Our quarterly internal audit hot topics provides a thematic view of new and emerging regulatory risks across the financial sector.

Get in touch if you would like to discuss any of the topics below.

Regulatory priorities

Internal audit risk radar

Our risk focus radar is a combination of our view of key priorities and an extract from the UK Regulatory Initiatives Grid (where key milestones or formal engagement is planned), representing the risks and key priorities raised by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and leading UK regulatory bodies.

We identify the risk priorities at a glance for the four key sectors, segmented by time horizon and risk themes to support audit planning and forecast upcoming requirements.

Cross sector priorities

With economic conditions continuing to shift, firms need to stay agile and ensure their financial resilience strategies are up to scratch. Stress testing remains a key part of this, helping regulators and institutions understand how well the system can absorb shocks.

The Bank of England (BoE) has kicked off its 2025 Bank Capital Stress Test, marking a new phase in its approach. Moving away from annual testing, the BoE now runs these exercises every two years. This round focuses on the UK’s seven largest banks and building societies—those responsible for the bulk of lending to households and businesses. The aim is to uncover vulnerabilities by testing against severe but plausible scenarios, with results expected later this year.

Smaller firms are also being assessed under two tailored scenarios designed to reflect their size and business models. These tests are intended to guide firms in refining their own internal stress testing frameworks, particularly under Pillar 2, and to help them better understand the types of risks they might face.

In parallel, the BoE is also running its fourth supervisory stress test (SST) for central counterparties (CCPs), focusing on how well they could handle defaults by major clearing members. This highlights the regulator’s broader strategy of assessing multiple touch points across the financial system to ensure overall stability.

Across Europe, similar efforts are underway. The European Banking Authority (EBA) launched its own stress test earlier this year, with results due in August. These findings will feed into firms’ Supervisory Review and Evaluation Process (SREP) and help shape individual capital requirements.

The EBA has also undertaken a peer review of specific member states’ deposit guarantee schemes’ (DGS) stress testing approaches. While most meet the basic standards, some still fall short on key elements like realistic assumptions and objective assessments. A follow-up review is planned in two years to track progress.

What should happen now?

With economic conditions continuing to shift, firms must ensure their financial resilience strategies remain robust and responsive. The BoE’s 2025 Bank Capital Stress Test marks a new phase in supervisory expectations, and while only the largest firms are directly involved, all institutions are expected to engage meaningfully with the materials and insights provided.

Internal audit, risk, and finance teams should now take the lead to:

  • review the BoE’s updated materials: these offer guidance on the current stress test and will help firms understand how capital buffers might be adjusted based on the results
  • use the published scenarios as a starting point: even if your firm isn’t part of the main test, the BoE expects you to challenge your own business model with meaningful, tailored scenarios
  • take note of EBA best practices: these cover everything from core stress tests to cooperation frameworks. Firms should consider how their own approaches measure up and prepare for future scrutiny.

By embedding these practices into their risk management frameworks, firms can demonstrate resilience, regulatory alignment, and readiness for future shocks.

Since its introduction in July 2024, the Consumer Duty has reshaped how financial services approach customer outcomes. The FCA continues to reaffirm expectations, most recently through a multi-firm review into consumer support outcomes, published in March 2025. The message is clear: firms must support customers throughout the product lifecycle, not just at the point of sale.

Customer service plays a central role in helping consumers realise the value of the products they’ve bought, especially in achieving long-term financial goals. The FCA expects firms to demonstrate this through tangible outcomes, not just good intentions.

Now that the Consumer Duty rules have settled, the FCA’s March publication (FS25/2) outlined plans to review some of its broader requirements, including for example:

  • retiring outdated guidance and reducing reliance on ad-hoc communications like Dear CEO letters, making it easier for firms to navigate expectations
  • easing administrative burdens without compromising the standards set by Consumer Duty
  • giving retail banks more flexibility in how they communicate with customers, particularly around disclosure rules
  • reassessing how UK rules apply to firms serving customers overseas, including insurance clients.

Firms can expect further updates from the FCA in the coming months; the FCA is also consulting on further developments and undertaking several market reviews.

What should happen now?

Financial services have undergone a significant cultural shift under Consumer Duty, as the FCA continues to raise the bar on customer outcomes. Firms must embed enhanced outcomes monitoring into day-to-day operations, recognising that this isn’t a one-off compliance exercise and it will need updating over time. To achieve this, firms need granular, relevant, high-quality data to support evidence-based fair value assessments.

To meet these expectations, internal audit, compliance, and customer experience teams should:

  • deepen their understanding of customer needs, tailoring support and tracking the impact of any interventions
  • ensure post-sale support matches pre-sale standards. Long wait times, poor access to information, or a lack of follow-up are no longer acceptable
  • embed cultural change across the organisation, with training that helps staff understand their role in delivering good outcomes
  • expand monitoring to include a wider range of support outcomes, including tools that allow customers to self-identify support needs
  • interrogate the extent to which first-line teams are obtaining, monitoring and analysing a suitably broad and detailed range of data to evidence the decisions and conclusions reached.

It’s also essential that firms monitor upcoming FCA publications, using their content to refine the relevant frameworks and demonstrate a clear commitment to fair value, transparency, and good long-term customer outcomes.

In March 2025, the FCA and PRA confirmed they won’t be moving forward with the proposed changes to diversity and inclusion rules (CP23/20 and CP18/23) but will proceed with their work on non-financial misconduct (NFM). This decision reflects the significant reforms expected under the Employment Rights Bill. As of 1 July 2025, the Government has published a roadmap setting out a phased consultation process for policy measures. In our view, this is a sensible approach. Measures will begin to take effect at Royal Assent and continue through to 2027.

On 2 July 2025, the FCA published CP25/18, which includes a policy statement amending the Code of Conduct (COCON), originally proposed in CP23/20. The new rule, coming into effect on 1 September 2026, expands the scope of COCON to cover serious misconduct (such as bullying, harassment, and violence) in non-banks, aligning it with the standards already applied to banks. This aims to create a more consistent approach to tackling NFM across the financial services sector. The rule won’t apply retrospectively.

CP25/18 also outlines proposals for potential new Handbook guidance in both COCON and FIT. The FCA hopes this will help Senior Managers and Certification Regime (SM&CR) firms interpret and apply the conduct rules more consistently, while clarifying statutory and regulatory expectations around fitness and propriety.

In addition, the FCA plans to assess the impact of the 2023 bonus cap removal, particularly on gender pay gaps, with findings expected in the 2026/27 financial year.

Meanwhile, the EU is moving ahead with its own D&I agenda, including:

  • the EU Pay Transparency Directive which requires national implementation by June 2026, aiming to close gender pay gaps
  • the EBA’s diversity benchmarking guidelines, which have been in effect since 2024, requiring Capital Requirements Directive (CRD) and Investment Firms Directive (IFD) firms to report on board-level diversity metrics.

What should happen now?

To stay aligned with evolving expectations, internal audit, HR, and compliance teams should:

  • respond to the consultation paper by 10 September 2025
  • review internal policies on non-financial misconduct, ensuring clear responsibilities under the SM&CR, with appropriate documentation to support accountability, roles and responsibilities
  • consider refresher training for banks so that they understand the new expectations and nuances (eg, conduct in private or personal life is entirely out of scope for COCON but fitness and propriety testing can take account of any relevant matters wherever they occur)
  • prepare training plans on NFM for non-banks
  • be alert for the final guidance to CP25/18 expected to be published by year-end
  • for firms with EU operations, ensure compliance with EBA expectations on gender-neutral pay and transparent reporting – these will feed into the SREP and require robust internal data and monitoring processes.

By maintaining momentum on D&I and proactively addressing conduct risks, firms can demonstrate leadership, improve diversity of thought and demonstrate genuine commitment to an inclusive culture.

The regulatory focus on climate and environmental risk continues to intensify. This includes the PRA’s CP10/25, which proposes updates to SS3/19 and sets out new regulatory expectations for banks and insurers around climate-related financial risks. The consultation acknowledges progress to date but continues to raise the bar as risk management practices mature.

While many firms have made progress, the PRA has made it clear that foundational efforts aren’t enough. Its recent Dear CEO letter highlighted ongoing reliance on estimates and proxies, which may be acceptable for now, but not forever. Firms are expected to build more sophisticated approaches, particularly around scenario analysis, data quality, and risk appetite.

This is part of a broader push to embed sustainability risks into the heart of financial decision-making, setting new, enhanced expectations for transparency and consistency, backed by the anti-greenwashing rule introduced last year.

It’s also important to note the Government’s recent consultations on sustainable finance, including the UK Sustainability Reporting Standards (UK SRS S1 and S2), proposed transition plan rules, and potential changes to sustainability assurance reporting. These are open for feedback until 17 September 2025.

Read our article: The Government launches three consultations to boost sustainable finance.

However, not all initiatives are moving forward. The Government has withdrawn plans to implement a UK Green Taxonomy, citing concerns over complexity and international divergence. Instead, the focus is shifting toward more flexible, principles-based disclosures. The Leeds Reforms, a package of post-Brexit financial regulatory changes, continue to shape the broader ESG landscape, with implications for how firms integrate sustainability into governance and reporting — particularly through initiatives like the UK Sustainability Reporting Standards.

Across Europe, regulators are also stepping up, but with a focus on clearer, more simplified approaches, while still achieving the right level of consistency. The EBA’s new ESG dashboard, launched in April, gives firms a clearer view of systemic climate risks and helps benchmark exposures, especially in areas such as real estate. Meanwhile, ESMA is finalising its approach to ESG ratings, with technical standards expected in October.

What should happen now?

Internal audit should make sure the firm’s activities align with the PRA’s evolving expectations on climate risk management as set out in CP10/25, building on the foundations laid out in SS3/19. Taking a proportionate approach, firms should consider the following:

  • Governance

Boards must take ownership of climate risk appetite, ensuring it is informed by the risk function and integrated into strategic planning – this includes reviewing governance structures to confirm they actively support climate-related oversight and decision-making.

  • Risk management

Firms should continue to refine their climate risk capabilities, with a focus on identifying material exposures and establishing clear mechanisms for monitoring and escalation. Metrics should be meaningful, decision-useful, and aligned with broader risk frameworks.

  • Scenario analysis

Climate scenario analysis is now a supervisory expectation. Scenarios should reflect current science and economics, and feed into ICAAP or ORSA to support capital planning. The regulator has made it clear that firms will need to enhance the stress testing and scenario analysis they undertake to meet regulatory expectations.

  • Data

Firms must address data gaps with clear plans to improve quality and coverage. This includes oversight of third-party data and recognising the uncertainty inherent in climate modelling.

  • Disclosures

With the PRA now referencing ISSB standards, firms need to align their reporting with global best practice, clearly explaining how climate risks and opportunities are factored into financial and strategic decisions.

By embedding climate risk into governance, risk, and reporting frameworks, firms can demonstrate resilience, regulatory alignment, and long-term value creation. Firms should also consider the UK Government’s current consultations on climate transition planning, sustainability disclosure standards, and assurance frameworks — each of which is open for feedback until 17 September 2025. These proposals are expected to evolve over time, so it’s crucial to provide practical industry feedback and monitor further developments to remain compliant.

Cyber resilience remains a top priority, especially in light of recent high-profile incidents such as the Scattered Spider group attacks. For financial firms, the risks go beyond reputational or financial damage. Disruptions can impact critical services with a knock-on effect on operational resilience and other regulatory requirements, including the sector-agnostic General Data Protection Regulation (GDPR).

Complex and extended supply chains only add to the challenge. With third-party relationships deeply embedded in operations, firms must ensure that cyber controls extend across their entire ecosystem, with clear understanding of relevant risks and the mitigation and monitoring in place to ensure adequate protection. Well-defined accountabilities and escalation routes are key to an effective approach.

Recent updates to the Cyber Essentials Programme (April 2025) offer a refreshed baseline for cyber defence. Meanwhile, the upcoming Cyber Security and Resilience Bill (expected to become law by the end of the year) will introduce new requirements for firms operating in critical national infrastructure, drawing heavily from the EU’s NIS2 directive. The Government’s policy statement outlines the scope and expectations in more detail.

What should happen now?

With cyber threats growing in scale and sophistication, firms must take a proactive and structured approach to resilience — one that extends beyond internal systems to the broader ecosystem of third-party relationships and emerging technologies. This includes embedding resilience by design across the organisation, ensuring that systems and processes are built with security and continuity in mind from the outset.

Firms should also strengthen their incident management and crisis response capabilities to ensure they can detect, respond to, and recover from cyber events swiftly and effectively.

To build meaningful cyber resilience, internal audit should:

  • use benchmarking tools: the Cyber Resilience Compass, developed by Oxford’s Global Cyber Security Capability Centre (GCSCC) and the World Economic Forum, provides a practical framework to assess resilience across leadership, culture, systems, and third-party management
  • strengthen third-party oversight: ensure cyber security controls are embedded across all supplier relationships and contracts, with clear visibility into risks and response plans and an appropriate level of ongoing assurance and validation of key control activities
  • manage AI-related risks: as AI becomes more embedded in cyber defence, firms must understand the risks, ensure proper governance, and address any vulnerabilities in AI-driven tools both internally and in key elements of their supply chain
  • prepare for new legislation: begin aligning infrastructure and governance with the expected requirements of the Cyber Security and Resilience Bill.

By embedding resilience considerations into their approach, internal audit can support and challenge the effectiveness of cyber resilience activities across firms, protecting critical services, ensuring regulatory expectations are met, and maintaining trust in an increasingly digital financial system.

While the March 2025 regulatory deadline for operational resilience implementation has passed, firms need to maintain and enhance their resilience capabilities in the long term. This isn’t a static compliance exercise, but a continuous process to prevent, respond to, and recover from operational disruptions.

Recent events, including the Scattered Spider cyber-attacks, have underscored the importance of operational resilience as a strategic priority and the need to link key aspects of resilience together effectively, for example operational resilience, cyber resilience and supply chain oversight. Firms must shift from implementation to integration while embedding resilience by design for all systems, processes, and third-party arrangements to ensure continuity of critical business services.

Achieving this requires more than a robust control environment. It demands a culture that supports proactive risk identification, open challenge, and continuous improvement. Internal audit functions play a central role in providing assurance over the effectiveness of these frameworks, how they’re being maintained and operated, and identifying areas for enhancement.

What should happen now?

For internal audit, the focus needs to shift from implementation to resilience by design, ensuring the necessary cultural change to support ongoing compliance.

Internal audit, risk, and operations teams should now focus on:

  • stress and scenario testing: go beyond historical scenarios. Use severe but plausible forward-looking threats to test the firm’s ability to respond and recover. This should draw on learnings from previous testing and real-world events and be much more than table-top exercises
  • learning from experience: draw insights from internal incidents, industry events, and regulatory feedback. Use root cause analysis and horizon scanning to stay ahead of emerging risks
  • data and governance: ensure the firm has high-quality data and strong governance to track and monitor critical services (especially as the external environment and firms’ business models evolve).

By taking a forward-looking approach firms can ensure operational resilience becomes a dynamic capability, ready to adapt, respond, and recover in an increasingly complex risk environment.

Critical third party (CTP) requirements took effect in January, aiming to “manage risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to regulated firms and FMIs”. Complementing regulators’ existing approaches to operational resilience and third-party risk management, the regime recognises the increased risks that critical third parties present. As such, the regime raises the bar around technology, cyber resilience, change and incident management, risk management and governance with direct oversight from the BoE, PRA, and FCA.

It’s also important to note the pending outcome of the Basel Committee on Banking Supervision (BCBS) consultation, Principles for the sound management of third-party risk. These principles aim to improve banks’ ability to withstand, adapt to and recover from business disruption, given the growing complexity of – and dependence on – third-party arrangements.

In parallel, the PRA is consulting on new requirements for firms to report operational incidents and material third-party arrangements. This consultation, expected to conclude later this year, is designed to strengthen the UK’s operational resilience framework and ensure regulators have timely visibility of incidents that could impact financial stability. It also reinforces the importance of robust incident notification processes as part of broader third-party risk management.

What should happen now?

Internal audit needs to ensure the firm is approaching the CTP regime as an integral tool to support financial stability, reduce concentration risk and improve operational resilience. This includes setting clear expectations for risk management, supply chains, operational dependencies and greater collaboration with regulators.

The Treasury will designate which organisations count as critical third parties, bringing a number of organisations into the FCA and PRA’s regulatory perimeter for the first time. As such, internal audit needs to make sure the firm understands its obligations, and how to demonstrate effective risk management and compliance.

Taking a broader view, the BCBS principles form an essential benchmark for banks and supervisory bodies to manage and mitigate third-party risk. Although aimed at larger, international banks, there are still underlying themes and approaches that individual firms can adopt to inform good practice.

Sector-specific priorities

Banking

Key developments

In April, BCBS updated its Principles for the Management of Credit Risk (BCBS 595) to improve alignment with the wider Basel Framework. This was long overdue, and follows the original version published in 2000. The fundamental approach remains the same, looking at: the credit risk environment; a sound credit-granting process; effective credit administration, measurement and monitoring; controls, and the role of supervisors.

A significant difference is the shift towards a data-driven approach, drawing on AI, machine learning and data analytics to identify and manage credit risk. This focus on technology reflects more modern and robust techniques for credit risk management, and boosts model risk capabilities. The updated document also places greater emphasis on governance, with more information available for robust oversight and decision-making processes.

In addition, the PRA published a Dear CFO letter in April covering prudential expectations for significant risk transfer financing. This addressed how firms apply Article 299(2)(c) of the UK CRR on collateral eligibility for securities financing transactions (SFTs). The regulator asked relevant firms to respond with further information on existing policies, procedures and potential enhancements.

What should happen now?

  • Recognising that BCBS 595 is an international standard, prompt adoption can support financial stability and align cross-border activities. As such, internal audit teams can start with a gap analysis against credit risk management frameworks and the updated guidance. Key considerations include current and potential use of AI, data analytics and machine learning to support decision making, modelling and credit risk management. While these technologies aren’t explicitly referenced in the updated BCBS 595, they’re increasingly relevant to modern risk practices. Firms should assess how existing tools align with supervisory expectations and where enhancements may be needed to support governance, transparency and model risk oversight. This includes reviewing the inventory of AI/ML models in use, evaluating data governance and validation processes, and identifying any gaps in explainability or supervisory transparency.
  • Assessment of the updated rules determining how firms can value and use collateral in counterparty credit risk. Firms will need to assess, and potentially update, current policies, frameworks and reporting practices to reflect evolving regulatory interpretations, including those outlined in the PRA’s Dear CFO letter. This may involve reviewing how Article 299(2)(c) of the UK CRR is applied in practice, and whether eligibility criteria and valuation methods are sufficiently robust.
  • Governance and oversight remain central themes. Firms should map their decision-making processes to the updated principles, ensuring that board-level visibility and challenge mechanisms are in place. Internal audit can play a key role in identifying where enhancements are needed to strengthen oversight and ensure alignment with supervisory expectations.

For firms in scope of the PRA’s work on significant risk transfer financing, it’s important to continue to develop good practice. This includes putting proposed measures into action and proactively addressing regulatory concerns across the sector. The PRA may engage in further discussion with individual firms or through sector-wide communications.

Key developments

The UK’s approach to financial stability continues to evolve, with the Resolvability Assessment Framework (RAF) forming a key part of ensuring that major banks can be resolved without disrupting critical services or risking public funds. Developed by the BoE and the PRA, the RAF sets clear expectations for how firms should demonstrate their readiness for resolution.

Rather than treating resolvability as a one-off compliance task, firms are expected to embed resolution planning into their day-to-day operations, so that it is ready to be put into action at any time. This includes identifying and removing barriers to resolution, testing operational capabilities, and ensuring that their preferred resolution strategy (whether bail-in or partial transfer) can be executed effectively.

Last year’s resolvability assessment showed that firms are making progress, with resolution planning increasingly integrated into governance and risk frameworks. However, the BoE has emphasised that resolvability must be maintained over time, adapting to changes in business models, market conditions, and regulatory expectations. It also highlighted the need for improvements around valuations in resolution, asking larger banks to run a scenario in this space ahead of the 2026 submission.

What should happen now?

With resolvability now embedded in the UK’s financial stability framework, firms must treat it as a continuous responsibility – integrated into governance, risk, and operational planning. To support this, internal audit, finance, and resolution planning teams should:

  • maintain resolvability – keep resolution plans up to date and ensure they reflect any material changes in structure, operations, or risk profile
  • test and assure key capabilities – regularly test areas such as liquidity mobilisation, continuity of access to financial market infrastructure, and communications planning, supported by independent assurance
  • meet disclosure requirements – publish clear, accessible summaries of resolvability assessments to support transparency and market discipline
  • work with regulators – maintain open dialogue with the PRA and BoE, and be prepared to adapt to evolving expectations or changes in reporting timelines
  • engage with an independent valuer – for banks in scope of the valuation in resolution element of the RAF 2026 test.

By embedding resolvability into core frameworks, firms can demonstrate preparedness, protect critical services, and contribute to the resilience of the wider financial system.

Key developments

In July, the FCA published a Policy Statement (PS25/11), setting out the first steps in its Mortgage Rule Review. These reforms aim to simplify the mortgage market, enhance competition, and align more closely with the Consumer Duty. The changes are designed to:

  • make it easier for customers to engage in interactive dialogue with mortgage providers without automatically triggering regulated advice
  • introduce greater flexibility in affordability assessments, particularly when customers reduce their mortgage term or remortgage with a different lender
  • retire outdated guidance (FG13/7 and FG24/2), reducing regulatory burden on firms.

These changes are permissive and took effect immediately upon publication.

The reforms are part of a broader strategy to support sustainable home ownership and economic resilience. In a speech accompanying the original consultation (CP25/11), the FCA’s Director of Retail Banking highlighted how these changes can promote informed risk-taking and market accessibility.

To continue this conversation, the FCA published Discussion Paper DP25/2 in June 2025, which remains open for feedback until 19 September 2025. It explores the future of the mortgage market, including potential rule changes and the trade-offs involved.

What should firms do now?

Internal audit and compliance teams should:

  • review PS25/11 to assess how the new rules impact current advice models, affordability assessments, and customer engagement processes
  • update internal procedures to reflect the withdrawal of FG13/7 and FG24/2
  • clarify what constitutes mortgage advice under the new framework and ensure staff are trained accordingly
  • encourage ongoing dialogue with consumers while maintaining clarity around execution-only sales
  • monitor developments in DP25/2 and prepare to contribute to the consultation process.

Key developments

UK regulators are continuing to reshape the reporting landscape, aiming to reduce complexity and support sustainable growth. The latest Regulatory Initiatives Grid reflects a coordinated effort to ease the compliance burden while maintaining effective oversight.

Key priorities include:

  • limiting new regulatory measures to avoid unnecessary disruption
  • simplifying existing frameworks to make them more accessible and proportionate
  • reducing reporting requirements where data duplication or limited value has been identified.

A major step forward is the launch of MyFCA, a new digital portal designed to give firms easier access to reporting obligations and guidance. Alongside this, the FCA has introduced a new regulatory return for consumer credit firms, replacing elements of the legacy CCR002 and CCR007 returns. The new return is more structured, uses familiar industry language, and focuses on key areas such as permissions, business models, marketing, income, and staffing.

In parallel, the PRA has published PS6/25, which introduces important updates to liquidity reporting and branch return requirements. These include:

  • deletion of Supervisory Statement SS1/17, with relevant content now consolidated into an updated SS5/21
  • liquidity metrics: firms must report summary LCR (Liquidity Coverage Ratio) and NSFR (Net Stable Funding Ratio), with alignment to Home State Supervisor (HSS) reporting permitted. The PRA may also request more frequent or granular data under stress scenarios
  • branch return revisions: the implementation date has been moved to 1 March 2026, with first reporting due 30 June 2026 – the revised return simplifies data requirements, removes routine reporting of transactional deposits, and focuses on instant access deposits and customer counts.

What should happen now?

As UK regulators move to simplify and modernise the reporting landscape, firms must take early, practical steps to adapt to new expectations and ensure readiness for upcoming changes, particularly around the new consumer credit return, MyFCA portal, and liquidity/branch return updates.

To support a smooth transition, internal reporting, compliance, and data teams should:

  • review the structure and requirements of the new consumer credit return
  • assess internal data collection processes to ensure they align with the new format
  • use the MyFCA portal to access guidance and support materials
  • identify and address any data gaps to ensure readiness for the new reporting cycle
  • review and update internal policies, controls, and reporting processes in line with PS6/25
  • engage proactively with PRA supervisors to clarify expectations
  • begin preparations for the first revised Branch Return submission in mid-2026.

Over time, the FCA aims to retire legacy returns entirely, reducing ad hoc data requests and creating a more predictable reporting environment.

Key developments

The regulatory focus on market abuse and financial crime continues to sharpen, particularly in light of evolving risks in crypto markets and the role of organised crime in insider trading. UK regulatory reform will also start to have an impact in the second half of this year.

In the EU, ESMA has published final guidelines for supervising market abuse under the Markets in Crypto-Assets Regulation (MiCA). These guidelines, aimed at national regulators, promote consistent supervision and reflect the unique challenges of crypto markets, including decentralised platforms, social media influence, and cross-border activity. While not directly addressed to firms, the guidance signals a clear direction: more active oversight is coming, and firms need to be prepared.

In the UK, the FCA issued a consultation paper on proposed rules for firms issuing stablecoins or undertaking cryptoasset custody at the end of May 2025. A discussion paper on regulating cryptoasset activities was also published in May and consultation on conduct standards is expected in Q3 2025. The FCA is due to publish policy statements on general firm conduct and standards for cryptoassets, including financial crime standards, by 2026.

More broadly, financial crime remains a key area of focus for the FCA, as set out in its five-year strategy published in April 2025. It has recently reinforced its priorities on financial crime through a speech by its joint executive director of enforcement. Key concerns include:

  • the role of organised crime groups in insider trading, often involving insiders within financial institutions
  • weaknesses in handling inside information, particularly around leaks and disclosures in M&A activity
  • expanding surveillance across fixed income, currencies, and commodities markets.

In line with the Government’s general statements about regulatory reform, the Treasury’s Professional and Business Services Sector Plan sets out its intention to reform the UK Money Laundering Regulations by the end of 2025. The Treasury has pledged to:

  • introduce a package of changes to the MLRs before the end of 2025
  • encourage the use of digital identity to streamline client due diligence and verification processes
  • clarify guidance for regulated sectors in relation to the MLRs, based on recent consultation.

The results of the Treasury’s consultation on the MLRs point to some specific areas of change: mandatory EDD on transactions and counterparties in FATF high-risk third countries will be restricted to countries subject to a ‘call to action’ (currently Iran, Myanmar, and North Korea); and all trust and companies services providers’ activities will be in-scope for the regulations. In the shorter term, the SAR reporting threshold will rise from £1,000 to £3,000 from 31 July 2025.

In other news, the 2025 UK National Risk Assessment for money laundering and terrorist financing has just been published. Traditional banking activities in the UK remain high risk for money laundering, with money laundering through property a noted risk. Other changes include the risk of wealth management fostering terrorist financing rising from low to medium; risk levels for EMIs and PSPs rising for both money laundering and terrorist financing; and money laundering risk for crypto-assets rising to high, as the typologies associated with digital assets become clearer.

The FCA is also preparing to consult on reforms to transaction reporting, following its 2024 discussion paper; and has indicated it will launch a review of firms’ cash deposit controls, across all channels, in the second half of 2025. Finally, the new failure to prevent fraud (FPTF) corporate criminal offence in ECCTA 2023 goes live on 1 September 2025, by which point firms should have completed their initial risk assessment and should have a view as to whether or not any control enhancements are required to provide them with a defence of ‘reasonable procedures’.

What should happen now?

To stay ahead of evolving expectations, internal audit, legal and surveillance teams should consider the following actions:

  • Crypto market participants should review their surveillance and control frameworks in light of ESMA’s direction, and the topics raised in the various FCA consultation papers, particularly around transparency and cross-border risks
  • All firms should ensure they have strong governance, training, and escalation procedures in place to manage inside information and prevent market abuse
  • Firms involved in M&A or trading in fixed income and commodities should expect increased scrutiny
  • Prepare for changes to transaction reporting by reviewing current processes and ensuring data quality and completeness
  • Firms should consider if/how they’re using digital identities and whether they have robust controls in this area
  • Firms should consider independent assurance on FPTF preparations to date
  • Firms which deal in cash should review their controls to make sure that they are fit for purpose, in advance of any FCA review

By reinforcing controls and anticipating regulatory shifts, firms can reduce exposure to misconduct risk and demonstrate a proactive stance on market integrity.

Capital Markets and Asset Management

Key developments

The BoE has launched its fourth supervisory stress test (SST) for UK central counterparties (CCPs), aimed at assessing their resilience in the face of severe market disruption. This year’s exercise focuses on credit risk with the simultaneous default of two or more clearing members, using a scenario calibrated to a one-in-3,500 probability event.

The test applies market shocks to positions and prices as of 26 March 2025, with CCP resources held constant. All three UK-authorised CCPs are participating, with all clearing services in scope. While a full liquidity stress test isn’t included, the BoE will engage qualitatively with firms to explore liquidity risks and how they’ve evolved since the last round.

The SST also includes sensitivity and reverse stress testing, exploring more extreme scenarios and breaking historical correlations to better understand systemic vulnerabilities.

The BoE will publish its results in Q4 2025.

What should happen now?

With the SST now underway, CCPs, clearing members, and other stakeholders should take coordinated steps to ensure readiness and alignment with supervisory expectations.

To support this, risk, treasury, and regulatory reporting teams should:

  • ensure accurate and timely data submission – CCPs must align with the BoE instructions and review internal risk frameworks to ensure consistency with the test’s severity and assumptions
  • assess clearing member exposures – clearing members should evaluate how the stress scenario could impact margin requirements, default fund contributions, and broader liquidity positions
  • engage with qualitative elements – while a full liquidity stress test isn’t included, firms should be prepared to discuss evolving liquidity risks and mitigation strategies with the BoE
  • monitor supervisory communications – stay alert to updates ahead of the Q4 results and be ready to respond to any follow-up expectations or policy developments.

By actively engaging with the SST process, firms can strengthen their own risk management practices and contribute to the resilience of the wider financial system.

Key developments

The BoE continues to refine its expectations for CCPs, with a particular focus on how margin practices can influence broader market stability. In a recent speech, the deputy governor emphasised the need for CCPs to manage margin requirements in a way that isn’t only risk-sensitive, but also cost-effective and stable during periods of market stress.

Initial margin models should be assessed across three dimensions: how well they cover risk, how costly they’re over time, and how they respond to volatility. Poor performance across these areas can create systemic vulnerabilities. The BoE expects CCPs to calibrate their models accordingly and to engage constructively with clearing members to improve transparency and predictability.

The BoE’s system-wide exploratory scenario (SWES) revealed mismatches between CCPs’ and clearing members’ margin projections (sometimes overestimating, sometimes underestimating) highlighting the need for better alignment. In response, it will begin implementing recommendations from the BCBS-CPMI-IOSCO 2022 report on margining practices.

Separately, concerns remain around the resilience of the gilt repo market. The Financial Policy Committee has endorsed further work in this area, with a discussion paper expected later this year exploring reforms such as increased central clearing and minimum haircuts on non-centrally cleared repos.

What should happen now?

With margin practices under increasing scrutiny, CCPs and market participants should take proactive steps to align with supervisory expectations and prepare for potential reforms.

To support this, risk, treasury, and clearing teams should:

  • recalibrate margin models – CCPs should review and, where necessary, adjust their models to ensure they balance risk coverage, cost efficiency, and stability under stress. This should also consider the use of portfolio margining and whether this, while sensible at an individual level, creates risks at a system-wide level
  • enhance transparency – improve communication with clearing members around margin methodologies to reduce uncertainty and support predictability
  • prepare for gilt repo reforms – market participants active in the gilt repo space should monitor developments and assess how potential changes, such as increased central clearing or minimum haircuts, may affect their operations
  • align with international standards – all firms should assess their practices against BCBS-CPMI-IOSCO recommendations and strengthen internal modelling and scenario analysis capabilities.

By addressing these areas, firms can reduce systemic risk, improve operational resilience, and support the stability of the wider financial system.

Key developments

The FCA has published findings from its latest review of business models among smaller asset managers and alternative investment firms. The review builds on its 2022 supervisory strategy and aims to identify practices that could pose risks to consumers.

While many firms demonstrated sound governance and compliance, the FCA identified several areas requiring improvement:

  • Some firms lacked robust investor assessment processes or misunderstood the regulatory requirements for categorising and marketing high-risk investments
  • Although good practices were observed, some firms had weak controls around conflicts of interest, particularly where senior staff held multiple roles
  • While most firms had taken steps to embed Consumer Duty, others were still working on good practices and embedding it into their business as usual processes

Although the review focused on smaller firms, the FCA noted that the findings are equally relevant to larger firms and expects all market participants to reflect on the outcomes.

What should happen now?

The FCA’s findings offer a timely prompt for internal audit, regardless of the firm’s size, to reassess how well their business models align with regulatory expectations and evolving consumer standards. Key activities include:

  • conduct a targeted review of investor onboarding and categorisation processes, ensuring they’re fit for purpose, especially where high-risk investments are involved
  • ensure financial promotions processes are operating effectively and particularly in respect of marketing high-risk investments
  • reinforce conflict of interest controls, with particular attention to governance structures where individuals hold multiple roles, and where there’s potential for customer harm from unfair allocation of investment opportunities. Clear documentation and regular reviews should be standard practice. This is particularly important for firms with less straightforward operating and business models
  • revisit Consumer Duty implementation, moving beyond policy statements to tangible evidence of how customer outcomes are being measured, monitored, and improved
  • empower compliance and risk functions to challenge business decisions constructively, ensuring that governance isn’t only formalised but also effective in practice
  • use the FCA’s examples of good and poor practice as a benchmarking tool, identifying areas for improvement and embedding lessons learned into day-to-day operations.

By taking these steps now, firms can demonstrate a proactive approach to supervision and build more resilient, customer-focused business models ahead of further regulatory scrutiny.

Key developments

The FCA’s updated Money Laundering Through the Markets (MLTM) Review, published in January this year, flagged examples of current good practice but also made clear where it felt that market participants’ controls still need improvement, including in relation to transaction monitoring, customer risk assessment and information-sharing. 

The detailed work for the updated MLTM Review focused on wholesale brokers and was backed up by a Dear CEO letter, covering issues relating to financial crime as well as prudential risk management and broker misconduct and remuneration. The letter set out the FCA’s strategy for supervising the sector over the next two years and made clear wholesale broking firms can expect some intensive scrutiny.

Despite its focus on wholesale broking firms, the FCA has been at pains to stress that the observations and good and bad practice examples in the MLTM Review are relevant for all firms active in capital markets.

Other broader regulatory changes, including planned reforms to the UK Money Laundering Regulations, the new failure to prevent fraud offence – which goes live on 1 September 2025 – and the updated UK National Risk Assessment (see the section above on banking for further details) are also relevant to capital markets and asset management.

What should happen now?

The MLTM Review provides a helpful prompt to firms to review their financial crime controls in relation to market activities and to carry out a gap analysis in relation to the good practice and remaining issues the FCA has identified, as well as staying ahead of other regulatory changes. Key activities include:

  • reviewing the design, documentation and application of customer risk assessment controls
  • considering how well existing transaction monitoring controls meet capital markets needs and whether there could be more useful integration between transaction monitoring and market abuse teams
  • reviewing information-sharing on financial crime matters, both inside the firm and with other market participants, including how well you’re making use of new provisions in ECCTA 2023
  • firms should consider if/how they are using digital identities and whether they have robust controls in this area
  • firms should consider whether their risk assessments and controls need adjusting in relation to the updated UK National Risk Assessment
  • firms should consider independent assurance on FPTF preparations to date.

Insurance

Key developments

The FCA is proposing a series of reforms aimed at simplifying insurance regulation, particularly for commercial customers and bespoke products. Consultation Paper CP25/12 outlines changes designed to reduce unnecessary complexity while maintaining appropriate consumer protections.

Key proposals include:

  • narrowing the application of the Consumer Duty to commercial insurance policyholders
  • allowing co-manufacturers to designate a lead firm responsible for product governance under PROD 4
  • broadening exemptions for bespoke non-investment insurance contracts to apply to both insurers and intermediaries
  • removing the 12-month minimum product review cycle for non-investment insurance and replacing this with a risk-based approach
  • eliminating notification and annual reporting requirements for employers’ liability insurance
  • scrapping the 15-hour CPD requirements that resulted from the implementation of the Insurance Distribution Directive.

The FCA is also exploring future reforms, including exemptions relating to conduct rules applied to insurance business conducted outside the UK. Feedback is imminent, with final rules expected to take effect immediately upon publication.

What should happen now?

The FCA’s proposed reforms offer firms a chance to streamline some processes and refocus resources. Key activities for internal audit include:

  • understanding where current practices may shift, particularly in areas like product governance, reporting, and training
  • reassessing internal policies and procedures, especially for bespoke and commercial lines, to take advantage of proposed exemptions and reduced regulatory burdens.

By taking a proactive approach, firms can ensure compliance and also unlock efficiencies and competitive advantages in a more flexible regulatory environment.

Key developments

The International Association of Insurance Supervisors (IAIS) has published a new application paper offering practical guidance on integrating climate-related risks into insurance supervision. Rather than introducing new rules, the paper builds on existing Insurance Core Principles (ICPs), helping supervisors and insurers embed climate considerations into governance, risk management, valuation, investment, and disclosure practices.

The paper reflects the growing impact of climate change on financial stability and consumer protection and encourages both qualitative and quantitative scenario analysis to assess exposure. It also supports consistent global supervisory practices and highlights the importance of macroprudential oversight and group-level coordination.

What should happen now?

With climate risk now recognised as a core financial and supervisory concern, insurers should take practical steps to align with the IAIS guidance and strengthen their climate risk frameworks. To support this, internal audit could:

  • review the IAIS application paper – assess how climate risks are currently integrated into governance, investment strategies, and risk management, and identify areas for improvement
  • enhance scenario analysis – develop both qualitative and quantitative tools to model climate-related exposures and inform long-term planning and capital adequacy
  • engage with supervisory expectations – stay informed on IAIS-led initiatives and participate in upcoming public sessions to support consistent, coordinated supervision.

By embedding climate risk into core decision-making processes, insurers can improve resilience, meet evolving regulatory expectations, and contribute to global financial stability.

Key developments

The European Insurance and Occupational Pensions Authority (EIOPA) has launched a sector-wide survey to understand how generative AI (GenAI) is being adopted across the EU insurance market. The initiative aims to gather insights into current and planned use cases, as well as the governance and risk management frameworks firms are putting in place.

Unlike traditional AI, GenAI presents unique challenges, such as rapid evolution, automation potential, and implications for consumer protection. EIOPA’s goal is to ensure supervisory approaches keep pace with innovation while maintaining robust oversight.

What should happen now?

The launch of EIOPA’s GenAI survey presents a timely opportunity for insurers to take stock of their AI strategies and governance. Whether actively deploying GenAI or still in the exploratory phase, firms should use this moment to strengthen their foundations:

  • Map current and planned GenAI use cases, identifying where these tools are being applied or considered – particularly in high-impact areas like underwriting, claims automation, and customer interaction
  • Review governance and risk frameworks, ensuring they’re equipped to handle the unique characteristics of GenAI, including its speed of evolution, data dependencies, and ethical implications
  • Establish clear accountability structures, with defined roles for oversight, model validation, and incident response, especially where GenAI outputs influence customer outcomes
  • For firms not yet using GenAI, this is a chance to begin structured exploration, balancing innovation with a clear-eyed view of operational, reputational, and regulatory risks

By engaging early and thoughtfully, firms can help shape supervisory expectations while building trust and resilience into their GenAI strategies.

Key developments

The PRA is continuing its work to refine the UK’s Solvency II framework, now commonly referred to as Solvency UK. A key area of focus is how external credit ratings are mapped to credit quality steps (CQS) for capital requirement calculations—an essential component for insurers using the standard formula to assess credit risk.

Originally scheduled for implementation by July 2025, the PRA has now confirmed that the final policy will be delayed, with changes not expected before January 2026. This follows its October 2024 consultation (CP13/24), which proposed restating the relevant EU regulation within the PRA Rulebook as part of broader efforts to localise post-Brexit regulation.

What should happen now?

The delay in implementing updated CQS mappings offers insurers a strategic opportunity to get ahead of the curve. Rather than waiting for final rules, firms should use this time to strengthen their readiness and reduce the risk of disruption:

  • Build flexibility into capital planning by modelling a range of potential CQS outcomes and assessing their impact on solvency positions and investment allocations
  • Enhance data governance and systems readiness, ensuring that internal processes can adapt quickly once the final methodology is confirmed
  • Use the extended timeline for scenario testing, identifying any operational or compliance gaps that could arise under different mapping assumptions
  • Ensure internal credit rating functions are fully engaged with the changes and are actively working with Matching Adjustment (MA) teams to ensure consistency and compliance with the updated framework
  • Stay actively involved in the consultation process, using feedback opportunities to shape the final policy and gain early insight into likely changes

By treating the delay as a preparation window rather than a pause, firms can position themselves to respond with agility and confidence when the new rules take effect. For most, the change isn’t expected to be disruptive — many already use mapping or averaging tables, and this update simply adjusts the inputs to those frameworks.

Key developments

The bulk purchase annuity (BPA) market continues to grow rapidly, prompting the PRA to sharpen its supervisory focus. In a recent speech, Gareth Truran, Executive Director of Insurance Supervision, outlined the regulator’s priorities for overseeing this expansion.

To support the volume of transactions, the PRA has created a dedicated team to manage Matching Adjustment (MA) permissions, enabling faster engagement with insurers. Firms are increasingly using new flexibilities to include assets with highly predictable cashflows, within their MA portfolios.

However, the PRA is also closely monitoring emerging risks:

  • Solvency-triggered termination rights in buy-in contracts are under scrutiny due to their potential to introduce balance sheet volatility and operational complexity
  • Funded reinsurance remains a concern, with the PRA observing signs of weakening collateral standards despite previous guidance

The regulator has made clear that it will intervene if necessary to maintain prudential standards.

What should happen now?

As BPA volumes remain at record levels and regulatory scrutiny intensifies, insurers should adopt a strategic approach to managing both operational complexity and emerging risks:

  • Embed resilience into transaction planning, ensuring that risk frameworks can scale with deal volume and complexity without compromising control or oversight
  • Stress test contractual features, particularly solvency-triggered termination clauses, to understand how they behave under adverse conditions and to identify appropriate mitigants
  • Reinforce oversight of funded reinsurance, with a focus on maintaining high collateral standards and ensuring that governance processes can detect and respond to any deterioration
  • Establish clear protocols for engaging with the PRA, especially when introducing novel asset types or structural innovations, to ensure alignment and avoid delays

By proactively addressing these areas, firms can maintain momentum in the BPA market while safeguarding prudential integrity and regulatory confidence.

Key developments

The current geopolitical situation means that potential sanctions breaches remain a rapidly evolving and important risk for the insurance markets, particularly in higher risk sectors such as maritime. For general insurers, the lack of any formal regulatory requirement to establish the beneficial ownership of counterparties (as set out in the UK Money Laundering Regulations, for instance) means that they can have limited visibility into the true nature of their risk exposure. This is particularly acute in high-risk sectors such as maritime, where sanctions evasion tactics are increasingly sophisticated and harder to detect.

In addition to sanctions risks, other broader regulatory changes, including planned reforms to the UK Money Laundering Regulations, the new failure to prevent fraud offence, which goes live on 1 September 2025, and the updated UK National Risk Assessment (see the section above on banking for further details) are also relevant.

What should happen now?

Firms should ensure that the design and application of controls in relation to sanctions are subject to regular review, as well as staying ahead of other relevant regulatory changes. Key activities include:

  • firms should consider the effectiveness of their sanctions screening and broader sanctions due diligence
  • firms should consider if/how they’re using digital identities and whether they have robust controls in this area
  • firms should consider independent assurance on FPTF preparations to date
  • firms should consider whether their risk assessments and controls need adjusting in relation to the updated UK National Risk Assessment.

Events schedule

Upcoming events

Our in-person and virtual events will put you in touch with our technical teams who have already undertaken engagements and gained valuable experience in these areas. We do hope you can join us.

Event 1

Grant Thornton Financial Services Heads of Audit Symposium Series – October 2025

  • Mid-Market Banks and Building Societies | October 2025 | 16.00 - 18.30
  • Insurance and Investment Management | October 2025 | 16.00 - 18.30


Event 2

Grant Thornton CPD technical update webinar

Payments regulation: What to expect in 2025 and beyond 

The payments industry is undergoing significant regulatory change. Join our experts as we discuss the key regulatory updates, trends and practical.

  • Wednesday 24 September 2025 | 10.00am – 11.15am