RegTech Intelligence

UK prudential regulator hits systemically important banks with governance, risk management reviews

Rachel Wolcott, Regulatory Intelligence

The UK Prudential Regulation Authority (PRA) ordered globally systemically important banks (G-SIB) to commission skilled persons reviews of their governance and individual accountability regimes, as well as control and risk management frameworks in its financial year 2020/21. This activity underscores the continuing serious problems that the world’s largest and most-complex banks have had with risk management more than a decade on from the 2008 financial crisis.

The PRA regulates all 30 G-SIBs, either as UK-incorporated banks or as branches. In 2020/21, it ordered a total of 17 Section 166 reviews under the Financial Services and Markets Act 2000, all but five of which were aimed at banks. Seven were labelled controls and risk management frameworks (Lot C), three were prudential (Lot F) and two were for governance and individual accountability (Lot B).

Regulatory Intelligence submitted a request under the Freedom of Information Act to the PRA asking how many of these reviews it ordered G-SIBs to commission and to break the response down by lots. It confirmed it held the information but declined to provide it, saying it would be too easy to figure out which banks were under scrutiny.


“Dear CEO” letter

Sarah Breeden, executive director, UK deposit takers supervision, and David Bailey, executive director, international banks supervision, jointly penned a ” Dear CEO” on the reliability of regulatory returns, which announced more s 166 reviews would be ordered accordingly.

“Examples of errors in regulatory reporting (both public and those identified in our business as usual supervision) have further underlined the need for appropriate investment in both the integrity of data and the ability to process them accurately,” they wrote.

Shortly after that letter was sent, the PRA fined Citi £44 million for regulatory reporting failures in its European businesses was seen as a sign it and other G-SIBs still rely on manual processes and spreadsheets to manage key risks.

The PRA final notice pointed to many mistakes in Citi’s regulatory capital and liquidity capital ratio reporting starting in 2015. It faulted the bank for inadequate systems controls with regards to reporting, inadequate staffing levels, poor governance and an ineffective approach to technical interpretations of reporting requirements.


U.S. regulators levied big fines on G-SIBs for poor risk management

Last year, the U.S. Office of the Comptroller of the Currency (OCC) fined Citi and JPMorgan $400 million and $250 million respectively for serious risk management failures.

“Every major bank that we’re talking to wants analysis on this particular fine from the OCC regarding risk management and internal control deficiencies at Citi. They also got fined about $500 million from some of the other regulators, so it’s about a billion-dollar fine. This is enterprise wide; the regulators are saying it’s not for one little piece, [it’s] the whole bank,” said John Byrne, chief executive at Corlytics, a regulatory analytics technology company in Dublin.

Citi’s failings were serious enough for the OCC to issue a cease-and-desist order requiring the bank to take broad and comprehensive corrective actions to improve risk management, data governance, and internal controls.

“The order requires the bank to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order,” the OCC final notice said.


Steps to address failings

Citi said it was disappointed to have fallen short of regulatory expectations and has “significant remediation projects” under way.

JPMorgan’s $250 million fine came after years of weak management and control framework for its fiduciary activities and had an insufficient audit program for, and inadequate internal controls over, those activities.

“Among other things, the Bank had deficient risk management practices and an insufficient framework for avoiding conflicts of interest,” the OCC said.


“We are committed to delivering best-in-class controls across our business, and we have invested significantly in and enhanced our controls platform over the last several years to address the issues identified,” a JPMorgan spokesman said at the time the fine was announced.

Byrne interprets these fines partly as a judgement on senior management.

“What I’m really interested in with a fine like this is does this go to the board and the chief executive and the chairman? And this absolutely does,” Byrne said.

Produced by Thomson Reuters Accelus Regulatory Intelligence on 15 March 2021

To promote global dialogue on how to deliver regulatory change JWG post hundreds of focused articles a year to thousands of subscribers. Get involved and join the mail list.

By hitting the subscribe button you agree to our Privacy Policy