At a glance

PRA sets out 2025 banking supervisory priorities

  • January 2025

The PRA issued Dear CEO letters to UK deposit takers and to international banks and designated investment firms on 21 January 2025, setting out its supervisory priorities for the year ahead.

The PRA’s priorities represent a continuation of previous years’ focus areas, with emphasis placed on firms maintaining robust risk management, governance and controls, supported by accurate information, to proactively identify and mitigate risks. The letters also include some specific details on supervisory activities planned over the year.

 

What does this mean?

The PRA groups its priorities into five focus areas for both portfolios of firms: (1) risk management, governance and controls; (2) data risk; (3) financial resilience; (4) operational resilience; and (5) Basel 3.1 delay. 

PRA expectations remain largely consistent across the UK deposit-takers and international banks and designated investment firms portfolios. In some areas, the PRA has placed emphasis on specific risks/issues relevant to each portfolio of firms. The letters should also be read alongside any firm-specific communications.

Risk management, governance and controls

The PRA notes that firms continue to vary in their ability to proactively identify, monitor and manage emerging and novel risks, including from geopolitical and technological developments. 

The PRA emphasises that firms’ senior management and Boards should ensure robust governance, risk management and controls frameworks are in place, and that these are adaptive and resilient, leveraging stress and scenario analyses to inform risk management, strategy, and business planning.

The PRA highlights counterparty credit risk as a continued area of focus, particularly firms’ exposures to non-bank financial institutions. It notes that many international banks continue to fall below the standards expected. It expects firms to continue to invest in credit risk management practices, highlighting that new lending, growth areas and existing portfolios should be risk assessed in the context of the evolving economic outlook. 

For UK deposit takers, the PRA notes its assessment of firms will focus on strategic growth areas (e.g. funds lending), vulnerable and higher-risk portfolios (e.g. buy-to-let, unsecured retail, leveraged lending) and key international portfolios. The PRA flags commercial real estate exposures as a focus of its assessment of credit risk management for both portfolios of firms. 

For UK deposit takers, the PRA expects firms to continue embedding changes to model risk management to align with SS 1/23 principles. It will be monitoring the quality of regulatory model submissions as an indicator of firms’ model risk management.

The PRA also outlines plans to undertake credit risk management thematic reviews amongst UK deposit takers. These will focus on forbearance and unsecured lending. The PRA will also conduct a cross-firm review of illiquid/structured significant risk transfer financing in 2025, including both UK deposit-takers and international banks and designated investment firms. 

Data risk

The PRA notes that poor data continues to be a root cause in a number of risks requiring remediation. It expects firms to continue to improve their ability to aggregate data to support holistic risk management, robust Board decision making, and accurate regulatory calculations. 

In particular, the PRA identifies technological developments, including the increasing use of Artificial Intelligence (AI), as placing heightened importance on the quality and accuracy of data underpinning these tools. 

The PRA also confirms it will continue to use the full set of its supervisory tools, including continued use of Section 166 reviews to ensure progress is made. 

Financial resilience

The PRA expects firms to prepare for significant changes to the funding and liquidity landscape for UK banks over the next several years as a result of Bank of England (BoE) balance sheet normalisation and changing market dynamics. This includes firms seeking assurance from treasury and risk management functions on the effectiveness of balance sheet management and the impact on funding options and underlying business model. 

In particular, it highlights the increasing need for firms to source their stock of sterling reserves directly from the BoE through its Sterling Monetary Framework (SMF) facilities. It expects firms to consider how to source and manage liquidity and ensure they are operationally ready to access reserves through SMF facilities regularly and at scale. 

For UK deposit takers, the PRA emphasises that firms should plan well in advance for repaying and refinancing their maturing Term Funding Scheme with additional incentives for SMEs (TFSME) drawings, taking into consideration the potential for increased competition for deposits and the balancing of collateral. 

Operational resilience

Firms should have made significant progress to comply with the PRA’s Operational Resilience rules by March 2025. The PRA reiterates that operational resilience should continue to be a key point of consideration for boards and executives when planning major change programmes, making strategic board decisions, or engaging in new third/fourth party relationships.

The PRA highlights the importance of firms’ ability to detect, respond to, and recover from cyber attacks, and encourages firms to use its CBEST thematic reports to enhance cyber resilience capabilities.

The PRA confirms that it plans to issue the results of its cyber stress test later in 2025. Alongside the FCA, it will also consult on policy relating to the management of ICT and cyber risks in H2 2025.

Basel 3.1 delay

The PRA confirms the delay to Basel 3.1 implementation in the UK by 12 months from 1 January 2026 to 1 January 2027. 

For relevant UK deposit takers, the PRA notes that it is considering the impact of Basel 3.1 delay on the timeframe for implementing its Strong & Simple framework. Nevertheless, it continues to expect eligible firms to consider the possible capital impacts of the proposals and which prudential regime will be most appropriate for them. 

What do firms need to do?

Prepare for scrutiny of risk management and governance controls.

Manage and implement change programmes effectively.

Invest in technology solutions to drive efficiencies in risk management and compliance capabilities.

The PRA’s supervisory agenda continues to be extremely busy, reflecting the range of risks the banking sector currently faces. 

Continued economic and geopolitical volatility means the PRA remains focused on firms’ risk management, governance, and controls and financial resilience. Firms should be prepared for continued scrutiny in these areas through supervisory channels and thematic reviews. 

The PRA also stresses the importance of identifying, monitoring, and managing novel risks including those arising from technological developments and the increased use of AI. Firms should be prepared for PRA focus across these areas, particularly as firms look to progress technology change programmes and transformations. 

Continuing to invest in technology solutions will help firms to meet the PRA’s expectations around data and reporting, risk management including counterparty credit risk, and cyber resilience, among other things.

Despite the delay to Basel 3.1 implementation, relevant UK deposit takers should continue to consider the strategic case for whether to opt in to the Strong and Simple framework or to prepare for the “full version” of Basel 3.1.

Next steps

Firms should expect ongoing engagement from supervisory teams on the areas covered in the letter as well as specific feedback, including through the periodic summary meeting process.

Contacts

Peter El Khoury

Head of Banking Prudential Regulation & FS Digital Partner, PwC United Kingdom

+44 (0)7872 005506


Conor MacManus

Director, London, PwC United Kingdom

+44 (0)7718 979428


Rory Davis

Manager, PwC United Kingdom

+44 (0)7483 326478
