We still need to talk about regulatory reporting…

At a glance:

The PRA has turned up the heat on banks’ regulatory reporting, commissioning a number of skilled person reviews using their powers under Section 166 of FSMA. In this blog we look at some of the common challenges banks face in regulatory reporting, focussing on:

• Governance and controls
  • some banks are investing to improve the controls and oversight of their end-to-end regulatory reporting process, including the automation of controls and establishing a systematic “2nd line” oversight process;
• Regulatory interpretations
  • many banks are exposed to key person risk in some areas of regulatory reporting expertise;
  • the PRA has identified that the quality and extent of documentation and governance of regulatory interpretations is below that of financial reporting;
• Documentation and record keeping
  • some banks are reviewing their record keeping processes around regulatory reporting so they can demonstrate they are meeting supervisory expectations to have robust methods to organise and control their historical information responsibly and effectively;
• Data and systems
  • many banks require more investment to fund the systems transformations required to enhance their regulatory reporting.

In summary, the industry still has considerable work to do to enhance its end‑to‑end regulatory reporting process and potentially stave off further regulatory scrutiny.

Target Audience: Board Audit and Risk Committees; CFOs; CROs; CIO/CDOs; Heads of Regulatory Reporting functions; reporting team members.

In September 2021, the PRA issued a “Dear CEO” letter¹ setting out thematic findings on the quality of UK banks’ regulatory reporting. The letter raised a number of issues and was particularly robust in its tone, setting out the PRA’s expectation that banks should apply the same standards of accuracy, oversight and rigour to regulatory reporting that they apply to financial reporting.

Following the PRA’s letter, we published a blog on some of the common challenges banks face with regulatory reporting, which you can find here.

The PRA has in recent years made considerable use of its Section 166 power to appoint skilled persons to review banks’ regulatory reporting returns and has indicated that it will continue to do so where it feels that banks are not meeting appropriate standards.

Regulatory reports cover a broad range of regulatory submissions, from COREP and FINREP returns to Bank of England Statistical returns and responses to ad hoc requests. It is important to note that all regulatory returns are important, and banks need to regard any information they provide to their supervisors as being subject to the same expectations of accuracy and timeliness.

This blog sets out some observations from PRA publications and also from our experience in the market since we published our first blog.

Poor data and infrastructure

Despite ongoing regulatory attention and considerable investment in some areas in recent years, many banks’ regulatory reporting teams continue to struggle with legacy IT systems that are fragmented, and for which change processes are time-consuming and expensive. These infrastructure challenges play out in a number of ways when it comes to regulatory reporting, including:

• Reporting teams not receiving the data they need, with sufficient time for the review and remediation required to ensure submission of accurate reports.
  • With many banks having embarked on significant data programmes there is a need for reporting requirements to be incorporated into these programmes, both from an internal MI perspective and to ensure external reporting requirements can be met.
  • In the EU, the ECB continues its focus on banks’ compliance with BCBS 239; in the UK, the Bank of England continues to focus on its industry-wide project to transform data collection for regulatory returns^2. Both programmes will deliver long-term benefits for banks, at the expense of short-term and medium-term effort.
• Reporting teams struggling to secure resources (financial and human) to enable the system changes needed to speed up the delivery required to improve the accuracy of returns, against competing resource demands, including from other regulatory programmes. Failure to secure the resources to make systems changes results in banks needing to have additional resources in place to undertake manual processes and workarounds to deliver regulatory returns on time.

Inconsistent governance processes and poor control frameworks

Banks generally have clearly defined, robust, and well understood governance and control processes for their financial reporting. However, governance and control systems for regulatory reporting have historically been less formalised from an end-to-end perspective with inconsistencies in how they have been applied, particularly for older reports.

In order to meet the PRA’s expectation that regulatory reporting is undertaken to the same standard as financial reporting, some banks are investing in enhancing the control framework and oversight processes for their regulatory reporting, including an increase in systematic controls.

As part of this, banks are looking to set out clearly the roles of oversight teams to ensure that there is appropriate challenge from the second line, and sufficiently frequent review by the third line, of regulatory reporting processes/controls and outputs, including in some cases substantive testing.

A related issue is reporting teams not always being able, or feeling empowered, to challenge sufficiently the information they receive from underlying systems or the business. This can arise as a result of lack of time to undertake robust challenge (e.g. receiving the information very late in the process), a lack of understanding of regulatory complexity or requirements (including where these differ across jurisdictions), or as a result of the roles of senior management in the process not being well defined, driving limited engagement, particularly in sign-off procedures. Lack of robust, timely challenge can lead to a range of outcomes including:

• errors in regulatory returns that require them to be re-worked and re-submitted;
• regulatory returns being challenged by the PRA due to inaccuracies or inconsistencies; and
• fines³ and/or potential for regulatory sanctions under the SMCR, depending on the severity of the governance/control issues and/or reporting errors identified.

Dealing with errors

One issue we have observed across the market is instances of banks failing to give sufficient priority to the permanent remediation of identified reporting errors or persistent data issues feeding the reporting processes. The result is that mitigating manual controls remain in place long term, increasing the risk that reporting errors persist in PRA submissions. This is a major area of focus for many of the programmes that are being established to address regulatory reporting remediation.

Inconsistent or inappropriate regulatory interpretations

The regulatory regime for banks is complex: regulatory rule sets run to hundreds of pages and there are numerous areas where banks need to use judgement when applying the rules to customers and exposures. These issues are particularly in evidence where there are boundary issues, such as determining into which asset class an exposure should be allocated. The outcome of this assessment can have a material effect on capital requirements.

The regulatory regime is also constantly changing – both in larger scale, such as the impending implementation of Basel 3.1; and in smaller scale, such as by way of updates to supervisory policies and guidance. Ensuring policy implementation is in line with the latest regulatory requirements is critical to ensuring ongoing compliance. However, in many banks the pool of people with the relevant skills, historic knowledge, and capacity to dedicate time to reviewing regulatory rules and interpreting how those rules should be applied to the bank’s portfolio, is relatively small. Individuals with regulatory expertise are often required to input across a range of regulatory change initiatives, in addition to their day-to-day role of horizon scanning and policy implementation.

This lack of expertise and capacity may result in:

• regulatory interpretations not being reviewed/updated sufficiently often;
• regulatory interpretations not being subject to appropriate oversight or governance; for example, no differentiation of governance for more significant regulatory interpretations that can lead to material mis-statement of reported RWA/regulatory capital amounts; and
• key person risk: in some areas of regulatory interpretations there are very few people, even in larger banks, who have the level of understanding of the regulations and the bank’s end‑to‑end systems and processes for regulatory return production.

Another common issue in this area is hard-coding: some regulatory interpretations are coded into systems (e.g. product code(s) in systems may only be associated with specific regulatory asset classes). Banks need to consider how these hard-coded interpretations are monitored and amended when needed. As an example of the sort of change that may affect hard-coded regulatory classifications, under Basel 3.1 banks will need to be able to aggregate several types of exposures under the new Real Estate asset class, as well as give them risk weights according to whether they are residential or commercial real estate exposures.

Poor documentation and record keeping

Tied to the challenges around regulatory interpretations are a number of observations on documentation and record keeping in relation to regulatory interpretations and reporting:

• Some banks do not keep complete, centrally maintained, and robust records of regulatory interpretations, particularly in relation to permissions and waivers from the PRA that affect the preparation of regulatory returns:
  • waivers of rules usually have an expiry date: maintaining clear records of when waivers expire and who is responsible for ensuring that waivers are re-applied for, or that reporting processes change when they expire, is key to demonstrating that the bank is managing its regulatory reporting risks appropriately;
  • one error that arises in respect of model waivers in particular is where bank has applied models to exposures which fall outside the PRA’s approved model permission. This can materially affect reported RWAs. Some banks’ second- or third-line teams are explicitly given responsibility for ensuring that models are implemented and used in accordance with internal and regulatory permissions. We regard this as good practice, and it is an area we expect to become more pressing for banks as they implement upcoming regulatory changes such as Basel 3.1 and the PRA’s Principles for Model Risk Management.
• It can be difficult to trace the path from regulation to policy to reporting approach:
  • Banks should be able to demonstrate that where they have taken a course of action, it is because they have made a deliberate decision to do so. Being able to refer to a comprehensive policy framework allows banks to demonstrate to the PRA that the decisions they have made, and the regulatory returns that they have submitted, arise from an informed decision process.

Conclusion

The PRA’s intent is to effect a meaningful improvement in how banks prepare and deliver regulatory reporting such that regulatory reporting is given the same focus as financial reporting. In some cases, this will require a change in culture around the importance of regulatory reporting in addition to the required investment in systems and data.

Banks currently face a wide array of material regulatory changes. These include the impending implementation of Basel 3.1 and the Consumer Duty, significant changes to regulatory expectations around model risk management, and the eventual outcome of the Edinburgh reforms, along with a host of other, individually smaller but in aggregate significant, changes. Given the strength of the PRA’s comments in the Dear CEO letter from late 2021 and the vigour with which it is following up on it, banks must not lose sight of the need to make demonstrable progress in bringing their regulatory reporting up to the same standard as financial reporting.

________________________________________________________________________________________

Reference:

¹Dear CEO letter Thematic findings on the reliability of regulatory reporting (bankofengland.co.uk)

²Transforming data collection from the UK financial sector: a plan for 2021 and beyond | Bank of England

³Our prior blog charted regulatory fines for reporting failures, which you can find here.