What happened
The Bank of England, Financial Conduct Authority, and HM Treasury published a joint statement on 15 May 2026 formally directing regulated firms and financial market infrastructures (FMIs) to treat frontier AI as a material cyber and operational resilience risk. The statement asserts that 'the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost,' and warns that 'these capabilities, if used maliciously, amplify cyber threats to firms' safety and soundness, customers, market integrity, and financial stability.' Regulators specify four action domains: governance and strategy, vulnerability identification and remediation, third-party and supply-chain risk (including open-source components), and resourcing and capability — including the potential need for automated AI-enabled defences. Boards and senior management are explicitly named as accountable.
Why it matters
This is the first time the UK's three most senior financial regulators have issued a unified directive explicitly naming frontier AI as an operational resilience threat, linking it directly to existing supervisory frameworks. For CISOs and boards of UK-regulated institutions, this converts frontier AI cyber risk from a watch-list item into a supervisory expectation requiring documented controls.
Action needed
Boards of UK-regulated firms and FMIs should request a gap assessment against the four action domains within 30 days, with named board-level owners for each domain. CISOs should confirm that frontier AI threat scenarios are reflected in the operational resilience self-assessment and in the next reporting cycle (UK operational resilience reporting, and DORA reporting only where the firm's EU-regulated entities fall within that regime's scope).