Bank of England, FCA and Treasury Issue Joint Frontier AI Warning to UK Financial Services Firms as Cyber Capabilities Outpace Human Practitioners
The Bank of England, the FCA (Financial Conduct Authority), and HM Treasury published a joint statement warning UK financial services firms that frontier AI (the most advanced AI models currently being developed and deployed) already poses a material and escalating cybersecurity risk to the sector. The regulators stated that "the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost." The joint statement warned that these capabilities, if used maliciously, amplify cyber threats to firms' safety and soundness, their customers, market integrity, and financial stability. Firms were directed to take active steps to manage these risks and were pointed to existing cyber resilience guidance published jointly by the Bank of England, PRA (Prudential Regulation Authority), and FCA in October 2025, as well as resources published by the UK National Cyber Security Centre (NCSC) to help firms understand frontier AI, prepare for a vulnerability "patch wave," and deploy AI defensively to identify their own vulnerabilities. The statement arrives against a backdrop of intensifying AI-related hiring in regulatory practices: McDermott Will & Schulte separately announced the hire of privacy and AI partner Elisabeth Dehareng in Brussels, joining from Baker McKenzie, to advise on the EU AI Act, Digital Services Act, Data Act, Cyber Resilience Act, and NIS2 Directive. The hire underscores that regulatory advisory demand around AI governance is translating into concrete lateral hiring at the partner level across UK and EU practice groups.
Why this matters
A joint statement from the Bank of England, FCA, and HM Treasury carries the highest possible weight in UK financial regulation — it signals that AI-related cyber risk is now treated as a systemic concern, not merely an operational IT matter. For regulated firms, this creates a near-term compliance obligation: they must be able to demonstrate to the FCA and PRA that their cyber resilience frameworks have been assessed against frontier AI threat scenarios, which requires legal, compliance, and technology teams to work together on policy updates. The McDermott hire of an EU AI Act specialist reflects the same dynamic in Brussels: as the EU AI Act enters full implementation, firms across Europe need dedicated regulatory counsel — and elite firms are racing to build that capability.
On the Ground
A trainee responding to this guidance on behalf of a financial services client would assist with AI governance policy drafting, updating the firm's existing cyber resilience framework against the October 2025 PRA/FCA benchmarks. They would also prepare a regulatory impact assessment memo mapping the frontier AI risks identified in the joint statement against the client's current technology stack, and assist with vendor due diligence questionnaires for any AI tools the client deploys.
Interview prep
Soundbite
Regulators saying AI already outpaces skilled humans in cyber attack means compliance frameworks written last year are already out of date.
Question you might get
“What specific steps would you advise a UK-regulated bank to take in response to the Bank of England, FCA and Treasury's joint frontier AI statement, and how would you prioritise those actions?”
Full answer
The Bank of England, FCA, and Treasury have jointly stated that frontier AI cyber capabilities already exceed what skilled human practitioners can achieve — a striking regulatory assessment that elevates AI risk from a technology problem to a systemic financial stability concern. For law firms advising regulated financial institutions, this creates immediate work: clients need to update cyber resilience frameworks, prepare board-level governance documentation, and demonstrate readiness to the FCA and PRA in the next supervisory cycle. This connects to the broader trend of AI regulation accelerating ahead of firm and regulator capacity to manage it — the EU AI Act, the UK's post-Brexit AI governance agenda, and now this joint statement are all converging simultaneously. The most significant implication is that firms which treat AI governance as a future problem rather than a present compliance obligation will face increasing regulatory scrutiny in 2026.