whistleblowing emphasizing the need for clear reporting lines, strong disclosure controls, and regular cross-functional exercises. Read about managing cyber risk under escalating threat and enforcement pressure.
7. Data privacy, localisation and cross-border evidence: Data localisation and privacy rules, including in China, Hong Kong and Japan, continue to impact investigative planning. Pre-approve transfer mechanisms, and plan in-country hosting/review where exports are constrained. Our article on geopolitics considers obstacles to moving data across borders.
8. Speak-up systems and regulatory engagement: New whistleblowing regulations provide greater protections for whistleblowers and impose complex obligations on companies. With some authorities keen to incentivise external reporting (direct to the authorities) it is even more important now to ensure that the business has effective whistleblowing policies and procedures in place, and that employees are trained on these policies. More employees are using their personal devices to surreptitiously record whistleblowing conversations, disciplinary meetings, and investigations. Read more about how to ensure whistleblower programs are fit for 2026.
9. ESG disclosures and supply-chain accountability: Scrutiny of disclosures, product claims and due diligence is rising in the EU, with politicised risk in parts of the U.S. Tightening supply-chain rules (e.g., CS3D) demand evidence-based statements and risk-based diligence. Read more on evolving ESG-related enforcement risk.

A&O Shearman’s market-leading white-collar defense and global investigations practice takes a holistic, coordinated approach to navigating clients through criminal, regulatory and internal investigations, and can advise on managing all these challenges. Please contact the authors of this article or your normal A&O Shearman contact.

This article is part of the A&O Shearman Cross-border white-collar crime and investigations review 2026.