Banking Regulation 2022

Last Updated September 17, 2021


Law and Practice


Allen & Overy has an international financial services regulatory team that is a strategic partner to the world’s leading financial institutions, guiding them through an increasingly complex regulatory landscape where national and international regulations may interact or conflict. With more than 80 financial services regulatory experts across its international network of offices, the firm brings the breadth and scale a global business needs, as well as an understanding of the local environment. It helps clients plan for and navigate the complex developments and challenges they are facing, protecting them from regulatory risk and advising them on how to take advantage of emerging opportunities. The group brings together an impressive list of leaders in their field, and amalgamates specialist expertise from the firm's banking, payments, capital markets, investigations and regulatory enforcement practices, along with A&O Consulting and Markets Innovation Group (MIG) colleagues, supported by the advanced delivery and project management teams. This cross-practice, multi-product, international offering provides clients with greater access to market-leading expertise and innovative products and solutions tailored to their very specific, highly complex needs.

The Financial Services and Markets Act 2000 (FSMA) is the primary UK statute governing the financial services sector in the UK, defining the role and purpose of the regulatory authorities. FSMA has subsequently been significantly amended following the financial crisis of 2008–09 to introduce changes (such as the UK Senior Managers Regime and bank ring-fencing requirements) to enhance the resilience of the UK financial services sector.

FSMA makes it a criminal offence to undertake regulated activities by way of business – or (in broad terms) to promote financial services or products – in the UK unless duly authorised or exempt. The list of regulated activities that a bank may undertake is set out in the FSMA (Regulated Activities) Order 2001. Exclusions exist, which (in broad terms and subject to conditions) permit wholesale activities to be undertaken into the UK by foreign banks without obtaining authorisation.

Separate UK legislation governs the provision of payment services (the Payment Services Regulations 2017) and the issuance of electronic money (the Electronic Money Regulations 2011).

A significant proportion of UK banking regulation is derived from EU directives and regulations, reflecting the UK’s historic position as a member of the European Union until January 2020.

The UK left the EU on 31 January 2020 (Brexit), and the post-Brexit implementation period ended on 31 December 2020 (IP Completion Date or IPCD). Prior to the IPCD, FSMA and the secondary legislation and regulators’ rulebooks made under it implemented a number of European law directives into UK law. European regulations that were directly applicable were the other key source of UK legal requirements for UK banks, including the Capital Requirements Regulation (Regulation (EU) 575/2013 (CRR), which implements the revised Basel Accord), the Market Abuse Regulation (Regulation (EU) 596/2014) and the Markets in Financial Instruments Regulation (Regulation (EU) 600/2014 (MiFIR)).

Post-IPCD, EU law ceased to apply in the UK: the EU regulations referred to above and other EU-derived legislation were incorporated into UK law as they applied on IPCD and amended to render them fit for purpose in their new context under the EU Withdrawal Act 2018. This is colloquially referred to as "onshoring" (see the UK Trends and Developments chapter in this guide).

The UK operates a "twin peaks" system of financial regulators, with two principal regulators – the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – each with its own rulebook. Additionally, the Bank of England (BoE) acts as the resolution authority, and has the primary regulatory responsibility for dealing with failed banks.

The PRA is the prudential regulator for banks, and the FCA regulates banks’ conduct. The PRA has a statutory objective to promote the safety and soundness of the institutions it regulates, with a view to ensuring the stability of the UK financial system. The FCA’s strategic objective is to ensure that the UK’s financial markets function well. The FCA is responsible for regulating a wide variety of regulated firms and activities, including investment services, payment services, retail lending and insurance distribution.

The BoE also operates a Financial Policy Committee, which is the UK’s macro-prudential regulator responsible for the regulation of the broader UK financial system from a macro-economic perspective. The Financial Policy Committee has power to make recommendations to the FCA and PRA in certain cases.

Section 19 of FSMA prohibits persons from carrying on regulated activities by way of business in the UK, unless duly authorised or exempt.

Regulated activities include deposit-taking. This is triggered if money received by way of deposit is lent to others, or if the conducting of any other activity of the person accepting the deposit is financed out of the capital of, or interest on, money received by way of deposit.

Lending is generally not regulated in the UK, with the exception of various activities relating to home finance and consumer credit activity. A number of activities relating to derivatives, securities or fund units are also regulated, including dealing, advice, portfolio management and custody, as is insurance distribution.

The UK operates a universal banking regime, meaning that (with limited exceptions for ring-fenced banks) banks can obtain authorisation to conduct any financial services except for writing insurance and the management of funds (each of which is reserved to specific classes of regulated entity). A firm authorised for deposit-taking is also permitted to provide payment services and issue e-money.

Pre-IPCD, EU providers benefited from so-called "passporting" rights under various EU directives, enabling them to provide services or establish branches in the UK. Post-IPCD, passporting rights ceased to apply and EU firms now require a UK licence in order to be able to continue to undertake regulated business in the UK (subject to a temporary permissions regime (known as the TPR), under which they are deemed authorised for a temporary period), or will need to operate outside the territorial scope of the UK regulatory regime.

A bank looking to establish itself in the UK must obtain authorisation by applying for a so-called Part 4A Permission under FSMA, which will permit it to take deposits and conduct any other regulated activities within the Permission. The application is made to the PRA and FCA (the PRA acts as lead regulator), and requires the submission of extensive and detailed information about the institution, including the completion of a permissions table that sets out in detail the permissions applied for (per type of activity and client type). It is advisable for the applicant to liaise with the PRA in the pre-application phase.

In addition to the application forms, an applicant firm must also provide the following:

  • a regulatory business plan complete with a business rationale;
  • information about the ownership structure of the bank;
  • evidence of sufficient financial and non-financial resources;
  • information regarding the management structure; and
  • information about the institution’s financial standing as well as its capacity to comply with its regulatory requirements via internal monitoring.

The application will be reviewed by, and subject to the approval of, both the PRA and the FCA.

In reviewing an application for authorisation, the FCA and the PRA will assess the applicant against the threshold conditions for authorisation, which include the following requirements:

  • that the applicant has its headquarters or a branch in the UK;
  • that the applicant conducts its business in a prudent manner and possesses sufficient non-financial and financial resources;
  • that it be fit and proper to conduct regulated activities in the UK; and
  • that it be capable of being regulated and supervised by the FCA and the PRA.

The PRA and FCA must make a decision on the suitability of the applicant within a six-month period beginning on the date on which they receive a complete application form. The regulators also have the power to request further information, which resets the start of the six-month period, meaning that the licensing period, in practice, can extend to up to a year.

The application fee is non-refundable regardless of the outcome; if successful, the bank must then pay an annual fee to either the FCA or the PRA, the cost of which varies based on what type of bank the applicant is looking to set up, and the revenue the bank generates. Retail consumer banks also need to pay fees levied by the Financial Ombudsman Service (FOS) and Financial Services Compensation Scheme (FSCS). Licences granted to banking institutions are theoretically indefinite, albeit with the caveat that the PRA has the power to suspend the licence at any point, and to impose fines if the bank fails to comply with the regulatory framework.

Under Section 178 of FSMA, any person intending to acquire or increase their level of control of a UK-headquartered bank must give the PRA written notice of that intention (no requirement applies to foreign banks with a UK branch). The transaction cannot be completed until a 60 working-day window has elapsed, or until the PRA has given its approval before the 60 working days are up. In this context, "control" means shareholding and/or voting rights.

This requirement is triggered by the acquisition of a holding that equates to 10% or more of the total shareholding or voting rights in a UK-authorised person, or a parent of that authorised person, or share or voting power that would enable the exercise of significant influence over the authorised person. A person’s "control" includes indirectly held voting power and is aggregated with the control of another with whom he or she is acting in concert.

An increase in control is deemed to have occurred whenever the percentage shareholding or voting rights crosses the 20%, 30% or 50% threshold, or if the authorised person becomes a subsidiary as a result of the acquisition. Likewise, a reduction in shareholding or voting rights at those same thresholds triggers a reporting requirement to provide the PRA with written notice; failure to comply with either of these obligations is a criminal offence.

In assessing an application, the PRA will consider a number of factors, including:

  • the applicant’s reputation and the reputation of anyone who will exert significant control on the bank’s direction;
  • the applicant’s financial position;
  • the ability of the bank to comply with the prudential requirements; and
  • the risk that the acquisition has any connection to financing terrorism or facilitating money laundering.

There are no restrictions on the foreign ownership of banks in the UK, subject to applicable financial sanctions requirements at a UK, EU or United Nations level.

The Companies Act 2006 provides the general basis for the general duties of directors of UK companies. Regulated firms are subject to additional requirements, reflecting the need for high-quality governance in the banking sector.

The PRA Fundamental Rules and FCA Principles establish high-level standards with which banks must comply, designed to protect the interests of customers and the wider economy as a whole. In particular, the PRA Fundamental Rules include requirements that a firm must have effective risk strategies and risk management systems (Fundamental Rule 5), and that a firm must organise and control its affairs responsibly and effectively (Fundamental Rule 6). These high-level requirements are supplemented by the General Organisational Requirements Part of the PRA Rulebook, which implements a number of more detailed organisational requirements under the European regulatory framework set out in the revised Capital Requirements Directive (CRD IV) and the recast Markets in Financial Instruments Directive (MiFID II), each as onshored in the UK. These include requirements for a robust governance framework, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, for effective processes to identify, manage, monitor and report risks, and internal control mechanisms, and for the management body to define, oversee and be accountable for the implementation of governance arrangements that ensure effective and prudent management.

The FCA and PRA rules are also supplemented by the UK onshored version of EU Delegated Regulation 2017/565 as regards organisational requirements and operating conditions for investment firms, which imposes more detailed requirements around the compliance, risk and internal audit functions, outsourcing and the management of conflicts of interest.

Senior management and personnel are required to be not only sufficiently experienced in their field, but also of sufficiently good repute, in order to ensure the prudent and sound management of the bank. The bank must ensure that it has two employees who qualify as such, and that at least two of these individuals are independent in their formulation of ideas and the bank’s policies.

Additionally, diversity must be taken into account when selecting management members; regulators must be notified of the composition of the management team, and changes made to it; management must have adequate access to information about the bank’s operations; and the effectiveness of the bank’s operations must be monitored and periodically assessed, with steps taken to remediate problems.

The UK framework includes added requirements for significant firms, such as obligations to have a separate chair and CEO, and to have separate board risk, nomination and remuneration committees.

Further requirements apply to UK banks that are UK listed or subject to the UK ring-fencing rules under the UK Corporate Governance Code’s principles of good governance, as overseen and maintained by the Financial Reporting Council.

The Senior Managers and Certification Regime (SMCR) was implemented in March 2016 in the wake of the financial crisis, as a response to a perceived lack of personal accountability amongst individuals working in the financial sector. The SMCR aims to encourage responsibility amongst employees at all levels, and to improve conduct and encourage clear demarcation of responsibility. It is broken up into three separate regimes.

The Senior Managers Regime (SMR) focuses on individuals performing defined senior management functions (including executives, the chief risk officer, the head of the finance function, the heads of key business areas and the head of compliance). They must obtain approval from the regulator to perform senior management functions at their firm, regardless of whether they are physically based in the UK or overseas. Firms must assess whether senior managers are fit and proper to perform their roles both at the outset (including by taking references) and thereafter. Senior managers are also subject to the "duty of responsibility", which requires them to take reasonable steps to prevent breaches of regulatory requirements in their area(s) of responsibility from occurring or continuing. Each regulator sets out a list of prescribed responsibilities that must be allocated among the senior managers, with the intent that senior managers are accountable to the regulators for those responsibilities. UK banks are also required to maintain a management responsibility map describing the firm’s management and governance arrangements, including reporting lines and the responsibilities of senior staff.

The Certification Regime focuses on individuals who are deemed by the regulator to pose a threat to the firm or its customers, by the nature of their role (certified persons). Examples of roles that are denoted as such include individuals who give investment advice or bear responsibility for benchmarks. Certified persons are not "pre-approved" by the regulator, but instead their employers must seek certification that they are fit and proper both at the start of their employment (including by taking references) and annually on a rolling basis.

The Conduct Rules are high-level expectations of all staff involved in the running of the bank. They apply to senior managers, certified persons and almost all other employees of the firm, with the exception of those who perform ancillary functions.

UK remuneration requirements have been set in accordance with the EU provisions set out under CRD IV, subject to limited additional restrictions implemented following the financial crisis of 2008. The requirements are set out in remuneration codes of the PRA and FCA, and apply differently depending on the nature of the firm and its activities. UK banks are subject to both the PRA and FCA Remuneration Codes.

Groups in the UK must apply the Remuneration Codes to all their regulated and unregulated entities, regardless of their geographic location. Subsidiaries of UK banks in third countries must also apply the Remuneration Codes to all subgroup entities, including those based outside the UK. The Remuneration Codes also apply to UK branches of third-country firms.

Some requirements of the Remuneration Codes apply universally to all employees, such as those limiting variable pay or termination payments, whereas others only apply to staff classified as “Code staff”. Code staff are employees who are either senior managers or "material risk takers", individuals engaged in control functions, and any individual whose total remuneration places them in the same remuneration bracket as senior managers. If an individual is classified as Code staff but satisfies the requirements for the "de minimis" concession, certain requirements of the Remuneration Codes can be relaxed. The de minimis concession is satisfied by an individual who has variable remuneration that does not exceed GBP44,000 in a performance year, and where variable pay does not make up more than one third of the individual’s total annual remuneration.

Under the Remuneration Codes, various principles are applicable to an employee's pay ("remuneration", covering all forms of salary and benefit payments, including in-kind benefits). A bank must set an appropriate ratio between fixed and variable pay. The Remuneration Codes include bonus cap rules that cap variable pay at 100% of fixed remuneration (or 200% with shareholder approval). At least 50% of variable pay should be in equity, equity-linked or equivalent instruments, and at least 40% of variable pay (or 60% where variable pay is particularly high) must be deferred and vested over a period of four to seven years. Banks are also required to adjust non-vested deferred amounts to reflect outcomes.

Limits are also placed on guaranteed bonuses, which should be exceptional and limited to new staff, and on contract termination payments, to ensure these do not reward failure.

Finally, banks must also implement policies and procedures to ensure that Code staff do not engage in personal investment strategies that undermine the principles of the Remuneration Codes, such as insurance or hedging against the risk of performance adjustment.

The requirements in the Remuneration Codes are subject to a proportionality rule, which provides that, when establishing and applying the total remuneration policies for its Code staff, a firm must comply with the requirements in a way and to an extent appropriate to its size and internal organisation, and the nature, scope and complexity of its activities. The expectations of the PRA and FCA regarding firms’ application of the proportionality rule are based on the firms’ "relevant total assets", divided into three levels:

  • Level 1 is for firms with total assets exceeding GBP50 billion, averaged over a four-year period.
  • Level 2 firms are those with total assets exceeding GBP13 billion but less than or equal to GBP50 billion, averaged over a four-year period. A firm with total assets of less than GBP13 billion, averaged over a four-year period, will nonetheless be considered a Level 2 firm if it is a large institution (as defined in the onshored version of the CRR (UK CRR)), or if the firm's assets as calculated on an individual basis exceed GBP4 billion over a four-year period.
  • Level 3 firms are those with less than GBP13 billion in total assets on average over a four-year period, provided that they are not large institutions (as defined in UK CRR), and provided that their assets as calculated on an individual basis are less than or equal to GBP4 billion, averaged over a four-year period. Any firm with total assets of less than or equal to GBP4 billion, averaged over a four-year period, will also be considered a Level 3 firm.

The UK is a member of the Financial Action Task Force (FATF), which is an international, intergovernmental task force (not a formal international body) set up and funded by the G7 and other members to combat money laundering and terrorist financing.

The primary legislation governing AML requirements in the UK is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR). These are supported by extensive non-statutory guidance given by the Joint Money Laundering Steering Group, which sets out what is expected of banks and staff in relation to the prevention of money laundering and terrorist financing. The principal elements of the MLR are requirements to conduct risk assessments associated with money laundering and terrorist financing, and to apply risk-based customer due diligence policies, controls and procedures, calibrated to the type of customer, business relationship, product or transaction, and taking into account situations and products which by their nature can present a higher risk of money laundering or terrorist financing; these specifically include correspondent banking relationships, and business relationships and occasional transactions with politically exposed persons.

The FCA requires that firms give overall responsibility for their anti-money laundering operations to a director or senior manager, who is responsible for being aware of the money laundering risks and taking steps to effectively mitigate them. A Money Laundering Reporting Officer must also be appointed, as the keystone of the firm’s anti-money laundering procedures.

In January 2020, the UK government enacted the Money Laundering and Terrorist Financing (Amendment) Regulations 2019, which was the legislative instrument designed to implement the European Union’s Fifth Anti-Money Laundering Directive (5MLD). The UK, in fact, has opted to exceed the requirements set out under the EU legislation, as part of its push to maintain its role as a world-leading financial centre.

The updated regulations extended the scope of the persons subject to the MLR, extended the customer due diligence requirements, created bank account portals that can be accessed by financial intelligence units and national regulators, and created a system of registration for crypto-asset businesses. The EU introduced a sixth anti-money laundering directive ((EU) 2018/1673), which had to be implemented by EU Member States by 3 December 2020. The UK chose not to transpose this directive into national law, on the basis that the vast majority of its requirements were already part of existing UK legislation.

The FSCS is the UK compensation fund available to customers of a majority of UK financial services firms. Its purpose is to provide a backstop in case of the failure of a regulated financial institution, paying compensation up to certain limits when the institution in question is unable to pay claims against it, or is likely to become unable to do so. It is the UK’s depositor compensation scheme, but also covers other classes of regulated business, including insurance and investment business.

The failure of a bank, the insolvency of an insurer or the provision of negligent advice causing loss to a consumer by a financial adviser are all examples of potential justified causes for making a claim for compensation. The extent to which a claimant will be compensated in the event of a successful claim varies depending on the nature of the claim.

The regulatory rules applicable to the FSCS’s depositor protection arrangements are largely set out in the Depositor Protection module of the PRA Handbook. This provides that the FSCS must pay compensation in respect of an eligible deposit with a defaulted UK bank or foreign bank with respect to its UK branch deposits. For protected deposits, including retail deposit accounts, compensation is capped at GBP85,000, subject to a higher cap of GBP1 million for certain temporary high balances (such as a balance associated with home sales and purchases). Certain classes of depositor are ineligible for compensation, including banks, investment firms, insurance undertakings, financial institutions and certain funds.

To support the need for the FSCS to be able to make rapid payouts in respect of banks in default, the depositor protection rules are supplemented by extensive requirements to ensure that banks can provide the FSCS with the requisite information to make compensation payments. These are centred around the so-called Single Customer View, which is a dataset made available to the FSCS to enable it to identify clients and their claims in order to be able to identify and fund compensation payments.

The FSCS primarily operates under Part 15 of FSMA, which sets out the governance of the scheme, as well as the capacity of the FCA and PRA to make rules in relation to the FSCS. The scheme is officially managed by Financial Services Compensation Scheme Ltd, operating as a guarantee-limited company.

The scheme is principally funded via fees and levies charged to participating firms. These costs include the management expenses levy (broken up into yearly base cost running fees, and specific costs for particular funding classes) and the compensation costs levy, which is primarily a result of the costs incurred by the FSCS in paying out compensation.

Firms participating in the scheme are typically allocated into one or more funding classes, decided on the basis of the regulated activities they perform. The amount each firm is obliged to pay is based on which of these funding classes they have been placed in, up to a maximum amount per funding class each year. If a firm were to fail, and there was insufficient funding available from the other institutions in that funding class, the costs would be pooled across all the funding classes through a mechanism known as the FCA retail pool.

The UK does not have a specific statutory regime regulating banking secrecy, but instead relies on the common law duty of confidentiality between the customer and bank, arising from their contractual relationship. Common law provides that the bank has a duty of confidentiality to the customer, as an implicit term of the contract.

The duty of confidentiality from a bank to its customer broadly covers all information about the customer that is held by the bank. The case of Tournier v National Provincial and Union Bank (1924) established that the duty expressly covers the credit or debit balance of the customer’s account, all transactions made through the account, and the securities given in respect of the account.

This duty of confidentiality also extends beyond the lifetime of the account, continuing to apply after it is no longer active or even closed. It further extends to information that is held by the bank about the customer that is from a source other than the customer’s own account, if the acquisition of this information was an indirect result of the customer holding that account.

The bank’s duty to the customer is not absolute; there are a number of exceptions to the duty established in Tournier that allow a bank to divulge information in certain circumstances. Information may be disclosed by the bank if the customer has provided their express or implied consent to the disclosure, if the bank is legally compelled, if there is a public duty, or if the disclosure would protect the bank’s own interests.

If a customer has agreed, however, to express terms in their contractual relationship with the bank to permit disclosure in particular situations, then this agreement would take precedence over Tournier. Regulators also have some additional specific powers in relation to compelling bank disclosure; the FCA has statutory powers to require certain disclosures, as does HMRC (the UK’s tax authority) in respect of tax. Likewise, if there are reasonable grounds for suspicions of money laundering or terrorist financing, banks may be compelled to co-operate in providing information under AML and CTF legislation.

When the FCA or PRA requires a disclosure to be made by a bank to its investigators as part of an ongoing investigation, it is subject to a statutory obligation of confidentiality with respect to the information, subject to limited "gateways" permitting disclosure in certain circumstances.

As the duty of confidentiality is a common law regime, rather than a statutory one, a breach of contract or a breach of common law is the potential result of a bank failing to observe the customer's rights. The customer may seek an injunction, even pre-emptively, in order to prevent a breach, or to restrain or avoid a repetition of something previously disclosed. The customer may then also seek damages potentially for a breach of contract, presuming that there are express confidentiality provisions, or for a common law breach of the duty of confidentiality.

As a member of the G20, the UK has implemented the Basel Accord. The principal legislation implementing the Accord is CRD IV (as implemented in the UK) and UK CRR, which apply the Accord to all banks. The PRA intends for many of the remaining reforms under the Basel III package, including the Net Stable Funding Ratio, to come into force in the UK on 1 January 2022.

All authorised banks are subject to PRA Fundamental Rule 4, requiring institutions to hold and maintain adequate financial resources. UK banks are additionally subject to detailed risk management, capital and liquidity requirements that do not apply to non-UK banks, with the exception of some risk management requirements, which apply at branch level.

Risk Management

A bank must be able to identify, manage, monitor and report actual or potential risks through adequate risk management policies and procedures and risk assessments. Specific risks that a bank must plan for include credit risk, market risk and liquidity risk, but also less apparent sources of risk such as operational risk, residual risk, group risk and reputational risk.

A bank must establish and maintain an independent risk management function implementing its policies and procedures and reporting to or advising senior personnel accordingly. The risk control arrangements should (where appropriate considering the bank's size, nature and complexity) include a chief risk officer (CRO) and a board-level risk committee.

Among other things, the CRO should be accountable to the board, be fully independent of business units, have sufficient stature and authority to execute the responsibilities, and have unfettered access to any part of the bank's business that impacts its risk profile. The CRO is expected to report to the chief executive, chief finance officer or other executive directors.

A risk committee should be headed by a non-executive director and be composed mainly of non-executive directors. The risk committee oversees and challenges the bank's risk monitoring and management, and advises the board on risk strategy and oversight. A bank's internal control mechanisms and procedures must permit verification of its compliance with rules adopted under CRD IV and UK CRR at all times.

Capital Requirements

The CRR imposes capital requirements on UK banks in the form of risk-weighted asset and leverage requirements.

Risk-weighted asset capital requirements oblige a bank to maintain regulatory capital ratios by reference to a bank’s "total risk exposure amount", which weights the accounting value of a bank’s assets and credit exposures according to their potential to suffer loss.

Regulatory capital comprises Tier 1 capital (comprising Common Equity Tier 1 (equity) and Additional Tier 1 (equity-like hybrid capital instruments)) and Tier 2 capital (deeply subordinated debt). Common Equity Tier 1 capital is the highest quality capital, generally comprised of ordinary share capital and reserves. Additional Tier 1 capital is the next level of quality of capital, comprised of perpetual subordinated debt instruments or preference shares that must automatically be written down or converted into CET1 if the bank’s CET1 ratio falls below a specified level. In practice, the PRA generally expects that this level is at least 7%. Tier 2 capital is capital that is of an insufficient quality for CET1 or AT1, and is comprised of subordinated debt or capital instruments with an original maturity of at least five years, meeting specific criteria.

The Pillar 1 minimum capital requirements that currently apply to UK banks under UK CRR require the following:

  • a base regulatory capital of at least 8% of the total risk exposure amount;
  • Tier 1 capital (comprising CET1 capital and AT1 capital) of at least 6% of the total risk exposure amount; and
  • CET1 capital of at least 4.5% of the total risk exposure amount.

These are supplemented by buffer requirements. Pillar 2A captures those risks against which banks must hold capital and that are not eligible under the Pillar 1 regime. This includes the combined buffer, formed of a capital conservation buffer of 2.5% of the total risk exposure amount, a countercyclical buffer (expected to remain at 0% until at least December 2021, as part of the COVID-19 mitigation policies – the buffer will be re-evaluated then and, according to the standard implementation period, any subsequent increase would be expected to take effect at the end of 2022 at the earliest), a buffer for global and other systemically important institutions, and a systemic risk buffer for banks that are subject to UK ring-fencing requirements. Pillar 2B, or the PRA buffer, takes into account a bank’s ability to withstand severe stress, alongside perceived deficiencies in its risk management and governance framework, as well as any other information deemed relevant by the PRA.

In determining risk-weighted assets, the bank’s assets and liabilities are divided into the trading book and non-trading book. In determining capital requirements in the non-trading book, banks may follow the standardised or (with PRA approval) internal ratings-based approach. Capital requirements in the trading book comprise counterparty credit risk and market risk, position risk, equity risk, commodities risk, foreign exchange risk and risk associated with options and collective investment schemes. As with the non-trading book, the rules contemplate a variety of methods of calculating risk-weighted asset requirements. The risk-weighted asset requirement also includes a metric for operational risk.

Leverage Ratio

Unlike the risk-weighted assets ratio, the leverage ratio is non-risk sensitive. The leverage ratio requires that a bank’s Tier 1 capital exceed 3.25% of its total assets and off-balance sheet exposures. The PRA has also issued firm-specific countercyclical buffer requirements and additional leverage ratio buffer requirements for such banks.


The BoE also regulates the minimum requirement for own funds and eligible liabilities (MREL), broadly following the revised EU Directive 2014/59 on bank recovery and resolution (EU BRRD), and has also implemented the Financial Stability Board’s standards on total loss-absorbing capacity (TLAC) through the MREL framework. The BoE has issued a policy statement establishing its approach to MREL. The quantum of the MREL requirement depends on the resolution strategy of any given bank, which in turn depends on its size and the nature of its activities. The largest UK banking groups are expected to issue MREL that broadly equate to either twice their risk-weighted asset or twice their leverage capital requirements, whichever is higher. The BoE is currently considering changes to its MREL framework and intends for any policy changes to be reflected in a revised MREL Statement of Policy due to apply from January 2022.

Liquidity Requirements

All UK banks are subject to liquidity requirements implementing the Basel III liquidity coverage ratio, which came into force in January 2015. It is designed to ensure that banks hold a buffer of unencumbered, high-quality, liquid assets in order to meet modelled outflows in a 30-day stress test scenario. The presumption in this scenario is that the institution’s management will be able to take suitable actions to correct the course in that period.

High Quality Liquid Assets (HQLA) are cash or assets that can be converted into cash quickly with limited or no loss in value. An asset can be deemed an HQLA for the purposes of the liquidity requirements if it is unencumbered and meets the minimum liquidity criteria, and if the firm is able to demonstrate that it can be quickly converted into cash if required. HQLA are divided into Level 1 and Level 2 assets, based on their likely liquidity. Level 1 assets include only the most liquid assets, including cash, central bank reserves, and certain securities that have the backing of a sovereign government or a central bank.

There is no limit on the quantity of Level 1 assets a bank can hold, as these are preferable from a regulatory perspective. Level 2 assets include particular government securities, covered bonds, corporate debt securities and residential mortgage-backed securities. A firm must hold no more than 40% of its total liquid asset pool in Level 2 assets. Under the UK CRR, except for periods deemed to be crises, a UK bank must maintain a liquidity buffer equal to at least 100% of its anticipated net liquidity outflows over a 30-calendar day stress period, where the total net outflows must not exceed the total HQLA pool over the period of the stress testing upon the bank.

The requirements also compel UK banks to regularly report their liquidity data to the PRA, with retail funding reports and systems and control questionnaires being reported quarterly, marketable assets and funding concentration reports being reported monthly, mismatch reports and pricing data being reported weekly, and the underlying liquidity of the bank being reported daily. Liquidity requirements apply on a solo and consolidated basis. The PRA can waive the application of the requirements on a solo basis, but is unlikely to do so other than in relation to sub-groups of institutions authorised in the UK. UK banks are, therefore, generally not able to rely on liquidity from non-UK subsidiaries to satisfy UK liquidity requirements.

The UK has implemented the Financial Stability Board Key Attributes of Effective Resolution Regimes. A bank incorporated in the UK may be wound up under the general insolvency law applicable to UK companies, or wound up or resolved under the special resolution regime (SRR) under the Banking Act 2009. The UK regulatory framework also provides for recovery and resolution planning to enhance the resilience and resolvability of UK banks and banking groups: the MREL requirement described under 8.1 Capital, Liquidity and Related Risk Control Requirements also supports resolution by ensuring that firms have sufficient capital or liabilities available for recapitalisation in resolution, where appropriate.


Banks have special protections from insolvency proceedings, with only the BoE, PRA or the Chancellor of the Exchequer being able to apply for the court order required under Section 94 of the Banking Act. The application to the court would be made on the basis that the bank is either unable to pay its debts, or is likely to become unable to do so, and that the winding-up of the institution would be just and equitable. In order for the application to be made to the court in the first place, the PRA must be satisfied that the trigger conditions of failure or likely failure have been met, and the BoE must be satisfied that it is not reasonably likely that the situation will be reversed. Separately, the Chancellor of the Exchequer can apply on the grounds that the winding-up of the bank would be in the public interest.

Recovery and Resolution Planning

Consistent with the requirements of the EU BRRD (as implemented in the UK), UK banks are required by the PRA to produce and maintain recovery plans, along with resolution packs, in order to reduce the risk that the failure of a UK bank could threaten the broader market or require government intervention in the form of taxpayer money being used for a bailout.

The PRA and BoE introduced a resolvability assessment framework for major banks in 2019, which supplements the recovery and resolution framework by requiring banks to undertake an assessment of their resolvability, submit it to the PRA and publish a summary of the assessment thereafter. The initial reporting and disclosure dates under the framework have been deferred as a result of the COVID-19 crisis.


The SRR gives the UK authorities powers to resolve a failing bank (or banking group company). It consists of five stabilisation options:

  • transfer to a private sector purchaser;
  • transfer to a bridge entity;
  • an asset management vehicle tool;
  • a bail-in tool; and
  • transfer to temporary public sector ownership.

It also includes a modified bank insolvency procedure that facilitates the FSCS in providing a prompt payout to depositors or a transfer of their accounts to another institution, and a bank administration procedure, for use where there has been a partial transfer of business from a failing bank.

The SRR tools may only be deployed where a bank is failing or likely to fail, where it is not reasonably likely that action will be taken that would result in the bank recovering, and where the exercise of resolution powers is in the public interest. In exercising the stabilisation powers, the resolution authority (generally the BoE, although temporary public ownership is reserved to HM Treasury) is required to have regard to a number of resolution objectives, including ensuring the continuity of banking services, depositor and client asset protection, financial stability and the need to avoid interfering with property rights.

On entry into resolution, the SRR requires the BoE to write down equity and write down or convert other capital instruments into common equity. The BoE has discretion to select the appropriate resolution tool to apply to resolve the bank. The main resolution tools are:

  • bail-in – the write-down of the claims of the bank’s unsecured creditors (including holders of capital instruments) and conversion of those claims into equity as necessary to restore solvency to the bank, which is intended to be applied to large banks;
  • transfer to a private sector purchaser or bridge bank – the transfer of all or part of a bank’s business to another bank or to a temporary bank controlled by the BoE, which is intended to be applied to smaller banks; and
  • finally, the modified insolvency regimes for the smallest banks.

Nationalisation is also provided for within the SRR framework as a last resort.

The regime carries with it a number of ancillary powers to enable the transfer of property, to stay default and other rights, and to take other action supporting resolution. Because these potentially affect property and other rights, the framework includes a number of safeguards, including a “no creditor worse off” provision designed to ensure that creditors and other stakeholders in the process are no worse off as a result of the resolution than they would have been had the bank been put into liquidation at the point of the resolution.

Insolvency Preference

Consistent with the requirements of the EU BRRD (as implemented in the UK), the UK insolvency framework includes depositor preferences. These prefer covered deposits (deposits protected by the FSCS). Eligible deposits (deposits by persons eligible for FSCS coverage over the FSCS limit) and deposits made by natural persons and micro, small and medium-sized enterprises that would be eligible deposits if they were taken in the UK are subordinate to covered deposits but rank ahead of other senior claims.


The UK officially left the European Union on 31 January 2020, and the post-Brexit transition period ended on IPCD, from which date passporting rights no longer applied to EU and UK banks. UK banks therefore lost the right to provide financial services in Europe based on passporting rights; EU banks that previously operated in the UK on the basis of passporting rights may temporarily continue to do so via the TPR. Legacy EU law was generally preserved in the UK through the process of onshoring (see 1.1 Key Laws and Regulations). The UK regulators are consulting on potential changes to the UK legislative and regulatory rulesets (including those applicable to banks) that may lead to increasing divergence between the EU and UK regulatory frameworks in the foreseeable future. The impacts of Brexit are described in more detail in the UK Trends and Developments chapter.

Wholesale Markets Review

HM Treasury has recently consulted on its wholesale markets review and is proposing reforms to the UK MiFID II framework. Some of the proposed changes overlap (to a certain extent) with current EU proposals considered by the EU authorities as part of their ongoing programme of MiFID II reviews. As indicated by HM Treasury, the UK does not intend to await the outcome of the EU review of the MiFID framework before proceeding with its own reforms. The UK government will provide further information on the review in due course; the FCA is also expected to publish consultation papers in the first half of 2022 on any changes resulting from the wholesale markets review that would require amendments to the FCA rules. 

Financial Services Future Regulatory Framework (FRF) Review

The FRF Review was initiated by HM Treasury to assess how the UK regulatory framework should be updated to ensure it reflects the UK’s position in the financial services space post-Brexit. HM Treasury has made recent proposals in this respect, related to matters such as the framework regarding the UK regulators’ review of their rules and the move towards a comprehensive FSMA model of regulation in areas currently covered by retained EU law. The consultation is open until 9 February 2022.

Financial Holding Company Regulation

Prior to 29 December 2020, where a corporate group that included a regulated bank was headed by an unregulated UK financial holding company (UK FHC), the position was that the UK FHC would not be responsible for the consolidated supervision of the group, with such responsibility falling on the regulated bank or investment firm within the consolidated group. From 29 December 2020, UK FHCs are subject to certain approval requirements under FSMA, and an approved UK FHC will now bear certain responsibilities relating to consolidated prudential requirements applicable to its group. For further detail, please consult the UK Trends and Developments chapter.

Consumer Duty

The FCA has consulted on the introduction of a new consumer duty, which would apply to any UK banks that provide services to retail clients. The current version of the proposed rules would, among other things, mandate minimum standards for the quality of service and the pricing of products, and require banks to take all reasonable steps to avoid causing foreseeable harm to retail customers. If the consumer duty is implemented, banks would have to raise their standard of consumer protection, and update their policies and processes accordingly. The FCA expects any new rules in this respect to be made by 31 July 2022.

Allen & Overy

One Bishops Square
London E1 6AD

+44 020 3088 0000

Trends and Developments



The UK’s Post-Brexit Agenda for Financial Services


The UK left the European Union single market on 31 December 2020 (known as IP Completion Date), following a short transitional period after its exit from the EU itself. One of the key selling points of Brexit was "taking back control", including of the UK legislative framework. In the financial services sector, EU law-making had steadily accelerated over the last 15 years, leaving the UK with a regulatory framework that was (and still is) dominated by legacy EU law. The process of moving away from the EU law template is now commencing, but will take a number of years. In this update, we consider access rights following Brexit, the "onshoring" of EU legislation and divergence, and the new regulatory framework for UK financial holding companies.


Brexit thankfully passed with relatively little disruption to financial markets. With effect from IP Completion Date, UK firms lost their "passport" – ie, the right to provide financial services across Europe. UK banks and other regulated firms had generally implemented plans to deal with the loss of passporting rights by creating or acquiring "onshore" EU-regulated businesses to enable them to continue to access EU markets from IP Completion Date, but with some exceptions – notably in the retail banking sector, where expatriate customers in some cases have had reduced access to UK banking services. Generally speaking, EU entities established for Brexit are still relatively nascent, and dependent upon UK financial and non-financial resources: the European Central Bank is likely to put pressure on foreign banks to put more substance into their EU affiliates over the coming year and beyond.

By contrast, EU banks active in the UK were granted transitional licences (under the so-called Temporary Permissions Regime, or TPR) to enable them to continue to provide services in and into the UK from IP Completion Date, pending applying for authorisation as a "third country" firm. Under the TPR, the UK regulators have the right to give so-called "landing slots" to TPR firms – requiring the submission of an application for authorisation within the three year period in which the TPR operates. The Prudential Regulation Authority (PRA) has generally not required landing slots for banks in the TPR as it had requested applications to be submitted well in advance of IP Completion Date. The Financial Conduct Authority (FCA) has now started to issue landing slots, and firms (including banks) that are solo regulated are now generally preparing applications for authorisation. Both the PRA and the FCA have taken the opportunity to reassess how they regulate international firms as they acquire full regulatory authority over formerly passported EU firms. This reassessment has resulted in policy documentation from each regulator, which poses some challenges for international banks. Questions of the responsibility of UK branches for cross-border services undertaken into the UK (typically from the head office), including retail services provided to expatriate retail clients, remain a sticking point, and the PRA’s policy approach raises questions around interdependencies between UK branches or subsidiaries and the wider organisation, including cross-border booking arrangements and outsourcings.

Taking back control: onshoring

Brexit was a major legislative and regulatory event. In addition to the loss of EU market access, UK banks and UK branches of international banks faced considerable domestic legislative and regulatory upheaval as a result of Brexit. Much of the regulatory framework applicable to UK-regulated firms was directly applicable EU law (such as the Capital Requirements Regulation) and policy materials generated by European authorities (including the European Banking Authority and the European Securities and Markets Authority). In order to fill the legislative and regulatory gap that would have emerged had such law and guidance fallen away, the UK government and regulators undertook a major exercise to provide a functioning statute book and rule-set from the date of exit from the EU – effectively "onshoring" EU law. In legislative terms, the European Union (Withdrawal) Act 2018 (as amended) (EUWA):

  • terminated the application of EU law from IP Completion Date;
  • converted EU law as it stood at IP Completion Date into domestic law and preserved laws made in the UK to implement EU obligations;
  • created temporary powers to make secondary legislation to enable corrections to be made to the laws that would otherwise no longer operate appropriately once the UK has left the Single Market;
  • brought to an end the jurisdiction of the Court of Justice of the EU in the UK; and
  • provided for Parliament’s oversight of the outcome of the government’s negotiations with the EU on the Withdrawal Agreement and the framework for the future relationship between the EU and the UK.

To make onshored EU legislation fit for purpose (eg, to eliminate single market rights, replace European with domestic bodies, and make consequential changes to references to EU law), the EUWA provided powers to make secondary legislation to deal with any failure of retained EU law to operate effectively or with any other "deficiency" in retained EU law that would arise on exit, and to sub-delegate the power to a public authority where it is best placed to deal with the deficiencies – for example, the Bank of England (BoE), the PRA and/or the FCA (as applicable) in the context of financial services.

HM Treasury (HMT) made more than 70 statutory instruments (SIs) to amend "onshored" EU legislation in the financial services sector, which largely came into force on IP Completion Date. HMT delegated powers to amend the European regulatory technical standards (RTS) and implementing technical standards (ITS), and delegated regulations to the FCA, BoE, PRA and/or the Payment Systems Regulator (PSR) in EU Exit Instruments, subject to the oversight of HMT. Each of the FCA, PRA and BoE published numerous EU Exit Instruments to address their respective areas of responsibility.

Although the resultant changes made by the onshoring process are largely technical (HMT indicated that it would not use the onshoring process to make policy amendments to onshored legislation), they carry with them a host of potentially material changes for financial market participants – eg, changes to risk weights of exposures of UK banks to EU banks. In order to provide transitional relief for the potential change in obligations, HMT brought forward legislation to allow regulators to grant some flexibility in applying new legislative requirements under the EUWA. Part 7 of The Financial Services and Markets Act 2000 (Amendment) (EU Exit) Regulations 2019 empowered the UK regulators to make directions that amended the effect of the onshored EU legislative rule-set in order to provide temporary relief from changes to pre-exit practice. The regulators each exercised their transitional powers broadly. These directions provide for a "standstill" of relevant obligations – in broad terms, obligations that begin to apply or apply differently in relation to which the regulator has responsibility for supervising or ensuring compliance. Each transitional power contains a list of exclusions – these are obligations that the regulators expressly did not standstill.

In October 2020, the FCA published an updated statement of its expectations for UK firms. This set out 13 areas in which the FCA considered it would be inconsistent with its statutory powers to use its transitional power, and in respect of which it expected UK firms to be preparing to comply from IP Completion Date (colloquially referred to as "must do" obligations). The statement provided that the FCA expected firms to undertake "reasonable steps to prepare to meet the new obligations by 31 December 2020". The FCA went on to say that it would "not take a strict liability approach and [did] not intend to take enforcement action against UK firms and other regulated entities for not meeting all requirements straight away, where there is evidence they have taken reasonable steps to prepare to meet the new obligations by 31 December 2020."

Critically, the FCA indicated that it would not require UK firms to implement other onshored substantive legal obligations for which it is responsible until March 2022, except where non-compliance is found to give rise to "serious and foreseeable harm". This effectively meant that UK firms could defer the implementation of other legislative and regulatory changes that came into force on 1 January 2021 until March 2022. This is referred to as "general relief".

The effect of the standstills and general relief has been to defer some of the operational changes needed as a result of the Brexit process.

Taking back control: divergence

The effect of the onshoring programme has been to leave the UK with a domesticated version of the EU rulebook. In a number of respects, that rulebook is not fit for purpose:

  • it is inflexible, being largely based in legislation, not rules;
  • it reflects the needs of EU, not UK, markets; and
  • it includes a number of areas in which the UK’s policy objectives diverge from those of the EU.

Movements towards reform of the framework are progressing at a number of different levels. To reform the UK regulatory system to make it more fit for purpose, the UK government launched a consultation in 2020 on the Future Regulatory Framework. This contemplates the medium-term migration of EU legislation into the regulators’ rulebooks, subject to the oversight of the government. Given the scale of the EU legislation in place, this exercise is going to take a number of years. In the meantime, there have been targeted areas in which the UK authorities have consulted on and/or implemented changes that diverge from the EU position. The former include changes in areas of the Markets in Financial Instruments Directive and Regulation (most of which are also under review in Europe), while the latter include changes to the transitional treatment of foreign benchmarks under the Benchmarks Regulation, and in the implementation of the remaining amendments to the prudential framework under the Capital Requirements Regulation 2.

UK-regulated firms were largely resigned to, and prepared for, the loss of their single market rights, but operationalising divergence will still continue to give rise to short and medium-term challenges for many. Divergence poses challenges for internationally active firms in particular: starting from the perspective of an integrated set of regulatory requirements across the EU and UK, points of divergence – as a result of both UK and EU changes – require firms to implement operational changes to reflect the different frameworks.

Financial holding company regulation

Changes to the prudential regulation of UK holding companies of banks are under way as a result of the implementation of changes to the EU Capital Requirements Directive (CRD V) on 29 December 2020. Prior to the CRD V changes, responsibility for consolidated supervision in a group headed by an unregulated UK financial holding company (FHC) fell to a regulated bank or investment firm within the consolidated group, rather than the UK FHC itself. From the implementation of CRD V, subject to certain transitional provisions discussed below, UK FHCs are subject to approval requirements under Part 12B of the Financial Services and Markets Act 2000 (FSMA) and to supervisory obligations under the Onshored CRR, unless exempt. Article 11 of the Onshored Capital Requirements Regulation (CRR) requires an approved UK FHC to be responsible for ensuring that its group meets a number of consolidated prudential requirements. However, for UK FHCs that were established as UK FHCs on 29 December 2020, Regulation 5 of the Financial Holding Companies (Approval etc) and Capital Requirements (Capital Buffers and Macro-prudential Measures) (Amendment) (EU Exit) Regulations 2020 provides transitional relief from the requirement for approval. The regulation provides that such UK FHCs are to be treated as possessing deemed approval for purposes of Part 12B of FSMA until the determination of an application for approval or 31 December 2021, whichever is earlier (provided that an application for approval was submitted by 28 June 2021).

The PRA approval regime

Section 192P(1) of FSMA provides that "no company may be established in the [UK] as a parent [FHC] unless – (a) the company is approved by the PRA; (b) the PRA has confirmed that the company is exempt from the requirement…; or (c) the subsidiary undertakings of the company do not include – (i) a credit institution, or (ii) a designated investment firm." An exemption exists for passive holding companies under Section 192P(2) of FSMA. This provides a number of conditions to the exemption, including that the FHC "does not take any management, operational or financial decisions affecting (i) the group as a whole, or (ii) any of its subsidiary undertakings which are institutions or financial institutions." In general, this condition is hard to reconcile with the obligations of the board of a holding company.

The PRA will only grant approval where certain conditions covering the following are satisfied:

  • the adequacy of the internal organisation of the group to ensure compliance with the prudential requirements of CRD and CRR on a consolidated or sub-consolidated basis;
  • the effect of the structure of the consolidated or sub-consolidated group on the supervisor’s ability to supervise it effectively; and
  • CRD requirements regarding qualifying holdings and the fitness and propriety of members of the management body of the FHC.

Once an FHC has been approved, it will be responsible for discharging the consolidated prudential requirements of the UK group (or subgroup), and will be subject to new regulatory powers enabling the PRA to take action against it. In-scope UK banking groups that exercise group governance, risk and reporting at operating bank level will need to migrate governance and resources to their FHC.
