January 2026

      The PRA has issued its January 2026 supervisory priority letters for banks, building societies, insurers and other PRA-regulated firms.

      The letters address the key risks in each sector and are intended to help firms understand the main areas of supervisory focus for the coming year. They also set out the PRA’s initiatives to support competition, competitiveness and growth.

      Most important of these is the announcement that the PRA has decided to streamline the supervisory process by moving all Periodic Summary Meetings (PSMs) to a two-year cycle. Firms which have not already transitioned to a biennial review cycle will do so, starting with the largest firms from 1 March 2026. This is intended to reduce regulatory burden, reflect the longer-term nature of supervisory workplans and “allow firms and supervisors to focus resources more efficiently on identifying and remediating key risks”.

      As in previous years, there are three Dear CEO letters, for UK Deposit Takers, International Banks and Insurers. As there is significant overlap for UK and International banks, these are considered together below.

      UK Deposit Takers (UKDTs) and International Banks (IBs)

      Risk management frameworks: senior management and boards need to ensure that their organisations maintain robust risk management frameworks that are proportionate, keep pace with changes to their business model and adapt to the changing external environment. These frameworks should be in place across business lines, risk management and audit.

      Counterparty credit risk/exposures to Non-Bank Financial Institutions (NBFIs):

      • UKDTs: boards should have an accurate view of exposures particularly across private equity and private capital counterparties. Further progress is needed to keep pace with increased risk appetite by ensuring decisions are better informed by the level, timeliness and nature of disclosures by their clients.
      • IBs: boards and senior management should ensure that they have an accurate view of exposures under current and stressed market conditions, particularly across private markets and hedge funds. The growth in intraday counterparty risk exposures at some firms that provide market access, clearing and financing to non-bank wholesale electronic market makers and ultra-low latency liquidity providers has exposed vulnerabilities, and firms have more work to do to ensure that risk appetite decisions are better informed by the level, timeliness and nature of disclosures by clients.
      • In 2026, the Bank of England’s second system-wide exploratory scenario (SWES) will focus on the resilience of private markets and their interactions with banks.

      UKDTs — Significant Risk Transfers: SS9/13 took effect on 1 Jan 2026. The PRA expects firms’ senior management to be appropriately engaged in approving and maintaining transactions that lead to a reduction in capital requirements.

      Shift in global trade flows: firms should ensure adequate risk management of trade financing activities while supporting their clients amid the changing environment.

      Model Risk Management: firms should prioritise remediation of shortcomings identified against the expectations in SS1/23 as part of their broader risk management improvements. The PRA will continue to engage with accountable SMFs to assess and monitor implementation.

      Technological/AI advances: digital asset initiatives, tokenisation and the use of Distributed Ledger Technology (DLT) present both opportunities and threats to the banking sector. The BoE and PRA support responsible adoption, meaning they expect that firms will not compromise their safety and soundness. The PRA also encourages active participation in the Digital Securities Sandbox.

      Testing: the PRA expects firms to improve operational resilience testing and for it to be an integral part of decision-making. Senior managers and boards should routinely consider how strategic changes — such as new products, IT upgrades and outsourcing — affect resilience. Actions should be proportionate to the size and business model of the firm and targeted at important business services.

      Cyber and geopolitical risk: with firms most often citing these as their greatest concerns and the most challenging risks to manage, robust capabilities are expected to prevent breaches, detect attacks quickly, respond effectively and recover critical services within their impact tolerances. The PRA encourages all firms to apply learnings from the 2024 cyber stress test and make full use of tools such as CBEST, or STAR-FS for non-systemic firms, to assess cyber resilience.

      Third party resilience: firms should prepare for service failure by maintaining and testing contingency plans, exit plans and stressed exit plans. They should be aware of concentration risks and ensure that they understand the full chain of dependencies, including sub-outsourcing. The PRA stresses that firms should not rely solely on assurances from third parties regarding their resilience. Where possible, firms should conduct their own testing and validation to ensure that services can be maintained during disruption.

      The PRA expects firms to consider and manage risks “across a comprehensive set of forward-looking liquidity and capital metrics” and to use rigorous stress testing to evaluate their financial resilience.

      Basel 3.1/Strong and Simple Framework: firms are expected to have worked through the implications of the Basel 3.1 standards or the Strong and Simple capital regime (for Small Domestic Deposit Takers - SDDTs) for their capital position and to be considering any actions required ahead of implementation on 1 January 2027.

      Pillar 2: the submission deadline for the 2025 exercise is 31 March 2026, with existing requirements to be rebased for 2026. Firms should provide timely and high-quality data to enable the PRA to update requirements accurately ahead of the implementation date. The PRA expects:

      • Boards to seek assurance over the accurate calculation and reporting of their RWAs for the rebasing exercise and the implementation of the Basel 3.1 standards or the SDDT framework.
      • ICAAPs signed off by boards in 2026 to include an impact assessment of the Basel 3.1 standards or SDDT framework.
      • ICAAPs from 1 January 2027 to be prepared on a Basel 3.1 or SDDT basis.

      Regulatory permissions: firms should engage with the PRA as soon as possible on regulatory permissions already applied for or planned. The PRA expects firms to make any new applications under the Basel 3.1 or SDDT rules and convert any in-flight applications as appropriate.

      Weaknesses in data quality continue to drive operational and prudential issues. The PRA expects firms to:

      • Embed strong data governance and controls, particularly as advanced technologies including AI heighten reliance on accurate, complete and well-managed data.
      • Benchmark practices against recognised standards, including the BCBS 239 principles for risk data aggregation and reporting where relevant.
      • Demonstrate proactive investment in data architecture and validation processes, to support timely and accurate regulatory submissions.

      The PRA views data quality as a “cornerstone of prudential resilience” and will continue to deploy specialist reviews and skilled person reviews where it observes persistent weaknesses.

      In addition to the new two-year PSM cycle, the PRA will continue to pursue other initiatives to deliver against its secondary growth and competitiveness objective, including:

      • Accelerating timelines for reviewing senior manager applications, new firm authorisations and internal ratings-based (IRB) model change pre-approval applications.
      • Providing support to enable firms to scale up and compete more effectively.
      • Streamlining and modernising reporting requirements through the Future Banking Data project.
      • Continuing to work with the FCA to consider how best to support the mutuals landscape to “drive inclusive growth in the UK”.

      Insurers

      Competitive pressures

      • BPA (Bulk Purchase Annuities): the PRA remains concerned that intense competition in the BPA market could dilute pricing discipline and weaken risk management standards. Firms should ensure frameworks and controls can robustly assess risks, especially as pricing pressure rises and more complex features are considered. In 2026, the PRA will revisit insurers’ responses to its Dear CRO letter on solvency‑triggered termination rights to check that risks from these clauses are fully recognised and managed.
      • Funded Re: following industry roundtables in 2025, the PRA will integrate firm feedback into policy proposals and plans a further update in Q2 2026.

      Investment strategies – liquidity and private assets

      • Synthetic investments: the PRA notes greater use of strategic structured and synthetic investments, which can elevate liquidity risk. It expects firms to consider cumulative impact and potential leverage and maintain risk‑appetite and limit frameworks for aggregate cash‑flow risks, including under stress.
      • Liquidity: the PRA will track how UK insurers’ liquidity exposures evolve after the new liquidity reporting requirements take effect on 30 September 2026. Affected firms should continue to engage with the PRA to ensure implementation readiness.
      • Private assets: the PRA reminds firms to continue paying attention to exposures to private credit assets. Private assets will also be the focus of the 2026 system-wide exploratory scenario (SWES), which will involve a range of market participants including insurers.
      • Credit risk: the PRA will look at firms’ credit risk management more broadly, as they expand into new asset classes and geographies. It will continue to assess the adequacy of firms’ credit assessment frameworks, including the robustness of internal ratings.

      New capital and ownership structures

      • The PRA is open to diverse ownership structures but reminds firms that, regardless of insurer ownership models, it expects prudent management and strong, independent legal‑entity governance within groups, including effective management of any conflicts of interest.

      LIST and future disclosures

      • The results of the life insurance stress test (LIST) will inform the 2026 supervisory approach. The PRA will also solicit feedback from firms and disclosure users to refine the scope and design of future exercises and disclosures. 

      The softening market is particularly affecting parts of the London Market. The PRA calls for underwriting discipline in the face of pressure on pricing, terms and reserving.

      • Optimistic underwriting assumptions in internal models
        The PRA has observed instances where internal model assumptions about future underwriting performance appear optimistic relative to track records. In 2026, engagement will intensify for firms showing the largest gaps between actual and modelled profitability. Absent robust, historically grounded justification, the PRA will consider further supervisory action to ensure SCR is not materially understated.
      • Exposure management
        Across the London Market, firms need to raise data quality and invest in systems, tools and models to keep pace with an evolving risk landscape.
      • Delegated authority underwriting
        The PRA particularly notes growth in delegated authority underwriting in the London Market. To preserve underwriting standards, firms should maintain strong oversight of delegated arrangements, including clear approaches to exit unprofitable deals. The PRA will explore oversight effectiveness with relevant firms.
      • DyGIST
        Participating firms should refresh crisis playbooks and test internal communications and coordination. The PRA will host a seminar for all dynamic general insurance stress test (DyGIST) sponsors on 24 February 2026. 

      Operational resilience

      • Testing: the PRA expects firms to improve operational resilience testing and for this to be an integral part of decision-making. Senior managers and boards should routinely consider how strategic changes — such as new products, IT upgrades and outsourcing — affect resilience.
      • Third parties: the PRA expects deeper engagement with third‑party providers to assess the impact of severe but plausible disruptions. Legacy technology obsolescence remains a key weakness. While modernisation programmes progress, firms should consider the risks associated with change management.
      • Cyber: firms need robust capabilities to prevent breaches, detect attacks quickly, respond effectively and recover critical services within their impact tolerances. The PRA will continue CBEST/STAR‑FS with higher‑impact firms and may use CQUEST for others, alongside FCA initiatives.

      Solvent exit planning

      • By 30 June 2026, all in‑scope insurers must complete a Solvent Exit Analysis (SEA) under the PRA’s solvent exit policy framework.

      Artificial intelligence (AI)

      • Advanced technologies can introduce novel risks and amplify existing ones (e.g., data quality, third‑party and cyber). Firms should adopt technology without compromising safety and soundness.

      Facilitating competition, international competitiveness and growth

      • The PRA will continue to innovate in supervision, progressing initiatives such as a new UK captive regime (consultation in summer 2026 for a 2027 launch), reforms to the insurance special purpose vehicle (ISPVs) regime, and work on alternative life capital to channel capital consistent with long‑dated liabilities. It also aims to accelerate new firm authorisations and support smaller insurers with dedicated regulatory points of contact when launching new products.

      To discuss any of the above PRA priorities, or other developments in prudential regulation, please get in touch.

      Our people

      Michelle Adcock

      Director, FS Regulatory Insight Centre, Risk and Regulatory Advisory

      KPMG in the UK

      Radhika Bains

      ESG Specialist Senior Manager, EMA Regulatory Insight Centre

      KPMG in the UK

      Alisa Dolgova

      Insurance Prudential Regulation, EMA FS Regulatory Insight Centre

      KPMG in the UK