FCA retail banking regulatory priorities

The FCA has replaced more than 40 portfolio letters with a new suite of Regulatory Priorities reports, published annually by sector. The retail banking edition lands at a moment of genuine structural tension.

Retail banking is changing significantly: people are using branches less and digital channels more, business models are diversifying with new entrants and greater fintech involvement, and open banking and payment types continue to evolve.

Against that backdrop, the FCA has decided to redraw the map. These reports are addressed squarely at Boards and Chief Executives, who are expected to read them carefully and act where necessary. The FCA is also transforming how it supervises: expanding dedicated supervisory contacts, applying a more risk-based approach for its largest firms, and making data collection more targeted and efficient – with the stated goal of less intensive attention on firms doing the right thing, and stronger, faster action where harm is greatest. 

Four priorities dominate the agenda for the next twelve months. This briefing sets out what each priority demands of firms, explains what is genuinely new in the FCA's thinking, and offers practical steps your firm should take now.

Priority 1: Access to cash and essential banking services

Applies to: Retail banks and building societies

Many consumers now bank digitally, and many firms are undertaking digital-first transformations. But these can reduce face-to-face contact and may render some services inaccessible. The sector has established over 200 new banking hubs and nearly 150 other cash and deposit solutions so far to help consumers access essential retail banking services, but there is more to do, and improvements firms can make in how they approach individual branch closures.

The FCA expects designated firms to fill significant gaps in local cash access in accordance with its Access to Cash sourcebook; to avoid causing foreseeable harm to retail customers during digital-first transformations, including by analysing customer need and ensuring any proposed alternatives are accessible before a branch closes; to comply with Basic Bank Account regulations; and to ensure that financial crime controls do not lead to unnecessary or overlong account freezing.

What is new

The FCA now has statutory powers from Parliament to make rules on reasonable cash access for consumers and businesses, powers that did not exist under previous portfolio letter communications. The FCA will this year research the harms that reduced in-person banking services may create, and will conclude mystery shopping exercises on how firms provide basic bank accounts, feeding back good and bad practice in Q2 2026. The breadth and legislative underpinning of this agenda is entirely new in scope and consequence compared to what portfolio letters communicated.

Practical steps for firms

• Conduct a thorough review of all planned branch closures and digital transformation programmes, ensuring that substitute services are genuinely accessible to customers (including those who are less digitally capable) before any closure takes effect.
• If your firm is designated under the Access to Cash regime, audit your compliance with the Access to Cash sourcebook now and address any gaps proactively, ahead of the FCA's formal evaluation of the regime which begins in Q4 2026.
• Designated firms should review how easy it is for eligible consumers to apply for basic bank accounts and make access improvements ahead of the FCA's mystery shopping exercise in Q2 2026.
• Review account-freezing practices to ensure that financial crime controls are not disproportionate and are not causing unnecessary harm to customers.

Priority 2: Good outcomes from products and services

Applies to: Retail banks and building societies

The FCA has seen firms make good progress driving positive outcomes under the Consumer Duty, but most still have further to go on their data-led monitoring and assessment of retail customer outcomes. Whilst firms have responded well when shown areas to improve, such as sharing more value with cash savers and treating customers in bereavement or power of attorney situations better, the FCA's recent review of business current account fair value found improvements alongside areas where firms could still do better.

The FCA expects firms to keep improving their data and management information dashboards for monitoring and assessing consumer outcomes; to take action where need is identified to support consumers in pursuing their financial objectives and avoiding foreseeable harm, including for those in vulnerable circumstances or where fair value is not being provided; and to keep consumer outcomes front and centre when designing and delivering products and services, especially new, innovative or AI-based ones.

What is new

Previous FCA portfolio letters set out the Consumer Duty framework and required firms to embed it. The tone has now shifted. The FCA makes clear that embedding the Duty must be a continuing effort, especially as consumer behaviour changes and technology and business models evolve. The focus is no longer on implementation, it is on what firms can demonstrate through data.

The FCA also intends to consult in 2026 on a retail banking disclosure rule review, examining where simplifying prescriptive disclosure requirements may support consumer understanding – a deregulatory step not signalled in previous retail banking portfolio letters. The FCA will also support firms' responsible adoption of AI, wanting them to use it to help consumers receive the right information when they need it, with cohort 2 of the Supercharged Sandbox and AI Live Testing open for applications and an evaluation report from AI Live Testing to be published by the end of the year.

Practical steps for firms

• Review the quality and coverage of your management information and data dashboards for monitoring consumer outcomes and, where gaps exist, prioritise their development as a board-level matter.
• The FCA will monitor the market to identify poor consumer outcomes and take action against outliers. Firms should identify any pockets of poor value, particularly for customers in vulnerable circumstances, and remediate proactively before the FCA does it for them.
• Any firm developing new, innovative or AI-based products or services should build a Consumer Duty assessment into the design process from the outset, not as a retrospective compliance exercise.
• Monitor and engage with the forthcoming retail banking disclosure rule review consultation – this is a genuine opportunity to reduce compliance burden in this area.
• Firms interested in using AI to improve consumer outcomes should consider applying for the FCA's Supercharged Sandbox or AI Live Testing cohort 2.

Priority 3: Fighting fraud and other financial crime

Applies to: Retail banks and building societies

The mass open nature of retail banking presents inherent financial crime risks, meaning firms must help defend consumers from fraud and the financial system from money laundering and other misuse. Most firms have invested heavily in systems and controls for detection, disruption and prevention, but some have progressed more than others against constantly evolving threats. In the first year of the PSR's APP fraud reimbursement policy, 88% of the money consumers lost to APP scams within the scope of the policy was returned to them – representing £173 million.

The FCA expects firms to help consumers understand fraud risks and support victims fairly; to monitor and mitigate risks, refining defences and control frameworks and promptly remediating any weaknesses; to keep improving systems and controls to combat bad actors' evolving tactics and technologies; and to learn from FCA outputs and keep investing in resources and controls, including advanced technology such as AI where appropriate.

What is new 

Firms have made progress on fraud, including successfully implementing the PSR's reimbursement requirements on authorised push payment fraud, and some are already leveraging AI to fight financial crime. However, the FCA's messaging has sharpened materially. The ongoing challenge of staying ahead of fraudsters and other bad actors who may themselves be enabled by AI or quantum computing is now explicitly flagged, a threat dimension that was not part of earlier portfolio letter communications. 

The FCA will continue its review of money laundering controls around cash deposits, including through the Post Office – a specific supervisory initiative with no direct precedent in prior retail banking portfolio letters. Final notices issued against Monzo, Barclays and Nationwide for past control failings make plain that enforcement action in this area remains live.

Practical steps for firms

• Review your fraud, money laundering and wider financial crime risk frameworks now, treating any identified weaknesses as requiring prompt and documented remediation.
• Invest in advanced technology, including AI where appropriate, to stay ahead of increasingly sophisticated criminal tactics – the FCA expects firms to match the pace of threat evolution.
• If your firm processes cash deposits through third-party channels such as the Post Office, review money laundering controls over those channels ahead of the FCA's ongoing review in this area.
• Assess how your firm communicates fraud risks to consumers and how it supports victims, ensuring that the support provided is genuinely fair and not merely process-compliant.
• Be prepared for the FCA to use data analytics to identify outliers – firms whose financial crime metrics diverge from sector norms should expect targeted regulatory engagement.

Priority 4: Operational resilience and data security

Applies to: Retail banks and building societies

Firms face continual risks to resilience and security from technology transformations (including digital-first strategies and AI adoption) increasing reliance on critical third parties, cyber threats including from state actors, and insider risks arising from malice or negligence. The number of operational incidents reported by retail banking firms to the FCA has been rising: 409 in 2022, 415 in 2023, 477 in 2024, and 468 in 2025.

The FCA expects firms to identify emerging risks to resilience, incorporating these in scenarios and testing to refine action plans for remediating vulnerabilities and remaining within impact tolerances; to continue evolving and improving cyber protection and information security strategies with tested recovery plans; and to manage any live issues within impact tolerances, managing the customer impact and communicating effectively.

What is new

Whilst firms have set impact tolerances for their important business services and tested their ability to remain within them, staying resilient and secure remains an ongoing challenge as risks and threats multiply. The FCA's approach to this priority is notably more interventionist than previous portfolio letters suggested. New rules for reporting operational incidents and information on material third parties (following CP24/28) are to be introduced alongside the PRA, with the FCA engaging with firms during the implementation period. 

The FCA will also collect information on insider risk management to gather insights on its maturity in the sector – a targeted supervisory initiative that has not previously featured in retail banking portfolio letters. A PRA/Bank of England consultation paper on ICT, cyber risk management and resilience is planned for 2026, and final rules on incident and outsourcing and third-party reporting are expected in H1 2026, with implementation twelve months later.

Practical steps for firms

• Update operational resilience scenarios and testing programmes to incorporate emerging risks, including AI-related risks and state-sponsored cyber threats. Do not rely on scenarios developed before these threats crystallised.
• Review and test recovery plans for cyberattacks and third-party failures, and ensure these plans have been genuinely stress-tested rather than simply documented.
• Begin assessing the maturity of your insider risk management framework now, ahead of the FCA's information-gathering exercise, as firms that cannot evidence a structured approach will be at a disadvantage.
• Monitor progress on CP24/28 and prepare for the new operational incident and third-party reporting requirements: begin mapping reporting workflows and data sources ahead of implementation.
• Participate in relevant cross-industry resilience initiatives – the FCA explicitly expects firms to contribute to system-wide resilience, not merely their own.

Additional areas requiring attention

1. Business banking outcomes 

Under the Consumer Duty, firms should monitor and assess outcomes for their eligible business customers, support them in pursuing their financial objectives, and avoid causing foreseeable harm. The FCA also wants firms to assess business customers' treatment and access to services, and to identify potential improvements, particularly in sectors important to national and economic security and the medium to long-term growth of the UK economy.

2. Motor Finance 

Some firms are affected by the Supreme Court's decision on motor finance and the FCA's consequent interventions on potential redress. The FCA will decide whether to introduce a redress scheme and, if so, expects to publish final rules in late March. Affected firms should ensure complaints handling is fully compliant with current FCA interventions.

3. Innovation

Current innovations relevant to retail banking include AI and targeted support, for which firms can now apply for permission to provide – including by using the FCA's pre-application support service. The targeted support regime goes live on 6 April 2026.

4. SMCR reform

Working with HM Treasury and the PRA, the FCA is reviewing the efficiency and effectiveness of the SMCR regime with the aim of halving its regulatory burden in H1 2026.

Conclusion

The FCA's inaugural Regulatory Priorities report for retail banking is not a repackaging of familiar supervisory messages – it is a recalibration of how the regulator intends to operate, and what it expects in return. The consolidation of more than 40 portfolio letters into a single, annually published document is itself a statement of intent, and the four priorities (access to cash and essential services, good consumer outcomes, fighting financial crime, and operational resilience) together define a regulator that is simultaneously more commercially engaged and more forensically data-driven than at any point in recent memory. 

The FCA's enforcement appetite has not diminished: it will apply a more risk-based approach for its largest firms and take stronger, faster action where harm is greatest. Firms that have treated Consumer Duty as a one-time implementation project, allowed financial crime controls to stagnate, or failed to invest in genuine operational resilience face a regulator with the tools, the data, and the stated willingness to intervene – as the recent final notices against Monzo, Barclays and Nationwide make abundantly clear.

Equally, the FCA is explicitly inviting firms to engage: to share insights, challenge its thinking, and help build a regulatory system that deepens trust, rebalances risk, and supports growth. The targeted support regime, the AI sandbox, the disclosure rule review, SMCR reform, and the open banking roadmap all represent genuine opportunities for firms that move first to help shape the rules they will live by. The question for every Board and Chief Executive reading this report is a simple one: are you in front of these priorities, or behind them?