The PRA has turned up the heat on banks’ regulatory reporting, commissioning a number of skilled person reviews using their powers under Section 166 of FSMA. In this blog we look at some of the common challenges banks face in regulatory reporting, focussing on:
In summary, the industry still has considerable work to do to enhance its end‑to‑end regulatory reporting process and potentially stave off further regulatory scrutiny.
Target Audience: Board Audit and Risk Committees; CFOs; CROs; CIO/CDOs; Heads of Regulatory Reporting functions; reporting team members.
In September 2021, the PRA issued a “Dear CEO” letter1 setting out thematic findings on the quality of UK banks’ regulatory reporting. The letter raised a number of issues and was particularly robust in its tone, setting out the PRA’s expectation that banks should apply the same standards of accuracy, oversight and rigour to regulatory reporting that they apply to financial reporting.
Following the PRA’s letter, we published a blog on some of the common challenges banks face with regulatory reporting, which you can find here.
The PRA has in recent years made considerable use of its Section 166 power to appoint skilled persons to review banks’ regulatory reporting returns and has indicated that it will continue to do so where it feels that banks are not meeting appropriate standards.
Regulatory reports cover a broad range of regulatory submissions, from COREP and FINREP returns to Bank of England Statistical returns and responses to ad hoc requests. It is important to note that all regulatory returns are important, and banks need to regard any information they provide to their supervisors as being subject to the same expectations of accuracy and timeliness.
This blog sets out some observations from PRA publications and also from our experience in the market since we published our first blog.
Despite ongoing regulatory attention and considerable investment in some areas in recent years, many banks’ regulatory reporting teams continue to struggle with legacy IT systems that are fragmented, and for which change processes are time-consuming and expensive. These infrastructure challenges play out in a number of ways when it comes to regulatory reporting, including:
Banks generally have clearly defined, robust, and well understood governance and control processes for their financial reporting. However, governance and control systems for regulatory reporting have historically been less formalised from an end-to-end perspective with inconsistencies in how they have been applied, particularly for older reports.
In order to meet the PRA’s expectation that regulatory reporting is undertaken to the same standard as financial reporting, some banks are investing in enhancing the control framework and oversight processes for their regulatory reporting, including an increase in systematic controls.
As part of this, banks are looking to set out clearly the roles of oversight teams to ensure that there is appropriate challenge from the second line, and sufficiently frequent review by the third line, of regulatory reporting processes/controls and outputs, including in some cases substantive testing.
A related issue is reporting teams not always being able, or feeling empowered, to challenge sufficiently the information they receive from underlying systems or the business. This can arise as a result of lack of time to undertake robust challenge (e.g. receiving the information very late in the process), a lack of understanding of regulatory complexity or requirements (including where these differ across jurisdictions), or as a result of the roles of senior management in the process not being well defined, driving limited engagement, particularly in sign-off procedures. Lack of robust, timely challenge can lead to a range of outcomes including:
One issue we have observed across the market is instances of banks failing to give sufficient priority to the permanent remediation of identified reporting errors or persistent data issues feeding the reporting processes. The result is that mitigating manual controls remain in place long term, increasing the risk that reporting errors persist in PRA submissions. This is a major area of focus for many of the programmes that are being established to address regulatory reporting remediation.
Inconsistent or inappropriate regulatory interpretations
The regulatory regime for banks is complex: regulatory rule sets run to hundreds of pages and there are numerous areas where banks need to use judgement when applying the rules to customers and exposures. These issues are particularly in evidence where there are boundary issues, such as determining into which asset class an exposure should be allocated. The outcome of this assessment can have a material effect on capital requirements.
The regulatory regime is also constantly changing – both in larger scale, such as the impending implementation of Basel 3.1; and in smaller scale, such as by way of updates to supervisory policies and guidance. Ensuring policy implementation is in line with the latest regulatory requirements is critical to ensuring ongoing compliance. However, in many banks the pool of people with the relevant skills, historic knowledge, and capacity to dedicate time to reviewing regulatory rules and interpreting how those rules should be applied to the bank’s portfolio, is relatively small. Individuals with regulatory expertise are often required to input across a range of regulatory change initiatives, in addition to their day-to-day role of horizon scanning and policy implementation.
This lack of expertise and capacity may result in:
Another common issue in this area is hard-coding: some regulatory interpretations are coded into systems (e.g. product code(s) in systems may only be associated with specific regulatory asset classes). Banks need to consider how these hard-coded interpretations are monitored and amended when needed. As an example of the sort of change that may affect hard-coded regulatory classifications, under Basel 3.1 banks will need to be able to aggregate several types of exposures under the new Real Estate asset class, as well as give them risk weights according to whether they are residential or commercial real estate exposures.
Tied to the challenges around regulatory interpretations are a number of observations on documentation and record keeping in relation to regulatory interpretations and reporting:
The PRA’s intent is to effect a meaningful improvement in how banks prepare and deliver regulatory reporting such that regulatory reporting is given the same focus as financial reporting. In some cases, this will require a change in culture around the importance of regulatory reporting in addition to the required investment in systems and data.
Banks currently face a wide array of material regulatory changes. These include the impending implementation of Basel 3.1 and the Consumer Duty, significant changes to regulatory expectations around model risk management, and the eventual outcome of the Edinburgh reforms, along with a host of other, individually smaller but in aggregate significant, changes. Given the strength of the PRA’s comments in the Dear CEO letter from late 2021 and the vigour with which it is following up on it, banks must not lose sight of the need to make demonstrable progress in bringing their regulatory reporting up to the same standard as financial reporting.
________________________________________________________________________________________
Reference:
1Dear CEO letter Thematic findings on the reliability of regulatory reporting (bankofengland.co.uk)
3Our prior blog charted regulatory fines for reporting failures, which you can find here.