
What the PRA’s new SS 5/25 means for financial institutions
The Prudential Regulation Authority (PRA) has published its final version of Supervisory Statement 5/25 (SS 5/25), marking a fundamental update to how it expects banks and insurers to identify, manage, and govern climate-related risks. The statement replaces the PRA’s 2019 supervisory statement (SS3/19) and reflects six years of industry progress, persistent supervisory concerns, and a shift from awareness to implementation.
SS 5/25 is not a checklist. It is a clear message to firms that climate risk must be treated as a core part of prudential management. Unlike the more prescriptive ESG guidance issued by EU supervisors, the PRA maintains a principles-based approach. This should not be mistaken for lower ambition. Expectations have been significantly raised, and the focus is now on integration, governance, and action.
From Framework to Function
SS3/19 was a foundational statement. It set out high-level principles, encouraged early scenario analysis, and emphasised the need for governance structures. It reflected the state of the market at the time: low capacity, growing interest, and limited data.
SS 5/25 builds on SS3/19. The PRA now expects climate risk management to inform business strategy, be embedded across the three lines of defence, and be regularly reported to Boards with sufficient technical detail to support decisions. Senior managers are expected to demonstrate ownership of climate issues and report clearly on risk appetite, exposures, and mitigation plans.
In short, what was once seen as “leading practice” is now the baseline.
Where Expectations Have Grown Stronger
Several areas show the clearest evolution in supervisory expectations:
1. Governance and accountability
Boards are expected to review and sign off on the firm’s material climate risks, supported by detailed internal reporting and analysis. Senior Management Functions (SMFs) are expected to lead the firm’s climate risk response within existing accountability frameworks and regularly update the Board on practices, strategy, and implementation. Firms should document this governance process in a way that allows supervisors to review how climate risk is being managed at the top.
2. Risk appetite and materiality
The PRA formalises a two-step process. First, all firms must assess whether climate-related risks are material. This assessment is risk-based and not driven by firm size. The outcome must be signed off by the Board and revisited periodically. Second, where risks are deemed material, firms are expected to develop and maintain a proportionate but robust risk management framework, including clear appetite statements and thresholds. These should cascade to business units and be used to guide client-level and portfolio-level decisions.
3. Scenario analysis (CSA)
The PRA continues to note that firms have yet to fully operationalise climate scenario analysis. SS 5/25 clarifies how this should change. Scenario selection should reflect the firm’s unique risk profile, with assumptions grounded in scientific evidence and relevant jurisdictional policy targets. The guidance reinforces the use of reverse stress testing to assess business model vulnerabilities and makes clear that CSA should inform decision-making, not function solely as an external reporting exercise. Boards and executives are expected to understand the outputs and act on them.
Firms that rely on third-party scenario tools must be able to explain how they work, what assumptions they rely on, and what limitations they face. Outsourcing the technical work does not outsource the responsibility.
4. Sector-specific requirements
For banks, SS 5/25 reinforces expectations that climate-related risks to cash flow, asset liquidity, and funding should be assessed and managed through existing liquidity and capital planning frameworks, including ICAAP and ILAAP where relevant.
For insurers, the PRA expects deeper integration of climate risk into the Own Risk and Solvency Assessment (ORSA), with climate change considered as a risk driver across relevant components of the Solvency Capital Requirement (SCR). In particular, insurers are expected to assess how climate change may affect asset valuations, liability risks (including through higher claims or litigation), and Matching Adjustment portfolios, especially as exposure to illiquid assets increases under Solvency UK reforms.
5. Data and internal reporting
While data gaps remain a constraint, the PRA makes it clear that this cannot be an excuse for inaction. Firms are expected to implement plans to address data gaps over time. In the interim, they may use conservative assumptions and proxies, provided the rationale and limitations are clearly documented. Reporting should be sufficiently detailed to support management and Board decisions and updated regularly as new information becomes available.
6. Third-party and outsourcing risks
Firms are expected to explicitly consider how climate risks affect outsourced services and critical third-party relationships. This includes setting risk tolerances, reviewing exposures, and ensuring that external partners do not introduce unmanaged climate vulnerabilities into the business.
SS 5/25 also explicitly recognises litigation risk as a climate risk transmission channel, which firms should assess within their broader risk management frameworks.
What Firms Should Do Next
With SS 5/25 now final, firms should focus on demonstrating progress toward the PRA’s expectations. Supervisory assessment is expected to follow within approximately six to twelve months of finalisation, meaning firms are likely to be asked to evidence their approach during 2026.
Now is the time to act:
- Conduct a comprehensive gap analysis: Compare your current approach to SS 5/25’s expectations, identifying areas requiring enhancement, particularly in governance, scenario analysis, and internal reporting.
- Engage your Board early: Ensure they are aware of their responsibilities, receive the right training, and have access to the data and insights required to oversee climate risks effectively.
- Develop or upgrade scenario analysis tools: Move beyond boilerplate stress tests. Scenarios should be use-case specific, decision-relevant, and capable of identifying vulnerabilities across your business.
- Strengthen internal risk reporting: Create a reporting cadence that supports cross-functional decision-making and enables ongoing Board engagement.
- Review your ORSA or ICAAP frameworks: These must now include climate risks where material, backed by credible methodologies and clear documentation.
- Evaluate outsourcing and vendor risks: Map out how climate risks affect your broader ecosystem and build this into risk appetite frameworks and contracts.
This is not simply a compliance update. It is a shift in how the PRA expects risk to be understood, communicated, and acted upon. The tone is clear. Climate risk needs to be a core component of how financial institutions operate and plan, not a standalone workstream or disclosure requirement.
Connecting Regulation to Resilience
SS 5/25 brings the UK closer to international best practice while remaining firmly principles-based. It reflects lessons learned from more prescriptive regimes elsewhere without signalling any retreat from supervisory ambition.
The challenge for firms is not just to respond, but to prepare. As expectations are embedded into supervision, scrutiny will follow. Institutions that move early will not only reduce supervisory risk but also be better positioned to navigate the strategic and financial impacts of climate change over the long term.
Comparison of PRA SS 5/25 and PRA SS 3/19

Enjoyed this analysis? D. A. Carlin & Co helps clients navigate these turbulent times through strategic briefings, practical capacity-building workshops, and regulatory support. Book a call with us today through our "Speak with us" form and find out how we can give you and your team the future-ready skills and strategies you need.