X-twitter Lock Envelope Phone-alt

PRA Review of the Sector 2025

Facebook
Email
Twitter
LinkedIn

PRA Review of the Sector 2025

The PRA have issued their 2025 review of the sector letter for credit unions with turnover up to £50million.

The letter covers 2 main risks to the credit union sector:

  • Operational Resilience- The PRA’s thematic work in 2026 will focus on supporting credit unions strengthen their operational resilience. Reliance on third parties, cyber attacks and contingency plans remain key areas for operational resilience. The PRA have also set out a separate letter on this topic and their expectation for Credit Unions.
  • Disorderly Failure- The PRA expect Board’s to monitor their credit union and where the credit union is no longer sustainable to consider alternatives and engage with regulators and trade bodies to reduce the risk of disorderly failure.

The PRA have also stated that governance will be a regulatory focus in 2026. They expect credit union Board’s to:

  • Ensure proper succession plans are in place
  • Regularly assess MI
  • Regularly review key policy documents
  • Improve business planning and ensure business plans are kept up to date.
  • Implement formal and timely appraisals of Board and Senior Management against targets.
The letter can be found here and should be reviewed by Board Members and Senior Management.

Operational Risk and Resilience

  • The PRA also issued a letter on Operational Risk and Resilience. Some of the main areas of focus are set out below:

Outsourcing

The PRA made a number of key points about outsourcing including:

  • Credit Unions must consider the risks posed by outsourcing particular where these involve critical third parties
  • Must not delegate senior personnel responsibilities and there must be oversight of the outsourced function.
  • Service provider must have capacity and authorisation to carry out the activities reliably
  • Appropriate action must be taken when the third party is not carrying out their activities reliably
  • Agreements should set out requirement for third parties to inform credit union of any events that could have material impact on ability to carry out the service.
  • Credit Unions should be informing regulator before entering into any material outsourcing arrangements.

Cyber Risk

Credit Unions are expected to treat cyber risks as a key component of their operational risk framework. The PRA have provided copies of their CQUEST questionnaire to help Credit Unions consider the risks.

Core Services

The PRA is encouraging Credit Unions to:

  • identify their core services,
  • understanding dependencies in these services,
  • assessing vulnerabilities to these services,
  • developing and testing contingency plans to ensure these services continue
  • Engaging in Board Oversight

We would encourage Credit Unions to review the PRA letters in detail and consider the operational risk arrangements.