Our quarterly internal audit hot topics provides a thematic view of new and emerging regulatory risks across the financial sector. Get in touch if you would like to discuss any of the topics below.

Regulatory priorities

Internal audit risk radar

Our risk focus radar is a combination of our view of key priorities and an extract from the UK Regulatory Initiatives Grid (where key milestones or formal engagement is planned), representing the risks and key priorities raised by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and leading UK regulatory bodies.

We identify the risk priorities at a glance for the four key sectors, segmented by time horizon and risk themes to support audit planning and forecast upcoming requirements.

Cross sector

The geopolitical environment continues to prove challenging and affects business strategies across the financial sector. Ongoing political tensions present significant issues for all businesses, and sanctions management remains a concern. It’s also essential to consider how international tensions may affect trade, business strategy and operational resilience.

While there have been three interest rate cuts this year, the base rate remains relatively high at 4%, with CPI inflation at around 3.8%. Inflation is forecast to remain above the Bank of England’s 2% target, but a softening in economic indicators (as illustrated by a higher-than-expected unemployment rate of 5%) means the decision to change the rate further is finely balanced. The recent budget included changes for businesses such as updates to the tax treatment of salary sacrifice pension contributions, minimum wage increases and the extension of the freeze on income tax thresholds, which could prove a key juncture for the UK economy.

What should happen now?

In response to potential macroeconomic shocks, firms should consider the impact of interest rate changes on business models, pricing and valuations and liquidity risk under scenarios where credit conditions tighten. Other considerations include:

  • the impact on scenario analysis, business continuity processes and supply chain disruptions
  • financial crime controls, particularly around sanctions monitoring
  • cyber security processes, including critical services.

Firms may also need to consider changes in business hiring patterns, consumer spending and how they continue to identify (and offer additional support to) vulnerable customers. 

Cyber security remains a priority this year, following major cyber-attacks on the retail and manufacturing sectors. This includes a breach at a high-profile automotive company, which the Cyber Monitoring Centre cites as "the single most financially damaging cyber event ever to hit the UK", worth an estimated £1.9 billion. Meanwhile, ransomware from the Scattered Spider group halted online orders for a major UK retailer, with losses of about £300 million. In both cases, arrangements with third-party service providers appear to have been manipulated or exploited in the cyber-attack. This is an ongoing trend, with Verizon noting that 30% of breaches in 2024 leveraged a third-party relationship, double that of the previous year.

With this in mind, it's no surprise that the IIA has chosen cyber security and third-party risk management as its first and second topical requirements, with organisational resilience currently under consultation. These requirements form an integral part of the IIA's International Professional Practices Framework (IPPF), aiming to standardise audit practices and create a minimum baseline to assess governance, risk management and control. 

What should happen now?

Effective cyber security must be embedded across the firm, with all individuals and teams across all three lines of defence recognising their individual roles and responsibilities. Senior management must support individuals and teams by setting an appropriate culture around cyber security, backed by sufficient training and risk management approaches, in line with emerging threats. 

When these areas are included in the internal audit plan, firms need to follow the new topical requirements, as follows:

  • Cybersecurity, effective 5 February 2026 – to include a formal cyber security strategy and objectives, policies, roles and responsibilities, response activities and ongoing monitoring
  • Third-party risk, effective 15 September 2026 – to include a formal approach to determine whether or not to contract with a given third party; identifying, analysing, ranking, monitoring and prioritising threats; and a robust due diligence process
  • Organisational resilience, likely effective from early 2027 – to include a formal board-approved strategy, identification of critical services, an incident command structure, and ongoing monitoring and testing

The Economic Crime and Corporate Transparency Act came into force in September, introducing the new failure to prevent fraud offence. This makes in-scope firms criminally liable if an associated person (including an employee, agent or contractor) commits fraud that benefits the organisation or its clients. It applies to organisations with two or more of the following criteria:

  • turnover greater than £36 million
  • a balance sheet of more than £18 million
  • over 250 employees.

In the event of fraud, firms need to demonstrate that they had ‘reasonable procedures’ to prevent it, including a clear definition of ‘associated persons’, a sufficient understanding of their exposures, and evidence of robust controls. Other key considerations include decentralisation risks, and territoriality to identify exposures where the UK operations could inadvertently enable overseas fraudulent activity (noting that a UK nexus is integral to the offence). It’s also important to highlight the interaction with Consumer Duty, recognising that severe misrepresentation of financial products or services could, theoretically, constitute fraud.

Alongside the above, regulators are putting firms under greater scrutiny over their financial crime controls. HMT’s Anti-Money Laundering and Counter-Terrorist Financing Supervision Report, published in March, noted that 10% of all supervised firms were subject to desk-based reviews or site visits in 2023-24, compared to 6% the previous year. Across all supervisors, 1,227 enforcement fines were issued in 2023-24, compared to just 614 in 2021-22 – highlighting that many firms are still not meeting the expected standards.

What should happen now?

To support the above, internal audit needs to ensure the firm has:

  • clearly communicated anti-fraud processes, with up-to-date policies and procedures
  • appropriate general and targeted training
  • effective procedures to identify and assess financial crime risk
  • a fraud prevention plan to mitigate risks, with an emphasis on due diligence
  • ongoing monitoring and appropriate oversight.

Last year’s UK Corporate Governance Code introduced a revised Provision 29, requiring firms to report on their material controls. While the concept itself is nothing new, the prescriptive reporting and disclosure requirements mark a significant shift in regulatory expectations. 

For financial years beginning on or after 1 January 2026, boards must monitor their firm’s risk management and internal control systems, including all material controls, with an annual review of their effectiveness. This extends to material controls across finance, operations, reporting and compliance.

Boards must now also disclose in their annual reports: 

  • how they’ve monitored and reviewed the effectiveness of the control framework
  • a declaration of the effectiveness of material controls as at the balance sheet date
  • any material controls that weren’t operating effectively at that date
  • actions taken or proposed to address those deficiencies
  • updates on any previously reported issues.

Firms also need to gain attestation over these controls, which will be familiar to those subject to US SOX (for financial material controls). Firms not subject to US SOX will face a greater journey to implementation.

What should happen now?

The most immediate challenge is defining what constitutes a material control. Internal audit should refer to the FRC’s guidance, which describes material controls as those relating to principal risks; these are likely to encompass:

  • risks that might threaten the firm’s business model, future performance, solvency, liquidity and/or reputation
  • external reporting that is price sensitive or that could lead investors to make investment decisions
  • fraud, including the override of controls
  • information and technology risks, including cybersecurity, data protection and AI.

Internal audit needs robust processes to identify which controls are material, with appropriate assurance processes and controls testing in place to support the board in their attestations. This is particularly important given that company directors must sign off on the robustness of those controls, with personal accountability, and that coverage spans financial, operational and financial crime frameworks.

The Financial Stability Board’s (FSB) annual report on AI Vulnerabilities in Financial Services noted that AI models have become higher performing, at a lower cost, with greater vertical integration across supply chains. With new use cases emerging daily, adoption is on the up, bringing consequently greater considerations over third-party risk management, concentration risks and cyber security. It also notes the potential for AI-driven market correlations, where algorithms use the same market data to reach the same decisions, and the potential for AI to heighten existing systemic risks. As such, the FSB highlights the need for national authorities to embed consistent definitions of AI to support more effective monitoring and supervision across the financial sector.

These concerns are shared by other supervisory bodies, as reflected in ongoing work between the ICO and FCA on supporting AI, innovation and growth in financial services. Recognising that data protection and Consumer Duty are two key barriers to adoption, the regulators are exploring how to provide greater certainty to promote safe growth in this space. Similarly, the PRA noted the emerging risks of AI in its 2025 business plan, with key considerations including the application of model risk management principles, effective operational resilience processes and international consistency to support innovation.

What should happen now?

As a key area of innovation across the sector, internal audit teams need a good understanding of where various teams are applying AI across the firm, with effective controls and oversight in place. Key considerations include:

  • operational resilience processes – including understanding how AI supports critical services, the impact of concentration risk and alternative arrangements to restore services in the event of an outage
  • governance and oversight – to ensure AI is effectively monitored, with clear accountability and escalation processes
  • data management – to ensure data quality, integrity and security
  • model risk management – to make sure all processes follow the PRA’s requirements (as per SS1/23)
  • regulatory compliance – ensuring all AI activity is repeatable, explainable and traceable to support all regulatory requirements
  • Consumer Duty – to ensure AI supports good customer outcomes, with appropriate oversight to prevent foreseeable harm

Most importantly, as AI is an emerging technology, internal audit needs to stay up to date with emerging use cases, risks and regulatory thinking to establish and maintain good practice.

The PRA has updated its climate risk rules via PS25/25 and SS4/25, which replaces SS3/19 from six years ago. Building on CP10/25, the update reflects a more mature climate risk landscape, with emerging standards and more developed capabilities. Maintaining a proportionate approach, the updated rules include:

  • stronger governance expectations with Boards having direct accountability and oversight for climate risk (but crucially, there’s no requirement for a Senior Management Function)
  • greater proportionality, with a focus on the firm’s material climate-risk exposures, rather than firm size
  • better integration into firmwide risk management approaches, such as existing sub-registers and clearer alignment with operational resilience
  • recognition of litigation risk as a key transition channel for climate risk
  • more robust scenario analysis to support real-time decision making across strategy, risk, capital planning and calculations
  • a demonstrable understanding of data limitations (but firms don’t need to explicitly quantify them).

In addition to the above, the new supervisory statement notes a few sector-specific points. For example, it clarifies that insurance firms can capture climate risk within current SCR rules, and internal models should treat climate factors as risk drivers. For banks, the PRA notes that accounting and audit rules still align to climate risk expectations for financial reporting, and ICAAP/ILAAP scenarios may use standard timeframes.

What should happen now?

To get started, firms should carry out a gap analysis against the PRA’s updated expectations with a focus on:

  • board understanding of climate risk, enabling the board to approve materiality assessments and make informed judgements
  • embedding climate-related responsibilities effectively across existing senior management roles
  • enhancing scenario analysis to reflect the firm’s unique risk profile and robustly assess material risks
  • reviewing current data processes, with clearly documented limitations.

Banking and capital markets

The FCA launched its long-awaited redress scheme consultation in October, with final rules due in February or March 2026. It applies to regulated motor finance agreements initiated between 6 April 2007 and 1 November 2024, where lenders paid brokers commission and where the lender-borrower relationship was potentially ‘unfair’. That includes agreements with poorly disclosed discretionary commission arrangements, unduly high commission, and certain contractual ties between the lender and broker.

Redress calculations are more complex than anticipated, with the FCA putting forward three remedies:

  • The annual percentage rate (APR) adjustment remedy – this is the most complex approach, redressing by recalculating the customer’s historical payments using a market-adjusted interest rate
  • The commission repayment remedy – this refunds the commission in full
  • A hybrid remedy – this approach gives an average of the two remedies above

Given the complex calculations and short timeframes for delivery, the FCA allows firms to use informed assumptions to address incomplete data, for example, where the details of the customer loan agreement have been expunged.

In addition to the redress scheme consultation, the FCA issued a Dear CEO letter in October, urging lenders and brokers to make preparations for resolving all motor finance complaints – regardless of the current redress scheme status. The regulator also asked firms to prepare for the proposed scheme, including starting work on identifying impacted customers and determining which cases are in scope.

This has been followed by another Dear CEO letter and PS25/18, announcing that the FCA won’t extend the pause on motor finance leasing complaints, and firms must resume their complaints handling in line with DISP rules. However, all other motor finance related complaints, including those relating to discretionary commission arrangement (DCA) and non-DCA commissions, will be subject to an extended deadline of 31 May 2026 (this could change for complaints falling into scope of the redress scheme).

What should happen now?

Internal audit teams need to consider financial, reputational and operational implications of the redress scheme to ensure it meets the FCA’s requirements. Key challenges include:

  • data – firms must take reasonable steps to identify and extract all available data (including information held by dealers), which may be supported by machine learning and AI to collate structured and unstructured data from a variety of sources
  • resource allocation – the work will require significant, specialist technical skillsets, which many firms may not have in-house
  • financial provisions – some lenders have increased provisions since the consultation, so it’s important to reassess financial forecasts and consider the strategic implications.

Firms continue to implement the near-final Basel 3.1 rules, with a general compliance deadline of 1 January 2027. However, with ongoing uncertainty about the US implementation, the PRA has taken steps to avoid short-term divergence. As such, it’s pushed back the Fundamental Review of the Trading Book’s internal models approach to 1 January 2028. It has also announced market risk simplifications under the Leeds Reforms, namely:

  • a streamlined approach to collective investment undertakings (CIUs) for greater proportionality and to ensure appropriate capitalisation
  • changes to the residual risk add-on (RRAO) for complex asset structures
  • reduced reporting requirements for the internal models approach (to apply from 1 January 2028).

The PRA has also retired the refined Pillar 2A methodology via PS18/25, effective 1 January 2027. This is no longer needed due to improved risk sensitivity in the new credit risk standardised approach. There are additional minor clarifications to the Interest Rate Risk in the Banking Book (IRRBB) and Pension Obligation Risk approaches, to improve transparency and consistency, effective 1 July 2026.

Alongside the above, the PRA has published the near-final policy statement (PS20/25) on the Small Domestic Deposit Takers Regime (SDDT) in October, with a few key changes from the draft policy:

  • Removal of operational risk buckets to assess firms’ capital requirements, in favour of scenario analysis
  • Changes to base add-ons for Pillar 2A credit concentration risk, notably excluding covered bonds
  • Changes to the Pillar 2A cluster limit to improve transparency and risk sensitivity
  • Less frequent Pillar 2A and 2B updates to the ICAAP
  • Simpler capital requirement calculations by deducting specific assets, rather than a threshold-based approach
  • Reduced reporting requirements

Firms have until 31 March 2026 to grant their consent (or intention to consent) to become an SDDT firm on 1 January 2027. Those that don’t will fall under Basel 3.1.

What should happen now?

With the near-final rules now in place for SDDT (subject to the repeal and replacement of CRR), firms can make a more informed decision about which direction to take. This will largely depend on the extent and complexity of their capital requirements, in addition to the ongoing cost of compliance – so sizing these up is a good place to start for firms that are undecided.

Once the direction of travel is clear, firms must ensure they:

  • fully embed and test all new processes supporting Basel 3.1 or SDDT, and ideally perform a parallel run
  • assess the impact on regulatory returns and reporting requirements
  • review current governance, IT or people processes
  • ensure all data practices are robust, with appropriate oversight, granularity and standardisation.

Mid-level banks and building societies must now have a solvent exit analysis (SEA) in place, covering topics such as solvent exit actions, key indicators and barriers to success, among others. However, it’s important to remember that it isn’t a ‘one-and-done’ exercise. As the business grows and strategies evolve, firms need to make sure this information is up to date and remains practical. 

To achieve that, it’s essential to embed processes to monitor material changes to the business, with significant senior oversight and approval. This needs to align and bring together a broader range of work across the firm, including recovery planning, scenario testing and recovery capacity calculations. These were all noted as areas for improvements in last year’s Dear CEO letter and should warrant close consideration moving forward.

While aiming to strengthen the recovery and resolution landscape, the PRA is also simplifying the associated reporting procedures, in line with the Government’s growth agenda. The Leeds Reforms include the following key changes:

  • Standardised MREL disclosure templates with a broader range of firms in scope
  • Streamlined MREL reporting requirements
  • Raised resolution assessment threshold from £50 billion in retail deposits to £100 billion
  • Less frequent recovery plans for SDDTs.

Individually, the updates aren’t extensive, but collectively, they can streamline compliance processes and help manage costs.

What should happen now?

Internal audit needs to make sure the fundamentals for recovery and resolution planning are in place. Recovery stress scenarios must be severe but realistic, with recovery capacity calculations that reflect the type of stress and any dependencies. These calculations are inherently complex and it’s essential to make sure the PRA’s methodology is applied correctly and appropriately quantified. 

Firms also need to review their current recovery and resolution reporting processes and ensure they’re using the correct templates moving forward.

Last year, there were 48.8 billion digital and contactless payments in the UK, with cash payments making up less than 10% of all transactions and predicted to fall to just 4% by 2034. This highlights the importance of the burgeoning payments sector and the need for effective regulatory oversight from regulators including the FCA, which is currently in the process of consolidating with the Payment Systems Regulator.

As such, the payments sector is facing a broader range of risks and regulatory challenges than ever before, including:

  • safeguarding customer funds – payment firms will have to protect their customers’ funds under a more stringent and granular Client Assets (CASS) regime in line with the FCA’s PS25/12
  • maintaining operational resilience – as an integral part of the financial landscape, payments services firms must be able to recover from operational incidents promptly, and without causing financial harm to individuals or the wider economy
  • meeting Consumer Duty requirements – with the FCA highlighting the transparency and value of international payment pricing as a key consideration for the sector
  • PSD3 and PSR adoption – to maintain UK interoperability with EU markets, the FCA and Payment Systems Regulator are expected to align closely with the EU's 2026 Payment Services Directive 3 (PSD3) and the EU Payment Services Regulation (PSR); these will update PSD2 and significantly update the UK's Payment Services Regulations 2017 with new authorisation and capital requirements, among others
  • wind-down planning – with the FCA highlighting the need for plans to be effective in practice and be better integrated into the risk management frameworks of e-money and payments firms
  • ISO 20022 adoption – in November 2026, the Bank of England will implement a new ISO 20022 schema upgrade for CHAPS and RTGS; this includes annual message updates, richer structured data fields, interoperability with SWIFT, and enhanced compliance and fraud monitoring requirements
  • Authorised Push Payment (APP) fraud prevention – with mandatory reimbursement policies under Specific Direction 20.

While implementing the above, it’s essential to remember that the sector is evolving alongside emerging technologies. As such, consumer demand can grow (and change direction) rapidly. So, it’s essential to adopt practical processes that are scalable and responsive to change and innovations.

What should happen now?

With so much change in the sector and regulatory landscape, internal audit has a crucial role to play in supporting the firm’s compliance activities. Key activities include:

  • ensuring infrastructure is fit for purpose and scalable to meet strategic growth ambitions, with a focus on critical services and operational resilience
  • reviewing, updating and testing current PSP systems to ensure they can support new data requirements for ISO 20022 MX formats, with effective interoperability and continuous service throughout the transition period
  • carrying out effective horizon scanning to monitor the final PSD3 rules, with a gap analysis to ensure all EU entities of UK businesses comply – which could require relicensing and changes to capital requirements.

The FCA has published CP25/32 to streamline MiFIR transaction reporting rules to improve reporting quality, reduce the cost of compliance and maintain market integrity. Key changes include removing reporting requirements for foreign exchange derivatives, and for a wide range of instruments that are only traded on EU trading venues. The regulator is also reducing the back reporting timeframe from five years to three, to reduce resubmissions by about a third. Collectively, these changes aim to simplify transaction reporting and reduce firms’ compliance burden, in line with the Government’s simplification agenda.

The final rules are due in the second half of 2026, with implementation expected about 18 months later.

What should happen now?

To prepare for the changes in transaction reporting rules, firms must:

  • assess how the new transaction reporting scope relates to current trading activities, with specific reference to FX derivatives and financial instruments only tradeable on EU venues
  • update supporting systems to reflect reduced data fields and shorter requirements for retained data.

Asset management

Private capital markets have grown over the last few years, with the UK serving as the largest hub in Europe. While they offer new opportunities to diversify investments and support business growth, regulators have concerns over how those assets are valued, given their inherent lack of transparency and reliance on expert judgement. Left unchecked, these could result in poor customer outcomes, liquidity risks and systemic impacts across the financial sector.

To address these issues, the FCA has conducted a multi-firm review of private market valuations, which found:

  • Valuation-related conflicts of interest for asset transfers, borrowing and fundraising
  • Some evidence of poor governance and limited independence
  • Inconsistent valuation processes, with lack of transparency around methodology changes
  • Overly conservative valuations, which can affect investor reporting and regulatory capital assessments.

Moving forward, firms will face greater regulatory scrutiny and must demonstrate robust methodology, transparency and governance processes. 

What should happen now?

As a starting point, internal audit needs to ensure all team members are up to date on current regulatory expectations and concerns, with appropriate training in place. Other key considerations include:

  • clear methodologies, policies and procedures for private asset valuations – with processes in place to update all stakeholders when these change
  • governance processes, including board level oversight and escalation procedures
  • conflict management processes
  • effective modelling, scenario analysis and sensitivity testing.

The FCA noted that independent valuations reflect good practice and firms may benefit from third-party support. 

In March 2025, IOSCO published ‘Revised recommendations of liquidity risk management for collective investment schemes’, which found potential mismatches in liquidity against redemption terms. Highlighting a range of improvements across stress testing, governance practices, disclosures, fund design and liquidity management tools, this has led to greater regulatory scrutiny for asset managers.

Moving forward, firms will be expected to deliver more granular and frequent reports, which may require updated systems and processes. This includes reliable and consistent market data, with robust models to support stress testing and give senior stakeholders assurance that liquidity and redemption demands will remain balanced, particularly during stressed conditions. This should be supported by practical contingency plans in the event of a liquidity crisis. Firms also need to consider the role of Consumer Duty, ensuring customers are treated fairly throughout all liquidity and redemption processes.

The FCA plans to consult on the Collective Investment Schemes Sourcebook (COLL) by the end of the year, to address these issues and improve regulatory oversight.

What should happen now?

Senior management should be prepared for ongoing regulatory scrutiny, and internal audit teams can offer greater assurance by considering the following:

  • Liquidity management system and procedures
  • Timely monitoring and managing of liquidity risk
  • Liquidity management limits and stress tests
  • Alignment of investment strategy, liquidity profile and redemption policy
  • Strength of liquidity management approaches
  • Robust stress testing methodologies
  • Appropriate reporting and disclosure processes in line with regulatory expectations

Under Consumer Duty, firms need to assess and test customer outcomes to demonstrate how they’ve achieved good outcomes and prevented foreseeable harm. However, outcomes monitoring is proving tricky, as reflected in the FCA’s multi-firm review of insurance firms, which has broad read-across for the wider financial sector, including asset managers. The FCA noted a general confusion between demonstrating effective business processes and evidencing good customer outcomes – they aren’t the same, and the former doesn’t automatically lead to the latter. Instead, the FCA expects firms to define what a good outcome looks like, then actively test customer outcomes against it. 

FCA guidance is non-prescriptive, so firms have a range of options available. They can sample representative groups for end-to-end testing, look at specific points in a customer’s journey, carry out issues-based reviews (for example during onboarding, investment management processes, vulnerable customer reviews or bereavement journeys) or assess specific customer sub-sets. Different customer groups can have varying outcomes for the same products, so it’s essential to look at the issue from a range of lenses. Where poor, or potentially poor, outcomes are identified, the FCA expects firms to take action to rectify them.

It’s also important to note the FCA’s recent FS25/2, which committed to reviewing the Assessment of Value reporting requirement due to potential overlap with Consumer Duty. The paper is expected by the end of the year.

What should happen now?

Asset managers need to work closely with their intermediaries to get a better picture of customer outcomes across the supply chain. Key considerations include:

  • clear articulations of expected good outcomes
  • data collection, data sharing and third-party oversight
  • undertaking robust value assessments
  • making sure products are properly targeted and marketed
  • ensuring customer communications are clear, with robust evidence of consumer understanding of the products
  • assessing consumer complaints, customer service data and client feedback.

The sustainability disclosure requirements (SDR) are proving challenging to implement. The labelling regime is in full swing, and the temporary extension on naming and marketing rules lapsed in April 2025. For asset managers, the key issue is identifying whether assets are genuinely sustainable, and how to categorise them. To achieve this, firms face significant operational and resource challenges to ensure accurate identification, clear evidence and appropriate data for reporting purposes.

Many of these challenges continue through preparations for the upcoming disclosure requirements. Larger asset managers (with AUM over £50 billion) must make product and entity level disclosures from 2 December 2025, with smaller firms (AUM over £5 billion) due to make entity level disclosures from 2 December 2026. For product level disclosures, firms must be able to justify all sustainability related labels, including key metrics. For entity level disclosures, firms need to demonstrate appropriate governance, progress against sustainability targets, and regulatory alignment across the business.

What should happen now?

Good governance and oversight are crucial to ensure labels, naming and marketing rules are accurately applied – and continue to be over time. To achieve that, firms need effective MI to demonstrate sustainability characteristics across all investments and portfolios. Most importantly, firms need to make arrangements to get independent assurance over their labels and respective disclosures. 

Insurance

The FCA continues to focus on the Consumer Duty price and value outcomes, following last year’s good and poor practice update, which highlighted weaknesses across the financial sector, including guaranteed asset protection (GAP) insurance. However, the FCA has taken a non-prescriptive approach, making it tricky to establish and demonstrate fair value.

Fundamentally, firms need to make sure that overall charges (including cost, APR and commission) are fair and reasonable in relation to the benefits received. When doing so, it’s essential to remember that the lowest cost to consumer – or even the industry average – doesn’t necessarily reflect fair value. The calculation will be specific to the genuine benefits from each product, and firms need to be able to demonstrate that those benefits are valued by the customer.

The FCA encourages firms to take a holistic approach to fair value assessments, by incorporating evidence of the other three ‘mutually reinforcing’ Consumer Duty outcomes. Firms that can show they are delivering against the other Consumer Duty outcomes will be more likely to demonstrate (and be able to evidence) fair value. However, the assessments must be appropriately granular, with:

  • product-specific considerations of the financial and non-financial costs and benefits
  • a clear method for determining value
  • a clear conclusion. 

What should happen now?

Recognising the non-prescriptive nature of fair value assessments, insurance firms need to ensure they have a clear and demonstrably effective methodology, to include:

  • identifying key metrics to demonstrate price, benefits and outcomes
  • bundling similar target markets or products together for more efficient assessment
  • assessing customer outcomes by consumer groups (such as vulnerable customers)
  • outputs from product governance reviews
  • whether a product meets other Consumer Duty outcomes.

Fair value may change over time, so firms need to carry out these exercises frequently, making sure their processes, methodology and benchmarking remain fit for purpose. The Consumer Duty price and value rules are over two years old, and the FCA expects firms’ approaches to fair value (and other things) to be continuously reviewed and improved (as necessary). Firms should be able to show that their fair value assessment approaches are robust and that they take meaningful action to address indicators or evidence of poor value.

The FCA’s premium finance market study is ongoing, with final findings due towards the end of the year. It aims to assess competition across the insurance sector and determine whether retail customers are receiving fair value in line with Consumer Duty.

The interim findings, published in July, found significant variations in consumer charges but ruled out a ban on commissions or cap on annual percentage rates (APR). It noted that premium finance does incur a cost, but that many providers’ fees materially exceed that cost with margins as high as 62%. Some insurers also charged high APRs, with nearly a fifth of customers paying over 30%. The FCA also identified high commissions to brokers as problematic, although the FCA didn’t go into detail in its interim report.

The FCA will continue to engage with the sector for the duration of the study, and beyond into any subsequent rule changes, which will assess:

  • fair value of higher-priced premium finance products
  • whether the wide range of approaches firms take to premium finance represents fair value
  • customers’ ability to compare premium finance with other credit products.

What should happen now?

The premium finance market study could lead to rule changes or firm-specific actions, so it’s essential to ensure all offerings meet FCA expectations, particularly on fair value and good customer outcomes. Key activities include:

  • assessing whether APRs are in line with the level of credit risk and commissions paid are reasonable in relation to costs incurred
  • reviewing product governance, remuneration and fair value assessment processes
  • revisiting the cost-to-serve of premium finance products to ensure it meets expectations
  • carrying out business model stress, scenario and viability testing to assess the potential impacts of the market study.

The UK has transitioned from Solvency II to Solvency UK, with additional reforms underway. This includes new governance expectations, and streamlined data and reporting standards. Ultimately, these changes aim to promote more proportionate, principles-based regulation to support growth across the sector. 

Some of the key amendments for internal audit to consider include:

  • new reporting templates, to boost transparency, improve quality and streamline processes (in some instances)
  • greater emphasis on board oversight of Solvency UK, specifically over risk management and internal model governance
  • reforms to risk margins and matching adjustments within technical provision calculations, alongside widening risks in matching adjustment portfolios through broadening eligibility and increased reliance on firm governance (which is particularly significant for life insurers)
  • changes for third country branches of UK insurers including reduced reporting requirements and no need to hold capital locally
  • updates to how external credit ratings are mapped to credit quality steps which are used to calculate default risk, spread risk and concentration risk, with final rules due later this year.

The new liquidity risk reporting requirement (CP19/24) is proving particularly challenging for firms. With an emphasis on supporting operational resilience, the PRA is asking firms to produce daily, granular liquidity reports during stressed conditions. While primarily affecting large life insurers, many firms aren’t equipped for this and will need to make significant changes to their data and reporting infrastructure to support the new reporting requirements. As a result, the PRA has pushed out implementation of the requirements to September 2026.

What should happen now? 

To meet emerging expectations, firms need to ensure that:

  • financial modelling approaches remain fit for purpose and accurately reflect the firm’s capital position
  • data infrastructure is robust, granular and timely to support reporting
  • liquidity reports can be produced daily and to the required level of detail
  • new reporting templates are adopted across the business, noting that although they tend to be simpler, they may still require significant operational change
  • governance and oversight processes are robust and in line with updated regulatory requirements.

UK Regulatory Handbook 2025

Your essential guide to the UK regulatory landscape.

Corporate Governance Review

Analysis of annual reports across FTSE 350 firms and investment trusts highlights key themes in governance best practice and shares insight on future trends.

Events

Spotlight on Motor Finance for Heads of Audit

Date: 3rd February 2026

Venue: 8 Finsbury Circus, London, EC2M 7EA

Please contact Shuvo Banerjee to express your interest in attending.

2026 Heads of Audit symposiums

3rd March 2026 – Heads of Audit for Mid-Market Banks

12th March 2026 – Heads of Audit for Insurance and Asset Management firms

Please email Emilie Watts to register your interest.