Regulatory Influencer: UK’s Prudential Regulatory Authority’s 2026 Supervisory Priorities – Continuity, Change and Regulatory Focus

On January 15, 2026, the Prudential Regulation Authority (PRA) published “Dear CEO” letters outlining its 2026 supervisory priorities. Although the PRA has issued two separate letters – one to international banks and designated investment firms, and another to UK deposit-takers – its priorities are largely consistent across both.

The PRA is the UK’s prudential regulator responsible for supervising banks, building societies, credit unions, insurers and designated investment firms. Its primary objectives are to promote the safety and soundness of the firms it regulates. The PRA also has important secondary objectives: to facilitate effective competition in the markets within its remit, and to support the UK's global competitiveness and medium-to-long-term economic growth.

The priorities letters are designed to help firms understand the main areas of supervisory focus over the coming year, addressing key risks in each sector while setting out the PRA’s priorities to support competition, competitiveness and growth.

The bigger picture

The PRA’s 2026 supervisory priorities sit at the intersection of continuity and change. Although the regulator’s core prudential objectives remain firmly in place, the risk landscape in which firms operate continues to evolve, shaped by technological innovation, geopolitical uncertainty, operational disruption and policy pressure to support UK competitiveness and growth. 
 

Against that backdrop, it is helpful to look more closely at how each of the PRA’s priority areas have evolved, and where supervisory expectations have either sharpened or remained consistent year on year. 

1. Strategic risk management: Firms must maintain robust risk management frameworks across business lines, risk management and audit. Counterparty credit risk (CCR) management and exposure to non-financial banking institutions (NFBIs) continue to be a supervisory focus, as they were in 2024. Of note, the PRA has made dedicated mentions of advances in technology, such as artificial intelligence (AI) and distributed ledger technology (DLT), as compared to the brief acknowledgement made in its 2024 letter. Although the regulator commends the operational efficiencies such technology can bring to the sector, it is also cognisant of the novel risks they represent. This stance is largely in line with the approach it outlined in its October 2025 approach for the responsible adoption of such technologies.

2. Operational resilience: The PRA expects firms, where applicable, to improve their operational resilience testing and for operational resilience to be an integral part of business decision-making. Although operational resilience has always featured highly on the agenda, the nature of operational disruptions has evolved. For example, in 2021, the PRA focused on operational disruptions arising from COVID-19, which is understandably less of a consideration today. This year’s letters call out the need for firms to have robust detection capabilities and effective responses, with special attention paid to risks such as cyberattacks, geopolitics and reliance on third parties. The changing nature of operational resilience and its demands is a direct result of the evolving risk landscape – one that the PRA is monitoring closely. 

3. Financial resilience: The PRA stresses that firms must consider and manage risks across a comprehensive set of forward-looking liquidity and capital metrics, using rigorous stress testing to evaluate their financial resilience. It further highlights that the majority of Basel 3.1 standards are due to be implemented by January 1, 2027. Financial resilience is a permanent feature of the PRA’s supervisory priorities, given its primary mandate as a prudential regulator. In the 2026 letters, stress testing remains a core PRA tool that the regulators use to determine financial resilience.

4. Data risk: Firms should embed strong data governance and controls, recognising that advanced technologies such as AI heighten reliance on accurate, complete and well-managed data. Since 2022, data has been an increasing area of focus for the regulator, which considers it a cornerstone of effective risk management. Although traditional concerns around the embedding of strong data governance and control continue to feature on the regulator’s radar, its importance has been heightened by the advanced technologies' reliance on accurate and well-managed data. As such, the PRA has also heightened expectations on firms to keep controls and governance infrastructure at pace with technological advancements. It expects firms to demonstrate proactive investment in data architecture and validation processes, addressing challenges due to complex IT landscapes and legacy systems.

5. Facilitating competition, international competitiveness and growth: In 2026, the PRA aims to streamline and reduce the regulatory reporting burden on firms, with a commitment to transitioning to a two-year periodic summary meeting (PSM) cycle for all firms currently on an annual cycle. The PRA further commits to accelerating timelines for new firm authorisations and providing greater support for firms to scale up. This is a new supervisory priority, which is no doubt the result of the government's call for regulators to support growth. In line with the PRA’s response to the growth mandate, the steps it has outlined are largely in line with the recommendations that the government has asked the PRA to have regard to. These include the vital contribution of the financial services sector to overall economic growth and creating a regulatory environment which facilitates growth.

Why should you care?

Firms should not interpret the government’s emphasis on growth and competition or the streamlining and reduction of regulatory burdens as an indication that regulatory oversight will be diluted in pursuit of economic expansion. 

Organisations may see the two-year PSM cycle as a dual-edged sword, as the reduced frequency means fewer opportunities to engage with the regulator and understand emerging concerns before they happen. The reduced cycle means firms will have to adopt a more proactive approach to spotting emerging risks.

The PRA’s supervisory priorities are a clear signal of where regulatory scrutiny, challenge and potential intervention will be focused over the coming year. These themes shape supervisory conversations, stress testing, data requests and firm-specific feedback.

The letters offer a practical roadmap for where firms may face the greatest regulatory pressure and where they should be strengthening controls, resources and senior management oversight now. 

Next steps

Firms should take advantage of the PRA’s intention to streamline regulatory reporting and support growth as a time to actively engage the regulators, sharing pain points and practical expertise to help inform regulatory approaches. 

Some key dates to look out for are: 

• March 1, 2026 – Larger firms will begin transitioning to the PRA’s new two-year supervisory cycle (frequency of PSMs).
• January 1, 2027 – The PRA plans to implement the Basel 3.1 capital standards in the UK. This includes most of the policy, supervisory statements and reporting requirements.
• January 1, 2030 – Full implementation of the Basel 3.1 transitional arrangements is expected to be completed by this date.