Bank of England regulator warns of ‘significant disruption’ from new AI

TL;DR:

  • Sam Woods, chief executive of the Bank of England’s Prudential Regulation Authority, told a UK Finance event it is “reasonable to expect quite significant disruption” to financial services from frontier models such as Anthropic’s Mythos and ChatGPT 5.5 Instant.
  • Woods linked the risk specifically to those models’ growing ability to identify vulnerabilities, and the resulting pressure on banks to patch at higher speed.
  • Resultsense view: this is the first time the UK’s bank regulator has used the word “disruption” so plainly about a specific generation of models, and it reframes the AI-and-banking conversation from “innovation opportunity” to “operational resilience problem”.

Woods, speaking at UK Finance’s Growth Delivery Summit, said firms will need to step up basic cyber hygiene and lean more heavily on AI-driven defences. He singled out the requirement to patch identified vulnerabilities — already described by the PRA as the leading cause of outages in the financial system — as the area most likely to come under strain.

Why this matters now

Anthropic rolled out Mythos to a limited group of business customers in April. Cybersecurity practitioners have been flagging since then that the model represents a step change in finding and exploiting flaws in legacy systems, of which UK banks run a great deal. A BoE-co-led cyber resilience exercise last month judged the sector ready for that pressure; Woods’s own comments suggest the regulator is not relaxed about how long that judgement will hold.

The PRA’s framing is consistent with the wider direction of UK financial regulation. The FCA and the Bank of England jointly issued operational resilience rules in 2022 requiring firms to identify “important business services” and prove they can stay within impact tolerances during severe disruption. The new warning effectively tells regulated firms that AI-accelerated attack speed is now one of the disruption scenarios they have to plan for, not a theoretical one.

Looking forward

Expect the PRA to push for tighter patching cadence in supervisory engagement, and for AI-augmented vulnerability management to move up board agendas across UK banks, building societies and large insurers. For UK SMEs sitting in the financial services supply chain — fintech vendors, managed-service providers, anyone with a regulated firm as a customer — the practical effect is that contractual security expectations will tighten, and “we patch monthly” will increasingly read as inadequate. The regulator’s tone today is unusually direct; the policy paperwork that follows is unlikely to be looser.