The gap between regulatory intent and operational reality

The Prudential Regulation Authority’s January 2026 Dear CEO letter to UK banks and building societies was unusually direct about where it expects to find problems. Written by Charlotte Gerken, executive director of UK Deposit Takers Supervision, it identified data risk as a standalone supervisory priority for the first time, stating that “weaknesses in data quality continue to drive operational and prudential issues” and that “challenges persist due to complex IT landscapes, legacy systems and governance gaps”. That is not a warning about the future. It is a description of the present.

With Basel 3.1 confirmed for 1 January 2027 and the Pillar 2 rebasing data collection deadline having passed in March, the question for lenders is no longer whether the rules are clear. The question is whether the operational infrastructure needed to comply with them is genuinely in place or whether firms are relying on workarounds that will not hold up under scrutiny.

The PRA has been explicit about what it expects. Internal Capital Adequacy Assessment Processes signed off in 2026 must include a full impact assessment of Basel 3.1 or the Strong and Simple framework, and the data submitted for the Pillar 2 rebasing exercise must be board-assured and of sufficient quality to support accurate recalibration of requirements.

For smaller deposit-taking lenders, particularly building societies, the challenge is compounded by the scale of change relative to available resource. The Building Societies Association has noted the disproportionate impact of Basel 3.1 on monoline mortgage lenders, arguing that capital increases should be grounded in empirical evidence of increased risk.

The PRA has made some adjustments in response, but the operational burden of implementing even a simplified framework should not be underestimated.

What the Dear CEO letter makes clear is that the PRA is not simply checking whether firms have produced the right documents. It is looking at whether risk management frameworks are genuinely keeping pace with business model changes, whether data governance is embedded rather than aspirational and whether boards have real visibility of their capital position under the new rules.

That is a materially higher bar than many firms may have assumed. Producing a compliant ICAAP is one thing. Demonstrating that the underlying models have been validated, the data feeding them is accurate and complete, and the governance around the whole process is robust enough to withstand a skilled person review is another.

The firms furthest ahead are those that treated this as an operating model question from the outset, not a compliance project handed off to a single team. The firms most exposed are those where implementation has been technically led but operationally shallow – where the rules have been interpreted correctly but the processes, controls and people needed to sustain the new framework in business as usual have not yet caught up.

The PRA has signalled it will deploy specialist and skilled person reviews where data quality weaknesses persist. That is the regulatory equivalent of a warning shot. The time to close the gap is now.

About Author

John Barbour, Chief Executive Officer at Rockstead
