EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
Our Global Regulatory Network, consisting of former regulators and bankers from the Americas, Asia and Europe, provides strategic insights on financial regulation that helps clients adapt to the changing regulatory landscape.
Read moreOne of our key insights is that 2025 provides an opportunity for firms to take a strategic approach to regulatory changes — one that goes beyond compliance and includes embedding outcomes-based approaches, pursuing gains from the growth agenda, and realising efficiencies from AI and automation.
In addition, firms have an opportunity to not just respond to the regulatory regime but to shape it. Those able to evidence the gap between regulatory cost to business, versus positive benefits achieved, will be able to influence regulators and drive a more efficient UK regime.
One particularly interesting area is the use of AI, and the opportunity to engage with regulatory initiatives such as the FCA’s AI Lab2 and Supercharged Sandbox.
Such schemes provide opportunities to work with regulators on the use of AI, allowing firms to gain feedback and reassurance and to potentially shape the regulators’ approaches in practical and meaningful ways.
There will be challenges
Amid the opportunities, our report also identifies challenges for firms in 2025. For example, we anticipate ongoing tension between the move away from a tick-box approach and the use of AI, which works best, at least for now, with simpler, rules-based challenges.
We also expect the emphasis on outcomes-based regulation, including the Consumer Duty, to require a focus for human resources on judgement-led decisions, with AI and automation potentially used to create efficiencies more broadly. There will also be a need to upskill leadership and teams to effectively use AI, making the most of its opportunities and managing its risks.
The speed with which emerging threats develop today could also present challenges, both for firms and regulators.
The seven key financial services regulation themes for 2025
To help senior executives and regulatory teams anticipate challenges and opportunities, we have identified seven cross-cutting themes in financial services regulation that we expect to be at the heart of developments this year:
1. Growth
This is now a regulatory priority. Wholesale initiatives are most advanced, with reforms to UK MiFID under consultation, HM Treasury giving the FCA powers to create a new transaction reporting regime in capital markets, and the FCA consulting on disapplication of consumer regulation in wholesale insurance markets. In retail markets, the FCA will announce the outcome of its call for inputs on removing rules overlapping with the Consumer Duty.
Firms should seize the opportunity to shape the UK regulatory regime and engage with government and regulators to present opportunities and highlight problems in a constructive, evidence-based way. They should also prepare now for potential deregulatory change and develop ways to drive efficiencies whilst still meeting high-level regulatory standards.
2. Data, technology and AI
Technological change provides opportunities for firms to both reduce compliance costs and deliver regulatory outcomes. These include using digital solutions to map regulatory rules to systems and controls and drive reporting and use of data, digital strategies and AI to demonstrate that regulatory compliance and outcomes are achieved.
We expect supervisors to pay close attention to change management, including trade-offs between the status quo and AI approaches, management of downsides, impacts on end users and understanding of risk types. In response, firms will need to focus on change management, risk, human capability, governance and executive leadership to oversee AI and other innovative technology.
We expect both the FCA and the PRA to continue to pull large data sets from firms, combining these with the usual regulatory returns to provide a data-led view on a firm’s performance. Firms should enhance data capabilities to generate a cumulative internal view on data previously provided to regulators.
3. The Consumer Duty, fair value and vulnerability
The Consumer Duty will remain the FCA’s primary focus during the year, with particular attention on delivery of fair value and vulnerability. In addition, precedents regarding fair treatment will continue to be set by the decisions of the Ombudsman and the Courts. Furthermore, redress linked to the potential mis-selling of car finance agreements could become the largest redress exercise since payment protection insurance (PPI), with estimates of up to £30bn.
The FCA remains concerned about fair value outcomes, particularly in general insurance markets and the effectiveness of governance over fair value. In addition, we expect its Vulnerable Customer Review findings due to be published in Q1 2025 to identify weaknesses in practices and to set clearer expectations for treatment of vulnerable customers.
Firms should continue to embed Consumer Duty outcomes in their strategies and processes and ensure they can demonstrate effective governance to regulators. They should also identify potential barriers to accessibility in products and services, and ensure there are evidenced processes for using customer data to identify potential vulnerabilities, including financial difficulty. Firms should also review staff training and support in this area, to ensure they are aligned with internal vulnerable customer policies.
4. Governance and risk culture
The PRA is focussing on “risk culture,” whilst the FCA has clear expectations of boards regarding the Consumer Duty, which will become more complex as expectations in this area evolve. Final rules on non-financial misconduct will be implemented in 2025 and we expect further supervisory focus in wholesale insurance and capital markets.
Firms should empower and equip staff to make judgements on rapidly evolving, complex issues relating to financial risk, consumer outcomes and operational challenges. They should also regularly review board effectiveness amid evolving Consumer Duty expectations, review staff training to help deliver positive risk outcomes, and enable greater agility at customer contact points, moving away from a tick-box approach and binary rules. They should also build enhanced management information and outcomes monitoring to demonstrate a strong risk culture with the right decisions made first time and prepare for further supervisory action on governance and management information.
5. Financial crime
This will be one of four key themes in the FCA’s 2025–30 strategy. For 2025, the regulator is targeting reductions in investment fraud, authorised push payment (APP) fraud and money laundering. Both the FCA and PSR will monitor implementation of the new reimbursement regime and are expecting firms to use new flexibility in payment delays to combat fraud.
Sanctions activity will remain high, and regulators will be keeping a close eye on the handling of politically exposed persons (PEPs). The FCA will conduct firm-specific assessments on anti-money laundering (AML) and sanctions systems and controls. Firms should review financial crime controls, demonstrate robust governance and be able to prove to regulators that senior management are effective when setting and reviewing strategy. They should also set out clear lines of responsibility, review resource allocation and training, implement new reimbursement regimes and develop robust, risk-based responses to payment delays legislation.
6. Operational resilience
Firms face significant implementation deadlines, with the UK operational resilience three-year transition ending on 31 March 2025 and the final rules on critical third parties (CTPs) which went live on 1 January 2025. Many firms will also need to meet the EU’s Digital Operational Resilience Act (DORA) requirements for their EU businesses. In addition, the PRA and FCA will issue a joint consultation paper in Q1 2025 clarifying the information firms should submit when operational incidents occur.
Firms should already be addressing vulnerabilities ahead of the 31 March 2025 deadline and should embed robust testing to understand their capabilities and for assurance purposes. To meet regulatory expectations and build customer trust, they should also invest in risk management, governance, technology and infrastructure. In addition, they should consider integrated platforms allowing them to operate resilience programmes efficiently and respond to future changes.
7. Financial stability
Firms face significant major overhauls of prudential regimes. For banks, the PRA will continue to focus on Basel 3.1 standards, although the deadline has moved back to 1 January 2027. For insurers, the PRA will supervise in accordance with the new Solvency UK regime, which went live on 31 December 2024. In addition, the PRA will incorporate lessons learned from the Bank of England’s first system-wide exploratory scenario (SWES) exercise into its programme for 2025, including those related to the interconnectedness between banks and non-bank financial institutions (NBFIs), and use them in its considerations on firms’ stress testing.
The PRA will also continue to focus on firms’ exposures to NBFIs, especially on private equity financing and private credit.
Banks should consider the impact of the Basel 3.1 delay on their implementation plans. Insurers should prepare for the PRA’s final policy for solvent exit planning later this year, with implementation expected Q4 2025. They should also ensure that their risk management approach can manage their exposures to NBFIs, including correlations across financing activities with multiple clients.