
OUT-LAW ANALYSIS

How to withstand PRA scrutiny as new climate risk governance rules go live



UK banks and insurers are now operating under a materially higher supervisory standard for the management of climate-related financial risks as new rules take effect.


The Prudential Regulation Authority’s Supervisory Statement SS5/25 has replaced SS3/19, with the June 2026 deadline for firms to complete internal reviews and develop plans to address gaps having now passed.

For PRA-regulated firms, climate risk is no longer a developing expectation or a matter of voluntary enhancement. It is a live prudential risk management issue, with implications for governance, risk frameworks, capital and solvency assessments, scenario analysis, data, disclosures and senior management accountability.

The practical question for boards is now not whether the firm is “getting ready” - it is whether the firm can show that its climate risk governance, controls and decision-making would withstand supervisory scrutiny.

From readiness to evidence

SS5/25 sets out the PRA’s updated expectations for how banks, insurers and designated investment firms should identify, measure, manage, monitor and report climate-related financial risks.

The statement covers governance, risk management, climate scenario analysis, data and disclosures, together with banking- and insurance-specific issues.

The PRA has framed the new expectations as proportionate - but proportionality does not mean optionality. Firms are expected to assess climate-related risks by reference to the materiality of their exposures; document and justify their judgements; and revisit them as data, climate science, modelling capability and business exposures evolve.

That has important consequences. A firm that concludes that certain climate risks are not material should be able to produce the evidence supporting that judgement, and one which has identified material risks should be able to demonstrate how those risks have been embedded into governance, risk appetite, business strategy, controls, reporting and escalation routes.

In practice, this means firms should expect questions such as:

  • has the board approved the firm’s materiality assessment, and does it understand the limitations of the analysis?
  • are climate-related risks recorded appropriately on the risk register and mapped to existing risk categories such as credit, market, liquidity, operational, insurance and reputational risk?
  • are scenario analysis outputs being used to inform strategy, risk appetite, capital planning and business decisions, rather than sitting outside core risk processes?
  • are external disclosures consistent with the firm’s internal risk management and governance evidence?
  • is there a clear audit trail showing how assumptions, limitations, data gaps and judgements have been reviewed and challenged?

Governance likely to be first line of scrutiny

The strengthened expectations in SS5/25 put board ownership and senior management accountability at the centre of climate risk supervision. The PRA’s approach reflects a clear view that climate-related risks are financial risks and should be managed through the same discipline as other material prudential risks.

This creates a particular challenge for firms that have developed climate risk frameworks but have not yet fully tested whether those frameworks operate in practice. Policies, risk appetite statements and committee terms of reference may not be enough if the firm cannot show how climate risk information flows through the organisation and influences decision-making.

Our view is that the supervisory focus is likely to be on evidence. If the PRA asks how a board satisfied itself that climate-related risks were properly identified, assessed and managed, firms will need a clear governance narrative supported by documents, decisions and escalation records.

A well-written policy will not be enough if the underlying evidence does not show effective implementation. The regulatory consequences of weaknesses may include governance remediation, capital add-ons or constraints, and scrutiny of individual senior managers where responsibilities and oversight are unclear.

The litigation and investor angle

SS5/25 also lands in an environment of increased investor scrutiny of climate governance, transition planning and corporate disclosures. Shareholders and other stakeholders are increasingly challenging companies on whether climate-related risks have been properly assessed, whether disclosures are consistent with the underlying evidence, and whether accounts provide a true and fair view.

For banks and insurers, this means the same evidence base may need to serve multiple purposes. It may be relevant to PRA supervision, board assurance, audit committee oversight, investor engagement, annual report disclosures, transition planning and as a defence for potential disputes or litigation.

The interaction with international reporting standards is also important. The PRA expects external disclosures to be consistent with internal risk management, and the wider direction of travel in sustainability reporting is towards International Sustainability Standards Board (ISSB) aligned disclosure and stronger connectivity between financial reporting, risk governance and climate-related assumptions.

This increases the importance of a defensible materiality assessment. If a firm’s external disclosures say one thing, its risk register says another, and its board papers do not show how climate risk judgements were reached, the firm may face questions from regulators, investors and other stakeholders.

Post-deadline reviews need investigations discipline

Many firms completed some form of internal review before the 3 June 2026 deadline. The next stage is different. The focus now is on whether those reviews were sufficiently robust, whether identified gaps have been remediated, and whether the firm can explain its position if challenged.

That makes the design of any post-deadline assurance exercise critical. A review that is too narrow may miss implementation weaknesses. A review that is too informal may fail to create a reliable evidence base. A review that is not properly governed may create additional risk if it identifies gaps but does not support coherent remediation.

Firms should consider whether any post-deadline review should be structured with investigation-grade discipline: clear scoping, document preservation, disciplined evidence gathering, stakeholder interviews where appropriate, findings analysis, escalation protocols, remediation planning and careful reporting to the board or relevant committee.

Legal privilege may also be relevant, particularly where a review could identify historic weaknesses, governance failures or evidence that may become relevant to supervisory engagement, investor challenge or litigation.

Post-deadline reviews should be treated with the same care as any sensitive regulatory review. If the review identifies a gap that already exists under the live supervisory standard, the firm needs to manage the legal, regulatory and governance implications carefully.

That is where scope, privilege, evidence handling and reporting lines really matter.

What good looks like

Although SS5/25 is detailed, the core features of a defensible approach are practical. Firms should be able to show that climate-related financial risks have been assessed, embedded, governed and monitored in a way that is proportionate to their risk profile and business model.

In practice, a defensible position is likely to include:

  • a board-approved climate risk materiality assessment, with documented assumptions, limitations and challenge;
  • clear allocation of senior management responsibility and committee oversight;
  • integration of climate-related risks into existing risk categories, risk appetite and risk registers;
  • evidence that climate scenario analysis informs strategic and risk decisions;
  • data governance arrangements that acknowledge limitations and support prudent interpretation;
  • consistency between internal risk management, board reporting and external disclosures;
  • a prioritised remediation roadmap for identified gaps; and
  • an audit trail showing how decisions were reached and revisited over time.

The firms that will be best placed are those that can demonstrably connect the dots between climate science, financial risk, governance evidence and disclosure.

The PRA is not asking firms to predict the future with certainty. It is asking them to show that they understand the risks, have made reasoned judgements, and have embedded those judgements into the way the business is governed.

Preparing for PRA engagement

PRA engagement may take different forms, including supervisory conversations, targeted information requests, or thematic or firm-specific reviews and follow-ups arising from disclosures or existing supervisory work.

Firms should therefore prepare now for how they would respond if asked to provide evidence of compliance. That means identifying who owns the response, where the key documents sit, how board and committee materials are organised, how materiality judgements can be explained, and how known gaps are being remediated.

A rushed response to a regulator request can expose weaknesses that might otherwise have been remediated or explained. A structured assurance review can help firms identify gaps before the regulator does, develop a credible remediation plan, and ensure that the board has a coherent narrative for how the firm is managing climate-related financial risk.

Four immediate priorities to consider

Boards and senior managers should use the post-deadline period to focus on four immediate priorities.

Firstly, they should test whether the firm’s SS5/25 review was sufficiently comprehensive and whether it covered governance, risk management, scenario analysis, data, disclosures and sector-specific expectations. Secondly, they should review the evidence base supporting materiality assessments, proportionality judgements and decisions to exclude or deprioritise particular risks.

Thirdly, they should assess whether climate risk is embedded in practice, not only in policy documents. This includes testing reporting lines, escalation processes, board papers, risk committee minutes, scenario analysis outputs and links to capital and solvency assessments. Finally, they should consider whether identified gaps require privileged remediation planning, particularly where weaknesses may be relevant to supervisory engagement, investor challenge or potential litigation.

SS5/25 marks a clear shift from climate risk as a policy concern to climate risk as a prudential governance issue. Boards and senior managers now need to be able to evidence not only that frameworks exist, but that they are embedded, tested and capable of informing real risk decisions.

With SS5/25 now live and enforceable, firms should assume that supervisory engagement is no longer hypothetical. The immediate task for boards and senior management is to move from framework design to demonstrable evidence of effectiveness.

The question boards should be asking themselves now is simple: if we had to explain and defend our climate risk governance tomorrow, to the regulator, investors or auditors, could we do so confidently and with evidence?
