Thank you again for joining the recent Oliver Wyman UK mid-sized banks IRB Roundtable. We really appreciated the openness of the discussion and have attached the materials shared during the session for ease of reference.

A few themes stood out from the conversation:

• For the mid-sized banks, the IRB journey remains challenging not only from a modelling perspective, but also in terms of building and sustaining a clear internal business case, especially with the upcoming RWA output floor
• The value of IRB is seen beyond capital benefits alone, with greater emphasis on stronger risk management, pricing and decision-making
• Data continues to be a major constraint, particularly in relation to limited historical depth and LGD data gaps (including collateral valuation)
• There was strong interest in pooled data, benchmarking and external datasets, although it is important to ensure governance, comparability and validation through a third party engagement
• Regulatory engagement continues to be lengthy and complex, especially where expectations around submission completeness are evolving, although there appear to be some recent improvements in supervisory capacity and process
• Standardised tooling can help accelerate delivery and improve consistency, but it must remain flexible enough to reflect institution-specific portfolio characteristics and modelling choices
• The value of such tooling increases with the validation of such tooling by a third party
• Across both modelling and validation, internal ownership within each bank remains critical, particularly for senior modelling leads
• Looking ahead, many participants expect validation capacity to come under increasing pressure, especially as models become more complex and increasingly AI-enabled

As discussed during the roundtable, we will follow up with more concrete thoughts on practical next steps for data pooling. In the meantime, we would be pleased to arrange a short demo of Hercules, our credit risk modelling toolkit (you can find more details about it here)

Thank you again for the candid and insightful discussion.

Kind regards

Europe’s approach to combating financial crime is entering its most significant phase of evolution in decades. Faced with mounting regulatory consolidation, cost pressures, rapid advances in artificial intelligence (AI), and increasingly sophisticated criminal tactics, financial institutions must rethink how they identify and manage risk across borders and business lines

At the centre of this transformation are two major developments: the Anti-Money Laundering Authority (AMLA) and the new European AML Rulebook (AMLR). Together, these elements establish a harmonised regulatory and supervisory framework across the EU. AMLA, which launched in July 2025, will bring direct supervision to roughly 40 high-risk institutions by 2027 and become fully operational by 2028, while the AMLR creates consistent standards and methodologies to replace fragmented national rules.

For financial crime executives, this shift demands more than compliance checklists—it requires organisational change. Firms are encouraged to harmonise internal policies, streamline transaction monitoring, unify supervisory response functions, and align risk assessments and model governance with the new European standards.

Cost and value dynamics are also changing. As volumes of data grow and false positives proliferate, anti-financial crime (AFC) functions must move from cost-centric models to ones that demonstrate measurable value. Leveraging AI to automate routine investigations—while reserving skilled human judgement for nuanced cases—can help improve detection quality and reduce operational drag.

Advances in generative AI and machine learning are unlocking further potential, enabling faster triage, improved outcome consistency, and enhanced analytical capabilities. The next frontier lies in agentic AI—systems that can autonomously manage risk workflows within controlled, explainable frameworks, enabling real-time monitoring and dynamic risk scoring.

Finally, the insight highlights the growing importance of public-private partnerships (PPPs) and shared utilities. Criminal networks exploit data silos and fragmented defenses; by contrast, collaboration—supported by privacy-enhancing technologies such as federated learning—can improve detection accuracy, reduce false positives, lower costs, and strengthen compliance credibility across the industry.

In sum, 2026 represents a pivotal moment for European AFC leaders: a chance to leverage regulatory reform, technological innovation, and collaborative intelligence to build more efficient, resilient, and proactive defences against financial crime.

Read more and the report in full here

Across the UK and EU, supervisors are sharpening their focus on resilience, data, and disciplined execution amid significant regulatory change. In the UK, both the PRA and FCA are balancing competitiveness and growth objectives with heightened expectations around risk management, operational robustness, capital readiness, and consumer and financial crime outcomes—alongside efforts to modernise supervisory processes and reporting. In the EU, the EBA and ECB are driving rulebook delivery, supervisory convergence, and technology-related oversight, with particular emphasis on geopolitical resilience, ICT and third-party risk, and the governance of emerging digital and AI use cases. Collectively, the agenda signals sustained supervisory intensity, with firms expected to demonstrate strong fundamentals while adapting to evolving frameworks and innovation-led risks.

UK

Prudential Regulatory Authority (PRA)

Strategic risk management (incl. trade finance, private markets, NBFI exposures, CCR, SRT discipline, model risk, new tech)

• Expect continued supervisory pressure on risk identification/aggregation (especially around NBFI counterparty credit risk and private markets connectivity) and board-level visibility of exposures; also tighter governance expectations around SRT capital relief and model risk remediation

Operational resilience (incl. cyber resilience and third‑party dependencies)

• Banks should anticipate deeper challenge on operational resilience testing, plus more scrutiny of cyber preparedness and outsourcing/third‑party concentration, including expectations for contingency/exit testing and “don’t rely solely on vendor assurance” approaches.

Financial resilience (capital & liquidity) with major regime change ahead

• PRA is explicitly linking 2026 supervisory work to readiness for Basel 3.1 implementation on 1 Jan 2027, alongside the Strong and Simple regime for SDDTs on the same date; banks should expect material focus on capital planning, RWA accuracy, and permissions. The PRA also flags variable Pillar 2 requirement rebasing in 2026 with a 31 March 2026 data submission deadline, which can drive near‑term workload and potentially affect requirements.

Data risk (incl. BCBS 239 benchmarking and potential skilled person reviews)

• Banks should expect continuing pressure to strengthen data governance, architecture and validation; the PRA signals willingness to use specialist/skilled person reviews where weaknesses persist—so data programmes can become a supervisory-critical path item.

Competitiveness & growth (see below for secondary objectives)

• Reporting burden reduction (Future Banking Data programme)
  Alongside higher data quality expectations, the PRA is explicitly pushing streamlining/modernising reporting via the Future Banking Data programme—this can mean change in reporting processes and architecture (even if intended to reduce burden over time).

• Supervisory approach / efficiency: shift to a two‑year cycle for PSMs and other streamlining
  PRA plans to move remaining firms from annual to biennial PSM cycles and accelerate certain approval timelines; banks may see fewer formal cycle-driven engagements but should expect continued cadence on material issues, plus operational changes in PRA interaction models

Financial Conduct Authority (FCA)

A smarter regulator (more efficient/effective; proportionate and predictable)

• Banks can expect continuing changes in data collection and regulatory interactions (including FCA efforts to stop some returns, digitise processes, and enable ad‑hoc “flexi collections”), plus an FCA supervision model that aims to focus resources on the highest harm and act faster in higher-risk cases.

Supporting growth (competitiveness, productivity, innovation)

• For banks, this tends to translate into a mix of (i) enabling frameworks (e.g., Open Banking/Open Finance) and (ii) regime-building work (e.g., crypto/stablecoins) that can create opportunities but also new compliance and operating model requirements. The FCA’s work programme explicitly funds major growth-oriented initiatives like Open Finance and crypto regime work.

Helping consumers navigate their financial lives

• Banks (especially retail) should expect continued FCA focus on consumer outcomes—resilience to shocks, saving/investing, and consistently good experiences—often manifesting as supervisory attention to product design, customer journeys and (where relevant) market-wide reviews (e.g., the FCA signals work like a public discussion on the future mortgage market).

Fighting financial crime

• Banks should expect ongoing emphasis on measures that slow fraud growth, protect market integrity and tackle money laundering; that typically drives scrutiny of AML systems/controls, governance, and how firms prevent/identify/respond to fraud typologies

EU

European Banking Authority (EBA)

Priority 1 — Rulebook: efficient, resilient and sustainable single market

• Banks should expect sustained EBA focus on single-rulebook delivery and consistent implementation, with major workload tied to CRR/CRD mandates (the SPD references a large pipeline of mandates through 2028 and explicitly flags prioritisation of Basel III implementation and issues like third‑country branch access/consolidation topics).

Priority 2 — Risk assessment: tools, data and methodologies for effective analysis/supervision/oversight

• Expect continued evolution in EU supervisory analytics and benchmarking—i.e., more structured use of data and methodologies to support supervisory convergence and risk monitoring, which can translate into data/reporting expectations and more comparable supervisory scrutiny across Member States.

Priority 3 — Innovation: enhancing technological capacity

• This priority explicitly connects to the EBA’s expanding perimeter and tech-related supervisory roles, including new responsibilities tied to DORA and MiCA; for banks, this typically elevates expectations on ICT/third-party risk and on how firms interact with crypto-asset ecosystems (directly or via clients/counterparties).

Cross-cutting: simplifying/streamlining the regulatory and supervisory framework

• The EBA states it is pursuing efficiency and simplification, including actions aimed at reporting burden and the production of Level 2/3 products. If executed, this could reduce duplicative requirements over time, but it can also trigger transition costs (systems/process change) as the reporting stack is redesigned.

European Central Bank (ECB)

Priority 1 — Resilience to geopolitical risks and macro‑financial uncertainties

• The ECB signals planned work that includes thematic review(s) of credit underwriting standards, follow-on reviews (e.g., loan pricing where relevant), and continued attention to capitalisation and CRR III implementation—all of which can affect supervisory findings, remediation programmes, and (indirectly) capital planning and RWA governance. Climate and nature-related risk management and transition planning also sit within Priority 1’s vulnerabilities/work programme.

Priority 2 — Operational resilience and robust ICT capabilities

• Expect supervisory intensity around DORA implementation (especially ICT third‑party and incident response), plus OSI campaigns, targeted reviews (e.g., ICT change management), and threat-led testing. ECB also highlights the need to remediate longstanding RDARR (risk data aggregation/risk reporting) issues and sets out a system-wide strategy with escalation if remediation is slow.

Medium-to-longer term focus — digital and AI strategies, governance and risk management

• The ECB is explicitly moving toward more structured engagement on banks’ AI (incl. generative AI) use cases, governance and controls—this can drive enhanced model risk management practices, data controls, and tech risk governance expectations over the 2026–28 horizon.

Final rules published; implementation from 2027
The PRA has finalised the UK Basel 3.1 rules, confirming a 1 January 2027 start date and providing firms with the certainty needed to complete implementation plans.

Near-final package largely confirmed
The final package broadly reflects the near-final proposals in PS17/23, PS9/24 and PS7/25, with no substantive policy changes and only limited clarifications.

Market risk: targeted adjustments and phased FRTB rollout
The PRA has finalised targeted adjustments to the Basel 3.1 market risk framework. The FRTB internal model approach will apply from 1 January 2028, with firms continuing to use existing internal models or standardised approaches until then. In CP17/25, the PRA consulted on four adjustments—now finalised in PS9/24—covering: a one-year delay to FRTB-IMA with non IMA positions moving to the new standardised approaches from 2027; simplifications for CIUs via de minimis thresholds and an adjusted look through threshold; a permissions regime for limited cases where the residual risk add on is considered disproportionate; and transitional reporting and disclosure changes, including retention of existing IMA templates until 2028. All four proposals were implemented as consulted, with the exception of the market risk look-through approach eligibility de minimis threshold which was lowered to 50%, reflecting feedback on operational challenges.

Integrated into wider UK banking capital framework reforms
As part of the wider reform of the UK banking capital framework, the package incorporates selected operational simplifications, embeds related changes such as the Strong and Simple framework and retirement of the refined Pillar 2A methodology, and aligns the rulebook with the UK’s post-Brexit regulatory regime.

Sector moves into implementation phase
With the rules now final, UK firms can focus on executing Basel 3.1 implementation, with the PRA indicating it will continue to engage on operational and transitional issues ahead of the effective dates.

Key elements of the PRA’s updated approach include:

• Enhanced Pre-Application Engagement: PRA will work more closely with firms before formal submissions to assess readiness and flag complex issues early.

• Dedicated Submission Slots: Firms will have designated slots for application submission, increasing procedural clarity and predictability on both sides.

• Accelerated Documentation Quality Checks: The PRA aims to complete thorough checks on application documentation within 4 weeks.

• Defined Review Timelines: Complete submissions will undergo review within 6 months if no additional information is needed.

• Final Decision Targets: PRA targets concluding decisions on applications within 18 months.

Implications for Banks

This transparent and disciplined approach is welcomed by firms. However, it makes banks’ committed model submission dates more important than ever. Firms need to be confident that they will be able to deliver the model in a certain month (with a foresight of a year in advance), having gone through a robust governance and validation process. They will also need to ensure all parts of the submission are complete and of good quality. Failure to deliver on time or to the expected standard will risk putting them ‘at the back of the queue’, resulting in more costly re-developments and potentially supervisory add-ons.
We see leading banks taking the opportunity to enhance their IRB model delivery and submission strategies.

Conduct a Comprehensive End-to-End Stock-Take of IRB Submissions

Across the board, we have observed the following best practices to fully review the current IRB model submission plans. This stock-take includes:

• Evaluate the feasibility and readiness of each submission relative to the PRA’s timelines and quality expectations. This is done in the light of both previous supervisory feedback and modelling challenges, to come to an honest assessment of whether a model can be delivered in a certain month.

• Integrate business and strategic priorities—focus should be placed on portfolios that align with the bank’s risk strategy and have the highest business impact.

• Evaluate levers to shorten delivery timelines – most banks now have elements of parallelization of different model development activities rather than a sequential ‘waterfall’ type approach

• Incorporate implementation readiness: given the PRA's more certain and shortened review timelines, banks should rigorously assess their ability to implement approved models within the required timeframe. Implementation timelines should be a critical dimension in deciding which models are "ready" for submission, ensuring that operational systems and infrastructures are aligned to support timely deployment post-approval.

Enhance planning and regulatory engagement
Our experience shows that the following three pillars are critical to ensuring a smooth, timely, and successful approval:

• Rigorous project management: the more formally and firmly committed timelines demand rigorous project management and discipline to meet deadlines. Late or rushed submissions significantly increase the risk of extensions and requests for additional information

• Avoid pitfalls from weak or incomplete documentation: all components of the submission package and in particular model documentation need to be planned from the outset to avoid gaps or quality issues that can jeopardise the model review proceeding as planned by ‘stopping the clock’ and having to re-submit

• Maximize the impact of pre-engagement meetings: the new pre-engagement meetings are an opportunity to present key elements of the model to the PRA end-to-end and provide specialists with the answers to key questions early on. In order to use this valuable time in the most impactful way, banks should prepare materials that directly address the PRA’s key areas of focus, including:

• Quality and depth of data and historical information used

• Key judgments and modelling assumptions

• Evidence of senior management involvement and ownership

• Thoroughness of internal model validation and challenge processes

By preparing high-quality, thoughtful presentations, banks can avoid surprises during the review phase.

How We Can Help

We recognise that the evolving supervisory approach poses new challenges and have worked with our clients to address these:

• Ensuring high-quality, complete submissions that meet PRA expectations and pass documentation quality checks first time

• Providing targeted project support to help banks meet the PRA’s accelerated regulatory timelines without sacrificing rigor

• Assisting clients in strategically prioritizing IRB submissions to align with both regulatory readiness and broader business goals, maximizing impact and resource efficiency

By partnering closely with our clients on these fronts, we help them transform regulatory requirements into competitive advantages and successfully navigate this evolving regulatory landscape.

The announcement represents one of the most significant restructurings of the UK’s financial crime oversight regime in over a decade. While the government has framed the reform as a simplification and strengthening of the UK’s defences against money laundering, early reactions from the legal profession and regulatory commentators suggest a far more complex picture, one that raises fundamental questions about proportionality, effectiveness, cost, and regulatory design.

Why the Government Acted: Fragmentation, Consistency, and International Pressure
At the heart of the reform lies a long-standing criticism of the UK’s AML supervisory model: fragmentation. Prior to the announcement, more than 20 professional body supervisors were responsible for AML oversight across legal, accounting, and other professional services. International assessments, including those by the Financial Action Task Force (FATF), have repeatedly highlighted uneven supervisory quality, inconsistent enforcement, and variable risk understanding across these bodies.

By centralising AML supervision within the FCA, the government aims to deliver greater consistency, stronger deterrence, and clearer accountability. The move also aligns with a broader policy narrative: strengthening economic crime controls while simultaneously reducing what the Chancellor described as “business bureaucracy” through rationalisation and digitisation.

However, the contradiction of tougher AML supervision alongside lighter-touch corporate reporting has not gone unnoticed.

Legal Sector Concerns: Proportionality and Sector Understanding

Reaction from the legal profession has been swift and largely sceptical. Representative bodies argue that the FCA’s financial-sector DNA may not translate well to the realities of legal practice, particularly for small and sole-practitioner firms.

The SRA, for example, had developed a tailored AML supervisory model over nearly two decades, combining education, thematic reviews, and increasingly assertive enforcement. By 2023, it supervised more than 6,000 firms and over 23,000 beneficial owners, officers, and managers, supported by a dedicated AML team and a multi-million-pound budget. While far from perfect – as evidenced by persistent deficiencies in firm-wide risk assessments – the SRA’s approach was rooted in a detailed understanding of legal services risk typologies.

Critics argue that imposing a financial-services-oriented regulator on the legal sector risks replacing targeted supervision with standardised compliance expectations. The fear is not deregulation, but over-regulation: duplicated reporting, increased formality, and a shift from judgement-based risk management to rule-driven compliance.

In Scotland, concerns are even more pronounced, given the distinct legal system and the Law Society of Scotland’s enhanced regulatory powers. The prospect of a London-centric regulator supervising thousands of small law firms has raised doubts about supervisory effectiveness and accessibility.

Cost, Complexity, and the Risk of Regulatory Burden Creep

One of the most persistent themes in stakeholder commentary is cost. AML supervision is not free, and under the SPSS model, the FCA’s expanded remit will need to be funded, ultimately by supervised firms.

There is apprehension that economies of scale may not materialise as hoped. Instead, firms may face higher fees, more extensive data requests, and parallel interactions with multiple regulators during a lengthy transition period. For smaller firms, particularly those already struggling with rising professional indemnity insurance and compliance costs, this could accelerate consolidation or market exit.

From a consumer perspective, these costs are unlikely to be absorbed quietly. As several commentators have warned, increased regulatory overheads tend to be passed on to clients, raising access-to-justice concerns at a time when affordability of legal services is already under strain.

A Harder Edge on Enforcement?

One area where the FCA’s involvement could prove transformative is enforcement intensity. The FCA has a well-established reputation for assertive financial crime supervision in banking and investment firms, underpinned by data-driven risk assessment, intrusive reviews, and public outcomes.

If this approach is extended to professional services, firms may see a marked increase in thematic reviews, skilled-person style assessments, and sanctions for weak AML frameworks, even in the absence of proven money laundering. The FCA’s long-standing focus on systems and controls failures suggests that “technical” non-compliance may attract greater scrutiny than under previous models.

This raises an important strategic implication: AML compliance for professional services is likely to become more formalised, more documented, and more closely aligned with financial-sector expectations. Firm-wide risk assessments, already a weak point under the SRA, are likely to become a primary supervisory entry point.

Broader Implications for the UK’s Financial Crime Framework

Beyond the legal sector, the FCA’s new mandate signals a broader recalibration of the UK’s approach to economic crime. Centralisation offers the potential for improved intelligence sharing, better alignment with law enforcement, and a more coherent national risk picture.

However, success will depend heavily on execution. The transition from multiple supervisors to a single authority carries material operational risks: loss of sector-specific expertise, supervisory bottlenecks, and short-term confusion over expectations. The FCA will need to demonstrate not only toughness, but adaptability by developing differentiated supervisory strategies that recognise the diversity of professional services business models.

Crucially, representative bodies such as the Law Society will need to remain closely involved in shaping guidance and risk typologies. Without this collaboration, there is a real danger that AML supervision becomes an exercise in compliance optics rather than crime prevention.

A High-Stakes Experiment in Regulatory Design

The FCA’s assumption of AML supervision marks a decisive shift in the UK’s financial crime architecture. It offers the promise of greater consistency, credibility, and international confidence, but also carries significant risks around proportionality, cost, and sector fit.

For firms, the direction of travel is clear: expectations will rise, documentation will matter more, and financial crime risk management will increasingly resemble that of regulated financial institutions. For policymakers and regulators, the challenge will be to ensure that centralisation enhances effectiveness without eroding the nuanced, risk-based supervision that professional services require.

Ultimately, the success of the SPSS model will be judged not by the elegance of its structure, but by whether it meaningfully reduces money laundering while preserving a competitive, accessible, and well-functioning professional services sector. The next two to three years will be critical in determining whether this reform becomes a benchmark for smart regulation, or a cautionary tale in regulatory overreach.

It is worth underlining that this is a system-wide benchmark used to guide expectations, rather than a single “switch” that instantly resets each bank’s requirements. A legal note captured in the press pack stresses the benchmark “is not immediately a binding rule”, but it strongly shapes PRA Pillar 2 decisions, buffer calibration, and market expectations.

The reaction from commentators was lukewarm. Brokers RBC framed the December package as constructive but “not an instant game changer”, noting the BoE expects capital requirements to come down by ~1% in 2027 (with ~0.5% from P2A) and estimating that this 0.5% P2A reduction frees ~£8.5bn of capital for RBC’s covered banks. Autonomous similarly highlighted that the headline shift was as expected, but that it contained “fewer concrete policy updates” than hoped - notably no CCyB cut, and “an announcement of a review” on leverage rather than immediate changes. Broadly speaking, brokers felt that the move was directionally positive but there was uncertainly about how quickly it becomes actionable for banks’ management targets and distributions.

A useful practical implication (and a good “investor narrative” point for an expanded piece): RBC explicitly suggested banks should shift investor messaging away from absolute CET1 ratios and toward capital levels relative to regulatory targets, especially if management targets start to come down over the next 12 months.

Why now?

The stress test results provided the immediate “permission structure” for the change in tone. Morgan Stanley highlighted an aggregate 350bp drawdown, with all banks ending above hurdle rates; it also attributed the lower drawdown (vs earlier tests) to balance sheet de-risking and a higher profitability starting point. Press coverage also emphasised that, even at the low point, the system remained meaningfully above minima/ systemic buffers (cited at around £60bn above aggregate minima and systemic buffers).

A particularly helpful articulation of the FPC’s logic came from Sarah Breeden (Deputy Governor for Financial Stability) in the Financial Times. She positioned the benchmark as an attempt to find the level of capital that maximises growth through the cycle (balancing fewer crises vs potentially higher lending costs). She also explained a key technical nuance: the FPC judged “appropriate” capital at ~11%, but then added 2 percentage points to account for imperfections/gaps in RWA measurement, yielding the 13% benchmark.

Buffer usability

The FPC and PRA’s stated ambition is to make buffers usable in stress, and to reduce incentives to deleverage in downturns or run with large voluntary buffers. However, multiple commentators highlight that behavioural stigma around dipping into buffers (and the market/supervisory reaction) is the real barrier. Convincing banks and shareholders that buffers can genuinely be drawn down could be challenging after ~15 years of tightening; prudence has “paid off” and perceptions may take time to shift.

Potential impact (if this workstream succeeds): even without changing headline minimum much further, improving usability could be the difference between (i) a 13% benchmark that remains largely theoretical, and (ii) banks actually reducing management targets and deploying capital into lending, organic growth, or distributions.

Simplification: the “Bufferati” vision and a single releasable buffer

Autonomous flagged that the BoE referenced Sam Woods’ 2022 “Bufferati” speech and the idea of a single releasable buffer, but also cautioned that banks are still likely to want to run headroom to MDA in practice. Separately, GlobalCapital quoted ABN AMRO’s Kapil Damani describing this as the UK’s first genuine rethink of the framework in over a decade i.e., a shift from “more capital” to “smarter, better-calibrated capital”, and explicitly linked the benchmark change to a move toward simpler, more usable buffers.

Potential impact: simplification is not just aesthetics; it could reduce real or perceived “stack complexity” that drives internal management buffers, and (depending on design) could also make stress-time capital deployment less procyclical.

Leverage ratio buffers: likely the most “material” lever for domestic banks

Several sources point to leverage as the area where changes could be more significant than the 13% benchmark itself. If leverage constraints are not addressed it will be difficult for banks like Lloyds and Natwest to lower target capital levels, since for domestics as well as UK-based global investment banks CCyB and domestic surcharge buffers are added onto the leverage requirement and must be met with pure CET1 (whereas the base 3.25% can be partly met with AT1).

Autonomous added that if objective is to make leverage less binding under stress, it may require revisiting the systemic buffer calibration in the leverage stack (they reference it as currently 35% of the RWA-based metric), though that could imply further divergence from international standards.

Potential impact: if leverage buffers are recalibrated, the beneficiaries could disproportionately be domestic retail banks whose leverage stack is currently “heavier”, potentially enabling lower CET1 targets even if RWAs fall and IRB improvements reduce risk densities.

Domestic-exposure capital requirements: de-duplicating overlapping intents

The BoE will do further work on how domestic-exposure-related requirements interact (CCyB, O‑SII, elements of P2A). Presumably the intent is to avoid double-counting of risk.

Potential impact: this is a technically complex area, but it is potentially where the BoE/PRA can reduce conservatism without weakening overall resilience — by ensuring different tools are not inadvertently charging for the same exposure twice.

Broad implications

A Financial Times commentary cited Alvarez & Marsal estimates that, on £3tn of domestic RWAs, a 1pp change could free up ~£30bn of capital; it also highlighted that how much is realised depends on banks’ own capital headroom preferences. Compare with RBC’s “covered universe” specific estimate (mentioned above) of ~£8.5bn from the 0.5% P2A move.

A Reuters piece captured the post‑announcement debate sharply: former officials John Vickers and David Aikman argued requirements should be higher, warning the practical effect could be higher payouts to shareholders; Governor Bailey defended the cut, saying roughly half the change reflects Basel 3.1 and half reflects lower-than-expected systemic importance, and emphasised that financial stability is a precondition for growth (also pointing to the credibility of the UK resolution regime).

Ultimately, even if the framework is easing, political and reputational constraints will shape how quickly banks convert capital capacity into distributions.

A GlobalCapital piece discusses the impact on the UK SRT market (relevant for the Treasury Platform): while the “natural expectation” is that lower requirements reduce the imperative for SRT, market participants still expect activity to continue because (i) the reduction is small and (ii) banks typically maintain safety margins anyway.
The same source notes an uptick in private capital relief transactions and highlights that incoming Basel 3.1 (tightening capital calculation) remains a key driver of banks’ incentive to optimise capital.

The Financial Times commentary explicitly argued Bailey’s pronouncements will be watched across Europe, noting competitive dynamics with the US and potential pressure on European regulators if the UK moves further. A separate GlobalCapital piece discusses EU buffer usability/simplification debates and notes expectations around an ECB-led simplification task force report, situating the UK move in a broader global “lighten the load” conversation (with uncertainty about how far it goes). So a key consideration to note in any more in-depth piece whether the UK is ‘front‑running’ a broader recalibration - or diverging?

Pulling this together, the FPC’s 13% benchmark is best read as a directional reset and a platform for follow‑through work - rather than a one-off “capital giveaway.” The stress test results support the claim that resilience is strong, and Breeden’s articulation of “optimal capital” plus an explicit RWA‑uncertainty overlay provides a defensible prudential rationale.

But the real-world impact for banks will depend on: (i) whether buffer usability reforms genuinely change behaviour, (ii) whether the leverage review reduces bindingness for domestic banks, and (iii) whether “domestic exposure” requirements can be streamlined without creating new blind spots.

EBA consults on climate-focused changes to the Systemic Risk Buffer (SyRB) guidelines

EBA
The European Banking Authority launched a consultation to amend guidelines on sectoral exposures for the Systemic Risk Buffer to make climate risk more visible in macroprudential capital tools. Proposed changes aim to add granularity in identifying climate-related exposures and how they are treated across jurisdictions. The consultation runs through April with a public hearing scheduled for April 2026.

Why this matters
Embedding climate risk into macroprudential tools raises expectations for data, reporting, and capital planning across large banks. It may also lead to divergent national calibrations, complicating cross-border capital planning. For risk planners, this signals climate risk accruing real prudential weight, not just disclosure emphasis.

Bank of England/PRA publishes its 2026 supervisory priorities

PRA
The PRA set out its supervisory priorities for 2026, highlighting a streamlined supervisory process and more efficient focus on key risks. The document confirms a shift of some supervisory reviews (like Periodic Summary Meetings) onto a biennial cadence. It also emphasises proportionate risk identification and remediating material weaknesses across banks and building societies.

Why it matters
This shapes how UK regulators allocate their scrutiny and resources, affecting risk reporting and supervisory engagement across firms. Streamlining may reduce administrative burden but heighten focus on core risks like governance and capital adequacy. Banks should adjust planning and evidence tracks to align with the updated supervisory cadence.

ECB Vice-Chair Elderson emphasises operational and geopolitical shock resilience in supervision

ECB
The ECB’s Frank Elderson told the European Parliament that supervisory priorities through 2028 will emphasise resilience to geopolitical and macro-financial shocks as well as operational risk (e.g., cybersecurity). He also reinforced stronger oversight of innovation risks, including AI and digital assets. Elderson stressed that supervisory simplification must not dilute risk-based scrutiny.

Why it matters
This highlights where supervisors will intensify scrutiny - particularly on cyber, third-party risk, and innovation controls. A clearer risk focus aids strategic compliance planning but raises expectations on operational risk governance. It signals that resilience goes beyond capital ratios to include non-financial operational domains.

Bank of England Governor warns shadow banking could threaten financial system

The Times
Bank of England Governor Andrew Bailey said regulators must address risks in the shadow banking sector, warning it could pose systemic threats due to growing scale and opacity. He announced plans for a new stress test of the private markets ecosystem to better understand systemic vulnerabilities. Bailey noted that while traditional banks are resilient, non-bank interconnections require closer monitoring.

Why it matters
A shift of supervisory attention toward shadow banking broadens the perimeter of risk monitoring beyond traditional deposit-taking banks. Systemic risk could be masked if these sectors expand without commensurate oversight. Banks with exposures to market-based finance should prepare for increased scrutiny on indirect risks and interconnected exposures.

EBA completes IRRBB Heatmap work, highlighting EVE/NII and CSRBB issues

EBA
The EBA published its final report on medium-to-long-term objectives under the IRRBB Heatmap initiative, noting progress but ongoing asymmetries in EVE and NII impacts. The report highlighted inconsistent treatment of Credit Spread Risk in the Banking Book across banks. It encourages firms to align approaches and enhance governance.

Why it matters
Interest rate risk in the banking book remains a core balance-sheet vulnerability in a rate-volatile environment. Divergent practices around credit spread risk and hedging governance can prompt regulatory findings and capital add-ons. This underscores the need for robust risk measurement, governance, and consistent methodology.

Bank of England/PRA finalises Basel 3.1 UK rules and confirms implementation timing

BoE/ PRA
The PRA published its final Basel 3.1 package in PS1/26, setting out the calibrated UK approach to the post-crisis Basel reforms. It reconfirms the UK implementation date of 1 January 2027 after a one-year delay agreed with HM Treasury. The policy statement anchors the supervisory baseline for firms in scope.

Why it matters
Basel 3.1 shapes capital calibration, risk-weighted assets, and disclosure norms critical to capital planning and competitiveness. The delayed timeline adds execution risk and cross-border complexity for UK-EU/US operations. It also underlines the need for robust programme management and model

BIS speech warns AI and digital finance can create new financial-stability fault lines

Bank of International Settlements
In a BIS speech in Hong Kong, Tao Zhang warned that rapid adoption of artificial intelligence and digital finance could create new fault lines in financial stability. He highlighted risks from operational fragility, concentration, and common-mode failures where institutions rely on similar models, vendors, or data. The speech also noted that automation and faster market dynamics could amplify stress, arguing that policy and risk frameworks must evolve alongside technological adoption

Why it matters
For GSIBs and DSIBs, AI risk is increasingly viewed not just as a model or operational issue but as a potential systemic risk. Heavy reliance on shared technology stacks and third-party providers heightens correlated failures that are difficult to mitigate through diversification. This raises supervisory expectations for robust AI governance, resilience planning, and clear incident management under a financial-stability lens.

EBA and AMLA complete handover of AML/CFT mandate effective 1 January 2026

EBA
he EBA announced that the new EU Anti-Money Laundering Authority (AMLA) took over AML/CFT supervisory mandates effective 1 January 2026. This structural change centralises oversight of anti-money-laundering supervision in the EU. The transition is intended to strengthen coordinated action and supervisory consistency.

Why it matters
Centralised AML supervision raises expectations for consistent, high-quality controls, reporting, and risk management across large banking groups. AML failures remain a key operational and reputational risk with rapid escalation potential. For international groups, alignment between UK and EU frameworks will be critical to managing compliance risk.

ECB advances climate and nature plan embedding risks into supervision

ECB
The ECB announced deeper integration of climate and nature-related risk considerations across its supervision and policy frameworks. This includes enhanced risk assessment capabilities and scenario analysis tools. The ECB intends to use binding decisions where necessary.

Why it matters
Climate and nature-related risks are now mainstream in euro-area supervisory expectations, with potential direct implications for capital adequacy and risk management. Banks need robust strategies and evidence to satisfy growing supervisory demands. It increases the importance of scenario planning and data quality in climate risk frameworks.

FINMA issues guidance to limit crypto-asset custody risks

FINMA
Switzerland’s regulator FINMA released guidance outlining expectations to limit operational, legal, and control risks linked to crypto-asset custody services. It emphasises firm structure, governance, and risk controls in crypto custody offerings. The guidance aims to protect clients and support supervisory clarity.

Why this matters
As crypto exposures grow, custody operations concentrate operational and compliance risks that could cascade into larger reputational and financial shocks. Regulatory guidance signals enhanced scrutiny and expectations for control environments. This affects UK and global banks offering digital asset services as part of broader risk frameworks.

The survey mainly consists of multiple-choice questions and is targeted at the risk modelling technology users (including regulatory change programs leaders, regulatory model owners and model developers).

RiskBowl users are invited to participate – your input will help generate valuable benchmarking data, which will be shared exclusively with participants.

We kindly request that the survey be completed by 21st November, with a view to share results by the end of November

Access the survey here

Should you have any questions, please feel free to reach out to Angelina Egorova, who is leading this initiative within our London F&R team.

Thank you for your time and cooperation.

As banking leaders look beyond 2025 toward 2030 and beyond, a series of “big debates” are emerging within the industry. How individual banks and banking sector as a whole resolve these debates will in large part shape the environment in which Risk functions operate, influencing priorities, resourcing, and governance structures over the coming decade.

The Risk function of the future will need to be prepared for multiple, simultaneous pressures. First, it must respond to growing end-customer expectations for seamless experiences, while maintaining resilient performance, a combination that increasingly carries a high premium in competitive markets. Second, Risk functions must be ready for the next financial crisis, which many analysts view as increasingly “due” given historical cycles and macroeconomic pressures. Third, the function must confront actual climate-related risks, moving beyond scenario exercises to tangible, measurable mitigation and monitoring. Fourth, AI mastery will no longer be optional; it is rapidly becoming a table-stakes capability for Risk teams, both for efficiency and for insights-driven decision-making.

While AI presents significant opportunities, Risk functions must approach it with both enthusiasm and realism. Many of the tasks performed by Risk involve “trust functions” i.e., oversight, challenge, and independent verification, which cannot be fully automated. Therefore, AI should be leveraged strategically, deployed where it adds measurable value, and integrated thoughtfully into existing control and assurance frameworks.

Beyond technology, we also see a broadening of Risk’s remit. The Risk function is increasingly positioned to serve as the bank’s protector of truth, ensuring that information, assumptions, and metrics across the institution remain reliable, consistent, and auditable. In this sense, Risk is not just a defensive or compliance-oriented function; it is a guardian of credibility, playing a central role in how the bank navigates uncertainty, innovation, and stakeholder expectations over the next decade.

Risk Vision and Strategy

AI in Risk

In the near term, Risk will enhance human productivity with GenAI as a supportive ‘co-pilot’, while waiting for more reliable technology before fully evolving into dynamic, specialized AI-human collaborative networks in 2030

• In the next two to three years, leading Risk functions will deploy GenAI as a disciplined co‑pilot to amplify human productivity, prioritizing discovery and drafting tasks, supported by expert predictive scaffolding and anchored in high‑quality data repositories (including GRC/ RCSA tooling). Scope for holistic process reimagination however remains limited in scope until reliability materially improves, which we anticipate in the next decade and beyond

• As AI accuracy surpasses 99%, Risk will then transition into dynamic, specialized AI‑human collaborative networks, where orchestrated agents operate in real time under human supervision, unlocking scale, speed, and sharper decisioning across the enterprise

Governance

Future Risk Governance will strike a dynamic balance between 1/2LOD responsibilities, embrace (some) agile FinTech-inspired practices, deeply embed risk culture in the organization, and streamline governance

• Risk governance is migrating to a pragmatic equilibrium in the three lines of defence, with mature-risk activities moving closer to the first line for tighter business alignment while the second line rapidly builds expertise in novel risk types. At the same time, agile practices borrowed from FinTechs are reshaping ways of working, integrating risk early in decisions, preserving independence, and elevating a strong, lived risk culture across the enterprise

• To make this shift stick, successful Risk functions will simplify and rationalize committee structures, delegate more decision rights to where the information is richest, and advance the governance toolkit so oversight becomes faster, clearer, and more effective in a more volatile world

Risk Pillars

Credit risk

The Credit Risk Function of the Future will reduce involvement in individual transaction approval and annual reviews, assessing risk based on real-time data

• In the near term, leading institutions will deploy AI to strengthen origination and monitoring, using targeted automation to boost coverage, consistency, and speed without compromising control or judgment

• Over time, these capabilities will converge into a fully integrated human-AI credit system that continually assesses risk using real‑time data and drives decisions through a “zero‑ops” approach—minimizing manual intervention while elevating oversight and outcome quality

• As accelerated digitalization and lending commoditization reshape the market, automated decisioning systems will expand in scope and ticket size, becoming a core
  engine of scalable growth and disciplined risk management

Non-Financial Risk, Compliance and Economic crime

The NFR function will revolutionize into a real-time and strategic response unit, integrating automation, AI and strategic accountability

• As non-financial risk capabilities modernize, previously manual processes will be seamlessly automated and orchestrated in real time, elevating regulatory adherence while shifting the function from reactive remediation to proactive risk management
• Continuous control testing, real-time compliance execution, and end-to-end accountability will hardwire strategic collaboration across the bank and direct control spend to the highest‑impact areas, creating a faster, clearer, and more anticipatory line of defence

Model risk

MRM is evolving into a proactive enabler of safe AI adoption, balancing innovation with oversight

• Model Risk Management is shifting from gatekeeper to catalyst, embedded in high‑impact initiatives to enable AI‑driven innovation, while moving earlier into the model lifecycle to strengthen oversight and collaboration with the first line.

• At the same time, supervisors are raising the bar on transparency and accountability for AI and third‑party models, pushing firms toward materially stronger governance frameworks that balance speed with safety

Enablers

Risk analytics, Modelling and Data

Future Risk Analytics will leverage modularized toolkit powered by centralised data assets, and expand insights by harnessing unstructured big data for stronger predictive power

• Successful Risk functions will industrialize analytics by building centralized toolkits with standardized code modules that can be reused across multiple use cases, all powered by centralized data assets that act as a single “golden source” for the entire analytical suite
• Risk specialists will then harness GenAI to accelerate documentation, code generation, and peer reviews, shifting time from manual effort to deeper analysis and faster decisioning
• In parallel, the function will broaden its data universe by incorporating unstructured big data to materially strengthen predictive power, improving the accuracy, timeliness, and relevance of insights delivered to the business

Talent

The future Risk workforce will blend critical thinking, tech savvy, and risk intuition, while winning talent through diverse experiences, agile work styles, cutting-edge tech, strong culture, and inspiring leadership

• To build the risk function of the future, CROs must cultivate a more well‑rounded cadre of professionals, combining critical thinking, a big‑picture perspective, risk intuition, and strong technology literacy and analytics, while competing effectively in the war for talent by offering diverse experiences, more agile ways of working, advanced tooling, a strong, lived culture, and thoughtful leadership that inspires and retains new generations of risk experts

In sum, the Risk function’s next chapter will be defined by its ability to simultaneously elevate customer experience, withstand systemic shocks, operationalize climate risk, and master AI, while preserving the integrity of core “trust functions” through disciplined oversight and human judgment. As governance evolves toward a pragmatic equilibrium across the lines of defence, with agile, FinTech‑inspired practices and a lived risk culture, Risk will increasingly act as the bank’s protector of truth, ensuring reliable, auditable decisioning in a more volatile world.

Credit will transition toward integrated, real‑time, human‑AI systems that expand automated decisioning without sacrificing outcome quality; NFR and Compliance will become proactive, real‑time control engines; and Model Risk will shift from gatekeeper to catalyst, enabling safe, transparent AI at scale. Underpinning this transformation, centralized data assets, modular analytics, and GenAI‑accelerated workflows will industrialize insight generation, while unstructured data broadens the field of vision. Ultimately, success will hinge on talent i.e., blending critical thinking, risk intuition, and technology literacy, supported by inspiring leadership and agile ways of working.

Those banks that commit early, invest thoughtfully, and embed these capabilities end‑to‑end will not only manage risk more effectively; they will compete and differentiate in the decade ahead

The last decade has reshaped the architecture of global finance. Lending once channelled primarily through banks has increasingly migrated into the hands of non-bank financial institutions (NBFIs), such as private-credit funds, real-estate finance vehicles, hedge funds and specialist lenders that operate largely outside the supervisory perimeter. With this shift, what regulators once labelled the “shadow banking system”, which shifts credit intermediation and other financial activities outside the regular banking system, has become a central force in credit creation and could prove dangerous as risk is pushed to lightly regulated areas of the financial system.

Today, the global private-credit market is estimated to exceed $3 trillion. It has grown more than five-fold since the global financial crisis, faster than almost any other major asset class, and is the primary lender to many mid-market firms. Companies that find banks’ balance sheets constrained by regulation or capital rules increasingly turn to private-credit funds for financing tailored to their specific needs.

From fringe to financial core

Private-credit’s appeal is rooted in flexibility: faster approvals, bespoke terms, and financing solutions banks often can’t provide. Pension funds and wealth managers, hungry for yield, have poured capital into the sector. As a result, NBFIs are now woven deeply into the plumbing of global finance.

Crucially, banks are not bystanders. They supply:

• Credit lines and leverage
• Derivatives and hedging
• Warehouse facilities for loans
• Capital commitments as investors

This symbiotic relationship has tightened the linkages between regulated and non-regulated finance.

Opacity: the unresolved concern

The International Monetary Fund and Bank of England have recently warned that while private credit supports real economic activity, it also operates in an environment of lighter disclosure, less-tested liquidity structures and opaque leverage. Risk builds out of view and can cascade quickly.

Unlike banks, private-credit funds do not hold deposit-based liabilities. They rely on institutional capital and financing markets. That structure can be an advantage, insulating the retail system from classic bank-run dynamics, but only if liquidity remains available.

A problem for tomorrow or a pressure point for today?

No one is arguing that a crisis is imminent. The BoE is preparing voluntary stress tests of private-credit and NBFI exposures not because the system is flashing red, but because it isn’t monitored nearly as closely as banks.

The broader worry is timing: when the credit cycle turns, collapses tend not to unfold slowly – they snap.

Highly leveraged borrowers, elevated asset valuations and tighter financial conditions could expose fragilities far faster than policymakers are prepared for. In the real-estate sector especially, loan-level stress remains uneven, and stress-correlations are poorly understood.

The optimistic counterview

Many practitioners argue that the rise of private credit is not a failure of banks, but an evolution of the market:

• Diversifying funding away from the banking system reduces systemic concentration
• Many deals employ senior-secured structures and robust covenants
• Losses fall mainly on institutional investors, not taxpayers

Rather than a threat, they see resilience: a parallel channel that broadens credit access and supports growth.

Private credit sits at the crossroads of modern finance: part innovation, part necessity, and part enigma. Its rapid rise reflects both the strengths and limitations of today’s banking system, namely more regulation in the core has pushed risk outward, which is rational when markets are calm and capital plentiful.

But financial stability is a collective good. As private lenders take up a larger share of global credit, the system has become more interconnected, more complex, and more data-poor. These blind spots matter, because crises rarely emerge from where we are watching.

The challenge is clear, and perhaps one which perennially before policymakers: catch up to the market’s evolution before the market tests the system’s resilience
If transparency improves, oversight sharpens, and risk transfers are better understood, the rise of private credit could mark a new era of diversified, durable financing. If not, the very shift that was meant to reduce fragility may end up revealing it.

Either way, this is no longer a shadow story but the future of finance taking shape in real time.

References

• IMF (2024), Global Financial Stability Report: The Rise and Risks of Private Credit.
• Deloitte (2024), Private Credit Growth and Corporate Financing.
• PwC (2024), Private Credit: Rewiring Credit in Capital Markets.
• Macquarie Capital (2024), Private Credit Market Set for Significant Growth in 2025.
• BlackRock (2024), The Growth of Direct Lending.
• FSB (2024), Global Monitoring Report on Non-Bank Financial Intermediation.

Jan Polách, Oliver Wyman

Introduction

In recent years, physical climate risk has emerged as an increasing concern for financial institutions worldwide. This heightened importance is driven by the increasing frequency and severity of climate-related events such as hurricanes, floods, droughts, and heatwaves, alongside longer-term shifts like rising sea levels and higher average temperatures (1). These phenomena are causing significant disruptions to businesses, infrastructure, and communities, leading to substantial economic losses that have the potential to impact financial stability not just of the affected areas but also of the wider economy. At the same time, regulators are intensifying their focus on climate risk management, introducing stress tests, scenario analyses, and mandatory disclosure requirements. Over 50 ministries of finance across the globe have pledged their support for the Helsinki Principles, committing to incorporate climate change considerations into macroeconomic policy, fiscal planning, budgeting, and public investment decisions. Investors and stakeholders are also demanding greater transparency and accountability, integrating environmental, social, and governance (ESG) considerations into their decision-making processes (2). Together, these factors underscore why physical climate risk has become a central issue for the financial sector, necessitating proactive strategies to manage and mitigate its impacts.

Data

To date, much of the attention on climate-related financial risks has centred on transitions risks (Carney 2015). In this article, we investigate the impact of acute physical climate risks on the delinquency rates of mortgages in the US and show that, for certain types of these risks, the impacts may be meaningful. The results we present here provide a way for lending institutions to quantify the potential increase in the default behaviour within their portfolios and may be used in calibrations of climate-risk-aware credit risk models, including climate-aware RWA models.

We obtain the data on mortgage delinquency rates (30–90 days past due, 91 and more days past due) from the National Mortgage Database (NMDB), which uses a nationally representative sample of residential mortgages (3). The dataset is at the county-level and covers the period from January 2008 to December 2024. Figure 1 shows the 90+ days past due (DPD) rate in time by US state, aggregated from the county-level data, with significant variations both in time as well as cross-sectionally (4).

Figure 1: The 90+ days past due rates by US state aggregated from the county-level data

We join this dataset with the Disaster Declarations Summaries data, also at the county-level, maintained by the Federal Emergency Management Agency (FEMA) that summarises all federally declared disasters (5). Figure 2 shows the number of disaster declarations related to the physical risk types we consider in this article, at the county-level and presented by year. The evident outlier is due to the 2005 Atlantic hurricane season that featured 28 tropical and subtropical storms and, of those, seven were major hurricanes rated Category 3 or higher with four of these rated Category 5.

Figure 2: Number of disaster declarations at the county level by year and disaster type

Results

To estimate the impact of the physical risk-related natural disasters shown in Figure 2, we build a panel data fixed-effects econometric model of the form

where is the difference in the delinquency rate for county between times and the county-level fixed effects, the time fixed effects, and the number of disasters declared for county between and (6). The results of the estimations are shown in Figure 3 by plotting the impact (in basis points) of a disaster on the delinquency rates across a range of lags. For drought and freezing events, there are not enough unique data points to estimate the model on and, as a result, these two types are not considered further.

Figure 3: Impact of a single natural disaster on the delinquency rate, by disaster type and lag length

The results reveal a few interesting patterns. First, unsurprisingly, disaster type matters. Fire-related events have very little economic and statistical relationship with the delinquency rates while all other disaster types tend to increase the delinquency rates across a range of horizons in a meaningful manner. Second, this impact tends to be concentrated in the defaulted pool of loans that are more than 90 DPD; apart from hurricanes, these natural disasters do not have a significant impact on the delinquent, but not defaulted, loans that are between 30 and 90 DPD. Third, the impact tends to level off between 18–24 months from when the event occurred with, again, hurricanes being the exception and impacting the delinquency rates in a more persistent manner. Fourth, immediately after the disaster, hurricanes tend to be associated with temporarily suppressed delinquency rates, a result that has been discussed previously by e.g. Gallagher and Hartley (2017) and driven by homeowners using flood insurance to repay their mortgages rather than to rebuild. However, this trend reverses, and after five to six months the delinquency rates increase.

Applications

The econometric model we have estimated equips us with a quantification of the impact of various natural disasters on the county-level delinquency rates. These estimates may be used directly in climate stress tests to understand the potential changes in the credit quality of the portfolio in the face of adverse weather events at the portfolio level or, for example, when calibrating the individual borrowers’ sensitivity to the shocks caused by these disaster types within a Merton model framework (7).

Similarly, this approach may be leveraged by financial institutions that want to understand the impact of acute climate physical risk on their RWAs. While still an emerging field, climate-aware RWA estimation has been gaining traction recently (8), and a framework similar to the one discussed in this article may be employed to quantify the change in the default probabilities of obligors and the resulting capital impact.

References

• Carney, Mark. 2015. “Breaking the Tragedy of the Horizon–Climate Change and Financial Stability.” Speech Given at Lloyd’s of London 29: 220–30
• Gallagher, Justin, and Daniel Hartley. 2017. “Household Finance After a Natural Disaster: The Case of Hurricane Katrina.” American Economic Journal: Economic Policy 9 (3): 199–228
• Oliver Wyman, UNEPFI. 2018. “Extending Our Horizons. Assessing Credit Risk and Opportunity in a Changing Climate: Outputs of a Working Group of 16 Banks Piloting the TCFD Recommendations.” UNEPFI Whitepaper
• Pozdyshev, Vasily, Alexey Lobanov, and Kirill Ilinsky. 2025. “Incorporating Physical Climate Risks into Banks’ Credit Risk Models.”

Footnotes

1. These two groups of physical risks are typically termed “acute” and “chronic” physical climate risks, respectively
2. For more information on the Helsinki Principles, visit The Coalition of Finance Ministers for Climate Action at https://www.financeministersforclimate.org/
3. The NMDB is a joint project undertaken by the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency (FHFA)
4. The apparent seasonality at year-ends is driven by (bad) loan write-offs and subsequent closures typically in January
5. We filter this dataset and only consider those disasters that may be classified as manifestations of physical climate risk
6. We estimate this model separately for each disaster type and a range of different lags. The reason for differencing the dependent variable is the presence of unit roots in the original time series
7. See Oliver Wyman (2018) for an example use of such a model in a climate context
8. An example of such a model is that developed by Pozdyshev, Lobanov, and Ilinsky (2025)

On 9th October 2025 we held our latest RiskBowl Live roundtable with participants from 10 banks and building societies, alongside two of our senior advisors: Colin Jennings (ex-PRA and ex-CRO) and Lukasz Szpruch (The Alan Turing Institute).

This roundtable brought together senior heads of Model Risk Management to take stock of where banks are on managing the model risk of AI and discuss their convergence towards full compliance with SS1/23.

The discussion confirmed a common trajectory: an early phase of AI modelling experimentation has exposed structural gaps — in taxonomy, inventory management, model monitoring and validation — that now require a coordinated effort to make bank-wide AI use safe, auditable and scalable across firms. Firms have welcomed the clarity and the heightened stature of Model Risk in the firm’s risk taxonomy, and are using its guiding principles to coordinate said effort.

Key takeaways from the discussion are presented below:

Managing the model risk of AI
• Experimentation to consolidation: participants described an early period of numerous disjointed pilots and recommend grouping similar use cases to scale efficiently rather than proliferate ad hoc AI projects
• Use case specific governance: high risk algorithmic/decisioning use cases require materially different controls from low risk productivity tools; a one size governance model is insufficient
• New tech stack & MRM implications: generative AI brings dependencies that must be formally approved and governed. These create integration and approval work that traditional MRM processes were not designed to cover.
• Skills and vendor risk gaps: many teams or vendors originate outside banking and lack knowledge of bank’s processes, compliance expectations, and model lifecycle controls; stronger third party standards and onboarding are needed
• Model classification ambiguity: simple assistive tools (e.g., grammar correction) may fall outside current model definitions, while some AI systems sit partially within model risk remit—creating uncertainty about monitoring and ownership
• Committee and oversight design: avoid duplication of oversight bodies — firms must clarify roles between existing model risk committees and any AI monitoring forums
• Quantitative monitoring and human AI controls: firms want monitoring frameworks capturing model and human performance, with defined escalation triggers and the ability to switch to automated testing based on scale and level of risk

Convergence towards compliance with SS1/23
• Raised standards and visibility: SS1/23 has driven broader Model Risk visibility within firms and heightened board awareness
• Material operational uplift: documenting and managing additional models and DQMs in scope is increasing resourcing and cost materially — firms reported significant headcount increase and process redevelopment
• Definition and scope tensions: debate continues on what counts as a model (quantitative, deterministic, qualitative outputs, agentic behaviours) and on incentives to classify or de classify to manage control and operational burden
• Validation and ownership challenges: validating qualitative and AI enabled outputs is resource intensive; teams need clarity on who conducts testing (first line, MRM, or specialist validation units) and on practical monitoring cadences
• Ongoing dialogue required: participants agreed continued cross firm engagement and proactive regulatory conversations are necessary to align interpretations and reduce operational fragmentation between firms and subsidiaries

Cem Dedeaga
Partner, Head of Risk Modelling UK&I
cem.dedeaga@oliverwyman.com

Matias Coggiola
Senior Manager, MRM lead
matias.coggiola@oliverwyman.com

Download the above as PDF by clicking on the link here: 20251009_MRM_Roundtable_Summary_vF.pdf

How do you choose between the effectiveness and efficiency of the Finance function? We believe this is the wrong question, a false trade-off. The best-in-class Finance functions can achieve greater effectiveness and efficiency in tandem

In our latest OW Treasures, we explore how to tackle this challenge and drive the Finance of the Future - we’d love to hear your thoughts

Germany’s Bundesbank has tabled a set of options to strip back the euro area’s “maze” of bank capital rules, arguing that complexity is hobbling the very buffers meant to be used in stress. In a keynote on 12 September 2025, President Joachim Nagel urged EU policymakers to consolidate requirements, clarify what counts for going versus gone concern loss absorption, and make more of the system explicitly releasable in a downturn—without lowering resilience

What the Bundesbank is putting on the table

Nagel outlined three core simplification moves and a proportionality strand:

• Two core requirements, met entirely with CET1. Today’s parallel minimum ratios and add ons would be pared back so the going concern stack speaks in one language: common equity

• Re assign AT1 and Tier 2 to “gone concern” use only. Subordinated instruments would serve resolution needs (MREL/TLAC), rather than padding day to day requirements that banks try to meet in steady state

• Merge the CCyB and SyRB into a single, releasable buffer. That would make drawdowns more credible when macro conditions sour

• A cleaner, lighter regime for small, non complex banks. Proportionality is a repeated theme across the speech and the conference framing

The push comes with an explicit health warning: simplification is not deregulation. In a companion essay, a Bundesbank executive board member called for Europe’s overlapping “stacks” to be made transparent and usable, not looser

How this fits into the EU rulebook (Basel III finalisation, SSM/SRB)

The proposals would land on top of CRR3/CRD6, the EU’s final Basel III package that entered into application on 1 January 2025 (with some phased elements). Under current law, Pillar 1 minima remain CET1 4.5%, Tier 1 6%, total capital 8%, with buffers (the CBR) made of CET1 and added via the CRD, plus SSM set Pillar 2 overlays and guidance. Any shift to a CET1 only going concern stack and a single releasable buffer would therefore require legislative changes in Brussels and coordination with supervisors and the Single Resolution Board

A stricter separation of prudential (Pillar 1, Pillar 2, CBR/P2G) and resolution (MREL/TLAC) is also squarely in line with concerns the SRB and ESRB have flagged: as frameworks overlap, capital that looks releasable on paper can be trapped by parallel minimums in practice (including leverage and MREL expressed in LRE). The Bundesbank’s blueprint would try to eliminate that double counting

Why now: the problem of buffer usability (stated and implicit goals)

Stated goals are usability and clarity: if buffers cannot be drawn without breaching some other binding constraint—or if banks fear market or supervisory stigma—the buffer concept breaks. The Basel Committee and ESRB have documented these frictions; the ECB/ESRB also advocate building releasable space early in the cycle via a “positive neutral” CCyB. The Bundesbank proposals closely echo that logic

Implicit goals are competitiveness and coherence. EU banks face higher complexity costs and, at the margin, less usable headroom than some peers. Simplifying the stack while tilting going concern requirements toward pure CET1 could improve comparability with other jurisdictions, especially as the US reworks its “Basel endgame” and leans into domestic recalibration

Early reactions

• ECB/SSM Chief Supervisor Claudia Buch has been championing “simplification without deregulation,” backed by a High Level Task Force chaired by Luis de Guindos to sift practical proposals across prudential, supervisory and reporting domains. Messaging from ECB supervisors consistently ties simplification to SREP process reform, not lower capital

• EBA and SRB The EBA’s 2024 report mapped EU stacking orders (Pillar 1/2, buffers, leverage, MREL) and stopped short of recommending immediate rule changes, but it underscores how stack interactions can bind. The SRB has warned explicitly that overlap can limit buffer usability

• Industry The European Banking Federation’s “Simply Competitive” campaign urges cutting regulatory complexity as a competitiveness priority—language that dovetails with the Bundesbank pitch while also pushing for broader policy changes

• Parliament/think tanks A recent European Parliament study on banking competitiveness calls for simpler capital/loss absorbency requirements and more centralised macroprudential decision making in the Banking Union

• Markets There was no discrete price move tied to the speech; Euro STOXX Banks rose +0.12% on 12 Sept, with subsequent sector moves dominated by macro newsflow. That points to a policy story unfolding over months, not days

Consistency with past Bundesbank/ECB positions

The Bundesbank has historically backed full, faithful Basel implementation and published regular impact updates. Its 2024 assessment put the CRR3/CRD6 driven increase in minimum required capital for a German sample at ~3.3% by 2030 (phase in), reinforcing a resilience first stance. The new initiative targets architecture and usability, not lower capital. On the ECB side, recent speeches and blogs emphasise stable methodologies, more proportionality for small banks, and process simplification—again, not a reduction in prudential strength

What would change if the ideas advance?

• Bank stability A CET1 only going concern stack could raise the quality of loss absorbing resources and make drawdowns clearer in stress, at the cost of transition pressure for banks that currently rely on AT1/T2 to meet Pillar 2 requirements. The payoff is a more credible “use it when needed” buffer design

• Resolution credibility Ring fencing gone concern resources in MREL/TLAC and removing overlaps with prudential buffers would clarify the hierarchy of loss absorption, potentially strengthening resolution planning and investor signalling. But it would likely reprice AT1/T2 as their role is narrowed

• Competitiveness and costs Less stacking order confusion and fewer composition rules can reduce compliance friction and free headroom that is actually usable, which industry argues matters for credit supply. The ECB and ESRB’s push for releasable capital supports this direction, provided overall resilience is preserved

• Legislative pathway Delivering any of this requires EU co legislation (CRR/CRD and potentially SRMR/BRRD changes) and detailed alignment across SSM and SRB methodologies. With the ECB task force work ongoing, observers expect an initial simplification package for lawmakers’ consideration around year end. Timelines and calibration will be the politics

Analytical context: today’s stack and why it binds

Under the current EU framework, banks satisfy Pillar 1 minimums (CET1/T1/TC), then layer on Pillar 2 Requirements (P2R), the combined buffer requirement (CBR)—made of the capital conservation buffer, countercyclical buffer, systemic risk buffer, and G SII/O SII buffers—and Pillar 2 Guidance (P2G). In parallel sit the leverage ratio minimum and MREL under the resolution regime. This is the source of multi restrictiveness: dipping into the CBR can trip leverage or MREL constraints, rendering buffers de facto unusable without supervisory waivers and potential market penalties. The Bundesbank’s CET1 only going concern idea and single releasable buffer are designed to untie those knots

What to watch next

1. Text and calibration The Bundesbank has posted the speech entry and BIS transcript; watch for the full text and any follow up technical notes spelling out the two CET1 metrics, leverage interaction, and transition

2. ECB task force deliverables How far will the de Guindos task force go on buffer releasability, P2R/P2G composition, and prudential resolution separation—and what needs co legislation?

3. Macroprudential governance If CCyB and SyRB merge into a single tool, who sets and releases it—national authorities, the ECB, or a hybrid within the Banking Union? The ECB/ESRB “positive neutral” agenda is the analytical backdrop

4. AT1/T2 markets A pivot to gone concern only could reshape issuance and pricing of AT1/T2, affecting banks’ funding mixes and WACC

5. Level playing field The US is rewriting its capital package; any EU simplification will be measured against that and the UK’s evolving approach

The establishment of the EU Anti-Money Laundering Authority (AMLA) under Regulation (EU) 2024/1620 marks the most significant change in the bloc’s approach to financial crime since the first AML Directives. Tasked with directly supervising high-risk, cross-border financial institutions and coordinating national authorities, AMLA will reshape compliance standards, operational structures, and business models. This article analyses the regulatory framework, timeline, and impacts on banks across the EU from 2024 to 2028. Key implications include higher compliance costs, harmonised supervisory expectations, closer scrutiny of crypto-asset service providers, and opportunities for early movers to leverage compliance excellence as a competitive advantage

Why the AMLA was created

Europe’s AML/CFT regime has long suffered from fragmented national implementation of directives, uneven supervision, and weak enforcement. Scandals involving large banks highlighted gaps in cross-border coordination and beneficial ownership transparency. To align with FATF expectations and restore confidence in the single market, the Commission’s 2021 AML package introduced a Single Rulebook (Regulation (EU) 2024/1624), a new Directive (AMLD6), and AMLA as a central authority

Legal Framework: AMLA’s statutory powers, supervisory scope, and enforcement tools

Core Legal Basis

• Regulation (EU) 2024/1620 establishes AMLA, conferring on it powers to directly supervise “selected obliged entities” in the financial sector, coordinate and oversee AML/CFT supervision across Member States, support and coordinate Financial Intelligence Units (FIUs), issue guidelines, regulatory technical standards, recommendations, and enforce its own decisions in certain cases

• The AML Package includes the AML Regulation (EU) 2024/1624 (providing a Single Rulebook), AML Directive (EU) 2024/1640 (AMLD6), and other instruments (e.g. for transfers of funds / crypto transfers). These combine to broaden obligations and reduce national discretion

Supervisory Scope

AMLA will have two main supervisory modalities

1. Direct supervision of selected obliged entities, which are financial sector entities (credit institutions, investment firms, insurance undertakings, crypto-asset service providers, etc.), satisfying criteria of:

   • Operations in at least six EU Member States (by branch or via freedom to provide services)

   • A high ML/TF risk profile as assessed by AMLA (“inherent” and “residual” risk)

   • First selection expected to cover around 40 entities/groups, with selection every 3 years

2. Indirect supervision / Coordination / Convergence: For all other obliged entities, supervision remains with national authorities, but AMLA will set binding technical standards (via Regulation), issue guidelines and recommendations, conduct annual or periodic reviews of supervisory authorities’ performance, coordinate peer reviews, facilitate cooperation among FIUs, resolving supervisory disagreements cross-border, etc.

Enforcement Tools

• For selected obliged entities, AMLA will have administrative measures including orders for corrective measures, temporary bans on persons, etc.

• Ability to impose pecuniary sanctions for serious, repeated or systematic breaches of the AML Regulation, including periodic penalty payments to ensure compliance

• Transparency: public naming of decisions in certain cases. National authorities for non-selected entities will be expected to follow AMLA guidelines. AMLA may issue warnings if a Member State fails to correctly apply EU rules

Other Powers

• Monitoring and assessing ML/TF risks in the EU internal market and wider world; gathering data; establishing a central information database accessible to national and EU supervisors

• Overseeing FIUs: facilitating joint analyses of suspicious cross-border transactions, improving secure information exchange (FIU.net), training, technical / IT support

Transitional arrangements will include grace periods for some obligations, phasing of enforcement powers, and continuing national supervision (with cooperation) until direct supervision kicks in. Entities selected will likely receive notice ahead of time and have reasonable notice to adjust. Some technical standards / guidelines will apply from earlier dates or upon issuance

Operational Impacts for Banks

Banks and other obliged entities will need to adjust multiple aspects of their compliance operations. Key areas where operational impacts are likely (2024-2028):

Customer Due Diligence (CDD)

• Stricter beneficial ownership requirements under AMLD6

• Enhanced due diligence for politically exposed persons (PEPs), high-risk jurisdictions, cross-border/onboarding of clients in other Member States. The risk-based approach will be standardised across the EU, reducing margin for national variation

• More detailed ongoing monitoring obligations, review of residual risk, more frequent updates to CDD records

Transaction Monitoring and Suspicious Transaction Reports (STRs)

• Given AMLA’s mandate over joint analyses (FIU cooperation) and monitoring, banks will need to ensure transaction monitoring systems are capable of producing information that supports cross-border patterns, large and complex transactions, crypto flows, etc.

• STR submission standards may become more unified; expectations for timeliness, quality, and use of analytics will increase

Sanctions Screening

• Integration of sanctions compliance with AML/CFT obligations will become even more crucial, particularly since AMLA’s powers include ensuring selected obliged entities have appropriate internal policies for targeted financial sanctions, asset freezes etc.

• Increased overlap among AML, CFT, sanctions regimes (national, EU, international) will require more centralised functions in many banks

Crypto-Asset Service Providers (CASPs) Oversight

• CASPs are expressly included as possible “selected obliged entities.” They will be subject to direct supervision if they meet cross-border / risk criteria

• Even for non-selected CASPs, the indirect supervision and technical standards will raise the floor, requiring improved controls, transaction traceability, monitoring of crypto-asset transfers

Data and IT

• AMLA will maintain a central information database; banks will need to ensure data compatibility, submission of required data, quality, timeliness

• Upgrading or enhancing transaction monitoring systems, STR analytics, AI/ML tools; cross-border data flow infrastructure; strong model governance

Onboarding/ Offboarding

• Uniform rules will reduce some of the friction caused by national differences, but the cost of adjusting onboarding policies, risk classification, escalation procedures, enhanced due diligence will be non-trivial.

• Offboarding (client exit) decisions may be more scrutinised in cross-border / high risk settings

Drivers of cost

• System and data architecture upgrades (including analytics, AI/ML, cross-border data flows)

• Hiring or reallocating compliance, legal, risk personnel; possibly setting up dedicated “AMLA preparation/ liaison” functions

• Training and change management across country teams and business lines

• Remediation of past weaknesses: e.g. beneficial ownership, lack of consistent policies, documentation gaps

• External advisory, audit / validation cost

Savings / possible offsets

• Over time, standardisation may reduce duplicated effort across national jurisdictions

• Shared services (e.g. central transaction monitoring, vendor-provided screening) may achieve economies of scale

• Improved automation, better analytics reducing false positives or inefficiencies

Strategic Business Model Implications

• Cross-Border Operations and Correspondent Banking

  • Banks with large cross-border footprints will be under direct AMLA supervision; this increases risk (regulatory, compliance, reputational) but also relative advantage for those who perform well

  • Correspondent banking relationships may be scrutinised more closely; some banks may “de-risk” by terminating or reducing exposure to jurisdictions or partners with weak AML/CFT track records. This would reduce correspondent banking network densities

• Crypto Services

  • Firms engaged in crypto-asset services are part of the scope; those with cross-border operations and high risk are likely to be directly supervised.

  • Crypto service providers and the financial institutions that interface with them will need to close gaps in transfer traceability, origin/destination controls, screening, etc.

• Client Onboarding/ Offboarding

  • Stricter uniform CDD and enhanced due diligence will likely slow onboarding for high risk / cross-border / crypto clients

  • Banks may re-evaluate acceptance criteria. Offboarding decisions may become riskier, especially in jurisdictions or with clients triggering systemic risk

• Reputation, Risk Appetite and Business Lines

  • Reputational risk will amplify failures in AMLA’s directly supervised entities will likely draw EU-level attention and public naming; non-selected entities, while under national supervision, will still face scrutiny via AMLA’s reports, peer reviews, etc.

  • Banks may adjust risk appetite: reduce exposures in high-risk jurisdictions; shift business lines less exposed to ML/TF risks

• Competitive Opportunity

  • Those banks that prepare early and demonstrate strong AML/CFT frameworks may benefit lower cost of compliance in the medium term

  • Ability to serve high risk clients more credibly; help with cross-border business; possible regulatory “trust premium.”

• Governance and Organisational Change

  • Risk appetite & oversight: Boards and senior management must engage more directly; AML/CFT must be elevated in enterprise risk frameworks, with clearer metrics, KPIs

  • Lines of defence: First, second, third lines will need clearer roles: compliance units, internal audit, legal will need to coordinate; possibly new roles for liaison with AMLA; stronger independence

  • Incident response: Prepare for more inspections / audits; better readiness for regulatory investigations; crisis communications (reuse of reputational risk)

  • Shared services: Many banks will centralise compliance functions to avoid duplication across regions; consider internal centres for excellence

• Technology and Data Requirements

  • Standardisation: Uniform data definitions, standardised risk scoring, harmonised reporting templates across EU; data models that meet AMLA’s technical standards

  • Analytics / machine learning tools: To detect cross-border suspicious patterns, large transaction volumes, crypto flows, link networks of entities

  • FIU integration and secure data exchange: Banks must ensure that systems can interoperate with FIU requirements, central database; privacy and security; resilience

  • Model governance: More robust validation of AML/CTF models; oversight of AI/ML components; assurance of explainability particularly under enforcement.

  • Operational infrastructure: Real-time or near-real time screening (transaction, sanction, PEP etc.), scalable data storage, audit trails

Recommendations: Strategic Priorities for Banks

To manage the transition and exploit opportunities, banks should consider the following strategic priorities:

Short-Term (2024-2026)

• Gap analysis / readiness audit: assess current AML/CFT frameworks against AML Regulation / AMLD6 / AMLA draft technical standards; especially for cross-border operations, CDD, sanctions, crypto

• Stakeholder mapping and liaison: identify whether bank is likely to become a selected obliged entity; engage with national regulators; monitor AMLA’s upcoming guidelines / selection criteria

• Data and systems inventory: map data flows, reporting, IT systems; identify gaps for traceability, cross-border transaction monitoring

• Resourcing plan: estimate additional staff, budget, and external support needed; hire or train early; plan for centralization or shared services where possible

• Policy standardisation across jurisdictions: harmonise internal policies, risk classification, onboarding/offboarding, PEP/ sanctions screening to reduce divergence

Medium-Term (2026-2028)

• Implement technical tools: deploy or upgrade transaction monitoring, AI/ML, analytics for cross-border suspicious patterns; build pipelines for large data sets; enhance model governance

• Compliance culture and training: firm-wide training; embed AML/CFT in business line planning; set measurable KPIs; align incentives

• Scenario planning and stress testing: simulate supervisory inspections, enforcement; test readiness for adverse events (e.g. failed STRs, sanctions breaches)

• Strategic portfolio review: re-evaluate correspondent banking relationships; exposure to high risk jurisdictions; consider withdrawing or offboarding where risk excessive or cost outweighs benefit

• Collaboration and industry engagement: engage with peers, trade associations, FIUs; monitor AMLA / EU-level regulatory discussions; possibly influence upcoming technical standards

Long-Term (2028 and beyond)

• Embed continuous improvement: establish a cycle of review, benchmarking against best practices, adapting to evolving ML/TF threats (crypto, AI/tech-enabled crime)

• Leverage harmonisation for competitive advantage: streamline cross-border services; reduce internal friction; offer clients more consistent experiences across Member States

• Invest in resilient infrastructure: ensure data privacy / cybersecurity; robust disaster recovery; compliance with technological and regulatory evolution (e.g. blockchain, cross-border payments)

AMLA introduces a new, more centralised, harmonised and enforceable regime for AML/CFT in the EU. For banks, especially those with cross-border profiles, the period 2024-2028 will be one of substantial operational, strategic and financial change. The chief challenges are in upgrading data, systems and processes; managing cost; aligning risk appetite; and preparing for stronger enforcement. But banks that act early—auditing their current state, investing in technology and governance, and shaping their policies to meet the new rulebook—can not only avoid penalties, but gain competitive advantage in a higher transparency, lower arbitrage regime. Leadership should treat AMLA not simply as a compliance burden but as a strategic inflection point: one that may reshape business models, product offerings, and cross-border strategy for years to come