On 21 January 2025, the Prudential Regulation Authority (PRA) published a ‘Dear CEO’ letter setting out its 2025 priorities in relation to the supervision of international banks.

In the letter, which was sent to Chief Executive Officers of PRA regulated international banks active in the UK, the PRA explains that the common theme across its key priorities over the past few years and for 2025 remains the need for robust governance, risk management and controls at firms, supported by accurate information, to enable firms to proactively identify and analyse and mitigate risks in a dynamic, competitive and challenging environment. It notes that the thematic priorities set out in the letter are not exhaustive and are intended to complement its core assurance work and the firm-specific feedback provided following firms’ most recent Periodic Summary Meetings.

The thematic priorities covered in the letter are:

  • Risk management, governance and controls. The PRA notes that it expects firms to have these frameworks in place across businesses, risk and internal audit functions, commensurate with the firm’s business model, and that boards should also consider where risk culture may be the root cause of material weaknesses in their firm’s control environment. It also flags that firms should continue to invest in robust credit risk management and measurement practices that are adaptable to changing conditions, and that new lending, growth areas and existing portfolios should be risk assessed in the context of the evolving outlook.
  • Data risk. The letter reminds firms of the need to ensure they are submitting complete, timely and accurate regulatory returns.
  • Financial resilience. The PRA plans to continue to focus on broader financial resilience issues in 2025, through ongoing assessment of individual firms’ capital and liquidity. It notes that it expects to see firms consider and manage risk to a broad range of forward-looking liquidity and capital indicators, to use stress testing to assess their financial resilience and to have realistic and effective contingency plans that are supported by accurate and relevant information.
  • Operational resilience. With the approaching March 2025 deadline for firms to ensure they can comply with operational resilience obligations, the PRA says that it expects firms to have made significant progress already towards this and that operational resilience should be a key point of consideration for boards and executives. It also notes that it intends to start consulting, together with the Financial Conduct Authority, in H2 2025 on policy relating to the management of information and communication technology and cyber risks.
  • The delay in implementing Basel 3.1. The PRA flags that firms should ensure they continue to work through the potential impact and implications of the Basel 3.1 policy package with their board despite the delay in implementing it, and notes that it will communicate further on the implications of the delay in due course.