-
What are the national authorities for banking regulation, supervision and resolution in your jurisdiction?
The United Kingdom (UK) operates a “twin peaks” regulatory model separating prudential and conduct supervision across multiple authorities.
Prudential Regulation Authority (PRA): The PRA, which is part of the Bank of England (BoE), serves as the prudential regulator for banks, building societies and PRA-designated investment firms. Its primary objective is the safety and soundness of firms, with additional secondary objectives relating to competition, international competitiveness and growth. The secondary competitiveness and growth objective, introduced by the Financial Services and Markets Act 2023 (FSMA 2023), requires the PRA to facilitate (so far as reasonably possible) the international competitiveness of the UK economy and its growth in the medium to long term, subject to alignment with international standards. In practice, this creates a tension with prudential conservatism: the PRA must balance openness and proportionality against its primary safety and soundness mandate. The secondary objective influences consultation dynamics, cost-benefit analysis and the PRA’s approach to calibration decisions, though the extent to which it drives materially different outcomes remains subject to ongoing market and political scrutiny.
Financial Conduct Authority (FCA): The FCA is the conduct regulator for all authorised firms and the prudential regulator for firms outside the PRA’s remit. Its strategic objective is to ensure that markets function well, which is underpinned by operational objectives of consumer protection, market integrity and competition, with an additional secondary objective to advance competitiveness/growth.
Bank of England (BoE): The BoE acts as the UK resolution authority under the Banking Act 2009 (BA 2009) and leads on macro-prudential policy through the Financial Policy Committee.
Other bodies: The Financial Ombudsman Service (FOS) adjudicates eligible complaints and provides binding redress. The Payment Systems Regulator (PSR) oversees designated payment systems and their participants, though consolidation of the PSR into the FCA has been signalled by government. The BoE also exercises direct oversight of systemic payment systems and financial market infrastructures (FMIs), including the operation of CHAPS (the UK’s high-value sterling payment system) and the Real-Time Gross Settlement (RTGS) system underpinning settlement across UK payment systems. The Financial Services Compensation Scheme (FSCS) provides depositor protection. The Office of Financial Sanctions Implementation (OFSI) is responsible for sanctions enforcement. The Competition and Markets Authority (CMA) promotes competitive markets and protects consumers by investigating mergers, breaking up anti-competitive cartels, and enforcing consumer protection law.
The PRA and FCA exercise rule-making powers under the Financial Services and Markets Act 2000 (FSMA 2000). HM Treasury (HMT) retains overarching legislative competence and certain public interest intervention powers.
-
Which type of activities trigger the requirement of a banking license?
In the United Kingdom’s (UK) legislative, regulatory and supervisory framework, the legally operative perimeter is not the colloquial “bank” label but the regulated activity of accepting deposits under Part 4A of FSMA 2000 and the authorisation of “deposit-takers.”
For prudential purposes, the onshored UK Capital Requirements Regulation (UK CRR) and the PRA Rulebook use the term “credit institution,” but authorisation is granted under FSMA Part 4A permissions. The general prohibition under section 19 of FSMA 2000 makes it a criminal offence to carry on a regulated activity in the UK unless authorised or exempt.
In simple terms, a firm that accepts deposits or other repayable funds from the public and lends on its own account will ordinarily require authorisation and is supervised as a bank or building society. The specification of regulated activities and exclusions is set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (the RAO).
Lending alone does not trigger a banking licence requirement. Nor does safeguarding client money under payment services or e-money regimes, which are structurally distinct from deposit-taking.
-
Does your regulatory regime know different licenses for different banking services?
The UK regulatory regime does not operate a single unified “banking licence”. Instead, firms are authorised to carry on specific regulated activities through tailored permissions. Accepting deposits constitutes the core banking permission, but most full service banks also require additional permissions covering activities such as investment business, consumer credit, mortgage lending and insurance distribution.
Payment services and issuance of e-money are subject to separate authorisation regimes under dedicated legislation, under the Payment Services Regulations 2017 (PSR 2017) and the Electronic Money Regulations 2011 (EMR 2011), respectively.
Other activities fall under separate registration or authorisation regimes, including for certain mutual societies, consumer buy-to-let firms and specified cryptoasset firms for anti-money laundering and counter-terrorist financing (AML/CFT) purposes. HMT has also recently proposed new regulated activities for cryptoasset providers, which will likewise require authorisation by the FCA.
Mortgage Lending: Banks conducting regulated mortgage contracts must comply with the FCA’s Mortgages and Home Finance: Conduct of Business sourcebook (MCOB). MCOB imposes detailed requirements across the mortgage lifecycle, including responsible lending obligations, affordability assessments, disclosure and pre-contract information, advice standards, and arrears and repossession procedures. Banks must ensure that mortgage lending is affordable for borrowers, taking into account income, expenditure and the impact of potential interest rate increases. Second charge mortgages are subject to MCOB requirements following implementation of the Mortgage Credit Directive. Consumer buy-to-let lending falls outside MCOB but may be subject to separate regulatory requirements.
Consumer Credit: Banks offering consumer credit products (personal loans, credit cards, overdrafts) must hold the relevant FSMA 2000 permission and comply with the FCA’s Consumer Credit sourcebook (CONC). CONC sets out conduct requirements including creditworthiness assessments, pre-contract disclosure, post-contract information and statements, arrears and default procedures, and debt collection practices. Affordability assessments must consider whether the borrower can sustainably repay the credit without undue difficulty. The FCA has particular expectations around high-cost credit, persistent debt and vulnerability. Consumer Duty (described below) requirements apply in addition to CONC for retail credit products.
The Consumer Duty, which came into force for open products and services in July 2023 and for closed products in July 2024, represents a fundamental shift in the FCA’s approach to retail conduct regulation and is currently one of the FCA’s dominant supervisory themes. The Duty applies to all firms in the distribution chain that can influence retail customer outcomes, including banks offering retail products and services. For closed books (products no longer available for sale but with existing customers), the FCA expects firms to review whether closed products continue to deliver fair value and good outcomes, taking remedial action where deficiencies are identified.
The Consumer Duty comprises a Consumer Principle (Principle 12) requiring firms to act to deliver good outcomes for retail customers, supported by three cross-cutting rules: (i) act in good faith towards retail customers; (ii) avoid causing foreseeable harm to retail customers; and (iii) enable and support retail customers to pursue their financial objectives. These are underpinned by four outcome rules and overarching obligations:
- Products and Services Outcome: Firms must ensure that products and services are designed to meet the needs, characteristics and objectives of a target market, and are distributed appropriately. This requires robust product governance, target market identification and ongoing review.
- Price and Value Outcome: Firms must ensure that the price of products and services represents fair value for retail customers. Fair value assessments must consider the relationship between price paid and the benefits received, taking into account the nature of the product, limitations, expected total cost and the target market.
- Consumer Understanding Outcome: Firms must ensure that communications equip retail customers to make effective, timely and properly informed decisions. Communications must be clear, fair and not misleading, appropriately targeted and tested where necessary.
- Consumer Support Outcome: Firms must provide support that meets the needs of retail customers, including those with characteristics of vulnerability. Support must be available through appropriate channels, provided without unreasonable barriers and enable customers to realise the benefits of products and to act in their interests.
- Governance and MI obligations: Boards and senior management must oversee compliance with the Consumer Duty. Firms must establish appropriate governance, management information and reporting to monitor customer outcomes, identify poor outcomes and take remedial action. The Senior Managers and Certification Regime (SM&CR) allocates responsibility for Consumer Duty compliance to identified Senior Managers. The FCA places significant emphasis on firms’ ability to evidence good outcomes through robust management information – “paper compliance” without demonstrable customer outcomes will not satisfy supervisory expectations. Fair value assessments must be documented and capable of scrutiny. Firms bear an evidential burden to demonstrate compliance with the Duty, and the FCA has indicated it will request data underpinning assessments and test assumptions through supervisory engagement.
- Complaints Handling obligations: Banks must operate robust complaints handling procedures in accordance with the FCA’s Dispute Resolution: Complaints sourcebook (DISP). Complaints must be handled fairly, consistently and promptly. Firms must identify the root causes of complaints and take appropriate remedial action. Eligible complainants may refer unresolved complaints to FOS, whose decisions are binding on firms up to applicable limits. Banks must report complaints data to the FCA and publish summary complaints information.
-
Does a banking license automatically permit certain other activities, e.g., broker dealer activities, payment services, issuance of e-money?
A banking licence (authorisation to accept deposits) does not automatically permit other activities. Firms must specifically apply for the relevant permission for each regulated activity:
- Broker-dealer activities: Investment firms require separate authorisation under the UK Markets in Financial Instruments Directive (MiFID) framework and the Investment Firms Prudential Regime (IFPR) administered by the FCA.
- Payment services: These are governed by the PSR 2017, with client funds safeguarded but not classified as “deposits.”
- Issuing e-money: Issuing e-money is a regulated activity under the RAO for banks or electronic money institutions authorised under the EMR 2011.
- Besides banks (credit institutions), UK-authorised payment institutions and e-money institutions are regulated under dedicated regimes.
Firms should map proposed business lines against the RAO and relevant perimeter guidance to determine whether activities are regulated and, if so, the appropriate licensing route.
-
Is there a "sandbox" or "license light" for specific activities?
The UK does provide streamlined authorisation pathways for certain circumstances:
- Mobilisation Phase: The PRA offers, where suitable, an optional “mobilisation” phase (authorisation with restrictions) to support orderly build-out following authorisation. New banks may elect to enter mobilisation – typically for a few months and no longer than 12 months – with constrained deposit-taking while completing systems, staffing and third-party arrangements.
- Small Domestic Deposit Taker (SDDT) Regime: The PRA is introducing a more proportionate and simplified prudential framework for SDDTs, easing certain governance and liquidity requirements proportionately, with fuller implementation aligned to Basel 3.1 timelines, while preserving safety and soundness.
- FCA Regulatory Sandbox: The FCA operates a Regulatory Sandbox allowing firms to test innovative financial services in a controlled environment. This does not waive core licensing requirements but may permit restricted authorisation, tailored supervision or time-limited waivers or modifications. There is no permanent “licence light” for deposit-taking.
- Digital Securities Sandbox (DSS): Under the Digital Securities Sandbox Regulations 2023, the BoE and FCA may authorise and supervise FMIs that use distributed ledger technology (DLT) for operating a trading venue or settlement of digital securities. The Sandbox will run until 2028 and introduces temporary modifications to UK Markets in Financial Instruments Regulation (UK MiFIR), Central Securities Depositories Regulation (UK CSDR) and settlement finality rules.
-
What regulatory restrictions or authorisation requirements apply to banks engaging in the issuance, custody or provision of services relating to cryptoassets or other digital assets?
There is no general moratorium on the issuance or custody of cryptoassets in the UK. Banks may provide certain crypto-related services within the scope of their permissions, subject to PRA and FCA expectations on custody, market integrity, operational resilience and prudential risk management.
The UK has implemented a dedicated financial promotions regime for cryptoassets which requires firms to ensure all retail-facing materials meet heightened standards on risk warnings, do not exploit behavioural biases, and are capable of being withdrawn or amended rapidly as market conditions change.
Under FSMA 2023, the UK is implementing a phased regulatory regime for fiat-backed stablecoins used for payments, including prudential, safeguarding, redemption and conduct rules for issuers and payment service providers. A broader regime for cryptoasset exchanges, custody providers and issuance activities is being finalised, expected to follow an FSMA-style authorisation perimeter.
Banks offering crypto-related services must ensure robust custody controls, booking arrangements, segregation of client assets and operational resilience consistent with elevated AML/CFT risks.
-
Can cryptoassets or digital assets constitute "deposits" or equivalent protected funds under applicable law, and are they capable of benefiting from depositor protection, client asset safeguarding or segregation regimes?
Cryptoassets do not qualify as “deposits” under FSMA 2000. Accordingly, they are not covered by the FSCS deposit guarantee, they are not treated as safeguarded deposits, and custody arrangements are contractual and regulatory (if in scope), but not protected under the deposit guarantee scheme. The framework distinguishes between:
- Deposits accepted by authorised deposit-takers (protected by FSCS)
- Client funds held by payment institutions and e-money institutions, which are safeguarded but not treated as “deposits”
The FSCS provides deposit protection up to £85,000 per eligible depositor per firm for traditional deposits. Banks offering crypto-related services must ensure robust custody controls, booking arrangements and segregation of client assets.
-
If cryptoassets are held by the licensed entity, what are the related capital requirements (risk weights, etc.)?
The capital requirements for UK banks holding cryptoassets are currently in a transitional state. The UK has not yet transposed the Basel Committee on Banking Supervision (BCBS) standard on cryptoasset exposures into domestic rules, and the PRA is not expected to consult on implementation until Q4 2026. In the interim, UK banks must rely on the existing prudential framework, guided by PRA supervisory communications, while having regard to the international Basel standard in their business and capital planning. Broadly the BCBS standard provides:
- Unbacked cryptoassets (e.g. Bitcoin) attract a 1250% risk weight (effectively requiring full capital deduction)
- Tokenised traditional assets are treated according to the underlying exposure
- Certain stablecoins may receive more favourable treatment if meeting prudential criteria
Capital requirements depend on classification, exposure type and balance sheet treatment. Banks must calibrate governance, safeguarding and booking controls commensurate with risk. Banks participating in the DSS as dealers, custodians or settlement agents must ensure robust custody/control frameworks, clear segregation of digital asset entitlements and alignment of smart-contract governance with operational resilience expectations.
-
What is the general application process for bank licenses and what is the average timing?
Process: Pre-application engagement with the PRA and the FCA is strongly encouraged and expected for prospective banks. Applications are made via the PRA (email submission) for PRA-regulated activities such as deposit-taking and via the FCA’s Connect for FCA-regulated activities. Both regulators will make a decision independently on whether or not to authorise the firm – while the PRA will make the final decision on the application, it may only authorise a firm with the FCA’s consent.
A complete application must evidence that the firm will meet and continue to meet the “Threshold Conditions” for both regulators (Schedule 6 FSMA 2000). Importantly, the Threshold Conditions are continuing conditions of authorisation – ongoing breach may result in variation or cancellation of Part 4A permission. The substantive Threshold Conditions include: (i) the location of offices condition, requiring the firm’s head office and, if a body corporate incorporated in the UK, its registered office to be in the UK, and for the firm’s affairs to be directed and managed in the UK (often referred to as “mind and management”); (ii) the appropriate resources condition, requiring adequate financial resources (capital and liquidity) and non-financial resources (systems, controls, human resources); (iii) the suitability condition, addressing the fitness and propriety of the firm and its controllers, including competence, reputation and financial soundness; (iv) the effective supervision condition, requiring that the firm’s group structure does not prevent effective supervision, including transparency of ownership and control; and (v) the business model condition, requiring that the business the firm proposes to carry on is consistent with the firm’s meeting the other Threshold Conditions on a continuing basis. Typical core components of an application include:
- A tailored regulatory business plan setting out the business model, governance, customer journey, compliance architecture, complaints, staff training, capital and liquidity and key policies and procedures
- Controllers’ forms for each proposed controller, with clear ownership and control maps
- The SM&CR applications for designated Senior Management Functions and allocation of prescribed responsibilities
- Financial information including forward projections and a credible wind-down plan
- ICAAP and ILAAP documentation to formally set out the capital and liquidity information
- Recovery plan
- Risk management framework – adequacy of policies and procedures for managing prudential and conduct risks.
Timing: The statutory determination period is 6 months for complete applications (three months for insurance distribution only) and up to 12 months if incomplete. In practice, pre-application engagement may take 6–12 months, with total timelines often 12–24 months depending on the quality of pre-application preparation and the completeness and coherence of the initial submission. The appropriate regulator, at any time after receiving an application and before determining it, has the power to require the applicant to provide further information as the regulator reasonably considers necessary.
-
To what extent may foreign or overseas banks conduct cross-border banking activities into the jurisdiction without establishing a local presence or obtaining local authorisation, and what limitations or conditions apply?
Pure cross-border provision from overseas without a UK place of business raises complex perimeter questions. For accepting deposits, the activity is typically regarded as carried on where the account is located, but marketing restrictions and other regime-specific requirements still apply.
Under the former passporting regime, financial services firms in any European Economic Area (EEA) member state could use their home state authorisation to establish a presence or carry out permitted regulated activities in the UK without being separately authorised by the PRA or the FCA. Following Brexit, EEA firms can no longer passport into the UK. Third-country firms require UK authorisation to establish a branch or subsidiary to carry on regulated activities in the UK.
Overseas Persons Exclusion: The RAO provides an exclusion for “overseas persons” in certain circumstances, allowing non-UK firms to deal with or through UK authorised persons or otherwise on a limited basis without triggering the requirement for UK authorisation. The exclusion is narrowly construed and does not apply to accepting deposits. Reliance on the overseas persons exclusion requires careful analysis of the specific activity, the counterparty and the manner in which business is conducted. The exclusion may be relevant for wholesale investment services and certain dealing activities but is subject to significant limitations and should not be relied upon without specific legal advice.
Equivalence Decisions: Following Brexit, the UK operates an independent equivalence framework for third-country regimes. HMT may make equivalence determinations recognising that third-country regulatory and supervisory frameworks achieve equivalent outcomes to UK requirements. Equivalence may facilitate cross-border access in specific areas (e.g., central clearing, credit rating agencies, trade repositories) but does not provide a general passporting substitute. The UK has made equivalence determinations for certain jurisdictions and activities, but the framework remains selective. Equivalence status may be granted, varied or withdrawn unilaterally by HMT.
The PRA operates a risk-based framework for Third-Country Branches (TCBs), focusing on:
- The scale and risk profile of UK activities as to whether the firm has the capacity to cause significant disruption to the UK financial system
- Supervisory cooperation and equivalence of home jurisdiction oversight
- Booking arrangements and local risk management of UK-generated risks
- Resolution cooperation and resolvability
The PRA may require subsidiarisation where warranted by systemic footprint, criticality of services or insufficient home-host cooperation.
The regulatory treatment of TCBs differs materially from UK-incorporated subsidiaries. TCBs are not subject to local capital requirements (capital adequacy being assessed at the home jurisdiction level), though the PRA may impose local liquidity requirements where UK activities give rise to material liquidity risk or where the home jurisdiction framework is not considered equivalent. TCB deposits are not protected by the FSCS (depositors must look to home jurisdiction protection schemes), which may affect customer acceptance and business model viability for retail-facing TCBs. From a resolution perspective, TCBs are subject to their home authority’s resolution strategy, which may create coordination challenges and creditor hierarchy complexities. The PRA increasingly scrutinises booking models, expecting UK-generated risks to be managed and controlled within the UK rather than booked through to overseas head offices without adequate local oversight. These factors are particularly relevant post-Brexit as the UK assesses applications from EU banks seeking to establish or maintain UK branch operations.
-
What legal forms are permitted to operate banks in the jurisdiction (e.g. public company, private company, subsidiary or branch), and what are the key regulatory considerations associated with each structure?
Any person (individual, body corporate, partnership or unincorporated association) must either be authorised or exempt under FSMA 2000 to carry on regulated banking activities in the United Kingdom.
Non-UK banks may operate through a UK-authorised subsidiary or a UK branch, subject to regulatory approval. Building societies are subject to parallel frameworks under specialist legislation and PRA rules.
UK banking groups may include financial holding companies and mixed-activity holding companies subject to consolidated supervision by the PRA.
Banks commonly operate as public limited companies, private limited companies or, in the case of mutuals, building societies. Other legal forms are possible but are rarely used in practice.
-
Does the jurisdiction impose any structural separation or ring-fencing requirements on banks or banking groups, and what practical challenges do these create for group structures and operations?
Large UK banking groups with core retail activities are subject to ring-fencing requirements under the Financial Services (Banking Reform) Act 2013 and secondary legislation. The regime currently applies to banking groups with more than £25 billion of “core deposits” from individuals and small businesses, though recent reforms under the Banking Reform Programme will raise this threshold to £35 billion. Ring-fenced bodies (RFBs) must be legally, economically and operationally independent within their groups. Core activities (accepting deposits from individuals and small businesses) must be conducted within the RFB, whilst “excluded activities” (principally dealing in investments as principal and commodities trading) are prohibited. RFBs are subject to geographic restrictions limiting operations to the UK and EEA, exposure limits to other financial institutions (with exemptions for certain central bank, payment system and clearing exposures), and must transact with other group entities on arm’s-length terms. Complex service company structures are typically required to ensure operational continuity whilst maintaining independence. The 10% core deposits threshold (determining whether a firm has significant UK retail activities) remains a key jurisdictional marker for the regime’s application.
Practical challenges include the need to maintain separate governance structures, systems and personnel for ring-fenced and non-ring-fenced activities. Groups must manage intragroup exposures carefully and ensure operational independence while coordinating group-wide functions. The PRA supervises compliance with ring-fencing requirements and may take enforcement action for breaches.
Ring-fencing does not apply to all banks – only those meeting specified thresholds. The Government has announced reforms to the ring-fencing regime through the Banking Reform Programme, which may adjust thresholds and scope in the coming years.
-
What governance, risk management and internal control requirements apply to banks, including expectations regarding board composition, management oversight, committee structures and organisational culture?
UK banks are subject to robust organisational and governance requirements designed to ensure effective oversight, clear accountability and prudent risk management. Firms must maintain a coherent organisational structure with clearly defined lines of responsibility, supported by independent and adequately resourced risk management, compliance and internal audit functions operating in accordance with three-lines-of-defence principles (whereby business units own risk, risk and compliance functions provide oversight and challenge, and internal audit provides independent assurance).
Board composition and oversight: Boards must include an appropriate mix of executive and independent non-executive directors with relevant expertise. The Chair must be independent. Board committees – including audit, risk, remuneration and nomination committees – must be established with clear mandates and appropriate membership.
Risk management: Banks must operate documented risk appetite frameworks approved by the board, with effective data aggregation and reporting consistent with BCBS 239 principles (the Basel Committee’s principles for effective risk data aggregation and risk reporting). Risk management functions must be independent of business lines with direct board access.
Organisational culture: Boards are responsible for promoting a sound risk culture and embedding conduct expectations, including the Consumer Duty (a regulatory framework requiring firms to deliver good outcomes for retail customers) for retail business. The SM&CR establishes individual accountability, requiring pre-approval of Senior Management Functions, allocation of prescribed responsibilities, and maintenance of governance maps and Statements of Responsibilities.
Financial crime and sanctions: UK banks are subject to comprehensive AML/CFT obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000. Banks must apply risk-based customer due diligence (CDD), including enhanced due diligence for higher-risk situations such as politically exposed persons (PEPs), correspondent banking relationships and high-risk third countries. Recent reforms have introduced proportionality guidance on PEP treatment for domestic PEPs, particularly in the context of parliamentary and public scrutiny. Ongoing monitoring of business relationships and transactions is required, with suspicious activity reports (SARs) submitted to the National Crime Agency (NCA) where money laundering or terrorist financing is known or suspected – the obligation to report arises under POCA and is central to the UK’s financial crime framework. The SM&CR designates a Senior Manager responsible for AML compliance (SMF17 – Money Laundering Reporting Officer function), ensuring board-level accountability for financial crime controls. The FCA conducts thematic reviews of financial crime systems and controls, with recent focus areas including trade-based money laundering, sanctions evasion and proliferation financing. The FCA expects banks to maintain adequate AML/CFT policies, procedures and controls, including sanctions screening, transaction monitoring and staff training, with board and senior management accountability under SM&CR. UK sanctions obligations require banks to screen against HM Treasury’s consolidated list and comply with asset freeze, sectoral and trade restrictions. 
The Economic Crime and Corporate Transparency Act 2023 introduced a “failure to prevent fraud” offence for large organisations, under which banks may be criminally liable where an associated person commits a specified fraud offence intending to benefit the organisation, unless reasonable fraud prevention procedures were in place.
-
What operational resilience requirements apply to banks, including expectations relating to critical or important business services, impact tolerances, and the management of operational disruptions?
UK banks are subject to robust operational resilience requirements under the PRA and FCA frameworks. The regime requires firms to identify important business services, set impact tolerances, and ensure they can remain within those tolerances through severe but plausible scenarios.
Key requirements include:
- Identification of important business services and mapping of dependencies, including people, processes, technology, facilities and third parties
- Setting impact tolerances that represent the maximum tolerable disruption to each important business service
- Scenario testing to demonstrate the ability to remain within impact tolerances during severe but plausible disruptions
- Self-assessment documentation demonstrating compliance with operational resilience expectations
- Boards bear ultimate responsibility for operational resilience, with Senior Managers accountable under the SM&CR for their respective areas.
The regime has been fully in force since March 2025, with firms expected to demonstrate mature operational resilience capabilities.
-
What regulatory expectations apply to banks’ outsourcing arrangements, including the use of cloud service providers and reliance on critical third-party service providers?
The PRA and FCA (notably in the FCA’s Systems and Controls Sourcebook (SYSC)) impose comprehensive outsourcing requirements on banks. Firms must maintain appropriate governance, risk management and oversight of all outsourcing arrangements, with enhanced requirements for material outsourcings.
Key regulatory expectations include: maintaining an up-to-date register of outsourcing arrangements; ensuring contractual provisions for regulatory access, audit rights and exit strategies; conducting due diligence on service providers; monitoring ongoing performance; and managing concentration risk across providers. For cloud services, firms must address data security, business continuity, data localisation requirements and substitutability.
-
How do environmental, social and governance (ESG) and climate-related regulatory requirements affect banks, including governance, risk management, disclosures and prudential supervision?
UK banks are subject to increasing ESG and climate-related regulatory requirements. The PRA’s supervisory expectations (SS3/19) require firms to embed climate-related financial risks into governance, risk management, scenario analysis and disclosures.
- Key requirements include board-level oversight of climate risk; integration of climate considerations into risk appetite and frameworks; physical and transition risk assessment in credit, market and operational risk; and climate scenario analysis aligned with Bank of England expectations.
- Disclosure obligations are evolving. Listed companies and large private companies are subject to disclosures aligned with the Task Force on Climate-related Financial Disclosures (TCFD) framework. The UK is progressing towards sustainability reporting aligned with the International Sustainability Standards Board (ISSB) standards. The FCA scrutinises sustainability-related claims and disclosures, with greenwashing (making misleading or unsubstantiated claims about environmental credentials) a supervisory priority.
- The PRA expects firms to integrate climate considerations into the ICAAP, including through exploratory scenarios, and to consider the impact of the transition to net zero on business models and credit portfolios.
-
What regulatory restrictions or requirements apply to banks’ remuneration policies, including bonus caps, deferral, malus and clawback, and how are these enforced in practice?
UK banks are subject to the PRA and FCA Remuneration Codes, which apply on a proportional basis and focus on promoting sound risk management and discouraging excessive risk-taking.
Key requirements include: an appropriate balance between fixed and variable remuneration; deferral of a portion of variable pay over at least four years for senior staff; delivery of a meaningful proportion in instruments such as shares; robust malus (reduction of unvested variable pay) and clawback (recovery of paid variable remuneration) arrangements allowing firms to reduce or recover variable pay where appropriate; restrictions on guaranteed bonuses beyond the first year of employment; and termination payments that do not reward failure. While the UK has removed the EU-era bonus cap, proportionality principles still apply. Performance assessment must reflect risk-adjusted outcomes and conduct, not just financial performance. Pillar 3 remuneration disclosure obligations apply to larger institutions. The PRA and FCA supervise compliance and may take enforcement action for material breaches.
-
Has your jurisdiction implemented the Basel III framework with respect to regulatory capital? Are there any major deviations, e.g., with respect to certain categories of banks?
The UK has implemented Basel III through the UK CRR, the PRA Rulebook and supervisory statements, with ongoing Basel 3.1 finalisation via PRA reforms.
The regime includes: Pillar 1 risk-based capital minima (total capital 8% of risk-weighted assets (RWA), with Common Equity Tier 1 (CET1) at 4.5% and Tier 1 at 6.0%), overlaid by combined buffers (Capital Conservation Buffer (CCB), Countercyclical Capital Buffer (CCyB) and systemic buffers for Global Systemically Important Institutions (G-SIIs) and Other Systemically Important Institutions (O-SIIs)); leverage ratio requirements for larger institutions; liquidity standards (Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR)); large exposures limits; and Pillar 2 Internal Capital Adequacy Assessment Process (ICAAP) / Internal Liquidity Adequacy Assessment Process (ILAAP) with Supervisory Review and Evaluation Process (SREP)-driven add-ons for idiosyncratic risks. The PRA conducts the SREP to assess firms’ capital and liquidity adequacy beyond Pillar 1 minima. Through SREP, the PRA sets: (i) the Pillar 2 Requirement (P2R), representing binding capital requirements to address risks not adequately captured by Pillar 1; (ii) Pillar 2 Guidance (P2G), representing non-binding guidance on the additional capital the PRA expects a firm to hold to absorb losses in stressed conditions; and (iii) firm-specific buffer requirements where applicable. The interaction between P2R, P2G and combined buffers determines the Maximum Distributable Amount (MDA) threshold – the point below which automatic restrictions apply to distributions including dividends, variable remuneration and Additional Tier 1 (AT1) coupon payments. Firms must carefully manage their capital stack to maintain headroom above the MDA threshold and articulate this in ICAAP submissions.
Basel 3.1 implementation is currently targeted from 1 January 2027, migrating substantial prudential content from the UK CRR to the PRA Rulebook. The PRA is implementing a simplified regime for Small Domestic Deposit Takers (SDDTs) to tailor requirements proportionately for smaller firms. This represents a deviation from strict Basel application, providing reduced complexity for banks below defined thresholds while preserving safety and soundness.
Credit Risk Framework: UK banks apply either the Standardised Approach (SA) or, with PRA approval, the Internal Ratings-Based (IRB) Approach to credit risk. The SA applies prescribed risk weights based on exposure class and, where applicable, external credit assessments. The IRB Approach permits banks to use internal models to estimate probability of default (PD), loss given default (LGD), exposure at default (EAD) and, for advanced IRB, maturity. Model approval requires demonstration of robust data, validation and governance, and is subject to intensive PRA scrutiny. IRB model permissions require formal PRA approval, and subsequent material model changes are subject to regulatory notification or approval processes. The PRA has increasingly signalled scepticism towards advanced modelling approaches, emphasising conservatism in model outputs and the limitations of internal models in capturing tail risks. Basel 3.1 implementation will introduce an output floor (a minimum capital requirement ensuring that risk-weighted assets calculated using internal models cannot fall below a specified percentage of standardised calculations), limiting the benefit of internal models to no lower than 72.5% of standardised calculations, further constraining IRB capital benefits. Firms should anticipate continued supervisory challenge on model risk governance, parameter calibration and use-test compliance. Credit risk mitigation techniques (guarantees, collateral, netting) may reduce capital requirements subject to eligibility and haircut requirements.
Counterparty Credit Risk: Banks with derivatives, securities financing transactions (SFTs) (such as repurchase agreements and securities lending) and long settlement transactions must calculate counterparty credit risk (CCR) exposures. Methods include the Standardised Approach for Counterparty Credit Risk (SA-CCR) or, with approval, the Internal Model Method (IMM). Credit valuation adjustment (CVA) capital charges apply to reflect mark-to-market losses (changes in fair value) from counterparty creditworthiness deterioration. Central clearing through qualifying central counterparties (QCCPs) attracts preferential capital treatment. Netting agreements and collateral arrangements may reduce exposures subject to legal enforceability and operational requirements.
Interest Rate Risk in the Banking Book (IRRBB): Banks must measure, monitor and control interest rate risk arising from non-trading activities. The PRA expects firms to assess the impact of interest rate changes on both economic value of equity (EVE) and net interest income (NII) under a range of scenarios, including the six prescribed supervisory shock scenarios. IRRBB forms part of the ICAAP and Pillar 2 assessment. Banks must maintain robust governance, limits and hedging strategies commensurate with the scale and complexity of their banking book exposures.
Market Risk: Banks with trading book exposures (being positions held for short-term trading rather than held to maturity) are subject to market risk capital requirements. The current framework permits use of the Standardised Approach or, with approval, internal models (Internal Models Approach or IMA). Basel 3.1 implementation will introduce the Fundamental Review of the Trading Book (FRTB), replacing existing methodologies with a revised Standardised Approach and IMA featuring more granular risk factor treatment, expected shortfall measures (a risk measure capturing tail losses beyond value-at-risk) and stricter model approval standards. The trading book boundary will be subject to enhanced documentation and reclassification controls.
-
Are there any requirements with respect to the leverage ratio?
The PRA imposes a binding leverage ratio on the largest banks, expressed as Tier 1 capital over total exposures. The current minimum is 3.25%, with buffer add-ons for certain firms. The PRA has consulted on raising the threshold for scope (for example to £70 billion of retail deposits). G-SII leverage buffer add-ons apply where applicable.
-
What liquidity requirements apply? Has your jurisdiction implemented the Basel III liquidity requirements, including regarding LCR and NSFR?
The UK has implemented the Basel III liquidity requirements. The regime includes the LCR and NSFR, with asset eligibility and calibration aligned to UK CRR and PRA policy. All banks are subject to the LCR and must maintain adequate liquidity resources in amount and quality to meet liabilities as they fall due. The PRA may issue firm-specific Individual Liquidity Guidance (ILG) under Pillar 2. Liquidity requirements include compliance with the LCR and NSFR, supported by qualitative PRA liquidity rules on governance, monitoring and reporting. ILAAPs must demonstrate a robust funding strategy, diversified and stable funding sources, collateral management and contingency funding plans, with credible management actions under stress.
Stress Testing: The BoE conducts an Annual Cyclical Scenario (ACS) stress test for the UK’s major banks and building societies, assessing resilience to a severe but plausible macroeconomic scenario. ACS results inform the setting of the stress capital buffer (SCB) for individual firms, which forms part of the combined buffer requirement. Beyond the ACS, banks are expected to conduct reverse stress testing – identifying scenarios that would render the firm non-viable – as part of their risk management and ICAAP processes. Stress testing forms a critical input to capital planning, recovery planning and supervisory dialogue. The interaction between stress test results, ICAAP self-assessments and SREP outcomes shapes the PRA’s view of a firm’s capital adequacy and informs any additional Pillar 2 requirements. Firms should ensure stress testing capabilities, governance and integration with strategic decision-making meet supervisory expectations.
-
Which different sources of funding exist in your jurisdiction for banks from the national bank or central bank?
UK banks may access a range of liquidity facilities provided by the Bank of England, including standing facilities, the Discount Window Facility, indexed long-term repo operations and, in stressed conditions, the Contingent Term Repo Facility or Emergency Liquidity Assistance. Access is subject to eligibility and collateral requirements. Banks are expected to demonstrate liquidity mobilisation capabilities, including operational readiness to access secured central bank facilities in resolution.
-
Do banks have to publish their financial statements? Is there interim reporting and, if so, in which intervals?
Banks are subject to Pillar 3 disclosure requirements, which include public disclosure of information. Disclosure under Pillar 3 remains a core market discipline tool, with enhanced templates expected as Basel 3.1 is finalised. Banks must publish annual audited financial statements under Companies Act requirements and regulatory disclosure (Pillar 3). Listed banks publish semi-annual reports.
Regulatory Reporting: UK banks are subject to comprehensive regulatory reporting obligations. Under the PRA Rulebook and the FCA’s Supervision manual (SUP), banks must submit periodic prudential returns covering capital, liquidity, large exposures, funding and other metrics – functionally equivalent to the EU’s COREP and FINREP templates but increasingly UK-specific as the regulatory framework diverges post-Brexit. Returns are submitted through the FCA’s RegData platform (which has replaced the legacy GABRIEL system). The PRA also requires specific returns including liquidity monitoring, IRRBB, leverage ratio and resolution-related submissions. Stress testing submissions form a key part of the reporting calendar, with data requests aligned to the BoE’s Annual Cyclical Scenario (ACS) exercise for larger firms. Data governance expectations have intensified, with the PRA expecting robust data quality, timely aggregation capabilities and clear accountability for regulatory reporting accuracy.
-
Does consolidated supervision of a bank exist in your jurisdiction? If so, what are the consequences?
Yes, UK banking groups, including financial holding companies and mixed-activity holding companies, are subject to consolidated supervision by the PRA. Consolidated supervision applies at group level and entails group-wide capital and liquidity requirements, intragroup exposure monitoring, and resolution planning. Group structures must support effective supervisory oversight, including appropriate governance, information flows and AML/CFT controls across UK and non-UK entities. Internal restructurings, such as where thresholds are crossed or control is altered, may require regulatory notification or approval where they affect prudential consolidation, resolution strategies or supervisory cooperation. Firms should assess the structure and impact of internal reorganisations against the regime’s thresholds and the regulators’ emphasis on sound and prudent management.
-
What reporting and/or approval requirements apply to the acquisition of shareholdings in, or control of, banks?
Prior approval is required under the UK change in control regime in Part 12 of FSMA 2000 for any person proposing to acquire or increase “control” over a UK authorised firm, including banks. Increasing control is measured in terms of the percentage of shares acquired, the percentage of voting powers held or becoming a parent.
Notification Thresholds: Prior notification and approval are required when crossing 10%, 20%, 30% or 50% thresholds, or to become the authorised firm’s parent. Disposals crossing the same thresholds are also subject to notification.
Process: Notifications must be made to the appropriate regulator before the proposed acquisition occurs. The statutory assessment period begins once the regulators acknowledge a complete notification and may be paused for information requests. Applications may be approved unconditionally, approved subject to conditions, or refused. Proceeding without approval is a criminal offence.
-
Does your regulatory regime impose conditions for eligible owners of banks (e.g., with respect to major participations)?
The PRA/FCA jointly assess acquirers against harmonised criteria reflecting EU practice and joint supervisory guidance. The assessment addresses:
- The acquirer’s reputation and financial soundness in relation to the type of business pursued by the authorised person
- The likely influence that the acquirer will have on the authorised person
- The reputation, knowledge, skills and experience of proposed appointees
- The authorised person’s ongoing capacity to meet prudential and conduct requirements post-transaction
- Where the authorised person is to become part of a group due to the proposed acquisition, whether the group structure enables regulators to effectively supervise, exchange information and allocate responsibility for supervision
- The risks of money laundering or terrorist financing
A “qualifying holding” in the UK CRR context is broadly a direct or indirect holding of 10% or more of capital or voting rights, or any holding otherwise enabling significant influence over management.
-
Are there specific restrictions on foreign shareholdings in banks?
The documents do not identify specific restrictions on foreign shareholdings in UK banks. However:
- Prospective investors from jurisdictions not compliant with the standards of the Financial Action Task Force (FATF) (the inter-governmental body setting international AML/CFT standards) face elevated scrutiny given money laundering/terrorist financing risk is a mandatory assessment criterion
- Investors from jurisdictions with weaker AML/CFT frameworks can expect heightened scrutiny given the mandatory focus on financial crime risk
-
Is there a special regime for domestic and/or globally systemically important banks?
Ring-Fencing: Large UK banking groups with core retail activities are subject to ring-fencing, separating retail banking services within ring-fenced bodies (RFBs) from investment and certain wholesale activities. Governance, exposures, location and services restrictions apply to protect continuity of critical retail services. RFBs are prohibited from specified trading and exposures to certain financial institutions and must be legally, economically and operationally independent within their groups.
G-SIIs and O-SIIs: Systemic buffers apply for G-SIIs and O-SIIs. UK G-SIIs must also meet Total Loss-Absorbing Capacity (TLAC) standards.
Minimum Requirement for Own Funds and Eligible Liabilities (MREL): The BoE calibrates firm-specific MREL in line with the preferred resolution strategy. Major banks are assessed by the BoE for resolvability against three outcomes: adequate financial resources, continuity and restructuring, and management, governance and communication.
-
What are the sanctions the regulator(s) can order in the case of a violation of banking regulations?
The UK regulators have wide enforcement and information-gathering powers in the event of presumed regulatory breaches. Sanctions may include business restrictions, variation or withdrawal of permissions, and requirements for remediation, including the appointment of skilled persons or the provision of senior management attestations, as well as public censure and financial penalties for serious breaches. As a matter of practice, the PRA and FCA deploy a range of routine supervisory tools distinct from formal enforcement action. These include the use of section 165 FSMA information-gathering powers to compel production of documents and information, section 166 Skilled Person Reports (discussed further below) to obtain independent assurance on specific matters, and section 166A powers to appoint investigators. These tools are frequently used proactively as part of ongoing supervisory engagement rather than reserved solely for enforcement scenarios, reflecting the UK’s intensive supervisory model.
Regulators may also impose conditions on ownership or governance, require the disposal of shareholdings, or prohibit individuals from performing regulated functions. Senior Managers may face enforcement action for breach of the Duty of Responsibility. Proceeding with notifiable transactions such as an acquisition without regulatory approval may constitute a criminal offence.
Firms and individuals subject to certain regulatory decisions have a right to refer the matter to the Upper Tribunal (Tax and Chancery Chamber). Referable decisions include decisions to refuse or restrict authorisation, issue prohibition orders, impose disciplinary sanctions, or publish warning or decision notices. The Upper Tribunal conducts a full merits review and may uphold, vary or dismiss the regulator’s decision. Before a final decision is taken, recipients of warning notices may make representations to the Regulatory Decisions Committee (RDC), an independent body within the FCA that makes contested enforcement decisions. Time limits for referral to the Upper Tribunal are strict and run from the date of the decision notice.
Skilled Persons Reports (Section 166): The PRA and FCA have power under section 166 of FSMA 2000 to require a firm to commission a report by a “skilled person” – typically an accountant, lawyer or consultant with relevant expertise. Skilled persons reports may be used to diagnose issues, verify regulatory compliance, assess remediation or provide assurance on specific matters. The firm bears the cost of the report. Skilled persons owe duties to both the firm and the regulator. The use of skilled persons reports has increased as a supervisory tool, often as an alternative to formal enforcement.
Private Rights of Action and Litigation Exposure: In addition to regulatory enforcement, banks face material private law litigation risk. Under section 138D FSMA 2000, a private person who suffers loss as a result of a firm’s breach of FCA rules may bring a claim for damages (subject to certain defences). This statutory right of action has been relied upon in mis-selling litigation, particularly in relation to interest rate hedging products and payment protection insurance. Banks should also be aware of: section 404 FSMA consumer redress schemes, under which the FCA may require firms to establish schemes compensating eligible consumers without individual litigation; the expanded jurisdiction of the FOS, which can make binding awards up to £430,000 and recommendations up to £430,000; and the risk of collective proceedings under the Competition Act 1998 or representative actions for financial services claims. These private law exposures can be significant, both financially and reputationally, and should be factored into product governance and conduct risk assessments.
-
How active are banking regulators in enforcement against banks and senior individuals, and what recent trends can be observed in supervisory or enforcement action?
The PRA and FCA are active in enforcement against both firms and individuals. Both regulators have published enforcement strategies emphasising earlier intervention, greater use of supervisory tools and a willingness to take public enforcement action where warranted.
Recent trends include: increased focus on individual accountability under the SM&CR, with enforcement action against Senior Managers for breach of the Duty of Responsibility; emphasis on non-financial misconduct and workplace culture, with the FCA and PRA making clear that serious non-financial misconduct can constitute a breach of conduct standards; Consumer Duty enforcement, with the FCA prioritising supervisory activity against firms failing to deliver good outcomes for retail customers; financial crime and AML/CFT enforcement, with significant fines for systems and controls failures; and operational resilience failures, with regulators signalling increased supervisory attention to firms’ ability to prevent, adapt to and recover from operational disruptions.
Individual liability developments include: recent Upper Tribunal challenges to FCA enforcement decisions, with mixed outcomes highlighting the importance of due process and evidential standards; the use of settlement discounts (typically 30% for early settlement) influencing enforcement strategy; and FCA publication policy reforms increasing transparency around warning notices and enforcement outcomes. The FCA and PRA also retain criminal prosecution powers for serious offences including market abuse, misleading statements and breaches of the general prohibition.
Both regulators have indicated that the pace and transparency of enforcement will increase, with a focus on deterrence and public accountability. The FCA’s enforcement strategy, published in 2025, emphasises a proactive and assertive approach.
-
How are clients’ assets and cash deposits protected?
Deposit Protection: The FSCS provides deposit protection up to £85,000 per eligible depositor per firm. Temporary high balances enjoy enhanced, time-limited protection in defined circumstances. Membership of the FSCS is mandatory for PRA-authorised deposit-takers. Payout speed is targeted at seven days for most cases.
Client Assets: For investment services, the FCA’s Client Assets Sourcebook (CASS) applies. Payment services and e-money activities trigger PSR 2017 and EMR 2011 conduct and safeguarding rules.
-
What recovery and/or resolution planning obligations apply to banks, and how are recovery and/or resolution plans reviewed and assessed by supervisory authorities?
UK banks are subject to solvent wind-down planning obligations as well as recovery and resolution planning obligations under the Banking Act 2009 and related PRA rules. The requirements are designed to ensure that banks can recover from severe stress and, if recovery is not possible, can be resolved in an orderly manner.
Solvent wind-down Planning: Banks must maintain credible solvent wind-down plans as part of their regulatory business plans and ongoing authorisation requirements. Solvent wind-down planning is distinct from resolution planning: it addresses orderly exit from regulated activities while the firm remains solvent, ensuring customer protection, orderly transfer of business and minimisation of harm to market integrity. Key elements of solvent wind-down plans include: identification of triggers and decision points; financial projections demonstrating adequate resources throughout wind-down; customer communication and transfer arrangements; operational wind-down sequencing; regulatory engagement protocols; and governance and accountability frameworks. The PRA and FCA expect wind-down plans to be tested, documented and subject to board oversight. For new bank applicants, a credible wind-down plan is a core component of the authorisation application.
Recovery Planning: Banks must maintain recovery plans setting out options for restoring viability in the event of severe stress. Recovery plans must include a range of credible recovery options, triggers and escalation procedures, governance arrangements and communication strategies. The PRA assesses recovery plans as part of ongoing supervision.
Resolution Planning: The Bank of England, as resolution authority, draws up resolution plans for banks setting out preferred resolution strategies – bail-in (the write-down or conversion of creditor claims to absorb losses and recapitalise the bank), transfer to a private sector purchaser or bridge bank (a temporary institution controlled by the resolution authority), or modified insolvency. Banks must provide resolution packs containing information needed for resolution planning. Resolution plans are reviewed at least annually.
Resolvability Assessment Framework (RAF): Major banks are assessed by the BoE for resolvability against three outcomes: adequate financial resources (including MREL, valuations and liquidity in resolution); continuity and restructuring capabilities; and management, governance and communication arrangements. Banks must provide assurance through annual public disclosures and detailed submissions to the BoE.
Operational Continuity in Resolution (OCIR): Banks must ensure that critical shared services – including intra-group services, IT infrastructure and access to FMIs – can continue to be provided during and after resolution. OCIR requirements mandate robust service level agreements, financial arrangements ensuring service continuity regardless of group distress, and documented playbooks for maintaining operational capacity. Valuation requirements are also central to resolution planning: firms must be capable of supporting Valuation 1 (pre-resolution valuation informing the resolution decision), Valuation 2 (determining the extent of write-down and conversion) and Valuation 3 (informing no creditor worse off (NCWO) assessments post-resolution). These capabilities require robust data, systems and governance, and are assessed as part of RAF submissions.
Continuity of Access to Financial Market Infrastructures (FMIs): Major banks must demonstrate continuity of access to critical FMIs – including payment systems, central counterparties (CCPs), central securities depositories (CSDs) and settlement systems – during stress and resolution. This includes understanding FMI membership requirements, maintaining operational readiness to access alternative FMIs, ensuring adequate collateral mobilisation capabilities and engaging with FMI operators on continuity arrangements. The BoE assesses FMI continuity as part of resolvability assessments. Banks must identify critical FMI dependencies and maintain playbooks addressing scenarios where FMI access may be disrupted or terminated.
-
Does your jurisdiction provide for a bail-in tool in bank resolution, and which liabilities are covered? Does it apply in situations of a mere liquidity crisis (breach of LCR, etc.)?
Yes, the UK’s Special Resolution Regime includes bail-in as a stabilisation tool under the Banking Act 2009. The Bank of England has powers to write down or convert liabilities to absorb losses and recapitalise a failing bank.
Covered liabilities include unsecured, unsubordinated debt instruments and other eligible liabilities meeting statutory criteria. Capital instruments (CET1, AT1 and Tier 2) are written down or converted first, followed by eligible liabilities in reverse order of the creditor hierarchy. Critically, the Banking Act 2009 (BA 2009) establishes a statutory depositor preference hierarchy that governs the order of claims in resolution. This hierarchy ranks claims as follows: (i) covered deposits (those protected by the Financial Services Compensation Scheme (FSCS), up to £85,000 per eligible depositor) and claims by deposit guarantee schemes, which rank highest among unsecured claims; (ii) preferential deposits, comprising eligible deposits from natural persons and micro, small and medium-sized enterprises exceeding the FSCS coverage limit; (iii) ordinary unsecured creditors, including senior bondholders; and (iv) subordinated debt and capital instruments. Certain liabilities are excluded from bail-in entirely, including covered deposits, secured liabilities, client assets and short-term interbank liabilities. Understanding this hierarchy is essential to analysing loss absorption and creditor treatment in resolution.
MREL: Banks subject to bail-in or partial transfer resolution strategies must maintain sufficient MREL to ensure credible loss absorption and recapitalisation. The BoE sets firm-specific MREL based on the preferred resolution strategy.
The “no creditor worse off” (NCWO) principle applies as a statutory safeguard, ensuring that creditors do not receive less favourable treatment in resolution than they would have received had the firm instead entered insolvency proceedings.
Application: The bail-in tool applies only where a bank is failing or likely to fail, there is no reasonable prospect of recovery under alternative measures, and resolution action is in the public interest. A technical breach of LCR or other liquidity requirements would not, absent broader viability concerns, trigger resolution powers.
-
Is there a requirement for banks to hold gone concern capital ("TLAC")? Does the regime differentiate between different types of banks?
MREL: Banks with bail-in or partial transfer resolution strategies must maintain sufficient MREL resources to absorb losses and recapitalise in resolution. The UK framework implements the Financial Stability Board’s (FSB) TLAC standard for Global Systemically Important Banks (G-SIBs) and applies proportionately to other firms.
UK G-SIIs must meet TLAC standards.
Differentiation by Bank Type: From 1 January 2026, the BoE’s revised approach increases the indicative total assets threshold for modified insolvency strategies from £15–25 billion to £25–40 billion. The PRA intends to raise the threshold for the separate Resolution Assessment Part to £100 billion of retail deposits in H1 2026. Smaller banks with modified insolvency strategies may be subject to simplified obligations.
-
Is there a special liability or responsibility regime for managers of a bank (e.g. a "senior managers regime")?
The UK has a robust individual accountability regime via the SM&CR.
- Key features include: Senior Management Functions (SMFs) require pre-approval by the PRA and/or FCA, with prescribed responsibilities allocated to identified individuals. A “Duty of Responsibility” requires Senior Managers to take reasonable steps to prevent regulatory breaches within their remit. Firms must maintain an up-to-date governance responsibilities map and Statements of Responsibilities for each SMF holder.
- The Certification Regime applies to “significant harm” roles and requires annual fit-and-proper certification by the firm. Conduct rules apply broadly across the workforce, with additional, higher-level rules for senior managers. Breach consequences may include public censure, fines and prohibition from performing regulated functions.
- Regulatory References: Under the SM&CR, firms must request regulatory references from all previous employers within the preceding six years before appointing individuals to Senior Management Functions or Certified roles. Firms must provide references within six weeks, using a prescribed template, disclosing information relevant to the individual’s fitness and propriety. References must be updated where new information comes to light. Failure to obtain or provide regulatory references may give rise to supervisory or enforcement consequences.
The Government’s planned reforms to SM&CR, due to be implemented in phases from 2026 onwards, will streamline regulatory approvals, adjust the certification regime and refine conduct-rules applicability.
-
What regulatory, supervisory or market developments are likely to have the most significant impact on the banking sector in the jurisdiction over the next 12 to 18 months?
Key developments likely to have significant impact over the next 12-18 months include:
Basel 3.1 Implementation: Targeted from 1 January 2027, revising credit, market and operational risk frameworks.
Smarter Regulatory Framework (SRF): The SRF represents a fundamental constitutional shift in UK financial regulation following Brexit. Under the Financial Services and Markets Act 2023, retained EU law in financial services is being progressively revoked and substantive prudential and conduct requirements are migrating from primary and secondary legislation into the PRA and FCA Rulebooks. This enhances regulator rulemaking powers whilst maintaining accountability to Parliament through the new regulatory gateway and call-in mechanisms. As part of this programme, HMT and the PRA are progressing targeted repeal of UK CRR provisions and migration of core prudential policies into PRA rules, with more principles-led, less prescriptive rulemaking. This represents one of the most significant structural developments in UK financial services regulation and fundamentally changes how firms engage with the regulatory framework.
Digital Assets Regulation: The UK is building a measured regulatory perimeter for digital assets, including a phased regime for fiat-backed stablecoins.
Operational Resilience: The UK’s operational resilience regime has matured from policy concept to binding compliance reality.
Critical Third Parties Regime: The Financial Services and Markets Act 2023 introduces a dedicated regulatory framework for critical third parties (CTPs) – service providers designated by HMT as critical to the stability of, or confidence in, the UK financial system. This represents a major structural shift, extending direct regulatory oversight beyond regulated firms to their key service providers. The regime empowers the PRA, FCA and BoE to make rules directly applicable to designated CTPs, exercise enforcement powers against CTPs (including public censure and financial penalties), and use information-gathering powers to assess CTP resilience. Cross-sector oversight allows coordinated supervision of CTPs providing services to multiple regulated sectors. Firms relying on designated CTPs should understand the implications for contractual arrangements, oversight expectations and incident management, whilst recognising that CTP designation does not transfer firms’ own accountability for operational resilience.
Climate and Sustainability: PRA expectations require boards to integrate climate risk into governance, risk management, scenario analysis and capital frameworks.
Operational Resilience and Cyber Risk: Cyber resilience remains a core supervisory priority, with regulators expecting firms to identify and protect against cyber threats, rapidly detect incidents, respond and recover, and contain disruption. Data protection obligations arise under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which together form the UK’s data protection framework and impose obligations on controllers and processors including lawful basis requirements, data subject rights, breach notification (within 72 hours to the Information Commissioner’s Office (ICO) for notifiable breaches) and accountability obligations. Banks as operators of essential services may fall within scope of the Network and Information Security (NIS) Regulations 2018, which impose security and incident notification obligations for network and information systems. The PRA’s supervisory statement SS2/21 sets expectations for outsourcing and third-party risk management, including information and communications technology (ICT) governance, whilst FCA guidance (including the principles in FG16/5 on cloud) informs expectations around cloud service provider oversight. Firms should ensure consistency across ICT risk management, incident response and vendor oversight, mindful of UK-specific supervisory expectations.
Third-Party and Outsourcing Risk: The emerging critical third party regime signals broader supervisory scrutiny on concentration risk, exit plans and contractual levers ensuring access, audit and substitution rights. Resilience assessments will encompass not only internal systems but the integrity and recoverability of the supply chain supporting customer-facing services. Firms should anticipate that outsourcing frameworks will require governance, risk management, regulatory access, audit and information rights, data protection, concentration risk assessment and exit planning – particularly for material outsourcings including cloud. The PRA and FCA expect firms to evaluate data localisation requirements, cross-border data transfer dependencies and cloud concentration risk as part of operational resilience.
Financial Crime and Sanctions: UK sanctions have expanded materially, with heightened OFSI enforcement and guidance on ownership and control, trade-based evasion typologies and beneficial ownership transparency. Banks must maintain agile list management, robust look-through and circumvention detection across onboarding, payment filtering, asset freeze administration and exit strategies, with documented governance and periodic independent testing of screening effectiveness. OFSI’s guidance emphasises detection of circumvention typologies, including complex ownership structures, proxy trading networks, trade-based evasion, crypto-mixing services, use of third-country intermediaries and redirection of goods via trans-shipment hubs. The Economic Crime and Corporate Transparency Act 2023 introduced a “failure to prevent fraud” offence applicable to large organisations, including banks.
Climate Risk: Climate and sustainability risk integration remains a supervisory focus, requiring banks to embed transition pathways into ICAAP, credit risk modelling and scenario analysis, linking climate metrics to risk appetite. Greenwashing (making misleading sustainability claims) risks are a supervisory focus; product governance and client communications must be clear, fair and not misleading. The FCA is increasing scrutiny of potential greenwashing, particularly in retail savings products and sustainability-linked finance.
AI and Model Risk: AI deployment is currently subject to cross-cutting principles and supervisory expectations rather than a comprehensive AI statute. Model governance and accountability remain supervisory priorities. Although the UK has not adopted an AI Act, the PRA and FCA expect firms to treat AI models as high-risk within existing governance frameworks. Supervisory areas of focus include data integrity, explainability, bias detection, human-in-the-loop controls, operational resilience and accountability by Senior Managers. Firms must evidence traceability of decision-making and undertake model validation proportionate to risk, including AI-specific stress and sensitivity testing. Where AI is used in credit underwriting, fraud detection or customer communications, Consumer Duty outcomes – particularly fairness and consumer understanding – must be demonstrably met.
Consumer Harm and Conduct Risk: The FCA will ask for data underpinning fair value assessments, pressure-test assumptions used in product stress testing, and examine how management information (MI) informs interventions – product withdrawal, tightening of target market criteria, enhanced adviser training, or changes to fee structures. Firms should expect a greater emphasis on ex-post validation: did customers in fact receive the outcomes the firm predicted? “Paper compliance” is unlikely to satisfy supervisory expectations. FCA multi-firm work in 2024–25 identified weaknesses in firms’ forbearance strategies, affordability assessments and vulnerability treatment. Banks must evidence tailored, sustainable forbearance options, high-quality affordability reviews, and MI capable of tracking customer outcomes across arrears cohorts.
Resolution Liquidity and Execution: The BoE’s expectations on resolution liquidity and credible execution require detailed playbooks, collateral mobilisation strategies and continuity of access to FMIs under stress. MREL stack resilience should be modelled alongside buffer requirements, P2R, P2G and potential distribution constraints, with clear communications to management, boards and markets.
Economic uncertainty and credit risk: Leveraged lending activities remain under PRA scrutiny, with focus on underwriting standards, pipeline risk, covenant robustness, enterprise value dependency and stress testing of leveraged portfolios. Banks must demonstrate prudent risk appetite, sectoral concentration management and governance over underwriting commitments, including syndication pipeline risk.
Regulatory fragmentation post-Brexit: Divergence between the UK and EU regulatory frameworks may reduce cross-border competitiveness and increase compliance burden for firms operating across multiple jurisdictions.
Profitability pressure: Sustained profitability pressure from capital and liquidity requirements remains a structural challenge for the banking sector.
United Kingdom: Banking & Finance
This country-specific Q&A provides an overview of Banking & Finance laws and regulations applicable in the United Kingdom.