How Should EU and UK Banks Manage Climate-related Risks?

Alert

24 March 2025

21 min read

Over the past 12 months, different regions of the globe again witnessed natural disasters such as the flash floods in Spain and the Californian wildfires that ravaged Los Angeles in January. A scientific¹ and increasingly embedded societal view is that these events may be supercharged by climate change. In terms of financial impact, climate and nature-related risks can affect operational resilience and lead to losses in the financial sector.² For example, Lloyd's of London alone said in March 2025 that it expected to lose USD 2.3bn from the Los Angeles wildfires and warned that higher incidences of natural catastrophes were likely to keep insurance costs high.³ In connection with the Los Angeles wildfires, banks with high exposure to real estate were significantly impacted by large outstanding mortgages on homes destroyed by the wildfires. As the UK Prudential Regulation Authority ("PRA") noted in its Climate Change Adaptation Report 2025,⁴ where the future likelihood of such climate driven events is not incorporated into banks' and insurers' pricing, and firms instead react to disasters in real time, sudden price adjustments can result, contributing to financial instability.

For credit institutions around the world, anticipation of intensifying or more extreme climate risks played only a limited role in their risk management in the past, and certain institutions may have perceived climate transition to be more of a corporate social responsibility or reputational issue. This has changed in recent years. Regulatory and governmental pressures have stepped up in acknowledgement of the escalating risks.

While the level of regulatory and governmental expectations for banks to manage climate-related risks varies across major jurisdictions and is subject to a dynamic process, in both the UK and the EU a detailed framework for the management of climate-related risks has been established. This article will examine the current state of play in the UK and the EU with respect to regulatory requirements on banks' management of climate-related risks and provide an overview of current and future requirements.

UK – what are the regulatory requirements imposed on banks with respect to managing climate-related risks?

Introduction

The Bank of England ("BoE") became the first central bank and supervisor to set supervisory expectations in April 2019 ("SS3/19")⁵ for banks on the management of climate-related financial risks, covering governance, risk management, scenario analysis and disclosure. This set the BoE's expectations that banks take a strategic approach; identifying current risks and those that can plausibly arise in the future, and appropriate actions to mitigate those risks. The BoE emphasised that climate change creates financial risks and economic consequences which matter for the BoE's mission to maintain monetary and financial stability. In 2020, the BoE followed up with a Dear CEO letter addressed to all banks (and other firms) regulated by the PRA, clarifying that banks must have fully embedded their approaches to managing climate-related financial risks by the end of 2021.⁶ The Dear CEO letter set out the regulators' examples of good practices and highlighted where it saw gaps between firms' intentions and its own expectations. In October 2021, the BoE published a second climate change adaptation report,⁷ and from 2022 onwards has moved towards actively supervising banks against the regulatory expectations set out in SS3/19. In October 2022, a further Dear CEO letter was published, providing more detail on the BoE's observations of how banks are meeting supervisory expectations and highlighting examples of effective and less effective practices identified.⁸

At the invitation of the Department for Environment, Food and Rural Affairs ("DEFRA"), the PRA published a Climate Change Adaptation Report at the end of January 2025.⁹ In this report, the PRA observed that while banks (and insurers) have taken positive steps towards implementing the supervisory expectations set out in SS3/19, the levels to which these are embedded vary and the overall assessment is that further progress is needed by all firms. Against this backdrop, the April 2025 Regulatory Initiatives Grid issued by the Financial Services Regulatory Initiatives Forum references as one of the PRA's actions for Q1 2025 the publication of a consultation on updating SS3/19. From the Climate Change Adaptation Report, it can be anticipated that the update consulted on will look to build upon and clarify the existing expectations set out in SS3/19. In doing so, it will consolidate existing published PRA climate-related guidance—including Dear CEO and Dear CFO letters—while incorporating the PRA's improved understanding of climate risks and reflecting the work of international standard-setters like the BCBS and IAIS.

Within this context, we set out below a summary of how banks are currently required and/or expected to manage their climate-related risks in the UK to meet regulatory supervisory standards.

Overview of key requirements

Governance

In the UK, the PRA expects the banks that it regulates to understand the risks posed to them from climate change and how these will affect their business model. The PRA's Climate Adaptation Report notes that climate risks have three distinctive elements, which, together, present unique challenges for the financial sector and require a strategic management approach: (1) risks are systemic; (2) risks are simultaneously uncertain and yet foreseeable; and (3) the size and balance of the future risks we face will be determined by actions taken now. Senior management within banks have been directly addressed in several Dear CEO and Dear CFO letters that the PRA has published during the past five years to engage with banks on embedding supervisory expectations on climate matters. The PRA expects bank boards to ensure that adequate resources and sufficient skills and expertise are devoted to managing the financial risks from climate change, including having clear roles and responsibilities for the board and its relevant sub-committees. Further, boards and executives should be able to show that the approach taken to the integration of climate considerations into their business in terms of business strategy, planning, governance, and risk management is coherent and supported by available metrics and risk appetites that provide an effective measure of vulnerability. More recently, in its Climate Change Adaptation Report, the PRA noted that—while banks have generally made substantial progress in establishing governance structures for climate risks—consistency in application of governance frameworks across firms, including cascading down different business lines, could be improved.

Risk Management

UK-regulated banks are expected to address the risks from climate change through their existing risk management frameworks, including through their risk appetite statement, committee structures and three lines of defence models, deploying both qualitative and quantitative measures. With respect to quantitative measures in particular, the PRA has communicated that it expects banks to be able to demonstrate how they have factored climate risks into their quantitative analysis, using appropriate metrics and prudent assumptions and proxies where data gaps exist, and to be able to explain what actions are being taken to address these data gaps. In managing their own climate risk, banks are also expected to be proactive in assessing their counterparties' exposure to climate change as they adapt their business strategies.

The PRA's September 2024 'Dear CFO' letter took a closer look at the use of quantitative data to help manage risks from climate change, particularly as regards banks accounting for expected credit loss.¹⁰ The PRA's key findings as to areas for improvement by banks included: (1) scope to expand the range of loan portfolios subjected to a climate risk assessment, to pick up impacts on underlying collateral, refinance risk and ability to repay; (2) enhancement of data granularity and working towards embedding climate risk in loan-level credit risk assessments; and (3) expanding the range of climate scenarios considered, to better identify borrowers and sectors implicated by climate risk.

The PRA has also noted that, whilst firms' work on climate-related capital assessments is complex and still evolving, it is essential that the impact of climate risks is accurately reflected in banks' balance sheets and wider financial statements to help mitigate the risks of gaps in the capital framework. Banks are expected to be able to demonstrate that the financial risks from climate change are appropriately considered within their Internal Capital Adequacy Assessment Process, according to the nature, scale and complexity of their business. The PRA has found that there are significant variations in firms' processes and further work is required by all to develop appropriate risk management tools that contribute to decision-making.

Strategy Setting and Scenario analysis

While the PRA expects banks to conduct scenario analysis ("CSA") to determine the impact of financial risks from climate change on their risk profiles and business strategies, the PRA recognises in its Climate Change Adaptation Report that the use of CSA within the financial sector has been limited due to its complexity and a lack of familiarity. The PRA has invested in developing CSA tools and guidance (such as an article published in its Quarterly Bulletin 2024 on 'Measuring climate-related financial risks using scenario analysis'¹¹) and has encouraged firms to incorporate CSA into their risk management activities. The PRA nonetheless recognises that further improvement is required, as scenario analysis capabilities are generally not sufficiently well-developed to support effective strategic and business decision-making. CSA should cover both short-term and long-term assessments and, for example, address various outcomes relating to different transition paths to a low-carbon economy and scenarios where no transition occurs. UK banks should use these scenarios to understand impacts on solvency and liquidity and evaluate whether management actions to mitigate such risks are realistic, credible, consistent with regulatory expectations and achievable.

Adequate climate related data and associated data architecture play a key role in scenario analysis (as well as governance, risk management and disclosure). In its Climate Change Adaptation Report, the PRA observed that data gaps remain an integral part of the climate risks that banks must manage and recognised that more robust, standardised climate-related data of sufficient coverage is needed across the financial sector. Nonetheless, banks need to explain how they identify their significant data gaps, what plans they have to close those gaps, and what processes they have in place to ensure that developments in data and tools will be identified and incorporated into their approach. Where data gaps exist, all firms need to put in place contingency solutions using appropriately prudent assumptions, judgements and proxies.

Disclosure

The PRA notes in its Climate Change Adaptation Report that high-quality, comprehensive and consistent climate disclosure across the economy is essential to identify and measure climate risk, in turn enabling banks to improve their risk management and make better decisions. In addition to complying with the existing regulatory risk disclosure requirements, UK banks should consider making further disclosures (particularly, for example, on how climate-related financial risks are integrated into governance and risk management process) to enhance transparency on their risk management approach. The PRA expects banks to develop an appropriate disclosure approach to reflect the distinctive elements of financial risks from climate change, and to engage with wider initiatives on climate-related financial disclosure such as the Taskforce on Climate-related Financial Disclosures.

Europe – what are the regulatory requirements imposed on banks with respect to managing climate-related risks?

Introduction

Climate risks have become focus of the ECB

In recent years, EU supervisory authorities have intensified their efforts to address climate-related risks. Starting with its November 2020 Guide on climate-related and environmental risks¹² ("ECB Climate Risk Guide") the European Central Bank ("ECB") has increasingly made the management of climate-related risks a key priority in its supervisory practice. With this guide, the ECB set out 13 expectations for banks to deal with the challenges of climate change, including expectations related to business models and strategy, governance and risk appetite, risk management as well as disclosures. Two years after the initial publication of the ECB Climate Risk Guide and following an inaugural Climate Risk Stress Test conducted in October 2021, the ECB's thematic review in November 2022 concluded that banks fell significantly short of the expectations outlined in the ECB Climate Risk Guide and set deadlines for alignment with those expectations. Several banks that did not meet the ECB's first deadline to perform a climate risk materiality assessment and business environment scan by March 2023 received binding supervisory decisions in December 2023, which also included periodic penalty payments in case of non-compliance with these decisions.¹³ Throughout 2024, the ECB has reiterated warnings of enforcement action against banks failing to adequately include climate-related risks in their governance, strategy and risk management arrangements. And most recently the ECB highlighted the continuing deficiencies in the management of climate-related physical and transition risks as a "prioritised vulnerability" of banks in its supervisory priorities 2025-27, particularly addressing shortcomings in compliance with upcoming regulatory requirements.¹⁴

Legislative efforts to enhance the legal framework

In terms of the legal framework, the ECB's supervisory expectations and measures were not originally based on specific climate-related risk requirements under EU supervisory law, but on general risk management requirements under (transposed) EU law. Only recently, legislative efforts have resulted in the codification of the previously administratively set climate-related requirements. The "banking package" adopted by the European Parliament in July 2024 amending the Capital Requirements Regulation ("CRR") (Regulation (EU) 575/2013) and the Capital Requirements Directive ("CRD") (Directive 2013/36/EU),¹⁵ introduces inter alia, a number of new regulations on ESG risks, including new requirements related to the management of climate-related and environmental risks. The amended CRR (CRR III) applies since 1 January 2025, whilst the amendments to the CRD (CRD VI) must be transposed into national law by Member States by 10 January 2026.

In addressing climate-related risks, the banking package employs a common distinction already used in the ECB Climate Risk Guide between "transition risks" and "physical risks" as part of "environmental risks", while still acknowledging that "ESG risks" – as the relevant umbrella category – manifest through traditional categories of financial risks and do not constitute a separate risk category (new Article 4(1) point 52d CRR). Under the definition provided in new Article 4(1) point 52g CRR, corresponding to the definition used in the ECB Climate Risk Guide, point 3.1, transition risks are risks that arise from the current or prospective impact of the transition to an environmentally sustainable economy. Accordingly, transition risks include changes in policy, such as those imposed by new regulations. Transition risks may also involve often unpredictable shifts in supply and demand, for example those driven by technological innovations in the automotive sector, which can affect the banks' debtors and assets. Finally, transition risks include legal risks for financial institutions (cf. new Article 4(1) point 52a CRR), such as climate litigation against financial institutions. Physical risks, in contrast, refer to the potential economic losses resulting from the physical effects of climate change on the institution's counterparties or invested assets (new Article 4(1) point 52f CRR).

Moreover, to further align the supervisory practices across the EU, the banking package tasks the European Banking Authority ("EBA") to issue guidelines on the application of certain new requirements. Most notably, on the basis of the new Article 87a(5) lit. a-c CRD the EBA issued guidelines on the management of ESG risks on 9 January 2025 ("EBA Guidelines on ESG Risk Management").¹⁶ These guidelines will generally apply from 11 January 2026 and for small and non-complex institutions at the latest from 11 January 2027. They closely align with the established supervisory practice of the ECB and integrate supervisory requirements that were previously dispersed across various publications.

Within this context, we set out below a summary of current and forthcoming key requirements and expectations for banks in the EU regarding the management of climate-related and environmental risks under the upcoming framework.

Overview of key requirements

Governance

Under the ECB Climate Risk Guide, the ECB already expects institutions to assign responsibility for the management of climate-related and environmental risks within the organisational structure in accordance with the three lines of defence model and to explicitly include climate-related and environmental risks in their risk appetite framework (ECB Climate Risk Guide, Expectations 4, 5).

Similarly, under the CRD VI framework banks in the EU will need to have in place governance arrangements including robust strategies, policies, processes and systems for identifying, measuring, managing and monitoring ESG risks over the short, medium and long-term, with the latter encompassing a time horizon of at least 10 years (new Article 87a(2) CRD). As the EBA Guidelines on ESG Risk Management further specify, the internal control framework should include a clear definition and assignment of ESG risks responsibilities and reporting lines (EBA Guidelines on ESG Risk Management, para. 56). The risk culture should include a clear communication from the management body ("tone from the top") regarding ESG risks, strategic objectives and commitments (EBA Guidelines on ESG Risk Management, para. 55). Likewise, institutions should incorporate ESG risks into their internal control frameworks across the three lines of defence (EBA Guidelines on ESG Risk Management, para. 56).

In order to implement the governance arrangements, management bodies shall possess adequate collective knowledge, skills and experience to be able to understand both the entity's activities and the associated risks and the entity's impact on environmental factors in the short, medium and long term (new Article 91(2b) CRD). In this respect, the EBA Guidelines on ESG Risk Management further stipulate that that knowledge of ESG factors and risks is considered relevant for the assessment of the suitability of members of the management body and for Key Function Holders (EBA Guidelines on ESG Risk Management, para. 54).

Risk Management

With regard to risk management, the ECB Climate Risk Guide already set out the expectation that institutions incorporate climate-related and environmental risks as drivers of existing risk categories into their risk management framework. Bank must therefore manage, monitor and mitigate these risks over a sufficiently long-term horizon, and to review their arrangements on a regular basis and identify and quantify these risks within their overall process of ensuring capital adequacy (ECB Climate Risk Guide, Expectation 7).

Likewise, the EBA Guidelines on ESG Risk Management stipulate that banks should embed ESG risks within their regular risk management systems and processes as well as within their risk appetite, ensuring consistency with their overall business and risk strategies (EBA Guidelines on ESG Risk Management, paras. 31, 44, 50). Moreover, specific arrangements for ESG risks should be aligned with the regular risk management framework (EBA Guidelines on ESG Risk Management, para. 44).

In this context, the EBA also suggests various tools to address these risks (EBA Guidelines on ESG Risk Management, para. 46). For example, banks could diversify lending and investment portfolios based on ESG-relevant criteria, and, if necessary, reallocate financing between and within sectors towards exposures more resilient to ESG risks or, as another tool, adjust financial terms or pricing based on ESG risk-relevant criteria.

As already undertaken by the ECB, supervisory authorities in the EU will oversee how banks handle ESG risks in the context of the supervisory review and evaluation process ("SREP") (new Article 98(9) CRD) and may require banks to mitigate ESG risks under new express supervisory powers (new Article 104(1)(m) CRD).

Against this backdrop, the impact of ESG risks on capital requirements will also continue to grow – particularly affecting institutions that are allowed to use their own estimated risk parameters for the purpose of calculating regulatory capital (internal ratings-based approach ("IRBA")). For example, banks will be required to take into account ESG-related considerations when calculating the market value of financial and physical collaterals (amended Article 207(4)(d) CRR and amended Article 210(g) CRR).

Strategy Setting and Scenario Analysis

Banks will be required to include short, medium and long-term horizons of ESG risks in their strategies and processes for evaluating adequate internal governance and capital needs (amended Articles 73(1) and 74(1) CRD). More generally, the ECB has also stated the expectation that institutions integrate climate-related and environmental risks that impact their business environment in the short, medium or long term when determining and implementing their business strategy (ECB Climate Risk Guide, Expectation 2).

In this regard, management bodies are also required to develop and monitor the implementation of transition plans to address such risks and include quantifiable targets, which consider the latest reports and measures prescribed by the European Scientific Advisory Board on Climate Change, in particular in relation to the achievement of the climate targets of the EU (amended Article 76(2) CRD).

Moreover, under the new Article 177(2a) CRR, banks will need to include ESG risk drivers when defining scenarios that are used for mandatory capital adequacy stress tests, in particular physical risk and transition risk drivers stemming from climate change. The EBA is tasked to issue guidelines on the application of this new requirement. Accordingly, on 16 January 2025, the EBA launched a public consultation on its Draft Guidelines on ESG scenario analysis.¹⁷ These guidelines are based on Article 87a(5) lit. d CRD and Article 177(2a) CRR and are designed to complement the EBA Guidelines on ESG Risk Management as well as the EBA Guidelines on institutions' stress testing (EBA/GL/2018/04) by specifying, inter alia, the relevant factors and climate risk transmission channels that institutions should consider when conducting climate scenario analyses. The objective of these guidelines is to enable institutions to test their financial resilience to severe shocks in the short to medium term, as well as to assess their strategy and business model in the long term, offering the tools of Climate Stress Tests ("CST") and/or Climate Resilience Analysis ("CRA"), respectively. It is planned that the guidelines will be finalised by the second half of 2025 and apply from 11 January 2026 except for small and non-complex institutions for which the guidelines will apply at the latest from 11 January 2027. In addition, the EBA has announced that it will include climate risk factors in its regular EU-wide stress tests in the future.

Disclosures and Annual Reports

As regards disclosure requirements, the disclosure of ESG risks will now apply to all institutions (new Article 449a CRR). Moreover, financial institutions are still required to disclose Pillar 3 information on ESG risks as per the Annexes of the Implementing Technical Standards ("ITS"). To be able to track the development of ESG risk management more accurately, the EBA plans to enhance Pillar 3 ESG disclosure requirements by adding more data and additional indicators regularly, for example, on environmental risks beyond climate.

In addition, disclosure requirements for certain financial products have recently come into effect. For example, since 8 July 2024, new Regulatory Technical Standards ("RTS") provide for ESG impact disclosure for simple, transparent and standardised ("STS") securitisations where the underlying exposures are residential loans, auto loans and leases.¹⁸ Besides, several legislative initiatives aim to extend and simplify sustainability disclosures and should be closely monitored in the near future (e.g., the recommendation of amendments to Regulation (EU) 2022/1288 by the European Supervisory Authorities ("ESAs")¹⁹ and a call for climate-related disclosure for structured finance products through harmonised climate-related data requirements by the ESAs and the ECB).²⁰

Conclusion – market forces and regulatory pressures

It is clear that regulatory requirements and expectations for banks across the UK and the EU to manage climate-related risks have been growing rapidly and continue to develop. It will be key that banks' senior management understand the evolving nature of climate-related risks and closely follow the further development of regulatory requirements. Climate-related risks encompass not only physical risks to the environment (such as extreme weather events that can have an impact on, amongst other things, bank clients' creditworthiness and asset prices/valuations) but also transition risks where banks both play a role in, and are also otherwise affected by, efforts toward a lower carbon economy. This may be more challenging to anticipate, quantify and account for, as it requires a deep understanding on the part of banks of the commercial and regulatory landscape in which they operate, insofar as climate-related risks are concerned. For example, a decision to lend to a company is likely to now have regard to that company's emissions, its potential for asset damage and risk of operational disruptions. However, with the comprehensive regulatory frameworks already introduced in the EU and the UK, it remains to be seen how global governments, regulatory authorities and banks continue to act in setting requirements for banks to manage climate-related risks. Correspondingly, especially given the latest developments in global economic politics, where leaders are increasingly prioritising national economic interests over shared goals, there is a risk that climate risk rules will increasingly diverge across the globe. In such a scenario, banks may start to face growing fragmentation of both transition regimes and regulatory requirements across the various jurisdictions in which they operate. This will pose additional challenges for globally operating banking groups in particular. Against this backdrop, the future of a centralised climate risk regulation at an international level remains uncertain.

Lennart Sunnus (Legal Intern, Berlin) contributed to the development of this publication.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}