From the journal

FCA, Bank of England and HM Treasury Warn Firms on Frontier AI Cyber Risks, May 2026

On May 15, 2026, the FCA, Bank of England, and HM Treasury issued a joint statement identifying frontier AI cyber capabilities as an active systemic risk to financial services firms. The statement sets out supervisory expectations for governance, vulnerability management, automated defence deployment, and incident recovery under existing rules. No new regulations were issued; the authorities indicated that current obligations apply to frontier AI-driven threats immediately.

2 min read

The FCA, Bank of England, and HM Treasury issued a joint statement on May 15, 2026, addressing frontier AI models and cyber resilience in financial services. The statement is addressed to regulated financial services firms and constitutes a supervisory communication, not new rules. The three authorities treat frontier AI cyber risk as a live and material concern requiring firms to act under existing obligations.

The statement draws authority from existing regulatory obligations, including FCA Principle 3 on management and control systems, PRA Fundamental Rule 7 on operational resilience, and the Bank of England and FCA operational resilience rules effective March 2022. It identifies frontier AI cyber capabilities as exceeding what a skilled practitioner can achieve in speed and scale. Adversaries using those capabilities can identify and exploit technology estate vulnerabilities across multiple firms simultaneously, at a rate that conventional security controls cannot match.

Regulated firms, including FCA-authorised firms, PRA-supervised institutions, and payment service providers, must act in four areas. Boards and senior management must demonstrate adequate understanding of frontier AI risks. Firms must continuously identify and manage technology estate vulnerabilities. Firms must deploy AI-enabled defensive controls that can operate at the speed of AI-driven attacks. Firms must maintain response and recovery capabilities sufficient to address disruption quickly. The FCA and Bank of England will monitor progress through existing supervisory channels, including the Cross Market Operational Resilience Group (CMORG).

The statement does not set a compliance deadline. The language 'firms should be taking active steps' signals that supervisory challenge is available now. The three authorities will update their expectations as frontier AI capabilities develop and will continue industry engagement through CMORG and the National Cyber Security Centre.

Licentium advises financial services firms on AI governance and regulatory compliance across UK and EU regulatory requirements. We support clients on operational resilience program design and board-level AI risk reporting. Work we undertake includes AI governance reviews, UK operational resilience gap assessments, frontier AI risk advisory, and FCA and PRA regulatory advisory.

Source: FCA, Bank of England, and HM Treasury, Joint Statement on Frontier AI Models and Cyber Resilience, 15 May 2026

AI Regulatory