In the United Kingdom’s (UK) legislative, regulatory and supervisory framework, the legally operative perimeter is not the colloquial “bank” label but the regulated activity of accepting deposits under Part 4A of the Financial Services and Markets Act 2000 (FSMA 2000) and the authorisation of “deposit-takers”. For prudential purposes, the onshored UK Capital Requirements Regulation (UK CRR) and Prudential Regulation Authority (PRA) Rulebook use the term “credit institution”, but authorisation is granted under FSMA Part 4A permissions. In simple terms, a firm that accepts deposits or other repayable funds from the public and lends on its own account will ordinarily require authorisation, and is supervised as a bank or building society.

The following firms, while regulated, generally fall outside the deposit taker regime unless they also conduct regulated deposit-taking:

• investment firms authorised under the UK Markets in Financial Instruments Directive (MiFID) framework and the Investment Firms Prudential Regime (IFPR) administered by the Financial Conduct Authority (FCA);
• payment institutions and electronic money institutions under the Payment Services Regulations 2017 (PSR 2017) and Electronic Money Regulations 2011 (EMR 2011) (client funds safeguarded, but not “deposits”); and
• non-bank credit providers funded via capital markets or wholesale lines (subject to consumer credit or mortgage regulation, where applicable).

UK banking groups may include financial holding companies and mixed-activity holding companies subject to consolidated supervision by the PRA. Following Brexit, the UK maintains extensive onshored EU law, but divergence has emerged in targeted areas, driven by the PRA’s strong and simple prudential agenda, Basel 3.1 implementation choices and UK conduct reforms such as the Consumer Duty.

The UK benefits from a comprehensive, FSMA-centred legal and regulatory framework for banks, complemented by retained EU law and extensive regulator-made rules. The principal sources are FSMA, the Banking Act 2009, the UK CRR and the rulebooks of the PRA and FCA. These are supported by HM Treasury statutory instruments and policy materials, as well as statements of policy and supervisory statements issued by the Bank of England (BoE) and PRA.

Following Brexit, the UK onshored relevant EU regulations and technical standards to ensure continuity, with ongoing reforms under the Financial Services and Markets Act 2023 (FSMA 2023) designed to replace retained EU law with a domestically tailored framework. The UK CRR continues to set core prudential requirements, though substantial elements have migrated (and will further migrate) into the PRA Rulebook as the UK implements Basel 3.1 and broader “Smarter Regulatory Framework” reforms. In addition to FSMA and the UK CRR, sectoral legislation such as the PSR 2017 and EMR 2011 apply to specific activities.

Principal Laws and Regulations

The UK banking prudential and supervisory framework rests on a combination of primary and secondary legislation as well as regulatory rules and policy materials issued by the BoE, PRA and FCA. Key instruments include the following.

• FSMA 2000, as amended by the Financial Services Act 2012 and FSMA 2023, which provides the statutory architecture for authorisation, supervision and rulemaking. FSMA is the foundation statute for UK financial services regulation. It establishes the “general prohibition” (Section 19 FSMA 2000), making it a criminal offence to carry on a regulated activity in the UK unless authorised or exempt. The specification of regulated activities and exclusions is set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). For deposit-takers, the defining regulated activity is accepting deposits, although most universal banks will also require permissions spanning investment business, consumer credit, mortgages and insurance distribution, and may undertake payment services and issue e-money pursuant to the PSR 2017 and the EMR 2011, respectively.
• The UK CRR and the PRA Rulebook, implementing Basel standards across Pillar 1 capital, leverage, liquidity (liquidity coverage ratio (LCR) and net stable funding ratio (NSFR)), large exposures, reporting and Pillar 3 disclosure, complemented by PRA supervisory statements and policy statements.
• The Banking Act 2009, establishing the UK’s Special Resolution Regime (SRR), resolution tools, Minimum Requirement for Own Funds and Eligible Liabilities (MREL) and the BoE’s resolution authority functions.
• Leveraged lending and wholesale credit risk: the PRA continues to scrutinise leveraged lending activities, focusing on underwriting standards, pipeline risk, leveraged lending definitions, covenant robustness, enterprise value dependency and stress testing of leveraged portfolios. Banks must demonstrate prudent risk appetite, sectoral concentration management and governance over underwriting commitments, including syndication pipeline risk.
• The Ring-Fencing regime (FSMA 2013 amendments and the Ring-Fenced Bodies (RFB) framework) applicable to the largest UK banking groups engaged in core retail deposit taking.
• ICARA and wind-down planning expectations: FCA reviews of investment firms under the Investment Firms Prudential Regime (IFPR) have highlighted deficiencies in wind-down triggers, liquidity projections, stress testing and operational readiness to execute wind-down plans. Banks with IFPR subsidiaries must ensure group-aligned recovery/wind-down strategies, realistic cost projections, and operational capability to execute orderly wind-down without crystallising client harms.
• Anti-money laundering/countering the financing of terrorism (AML/CFT) legislation: the Money Laundering Regulations 2017, as amended, the Proceeds of Crime Act 2002 and the Sanctions and Anti-Money Laundering Act 2018, with the Office of Financial Sanctions Implementation (OFSI) responsible for sanctions enforcement.
• Operational resilience and information and communication technology (ICT) frameworks delivered through PRA/FCA policy (notably PS21/3 and SS1/21 on operational resilience) and the emerging Critical Third Parties regime under FSMA 2023.
• The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for data protection, the Network and Information Systems Regulations for cyber, and the FCA’s Consumer Duty for retail conduct outcomes.

The PRA supervises safety and soundness (prudential) and is the competent authority for deposit-takers. The FCA supervises conduct across retail and wholesale activities and prudentially supervises non-systemic non-deposit takers under the IFPR. The BoE acts as the UK resolution authority. Competition and payments regulation is overseen by the Payment Systems Regulator (PSR), which is being fully absorbed into the FCA and the Competition and Markets Authority (CMA). The Financial Services Compensation Scheme (FSCS) provides depositor protection.

While many prudential requirements reflect Basel standards similarly to the EU, European passporting no longer applies. Market access is governed by the UK’s domestic regime for UK entities and overseas firms, with a tailored Third-Country Branch (TCB) framework and limited equivalence in specific market segments.

Banking Regulators

UK banks are dual-regulated.

• The PRA (a part of the BoE) is the prudential regulator for banks, building societies and PRA designated investment firms. Its primary objective is the safety and soundness of firms; it also has competition and international competitiveness/growth secondary objectives.
• The FCA is the conduct regulator for all authorised firms and the prudential regulator for firms outside the PRA’s remit. It oversees consumer protection, market integrity, competition and competitiveness/growth secondary objectives.

Moreover, the following are worth highlighting.

• The BoE acts as the UK resolution authority under the Banking Act 2009 and leads on macro-prudential policy through the Financial Policy Committee.
• The Financial Ombudsman Service (FOS) adjudicates eligible complaints and provides binding redress where determinations are accepted. The PSR oversees designated payment systems and their participants; consolidation of the PSR into the FCA has been signalled by government to streamline regulatory burdens.

Local Particularities

Distinctive features of the UK regime include the following.

• A ring-fencing regime separating core retail banking from investment/wholesale activities for groups above thresholds set in FSMA Part 9B.
• A developed resolution framework (the “Special Resolution Regime”) with minimum requirements for own funds and eligible liabilities (MREL) calibrated to resolution strategy.
• A robust individual accountability regime via the Senior Managers and Certification Regime (SM&CR).
• A comprehensive operational resilience framework spanning both prudential and conduct expectations.
• Part 7 FSMA 2000 provides a court-sanctioned mechanism for transfers of all or part of the business of deposit-taking banks. The regime facilitates transfers without counterparty consent, subject to regulator engagement, customer and public notifications and court scrutiny of statutory criteria. Pure investment banks cannot generally use the banking business transfer scheme except as part of a broader intra-group transfer involving deposit-taking.

Besides banks (credit institutions), UK authorised payment institutions and e-money institutions are regulated under dedicated regimes; PRA-designated investment firms are prudentially supervised akin to deposit-takers.

Smarter Regulatory Framework – Implementation Roadmap

The PRA and HM Treasury are progressing the staged repeal and replacement of retained EU law under the Smarter Regulatory Framework. Between 2025 and 2028, key areas of the UK CRR are scheduled to be revoked and replaced by PRA rules, including capital definitions, credit risk, market risk, operational risk and securitisation. Firms will need to align ICAAP/ILAAP, model change, Pillar 3 disclosures and governance programmes with the PRA’s sequencing, including Basel 3.1 (which has currently stalled due to international discussions, and was scheduled to go live on 1 January 2027), transitional floors and updated reporting taxonomy. Boards should receive structured oversight packs mapping existing EU-derived obligations to successor PRA Rulebook provisions to ensure continuous compliance.

Authorisation Requirements

Any person (individual, body corporate, partnership or unincorporated association) must be authorised or exempt to carry on a regulated activity in the United Kingdom. A Part 4A permission under FSMA is required, with the PRA acting as the decision-maker where the application includes a PRA regulated activity (notably accepting deposits, effecting or carrying out contracts of insurance as principal and certain Lloyd’s activities) and the FCA acting in all other cases. Where dual regulation applies, the PRA leads the process and FCA consent is required prior to granting.

Certain activities fall under separate registration or authorisation regimes (including payment services providers and e-money institutions, certain mutual societies, consumer buy-to-let firms and specified crypto-asset firms for anti-money laundering purposes). Firms should map proposed business lines against the RAO and relevant perimeter guidance to determine whether activities are regulated and, if so, the appropriate licensing route.

A person must not carry on regulated activities in the UK by way of business unless authorised or exempt. For banking, the relevant permission is authorisation under FSMA 2000 Part 4A to carry on the regulated activity of accepting deposits. The PRA is the decision-maker for deposit-taker authorisations, with FCA consent.

Assessment Standards and Threshold Conditions

Applications are assessed against the statutory “threshold conditions” and supervisory expectations. Emphasis is placed on robust governance, adequate financial resources, effective risk management, operational resilience, systems and controls, and the suitability of controllers and senior managers.

Initial capital and prudential resources must be commensurate with the proposed business, reflecting UK Capital Requirements Regulation and the PRA Rulebook (including Basel aligned Pillar 1 minimums and applicable buffers). Building societies are subject to parallel frameworks under specialist legislation and PRA rules.

Applicants must present a credible programme of operations, including a business plan, the Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP), a recovery plan and wind-down planning where appropriate. Outsourcing and third-party risk management frameworks should be mature, with operational resilience mapping of important business services and defined impact tolerances.

Governance arrangements must meet the requirements of the SM&CR, with clear allocation of prescribed responsibilities, fit-and-proper assessments, statements of responsibilities and embedded conduct rules.

Systems and controls must be proportionate and effective, covering data, risk, compliance, internal audit, model governance and reporting, with appropriate independent oversight.

Authorisation With Restrictions and Mobilisation

The PRA may authorise firms with limitations or requirements, and where suitable offers an optional “mobilisation” phase (authorisation with restrictions) to support orderly build-out following authorisation. New banks may elect to enter mobilisation – typically for up to 12 months – with constrained deposit-taking while completing systems, staffing and third-party arrangements. PRA supervisory statement SS3/21 sets expectations for new and growing non-systemic UK banks across business models, governance, risk management and capital, and emphasises orderly exit planning if the bank fails.

Cross-Border Considerations

The PRA may authorise UK branches of international banks where criteria are met; larger or more complex cross-border structures may be required to operate through a UK subsidiary, subject to prudential and resolvability considerations. The FCA assesses conduct readiness, including product governance, disclosures, complaints-handling and Consumer Duty compliance for retail propositions.

Licensing Process

Pre-application engagement with the PRA/FCA is strongly encouraged and is expected for prospective banks. Applications are made via the PRA (email submission) for PRA-regulated activities and via the FCA’s Connect for FCA solo-regulated firms. A complete application must evidence that the firm will meet and continue to meet the threshold conditions (Schedule 6 FSMA 2000) and be capable of effective supervision. Typical core components include the following.

• A tailored regulatory business plan setting out the business model, governance, customer journey, approach to vulnerable customers, compliance architecture, complaints, staff training, incentives, capital and liquidity, and key policies and procedures. For firms within scope of the Consumer Duty, the plan must evidence how good outcomes for retail customers will be delivered and monitored, supported by product governance, fair value assessments, customer understanding testing, outcomes monitoring and appropriate management information (MI).
• Controllers’ forms for each proposed controller, with clear ownership and control maps.
• SM&CR applications for designated Senior Management Functions (SMFs) and allocation of prescribed responsibilities, and the firm’s certification and conduct rules frameworks.
• Financial information should include historic data where relevant, forward projections and – where required – a credible wind-down plan evidencing an orderly exit with minimal adverse customer and market impact.

The PRA and FCA scrutinise the completeness and internal coherence of documentation. The FCA has published areas of good practice and improvement requests seen across applications, including:

• clarity of ownership/control;
• UK centre of decision-making where operations are offshore;
• practical allocation of time for individuals with multiple roles;
• evidence of the embedding of Consumer Duty within policies; and
• credible information technology (IT) systems plans.

Smaller firms are not excused substance: policies must be tailored, consistent and operational, and not restatements of rules.

Statutory determination periods are six months for complete applications (three months for insurance distribution only). In practice, end-to-end timelines are highly sensitive to the quality of pre-application preparation and completeness of first submission.

Process and Timelines

The statutory decision period is up to six months from the date that a complete application is received (and up to 12 months if incomplete). In practice, timelines are highly sensitive to the quality of pre-application preparation and the completeness and coherence of the initial submission.

Activities and Services

Regulated activities are those specified under FSMA 2000 and secondary legislation (notably the RAO), including accepting deposits, lending, payment services, custody, dealing and underwriting. Ancillary services may be carried on in accordance with the firm’s permissions and the scope articulated in the regulatory business plan. UK perimeter guidance and the “general prohibition” in FSMA 2000 delineate when activities are considered carried on in the UK and therefore require authorisation or exemption.

Overseas firms and third-country branches

Passporting has ceased between the UK and Gibraltar. Third-country firms require UK authorisation to establish a branch or subsidiary to carry on regulated activities in the UK. The PRA operates a risk-based framework for third-country businesses, focusing on:

• the scale and risk profile of UK activities;
• supervisory co-operation and equivalence of home jurisdiction oversight;
• booking arrangements and local risk management of UK-generated risks; and
• resolution co-operation and resolvability, including the BoE’s ability to achieve SRR objectives.

The PRA may require subsidiarisation where warranted by systemic footprint, criticality of services or insufficient home host co-operation.

Non-UK banks can operate via a UK subsidiary (requiring full authorisation) or a UK branch (branch authorisation). The PRA/FCA has published distinct approaches to international firms, reflecting supervisory challenges of cross-border operating models, resolvability and home/host co-ordination. In certain cases, subsidiarisation may be required. Pure cross-border provision from overseas without a UK place of business raises complex perimeter questions; for accepting deposits, the activity is typically regarded as carried on where the account is located, but marketing restrictions and other regime specific requirements still apply.

Prior approval is required under the UK Change in Control regime in Part XII of the FSMA 2000 for any person proposing to acquire or increase “control” over a UK authorised firm, including banks.

The PRA/FCA jointly assess:

• the acquirer’s reputation and financial soundness;
• the suitability of proposed appointees;
• the institution’s ongoing compliance; and
• the risks of money laundering or terrorist financing.

The regulators may object, impose conditions or approve.

Applications may be approved unconditionally, approved with conditions or refused; proceeding without approval is a criminal offence. The PRA expects banks to monitor controllers and report significant events, and to report annually on controllers. Prospective investors from non‑Financial Action Task Force (FATF) compliant jurisdictions face elevated scrutiny given that money laundering/terrorist financing risk is a mandatory assessment criterion.

Control and Qualifying Holding

For UK purposes, “control” captures direct or indirect holdings at, or crossing, prescribed percentage thresholds of capital or voting rights, as well as situations conferring significant influence over the management of the authorised firm. A “qualifying holding” is broadly a direct or indirect holding of 10% or more of capital or voting rights, or any holding otherwise enabling significant influence over management. The regime applies to acquisitions or increases in control effected individually or through concerted action, indirect structures or other arrangements such as shareholder agreements.

Notification Thresholds

The regime operates in parallel with the EU-derived “qualifying holdings” framework under the Capital Requirements Directive, and thresholds are aligned with EU practice. Prior notification and approval are required when proposing to acquire or increase control at the 20%, 30% and 50% thresholds, or to become the authorised firm’s parent (ie, acquisition of subsidiary status). Disposals crossing the same thresholds are subject to notification. The regulators also expect firms and acquirers to consider look‑through holdings, aggregation across concert parties and the prudential impact of intra‑group restructurings, which may remain in scope notwithstanding the absence of external third parties.

Process and Assessment Period

Notifications must be made to the appropriate regulator before the proposed acquisition or increase occurs. The statutory assessment period begins once the regulators acknowledge a complete notification, and may be paused for information requests. The application may be approved unconditionally, approved subject to conditions or refused. Regulators have powers to object, attach conditions or impose directions, including restrictions on voting rights or requirements to divest. The PRA expects banks to maintain robust monitoring of their controllers, report significant events and provide annual returns on controllers.

Assessment Criteria

The PRA and FCA apply harmonised criteria reflecting EU practice and joint supervisory guidance. The assessment addresses:

• the acquirer’s reputation and financial soundness;
• the reputation, experience and governance of proposed appointees;
• the institution’s ongoing capacity to meet prudential and conduct requirements post‑transaction; and
• the risks of money laundering or terrorist financing.

Investors from jurisdictions with weaker AML/CFT frameworks can expect heightened scrutiny given the mandatory focus on financial crime risk.

Intra-Group Transactions

Intra‑group restructurings may require notification where thresholds are crossed or control is altered, particularly if the changes affect prudential consolidation, resolution strategies or supervisory oversight. Firms should assess the structure and impact of internal reorganisations against the regime’s thresholds and the regulators’ emphasis on sound and prudent management.

Decreasing Control Over a Credit Institution

Disposals or reductions in holdings that cross the prescribed thresholds must be notified. Supervisors will consider whether reductions compromise the firm’s sound and prudent management or group supervision arrangements. Depending on the transaction’s nature and prudential impact, certain corporate actions – such as mergers, de‑mergers, material asset transfers or divisions – may also require approval under evolving capital requirements legislation.

Consequences of Non-Compliance

Completing a notifiable acquisition or increase without prior approval constitutes a criminal offence and may lead to supervisory action, including objections, conditions, directions limiting voting rights or governance participation and requirements to dispose of shares. The regulators retain discretion to intervene to protect the safety and soundness of the firm and the integrity of the financial system.

UK governance standards emphasise a robust and effective board, clear segregation between management and oversight, and strong, independent control functions. The PRA Fundamental Rules and FCA Principles for Businesses set high‑level obligations, complemented by detailed organisational requirements in the PRA Rulebook. Boards must set “tone from the top” and evidence active challenging, particularly on risks to viability and resolvability.

The PRA’s Fundamental Rules and supervisory statements require:

• a coherent organisational structure with clear lines of responsibility;
• independent and adequately resourced risk management, compliance and internal audit, with direct escalation to the board;
• effective model risk management, data aggregation and reporting consistent with Basel Committee on Banking Supervision Regulation 239 (BCBS 239) principles;
• sound outsourcing and third‑party risk management, including intra-group arrangements, with contractual rights and oversight consistent with operational resilience expectations; and
• remuneration policies aligned with prudent risk‑taking, malus and claw-back, and shareholder oversight – the UK has removed the bonus cap for PRA/FCA‑regulated firms, with proportionality and robust risk adjustment remaining central.

Boards must set and oversee risk appetite, ensure a healthy risk culture and embed conduct expectations, including Consumer Duty outcomes for retail business. Diversity, independence and challenge are active supervisory themes.

Ring‑fenced banks (RFBs) are subject to additional structural independence requirements from other group entities. Groups with bail‑in strategies are expected to organise issuance and subordination of loss‑absorbing instruments to support resolvability.

SM&CR

The SM&CR establishes clear individual accountability. SMFs require pre‑approval, with prescribed responsibilities allocated to identified individuals and a duty of responsibility to take reasonable steps to prevent regulatory breaches within their remit. Firms must maintain an up‑to‑date governance responsibilities map and Statements of Responsibilities for each SMF holder.

The Certification Regime component of the SM&CR applies to “significant harm” roles and requires annual fit‑and‑proper certification by the firm.

Across all SM&CR firms, conduct rules apply broadly across the workforce, with additional, higher‑level rules for senior managers.

Although targeted simplifications to the SM&CR framework have been consulted on, the core accountability architecture remains intact and supervisors continue to focus on evidence of reasonable steps, clarity of responsibility and effective oversight.

Diversity

Regulators continue to emphasise the link between diversity and inclusion (D&I) and effective risk management, conduct and innovation. While certain proposed D&I rules were not taken forward (save for non‑financial misconduct work), supervisory expectations remain that firms integrate D&I into governance, remuneration and product design, particularly when serving diverse retail customers. Culture remains a cross‑cutting supervisory priority, with the Consumer Duty expected to strengthen consumer‑centric cultures.

Voluntary Codes and Industry Initiatives on Corporate Governance and Conduct of Business Standards

Many institutions adopt national codes and international standards to strengthen governance and conduct. In the UK, relevant frameworks include the UK Corporate Governance Code and other best‑practice guidance issued by professional bodies. Internationally recognised principles – such as those of the Financial Stability Board (FSB) and Basel Committee on corporate governance – are commonly reflected in firms’ governance frameworks and in supervisory assessments. These voluntary and industry standards complement regulatory requirements and support credible, transparent and stakeholder‑focused governance.

Under the SM&CR, individuals performing SMFs must not commence their roles until regulatory approval is granted. Approval is predicated on the firm demonstrating that the candidate is fit and proper against the established criteria of honesty, integrity and reputation, competence and capability, and financial soundness. A clear and up‑to‑date Statement of Responsibilities must be maintained for each senior manager and – where applicable – an organisationally coherent Management Responsibilities Map must be maintained to evidence clear lines of accountability, reporting and decision‑making. Firms must implement robust onboarding and ongoing oversight arrangements, including pre‑employment screening, regulatory references and annual fit-and-proper assessments for certified staff, supported by comprehensive record‑keeping.

All in‑scope staff (other than those in ancillary roles) are subject to the conduct rules, and firms must deliver role‑appropriate training, maintain evidence of compliance and notify the regulator promptly of any breaches in line with the prescribed reporting framework. The regulators may object to, condition or withdraw approvals and may require remediation where governance is deficient, including through skilled-person reviews, business restrictions or supervisory interventions. Senior managers are subject to the duty of responsibility, requiring them to take reasonable steps to prevent regulatory breaches in their areas of accountability, with breach consequences that may include public censure, fines and prohibition. Firms should ensure that governance arrangements, delegation frameworks and escalation protocols allow senior managers to discharge their responsibilities effectively, with clear MI, challenge from control functions and periodic board oversight of SM&CR compliance.

The PRA and FCA Remuneration Codes apply to material risk takers (MRTs) on a proportional basis for certain smaller firms and staff. Banks are required to ensure that remuneration policies promote sound risk management and avoid excessive risk-taking. Key expectations include the following.

• An appropriate balance between fixed and variable pay. However, the removal of the bonus cap allows flexibility subject to risk alignment, though firms must ensure enhanced governance around variable pay to avoid unduly risky incentives.
• Deferral and instrument‑based payment of a substantial proportion of variable remuneration, with higher deferral for senior staff and larger awards.
• Robust malus and claw-back, with restrictions on guaranteed bonuses and termination payments that would reward failure. The aim is to ensure that remuneration is in alignment with risk appetite and long‑term firm interests.
• Pillar 3 disclosures on remuneration remain in scope for larger institutions.

Staff Subject to the Remuneration Requirements

The Remuneration Codes apply firm‑wide at the level of policy, governance and risk alignment, and apply more prescriptively to identified staff whose activities have a material impact on the risk profile. These typically include senior managers, members of the management body, heads of business units, individuals in control functions (risk, compliance, internal audit) and other MRTs identified through qualitative criteria (role, authority, decision‑making) and quantitative thresholds (total remuneration or variable pay relative to peer groups and business unit risk). Identification must be performed annually, with appropriate documentation of the methodology, rationale and outcomes, and must capture changes in roles, structures and risk drivers. Where individuals are not formally designated but perform equivalent responsibilities or exercise comparable influence, firms should treat them as in scope. Staff not designated as MRTs remain subject to overarching remuneration principles and governance standards, with proportional application of specific requirements depending on the firm’s categorisation.

Remuneration Principles

Remuneration must be governed by a competent and independent remuneration committee for significant firms, with risk and compliance functions providing input and challenge. Policies should be consistent with business strategy, risk appetite, capital and liquidity plans, and should incorporate ex ante and ex post risk adjustment. Performance assessment must be multi‑year, using a balanced scorecard that reflects financial performance, risk and conduct outcomes, and the achievement of strategic and sustainability objectives.

Variable remuneration should be subject to deferral over appropriate time horizons, with longer deferral and vesting schedules for senior roles and larger awards and a meaningful proportion delivered in appropriate instruments (eg, shares or share‑linked instruments) to mirror long‑term stakeholder outcomes. Malus and claw-back must be clearly articulated, legally enforceable and triggered by specified events such as misconduct, poor risk outcomes, material restatements or regulatory sanctions, with look‑back periods calibrated to the firm’s risk cycle and seniority of staff.

Guaranteed variable remuneration and retention awards should be exceptional, subject to strict conditions and must not undermine prudent risk management; buy‑outs must preserve malus and claw-back. Severance should reflect performance over time and should not shield individuals from the consequences of misconduct or risk failings. Personal hedging or insurance that undermines risk alignment is prohibited, and firms must monitor for circumvention. The ratio of fixed to variable pay should support prudence and resilience, with robust justification and board oversight where higher variable pay is proposed. Disclosure must be clear, consistent and sufficiently granular to demonstrate the link between remuneration structures and risk outcomes, including the operation of deferral, instrument delivery and ex post risk adjustment.

UK‑authorised firms must maintain robust systems and controls to prevent, detect and report financial crime under the Proceeds of Crime Act 2002, the Terrorism Act 2000, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (the “MLRs”), the Bribery Act 2010, the Criminal Finances Act 2017 and the Sanctions and Anti‑Money Laundering Act 2018, together with applicable UK sanctions regulations and guidance issued by the OFSI.

The FCA supervises compliance for most financial services firms through its Principles for Businesses, the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook  and the SM&CR. The Joint Money Laundering Steering Group (JMLSG) Guidance sets out industry‑recognised good practice and is a key reference point for demonstrating compliance.

The FCA expects firms to evidence end‑to‑end financial crime risk assessment, control design and effectiveness testing commensurate with the nature, scale and complexity of the business and its customer base. Material AML/CFT deficiencies are treated as governance failings with prudential and conduct consequences.

Core AML/CFT obligations in the FCA’s SYSC sourcebook include:

• risk‑based customer due diligence, identification and verification of customers and beneficial owners, ongoing monitoring and enhanced due diligence for higher‑risk relationships (including politically exposed persons (PEPs));
• ongoing compliance with sanctions screening and asset‑freezing compliance;
• a designated Money Laundering Reporting Officer (MLRO), staff training, independent audit and governance oversight; and
• timely suspicious activity reporting.

The FCA expects firms to evidence risk assessment, control design and effectiveness, calibrated to the nature, scale and complexity of the business.

The UK AML/CFT framework requires risk‑based customer due diligence (CDD), screening and ongoing monitoring under the MLRs, with group‑wide policies and information‑sharing across UK and non‑UK establishments. Enhanced due diligence applies to higher risk cases, including PEPs and complex or unusual transactions. Suspicious activity reports must be filed with the National Crime Agency.

Material AML/CFT failings are treated as governance issues with prudential consequences. Equally, one should note that the Economic Crime and Corporate Transparency Act 2023 introduced a “failure to prevent fraud” offence applicable to large organisations, including banks. Firms must maintain reasonable procedures to prevent fraud by associated persons, including staff, agents and certain third parties. This intersects with AML/CFT frameworks, requiring enhanced fraud risk assessments, control design, training and oversight methodologies.

Customer Due Diligence and Ongoing Monitoring

Firms must operate risk‑sensitive CDD and KYC procedures at onboarding and throughout the relationship life cycle. This includes:

• identifying and verifying customers using reliable, independent sources;
• establishing and verifying ultimate beneficial ownership and control;
• assessing complex ownership structures; and
• obtaining sufficient information to understand the purpose and intended nature of the relationship.

Ongoing monitoring must be calibrated to the customer’s risk profile and the firm’s business model and should comprise transaction monitoring, periodic KYC refresh, event‑driven reviews and screening against relevant sanctions and watchlists. Enhanced due diligence (EDD) is required in higher‑risk situations, including for PEPs, business relationships or transactions involving high‑risk third countries, correspondent banking, complex or unusual transactions and other elevated risk indicators. For PEPs, firms should adopt a genuinely risk‑based approach in accordance with the MLRs and FCA guidance, applying proportionate EDD and senior approval where appropriate, without automatic de‑risking.

Where group structures are in scope, Regulation 20 of the MLRs requires group‑wide AML/CFT policies, controls and procedures, including information‑sharing arrangements, that ensure consistent standards across UK and non‑UK branches and subsidiaries. Where local law restricts intra‑group information-sharing, firms must implement additional, risk‑mitigating measures and maintain oversight to the extent permitted.

Reporting, Record-Keeping and Supervisory Co-Operation

Suspicious Activity Reports (SARs) must be submitted to the UK Financial Intelligence Unit within the National Crime Agency as soon as practicable where knowledge or suspicion of money laundering or terrorist financing arises. Firms must observe applicable consent (defence against money laundering) and moratorium processes, and avoid tipping off. Internal reporting lines should ensure that front‑line staff escalate suspicions promptly to the MLRO.

The MLRs require firms to retain CDD records and transaction data for the statutory period, and to ensure data completeness, accuracy and retrievability. Firms must be able to provide timely, accurate information to competent authorities upon request. Effective engagement with the FCA, the PRA (where relevant), OFSI and law enforcement is integral to the UK’s co-ordinated AML/CFT architecture.

Governance, Resourcing and Accountability

Firms must appoint a suitably senior and independent MLRO (SMF17) and ensure that the compliance oversight function (SMF16) and other relevant senior managers have clearly delineated responsibilities under the SM&CR, supported by an up‑to‑date Statement of Responsibilities and a Responsibility Map. AML/CFT risk management should be embedded across the three lines of defence, with clear escalation routes, periodic independent testing and validation of models and monitoring tools, and board‑level oversight.

Adequate resourcing is essential, including appropriately skilled personnel, training tailored to roles and risks, and technology capable of effective screening, transaction monitoring and case management. Outsourcing arrangements must be overseen pursuant to SYSC and applicable outsourcing guidance, ensuring retained accountability, auditability and resilience.

Sanctions and Restrictive Measures

UK sanctions and restrictive measures adopted under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) and implementing regulations are directly binding, and must be fully embedded in onboarding, screening, payment filtering and asset control processes. Firms must:

• implement immediate asset freezes and transaction prohibitions for designated persons and entities;
• undertake ownership and control look‑through in line with OFSI guidance;
• maintain audit trails; and
• ensure rapid updates to sanctions lists and controls as measures evolve.

Breaches may attract civil monetary penalties on a strict liability basis, regulatory action and criminal enforcement. Where appropriate, firms should seek licences from HM Treasury to enable otherwise prohibited activity, and should maintain robust licence management and assurance processes.

Sector‑Specific Considerations and Cross‑Cutting Risks

Firms should consider cross‑sector obligations and risks, including the register of overseas entities regime, Companies House reforms and developments under the Economic Crime and Corporate Transparency Act 2023 (including corporate criminal liability reforms). Businesses operating in higher‑risk sectors or offering correspondent banking, trade finance, payment services or crypto-asset services supervised under the MLRs should calibrate controls to sector‑specific risks, including implementation of the wire transfer “travel rule” requirements and cross‑border information sharing consistent with UK law.

The Financial Services Compensation Scheme (FSCS) provides deposit protection up to GBP85,000 per eligible depositor per firm. Temporary high balances enjoy enhanced, time-limited protection in defined circumstances. Membership of the FSCS is mandatory for PRA-authorised deposit-takers. Payout speed is targeted at seven days for most cases. UK branches of non-UK banks are subject to UK disclosure and protection rules applicable to their authorisation status.

Prudential requirements for UK banks and PRA‑designated investment firms derive from the UK CRR (as onshored and amended) and the PRA Rulebook, supplemented by supervisory statements. Since 1 January 2022, significant portions of the UK CRR (liquidity, leverage, large exposures, certain CCR and reporting/disclosure) have been migrated into PRA rules as part of the UK’s implementation of CRR II‑related Basel standards. The PRA continues to move towards full UK‑specific rulemaking under FSMA 2023, with further migration envisaged under the UK’s Basel 3.1 implementation from 1 January 2027.

At a high level, prudential requirements span Pillar 1 (minimum risk‑based capital and liquidity), Pillar 2 (ICAAP/ILAAP with Supervisory Review and Evaluation Process (SREP)‑driven add‑ons) and Pillar 3 (public disclosure). Firms must also meet leverage requirements (for larger firms) and MREL set by the BoE where relevant, in addition to maintaining adequate financial resources at all times.

Basel III Standards Implementation

Although the Basel III standards do not have direct legal effect in the UK, their substance has been progressively incorporated into EU law (while the UK was an EU member state) through the CRR and the Capital Requirements Directive (CRD) and subsequently onshored into UK law. As a result, the prudential regime applicable to UK credit institutions broadly reflects the Basel framework, adapted to UK-specific policy objectives and applied across the UK banking sector. The UK has implemented Basel III through the UK CRR, the PRA Rulebook and supervisory statements, with ongoing Basel 3.1 finalisation via PRA reforms. The regime includes the following.

• Pillar 1 risk‑based capital minimums: total capital 8% of RWA, with Tier 1 and Common Equity Tier 1 (CET1) sub‑components, overlaid by combined buffers (Capital Conservation Buffer (CCoB), Countercyclical Capital Buffer (CCyB) and systemic buffers for Global Systemically Important Institution (G‑SIIs)/Other Systemically Important Institution (O‑SIIs) and any sectoral Systemic Risk Buffer (SyRB)).
• Leverage ratio requirements for larger institutions and systemically important firms, with a G‑SII leverage buffer where applicable.
• Liquidity standards: LCR and NSFR, with asset eligibility and calibration aligned with UK CRR and PRA policy.
• Large exposure limits anchored to Tier 1 capital and connected client aggregation.
• Pillar 2: the PRA’s SREP determines firm‑specific Pillar 2 Requirements (P2R)/Pillar 2 Guidance (P2G) for idiosyncratic risks not fully captured under Pillar 1, including Interest Rate Risk in the Banking Book (IRRBB), concentration risk, model risk and outsourcing/ICT risks. ICAAP and ILAAP expectations emphasise robust stress testing, credible management actions and clear risk appetite metrics.
• Model risk: permissions for internal models are subject to stringent approval and ongoing validation, with PRA scrutiny similar in intensity to ECB Targeted Review of Internal Models (TRIM)‑style benchmarks, focusing on data quality, parameterisation and back‑testing. Output floor implementation under Basel 3.1 will constrain model variability over time.
• Model risk management (MRM): the PRA’s evolving approach to MRM requires firms to treat model risk as a standalone risk class, with clear board-approved MRM frameworks, model inventories, independent validation, challenger frameworks and documented model life-cycle controls. Supervisors increasingly benchmark model performance, monitoring overrides, back-testing, data lineage and governance of vendor/AI-enabled models. Firms must demonstrate credible remediation plans and incorporate model risk capital where deficiencies are material.
• Banks with bail‑in or partial transfer resolution strategies must maintain sufficient MREL resources to absorb losses and recapitalise in resolution. The BoE calibrates firm‑specific MREL in line with the preferred resolution strategy. From 2026, the BoE will increase the indicative total assets threshold for considering partial transfer strategies and adjust MREL calibration expectations for certain firms, reflecting enhancements to depositor outcomes in insolvency.
• Comprehensive risk management frameworks with independent risk functions, Chief Risk Officer (CRO) stature and board‑level risk governance.

Loss-absorbing capacity is delivered through MREL set by the BoE, interacting with capital buffers and distribution constraints (Maximum Distributable Amount (MDA)). UK G-SIIs must also meet Total Loss Absorbing Capital (TLAC) standards. Disclosure under Pillar 3 remains a core market discipline tool, with enhanced templates expected as Basel 3.1 is finalised.

Basel 3.1 implementation in the UK will migrate substantial prudential content from the UK CRR to the PRA Rulebook, revising credit, market and operational risk frameworks from 1 January 2027. The PRA is also implementing a simplified Small Domestic Deposit-Taker regime to tailor requirements for smaller firms.

Capital: definitions and minimums

Part Two of the UK CRR specifies quality and eligibility of own funds (CET1, Additional Tier 1 (AT1), Additional Tier 2 (AT2)).

UK CRR Article 92 sets the minimum risk‑based capital ratios: CET1 of 4.5%, Tier 1 of 6.0% and total capital of 8.0% of total risk exposure amount.

Article 93 requires capital resources to be at least equal to initial capital required at authorisation. Risk‑weighted assets (RWAs) are determined under standardised or (with PRA approval) internal ratings‑based approaches for credit risk and under standardised or internal model approaches for market risk, with operational risk measured under the Basic Indicator Approach (BIA), standardised approach or Advanced Measurement Approach (AMA) (pending reforms under Basel 3.1).

These minimums are supplemented by buffers (for example, capital conservation, countercyclical, systemic buffers, as applicable) and firm‑specific Pillar 2A/B requirements following SREP. The PRA expects robust ICAAPs underpinning capital planning and risk appetite.

Leverage and Liquidity

The PRA imposes a binding leverage ratio on the largest banks, expressed as Tier 1 capital over total exposures. The current minimum is 3.25%, with buffer add‑ons for certain firms; the PRA has consulted on raising the threshold for scope (for example, to GBP70 billion of retail deposits). All banks are subject to the LCR and must maintain adequate liquidity resources in amount and quality to meet liabilities as they fall due. The PRA may issue firm‑specific Individual Liquidity Guidance (ILG) under Pillar 2.

Pillar 2 Processes

Banks must maintain and periodically update an ICAAP and ILAAP, identifying risks (credit, market, operational, liquidity and funding risks, among others), calibrating internal capital and liquidity adequacy, and evidencing governance around risk management. The PRA’s SREP informs Pillar 2 capital/liquidity requirements and sets supervisory expectations for remediation.

MREL

The BoE sets firm‑specific MREL to ensure credible loss‑absorption and recapitalisation in resolution, reflecting the preferred resolution strategy (bail‑in, transfer or modified insolvency). Eligible liabilities must meet strict criteria to be bail‑in-able. The UK framework implements the FSB’s TLAC standard for Global Systemically Important Banks (G‑SIBs) and applies proportionately to other firms. From 1 January 2026, the BoE’s revised approach increases the indicative total assets threshold for modified insolvency strategies from between GBP15 billion and GBP25 billion to between GBP25 billion and GBP40 billion, and makes targeted changes to MREL calibration for partial‑transfer firms; the PRA also intends to raise the threshold for the separate Resolution Assessment Part to GBP100 billion of retail deposits in H1 2026.

Small Domestic Deposit-Taker (SDDT) Regime

The PRA is introducing a simplified prudential framework for SDDTs, easing certain governance and liquidity requirements proportionately, with fuller implementation aligned with Basel 3.1 timelines, while preserving safety and soundness.

Ring‑Fencing

Large UK banking groups with core retail activities are subject to ring‑fencing, separating retail banking services within ring‑fenced bodies from investment and certain wholesale activities. Governance, exposures, location and services restrictions apply to protect continuity of critical retail services. Reforms to thresholds and scope are under review and incremental changes have been enacted, though ring‑fencing remains a defining UK structural feature.

Groups with substantial retail operations are subject to ring‑fencing under Part 9B FSMA 2000. RFBs are prohibited from specified trading and exposures to certain financial institutions, and must be legally, economically and operationally independent within their groups. Structural separation and governance rules drive significant intra‑group reorganisation for affected groups.

Risk Management Rules

UK firms are expected to maintain comprehensive, forward-looking risk management frameworks calibrated to their business models, risk profiles and scale. The PRA Rulebook establishes requirements for risk control, governance and reporting, supplemented by supervisory statements and Dear CEO letters.

Core expectations include:

• the articulation of clear risk appetite statements approved by the board, supported by quantitative limits and qualitative tolerances;
• effective three-lines-of-defence arrangements, with clearly delineated responsibilities for first-line ownership, second-line oversight and challenge, and independent third-line internal audit;
• a properly empowered and independent second-line risk function led by a CRO with sufficient stature, resources and unfettered access to the board risk committee;
• model risk management policies covering development, validation, use and decommissioning of models, with robust data governance, back-testing and limitations explicitly recognised;
• stress testing and scenario analysis embedded in business planning, capital and liquidity assessments, and contingency actions, including reverse stress tests and multi-factor scenarios; and
• comprehensive risk reporting that is timely, accurate and sufficiently granular to enable board and senior management decision-making.

Firms must also maintain prudent outsourcing and third-party risk management arrangements, including contractual safeguards, exit planning and operational resilience mapping, consistent with PRA expectations on outsourcing and ICT risk.

Board composition and governance should ensure appropriate financial services, risk and audit expertise, with committees overseeing risk, audit and remuneration aligned with prudential objectives and conduct considerations.

Capital and Liquidity Requirements

Capital requirements comprise minimum Pillar 1 risk-based ratios and a binding leverage ratio where in scope, supplemented by combined buffers and firm-specific Pillar 2A capital to address risks not fully captured under Pillar 1. Distribution restrictions apply where CET1 falls within the combined buffer range, constraining dividends, variable remuneration and coupon payments on AT1 instruments via the maximum distributable amount mechanism.

Supervisors expect firms to operate with prudent management buffers above minimum and Pillar 2 thresholds to absorb volatility and maintain market confidence. Liquidity requirements include compliance with the LCR and NSFR, supported by qualitative PRA liquidity rules on governance, monitoring and reporting, and firm-specific Pillar 2 liquidity guidance where necessary. ILAAPs must demonstrate a robust funding strategy, diversified and stable funding sources, collateral management and contingency funding plans, with credible management actions under stress. Firms should maintain adequate high-quality liquid assets and monitor intra-day liquidity, encumbrance and transferability across entities and jurisdictions, with appropriate legal and operational arrangements to ensure availability of resources when needed.

The Banking Act 2009 provides the Special Resolution Regime with tools including transfer powers (sale of business, bridge bank), asset separation and bail‑in. The BoE sets preferred resolution strategies (SPE/MPE), calibrates MREL and conducts resolvability assessments covering valuation readiness, bail‑in execution, continuity of access to financial market infrastructures (FMIs), separability and operational continuity in resolution. Liquidity in resolution is a priority; firms must maintain playbooks for collateral mobilisation, central bank facilities access and FMI obligations.

The BoE’s 2024–2025 guidance requires banks to demonstrate liquidity mobilisation capabilities in resolution, including real-time collateral tracking, FMI payment continuity and executable playbooks for secured central bank facilities. Firms must maintain granular intra-day liquidity analytics and ensure that legal documentation permits transferability and encumbrance tracking during stress.

Recovery planning is mandatory and must set clear escalation indicators, recovery options and governance arrangements. Early intervention powers allow regulators to impose business and governance measures where viability is threatened. Outside resolution, general insolvency tools are available under UK law, with SRR objectives guiding the public interest assessment.

Insolvency

The Banking Act 2009 provides a dedicated bank insolvency procedure, prioritising prompt FSCS payout or transfer of protected deposits. Only the BoE, PRA or Chancellor may petition for bank insolvency, subject to statutory conditions. General corporate insolvency law applies where the bank insolvency procedure is not engaged.

Following HM Treasury’s 2024 review, enhancements to the bank insolvency procedure (BIP) will improve the speed and certainty of FSCS payout, broaden FSCS powers to support transfer strategies, and clarify treatment of operational continuity. Banks should review intra-group service arrangements and wind-down plans to ensure alignment with revised BIP mechanics.

Recovery

Banks must maintain credible recovery plans setting out indicators, governance and options to restore viability in stress. The PRA reviews plans and can direct remedial measures or changes to business models or funding strategies if plans are materially deficient or not actionable. Intra‑group financial support agreements are subject to a specific authorisation framework and disclosure obligations.

Resolution

The BoE’s SRR provides stabilisation options (bail‑in, transfer to private sector purchaser or bridge bank and asset management vehicle), together with temporary public ownership in limited circumstances. The BoE may exercise mandatory write‑down and conversion of capital instruments at the point of non‑viability, and must assess and, where necessary, remove impediments to resolvability.

Resolution Planning: RAF, MREL, OCIR and Legal Stay Readiness

Resolution packs and planning

Banks must maintain resolution packs providing information for the BoE to draw up resolution plans. The PRA’s SS19/13 sets phased information expectations (baseline group structure and critical economic functions, detailed information supporting the preferred strategy, and contingent information on stress). The BoE draws up resolution plans setting preferred strategies – bail-in, transfer or modified insolvency – reviewed at least annually. Smaller banks with modified insolvency strategies may be subject to simplified obligations.

Resolvability assessment framework (RAF)

Major banks are assessed by the BoE for resolvability against three outcomes:

• adequate financial resources (MREL, valuations, liquidity in resolution);
• continuity and restructuring (continuity of contracts and services, FMI access, restructuring capabilities); and
• management, governance and communication.

The BoE publishes public statements on resolvability for significant retail deposit-takers, and firms within the Resolution Assessment Part must produce their own public assessments. The next assessment cycle is planned for 2026–27, focusing on continuity and restructuring.

Operational continuity in resolution (OCIR)

Banks above defined size thresholds that receive critical services must ensure continuity of those services through recovery, resolution and post-resolution restructuring. Contracts for critical services must contain terms ensuring non-termination and continued performance through resolution, on arm’s length terms with predictable charging and access to operational assets, subject to defined exclusions (for example, UK law intra-group contracts, certain FMI contracts). Group providers must be appropriately governed to deliver continuity.

Contractual recognition: stays and bail-in

For third-country law financial contracts, banks must procure contractual recognition of UK resolution stay powers to avoid disorderly termination upon entry into resolution or write-down/conversion at non-viability. Banks must also include contractual recognition of bail-in in third-country law liabilities (subject to impracticability guidance). The BoE expects robust compliance, legal, record-keeping and communication capabilities to support enforceability and counterparty engagement, and expects firms to understand residual early termination risk on out-of-scope contracts.

Continuity of access to FMIs and restructuring planning

Banks must identify and map critical FMI relationships (direct and via intermediaries), maintain usage records, and develop and maintain contingency plans for sustained access in stress and resolution. For bail-in firms, restructuring planning capabilities are required to deliver a viable business reorganisation plan within one month of entry into resolution, addressing causes of failure and restoring long-term sustainability.

Early Intervention Measures

When a bank exhibits deterioration short of failure, the PRA may deploy early intervention measures (Bank Recovery and Resolution (No 2) Order 2014 (BRRO2)) and prudential supervisory measures (UK Capital Requirements Regulations). Tools include:

• requiring reinforcement of risk management and governance;
• restoration plans with deadlines;
• provisioning policies;
• restrictions on business lines posing excessive risk;
• reductions in inherent risk;
• limits on variable remuneration;
• retention of profits to build capital;
• restrictions or prohibitions on distributions and AT1 coupons (where no events of default);
• enhanced reporting;
• specific liquidity requirements; and
• additional disclosures.

Intra-Group Financial Support Agreements (IGFSAs)

Banks in cross-border groups may enter IGFSAs to provide intra-group financial support (loans, guarantees, collateral) prior to meeting early intervention conditions. PRA rules and BRRO2 set conditions, authorisation processes, member approval and disclosure duties. An IGFSA cannot be authorised if terms are incompatible with conditions for support or any party already meets early intervention conditions.

Impediments to Resolvability

Following resolvability assessments, the BoE may determine that there are substantive impediments to resolution and, after a structured process affording the bank the opportunity to propose remedies, direct the bank to implement measures to remove impediments (for example, structural, operational or legal changes). For bail-in firms, the BoE must consider whether constitutional documents present obstacles to conversion (for example, pre-emption rights) and may require amendments.

Mandatory Reduction of Capital Instruments

Where a bank is failing or likely to fail and supervisory measures are insufficient, the BoE has powers to write down or convert capital instruments (AT1/AT2) outside the stabilisation regime in defined “cases”, subject to assessing whether alternative measures (early intervention, prudential measures, parental support) are feasible. The BoE must notify the PRA if considering these powers; if a feasible alternative measure exists (other than parental support), the PRA must take it.

Special Resolution Regime (SRR): Stabilisation Powers and Safeguards

If a bank is failing or likely to fail, public interest conditions are met and SRR objectives cannot be achieved to the same extent in insolvency, the BoE may exercise stabilisation options:

• transfer to a private purchaser;
• transfer to a bridge bank;
• transfer of assets/liabilities to an asset management vehicle (in conjunction with other tools); or
• (via HM Treasury) temporary public ownership (after at least 8% loss absorption by shareholders and creditors).

The BoE’s powers include wide transfer and override provisions subject to statutory safeguards, notably the “no creditor worse off” (NCWO) principle. A bank administration procedure supports continued services to a transferred business where a residual entity remains insolvent. The bank insolvency procedure prioritises transfer or FSCS payout of insured deposits.

The UK embeds climate and broader sustainability expectations through a combination of prudential, disclosure and conduct measures.

• PRA expectations (eg, SS3/19) require boards to integrate climate risk into governance, risk management, scenario analysis and capital frameworks; PRA thematic reviews and supervisory engagement have intensified.
• FCA climate‑related disclosure rules reflect the Task Force on Climate-related Financial Disclosures (TCFD) and the UK’s path towards International Sustainability Standards Board (ISSB)‑aligned reporting. The FCA’s Sustainability Disclosure Requirements (SDR) and investment labels apply initially to asset management but shape market norms and client communications across financial services.
• Transition plan disclosure is developing through the Transition Plan Taskforce (TPT) framework; UK taxonomy consultation is ongoing.
• Greenwashing risks are a supervisory focus; product governance and client communications must be clear, fair and not misleading.

While distinct from EU Sustainable Finance Disclosure Regulation (SFDR)/Taxonomy, the UK regime aims at comparable transparency and integration outcomes, with cross‑border firms managing parallel requirements. The UK will mandate TPT-aligned transition plan disclosures for large listed and regulated firms. Banks must integrate transition pathways into ICAAP, credit risk modelling and scenario analysis, linking climate metrics to risk appetite. The FCA is increasing scrutiny of potential greenwashing, particularly in retail savings products and sustainability-linked finance.

The UK’s operational resilience regime is well established. Banks are required to identify important business services and set impact tolerances, map the resources supporting those services and test their ability to remain within tolerances in severe but plausible scenarios. Banks must remediate vulnerabilities and reach full resilience standards by the regulatory deadlines. As of 31 March 2025, banks should have embedded strategies, processes and systems to meet operational resilience expectations.

Outsourcing and third‑party risk management frameworks across the PRA and FCA rulebooks require governance, risk management, regulatory access, audit and information rights, data protection, concentration risk assessment and exit planning – particularly for material outsourcings (including cloud). Banks must implement robust frameworks that preserve supervisory access and assurance, with particular focus on material arrangements and critical third parties (CTPs).

FSMA 2023 introduces a dedicated regulatory framework for CTPs. Once a service provider is designated jointly by HM Treasury, the PRA and the FCA, financial institutions must comply with new obligations including enhanced due diligence, contractual assurance, incident reporting, and participation in sector-wide resilience testing. The regulators will have the ability to give directions directly to CTPs, including requirements around testing, information provision and remediation, materially affecting firms’ outsourcing strategies and operational risk assessments. Firms must revise outsourcing policies to ensure pre-emptive compliance with CTP standards.

In parallel, OCIR rules require contractual and structural arrangements to ensure continuity of critical services through resolution and post‑stabilisation restructuring. Banks must structure intra‑group service arrangements on arm’s length terms with predictable charging, and must ensure no resolution‑related termination rights.

Outsourcing frameworks across the PRA and FCA rulebooks require governance, risk management, access and audit rights, data protection, concentration risk assessment and exit planning, particularly for material outsourcings and CTPs.

The UK maintains its own regulatory approach to third-party risk management – in particular, on ICT risks and providers. The UK has not adopted the EU’s Digital Operational Resilience (DORA) regime. Instead, PRA and FCA rules require firms to identify important business services, set impact tolerances and demonstrate the ability to remain within tolerances during severe but plausible disruptions. Governance, mapping, scenario testing, third‑party risk and communications are central. FSMA 2023 introduces a regime for CTPs to UK financial services, enabling direct oversight of systemic ICT providers and complementing firms’ outsourcing frameworks.

Cyber resilience remains a core supervisory concern. Banks are expected to identify and protect against cyber threats, rapidly detect incidents, respond and recover, and contain disruption. Use of artificial intelligence (AI) must align with existing, technology‑neutral rules across the AI life cycle – governance, data, model risk and accountability – with the FCA and PRA articulating cross‑cutting expectations for safe adoption.

Data protection and sectoral obligations are framed by the UK GDPR and the Data Protection Act 2018, with cyber obligations grounded in the Network and Information Security (NIS) Regulations and sectoral guidance. AI deployment is currently subject to cross‑cutting principles and supervisory expectations rather than a comprehensive AI statute; model governance and accountability remain supervisory priorities.

Data Location, Cloud Resilience and Exit Management

The PRA and FCA expect firms to evaluate data localisation requirements, cross-border data transfer dependencies and cloud concentration risk as part of operational resilience. Firms must maintain exit strategies capable of restoring critical services within impact tolerances, including demonstrable ability to migrate workloads from dominant cloud providers in severe but plausible scenarios. Metadata, logs and audit trails must remain accessible to the UK authorities irrespective of hosting location.

The main developments on the horizon include the following.

UK Prudential, Conduct and Markets Agenda

The UK continues to consolidate its post‑EU regulatory framework, with FSMA 2023 providing broad powers to revoke retained EU law and restate requirements in domestic rulebooks. In prudential regulation, HM Treasury and the PRA are progressing targeted repeal of UK CRR provisions and the migration of core prudential policies – such as securitisation and capital definitions – into PRA rules, alongside Basel 3.1 finalisation and implementation currently targeted from 1 January 2027. The BoE has consulted on streamlining resolution reporting (including COREP13 UKTS) with implementation aimed for April 2026, and its revised MREL Statement of Policy will take effect from 1 January 2026, including adjusted thresholds and calibrations aligned with improving depositor outcomes in insolvency. Firms should align board‑level oversight with these timelines, ensuring coherent integration across ICAAP/ILAAP, model change, disclosure and resolvability programmes.

Basel 3.1 Calibration and Pillar 3

The PRA’s calibration choices – including the output floor and revisions to credit, market and operational risk approaches – remain pivotal. Firms should anticipate detailed Pillar 3 templates and UK‑specific reporting instructions, with scrutiny of model approval pipelines, portfolio variability and bindingness of the floor across business lines. Transitional arrangements and sequencing will require close programme management and transparent stakeholder communications.

Ring‑Fencing Evolution

Following statutory reviews, the ring‑fencing regime is expected to evolve, with potential threshold recalibration, refinements to permitted activities and closer alignment with resolvability objectives. Banks should validate legal entity strategies, service company arrangements and intragroup exposures to maintain robust separability and continuity of critical economic functions.

Climate and Sustainability Disclosures

UK disclosures continue to converge towards the ISSB, with the FCA’s Sustainability Disclosure Requirements/labels regime and transition plan expectations shaping product governance and investor communications. Banks should embed climate metrics, scenario analysis and transition planning within risk management and public reporting, ensuring internal coherence across prudential, conduct and stewardship frameworks.

Payments Reforms and Open Banking

The payments landscape is being reshaped by mandatory Authorised Push Payment (APP) fraud reimbursement under the PSR, strengthened Confirmation of Payee and work on the future governance of open banking, with possible extensions towards open finance. Operational implications include real‑time fraud controls, customer communications, liability allocation and enhanced data sharing safeguards. Firms should align Strong Customer Authentication (SCA) implementation and dispute-handling across channels, with consistent treatment of vulnerable customers.

The PSR’s mandatory reimbursement regime for APP fraud fundamentally changes liability allocation. From 2024, sending and receiving PSPs must reimburse victims within strict timeframes unless narrow exceptions apply. Banks must implement real-time fraud detection controls, enhanced Confirmation of Payee, strengthened data-sharing mechanisms and consistent treatment of vulnerable customers. Governance frameworks must be updated to reflect APP reimbursement MI, fraud typology analysis and board-level oversight.

Sanctions Enforcement and Circumvention Risk

UK sanctions have expanded materially, with heightened OFSI enforcement and guidance on ownership and control, trade‑based evasion typologies and beneficial ownership transparency. Banks must maintain agile list management, robust look‑through and circumvention detection across onboarding, payment filtering, asset freeze administration and exit strategies, with documented governance and periodic independent testing of screening effectiveness.

OFSI’s 2024 guidance emphasises detection of circumvention typologies, including complex ownership structures, proxy trading networks, trade-based evasion, crypto-mixing services, use of third-country intermediaries and redirection of goods via trans-shipment hubs. Banks must calibrate screening, KYC refresh, payment interdiction and trade finance oversight to these risks, documenting independent periodic testing.

The SM&CR and Remuneration

Targeted refinements to the SM&CR continue, together with remuneration code evolution following removal of the bonus cap. Firms should revisit accountability maps, fitness and propriety controls, variable pay risk adjustment and malus/claw-back frameworks to ensure alignment with conduct outcomes and prudential soundness.

Resolution Liquidity, MREL Resilience and Execution

The BoE’s expectations on resolution liquidity and credible execution require detailed playbooks, collateral mobilisation strategies and continuity of access to FMIs under stress. MREL stack resilience should be modelled alongside buffer requirements, P2R/P2G and potential distribution constraints, with clear communications to management, boards and markets.

Retail Conduct and Markets

While the EU advances MiFIR/MiFID reforms and a Retail Investment Strategy, the UK is pursuing its own trajectory through the Wholesale Markets Review, MiFID onshoring adjustments and the FCA’s Consumer Duty. Changes to market structure, transparency and data (including consolidated tape initiatives) will interact with stricter expectations on product governance, value for money, inducements and client communications. Banks should refresh suitability/appropriateness frameworks, remuneration structures for sales staff and ESG preference assessments, recognising intensified supervisory scrutiny of mis‑selling risks.

Payments and Instant Transfers

The UK is not mirroring the EU’s Payment Services Directive 3 (PSD3)/Payment Services Regulation reforms, but is implementing targeted reforms via the PSR and FCA rulebooks, including 24/7 payments resilience expectations and strengthened fraud prevention. Confirmation of Payee and enhanced sanctions/AML screening for real‑time payments should be embedded operationally. Updates to third‑party access arrangements, open banking standards and governance will require careful contract and vendor management, with ICT resilience integrated under the UK operational resilience regime.

The UK government intends to consolidate and integrate the Payment Systems Regulator into the FCA to streamline supervision and reduce regulatory duplication. This transition will expand FCA enforcement tools in payments markets, consolidate complaints, data and fraud monitoring regimes, and align payment system governance with FCA conduct supervision. PSPs should expect increased scrutiny of operational resilience, fraud controls, dispute-handling and transparency.

Derivatives and Market Infrastructure

UK EMIR continues to diverge in places from the EU’s EMIR 3.0, with UK‑specific reporting, margin and clearing requirements and no active account mandate akin to the EU. Firms should reassess clearing strategies, counterparty risk management and collateral practices to reflect UK supervisory expectations, while preparing for reporting refits and data quality enhancements. In post‑trade, UK policy initiatives – including the FMI sandbox and work on digital securities – aim to support innovation while preserving robust settlement and custody controls.

Data, AI and Cybersecurity

The UK retains the UK GDPR, with ongoing refinements to data protection and digital governance. The UK’s approach to AI is currently principles‑based and pro‑innovation rather than prescriptive, but banks should treat AI applications in credit/underwriting and risk assessment as high‑risk, documenting model governance, data integrity, transparency and human oversight. Cyber obligations intersect with operational resilience and sectoral guidance; firms should ensure consistency across ICT risk management, incident response and vendor oversight, while mindful of UK‑specific supervisory expectations rather than Network and Information Security Systesm 2 (NIS2)/DORA constructs.

Although the UK has not adopted an AI Act (as the EU has), the PRA and FCA expect firms to treat AI models as high-risk within existing governance frameworks. Supervisory areas of focus include data integrity, explainability, bias detection, human-in-the-loop controls, operational resilience and accountability under the SM&CR. Firms must evidence traceability of decision-making and undertake model validation proportionate to risk, including AI-specific stress and sensitivity testing. Where AI is used in credit underwriting, fraud detection or customer communications, Consumer Duty outcomes – particularly fairness and consumer understanding – must be demonstrably met.

Sanctions Operations and Governance

UK restrictive measures are directly applicable, with rigorous enforcement. Controls must address complex corporate structures, trade flows and trans‑shipment risks, ensuring comprehensive ownership/control look‑through and timely asset freeze administration. Governance should document escalations and decision‑making, with independent effectiveness testing and remediation tracking to mitigate both conduct and prudential consequences.

Securitisation and Covered Bonds

The UK securitisation framework is being domesticated, with PRA/FCA rulebooks replacing retained EU law. Simple, Transparent and Standardised (STS) Securitisations remain relevant for preferential treatment, subject to UK criteria. Banks acting as originators, sponsors or investors should maintain documented due diligence, risk retention compliance and transparency, integrating securitisation risks into ICAAP and model oversight. The UK covered bonds regime continues to emphasise asset quality, cover pool management, liquidity buffers and investor disclosure, aligned with resolution separability expectations.

From 2025, the UK Securitisation Regulations are being replaced with PRA/FCA rules, including revised due diligence templates, originator/sponsor definitions, STS criteria, risk retention and disclosure. Banks must update policies to reflect the new UK rulebooks and adjust investor reporting, retention documentation and warehouse financing arrangements accordingly.

Recovery, Resolution and Liquidity

Unlike the EU’s Crisis Management and Deposit Insurance (CMDI) framework package, UK reforms focus on resolvability assessments, bail‑in execution, valuation readiness and early intervention under domestic frameworks. A critical operational dimension – liquidity in resolution – requires detailed playbooks and collateral mobilisation plans, with FMI access continuity evidenced under stress. Recovery and resolution plans should demonstrate separability and robust execution capabilities consistent with BoE guidance.

MREL/TLAC and Capital Stack Interactions

Loss‑absorbing capacity expectations continue to tighten through the revised MREL Statement of Policy (SoP). Banks should articulate internal MREL/TLAC frameworks, subordination strategies and issuance plans, modelling interactions across combined buffers, P2R/P2G and potential breaches, including management of distribution constraints affecting dividends, AT1/AT2 coupons and variable remuneration. Transparent disclosure of stack resilience and contingency measures supports market discipline and supervisory dialogue.

Third‑Country Market Access and Booking Models

The UK framework for overseas firms – spanning authorisation, branch supervision and the Overseas Persons Exclusion – is being refined. Banks should assume a conservative perimeter for cross‑border services into the UK, with attention paid to local risk management for UK‑booked risks and clear governance over back‑to‑back and remote booking to avoid supervisory arbitrage. Colleges and co-operation arrangements remain important, but host‑state expectations for subsidiarisation or enhanced branch supervision may be applied where warranted.

Consumer Credit and Mortgages

The UK is progressing reforms to consumer credit, with the FCA’s Consumer Duty setting high bars for fair value, communications and customer support. MCOBs continue to emphasise responsible lending, affordability and treatment of vulnerable customers. Banks should integrate ESG and energy efficiency considerations where relevant with collateral values and lending policies, ensuring coherent product governance and fair outcomes.

Competition and Digital Markets

UK digital platform regulation – via the CMA and evolving statutory powers – affects payments initiation, wallet interoperability and default settings that shape consumer journeys. Banks should monitor gatekeeper obligations, ensure fair access and preserve competitive neutrality in digital payments ecosystems. Interchange fee constraints and card network rule changes require pricing and conduct alignment, with co-ordinated oversight between competition and consumer protection authorities.

Technical Standards and Supervisory Roll‑Out

Basel 3.1 and the migration from retained EU law to PRA/FCA/BoE rulebooks will entail extensive secondary materials. Institutions should track and implement UK technical standards across credit risk (including real estate exposures), market risk permissions, operational risk, CVA, ESG Pillar 3 templates and governance/reporting for TCBs. Transitional arrangements and phase‑ins will affect model approvals, output floor bindingness and disclosure sequencing; supervisory calendars should be integrated into programme plans with robust board oversight.