On 21 January 2025, the Prudential Regulation Authority (PRA) published a ‘Dear CEO’ letter setting out its 2025 priorities in relation to the supervision of UK deposit takers.

In the letter, which was sent to Chief Executive Officers of PRA regulated UK deposit takers, the PRA explains that the common theme across its key priorities over the past few years and for 2025 remains the need for robust governance, risk management and controls at firms, supported by accurate information, to enable firms to proactively identify and analyse and mitigate risks in a dynamic, competitive and challenging environment. It notes that the thematic priorities set out in the letter are not exhaustive and are intended to complement its core assurance work and the firm-specific feedback provided following firms’ most recent Periodic Summary Meetings.

The thematic priorities covered in the letter are:

  • Risk management, governance and controls. The PRA notes that it expects firms to have these frameworks in place across businesses, risk and internal audit functions, commensurate with the firm’s business model, and that boards should also consider where risk culture may be the root cause of material weaknesses in their firm’s control environment. It also flags that firms should continue to implement and embed changes to model risk management to align with the principles in the PRA’s supervisory statement 1/23.
  • Data risk. The letter reminds firms of the need to ensure they are submitting complete, timely and accurate regulatory returns, and notes that while not all firms are in scope of the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and reporting, these principles provide a good base for firms to think about in their management of data risk.
  • Funding and liquidity. The PRA notes that liquidity events in recent years have highlighted the importance of liquidity resilience and firms’ preparedness for unexpected shocks, and that the funding and liquidity landscape for UK banks will see significant changes in the next few years both in terms of normalisation of the Bank of England’s balance sheet and changing market dynamics. It asks firms’ boards to seek assurance from their treasury and risk management functions about the effectiveness of balance sheet management and how these changes will impact on the firm.
  • Operational resilience. With the approaching March 2025 deadline for firms to ensure they can comply with operational resilience obligations, the PRA says that it expects firms to have made significant progress already towards this and that operational resilience should be a key point of consideration for boards and executives. It also notes that it intends to start consulting, together with the Financial Conduct Authority, in H2 2025 on policy relating to the management of information and communication technology and cyber risks.
  • The delay in implementing Basel 3.1 and the Strong and Simple regime. The PRA flags that it is considering the impact of the delay to Basel 3.1 on the timeframe for implementing the Strong and Simple framework, but says it still expects small domestic deposit taker (SDDT) eligible firms and their boards to consider the implications and possible capital impacts of the proposals in CP7/24, and to consider whether the SDDT regime or the Basel 3.1 regime is the appropriate prudential regime for them.