PRA
The Prudential Regulation Authority regulates banks, building societies, and insurers in the UK — its focus is systemic risk, capital adequacy, and operational resilience of systemically important institutions.
The Prudential Regulation Authority (PRA) is part of the Bank of England and regulates approximately 1,500 deposit-takers, insurers, and major investment firms in the UK. While the FCA focuses on conduct and consumer outcomes, the PRA focuses on prudential safety and soundness — ensuring that firms hold adequate capital, manage risk appropriately, and will not fail in ways that destabilize the financial system. PRA-regulated firms must satisfy both regulators simultaneously, as the FCA and PRA have overlapping but distinct supervisory objectives.
The PRA's operational resilience framework — introduced through SS1/21 — requires PRA-regulated firms to identify important business services and demonstrate the ability to remain within impact tolerances through severe but plausible disruption scenarios. Unlike FCA operational resilience (which focuses on consumer impact), PRA operational resilience focuses on systemic impact — the disruption a firm's failure would cause to the broader financial system. The engineering requirements are similar but the severity assumptions are more extreme.
PRA technology risk is governed by SS2/21, which sets expectations for firms' risk frameworks around operational risk from technology and cyber threats. The PRA expects firms to have board-level ownership of technology risk, comprehensive vulnerability management programs, rigorous third-party risk management for technology suppliers, and incident response capabilities tested against realistic scenarios. For firms using cloud services, the PRA expects the same risk management that applies to on-premises infrastructure; cloud does not reduce PRA scrutiny, it shifts it.
We build PRA-compliant systems for UK banks and insurers — designing operational resilience architecture that satisfies SS1/21 impact tolerance requirements, implementing technology risk management frameworks that meet SS2/21 expectations, and building the third-party risk management infrastructure for cloud-dependent systems. Our teams understand the PRA examination process and design systems that meet systemic-impact resilience standards.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.