Welcome to the latest edition of the Financial Regulation Weekly Bulletin.
If you would like to discuss in more detail, please contact your relationship partner or email one of our Financial Regulation team.
General
HM Treasury
Financial Services Act 2012 (Relevant Functions in relation to Complaints Scheme) (Amendment) Order 2026 - 2 July 2026
The Financial Services Act 2012 (Relevant Functions in relation to Complaints Scheme) (Amendment) Order 2026 (the Order) has been published, alongside an explanatory memorandum. The Order amends the 2014 Order that specifies the regulatory functions of the FCA, PRA and Bank of England that fall within the statutory complaints scheme. Section 84 of the Financial Services Act 2012 requires the regulators to maintain a scheme for the prompt, independent investigation of complaints made against them in respect of their relevant functions, such as complaints about maladministration.
The Order adds to the FCA’s relevant functions its functions under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, while excluding the FCA’s functions of making technical standards under regulation 20(6) and giving guidance under regulation 48(1) of those Regulations. It also corrects the 2014 Order, excluding the FCA’s function of giving guidance under paragraph 7 of Schedule 1, and the regulators’ functions of preparing and issuing a statement of policy under paragraph 14 of Schedule 1, of the Markets in Financial Instruments Regulations 2017.
The Order comes into force on 23 July 2026.
Cyber resilience in financial services - HM Treasury publishes report - 8 July 2026
HM Treasury has published a report on cyber resilience in financial services, examining the economic and financial value of operational and cyber resilience in the UK financial sector. The report was developed with external industry analytical support, and draws on survey data, national cyber security centre incident data and loss modelling.
The report finds that cyber risk has intensified, noting that the Bank of England’s 2026 H1 Systemic Risk Survey recorded 82% of surveyed banks, insurers and asset managers citing cyber-attacks as a top five risk to the financial system. It argues that resilience should be treated not merely as a compliance cost but as a strategic capability that reduces the likelihood and severity of disruption while supporting growth, innovation and long-term performance.
Financial Conduct Authority
AI and the future of retail financial services - FCA publishes the Mills Review - 6 July 2026
The FCA has published The Mills Review, an independent review led by executive director Sheldon Mills into how AI could reshape retail financial services for consumers, firms, markets and regulators by 2030 and beyond. The FCA describes it as the first work of its kind initiated by a regulator globally, drawing on analysis, commissioned consumer research and industry engagement following an engagement paper published in January 2026.
The Review identifies four major AI-driven shifts likely to affect retail financial services: (i) the transformation of firm operations, (ii) the evolution of consumer journeys, (iii) the reshaping of competition and market power, and (iv) the amplification of fraud and cyber risks. It concludes that AI could improve access, personalisation and efficiency, and help address long-standing problems such as advice gaps, low switching and protection gaps, while also amplifying risks around fraud, cyber security, consumer harm and market concentration.
The Review makes priority recommendations for the FCA Board and Executive to consider, including securing and adapting the regulatory perimeter, strengthening system-wide coordination and oversight, and monitoring the transition to autonomous models. Mills also recommends scaling up the FCA’s AI Lab and further building the foundations for agentic finance, while also building and adopting an AI-enabled agentic supervisory model, and developing a trusted public-interest AI-enabled financial capability service.
The FCA has said it will publish an AI good and poor practice publication later in 2026.
European Systemic Risk Board
Systemic cyber risks from frontier AI models - ESRB issues warning - 7 July 2026
The European Systemic Risk Board (ESRB) has issued a warning (ESRB/2026/3), accompanied by an analytical report, on the systemic cyber risks to the EU financial system stemming from frontier artificial intelligence models (FAIMs).
The ESRB warns that FAIMs, advanced general-purpose AI models capable of materially affecting cyber operations, can now discover vulnerabilities, generate working exploits and autonomously execute cyber-attacks at a speed, scale and accuracy far exceeding earlier models and overcoming defensive time buffers. It considers this a source of systemic risk weakening operational resilience across four areas: the time available to patch complex systems, the capability of defenders, concentration risk from dependence on a small number of AI providers, cloud and open-source providers, and the capability of authorities.
The ESRB will reflect these developments in its risk assessments, testing frameworks, supervisory expectations and scenario development, and will reassess them in each quarterly risk assessment. The ESRB also notes that the ECB, in its role as banking supervisor, has asked significant institutions to develop a comprehensive action plan by 31 October 2026 (see further the item below). The European Supervisory Authorities (the EBA, EIOPA and ESMA) have published a statement welcoming and supporting the ESRB’s warning.
European Central Bank
AI-enabled cybersecurity threats - ECB publishes letter - 7 July 2026
The European Central Bank (ECB) has published a letter from Supervisory Board Chair Claudia Buch to the CEOs of significant institutions on addressing AI-enabled cybersecurity threats, issued alongside the ESRB’s warning of the same date.
The ECB warns that emerging AI models can identify vulnerabilities and generate functioning exploits at unprecedented speed, amplifying the speed and scale at which existing risks materialise, and calls on significant institutions to assess the impact without delay and develop a comprehensive action plan. In the short term, firms should accelerate vulnerability and patch management at scale, enhance monitoring, detection and AI-enabled defensive capabilities, and verify that third-party risk management is fit for purpose. Structural measures include reinforcing defence-in-depth and cyber hygiene, modernising legacy infrastructure, and improving response and recovery arrangements.
Action plans should be submitted to the relevant Joint Supervisory Team by 31 October 2026, and the ECB will extend the deadline for the annual IT Risk Questionnaire from September 2026 to February 2027; it also flags a forthcoming separate letter on the implications of quantum computing.
UK Parliament
Secondary competitiveness and growth objective - Financial Services Regulation Committee publishes one-year updates - 8 July 2026
The House of Lords Financial Services Regulation Committee (FSRC) has published one-year updates it received from the FCA and PRA on how each regulator is embedding its secondary competitiveness and growth objective (SCGO), following the Committee’s June 2025 report.
In its update dated 12 June 2026, the FCA reported that growth and international competitiveness are now embedded as a core part of its 2025-2030 strategy and pointed to positive signals in its metrics. In a separate letter dated 25 June 2026, Sam Woods, Deputy Governor and PRA Chief Executive, updated the Committee on the PRA’s response to the recommendations in 2025 report, stressing that the SCGO is being advanced in a way that supports financial stability.
Banking and finance
HM Treasury
Overseas Prudential Requirements Regime (Credit Institutions and Investment Firms) Regulations 2026 - 2 July 2026
The draft Overseas Prudential Requirements Regime (Credit Institutions and Investment Firms) Regulations 2026 have been published, alongside a draft explanatory memorandum. The draft Regulations, made under the Financial Services and Markets Act 2023, restate the third-country equivalence provisions of the retained Capital Requirements Regulation (CRR) (articles 81(1)(a)(iii), 82(a)(iii), 107(4), 114(7), 115(4) and 116(5)), which are revoked with effect from 1 January 2027.
Regulation 3 confers on the Treasury a power to designate an overseas jurisdiction, exercisable only where the Treasury considers it compatible with protecting UK financial stability, the safety and soundness of CRR firms, and either promoting effective competition in consumers’ interests or facilitating the UK’s international competitiveness and medium to long-term growth. Regulations 4 to 7 set out the effects of designation, allowing CRR firms and CRR consolidation entities to apply favourable prudential treatment when calculating risk weighting and own funds for exposures to a number of counterparties and capital instruments.
Regulation 9 makes standalone provision for the treatment of exposures to Gibraltar-based counterparties, and Regulation 10 and the Schedule designate specified jurisdictions (namely Australia, Brazil, Canada, China, the European Union, Japan, Singapore, Switzerland and the United States), replacing the retained Commission Implementing Decision 2014/908/EU and the Capital Requirements Regulation Equivalence Directions 2020.
The draft Regulations are subject to approval by resolution of each House of Parliament and, if approved, come into force on 1 January 2027.
Bank of England
Financial Stability Report and the bank capital framework - Bank of England publishes July 2026 Report - 7 July 2026
The Bank of England has published its July 2026 Financial Stability Report, together with the record of the Financial Policy Committee (FPC) meeting of 26 June 2026 and an edition of Financial Stability in Focus on the bank capital framework.
On the overall risk environment, the FPC continues to monitor the macro-financial implications of AI and, on frontier AI, endorses the May 2026 joint statement of the Bank, FCA and HM Treasury on frontier models and cyber resilience, reinforcing existing cyber and operational resilience expectations. It also welcomes the Bank’s recent policy statement and draft code of practice for systemic sterling-denominated stablecoins, and has maintained the UK countercyclical capital buffer rate at 2%.
Working with the PRA, the FPC is modernising the bank capital framework to make it simpler, more proportionate and better calibrated while preserving resilience. It reaffirms that the appropriate benchmark for system-wide Tier 1 capital requirements is around 13% of risk-weighted assets (a CET1 ratio of around 11%). The FPC will pursue reform towards a single buffer that is releasable in stress and usable without automatic distribution restrictions, welcoming the PRA’s intention to release the other systemically important institutions (O-SII) buffer in systemic stress (see further the item below). Alongside the PRA, the FPC intends to consult on making the leverage ratio framework more proportionate, including removing the countercyclical leverage buffer, recalibrating the additional leverage ratio buffer to 50% of risk-weighted systemic buffers, and reducing the leverage ratio minimum requirement from 3.25% to 3% alongside a new 25 basis point general leverage ratio buffer.
Prudential Regulation Authority
Usability and releasability of capital buffers - PRA publishes statement - 7 July 2026
The PRA has published a statement on enhancing the usability and releasability of capital buffers, endorsing the FPC’s vision of a simpler capital buffer framework centred on a single buffer that is releasable in stress and usable without automatic distribution restrictions.
As a near-term step, the PRA clarifies that it could release the other systemically important institution (O-SII) buffer in the event of systemic stress, exercising its existing discretionary powers to vary O-SII buffer rates (including setting them to zero) under the Capital Buffers and Macro-prudential Measures Regulations 2025, thereby lowering the level of capital at which automatic distribution restrictions apply and reducing incentives for defensive deleveraging. It recognises that combined regulatory buffers may need to be rebuilt over several years, with the pace depending on banks’ ability to rebuild capital while continuing to lend to creditworthy households and businesses.
The PRA intends to consult in the second half of 2026 on changes to its statement of policy on the O-SII buffer, including qualitative guidance on rebuild expectations.
European Banking Authority
Authorisation of third-country branches - EBA publishes final guidelines - 7 July 2026
The European Banking Authority (EBA) has published its final report and guidelines on the authorisation of third-country bank branches in the EU (TCBs) under Article 48c(8) of the Capital Requirements Directive (CRD).
The guidelines, addressed to competent authorities and indirectly to applicant head undertakings, specify (i) the information required in an application submitted by a head undertaking, (ii) the procedure for authorisation (including standard forms and templates), (iii) the assessment methodology and conditions for authorisation and (iv) the conditions under which competent authorities may rely on previously supplied information as part of a prior TCB authorisation. Among other things, the guidelines emphasise the importance of TCBs not being empty shells and not being used solely and systematically to originate assets and liabilities thereafter booked into other EU-based entities.
The guidelines will apply from 11 January 2027, aligning with the new minimum harmonisation regime for TCBs introduced by Directive (EU) 2024/1619.
Financial Conduct Authority
Basic bank accounts - FCA publishes review of good and poor practice - 7 July 2026
The FCA has published the findings of a review of how the nine largest banks and building societies legally required to offer basic bank accounts (BBAs) provide access to them, based on a mystery shopping exercise, alongside a press release.
Across 298 mystery shops, the FCA rated 28% of interactions as good or very good, 38% as fair, 20% as poor and 14% as very poor, finding that firms did not consistently identify or discuss BBAs early enough (in around 15% of shops staff did not mention a BBA at all, even after a prompt), created avoidable barriers for consumers with non-standard identification or no fixed address, and did not consistently recognise or respond to vulnerability, often steering customers towards unsuitable online-only journeys.
To address this, the nine firms have agreed individual improvement plans and, working with UK Finance, a collective commitment to improve BBA access. UK Finance will lead a sector-wide review of progress after six and twelve months.
Securities and markets
European Securities and Markets Authority
Product intervention measures on binary options and event contracts - ESMA publishes public statement - 3 July 2026
ESMA has published a public statement, addressed to firms and national competent authorities (NCAs), on the application of the national product intervention measures on binary options to ‘event contracts’. The statement responds to the increased offering of event contracts and the growth of so-called ‘prediction markets’, and reminds firms to assess whether the measures apply to their offered products based on their specific characteristics.
ESMA also reminds firms that providing investment services concerning these financial instruments in the EU requires MiFID II authorisation, so that distribution even solely to non-retail clients requires authorisation, and that participating in activities to circumvent the product intervention measures is prohibited.
Risk management function of UCITS management companies and AIFMs - ESMA launches Common Supervisory Action - 3 July 2026
The European Securities and Markets Authority (ESMA) has announced the launch of a Common Supervisory Action (CSA) with national competent authorities (NCAs) on the risk management function of UCITS management companies and alternative investment fund managers (AIFMs) across the EU. The CSA will be conducted throughout 2026 and 2027 in close collaboration with NCAs.
The CSA aims to assess how firms comply with key risk-related provisions under the UCITS and AIFMD frameworks, focusing on the effectiveness, independence and expertise of the risk management function. NCAs will concentrate on three areas:
- the governance and organisation of the risk management function;
- the identification, measurement and monitoring of risks, including market, credit, liquidity, counterparty and operational risks; and
- reporting to senior management and governing bodies.
ESMA will also support supervisory convergence through a common framework setting out the scope, methodology, supervisory expectations and timeline, with NCAs sharing knowledge and experience throughout the exercise.
ESMA expects to publish a final report with the results of the exercise in 2028.
European Securities and Markets Authority
Digital operational resilience of crypto-asset service providers - ESMA launches Common Supervisory Action - 8 July 2026
The European Securities and Markets Authority (ESMA) has launched a common supervisory action (CSA), to be carried out with national competent authorities (NCAs), on the digital operational resilience of crypto-asset service providers (CASPs), with a specific emphasis on custody services. The CSA will assess the maturity of CASPs’ digital operational resilience frameworks for custody activities, focusing on risks inherent to distributed ledger technology (DLT), including governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks and dependencies on third-party providers.
NCAs will conduct the exercise on a risk-based sample of authorised CASPs from the second half of 2026 to the first half of 2027. The findings will be consolidated into a final report to be submitted to ESMA’s Board of Supervisors in the second half of 2027.
HM Treasury
Over the Counter Derivatives (Intragroup Transactions) Regulations 2026 - 6 July 2026
A draft version of the Over the Counter Derivatives (Intragroup Transactions) Regulations 2026 (the Regulations) has been published, alongside an explanatory memorandum. The Regulations reform the UK framework for intragroup over-the-counter (OTC) derivative transactions under the European Market Infrastructure Regulation as it forms part of UK assimilated law (UK EMIR), replacing the Temporary Intragroup Exemption Regime (TIGER) with a permanent framework.
The Regulations facilitate permanent exemptions from the clearing obligation and margin requirements for intragroup transactions between UK counterparties and overseas group entities, regardless of whether the overseas jurisdiction has been declared equivalent under Article 13 of UK EMIR. They amend the definition of an intragroup transaction in Article 3 of UK EMIR so that it no longer depends on an equivalence determination, and streamline the exemption process in Articles 4 and 11, meaning firms will no longer need to notify the FCA for exemptions between two UK counterparties, while exemptions involving an overseas group entity will be available on notification to the FCA where the FCA does not object within a 30-day period, replacing the current TIGER position under which FCA approval was required within three months. The Regulations also include transitional provision so that firms already benefitting from exemptions granted under TIGER can continue to do so when that regime expires at the end of 2026, without needing to notify the FCA, subject to certain conditions.
The Regulations come into force on the day on which the revocation of Part 5 of the 2019 EU Exit Regulations (which established TIGER) takes effect under the Financial Services and Markets Act 2023.
Insurance
European Insurance and Occupational Pensions Authority
IRRD framework - EIOPA publishes final reports, guidelines, and draft RTS - 8 July 2026
The European Insurance and Occupational Pensions Authority (EIOPA) has published four final reports under the framework for the recovery and resolution of insurance and reinsurance undertakings (Directive (EU) 2025/1) (IRRD). They comprise a final report on draft regulatory technical standards (RTS) on the independence of valuers for resolution, together with three sets of final guidelines on: (i) the criteria for applying simplified obligations; (ii) how confidential information should be provided in summary or collective form; and (iii) the range of macroeconomic and financial scenarios in pre-emptive recovery planning.
The draft RTS specify the conditions for a valuer to be considered independent of both the resolution authority and the entity under resolution. The guidelines, developed in cooperation with the European Systemic Risk Board in the case of the scenario guidelines, further specify the relevant IRRD criteria and are intended to enhance supervisory convergence and proportionality.
EIOPA will submit the draft RTS to the European Commission and issue the guidelines during 2027, with the measures applying from 30 January 2027.
Draft RTS on the valuation of (re)insurers in the context of resolution under the IRRD - EIOPA consults - 8 July 2026
The European Insurance and Occupational Pensions Authority (EIOPA) has launched two consultations on draft regulatory technical standards (RTS) concerning the valuation of insurance and reinsurance undertakings and groups for the purposes of resolution under the Insurance Recovery and Resolution Directive (IRRD) (Directive (EU) 2025/1), which is set to become operational in January 2027.
The consultations cover the four separate valuation mandates set out in the IRRD, split across two draft RTS by reference to the sequence of the three valuations the Directive requires. The first consultation paper (EIOPA-BoS-26-268) addresses the methodologies for assessing the value of an undertaking’s assets and liabilities in resolution and for calculating the buffer for additional losses to be included in provisional valuations. The second (EIOPA-BoS-26-267) addresses the methodology for assessing the treatment that shareholders, policyholders, beneficiaries, claimants and other creditors would have received had the undertaking entered insolvency proceedings, the estimation of replacement costs, and the separation of valuations in resolution and insolvency proceedings.
IRRD - EIOPA publishes seven guidelines and draft technical standards - 8 July 2026
EIOPA has published a package of seven instruments related to the implementation of the Insurance Recovery and Resolution Directive (IRRD) (Directive (EU) 2025/), comprising four guidelines and three draft regulatory technical standards (RTS).
The four guidelines cover: (i) the range of macroeconomic and financial stress scenarios to be used in pre-emptive recovery planning; (ii) the qualitative and quantitative indicators to be included in pre-emptive recovery plans; (iii) the criteria for determining whether simplified obligations may apply to certain undertakings and groups; and (iv) how information should be provided in summary or collective form for the purposes of Article 66(2)(b) of the IRRD.
The three draft RTS concern the independence of valuers for resolution, the contractual recognition of resolution stay powers in contracts governed by third-country law, and the methodologies and principles for valuing liabilities arising from derivatives.
International Association of Insurance Supervisors
Global insurance market report 2026 - IAIS publishes mid-year update - 9 July 2026
The International Association of Insurance Supervisors (IAIS) has published the mid-year update to its global insurance market report (GIMAR), based on preliminary findings from its 2026 global monitoring exercise (GME).
The report indicates that the global insurance sector maintained stable solvency, liquidity and profitability positions at year-end 2025, supported by strong operational performance, effective asset-liability management and robust capital. The IAIS notes that aggregate systemic risk scores of global insurance groups increased slightly compared with year-end 2024, with the largest increases recorded in asset liquidation to generate excess cash and in interconnectedness. It cautions that geopolitical tensions, inflationary pressures and elevated sovereign debt levels present complexity for insurers’ balance sheets and business models in 2026, requiring a heightened focus on effective risk management. Supervisors have identified three sector-wide themes for deeper analysis in the 2026 GME: (i) the impact of macroeconomic risks on life insurers’ balance sheets; (ii) the transmission channels of geopolitical risk in non-life insurance; and (iii) the impact of advances in artificial intelligence and technology on insurers’ cyber resilience.
The year-end 2026 GIMAR is due to be published in December.
Financial crime
Anti-Money Laundering Authority
Pecuniary sanctions, administrative measures and periodic penalty payments under the AMLD - AMLA publishes final report and draft RTS - 8 July 2026
The Anti-Money Laundering Authority (AMLA) has published a final report containing draft regulatory technical standards (RTS) under Article 53(10) of the Anti-Money Laundering Directive (Directive (EU) 2024/1640) (AMLD). The draft RTS specify indicators to classify the level of gravity of breaches, criteria for setting the level of pecuniary sanctions or applying administrative measures, and a methodology for imposing periodic penalty payments, including their frequency.
The draft RTS establish a single, horizontal framework applicable to both financial and non-financial sector supervisors, intended to ensure that the same breach is assessed consistently and that the resulting enforcement measure is proportionate, effective and dissuasive across member states. Supervisors will first assess the gravity of a breach against a list of common indicators, classify it into one of four categories of increasing severity, and then determine the level of pecuniary sanction or administrative measure by reference to specified criteria, applying supervisory judgement throughout.
The draft RTS will be submitted to the European Commission for adoption and would apply from 10 July 2027.
This material is provided for general information only. It does not constitute legal or other professional advice.