UK Regulators Issue Joint Statement on Frontier AI Cyber Resilience, 15 May 2026

On 15 May 2026, the Financial Conduct Authority, Bank of England, and HM Treasury issued a joint statement identifying frontier AI models as a material cybersecurity threat requiring immediate action from regulated financial firms and financial market infrastructures. The statement does not introduce new rules but carries supervisory weight, placing frontier AI risk within existing operational resilience obligations and calling on boards to demonstrate active oversight.

On 15 May 2026, the Financial Conduct Authority, Bank of England, and HM Treasury issued a joint statement on frontier AI models and cyber resilience. The statement is not a rule or binding obligation, but constitutes a coordinated supervisory expectation from three peak UK financial regulators. Frontier AI models already exceed skilled human practitioners in identifying and exploiting cybersecurity vulnerabilities, operating at materially higher speed and scale and at lower cost. Regulated firms and financial market infrastructures must take active steps to address these risks now.

The statement situates frontier AI risk within existing operational resilience obligations. For FCA-authorised enhanced firms, those obligations appear in SYSC 15A of the FCA Handbook, effective from 31 March 2022 under Policy Statement PS21/3. For Bank of England and PRA-supervised firms, the equivalent source is Supervisory Statement SS1/21 on operational resilience. Both instruments require boards to set impact tolerances and ensure the ability to continue operations through severe disruptions. The statement adds frontier AI as a live risk category within these existing requirements, without creating new statutory provisions. Firms should also monitor publications from the Cross Market Operational Resilience Group and the National Cyber Security Centre.

Deposit-takers, investment firms, payment service providers, insurers, and financial market infrastructures regulated by the FCA or Bank of England must now incorporate frontier AI-driven cyberattack scenarios into their operational resilience assessments. Boards and senior management must demonstrate sufficient understanding of frontier AI risk to direct investment and oversight. Firms should review access management, network segmentation, and data protection controls for gaps that a frontier AI model could exploit. The statement specifically expects firms to deploy automated and AI-enabled defensive capabilities that can match the speed and scale of AI-driven attacks.

The statement provides no formal implementation deadline or transitional period. The government and regulators will continue monitoring frontier AI developments and engaging with industry through the Cross Market Operational Resilience Group. Firms should treat this statement as live supervisory guidance rather than a consultation document awaiting a formal response period. The CMORG Frontier AI Risk Mitigation Webinar, held on 14 May 2026, provides supplementary technical context for compliance planning.

Licentium advises regulated financial institutions on AI governance, operational resilience, and cybersecurity compliance across UK and EU regulatory regimes. Our partner network includes specialists in FCA and PRA supervisory engagement and board-level risk governance. Work we undertake includes: AI governance review, operational resilience program assessment, FCA cybersecurity supervisory response, senior manager accountability analysis under SMCR, and board reporting on AI-related cyber risk.

Source: FCA, Bank of England and HM Treasury, Joint Statement on Frontier AI Models and Cyber Resilience, 15 May 2026
