The PRA has released Consultation Paper CP9/25 on 23 April 2025 to restate MiFID Organisational Regulation into the PRA Rulebook.
The changes—outlined in the April 2025 Consultation Paper and accompanying legal instruments—aim to streamline and strengthen governance, compliance, and internal oversight processes for MiFID investment firms.
The paper includes no new requirements. But it restructures how firms access and interpret key organisational obligations.
From Assimilated Law to UK Rulebook
MiFID Org Reg has existed as assimilated law since Brexit. Firms followed it through cross-references in the Rulebook.
Now, the PRA proposes full integration of these rules into its own framework. This change improves accessibility and enforcement.
The shift aligns with the Financial Services and Markets Act 2023. The PRA will gain more flexibility to update rules quickly.
Scope of the Proposed Change
Although the PRA is not introducing new requirements, the consultation covers a comprehensive restatement of obligations relating to:
- General organisational structure and governance
- Board and senior management responsibilities
- Outsourcing and third-party oversight
- Recordkeeping and access to supervisory data
- Compliance, internal audit and risk management functions
The core principle remains proportionality: obligations should reflect the size, nature, and complexity of the firm’s business. However, these requirements will now be contained within the Rulebook, increasing transparency around compliance responsibilities and enforcement powers.
Why It Matters Now?
Firms must still comply with existing obligations. But those obligations will now appear directly in the PRA Rulebook.
This improves visibility for compliance teams and senior managers. Internal control teams can navigate obligations with greater clarity.
Firms can expect faster updates in future. The PRA can revise Rulebook entries more easily than EU-derived legislation.
This also improves transparency for supervisors and regulated firms.
Summary of key rule changes:
Reinforced General Organisational Requirements
The PRA has updated several key chapters of the General Organisational Requirements Part (PRA Rulebook: CRR Firms) with new expectations:
Compliance and Internal Audit
- New provisions inserted under Chapter 3, requiring:
- Separation of the compliance function (Art. 21A)
- Clear mandate and periodic reporting to senior management (Art. 21A.2)
- Strengthened independence and resourcing of internal audit functions (Art. 21B)
Outsourcing
- Chapter 4 (Outsourcing) now mandates:
- Enhanced risk assessments and oversight for all material outsourcing arrangements (Art. 22.1–22.5)
- Documentation of contractual rights and audit access (Art. 22.6–22.9)
- Alignment with operational resilience outcomes
Record Keeping
- Amendments under Chapter 5 reinforce:
- Evidence retention obligations aligned with MiFID II standards (Art. 23.1–23.3)
- Clarity on format, accessibility, and retention period of records
Risk Control
- Changes in Chapter 6 now require:
- Independence of risk control from operational functions (Art. 24A.1)
- Direct access of risk control to governing body (Art. 24A.2)
- Sufficient authority and resources for effective operation
Notifications
- Chapter 7 (Notifications) adds:
- Requirements to notify PRA of failures in key control functions (Art. 25.1)
- Specific timelines and channels for material incident reporting
New Self-Assessment and SIF Attestation Requirements
The second instrument proposes a new chapter titled:
“Chapter 8 – Self-Assessment and Attestation”
This introduces the following mandatory obligations:
Annual Self-Assessment
- Firms must complete a comprehensive, documented assessment of their compliance with all rules in the General Organisational Requirements part.
SIF Attestation Requirement
- A Senior Management Function (SMF) holder must attest to:
- The accuracy and completeness of the self-assessment (Art. 26A.1–26A.3)
- That the board has reviewed and endorsed the conclusions (Art. 26A.4)
Governance and Recordkeeping
- The firm must retain the assessment for regulatory review and produce it on request (Art. 26A.5–26A.6)
Key Implementation Dates and Transition Periods
- Commencement of FSMA 2023 Provisions: The proposals in the document are dependent on the anticipated legislation (commencement regulations) to bring into force the provisions of the Financial Services and Markets Act (FSMA) 2023. The specific date for this commencement is not explicitly stated in the document, but it is indicated that it is expected to occur soon.
- Revocation of MiFID Org Regulation: The document mentions that the FSMA 2023 will revoke the assimilated law MiFID Org Regulation. This revocation is a critical step in the transition to the new regulatory framework.
- Consultation Period: The PRA is conducting a consultation process regarding the proposed changes. Responses are requested by Monday 23 June 2025.
- Implementation Timeline: Once the FSMA 2023 provisions are commenced, the PRA will update the Rulebook to reflect the new requirements. The document suggests that the PRA aims to implement these changes in a timely manner following the commencement of the legislation.
- Transitional Arrangements: While the document does not provide specific transitional periods, it implies that firms will need to transition their existing policies and practices to align with the new requirements once the FSMA 2023 is in effect. Institutions should prepare for this transition by reviewing and updating their compliance frameworks accordingly.
- Future Updates: The PRA has indicated that it may update the rules further in response to evolving market conditions and regulatory needs. Firms should remain vigilant for any announcements regarding additional implementation timelines or changes.
How FinregE Enables End-to-End Compliance with the New PRA Rules
FinregE’s platform has been purposefully designed to handle exactly this type of regulatory complexity.
Rule Mapping and Traceability
With FinregE’s digitized rulebook, users can trace each amended article (e.g., Art. 21A, 22.3, 24A.1) to internal controls, policies, and audit trails—creating instant visibility and accountability.
Annual Self-Assessment Workflow
FinregE’s Self-Assessment module supports:
- Pre-loaded rule templates aligned to PRA Handbook parts
- Editable fields for interpretations, evidence, and risk assessments
- Role-based workflows for input, review, and attestation
- Dashboards to track completion and generate exportable reports
It mirrors PRA’s expectation for structured, complete, and validated reporting—without the manual effort.
Integrated SIF Sign-Off and Governance Logs
The approval and attestation features include:
- Electronic signature and date logging for SMF owners
- Review tracking for board or governance committees
- Exportable audit trail to demonstrate compliance during PRA supervision
Regulatory Update Management
With PRA continuing to release evolving guidance and rules, FinregE’s Regulatory Change Viewer ensures:
- Instant visibility of new updates
- Automatic rule comparison and delta analysis
- Seamless integration of rule changes into your firm’s compliance workflows
Closing Thoughts
As regulatory expectations intensify, firms must move beyond spreadsheets and fragmented tools. The PRA’s proposed MiFID reforms make it clear: self-assessment and executive-level accountability are no longer optional—they are integral to compliance.
FinregE empowers firms to not only meet these demands but to do so with confidence, clarity, and operational efficiency.
Request a demo or contact us to explore how FinregE can future proof your compliance strategy under the PRA’s evolving regulatory landscape.
