PRA Supervision Outlook 2025 – what you need to know
On 21 January the PRA published two Dear CEO Letters outlining their 2025 priorities for Supervision of International Banks and UK Deposit Takers. There are common themes across both letters, giving us an insight into the PRAs approach to supervision more broadly. Below, we have explored some of these themes and expectations.
Governance
Senior management and the Board must ensure that governance frameworks are robust enough to manage known and emerging risks. There is a particular focus on credit risk management including counterparty credit risk management, especially across vulnerable portfolios. The PRA has reiterated the importance of data integrity when producing management information (MI) to enable senior management / the Board to make appropriate risk-based decisions.
Data
As well as data integrity, a firm’s ability to interrogate the data it has in a way that’s actually meaningful is an area of focus. Firms should be able to evidence that not only do they have access to raw data, but they use it in a way to inform decisions and drive enhancements across the business. Where firms have implemented analytics tools, firms are expected to be able to explain why they are confident in the tool and how they are utilising the outputs.
Financial resilience
Having the capability to identify changes to the funding and liquidity landscape is a must. Firms are expected to conduct ongoing assessments of their funding and liquidity position. These assessments must be used to drive specific stress-tests inform contingency plans for financial resilience.
Operational Resilience
Cyber resilience remains in the spotlight, but firms must also consider their third-party risk management procedures. Evidencing that you have comprehensively assessed your third-party risk and have implemented proper procedures to manage the level of risk should be high on the agenda for 2025.
The PRA have also reminded firms that those subject to Operational Resilience regulation must be able to demonstrate, by March 2025, that they have:
Identified their Important Business Services
Set appropriate Impact Tolerances
Tested their ability to remain within Impact Tolerances during disruptions
What next?
Focus on these areas is not new, nor is it going anywhere. If you haven’t already, now is the time to get on the front foot. Ask yourself the following questions:
When was your governance framework last assessed?
How do you get comfortable that mechanisms are in place to effectively identify and manage risks?
Can you evidence that your governance framework is structured to ensure adequate senior management / Board oversight?
How do you generate frequent and reliable MI?
Can you demonstrate that MI informs risk-based decision making?
How accessible is your data?
How do you ensure that all data is up to date and accurate?
How do you use the data you have access to?
When were resilience stress-tests last conducted?
Can you demonstrate that contingency plans are informed by stress-tests?
Are you ready for the March 2025 deadline?