Regulatory update: Regulatory priorities re-written
Episode 87: David Morrey and Ben Farmer unpack the FCA’s new sector priority reports and what they really signal for financial services firms in 2026.

Our quarterly internal audit hot topics provides a thematic view of new and emerging regulatory risks across the financial sector. Get in touch if you would like to discuss any of the topics below.
Our risk focus radar is a combination of our view of key priorities and an extract from the UK Regulatory Initiatives Grid (where key milestones or formal engagement is planned), representing the risks and key priorities raised by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and leading UK regulatory bodies.
We identify the risk priorities at a glance for the four key sectors, segmented by time horizon and risk themes to support audit planning and forecast upcoming requirements.
The geopolitical environment continues to prove challenging and affects business strategies across the financial sector. Ongoing political tensions present significant issues for all businesses, and sanctions management remains a concern. It’s also essential to consider how international tensions may affect trade, business strategy and operational resilience.
While there have been three interest rate cuts this year, the rate remains relatively high, at 4%, with inflation at around 3.8% CPI. Inflation is forecast to continue to be above the Bank of England’s 2% target but a softening in economic indicators (as illustrated by a higher-than-expected unemployment rate of 5%) means the decision to change this rate further is finely balanced. The recent budget included changes for businesses such as updates to the tax treatment of salary sacrifice pension contributions, minimum wage increases and the extension of the freezing of income tax thresholds, which could prove a key juncture for the UK economy.
In response to potential macroeconomic shocks, firms should consider the impact of interest rate changes on business models, pricing and valuations and liquidity risk under scenarios where credit conditions tighten. Other considerations include:
Firms may also need to consider changes in business hiring patterns, consumer spending and how they continue to identify (and offer additional support to) vulnerable customers.
Cyber security remains a priority this year, following major cyber-attacks on the retail and manufacturing sectors. This includes a breach at a high-profile automotive company, which the Cyber Monitoring Centre cites as "the single most financially damaging cyber event ever to hit the UK", worth an estimated £1.9 billion. Meanwhile, ransomware from the Scattered Spider group halted online orders for a major UK retailer, with losses of about £300 million. In both cases, arrangements with third-party service providers appear to have been manipulated or exploited in the cyber-attack. This is an ongoing trend, with Verizon noting that 30% of breaches in 2024 leveraged a third-party relationship, double that of the previous year.
With this in mind, it's no surprise that the IIA has chosen cyber security and third-party risk management as its first and second topical requirements, with organisational resilience currently under consultation. These requirements form an integral part of the IIA's International Professional Practices Framework (IPPF), aiming to standardise audit practices and create a minimum baseline to assess governance, risk management and control.
Effective cyber security must be embedded across the firm, with all individuals and teams across all three lines of defence recognising their individual roles and responsibilities. Senior management must support individuals and teams by setting an appropriate culture around cyber security, backed by sufficient training and risk management approaches, in line with emerging threats.
When these areas are included in the internal audit plan, firms need to follow the new topical requirements, as follows:
The Economic Crime and Corporate Transparency Act came into force in September, introducing the new failure to prevent fraud offence. This makes in-scope firms criminally liable if an associated person (including an employee, agent or contractor) commits fraud that benefits the organisation or its clients. It applies to organisations with two or more of the following criteria:
In the event of fraud, firms need to demonstrate that they had ‘reasonable procedures’ to prevent it, including a clear definition of ‘associated persons’, a sufficient understanding of their exposures, and evidence of robust controls. Other key considerations include decentralisation risks, and territoriality to identify exposures where the UK operations could inadvertently enable overseas fraudulent activity (noting that a UK nexus is integral to the offence). It’s also important to highlight the interaction with Consumer Duty, recognising that severe misrepresentation of financial products or services could, theoretically, constitute fraud.
Alongside the above, regulators are putting firms under greater scrutiny over their financial crime controls. HMT’s Anti-Money Laundering and Counter-Terrorist Financing Supervision Report, published in March, noted that 10% of all supervised firms were subject to desk-based reviews or site visits in 2023-24, compared to 6% the previous year. 1,227 enforcement fines were issued by all supervisors in 2023-24, compared to just 614 in 2021-22 – highlighting that many firms are still not meeting the expected standards.
To support the above, internal audit needs to ensure the firm has:
Last year’s UK Corporate Governance Code introduced a revised Provision 29, requiring firms to report on their material controls. While the concept itself is nothing new, the prescriptive reporting and disclosure requirements mark a significant shift in regulatory expectations.
For financial years beginning on or after 1 January 2026, boards must monitor their firm’s risk management and internal control systems, including all material controls, with an annual review of their effectiveness. This extends to material controls across finance, operations, reporting and compliance.
Boards must now also disclose in their annual reports:
Firms also need to gain attestation over these controls, which will be familiar to those subject to US SOX (for financial material controls). Firms not subject to US SOX will face a greater journey to implementation.
The most immediate challenge is defining what constitutes a material control. Internal audit should refer to the FRC’s guidance, which describes material controls as those relating to principal risks and likely to encompass:
Internal audit needs robust processes to identify which controls are material, with appropriate assurance processes and controls testing in place to support the board in their attestations. This is particularly important given that company directors must sign off on the robustness of those controls with personal accountability, and coverage extends across financial, operational and financial crime frameworks.
The Financial Stability Board’s (FSB) annual report on AI Vulnerabilities in Financial Services noted that AI models have become higher performing, at a lower cost, with greater vertical integration across supply chains. With new use-cases emerging daily, adoption is on the up, with subsequently greater considerations over third-party risk management, concentration risks and cyber security. It also notes the potential for AI-driven market correlations, where algorithms use the same market data to reach the same decisions, and the potential for AI to heighten existing systemic risks. As such, the FSB highlights the need for national authorities to embed consistent definitions of AI to support more effective monitoring and supervision across the financial sector.
These concerns are shared by other supervisory bodies, as reflected in ongoing work between the ICO and FCA on supporting AI, innovation and growth in financial services. Recognising that data protection and Consumer Duty are two key barriers to adoption, the regulators are exploring how to provide greater certainty to promote safe growth in this space. Similarly, the PRA has noted the emerging risks of AI, in its 2025 business plan, with key considerations including application of model risk management principles, effective operational resilience processes and international consistency to support innovation.
As a key area of innovation across the sector, internal audit teams need a good understanding of where various teams are applying AI across the firm, with effective controls and oversight in place. Key considerations include:
Most importantly, as an emerging technology, internal audit needs to stay up to date with emerging use cases, risks and regulatory thinking to establish and maintain good practice.
The PRA has updated its climate risk rules via PS25/25 and SS4/25, which replaces SS3/19 from six years ago. Building on CP10/25, the update reflects a more mature climate risk landscape, with emerging standards and more developed capabilities. Maintaining a proportionate approach, the updated rules include:
In addition to the above, the new supervisory statement notes a few sector-specific points. For example, it clarifies that insurance firms can capture climate-risk within current SCR rules, and internal models should treat climate factors as risk drivers. For banks, the PRA notes that accounting and audit rules still align to climate risk expectations for financial reporting, and ICAAP/ILAAP scenarios may use standard timeframes.
To get started, firms should carry out a gap analysis against the PRA’s updated expectations with a focus on:
The FCA launched its long-awaited redress scheme consultation in October, with final rules due in February or March 2026. It applies to regulated motor finance agreements initiated between 6 April 2007 and 1 November 2024, where lenders paid brokers commission and where the lender-borrower relationship was potentially ‘unfair’. That includes agreements with poorly disclosed: discretionary commission arrangements; unduly high commission; and certain contractual ties between the lender and broker.
Redress calculations are more complex than anticipated, with the FCA putting forward three remedies:
Given the complex calculations and short timeframes for delivery, the FCA allows firms to use informed assumptions to address incomplete data, for example, where the details of the customer loan agreement have been expunged.
In addition to the redress scheme consultation, the FCA issued a Dear CEO letter in October, urging lenders and brokers to make preparations for resolving all motor finance complaints – regardless of the current redress scheme status. The regulator also asked firms to prepare for the proposed scheme, including starting work on identifying impacted customers and determining which cases are in scope.
This has been followed by another Dear CEO and PS25/18 announcing that the FCA won’t extend the pause on motor finance leasing complaints, and firms must resume their complaints handling in line with DISP rules. However, all other motor finance related complaints, including those relating to DCA and non-DCA commissions will be subject to an extended deadline of 31 May 2026 (this could change for complaints falling into scope of the redress scheme).
Internal audit teams need to consider financial, reputational and operational implications of the redress scheme to ensure it meets the FCA’s requirements. Key challenges include:
Firms continue to implement the near-final Basel 3.1 rules, with a general compliance deadline of 1 January 2027. However, with ongoing uncertainty about the US implementation, the PRA has taken steps to avoid short-term divergence. As such, it’s pushed back the Fundamental Review of the Trading Book’s internal models approach to 1 January 2028. It has also announced market risk simplifications under the Leeds Reforms, namely:
The PRA has also retired the refined Pillar 2A methodology via PS18/25, effective 1 January 2027. This is no longer needed due to improved risk sensitivity in the new credit risk standardised approach. There are additional minor clarifications to the Interest Rate Risk in the Banking Book (IRRBB) and Pension Obligation Risk approaches, to improve transparency and consistency, effective 1 July 2026.
Alongside the above, the PRA has published the near-final policy statement (PS20/25) on the Small Domestic Deposit Takers Regime (SDDT) in October, with a few key changes from the draft policy:
Firms have until 31 March 2026 to grant their consent (or intention to consent) to become an SDDT firm on 1 January 2027. Those that don’t will fall under Basel 3.1.
With the near-final rules now in place for SDDT (subject to the repeal and replacements of CRR), firms can make a more informed decision about which direction to take. This will largely depend on the extent and complexity of their capital requirements, in addition to the ongoing cost of compliance – so sizing these up is a good place to start for firms that are undecided.
Once the direction of travel is clear, firms must ensure they:
Mid-level banks and building societies must now have a solvent exit analysis (SEA) in place, covering topics such as solvent exit actions, key indicators and barriers to success, among others. However, it’s important to remember that it isn’t a ‘one-and-done’ exercise. As the business grows and strategies evolve, firms need to make sure this information is up to date and remains practical.
To achieve that, it’s essential to embed processes to monitor material changes to the business, with significant senior oversight and approval. This needs to align and bring together a broader range of work across the firm, including recovery planning, scenario testing and recovery capacity calculations. These were all noted as areas for improvements in last year’s Dear CEO letter and should warrant close consideration moving forward.
While aiming to strengthen the recovery and resolution landscape, the PRA is also simplifying the associated reporting procedures, in line with the Government’s growth agenda. The Leeds Reforms include the following key changes:
Individually, the updates aren’t extensive, but collectively, they can streamline compliance processes and help manage costs.
Internal audit needs to make sure the fundamentals for recovery and resolution planning are in place. Recovery stress scenarios must be severe but realistic, with recovery capacity calculations that reflect the type of stress and any dependencies. These calculations are inherently complex and it’s essential to make sure the PRA’s methodology is applied correctly and appropriately quantified.
Firms also need to review their current recovery and resolution reporting processes and ensure they’re using the correct templates moving forward.
Last year, there were 48.8 billion digital and contactless payments in the UK, with cash payments making up less than 10% of all transactions and predicted to fall to just 4% by 2034. This highlights the importance of the burgeoning payments sector and the need for effective regulatory oversight from regulators including the FCA, which is currently in the process of consolidating with the Payment Systems Regulator.
As such, the payments sector is facing a broader range of risks and regulatory challenges than ever before, including:
While implementing the above, it’s essential to remember that the sector is evolving alongside emerging technologies. As such, consumer demand can grow (and change direction) rapidly. So, it’s essential to adopt practical processes that are scalable and responsive to change and innovations.
With so much change in the sector and regulatory landscape, internal audit has a crucial role to play in supporting the firm’s compliance activities. Key activities include:
The FCA has published CP25/32 to streamline MiFIR transaction reporting rules to improve reporting quality, reduce the cost of compliance and maintain market integrity. Key changes include removing reporting requirements for foreign exchange derivatives, and for a wide range of instruments that are only traded on EU trading venues. The regulator is also reducing the back reporting timeframe from five years to three, to reduce resubmissions by about a third. Collectively, these changes aim to simplify transaction reporting and reduce firms’ compliance burden, in line with the Government’s simplification agenda.
The final rules are due in the second half of 2026, with implementation expected about 18 months later.
To prepare for the changes in transaction reporting rules, firms must:
Private capital markets have grown over the last few years, with the UK serving as the largest hub in Europe. While they offer new opportunities to diversify investments and support business growth, regulators have concerns over how those assets are valued, given their inherent lack of transparency and reliance on expert judgement. Left unchecked, these could result in poor customer outcomes, liquidity risks and systemic impacts across the financial sector.
To address these issues, the FCA has conducted a multi-firm review of private market valuations, which found:
Moving forward, firms will face greater regulatory scrutiny and must demonstrate robust methodology, transparency and governance processes.
As a starting point, internal audit needs to ensure all team members are up to date on current regulatory expectations and concerns, with appropriate training in place. Other key considerations include:
The FCA noted that independent valuations reflect good practice and firms may benefit from third-party support.
In March 2025, IOSCO published ‘Revised recommendations of liquidity risk management for collective investment schemes’ which found potential mismatches in liquidity against redemption terms. Highlighting a range of improvements across stress-testing, greater governance practices, disclosures, fund design and liquidity management tools, it’s led to greater regulatory scrutiny for asset managers.
Moving forward, firms will be expected to deliver more granular and frequent reports, which may require updated systems and processes. This includes reliable and consistent market data, with robust models to support stress testing and give senior stakeholders assurance that liquidity and redemption demands will remain balanced, particularly during stressed conditions. This should be supported by practical contingency plans in the event of a liquidity crisis. Firms also need to consider the role of Consumer Duty, ensuring customers are treated fairly throughout all liquidity and redemption processes.
The FCA plans to consult on the Collective Investment Schemes Sourcebook (COLL) by the end of the year, to address these issues and improve regulatory oversight.
Senior management should be prepared for ongoing regulatory scrutiny, and internal audit teams can offer greater assurance by considering the following:
Under Consumer Duty, firms need to assess and test customer outcomes to demonstrate how they’ve achieved good outcomes and prevented foreseeable harm. However, outcomes monitoring is proving tricky, as reflected in the FCA’s multi-firm review of insurance firms, which has broad read-across for the wider financial sector, including asset managers. The FCA noted a general confusion between demonstrating effective business processes and evidencing good customer outcomes – they aren’t the same, and the former doesn’t automatically lead to the latter. Instead, the FCA expects firms to define what a good outcome looks like, then actively test customer outcomes against it.
FCA guidance is non-prescriptive so firms have a range of options available. They can sample representative groups for end-to-end testing, look at specific points in a customer’s journey, carry out issues-based reviews (for example during onboarding, investment management processes, vulnerable customer reviews or bereavement journeys) or assess specific customer sub-sets. Different customer groups can have varying outcomes for the same products, so it’s essential to look at the issue through a range of lenses. Where poor, or potentially poor, outcomes are identified, the FCA expects firms to take action to rectify them.
It’s also important to note the FCA’s recent FS25/2, which committed to reviewing the Assessment of Value reporting requirement due to potential overlap with Consumer Duty. The paper is expected by the end of the year.
Asset managers need to work closely with their intermediaries to get a better picture of customer outcomes across the supply chain. Key considerations include:
The sustainability disclosure requirements (SDR) are proving challenging to implement. The labelling regime is in full swing, and the temporary extension on naming and marketing rules passed in April 2025. For asset managers, the key issue is identifying whether assets are genuinely sustainable, and how to categorise them. To achieve this, firms face significant operational and resource challenges to ensure accurate identification, clear evidence and appropriate data for reporting purposes.
Many of these challenges continue through preparations for the upcoming disclosure requirements. Larger asset managers (with AUM over £50 billion) must make product and entity level disclosures from 2 December 2025, with smaller firms (AUM over £5 billion) due to make entity level disclosures from 2 December 2026. For product level disclosures, firms must be able to justify all sustainability related labels, including key metrics. For entity level disclosures, firms need to demonstrate appropriate governance, progress against sustainability targets, and regulatory alignment across the business.
Good governance and oversight are crucial to ensure labels, naming and marketing rules are accurately applied – and continue to be over time. To achieve that, firms need effective MI to demonstrate sustainability characteristics across all investments and portfolios. Most importantly, firms need to make arrangements to get independent assurance over their labels and respective disclosures.
The FCA continues to focus on the Consumer Duty price and value outcomes, following last year’s good and poor practice update, which highlighted weaknesses across the financial sector, including guaranteed asset protection (GAP) insurance. However, the FCA has taken a non-prescriptive approach, making it tricky to establish and demonstrate fair value.
Fundamentally, firms need to make sure that overall charges (including cost, APR and commission) are fair and reasonable in relation to the benefits received. When doing so, it’s essential to remember that the lowest cost to consumer – or even the industry average – doesn’t necessarily reflect fair value. The calculation will be specific to the genuine benefits from each product, and firms need to be able to demonstrate that those benefits are valued by the customer.
The FCA encourages firms to take a holistic approach to fair value assessments, by incorporating evidence of the other three ‘mutually reinforcing’ Consumer Duty outcomes. Firms that can show they are delivering against the other Consumer Duty outcomes will be more likely to demonstrate (and be able to evidence) fair value. However, the assessments must be appropriately granular, with:
Recognising the non-prescriptive nature of fair value assessments, insurance firms need to ensure they have a clear and demonstrably effective methodology, to include:
Fair value may change over time, so firms need to carry out these exercises frequently, making sure their processes, methodology and benchmarking remain fit for purpose. The Consumer Duty price and value rules are over two years old, and the FCA expects firms’ approaches to fair value (and other things) to be continuously reviewed and improved (as necessary). Firms should be able to show that their fair value assessment approaches are robust and that they take meaningful action to address indicators or evidence of poor value.
The FCA’s premium finance market study is ongoing, with final findings due towards the end of the year. It aims to assess competition across the insurance sector and determine whether retail customers are receiving fair value in line with Consumer Duty.
The interim findings, published in July, found significant variations in consumer charges but ruled out a ban on commissions or cap on annual percentage rates (APR). It noted that premium finance does incur a cost, but that many providers’ fees materially exceed that cost with margins as high as 62%. Some insurers also charged high APRs, with nearly a fifth of customers paying over 30%. The FCA also identified high commissions to brokers as problematic, although the FCA didn’t go into detail in its interim report.
The FCA will continue to engage with the sector for the duration of the study, and beyond into any subsequent rule changes, which will assess:
The premium finance market study could lead to rule changes or firm-specific actions, so it’s essential to ensure all offerings meet FCA expectations, particularly on fair value and good customer outcomes. Key activities include:
The UK has transitioned from Solvency II to Solvency UK, with additional reforms underway. This includes new governance expectations, and streamlined data and reporting standards. Ultimately, these changes aim to promote more proportionate, principles-based regulation to support growth across the sector.
Some of the key amendments for internal audit to consider include:
The new liquidity risk reporting requirement (CP19/24) is proving particularly challenging for firms. With an emphasis on supporting operational resilience, the PRA is asking firms to produce daily, granular liquidity reports during stressed conditions. While primarily affecting large life insurers, many firms aren’t equipped for this and will need to make significant changes to their data and reporting infrastructure to support the new reporting requirements. As a result, the PRA has pushed out implementation of the requirements to September 2026.
To meet emerging expectations, firms need to ensure that:

Date: 12.03.2026, Heads of Audit for Insurance and Asset Management firms
Venue: 8 Finsbury Circus, London, EC2M 7EA
Please contact Emilie Watts to express your interest in attending.