So far, 2025 is shaping up to be a challenging year for the banking sector – as highlighted by the variety and high volume of themes we've analysed here. With pressure to innovate and support growth agendas, banks are working to make sure that they can remain resilient, treat customers fairly and promote a safe regulatory environment. Understanding what lies ahead in each of these areas will be key to navigating this.
Motor finance
The FCA continues its work on discretionary commission arrangements (DCAs) in motor finance and the outcome will be influenced by the upcoming judgment from the related Supreme Court appeal in April.
This case relates to judgments from the Court of Appeal in October 2024, which found in favour of three claimants regarding commission payments that were not fully disclosed. It has broader implications for all motor finance agreements where commission was paid to the broker, not just where there was a DCA.
There are also implications for the wider credit sector. The judgment drew on a broader fiduciary duty rather than explicit FCA rules, stating that brokers and lenders must act in the customers’ best interest and avoid conflicts of interest. Applying the same logic across the financial sector means that any credit arranged by a broker could potentially be in scope. This includes financial products bought on finance or via a price comparison website.
While the FCA’s investigation is ongoing, it has paused complaints handling until 4 December 2025 on all DCA and non-DCA related complaints about motor finance. This gives consumers more time to raise concerns and firms more space to assess complaints.
The FCA has confirmed that if motor finance customers have been negatively affected by widespread failings then it is likely to consult on an industry-wide, proactive redress scheme. If so, it will confirm that decision within six weeks of the Supreme Court’s judgment, with further details for the sector.
What do banks need to think about?
Long-term repercussions of the motor finance review can't be overstated. Lenders could face large-scale remediation and redress programmes, while consumers may find it harder to access this kind of product and loans.
Data will be one of the biggest challenges, with potential claims going back to 2007. Banks have almost certainly got new systems since then, and may struggle to identify the affected customers, or the policies or processes in place at that time. Effective communication with customers, regulators and the press is also crucial.
Digital assets
The digital assets landscape is evolving quickly and many banks are focusing their efforts on tokenisation. These projects will most likely see financial assets such as tokenised deposits, gold, securities or bonds moved to distributed ledger technology (DLT), such as blockchain. Some of the largest banks are already leading the way with large-scale pilots, and potential benefits include faster settlements, greater security, reduced costs, business efficiency and improved liquidity, among others.
Such projects could be fast-tracked over the next couple of years to reflect the UK Government's ambition to make the UK a “global hub for securities tokenisation”. These priorities are supported by the Bank of England and FCA’s joint Digital Securities Sandbox, which was launched last September and aims to help UK capital markets adopt DLT. There’s also the Digital Gilt Instrument (DIGIT), which aims to tokenise government bonds to improve efficiency and transparency around government debt.
These initiatives reflect a global shift in interest towards tokenisation. Last year, the Financial Stability Board published a white paper to explore the associated opportunities and risks. The European Banking Authority also published a report to promote awareness of tokenised deposits, with tokenisation established as a priority for its 2024-25 innovative applications workstream.
What do banks need to think about?
While regulators and standard setters are increasingly interested in tokenisation, supporting regulation is at a relatively early stage. Banks need to monitor these developments to ensure their approach to digital assets continues to align with their strategic ambitions and regulatory expectations.
Key milestones include the FCA’s crypto roadmap, which outlines forthcoming consultations for the treatment of stablecoins, custody arrangements, prudential risk management, trading platforms, conduct and financial crime, among others. It will also publish a new prudential sourcebook in 2025, outlining capital, liquidity and risk management requirements for digital assets.
It’s also important to consider digital assets in the context of the wider fundamental compliance frameworks, including anti-money laundering and counter-terrorist financing, and rules on operational resilience on consumer duty, to name a few.
Digital assets regulation: the FCA's new crypto roadmap
Payments
The payments sector is undergoing a period of rapid change to keep pace with regulation, emerging technology and consumer demand. Banks and payments service providers (PSPs) face increased challenges to manage risk, comply with regulation and remain competitive with their payments products and capabilities. Current regulatory priorities, as set out in the recent update from the Payment Systems Regulator, include preventing fraud and encouraging innovation while maintaining the integrity of the financial system and preventing consumer harm. These key focus areas are at the forefront of open banking, consumer duty, operational resilience, safeguarding funds and effective governance.
What do banks need to think about?
Banks also need significant investment for the mandatory adoption of UK and global ISO 20022 payment messaging changes. SWIFT support for legacy payment messages ends in December 2025. The industry is working to make sure there’s clear alignment between internal and external payment messages and interactions, and to reduce any negative impacts for customers. These changes are essential to maintain compliance with the Bank of England and other payment market infrastructure group operators across the globe.
The EU has also introduced the Single European Payments Area (SEPA) Instant Payments Regulation (IPR), making it compulsory for all EU participants to offer instant payments to customers. This includes verification of payee requirements, which are due by 5 October 2025. Banks that only transact in the European Economic Area and the UK don’t have to meet the above timelines. However, as the UK participates in the SEPA scheme, more banks will need to upgrade their instant payments offering to meet IPR requirements.
Banks and other PSPs must take a data-led approach to transaction monitoring, and ensure they adhere to Consumer Duty principles – specifically those around the wider supply chain, and mitigating the potential for, and remedying actual, financial harm. There’s also the potential for poor consumer outcomes for fraud related to intra-firm payments, which are not carried out by CHAPS or FSP. From a regulatory standpoint, these do not offer the same levels of consumer protection, and banks need to carefully consider their control environment and reimbursement policies.
Financial crime
Financial crime compliance remains a ‘big ticket’ cost item for banks. There are also ongoing concerns about the effectiveness of systems and controls in detecting and deterring crime. Some larger banks have invested in new technology to address this challenge, such as AI for transaction monitoring and dynamic customer risk rating. However, financial crime compliance activities remain primarily people-driven for many firms.
Payment continues to be a key area of focus, including adoption of Confirmation of Payee (CoP) safeguards to prevent authorised push payments (APP) fraud. Under new rules, which went live in October 2024, banks and PSPs must reimburse CHAPS and FPS victims of APP fraud unless the customer was grossly negligent or involved in the fraud. Where fraud is suspected, sending banks and PSPs may delay the payment for up to four days to investigate further.
In addition to APP fraud prevention measures, some key provisions from the Economic Crime and Corporate Transparency Act 2023 come into effect this year. These include the new failure to prevent fraud offence from 1 September 2025, and new Identification and Verification (ID&V) requirements at Companies House.
This year also brings some uncertainty. It's unclear whether the FCA’s growth agenda and the Government's focus on competitiveness will lead to any changes in the UK Money Laundering Regulations or other relevant legislation; and geopolitical tensions mean that sudden shifts in sanctions are possible. In the meantime, there's no sign that the FCA is wavering in its approach to supervision, investigation and enforcement – as shown by sizeable fines for several challenger banks in 2024.
What do banks need to think about?
The basics still matter, and all banks need to be comfortable that core due diligence and monitoring activities happen when they should and to an appropriate quality standard, including sanctions screening. The new failure to prevent fraud offence requires a risk assessment, and firms need to think about a wider range of fraud risks and controls.
The FCA has signalled that wholesale brokers’ financial crime controls will be the subject of scrutiny this year and banks with broking arms may need to review their frameworks.
With regards to payments, banks and PSPs must have effective anti-fraud systems and controls in place, including: effective governance arrangements, regular reviews of systems and controls, and appropriate ongoing customer due diligence.
Finally, firms contemplating the use of AI and machine learning for financial crime – or any other new technology – need to think carefully about configuration, data quality, training and testing, before they deploy new tools.
Data
AI-driven decision-making and advanced analytics are on the rise and firms need to build trust in these automated systems. As such, it’s essential to create a robust foundation of data governance and data management to underpin all operations. Effective data management ensures that data is accurate, accessible and reliable, serving as a critical enabler for decision-making, regulatory compliance and operational efficiency. Strong data governance frameworks help define ownership, maintain data quality and enforce data policies, helping to reduce data risks.
On an operational level, banks need trusted data that is accessible, reliable and fit for purpose – whether it’s for more tangible topics, such as Basel 3.1 or regulatory reporting, or more qualitative areas, such as behavioural risk or ESG. Consumer Duty is particularly challenging, as it requires firms to collect more data than ever before. This includes information on the wider supply chain, fair value assessments, more details on the customer themselves and to identify the potential for consumer harm.
There’s also BCBS 239 compliance to consider, which focuses on risk data aggregation and risk reporting (RDARR). This is currently under greater scrutiny due to recent European Central Bank feedback from its on-site inspection campaign, which found some data infrastructure and IT architecture wasn't fit for purpose. There were also poor data quality controls, which affected accuracy and integrity.
What do banks need to think about?
First and foremost, banks need to redefine their data governance and management frameworks. As data becomes more decentralised across business lines, functions, cloud platforms, third-party providers and open banking ecosystems, banks must establish robust data governance structures that go beyond compliance. This means clearly defining data ownership, accountability and stewardship across the organisation.
Finally, with the heightened potential for remediation and redress activity this year, banks need to proactively consider the quality, accessibility and integrity of their historic customer and product data. In an environment of increasing regulatory scrutiny, having clean, well-governed historical data can significantly mitigate risks and support more effective, defensible outcomes during remediation efforts.
Use of AI
AI tools are more accessible than ever, with widespread adoption across the banking sector. These tools can be a game changer for large workstreams, such as motor finance reviews, Consumer Duty compliance, ESG or financial crime. They can also help banks stay on top of complex regulations, tracking requirements from the regulation itself, through to the corresponding policy and operational activities.
However, there’s a growing focus on AI assurance, data privacy, data ethics and data usage, with stricter rules on how customer data is collected, processed, and shared. As new AI guidelines emerge, such as the EU AI Act, banks need to consider implementation in the context of broader ethical data and AI practices. This includes addressing algorithmic bias, ensuring transparency in AI-driven decisions, and implementing robust data and AI governance frameworks that prioritise accountability and fairness.
The ethical use of AI and data analytics is another key concern. As AI and machine learning models become integral to many of bank’s processes and decision making, transparency and accountability in how these models operate is essential. Banks must implement strong governance around AI, ensuring algorithms are free from biases, explainable to stakeholders, and aligned with ethical standards. Regular reviews of AI models and robust AI assurance framework, combined with a focus on ethical data sourcing and usage, will help maintain compliance and trust.
What do banks need to think about?
While AI has the potential to make cost savings and efficiencies across an organisation, there are significant risks. Firms need to prioritise data accuracy, establish reliable data sources and be able to identify errors.
Fair treatment of customers and compliance with Consumer Duty is a top priority, and firms need to think about the governing policies, procedures and training needed to mitigate the associated risks. The EU AI Act will undoubtedly influence the approach in the UK, so early adoption of best practice on transparency, explainability and bias mitigation will give firms a competitive edge.
The Treasury Committee has launched an inquiry to assess the potential impact of AI in financial services, to gauge its effect on innovation, competitiveness, employment rates and the impact on customers. The FCA has also recently run an information-gathering exercise through its AI Lab and has held an AI Sprint, considering possible future use cases for AI in financial services and the potential impact on regulation. It’s important to monitor these outputs to help shape good practice, drive UK innovation and protect consumers.
Operational resilience and third-party risk
With DORA now in force, and the UK operational resilience deadline of 31 March, firms are finalising their approaches to ensure they have a clear, explainable position on how they meet fundamental requirements. Given statements by both the UK and EU regulators, firms will need to embed these implementations as business as usual, recognising that operational processes will need to be updated over time, as regulatory expectations and business strategies evolve.
A particular area of challenge is in ensuring consistent taxonomy and visibility across the organisation and throughout the digital supply chain. As banks continue to adopt new technology and update legacy infrastructure, there is a growing dependence on third-party services including for critical functions, as highlighted in the ECB’s recent newsletter. Many of these services are niche, giving way to concentration risk. This also reduces available suppliers to move to in the event of a service outage and limits options for substitutability.
However, operational resilience issues are not specific to third parties and issues could cover anything from climate risk to cyber-attacks to sociopolitical risks. Robust scenario testing, effective response and recovery plans, and ongoing self-assessment are crucial to effective operational resilience arrangements.
What do banks need to think about?
Banks need to consider their critical third parties, and how they can restore important services within their impact tolerance limits. Larger banks, or those with EU operations will also continue to refine their operational resilience approach for DORA, ensuring synergies across the two regulations. Recording and reviewing digital resilience information in a consistent way and against a clear taxonomy is the next challenge for firms.
It’s also important to consider the interplay between operational resilience and Consumer Duty, recognising the potential for consumer harm and taking active steps to prevent it.
ESG
Environmental, social and governance (ESG) remains a key challenge for banks. A lot of work has gone into managing climate-related financial risks, predominantly through SS3/19 (which is due an update later this year). However, the conversation has shifted to look at broader factors such as biodiversity, nature loss, culture, diversity and inclusion, and wellbeing, to name a few. In terms of risk management, these are all at different stages of maturity and banks need to understand how these factors can translate into traditional categories, such as credit risk, market risk or operational risk. From there, it's important to identify how they could crystallise over short-, medium- and long-term horizons, taking into account both physical and transition risks.
Banks also need to consider regulatory compliance with key initiatives such as the Sustainability Disclosure Rules (SDR). Under SDR, all FCA-regulated firms are subject to a broad anti-greenwashing rule, and it’s important to understand how this rule supports and interacts with Consumer Duty. The Government is also creating UK Sustainability Reporting Standards (UK SRS), based on the ISSB standards, including IFRS 1 (on disclosing sustainability-related financial information) and IFRS 2 (on climate-related disclosures). These in turn incorporate the Task Force on Climate-related Financial Disclosures (TCFD) disclosure framework.
What do banks need to think about?
Poor quality data makes it tricky to identify, track and measure ESG exposures. This is partly due to inconsistent and unreliable ESG ratings, and the FCA is consulting on regulating ESG ratings providers later this year to improve trust and integrity across the market. In the meantime, banks need to make sure they robustly assess all ESG-related data sources for credibility and apply science-based targets wherever possible, particularly for scenario planning.
Banks also need to monitor the regulatory environment closely. Best practice from think tanks, forums and international bodies continue to inform regulation, however this is happening alongside moves to rationalise sustainability reporting requirements, for example, through the proposed EU Omnibus regulation. Staying on top of these changes is essential for a streamlined, clear and consistent approach to ESG regulation.
Risk management of trading controls
The Prudential Regulation Authority (PRA) is increasingly concerned with trading controls. It is particularly focused on inappropriate trades, which are usually due to miscommunication, incorrect orders, poor or manually overridden controls, or algorithms that aren’t functioning as expected. Banks’ markets, sales and trading divisions must clearly delineate these trades from fraudulent (unauthorised) trades, and take active measures to prevent them. This is a slight shift in focus, with many firms historically focusing on detective over preventative measures in this space.
Inappropriate trades can have a significant impact on market stability, and as such, the regulators are focused on blocking controls’ design and calibration. Banks must demonstrate that they have robust end-to-end controls in place, that are well designed and operating effectively.
What do banks need to think about?
Banks need to assess their first-, second- and third-line controls to ensure they continue to align with regulatory expectations. This includes risk and control assessments, compliance with e-trading and algorithmic trading regulations, and broader regulatory alignment with MiFID II, EMIR, MAR and Dodd-Frank.
Recovery, resolution and solvent exit planning
Across the banking sector, we expect an increase in recovery and resolution work. This continues a trend from the last few years, driven by funding and liquidity challenges, when banks’ business models are impacted by heightened reputational risks and a decline in investor confidence. There are also ongoing economic volatility, global political shifts and uncertainty around international tariffs, all of which could provide a challenging financial environment for banks.
What do banks need to think about?
While all banks need to think about recovery and resolution planning, in line with the Resolvability Assessment Framework (RAF), the challenges are different depending on their size and scale. In particular, non-systemically important banks need to consider solvent exit planning or the potential for a modified insolvency to support a safe exit from the market.
Most importantly, these plans need to extend beyond an academic exercise and be rooted in practical, realistic actions that are tried and tested through robust scenario testing. These need to be credible, and directly applicable to the business model and risk appetite. Banks also need to embed effective communication strategies and consider how they will manage critical services, including their impact on customers and the wider market.
M&A activity
Over the last few years, external factors such as the economic environment and political uncertainty have led to subdued M&A activity across banking and the wider lending sector. There is now ongoing caution due to uncertainty over motor finance discretionary commission arrangements (DCAs), and the wider Supreme Court judgement. As a result, several non-bank lenders (potential strategic acquisition targets for banks) who were preparing to come to market have halted M&A plans until there is further clarity.
Despite this, there were multiple transformational deals last year, largely driven by a desire to achieve scale and product diversification. We have seen early signs of consolidation within the challenger banking space with building societies emerging as a new set of consolidators. The integration success of these deals will set the tone for further consolidation in the sector. Funding and capital efficiencies will also create opportunities to combine challenger banks (with an attractive cost of funds) and non-bank lenders (with strong distribution capabilities).
What should banks do now?
The second half of 2025 and early 2026 will most likely bring a flurry of activity as the sector gains greater clarity over DCAs and commissions. This could prompt highly competitive processes, as investors compete to boost capabilities and grow market share.
A theme to watch is the ’valuation gap’’ between buyers and sellers. Buyers will need to consider the growth potential for acquisitions and factor that into their offers to secure strategically important plays.
Basel 3.1
The PRA published the second half of its near-final rules for the Basel 3.1 standards in October 2024, laying the groundwork for UK firms to start the implementation process. However, uncertainty over the US adoption has thrown a spanner in the works prompting the PRA to delay the UK’s implementation by one year, until 1 January 2027.
Many firms will prefer a consistent application across their global operations – including those in the US. This is especially important in the context of the UK Government’s growth agenda, where international regulatory alignment can have significant implications. If the US adopts a light touch version of Basel 3.1, that could result in material changes to the UK’s implementation.
What do banks need to think about?
The PRA is taking a wait-and-see approach, pausing planned work such as the data collection exercise on firm-specific Pillar 2 capital requirements (originally due in March 2025).
The changes may also affect the Small Domestic Deposit Takers (SDDT) regime for smaller banks that may reconsider applying Basel 3.1, if Basel 3.1 is not disproportionate to their size and scale. While the implementation dates now align better across the two regimes, the PRA will extend the application window for the Interim Capital Regime (previously February 2025).
Despite the uncertainty, the PRA has re-iterated that the final date for Basel 3.1 compliance will remain as 1 January 2030, giving firms less time to implement the necessary changes. With a significant amount of work ahead, particularly around building and approving the associated models, banks need to achieve as much as they can with the current guidance and continue to monitor for any regulatory updates in this space.
The changing tax landscape
The tax landscape is evolving rapidly, bringing new challenges for banks. Perhaps the most significant change is Pillar 2, which was introduced at the end of 2023 and is a fundamental shift in how businesses are taxed. Carrying additional global compliance and reporting obligations, it will have the biggest impact on international firms, but some UK domestic-only banks will also need to determine if they are in scope.
There are also VAT policy exemptions to consider, and last year’s (highly-technical) policy statement from HMRC to financial services firms was challenging for the banking sector as it was introduced without consultation. This potentially removes some VAT exemptions and could lead to increased costs, with a lack of clarity around compliance expectations.
Banks also need to consider ongoing challenges from operational taxes, such as the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS), which are currently under increased scrutiny from HMRC and other tax authorities. There’s also the lasting impact of the Corporate Criminal Offence (CCO) legislation, which makes firms criminally liable for acts of tax evasion committed by an associated person, unless they can demonstrate reasonable preventative controls.
It's also important to consider recent changes to the UK research and development (R&D) tax rules, which saw the gross research and development expenditure credit (RDEC) rate rise from 13% to 20%. This aligns to the Government’s broader initiative to support and promote innovation. However, where banks have contracted out some of their R&D activities, it’s unclear who is eligible for the relief – the contractor or the bank – and there are some eligibility restrictions in place.
What do banks need to think about?
Banks have a lot to think about regarding tax this year, and how they approach these issues could have a significant impact on their cost base and profitability.
Under Pillar 2, financial reporting obligations could be triggered earlier, as could adjustments to forecasting models and transfer pricing. So, it’s important to prepare these statements and supporting documentation early, to avoid missing key deadlines.
HMRC has increased oversight of financial services VAT exemptions, as well as FATCA and CRS returns so banks need to make sure they have appropriate processes and procedures in place to demonstrate compliance. Banks need to be prepared for an audit, so appropriate documentation is vital. CCO firms also need to have an up-to-date risk assessment in place.
When planning R&D activities, banks need to pay particular attention to the type of activity underway and the use of contractors, noting that these choices will significantly impact the associated tax and potential exemptions.
For further insight and guidance, get in touch with Paul Garbutt.
