FinregE RIG Insight: PRA Priorities 2025 for UK’s financial services sector

PRA, Priorities, Bank of England, Insurance, Banks, Investment Banks, Deposit Takers, AI, Gen AI

In three letters in January 2025, the Prudential Regulation Authority (PRA) outlined its priorities for the year ahead, focusing on strengthening resilience and risk management across the UK’s financial services sector. These priorities cover UK deposit takers, international banks, investment firms, and insurance companies, reflecting the regulator’s commitment to addressing evolving market challenges such as operational resilience, climate risk, and governance. Leveraging insights from FinregE’s Regulatory Insights Generator (RIG), this blog deciphers the PRA’s expectations, highlighting key takeaways and actionable steps for firms to ensure compliance and operational excellence in 2025.


UK insurance sector

International Banks and Designated Investment Firms

UK deposit takers

Supervision Priorities and Themes

Solvency UK Implementation and Policy Reforms:

·        Ensuring that Solvency UK reforms are implemented and embedded.

·        Issuing final policy on Insurance Special Purpose Vehicles (ISPVs).

 

Funded Reinsurance:

·        Evaluating firms’ self-assessment against expectations outlined in supervisory statement SS5/24.

·        Including a funded reinsurance recapture scenario in the 2025 Life Insurance Stress Test (LIST).

 

Cyclicality in the General Insurance Market:

·        Firms should remain vigilant to potential changes in pricing conditions.

·        Focus on natural catastrophe and cyber underwriting risks.

 

Evaluating and Maintaining Resilience:

·        Conducting the LIST 2025 exercise to provide insights into the financial resilience of the largest firms in the UK life insurance sector.

·        Disclosure of individual firm results and aggregate results.

 

Liquidity Management:

·        Welcoming feedback on liquidity reporting proposals.

·        Encouraging eligible insurance companies to apply early for the Contingent NBFI Repo Facility.

 

Solvent Exit Planning for Insurers:

·        Working with insurers in scope of PS20/24 to support understanding of expectations regarding solvent exit planning.

 

Operational Resilience, Cyber Security, and Outsourcing:

·        Expecting insurance firms to work towards the March 2025 deadline for operational resilience of important business services.

·        Monitoring and managing risks arising from transformation journeys and vendor practices.

 

Climate Risk Management:

·        Firms are expected to fully embed the PRA’s climate expectations, with further progress on scenario analysis and risk management required.

Robust Governance, Risk Management, and Controls:

·        Emphasis on the need for firms to have strong governance frameworks and risk management practices in place.

 

Financial Resilience:

·        Ongoing assessment of individual firms’ capital and liquidity.

·        Utilization of stress testing to evaluate financial resilience and develop effective contingency plans.

 

Operational Resilience:

·        Firms must demonstrate the ability to remain within impact tolerances for important business services during severe disruptions by March 2025.

·        Strengthening response and recovery capabilities against cyber threats and third-party service disruptions.

 

Data Quality and Accuracy:

·        Focus on the importance of accurate data for regulatory returns and risk management.

·        Continuous assessment of data accuracy through supervisory tools.

 

Cyber Resilience and ICT Management:

·        Consultation on policies related to the management of Information and Communication Technology (ICT) and cyber risks in the second half of 2025.

·        Encouragement for firms to enhance their cyber resilience capabilities.

 

Counterparty Credit Risk (CCR) Management:

·        Continued focus on managing counterparty credit risk, particularly in investment banking activities and exposures to non-bank financial institutions.

 

Third-Party Risk Management:

·        Robust oversight of major outsourcing and third-party risk management providers.

·        Consideration of the financial health and data security of suppliers.

 

Engagement with Regulatory Changes:

·        Encouragement for firms to engage with discussion papers and consultations, particularly regarding the transition to a repo-led operating framework.

 

Feedback from Cyber Stress Tests:

·        Incorporation of findings from the 2024 Cyber Stress Test into operational resilience planning.

 

Implementation of Basel 3.1:

·        Awareness of the delayed implementation timeline for Basel 3.1 and the need for firms to prepare for the changes.

Robust Governance: Emphasis on the need for strong governance frameworks within firms to ensure effective oversight and decision-making.

 

Risk Management: Firms are expected to have comprehensive risk management frameworks that are adaptive and resilient, capable of identifying and managing emerging risks.

 

Controls Frameworks: Implementation of effective controls to mitigate risks, ensuring that firms can proactively address potential vulnerabilities.

 

Data Accuracy and Management: Continuous improvement in data aggregation and accuracy to support holistic risk management and regulatory compliance.

 

Credit Risk Management: Focus on the evolution of credit risk management practices, particularly in light of changing market conditions and the need for robust measurement practices.

 

Operational Resilience: Assessment of firms’ preparedness for unexpected shocks, including liquidity resilience and the management of Information and Communication Technology (ICT) and cyber risks.

 

Model Risk Management (MRM): Firms should align their model risk management practices with the principles set out in the PRA’s supervisory statements, ensuring high-quality models that capture risks effectively.

 

Liquidity and Funding Resilience: Assurance from treasury and risk management functions regarding balance sheet management and the implications of changes in the funding and liquidity landscape.

 

Feedback and Consultation: Engagement with firms to gather feedback on regulatory proposals and to ensure that firms are aware of and prepared for upcoming changes in regulations.

 

Long-term Risks Consideration: Firms are encouraged to consider longer-term risks, including climate change impacts, in their risk management strategies.

Actions for Firms

The regulatory document from the Prudential Regulation Authority (PRA) outlines several actions that firms in the UK insurance sector are required to take to comply with the new and amended regulations. The key actions include:

 

Demonstrate Operational Resilience: Firms must show that they can remain within impact tolerances for all important business services during severe but plausible disruptions by March 2025. This includes enhancing response and recovery capabilities to address cyber threats and disruptions from third-party services.

 

Enhance Climate Risk Management: Firms are required to further embed the PRA’s climate expectations into their governance and risk management frameworks. This includes conducting comprehensive scenario analysis to assess the potential impacts of climate change on their operations and portfolios.

 

Prepare Solvent Exit Analysis (SEA): By June 30, 2026, most insurers must prepare a Solvent Exit Analysis (SEA) plan that outlines their ability to deliver an orderly, solvent exit from the market if necessary. Firms should begin developing this plan before the deadline.

 

Improve Liquidity Risk Management: Firms are encouraged to provide feedback on the proposed liquidity reporting requirements outlined in consultation paper CP19/24. They should also enhance their liquidity risk management practices and consider applying for the Contingent NBFI Repo Facility to support liquidity during market turmoil.

 

Participate in Stress Testing: Firms captured in the LIST 2025 exercise must participate in the stress testing process, which will provide insights into their financial resilience. They are expected to disclose individual firm results and aggregate results to enhance transparency.

 

Strengthen Cyber Security and Third-Party Risk Management: Firms must enhance their cyber resilience capabilities and maintain robust oversight of major outsourcing and third-party risk management providers. This includes ensuring that new investments in IT infrastructure and third-party arrangements are resilient by design.

 

Monitor and Manage Risks: Boards and senior management are expected to actively monitor and manage risks arising from transformation journeys and the use of appropriate standards and vendor best practices. This includes being mindful of the financial health of suppliers and their data security.

 

Engage with Regulatory Expectations: Firms should engage with the PRA to understand the new requirements and expectations, particularly regarding the implementation of Solvency UK reforms and other regulatory changes. This includes participating in consultations and providing feedback on proposed regulations.

The document outlines several specific actions that firms in the banking sector are expected to take in response to the Prudential Regulation Authority’s (PRA) regulatory priorities and expectations. These actions include:

 

Enhance Governance and Risk Management Frameworks

·        Firms should establish and maintain robust governance structures that support effective risk management.

·        Senior management and Boards must ensure that risk management frameworks are adaptive and resilient, utilizing stress and scenario analyses to inform strategic planning.

 

Demonstrate Operational Resilience

·        By March 2025, firms must show that they can remain within impact tolerances for all important business services during severe but plausible disruptions.

·        Firms should strengthen their response and recovery capabilities to address cyber threats and vulnerabilities, particularly those arising from legacy infrastructure.

 

Improve Data Quality and Accuracy

·        Firms are required to submit complete, timely, and accurate regulatory returns.

·        They should enhance their ability to aggregate data to support holistic risk management and informed decision-making at the Board level.

 

Address Counterparty Credit Risk Management

·        Firms must invest in robust credit risk management practices that are adaptable to changing market conditions.

·        Where control gaps are identified, firms are expected to implement holistic remediation plans to address these shortcomings promptly.

 

Conduct Financial Resilience Assessments

·        Firms should continuously assess their capital and liquidity positions, considering a broad range of forward-looking indicators.

·        They are expected to utilize stress testing to evaluate financial resilience and develop realistic contingency plans.

 

Prepare for Regulatory Changes

·        Firms need to prepare for significant changes in the funding and liquidity landscape, particularly regarding the transition to a repo-led operating framework.

·        Engagement with the Bank’s discussion papers and timely adaptation to regulatory changes is essential.

 

Strengthen Third-Party Risk Management

·        Firms must maintain robust oversight of their major outsourcing and third-party risk management providers.

·        They should ensure that they are mindful of the financial health and data security of their suppliers.

 

Monitor and Improve Risk Management Practices

·        Firms are expected to continuously monitor their risk management practices and apply learnings from incidents and thematic reviews to enhance their controls and processes.

 

Engage with Supervisors

·        Firms should engage with PRA supervisors in an open and constructive manner, reflecting feedback received into their operational and strategic planning.

 

Invest in Cyber Resilience

·        Firms are encouraged to enhance their cyber resilience capabilities and utilize available resources, such as the CBEST thematic reports, to strengthen their defenses against cyber threats.

The document outlines several actions that firms are expected to take in response to the Prudential Regulation Authority’s (PRA) expectations. These actions include:

 

Establish Robust Governance Frameworks: Firms should develop and maintain strong governance structures that facilitate effective oversight and decision-making at all levels.

 

Implement Comprehensive Risk Management Frameworks: Firms are required to create adaptive and resilient risk management frameworks that enable proactive identification, monitoring, and management of emerging and novel risks.

 

Enhance Controls Frameworks: Firms must ensure that effective controls are in place to mitigate identified risks, thereby addressing vulnerabilities within their operations.

 

Improve Data Aggregation and Quality: Firms should enhance their ability to aggregate and manage data, ensuring that the information used for risk management, board decision-making, and regulatory reporting is complete, timely, and accurate.

 

Evolve Credit Risk Management Practices: Firms are expected to adapt their credit risk management practices to changing market conditions, ensuring robust measurement and management of credit risk.

 

Strengthen Operational Resilience: Firms must demonstrate preparedness for unexpected shocks by enhancing their response and recovery capabilities, particularly in relation to cyber threats and third-party service disruptions.

 

Align Model Risk Management (MRM) with PRA Principles: Firms should implement and embed changes to their model risk management practices in accordance with the PRA’s supervisory statements, ensuring high-quality models that adequately capture risks.

 

Prepare for Changes in Liquidity and Funding Landscape: Firms need to assess their liquidity management strategies and ensure operational readiness to access reserves through the Bank of England’s Sterling Monetary Framework (SMF) facilities.

 

Engage with Senior Management Functions: Firms are expected to maintain ongoing engagement with accountable Senior Manager Functions to assess and monitor the implementation of risk management and governance practices.

 

Consider Long-term Risks in Business Planning: Firms should incorporate considerations of longer-term risks, such as climate change impacts, into their risk management and business planning processes.

 

Participate in Feedback Mechanisms: Firms are encouraged to provide feedback to the PRA on regulatory proposals and engage in consultations to ensure their perspectives are considered in the policy-making process.

 

Demonstrate Operational Readiness: By March 2025, firms must show that they can remain within impact tolerances for all their important business services (IBS) during severe but plausible disruptions.

Further areas of focus

Firms in the UK insurance sector should pay attention to several additional pieces of information and considerations as outlined by the Prudential Regulation Authority (PRA). These include:

 

Evolving Regulatory Landscape: Firms should stay informed about ongoing regulatory reforms, particularly those related to Solvency II and the UK Insurance Special Purpose Vehicles (ISPV) regime. Understanding the implications of these reforms is crucial for compliance and strategic planning.

 

Market Developments: Firms should monitor developments in the bulk purchase annuity (BPA) market and funded reinsurance transactions. The PRA has highlighted the need for firms to manage their capacity prudently and ensure that competitive pressures do not compromise pricing discipline or risk management standards.

 

Risk Management Frameworks: Firms are encouraged to continuously review and enhance their risk management frameworks to keep pace with evolving business practices and transaction features. This includes adapting to new complexities in BPA transactions and ensuring that risk management approaches are robust and effective.

 

Climate-Related Financial Risks: The PRA has emphasized the importance of managing climate-related financial risks. Firms should focus on integrating climate risk considerations into their underwriting strategies, investment decisions, and overall risk management frameworks. This includes conducting thorough scenario analyses and stress testing related to climate impacts.

 

Operational Resilience and Cyber Security: Firms should prioritize operational resilience and cyber security as critical components of their business strategy. This includes developing contingency plans for potential disruptions, enhancing cyber defences, and ensuring that third-party service providers meet appropriate resilience standards.

 

Feedback Mechanisms: Firms should establish effective feedback mechanisms to engage with the PRA and other regulatory bodies. This includes providing input on proposed regulations, sharing insights from their operational experiences, and participating in consultations to shape future regulatory frameworks.

 

Training and Awareness: It is essential for firms to invest in training and awareness programs for their staff regarding regulatory expectations, risk management practices, and compliance requirements. This will help ensure that all employees understand their roles in maintaining compliance and managing risks.

 

Documentation and Reporting: Firms should maintain thorough documentation of their compliance efforts, risk assessments, and decision-making processes. Accurate and timely reporting to the PRA is essential for demonstrating compliance and transparency.

 

Engagement with Stakeholders: Firms should engage with key stakeholders, including boards, senior management, and external auditors, to ensure alignment on regulatory expectations and risk management strategies. This collaborative approach can enhance the effectiveness of compliance efforts.

 

Continuous Improvement: Firms should adopt a culture of continuous improvement in their compliance and risk management practices. Regularly reviewing and updating policies, procedures, and controls in response to changing regulations and market conditions is vital for maintaining compliance and resilience.

Firms should pay attention to several additional considerations as outlined in the document, which can significantly impact their regulatory compliance and operational effectiveness. These considerations include:

 

Evolving Regulatory Landscape

Firms should stay informed about ongoing consultations and updates from the PRA and FCA, particularly regarding the management of Information and Communication Technology (ICT) and cyber risks. This includes understanding the implications of the upcoming policy consultations expected in the second half of 2025.

 

Impact of Global Economic Conditions

Firms need to be aware of how global interest rate environments, geopolitical events, and technological changes, including the increasing use of Artificial Intelligence, can affect their risk management and operational strategies.

 

Focus on Data Risk

The document highlights that poor data quality is a root cause of various risks. Firms should prioritize improving their data governance frameworks to ensure accurate data aggregation and reporting, which is essential for effective risk management and regulatory compliance.

 

Cyber Threat Landscape

Firms must remain vigilant regarding the rapidly evolving cyber threat landscape. They should continuously assess their cyber resilience capabilities and implement measures to detect, respond to, and recover from cyber-attacks effectively.

 

Third-Party Risk Management

Given the observed incidents within firms’ third-party arrangements that have disrupted important business services, firms should enhance their oversight of third-party risk management. This includes assessing the financial health and data security of suppliers and ensuring that contingency plans are in place for third-party service disruptions.

 

Stress Testing and Scenario Analysis

Firms are encouraged to leverage stress testing and scenario analysis not only for regulatory compliance but also as a strategic tool to inform business planning and risk management decisions.

 

Feedback Mechanisms

Firms should establish mechanisms to gather and incorporate feedback from supervisory engagements into their operational and strategic planning processes. This will help them align their practices with regulatory expectations and improve overall governance.

 

Investment in Technology and Infrastructure

New investments in IT infrastructure, software applications, and third-party arrangements should be designed with resilience in mind. Firms should ensure that these investments can withstand disruptions and support their operational resilience objectives.

 

Holistic Remediation Plans

When control gaps are identified, firms should develop and execute holistic remediation plans that address the root causes of these gaps, taking into account insights from thematic reviews and supervisory assessments.

 

Engagement with Discussion Papers

Firms are encouraged to actively engage with the Bank of England’s discussion papers, such as the one on transitioning to a repo-led operating framework, to provide feedback and prepare for upcoming regulatory changes.

Firms should pay attention to the following additional information and considerations as outlined in the document:

 

Liquidity Management: Firms need to be aware of the changing landscape regarding liquidity and funding, particularly in light of the Bank of England’s transition to a demand-driven framework for supplying reserves through repo operations. This includes planning for significant Term Funding Scheme with additional incentives for SMEs (TFSME) maturities due in 2025.

 

Operational Resilience Requirements: By March 2025, firms must demonstrate their ability to remain within impact tolerances for all important business services (IBS) during severe but plausible disruptions. This requires significant progress in strengthening response and recovery capabilities, particularly against cyber threats and vulnerabilities from legacy infrastructure.

 

Engagement with Regulatory Changes: Firms should actively engage with the PRA’s consultations and discussions, such as the feedback on the Bank’s discussion paper regarding transitioning to a repo-led operating framework. This engagement is crucial for understanding upcoming regulatory changes and their implications.

 

Data Risk Management: Firms must focus on improving data accuracy and aggregation capabilities, as poor data quality has been identified as a root cause of various risks. This includes ensuring that data used for regulatory calculations and risk management is reliable and timely.

 

Model Risk Management (MRM) Enhancements: Firms should prioritize the implementation of changes to their model risk management practices to align with the PRA’s supervisory statement 1/23. This includes ensuring that models are of high quality and adequately capture the risks they are intended to measure.

 

Credit Risk Management Adaptation: Firms need to adapt their credit risk management practices to reflect the current combination of credit risk factors, which may differ from those on which existing models were built. This includes focusing on vulnerable and higher-risk portfolios.

 

Long-term Risk Considerations: Firms should incorporate long-term risks, such as climate change impacts, into their risk management frameworks and business strategies. This is essential for ensuring sustainable operations and compliance with evolving regulatory expectations.

 

Feedback and Collaboration: Firms are encouraged to provide feedback to the PRA on regulatory proposals and engage in collaborative efforts to enhance the regulatory framework. This includes participating in consultations and sharing insights on the practical implications of proposed changes.

 

Board and Executive Involvement: It is essential for boards and executives to be actively involved in assessing the overall approach to risk management and governance, ensuring that risk culture is conducive to effective control environments.

 

Monitoring of Emerging Risks: Firms should remain vigilant in monitoring emerging risks, including those arising from geopolitical events and technological advancements, such as the increasing use of artificial intelligence.

Amendments To Existing Regulations

The regulatory document from the Prudential Regulation Authority (PRA) introduces several amendments to existing regulations, particularly in the context of enhancing the resilience and risk management practices of insurance firms. The key amendments to existing regulations include:

 

Reinforcement of Operational Resilience Standards: The document reinforces existing operational resilience requirements by mandating that firms demonstrate their ability to remain within impact tolerances for important business services during severe disruptions by March 2025. This builds upon previous guidance and expectations regarding operational resilience.

 

Updates to Climate Risk Management Expectations: The PRA’s expectations regarding climate risk management have been updated to require firms to further embed climate considerations into their governance and risk management frameworks. This amendment emphasizes the need for comprehensive scenario analysis and proactive risk management related to climate change.

 

Introduction of Solvent Exit Planning Requirements: New requirements for Solvent Exit Analysis (SEA) have been introduced, which will come into effect on June 30, 2026. This amendment requires most insurers to prepare a plan for an orderly, solvent exit from the market, enhancing the existing regulatory framework for market exit strategies.

 

Enhancements to Liquidity Reporting Requirements: The document outlines proposed amendments to liquidity reporting requirements, encouraging firms to enhance their liquidity risk management practices. This includes feedback on consultation paper CP19/24, which aims to close liquidity reporting gaps and streamline reporting processes.

 

Strengthening of Cyber Security and Third-Party Risk Management: The PRA has amended its expectations regarding cyber security and third-party risk management, requiring firms to maintain robust oversight of major outsourcing and third-party risk management providers. This amendment reflects the evolving cyber threat landscape and the need for enhanced resilience.

Revisions to Stress Testing Framework: The LIST 2025 exercise is introduced as a means to evaluate the financial resilience of the largest firms in the UK life insurance sector. This amendment enhances the existing stress testing framework by providing insights into individual firm results and aggregate outcomes.

 

Clarification of Governance and Risk Management Practices: The document clarifies the expectations for governance and risk management practices, emphasizing the need for boards and senior management to actively monitor and manage risks arising from transformation journeys and third-party relationships.

The document introduces several amendments and updates to existing regulations, particularly concerning the implementation of Basel 3.1 and the PRA’s supervisory approach. Here are the key amendments highlighted in the document:

 

Delay in Basel 3.1 Implementation

·        The implementation date for Basel 3.1 in the UK has been postponed by 12 months, moving from 1 January 2026 to 1 January 2027.

·        Despite this delay, the transitional periods in the rules will be reduced, ensuring that the full implementation date remains unchanged at 1 January 2030.

 

Changes to the Senior Manager Regime

·        The PRA is looking to consult on changes to the senior manager regime, which may involve amendments to the existing framework governing the responsibilities and accountability of senior management within firms.

 

Updates to Branch and Subsidiary Supervision

·        The PRA is finalizing updates to its approach to branch and subsidiary supervision, which may involve amendments to how these entities are regulated and supervised in the UK.

 

Operational Resilience Requirements

·        By March 2025, firms must demonstrate their ability to remain within impact tolerances for all important business services during severe disruptions. This requirement may represent an amendment to existing operational resilience expectations.

 

Consultation on ICT and Cyber Risks

·        The PRA and FCA plan to start consulting on policies related to the management of Information and Communication Technology (ICT) and cyber risks in the second half of 2025. This may lead to amendments in how firms are required to manage these risks.

 

Focus on Data Accuracy

·        The PRA will continue its assessments of data accuracy using a full range of supervisory tools, which may lead to amendments in reporting requirements and expectations for data management practices.

The document indicates several potential amendments and considerations regarding existing regulations, particularly in relation to the Prudential Regulation Authority’s (PRA) ongoing regulatory framework. Key points include:

 

Delay in Implementation of Basel 3.1: The PRA has announced a delay in the implementation of Basel 3.1 in the UK by 12 months, moving the effective date from January 1, 2026, to January 1, 2027. This delay allows for greater clarity regarding the implementation plans in the United States. However, the full implementation date remains unchanged at January 1, 2030.

 

Consultation on Senior Manager Regime Changes: The PRA is looking to consult on changes to the Senior Manager Regime, which may introduce amendments to the existing governance and accountability frameworks for senior management within firms.

 

Policy Consultation on ICT and Cyber Risks: The PRA and FCA intend to consult in the second half of 2025 on policy relating to the management of Information and Communication Technology (ICT) and cyber risks. This may lead to amendments in how firms are required to manage and report on these risks.

 

Strong and Simple Capital Framework: The proposed Strong and Simple capital framework aims to simplify the capital regime for small domestic deposit takers (SDDTs) while maintaining resilience and risk sensitivity. This framework may introduce amendments to existing capital requirements for eligible firms.

 

Feedback on Disclosure Standards: The PRA is focusing on the outcomes from a 2024 cross-firm review of the disclosure standards applied by banks to non-bank financial institution clients, which may lead to amendments in disclosure requirements based on the findings.

 

Operational Resilience Requirements: The document emphasizes the need for firms to demonstrate operational resilience by March 2025, which may lead to amendments in existing operational risk management frameworks to ensure compliance with new expectations.

 

Data Risk Management Enhancements: The PRA expects firms to improve their data aggregation and reporting practices, which may result in amendments to existing data management regulations to enhance data quality and accuracy.

Key Implementation Dates and Transitional Periods

 

Liquidity Reporting Requirements:

·        Consultation Paper (CP) 19/24: The PRA has proposed new liquidity reporting requirements aimed at closing liquidity reporting gaps and streamlining Standard Formula reporting. While specific implementation dates for these requirements are not explicitly mentioned in the provided documents, firms are encouraged to provide feedback and prepare for changes as they arise.

 

Solvent Exit Planning for Insurers:

·        Effective Date: From 30 June 2026, new policy requirements will come into force for insurers. This includes the requirement for most insurers to prepare a plan known as a Solvent Exit Analysis (SEA) to ensure an orderly, solvent exit if necessary.

·        Transitional Period: In 2025, PRA supervisors will begin working with insurers in scope of PS20/24 to support their understanding of the expectations ahead of the implementation date.

 

Operational Resilience:

·        Deadline for Compliance: By March 2025, firms must demonstrate that they can remain within impact tolerances for all important business services during severe but plausible disruptions. This includes strengthening response and recovery capabilities to address cyber threats and third-party service disruptions.

 

Climate Risk Management:

·        Ongoing Requirement: Firms are expected to continue embedding the PRA’s climate expectations into their risk management frameworks. Specific timelines for updates or consultations on climate risk management policies are not detailed, but firms should be proactive in aligning with evolving expectations.

 

Liquidity Stress Testing:

·        LIST 2025 Exercise: The LIST 2025 exercise will provide insights into the financial resilience of the largest firms operating in the UK life insurance sector. Specific dates for this exercise will be communicated by the PRA.

 

Cyber Security and Third-Party Risk Management:

·        Consultation on ICT and Cyber Risks: The PRA intends to start consulting with the FCA in the second half of 2025 on policy relating to the management of Information and Communication Technology (ICT) and cyber risks.

The document outlines several key implementation dates and transitional periods that firms should be aware of, particularly concerning regulatory changes and compliance requirements. These include:

 

Basel 3.1 Implementation Delay

·        The implementation of Basel 3.1 in the UK has been delayed by 12 months, moving the effective date from 1 January 2026 to 1 January 2027.

·        Despite this delay, the transitional periods in the rules will be reduced to ensure that the date for full implementation remains unchanged at 1 January 2030.

 

Operational Resilience Requirements

·        By March 2025, firms must demonstrate that they can remain within impact tolerances for all their important business services (IBS) during severe but plausible disruptions. This includes showing significant progress in strengthening response and recovery capabilities against cyber threats and other operational risks.

 

Engagement with Discussion Papers

·        Firms are encouraged to engage with the Bank of England’s discussion paper on transitioning to a repo-led operating framework, with feedback due by 31 January 2025. This engagement is crucial for preparing for changes in the funding and liquidity landscape.

 

Cyber Resilience and ICT Management

·        The PRA and FCA intend to start consulting on policy related to the management of ICT and cyber risks in the second half of 2025. Firms should prepare for these consultations and align their practices accordingly.

 

Ongoing Assessments and Reviews

·        Firms should expect ongoing assessments of data accuracy and risk management practices throughout 2025, utilizing a full range of supervisory tools, including skilled person reviews.

 

Feedback from Cyber Stress Tests

·        Feedback from the 2024 Cyber Stress Test is expected to be published later in 2025, which firms should consider in their operational resilience planning.

The document outlines several key implementation dates and transitional periods relevant to the regulatory framework for UK deposit takers. These include:

 

Basel 3.1 Implementation Delay:

·        The implementation of Basel 3.1 has been delayed by 12 months, moving the effective date from January 1, 2026, to January 1, 2027.

·        Despite this delay, the full implementation date remains unchanged at January 1, 2030. The transitional periods in the rules will be reduced to ensure that the timeline for full implementation is maintained.

 

Operational Resilience Requirements:

·        By March 2025, firms must demonstrate their ability to remain within impact tolerances for all important business services (IBS) during severe but plausible disruptions. This deadline emphasizes the need for firms to enhance their operational resilience capabilities.

 

Engagement with the Bank of England:

·        Firms are encouraged to engage, by January 2025, with the Bank’s discussion paper published on December 9, 2024. This engagement is crucial for understanding the implications of the transition to a demand-driven framework for supplying reserves.

 

TFSME Maturities:

·        With significant Term Funding Scheme with additional incentives for SMEs (TFSME) maturities due in 2025, firms are expected to plan well in advance for repaying and refinancing their maturing TFSME drawings.

 

Cyber Resilience Consultation:

·        The PRA and FCA intend to start consulting in the second half of 2025 on policy relating to the management of Information and Communication Technology (ICT) and cyber risks. This consultation will inform future regulatory expectations in this area.

 

Feedback on Disclosure Standards:

·        The PRA will focus on the outcomes from a 2024 cross-firm review of the disclosure standards applied by banks to non-bank financial institution clients, with further developments expected in 2025.

By aligning with these priorities and leveraging tools like FinregE’s RIG for actionable insights, firms can not only meet regulatory requirements but also strengthen their long-term strategic positioning in a competitive market. To see how FinregE’s solutions can support your compliance needs, book a demo today and take the first step toward streamlined and efficient regulatory management.
