UK Deposit Takers Supervision – 2026 Priorities: What banks and building societies need to know about the PRA’s latest Dear CEO letter

The Prudential Regulation Authority (PRA) published its UK Deposit Takers Supervision: 2026 Priorities on 15 January which sets expectations for CEOs, boards, and senior leaders of UK banks and building societies, around keeping risk management and governance proportionate and responsive to a more volatile environment.

The letter also outlines the PRA’s expectations for firms to prove operational and financial resilience, as well as improving data risk disciplines as technology, including AI, becomes more embedded.

We provide an overview of the key takeaways below.

Strategic risk management

The PRA expects firms to strengthen their ability to identify and manage emerging risks as business models and market conditions evolve. A major focus for 2026 is the effectiveness of model risk management (MRM). Firms still differ in how well they understand model behaviour, how quickly they can validate changes, and how effectively they aggregate exposures across private markets, non‑bank financial institutions, and trade finance activities.

MRM is now central to strategic decision‑making. Remediation of weaknesses should support wider strategic change, including readiness for Basel 3.1 and future stress testing requirements. The PRA also notes increased use of Artificial Intelligence and advanced analytics. These tools should enhance decision‑making without weakening oversight or understanding.

Key areas of focus for 2026

• Ensure boards have clear visibility of model behaviour, limitations, and emerging risks.
• Strengthen validation processes so models can be updated quickly and confidently.
• Link model risk remediation to wider strategic programmes, including Basel 3.1 preparations.
• Maintain strong oversight of Artificial Intelligence and analytics to ensure responsible use.
• Strengthen data validation so that modelling and reporting remain accurate end-to-end.

Operational resilience

The PRA expects firms to embed operational resilience into strategic decisions. Scenario testing must continue to mature, and resilience should be reviewed whenever new products, system changes or outsourcing arrangements are introduced.

Cyber threats and geopolitical risks remain highly challenging. Firms should apply lessons from sector‑wide testing and ensure they can detect, respond to and recover from cyber incidents. Firms should maintain and test exit strategies and validate resilience through their own assessments rather than relying solely on third-party assurances. These measures ensure that firms can withstand operational shocks and maintain customer trust.

Key areas of focus for 2026

• Strengthen scenario testing for important business services.
• Improve cyber readiness across detection, response, and recovery.
• Map third‑party dependencies clearly and maintain robust contingency arrangements.
• Embed resilience considerations into all strategic change initiatives.

Financial resilience

The PRA expects firms to manage capital and liquidity using forward looking metrics supported by rigorous stress testing. Basel 3.1 reforms and the Strong and Simple regime for smaller firms will take effect in January 2027, and firms must be fully prepared.

In 2026, the PRA will rebase variable Pillar 2 requirements. Firms must provide high quality data, ensure the accuracy of risk weighted asset calculations, and reflect Basel 3.1 or Strong and Simple impacts in their ICAAPs.

Key areas of focus for 2026

• Complete readiness assessments for Basel 3.1 and Strong and Simple.
• Strengthen data quality for the Pillar 2 rebasing process.
• Provide board level assurance over risk weighted asset accuracy.
• Refresh stress testing frameworks to align with updated regulatory expectations.

Data risk

The PRA expects firms to improve data quality, governance, and architecture. Weaknesses in these areas continue to undermine reliable regulatory reporting. Firms should assess themselves against recognised standards and address challenges caused by legacy technology environments.

Firms should benchmark practices against recognised standards, including the Basel Committee’s BCBS 239 principles for risk data aggregation and reporting where relevant. For other financial organisations that are not required to comply, the BCBS 239 framework can still be adopted in a proportionate, holistic way to strengthen ownership, controls, and end‑to‑end data processes across the enterprise.

As the use of Artificial Intelligence increases, firms must ensure that the data supporting models and automated processes is trustworthy and well governed.

Key areas of focus for 2026

• Strengthen governance, lineage and validation across risk and finance data.
• Modernise data architecture to reduce fragmentation and complexity.
• Improve the timeliness and completeness of regulatory submissions.
• Ensure strong data controls for all AI driven processes.

Facilitating competition, international competitiveness, and growth

The PRA plans to streamline regulatory reporting through the Future Banking Data Programme. Firms are encouraged to engage actively to ensure that supervisory data needs align with internal business and risk data requirements.

Key areas of focus for 2026

• Engage early with the Future Banking Data Programme.
• Align internal data models with upcoming reporting changes.
• Look for opportunities to simplify internal reporting processes.

Supervisory approach

The PRA is moving all remaining firms to a two‑year cycle for Periodic Summary Meetings. This shift aims to reduce regulatory burden and support more effective long‑term planning. Timelines for senior manager approvals, authorisations and model change applications will also be accelerated.

Key areas of focus for 2026

• Align internal governance cycles with the two‑year supervisory rhythm.
• Develop capability to produce high‑quality submissions quickly.
• Maintain regular informal engagement with supervisors where needed.

Mutuals and Scale‑up Unit

The PRA will continue supporting mutuals and smaller firms through proportionate reforms, including adjustments to the Senior Managers regime and the application of the Strong and Simple framework. Collaboration with the FCA will continue to support the mutuals sector.

Key areas of focus for 2026

• Identify where proportionality can reduce burden without lowering standards.
• Strengthen governance and risk capabilities to support sustainable growth.

How 4most can help?

At 4most, our delivery approach begins with understanding the full risk landscape, using a risk‑based assessment to identify the most material data, model, and regulatory risks across your organisation. This is achieved through:

• Complimentary Data Risk Survey – Light touch assessment survey to help organisations assess and benchmark their data risk maturity. All respondents will receive an insights report on their organisation’s data risk maturity level across specific areas with SME inputs on best practices.
• BCBS 239 Attestation Tool – Provides a structured assessment against all BCBS 239 principles to identify maturity levels, control gaps and priority remediation areas, and produces a clear attestation‑ready output to support senior management sign‑off and demonstrate compliance progress.
• Specialist MRM support across models, data and regulatory risk – read our comprehensive guide on model risk management best practice.

• AI Operational Risk Gap Assessment – Ensuring the right business, data and technology capabilities are in place for scaling AI.
• AI Governance Assessment – Focusing on GenAI model risk, governance and oversight.

Send us an email if you would like to learn more about how we can support your organisation – info@4-most.co.uk.