The Prudential Regulation Authority has published its annual Dear CEO letter outlining supervisory priorities for UK banks and building societies. The letter dated 15 January sets out the PRA 2026 priorities for UK deposit takers. The priorities reflect the regulator’s continued focus on resilience amid heightened geopolitical tensions, global trade fragmentation, and sovereign debt market pressures.
Strategic risk management
Strategic risk management remains a central focus for the PRA. Boards and senior leaders are expected to maintain robust frameworks that keep pace with evolving business models and external conditions. Particular attention is drawn to counterparty credit risk management, with exposures to non-bank financial institutions (NBFIs) and private equity counterparties requiring accurate aggregation across business lines. As of January 2024, major banks’ trading book exposures to NBFIs were approximately £120 billion. While firms have made progress on data and risk aggregation since the 2024 letter, further work is needed. Firms using significant risk transfers as capital management tools should ensure senior management is appropriately engaged in transaction approvals under the updated SS9/13, which took effect on 1 January 2026.
Operational resilience remains a regulatory priority
Moving to operational matters, operational resilience continues as a priority following the March 2025 deadline under SS1/21. The PRA expects firms to improve testing programmes and embed resilience considerations into strategic decision-making, including new product launches, IT upgrades, and outsourcing arrangements. Cyber risk and third-party concentration risk receive particular emphasis, with the regulator noting these remain the most frequently cited and challenging risks to manage across the sector. Systemic firms should apply lessons from the 2024 sector-wide cyber stress test and make full use of CBEST, while non-systemic firms should consider STAR-FS assessments to evaluate their cyber resilience capabilities. Firms must also maintain and test contingency plans for third-party service failures, avoiding over-reliance on provider assurances alone.
Financial resilience and Basel 3.1 implementation
On the capital front, financial resilience preparations intensify ahead of Basel 3.1 implementation on 1 January 2027. Firms must work through the capital implications and consider necessary actions before the implementation date. Meanwhile, small Domestic Deposit Takers should similarly prepare for the Strong and Simple Framework. The Pillar 2 rebasing exercise requires high-quality data submissions by 31 March 2026. ICAAPs signed off by boards this year must include Basel 3.1 or Strong and Simple impact assessments.
Data risk management
Underpinning all these priorities, data risk is highlighted as a cornerstone of effective risk management. Accordingly, the PRA expects firms to embed strong data governance and controls, recognising that poor data quality undermines regulatory calculations, decision-making, and resilience, particularly as AI adoption heightens reliance on accurate information. Firms should benchmark practices against BCBS 239 principles where relevant.
Beyond risk management, the letter also highlights the PRA’s secondary objective to support competitiveness and growth, including streamlined reporting through the Future Banking Data Programme and transition to two-year PSM cycles for all firms.
How Leaman Crellin Can Help
Our regulatory consulting team works with deposit takers across the UK to navigate evolving PRA expectations. From operational resilience frameworks and third-party risk assessments to Basel 3.1 implementation planning and ICAAP preparation, we provide practical, proportionate guidance tailored to your firm’s size and business model. Contact us to discuss how these PRA 2026 priorities affect your organisation.




