At a glance

PRA sets out 2026 banking supervisory priorities

  • January 2026

On 15 January 2026, the PRA published its annual supervisory priorities for UK deposit takers and international banks operating in the UK. The letters set out the PRA’s supervisory priorities for the year ahead, and should be read alongside firm-specific feedback provided through Periodic Summary Meetings.

The PRA’s priorities for 2026 continue its emphasis on risk management capability, data accuracy, resilience and effective governance, but place these expectations in the context of heightened macroeconomic, geopolitical and market uncertainty. Firms are expected to demonstrate that their risk management, controls and decision-making frameworks remain robust and forward-looking in this environment.

What does this mean?

The PRA’s areas of focus remain largely consistent with the 2025 letters. However, the PRA’s expectations should be read in the context of an evolving environment of market, geopolitical and technological developments, which banks will need to consider and manage carefully.

Key areas of focus in the letter include: 

Strategic management and governance 

The PRA has observed that firms’ ability to proactively identify and mitigate risks in an increasingly complex environment varies. Boards and senior management are expected to take clear ownership of risk appetite, emerging risk identification and strategic decision-making. The PRA continues to expect evidence of effective challenge, escalation and oversight, particularly where firms are exposed to complex or rapidly evolving risks.

Counterparty credit risk (CCR) remains a key priority for the regulator. In particular, the PRA highlights the ability of banks to build an aggregate picture of exposures to non-bank financial institutions (NBFIs) as an area of concern. For international banks the PRA specifically highlights intra-day CCR exposures to non-bank market participants as an area requiring focus.

The PRA highlights innovation, particularly in AI and the digital assets ecosystems, as developments which can bring significant benefits to firms, but also risks which need to be managed. Firms can expect the PRA to engage on and monitor developments in these areas as deployment matures across the industry.

Operational resilience 

The PRA sets out the next phase of supervisory focus for operational resilience, following its review of firms’ implementation of the framework. In particular, the PRA expects firms to develop their testing capabilities and for resilience to be embedded fully into business decision making.

The PRA highlights cyber and geopolitical risks as particularly prominent risks the sector is facing. The PRA expects firms to develop capabilities to detect attacks and recover quickly. The regulator also references the increased reliance on a small number of third parties, and emphasises the need to manage concentration risk and the dependencies throughout supplier chains, including through testing and validation. 

Financial resilience 

The PRA expects firms to maintain robust capital and liquidity positions and to use stress testing and scenario analysis effectively to inform decision-making. The PRA stresses the need for firms to have fully worked through the implications of implementation of Basel 3.1 and (for in-scope banks) the Strong and Simple regime. The PRA is also working through a process of ‘rebasing’ Pillar 2 requirements, with firms required to submit data by 31 March 2026. In the context of changes from Basel 3.1, Strong and Simple and the rebasing exercise, the PRA expects Boards to ensure RWAs and reporting are accurate. 

Data risk 

Poor data quality is again highlighted as a root cause of risk management failures and inaccurate regulatory reporting. In 2026, firms are expected to demonstrate progress in improving data accuracy, completeness and timeliness, particularly where data underpins risk reporting, stress testing, regulatory submissions and deployment of AI. Firms should benchmark their capabilities against standards such as BCBS 239. The PRA makes clear it will continue to engage in supervisory action, including skilled person reviews, where weaknesses in this area persist.

Competition, international competitiveness and growth

The letter highlights a number of areas where the PRA will advance its international competitiveness and growth objective in 2026. These include: modernising and streamlining reporting requirements through the Future Banking Data programme; moving all firms currently on an annual Periodic Summary Meeting (PSM) cycle to a two-year cycle; and accelerating timelines for reviewing Senior Manager applications, firm authorisations and Internal Ratings Based model change pre-approvals.

What do firms need to do?

Strengthen board and senior management oversight of emerging risks, and focus on transformation of risk management capabilities.

Embed operational resilience considerations into business decision making, investment decisions and third-party management.

Improve end-to-end data capabilities, controls and management information to support risk management and regulatory reporting.

Despite steps to reduce the supervisory burden, the PRA’s agenda continues to be extremely busy, reflecting the range of risks the banking sector currently faces.  

The priority for firms should be to focus on continuing to build their holistic risk management capabilities in the face of a diverse and rapidly evolving risk environment. Boards should be confident that risk appetite statements, stress testing and scenario analysis appropriately reflect external risks, including geopolitical and market fragmentation risks highlighted by the PRA. This will require firms to focus on developing a risk function which takes a strategic view of the broad risk environment, enabled through robust data and analytics tools.

The regulator’s focus on operational resilience is entering a new phase. Firms will be tested on their testing, including for technology and third-party risks. The PRA will also seek evidence that operational resilience considerations are fully embedded in business decision making. 

Ensuring robust data quality is a prerequisite for effective risk management, business strategy and regulatory compliance, as well as being fundamental to the successful deployment of AI and other advanced analytics tools. Achieving this will require firms to invest in an end-to-end data model with common taxonomies, data standards and governance. With a significant degree of change on the near horizon because of Basel 3.1, Strong and Simple and the Pillar 2 rebasing exercise, it will be of even more importance that Boards have assurance over the accuracy of RWAs and regulatory reporting.

Underpinning firms’ ability to successfully navigate a diverse supervisory agenda will be having a suitable supervisory engagement model. These functions play a vital role in conveying messages to and from the regulators and managing key stakeholder relationships. As with other regulatory functions, there is increasing scope to deploy technology solutions to optimise this model and ensure clear and consistent messages are shared with supervisory teams.

“Strong fundamentals in governance, risk management and data remain critical to firms’ resilience, particularly in an uncertain global environment.”

PRA, 2026 banking supervisory priorities

Next steps

Firms should expect engagement from their supervisory teams on the topics set out in the letter which are relevant to their business models. Firms should use the 2026 priorities to inform internal risk assessments and supervisory engagement plans, ensuring that actions taken in response to PSM feedback are aligned with the PRA’s stated focus areas.

Contacts

Peter El Khoury

Partner - Head of Banking Financial Risk, PwC United Kingdom

+44 (0)7872 005506


Conor MacManus

Director, London, PwC United Kingdom

+44 (0)7718 979428

