
PRA SS4/24 compliance guide: Requirements, risks and how to stay compliant

PRA SS4/24 details the standards that regulated firms must meet to gain or maintain permission to use internal models for calculating risk-weighted assets. It covers everything from data quality and model calibration to senior management accountability and governance.

07 May 2026
By Global Relay
Written by humans


As of 2026, this guidance has taken on increased importance due to heightened PRA scrutiny and a regulatory focus on accountability and controls.

With the new version of PRA SS4/24 published on January 20, 2026, and an effective date of January 1, 2027, firms must transition from high-level policy to demonstrable proof of compliance throughout 2026.

In brief:

  • Strengthened oversight through PRA SS4/24 reinforces expectations regarding governance, oversight, and internal controls.
  • Demonstrable accountability means firms are required to showcase clear accountability and robust control frameworks.
  • Evidence-based compliance places a heavy emphasis on documented processes, comprehensive audit trails, and physical evidence.
  • The requirement for continuous monitoring translates to ongoing operational activities involving active monitoring, rather than a one-time policy implementation.

What is PRA SS4/24?

PRA SS4/24 explained: PRA SS4/24 is a Supervisory Statement issued by the Prudential Regulation Authority (PRA) that outlines expectations for firms using the Internal Ratings Based (IRB) approach for credit risk. It covers critical areas such as governance, risk management, and oversight expectations to ensure firms maintain robust capital standards.

By complying with the PRA’s rules, regulated entities are contributing towards the PRA’s objective to safeguard the stability of the United Kingdom’s financial infrastructure.

With a clear emphasis on accountability and controls, PRA governance requirements mean implementing effective risk management strategies alongside oversight and governance measures.

You can learn more about compliance risk management by reading our article Understanding Compliance Risk Management: Definitions, Importance, and Strategies.

Who Does PRA SS4/24 Apply To?

The requirements within PRA SS4/24 apply to UK-regulated financial institutions, including banks, building societies, and designated investment firms.

In fact, the PRA regulates around 1,300 banks, building societies, credit unions, insurers, and major investment firms. A complete list of PRA-regulated institutions is published and updated regularly.

Specifically, PRA SS4/24 impacts:

  • Senior managers: Individuals under the Senior Managers and Certification Regime (SMCR) who hold responsibility for risk and capital.
  • Internal functions: Governance, risk, and compliance departments tasked with model oversight.
  • Holding companies: PRA-approved financial holding companies that oversee groups using the IRB approach.

Key requirements under PRA SS4/24

From a governance perspective, the PRA expects firms to move beyond theoretical compliance towards evidence-led compliance by implementing the following measures:

  • Governance structures: Firms must have clear, documented hierarchies for model approval and ongoing review.
  • Oversight and accountability: There must be a direct link between model performance and senior management responsibility.
  • Risk management expectations: Models must include a Margin of Conservatism (MoC) to account for data deficiencies or modeling uncertainties.
  • Documentation and evidence: Every decision, including human judgment and Post-Model Adjustments (PMAs), must be documented with a clear rationale.

PRA SS4/24 changes, and why it matters in 2026

The regulatory environment in 2026 reflects a move toward demonstrable compliance, marking a pivotal shift in how regulated firms approach and manage risk.

The PRA’s updated version of the statement (published January 20, 2026) mandates that firms prepare now for the January 1, 2027, effective date.

Significantly, there is now greater scrutiny of:

  • Decision-making processes: The PRA wants to see how and why specific risk parameters were chosen.
  • Internal controls: There is an increased focus on the independence of the validation function.
  • Alignment with PRA priorities: PRA SS4/24 is now closely aligned with the final Basel 3.1 standards. Specifically, it serves as the definitive supervisory document that translates Basel 3.1 credit risk standards into actionable expectations for UK firms utilizing the Internal Ratings Based (IRB) approach. This ensures that high-level global reforms are converted into detailed, practical requirements for the UK market.

Common PRA SS4/24 pitfalls: Compliance gaps and risks

Many firms risk material non-compliance with UK financial regulation SS4/24 if they rely on outdated processes. This can lead to serious consequences for regulated institutions.

With this in mind, it’s useful to understand the common risks identified in PRA commentary, which include:

  • Weak governance frameworks: Failing to clearly define who is responsible for model performance.
  • Lack of documented evidence: Inability to produce the paper trail for why certain conservative buffers were applied.
  • Poor oversight of key functions: Especially regarding outsourced data or centralized group models.
  • Inability to demonstrate accountability: Failing to link model failures to Senior Management Function (SMF) accountability.

PRA SS4/24 compliance checklist

To prepare for the 2027 deadline, firms should use the following checklist to evaluate their current standing in respect of PRA governance requirements:

  • Define governance: Are your governance structures clearly defined and documented?
  • Assign SMF responsibility: Is a specific Senior Manager accountable for the annual IRB attestation?
  • Document policies: Are all policies, decisions, and model adjustments recorded in a centralized system?
  • Verify audit trails: Can you reconstruct the decision-making process for any given risk parameter?
  • Test controls: Do you regularly review and test your internal controls for model risk?

Best practices for PRA SS4/24 compliance

Knowing how to comply with PRA SS4/24 requires embedding governance into daily operations.

To meet the PRA’s expectations, firms must ensure that their internal frameworks are capable of producing granular evidence of compliance by addressing the following areas:

1. Centralize records and data lineage

Firms must maintain all documentation and internal communications in a single, accessible location. Operationally, this means establishing a single source of truth for model development and calibration.

Regulators expect to see not just the final model, but the entire lifecycle of decision-making, including rejected assumptions and data cleaning logs.

2. Align with SMCR and accountability frameworks

Ensure that the specific technical responsibilities outlined for SS4/24 compliance, such as the oversight of model performance and the approval of risk parameters, are explicitly reflected in the relevant SMCR.

From a governance perspective, this alignment ensures that the annual IRB attestation is supported by a clear chain of command and that senior leaders have the requisite visibility into potential model deficiencies.

3. Targeted internal audits

Conduct regular internal audits that move beyond general process reviews to focus specifically on the representativeness of data and the rigorous application of the MoC.

Operationally, firms should perform deep-dive reviews of the models used to calculate risk, to ensure they’re sound.

How technology supports governance and compliance

It’s already apparent that modern financial regulation requires more sophisticated tools than manual spreadsheets and siloed folders. Moreover, technology plays a vital role in meeting the evidence requirements of UK financial regulation SS4/24, transforming compliance into a continuous, data-driven process.

1. Centralized recordkeeping and discovery

Systems that automatically capture relevant communications, meeting minutes, and technical documents ensure that proof of compliance is always available for regulatory inspection.

This reduces the operational risk of compliance being dependent on the knowledge of a key person, or where critical rationale for model choices exists only in fragmented email chains or personal drives.

Level up your recordkeeping: Why not explore Global Relay’s communications monitoring solutions, which accurately identify risks in every communication and ensure data completeness?

2. Immutable audit trails

Automated logs provide an immutable record of every modification made to a rating system or risk parameter.

In the event of a PRA section 166 review (also known as a Skilled Person Review) or a routine supervisory visit, these audit trails allow firms to reconstruct the exact state of a model at any point in time.

This measure provides the transparency required for robust regulatory oversight. Learn more about how the Financial Conduct Authority commissions Skilled Person Reviews.

3. Real-time monitoring and automated reporting

Advanced real-time capabilities allow firms to monitor model performance against actual default experience continuously. By implementing automated triggers, firms can identify and remediate model deficiencies before they become material issues that jeopardize IRB permission.

Compliant communications: Our AI-enabled communications surveillance tool incorporates a five-layered approach to communications monitoring, reducing noise, identifying risk, and supporting intelligent investigation and reporting to help you stay compliant.

Final thoughts

The PRA expects clear, demonstrable governance in 2026 and beyond. As the January 2027 effective date approaches, firms must move from simply having a policy to providing undeniable proof of SS4/24 compliance. For many firms, this will have a significant operational impact and requires fundamental organizational changes.

Yet ensuring your firm has the right accountability, documentation, and audit trails is easier than ever when partnering with Global Relay. As leaders in compliance excellence, we provide fully integrated compliance solutions for every step of your compliant communications journey. Learn more about our compliance solutions.

PRA SS4/24 FAQs

  1. What is PRA SS4/24?

PRA SS4/24 is a Supervisory Statement outlining the PRA’s expectations for firms using the Internal Ratings Based (IRB) approach for credit risk. It covers governance, risk management, and the technical standards required for internal models used to calculate capital requirements.

  2. Who does SS4/24 apply to?

It applies to UK-regulated banks, building societies, and designated investment firms. It specifically impacts Senior Managers under the Senior Managers and Certification Regime (SMCR) and those responsible for governance, risk, and compliance functions within these financial institutions.

  3. What are the key requirements?

Key requirements include establishing robust governance structures, ensuring senior management accountability, maintaining detailed and accessible documentation, and providing clear audit trails. Firms must also apply a Margin of Conservatism (MoC) to address any data or model uncertainties.

  4. How does SS4/24 relate to SMCR?

SS4/24 ties IRB compliance directly to the SMCR. It requires a designated Senior Manager to provide an annual attestation to the PRA regarding the firm’s compliance with IRB requirements, making them personally accountable.

  5. What happens if firms fail to comply?

Firms that fail to comply risk having their IRB permissions revoked or restricted. If material non-compliance is identified, the firm must submit a detailed remediation plan to the PRA and may face increased capital requirements or further supervisory intervention.