The Financial Conduct Authority, the Bank of England, and HM Treasury jointly published a statement on 15 May 2026 addressing cybersecurity and operational resilience risks arising from frontier AI models. The statement is supervisory guidance issued to regulated firms and financial market infrastructures; it does not constitute a formal rule change but sets out current regulatory expectations under existing operational resilience obligations.
The statement draws on the FCA's PS21/3 (Building Operational Resilience) and the Prudential Regulation Authority's SS1/21, alongside National Cyber Security Centre (NCSC) guidance on AI-enabled cyber threats. The regulators identify frontier AI models - systems with rapidly advancing reasoning and execution capabilities - as posing a material step-change in cybersecurity risk. The statement notes explicitly that the cyber capabilities of current frontier AI models already exceed what a skilled practitioner could achieve, operating at higher speed, greater scale, and lower cost.
Regulated firms - including banks, insurers, asset managers, payment institutions, and financial market infrastructures - are expected to act across three areas. In governance, boards and senior management must acquire sufficient understanding of frontier AI risks and escalation pathways. In threat assessment, firms must evaluate AI-enabled cyber threats within their operational resilience risk assessment processes. In supply chain oversight, firms must assess operational dependencies on AI model providers under existing third-party risk management obligations.
The statement does not impose a new compliance deadline. It signals that supervisors will assess frontier AI risk management as part of existing operational resilience reviews under PS21/3 and SS1/21. Firms whose AI governance documentation is already aligned to the accountability structures of the Senior Managers and Certification Regime (SMCR) are better positioned to demonstrate compliance. The statement calls for ongoing engagement with the Cross Market Operational Resilience Group (CMORG) and monitoring of NCSC publications.
Licentium advises financial services firms on FCA and PRA operational resilience obligations and AI governance. Work we undertake includes frontier AI risk assessments, board-level AI governance documentation, third-party AI vendor due diligence, and SMCR accountability mapping for AI-related risks in regulated entities.