From the journal

UK Regulators Issue Joint Statement on Frontier AI Cyber Resilience, 15 May 2026

On 15 May 2026, the Financial Conduct Authority, Bank of England, and HM Treasury issued a joint statement identifying frontier AI models as a material cybersecurity threat requiring immediate action from regulated financial firms and financial market infrastructures. The statement does not introduce new rules but carries supervisory weight, placing frontier AI risk within existing operational resilience obligations and calling on boards to demonstrate active oversight.

3 min read

On 15 May 2026, the Financial Conduct Authority, Bank of England, and HM Treasury issued a joint statement on frontier AI models and cyber resilience. The statement is not a rule or binding obligation, but constitutes a coordinated supervisory expectation from three peak UK financial regulators. Frontier AI models already exceed skilled human practitioners in identifying and exploiting cybersecurity vulnerabilities, operating at materially higher speed, scale, and lower cost. Regulated firms and financial market infrastructures must take active steps to address these risks now.

The statement situates frontier AI risk within existing operational resilience obligations. For FCA-authorised enhanced firms, those obligations appear in SYSC 15A of the FCA Handbook, effective from 31 March 2022 under Policy Statement PS21/3. For Bank of England and PRA-supervised firms, the equivalent source is Supervisory Statement SS1/21 on operational resilience. Both instruments require boards to set impact tolerances and ensure the ability to continue operations through severe disruptions. The statement adds frontier AI as a live risk category within these existing requirements, without creating new statutory provisions. Firms should also monitor publications from the Cross Market Operational Resilience Group and the National Cyber Security Centre.

Deposit-takers, investment firms, payment service providers, insurers, and financial market infrastructures regulated by the FCA or Bank of England must now incorporate frontier AI-driven cyberattack scenarios into their operational resilience assessments. Boards and senior management must demonstrate sufficient understanding of frontier AI risk to direct investment and oversight. Firms should review access management, network segmentation, and data protection controls for gaps that a frontier AI model could exploit. Deploying automated and AI-enabled defensive capabilities capable of matching the speed and scale of AI-driven attacks is a specific expectation in the statement.

The statement provides no formal implementation deadline or transitional period. The government and regulators will continue monitoring frontier AI developments and engaging with industry through the Cross Market Operational Resilience Group. Firms should treat this statement as live supervisory guidance rather than a consultation document awaiting a formal response period. The CMORG Frontier AI Risk Mitigation Webinar, held on 14 May 2026, provides supplementary technical context for compliance planning.

Licentium advises regulated financial institutions on AI governance, operational resilience, and cybersecurity compliance across UK and EU regulatory regimes. Our partner network includes specialists in FCA and PRA supervisory engagement and board-level risk governance. Work we undertake includes: AI governance review, operational resilience program assessment, FCA cybersecurity supervisory response, senior manager accountability analysis under SMCR, and board reporting on AI-related cyber risk.

Source: FCA, Bank of England and HM Treasury, Joint Statement on Frontier AI Models and Cyber Resilience, 15 May 2026

AI Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.