Risk & Controls: What’s on the agenda for Wholesale banks?

On 8 September 2023, the FCA published its first portfolio letter in four years and, in doing so, determined the supervisory agenda for wholesale banks over the next two years.

Whilst the letter is wide ranging, focussing on several different areas including Operational Resilience, ESG, Consumer Duty and Artificial Intelligence, this blog will concentrate on the heart of the FCA’s agenda: risk. The FCA considers the challenging market environment seen in recent times and the impact that those market stresses have had on wholesale banks noting that “a failure to manage operational or reputational risks can quickly result in broader concerns about a firm’s safety and soundness”.

The interconnectivity of our global financial markets means that any failure in risk management can quickly escalate to have a wider societal implication and the FCA is understandably determined to avoid this.

Financial Risks & Remediation:

The FCA is blunt in its assessment of failures in risk management citing several recent examples within the letter; the tone suggests that the FCA is frustrated with these incidents given their expectation that wholesale banks should already have been prioritising the improvement of their risk frameworks since the default of Archegos in 2021.

The FCA is clear that it expects firms to have put in place “remediation programmes in response to events of the last 18 months” whether they were directly affected or not and as part of its supervisory agenda in the next two years will be assessing these programmes to ensure they align with the FCA’s expectations of sound risk management. Wholesale banks should consider:

Where there is no remediation programme in place:

• How they demonstrate that the risk management framework across the three lines of defence is effective. A minimum expectation would be that controls testing is in place at a regular cadence as well as a review of the framework itself especially post market events.

Where there is a remediation programme in place:

• How they demonstrate how the programme is going to improve the existing risk management framework and satisfy the FCA (and PRA’s) expectations.
• Have they defined the governance in place to show appropriate oversight and accountability for the remediation plan all the way up to Board level.
• How ongoing review of the framework will be managed on a go forward basis.

Non-financial Risks:

The FCA have specifically called out non-financial risks as a focus area for them and will be “ramping up [its] testing programme to look at how banks are controlling these risks”. The remediation programmes called out above, tend to concentrate on financial risks, for example, unauthorised trading. Yet there are a number of less tangible risks that need to be accounted for, for example, market abuse, conflicts of interest and financial crime.

Whilst these risks are more challenging to quantify, the implications of failing to control for them can be significant, not only financial losses, but also reputational impacts on not just the organisation in question but the wider market. Wholesale banks should consider:

• Whether they are able to demonstrate that they have non-financial risk appetite and framework in place and show how they are effectively controlling for these risks.
• Not only whether they have strong polices and procedures in place but also show how these are put into practice to safeguard against non-financial risks.
• How they evidence the role of control functions (i.e. Internal Audit, Compliance) play a role in supporting the business in effectively managing risk.

Management Information (MI) and Governance:

Underpinning the FCA’s letter is a clear message that wholesale banks should expect increased supervisory scrutiny in the foreseeable future and should be prepared to react to requests nimbly as well as the expectation that responses be “data-led”. This inevitably will lead to an increased need for effective MI which firms can use to evidence their ability to control for both financial and non-financial risks but crucially, firms will also need to show the review of that MI has been actioned appropriately. Wholesale banks should consider:

• Reviewing their existing MI and ensure it’s aligned to their risk taxonomy. In the review, wholesale banks should assess whether the MI is “fit for purpose” and adequately reflects the risks faced.
• If the governance framework in place allows for escalation at pre-determined thresholds allowing Senior Management to make informed decisions.

Conclusion:

In this letter, the FCA has set its supervisory stall for the next two years across a number of focus areas and acknowledges that it will need to be flexible and re-prioritise as market events occur. However, there is one consistent theme throughout all these areas and that is risk and the ability for wholesale banks to manage that risk appropriately.

The FCA expects firms to discuss this letter with Boards within the next 2 months and “where necessary, take action” and if firms deem it not necessary, the FCA will expect a thorough justification for why not.