The UK Prudential Regulation Authority (PRA) has warned firms about deficiencies in their regulatory reporting governance arrangements, systems and controls as well as the of key rules interpretations. The PRA’s ‘ Dear CEO’ letter published last week, admonished firms for their “historic lack of focus, prioritisation, and investment in this area” and called for firms to devote as much rigour to regulatory reporting as financial reporting.
It was clear many firms failed to treat regulatory returns with the “same care and diligence” given to financial reports, the PRA said.
“That’s a big statement because regulatory reporting is not financial reporting. The UK has really raised the bar as regulatory data requests are not currently expressed in a manner which allows the individual actors to agree common interpretation – as accounting standards bodies do today. This means that a RegTech infrastructure, standards and methodology is required to formalise the way the industry interprets what are today very subjective judgements. RegTech tooling is now here to support this need and is being adopted by firms keen to cut costs in the next round of reporting programmes which are kicking off with EMIR Refit now and will continue through Basel IV,” said PJ Di Giammarino, chief executive at regulatory think-tank JWG.
The industry now has another reporting challenge which requires standards, a formal methodology and a plan to meet the PRA heightened expectations, he said.
Fundamental rule 7
The letter’s emphasis on governance arrangements and controls on returns’ production is a comment on firms’ culture.
“We expect all firms to submit reliable and accurate regulatory returns,” the letter said, citing PRA Fundamental Rule 7: “A firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice”.
A firm’s failure to deal with its regulators in an “open and cooperative way” is the kind of conduct often cited in enforcement notices as an aggravating factor when determining the quantum of a fine. Fundamental Rules 5 and 6 refer to risk management and responsible and effective organisation and control of a firm’s affairs, respectively. The letter did not cite those rules, however.
“This is about culture. The PRA appears to be taking the view that if you can’t do reporting properly, clearly, you’re missing everything else as well. And that would explain the reference to PRA Fundamental Rule 7 rather than to specific rule breaches,” said Sam Tyfield, a financial services partner at Shoosmiths in London.
The PRA said section 166 report findings demonstrated “an increased risk of material misstatements from firms who did not meet our expectations”. It will follow up with firms on specific s 166 findings and wants all firms to review and remediate reporting governance, controls and data. It will consider the full range of supervisory and enforcement actions for firms that fall short of its expectations. That could mean more s 166s or fines.
“They’ve already done quality enforcement on a number of firms with issuing them with section 166s. The next thing they must do is the difficult bit of a formal investigation and enforcement proceedings against these banks. It is resource intensive, and ultimately the PRA might not want to take that step,” Tyfield said.
Findings
The PRA’s 2019 ” Dear CEO” letter on regulatory returns set the terms of the work to be carried out through skilled persons reviews (Financial Services and Markets Act 2000, s 166) following a recommendation made in the Independent Review of the Prudential Supervision of the Co-operative Bank Plc. Some globally systemically important banks (G-SIB) were subject to PRA-initiated s 166 reviews as part of this work stream.
Shortly after the 2019 letter was published, the PRA fined Citi £44 million for regulatory reporting failures in its European businesses. The PRA final notice pointed to many mistakes in Citi’s regulatory capital and liquidity capital ratio reporting starting in 2015. It faulted the bank for inadequate systems controls with regards to reporting, inadequate staffing levels, poor governance, and an ineffective approach to technical interpretations of reporting requirements.
Last week’s letter describes similar findings. Firms had underinvested in people and technology “leading to reduced capacity and capability compared with financial reporting”. A lack of senior leadership oversight and accountability was emphasised.
Data aggregation and reporting processes were full of gaps and lacked reconciliation checks for errors. There is still an over reliance on manual interventions and spreadsheets. Poor documentation caused a lack of understanding of controls and their effectiveness, and ultimately errors in reporting.
“The findings of our work demonstrated there is an increased risk of material misstatements from firms who did not meet our expectations,” the PRA said.
This article was published by Thomson Reuters Accelus Regulatory Intelligence on 15 September 2021