GRC Report Staff

The California Air Resources Board announced this week that it will postpone the state's first deadline for reporting Scope 1 and Scope 2 greenhouse gas emissions from August 10, 2026, to November 10, 2026. The extension is tied directly to the regulation itself, which remains unfinished. Rather than continue the approval process, CARB has withdrawn the package it submitted to the Office of Administrative Law, choosing instead to make what it describes as limited revisions that clarify certain requirements before asking regulators for final approval.

The European Insurance and Occupational Pensions Authority spent much of 2025 doing the kind of work that rarely attracts headlines but quietly determines whether supervision across Europe's insurance market moves in the same direction. A report published Friday traces that effort through country visits, technical reviews and cross-border coordination, while marking one notable expansion in scope: digital operational resilience has formally become part of the authority's oversight agenda.

The Italian Competition Authority has opened an investigation into Microsoft Ireland Operations and Microsoft, arguing that the company may have crossed that line when it increased the price of Microsoft 365 after incorporating its Copilot and Designer artificial intelligence services into the subscription.

Sweden's annual anti-money laundering reporting exercise has long been a familiar ritual. Each year, supervised firms answer the same set of questions, submit them to the Financial Supervisory Authority (FI), and move on. That routine is about to change. Beginning on 1 January 2027, the regulator will replace the existing reporting framework with an entirely new questionnaire that asks firms not simply what they do, but what kinds of risks they carry and how well their controls are built to contain them.

Australia's communications regulator has chosen its battles for the coming year, and the list says as much about where consumer harm is emerging as it does about where regulators believe industry performance still falls short. The Australian Communications and Media Authority's compliance and enforcement priorities for 2026–27 place emergency communications, telecommunications scams, consumer protections, and mobile device compliance at the center of its agenda.

Three times, CACEIS UK checked the Financial Services Register. Three times, it was presented with information showing that WealthTek lacked permission to hold certain client assets. Nothing happened that altered the course of the relationship. According to an enforcement action the UK's Financial Conduct Authority published Thursday, concluding that the asset servicing bank failed to respond appropriately to repeated warning signs while acting as WealthTek's sub-custodian.

Hotels have always occupied an awkward place in the privacy conversation. They are, by necessity, temporary custodians of strangers. Every day, people hand over names, identification, payment details, travel plans, and, for a night or a week, a remarkable amount of trust. The transaction has always depended on a simple understanding that you collect what you need, protect it while you have it, and let it go when you no longer do. Somewhere along the way, some establishments decided that making copies of passports, identity cards, and even both sides of customers' credit cards was simply part of doing business.