The FCA, Bank of England, and HM Treasury issued a joint statement on May 15, 2026, addressing frontier AI models and cyber resilience in financial services. The statement is addressed to regulated financial services firms and constitutes a supervisory communication, not new rules. The three authorities treat frontier AI cyber risk as a live and material concern requiring firms to act under existing obligations.
The statement draws authority from existing regulatory obligations, including FCA Principle 3 on management and control systems, PRA Fundamental Rule 7 on operational resilience, and the Bank of England and FCA operational resilience rules effective March 2022. It identifies frontier AI cyber capabilities as exceeding what a skilled practitioner can achieve in speed and scale. Adversaries using those capabilities can identify and exploit technology estate vulnerabilities across multiple firms simultaneously, at a rate that conventional security controls cannot match.
Regulated firms, including FCA-authorised firms, PRA-supervised institutions, and payment service providers, must act in four areas. Boards and senior management must demonstrate adequate understanding of frontier AI risks. Firms must continuously identify and manage technology estate vulnerabilities. Firms must deploy AI-enabled defensive controls that can operate at the speed of AI-driven attacks. Firms must maintain response and recovery capabilities sufficient to address disruption quickly. The FCA and Bank of England will monitor progress through existing supervisory channels, including the Cross Market Operational Resilience Group (CMORG).
The statement does not set a compliance deadline. The language 'firms should be taking active steps' signals that firms are open to supervisory challenge now. The three authorities will update their expectations as frontier AI capabilities develop and will continue industry engagement through CMORG and the National Cyber Security Centre.
Licentium advises financial services firms on AI governance and regulatory compliance across UK and EU regulatory requirements. We support clients on operational resilience program design and board-level AI risk reporting. Work we undertake includes AI governance reviews, UK operational resilience gap assessments, frontier AI risk advisory, and FCA and PRA regulatory advisory.