FCA Wholesale Banks portfolio letter – a wider range of issues to dominate the supervisory agenda

Audience:

Board members, CEOs, CFOs, CROs, CIO/CTOs, Company Secretaries, Heads of Compliance, Heads of Regulatory Engagement

At a glance:

• On 8 September 2023, the FCA set out its key priorities for Wholesale Banks in its latest portfolio letter. This is the first Wholesale Banks portfolio letter for over four years and the first since the FCA established its new Sell-Side Directorate. The letter sets out the FCA’s supervisory priorities for Wholesale Banks for the next two years which will shape its engagement with the sector.
• The FCA also reflects on the market shocks in the past year and broader challenges in the external environment (volatility in asset prices, weak global growth, rising interest rates, inflation, and geopolitical tensions) which could lead to transformed and interconnected risks that put Wholesale Banks’ business models to the test.
• Although the newly set out supervisory priorities are broadly in-line with the FCA’s ongoing supervisory agenda there are a number of specific expectations which banks’ senior management and Boards need to consider. In this blog we summarise the FCA’s main messages and key actions that banks should take to prepare for upcoming regulatory engagement.

Risk management needs to be recalibrated

Risk management was always a key focus of the FCA’s supervisory agenda, but the events of the past 18 months have emphasised the importance of robust and evolving risk management processes. In addition to weaknesses highlighted in the Dear CEO letter published in 2021 following the default of Archegos Capital Management, the FCA has identified further weaknesses in Wholesale Banks’ risk management including:

• Poor management of client relationships and inadequate knowledge of clients’ business profiles leading to unknown concentrations of client risk – both within firms, where several counterparties are unknowingly related; and across firms, where banks collectively underestimate a counterparty’s total exposure.
  
• An underestimation of concentration in markets with limited groups of buyers and sellers, where individual firm responses to stress can imperil market liquidity quickly.
• Overoptimistic liquidity assumptions in stress testing whether in relation to the available market depth to accommodate stressed sales, or the speed at which capital can be withdrawn from stressed vehicles. These liquidity risks can be exacerbated by the underestimation of concentrations mentioned above.

The FCA stresses the importance of Wholesale Banks’ risk management for broader financial stability and market integrity and will be looking to banks to demonstrate the improvements in risk management and oversight they have made following market events in the past 18 months – regardless of the degree to which firms were affected.

Actions for banks:

• All Wholesale Banks need to consider lessons learned from the March 2023 banks’ turmoil and other significant market events to ensure that their risk management including risk appetite, risk limits, and stress testing assumptions are calibrated to reflect recent market volatility.
• Senior management will need to evidence the improvements made to risk management in the areas set out in the letter and reassure the regulator that sufficient oversight and a strong culture is in place. Board members need to be comfortable that any improvements are designed to deliver long-term change in risk management culture and approach.
• The FCA will specifically test how embedded the improvements in risk management are and is likely to focus on all three lines of defence. In particular, the FCA is going to test this through the new product and transactions approval process. Banks should prepare for increased regulatory focus in this area.

High standards of controls should be maintained

The FCA is concerned that the current environment (revenue pressure, market instability) could affect controls, either by commercial interests being prioritised over regulatory obligations or by employees not following procedures and processes. The FCA spells out two concerns in particular:

• Improper behaviour, similar to when banks were using their lending relationship during the Covid pandemic to secure equity mandates that they would otherwise not win.
• A blurring of responsibilities between the first and second lines of defence, for example in relation to ESG, where there is a lack of clarity in some banks as to who is responsible for ensuring a bank is delivering against public commitments.

The FCA is stepping up its testing programme on banks’ controls over these risks (with a particular focus on conflicts of interest) including more in-person supervisory assessments, being more data-led, and testing outcomes rather than policies.

Actions for banks:

• The FCA explicitly asks Boards and senior management to “provide an unambiguous tone from the top on the importance of good conduct”.
• Banks need to evidence that there is sufficient resourcing of their control functions, and these are adequate to cover the breadth and complexity of their business models.
• Banks need to be able to demonstrate clear accountability and split of responsibilities between first and second lines of defence, particularly in relation to newer businesses.
• Banks should prepare for information requests in this area.

Operational resilience

The FCA reiterates its expectations for Wholesale Banks’ operational resilience as set out in PS21/3 Building Operational Resilience and highlights banks’ increasing reliance on third-party services, reminding them that they remain responsible for their operational resilience. The FCA will continue to review banks’ compliance with the new requirements and use engagement with relevant senior managers to assess whether lessons have been learnt from operational resilience events (even if their firm has not been directly affected).

Actions for banks:

• Banks need to ensure that they fully understand their dependence on third party providers and take steps to mitigate the impact on business continuity if the service is lost.
• Banks need to be able to demonstrate their ability to remain within their impact tolerances as soon as reasonably practicable, but no later than 31 March 2025.
• Banks need to promptly notify the FCA if they, or a third party on which they rely, have been subject to a cyber-attack.

Other issues

In addition to the above, the FCA identified a number of other areas that supervisors will be focusing on, including post-Brexit organisational changes, finalisation of LIBOR transition, implementation of the Consumer Duty, delivery of ESG commitments, AI controls, evolution of diversity, equity and inclusion (DEI), and controls around non-financial misconduct.

Actions for banks:

• Prepare to demonstrate appropriate oversight of any business booked into the UK.
• Continue notifying the FCA promptly of any potential changes relating to the service of clients, re-location, changes to booking model, or risk management arrangements.
• Ensure the transition of the last few contracts referencing USD LIBOR, while not relying unnecessarily on synthetic LIBOR.
• Review exposure to retail clients (either direct or through manufacturing of products that can be distributed to retail clients) through the lens of the Consumer Duty and be prepared to demonstrate the robustness of these assessments.
• Prepare to demonstrate the alignment of financing activities with transition plans and ensure the delivery of ESG products and public-facing commitments in practice.
• Prepare to engage with the FCA on AI and machine learning and consider the required control infrastructure.
• Take non-financial misconduct allegations seriously and ensure that effective controls, robust systems and a strong culture are in place to prevent misconduct.

Conclusion and next steps

The FCA expects wholesale banks to continuously assess and stress test their systems and controls in light of the external market environment and regulatory and technological developments. The wide range of issues on the supervisory agenda, including those such as financial crime that are not explicitly set out in this letter but will be an area of continued scrutiny, is likely to result in stretched resources for both supervision teams and banks responding to supervisory enquiries. The FCA reiterated the CEO’s responsibilities under the SM&CR regime and expects all CEOs to discuss the letter with Boards within 2 months.